circle-ir 3.51.0 → 3.53.0

package/dist/analysis/passes/insecure-cookie-pass.d.ts

@@ -1,30 +1,26 @@
 /**
  * Pass: insecure-cookie (CWE-614, category: security)
  *
- * JavaScript / TypeScript pattern pass that flags Express `res.cookie(name,
- * value, options)` calls where the options object is missing or does not
- * set both `secure: true` and `httpOnly: true`.
+ * Pattern pass — flags cookie set operations that are missing the `Secure`
+ * or `HttpOnly` flags. This is a configuration/absence vulnerability (the
+ * cookie value itself does not need to be tainted), so it is detected by
+ * inspecting call-site option literals rather than via taint flow.
  *
- * Rationale: the absence of `Secure` / `HttpOnly` flags is a vulnerability
- * of *shape*, not of taint. `insecure_cookie` is already modeled as a
- * Java sink (`new Cookie(...)`) via the YAML config, but the equivalent
- * Express pattern uses a literal options object whose presence/absence
- * of flags must be inspected at the call site. The receiver type does
- * not propagate cleanly through middleware, so we do a syntactic check
- * on the literal source-text of arg 2.
- *
- * Detection:
- *   1. Filter language to javascript/typescript.
- *   2. Iterate `graph.ir.calls` for `method_name === 'cookie'` with a
- *      receiver that looks like an Express response (`res`, `response`,
- *      `reply`, `ctx.cookies` is intentionally excluded — Koa's API has
- *      different semantics).
- *   3. Read the raw expression text of arg 2 (the options object).
- *   4. Flag if:
- *        - arg 2 is absent, OR
- *        - arg 2 does not contain `secure: true` (regex), OR
- *        - arg 2 does not contain `httpOnly: true` (regex).
- *   5. Emit a single finding per call site listing the missing flags.
+ * Detection per language:
+ *   JavaScript / TypeScript:
+ *     - Express `res.cookie(name, value, options)` — flag if options object
+ *       (arg 2) is absent OR does not literally contain `secure: true` and
+ *       `httpOnly: true`.
+ *   Python:
+ *     - Flask / Django / Starlette `response.set_cookie(name, value, **kw)`
+ *       — flag if `secure=True` and `httponly=True` keyword args are not
+ *       present in the call expression text.
+ *   Java:
+ *     - `new javax.servlet.http.Cookie("name", "value")` — flag the
+ *       construction site if no `.setSecure(true)` AND `.setHttpOnly(true)`
+ *       calls appear in the same source file (text-based heuristic; a
+ *       full DFG-based version would require tracking the assigned
+ *       variable through CFG).
  *
  * Excluded (intentionally not flagged):
  *   - `res.clearCookie(...)` — clears, not sets.
@@ -49,5 +45,9 @@ export declare class InsecureCookiePass implements AnalysisPass<InsecureCookieRe
     readonly name = "insecure-cookie";
     readonly category: "security";
     run(ctx: PassContext): InsecureCookieResult;
+    private detectJs;
+    private detectPython;
+    private detectJavaCookieCtor;
+    private emit;
 }
 //# sourceMappingURL=insecure-cookie-pass.d.ts.map

package/dist/analysis/passes/insecure-cookie-pass.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"insecure-cookie-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/insecure-cookie-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAS9E,MAAM,WAAW,oBAAoB;IACnC,eAAe,EAAE,KAAK,CAAC;QACrB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,aAAa,EAAE,OAAO,CAAC;QACvB,eAAe,EAAE,OAAO,CAAC;QACzB,cAAc,EAAE,OAAO,CAAC;KACzB,CAAC,CAAC;CACJ;AAED,qBAAa,kBAAmB,YAAW,YAAY,CAAC,oBAAoB,CAAC;IAC3E,QAAQ,CAAC,IAAI,qBAAqB;IAClC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,oBAAoB;CAoE5C"}
+{"version":3,"file":"insecure-cookie-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/insecure-cookie-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAqB9E,MAAM,WAAW,oBAAoB;IACnC,eAAe,EAAE,KAAK,CAAC;QACrB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,aAAa,EAAE,OAAO,CAAC;QACvB,eAAe,EAAE,OAAO,CAAC;QACzB,cAAc,EAAE,OAAO,CAAC;KACzB,CAAC,CAAC;CACJ;AAED,qBAAa,kBAAmB,YAAW,YAAY,CAAC,oBAAoB,CAAC;IAC3E,QAAQ,CAAC,IAAI,qBAAqB;IAClC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,oBAAoB;IAqC3C,OAAO,CAAC,QAAQ;IA2BhB,OAAO,CAAC,YAAY;IAuBpB,OAAO,CAAC,oBAAoB;IA8B5B,OAAO,CAAC,IAAI;CAwCb"}

package/dist/analysis/passes/insecure-cookie-pass.js

@@ -1,30 +1,26 @@
 /**
  * Pass: insecure-cookie (CWE-614, category: security)
  *
- * JavaScript / TypeScript pattern pass that flags Express `res.cookie(name,
- * value, options)` calls where the options object is missing or does not
- * set both `secure: true` and `httpOnly: true`.
+ * Pattern pass — flags cookie set operations that are missing the `Secure`
+ * or `HttpOnly` flags. This is a configuration/absence vulnerability (the
+ * cookie value itself does not need to be tainted), so it is detected by
+ * inspecting call-site option literals rather than via taint flow.
  *
- * Rationale: the absence of `Secure` / `HttpOnly` flags is a vulnerability
- * of *shape*, not of taint. `insecure_cookie` is already modeled as a
- * Java sink (`new Cookie(...)`) via the YAML config, but the equivalent
- * Express pattern uses a literal options object whose presence/absence
- * of flags must be inspected at the call site. The receiver type does
- * not propagate cleanly through middleware, so we do a syntactic check
- * on the literal source-text of arg 2.
- *
- * Detection:
- *   1. Filter language to javascript/typescript.
- *   2. Iterate `graph.ir.calls` for `method_name === 'cookie'` with a
- *      receiver that looks like an Express response (`res`, `response`,
- *      `reply`, `ctx.cookies` is intentionally excluded — Koa's API has
- *      different semantics).
- *   3. Read the raw expression text of arg 2 (the options object).
- *   4. Flag if:
- *        - arg 2 is absent, OR
- *        - arg 2 does not contain `secure: true` (regex), OR
- *        - arg 2 does not contain `httpOnly: true` (regex).
- *   5. Emit a single finding per call site listing the missing flags.
+ * Detection per language:
+ *   JavaScript / TypeScript:
+ *     - Express `res.cookie(name, value, options)` — flag if options object
+ *       (arg 2) is absent OR does not literally contain `secure: true` and
+ *       `httpOnly: true`.
+ *   Python:
+ *     - Flask / Django / Starlette `response.set_cookie(name, value, **kw)`
+ *       — flag if `secure=True` and `httponly=True` keyword args are not
+ *       present in the call expression text.
+ *   Java:
+ *     - `new javax.servlet.http.Cookie("name", "value")` — flag the
+ *       construction site if no `.setSecure(true)` AND `.setHttpOnly(true)`
+ *       calls appear in the same source file (text-based heuristic; a
+ *       full DFG-based version would require tracking the assigned
+ *       variable through CFG).
  *
  * Excluded (intentionally not flagged):
  *   - `res.clearCookie(...)` — clears, not sets.
@@ -35,75 +31,169 @@
  *     We flag the call (RHS is opaque) unless `secure: true` and
  *     `httpOnly: true` appear literally. Users can suppress via config.
  */
+// ---------- JS / TS ----------
 const COOKIE_RESPONSE_RECEIVERS = new Set([
     'res', 'response', 'reply',
 ]);
 const SECURE_TRUE_RE = /\bsecure\s*:\s*true\b/;
 const HTTPONLY_TRUE_RE = /\bhttpOnly\s*:\s*true\b/i;
+// ---------- Python ----------
+const PY_SET_COOKIE_RECEIVERS = new Set([
+    'response', 'resp', 'res',
+]);
+const PY_SECURE_TRUE_RE = /\bsecure\s*=\s*True\b/;
+const PY_HTTPONLY_TRUE_RE = /\bhttponly\s*=\s*True\b/i;
+// ---------- Java ----------
+const JAVA_SET_SECURE_TRUE_RE = /\.setSecure\s*\(\s*true\s*\)/;
+const JAVA_SET_HTTPONLY_TRUE_RE = /\.setHttpOnly\s*\(\s*true\s*\)/;
 export class InsecureCookiePass {
     name = 'insecure-cookie';
     category = 'security';
     run(ctx) {
-        const { graph, language } = ctx;
-        if (language !== 'javascript' && language !== 'typescript') {
-            return { insecureCookies: [] };
-        }
+        const { graph, language, code } = ctx;
         const file = graph.ir.meta.file;
         const insecureCookies = [];
-        for (const call of graph.ir.calls) {
-            if (call.method_name !== 'cookie')
-                continue;
-            const receiver = call.receiver ?? '';
-            if (!COOKIE_RESPONSE_RECEIVERS.has(receiver))
-                continue;
-            // Must look like a setter call: at least (name, value) args.
-            // `res.cookie('name')` (Express getter form) takes one arg — skip.
-            if (call.arguments.length < 2)
-                continue;
-            const opts = call.arguments.find(a => a.position === 2);
-            const optsExpr = (opts?.expression ?? '').trim();
-            const optionsPresent = optsExpr.length > 0;
-            const missingSecure = !SECURE_TRUE_RE.test(optsExpr);
-            const missingHttpOnly = !HTTPONLY_TRUE_RE.test(optsExpr);
-            if (!missingSecure && !missingHttpOnly)
-                continue;
-            const line = call.location.line;
-            insecureCookies.push({
-                line,
-                receiver,
-                missingSecure,
-                missingHttpOnly,
-                optionsPresent,
-            });
-            const missing = [];
-            if (missingSecure)
-                missing.push('`secure: true`');
-            if (missingHttpOnly)
-                missing.push('`httpOnly: true`');
-            ctx.addFinding({
-                id: `${this.name}-${file}-${line}`,
-                pass: this.name,
-                category: this.category,
-                rule_id: this.name,
-                cwe: 'CWE-614',
-                severity: 'medium',
-                level: 'warning',
-                message: `Cookie set without ${missing.join(' and ')} — vulnerable to ` +
-                    `cleartext transmission (CWE-614) and client-side JS access ` +
-                    `(CWE-1004).`,
-                file,
-                line,
-                fix: 'Pass `{ secure: true, httpOnly: true, sameSite: "lax" }` as the ' +
-                    'third argument to `res.cookie()`.',
-                evidence: {
-                    receiver,
-                    options_present: optionsPresent,
-                    missing_secure: missingSecure,
-                    missing_http_only: missingHttpOnly,
-                },
-            });
+        if (language === 'javascript' || language === 'typescript') {
+            for (const call of graph.ir.calls) {
+                const det = this.detectJs(call);
+                if (!det)
+                    continue;
+                insecureCookies.push(det);
+                this.emit(ctx, file, det, 'js');
+            }
+        }
+        else if (language === 'python') {
+            for (const call of graph.ir.calls) {
+                const det = this.detectPython(call);
+                if (!det)
+                    continue;
+                insecureCookies.push(det);
+                this.emit(ctx, file, det, 'python');
+            }
+        }
+        else if (language === 'java') {
+            // Java text-based heuristic: detect `new Cookie(...)` constructor calls,
+            // then look in the file source for `.setSecure(true)` and `.setHttpOnly(true)`
+            // anywhere. Misses only when those setters exist in another file.
+            const hasSetSecureTrue = JAVA_SET_SECURE_TRUE_RE.test(code);
+            const hasSetHttpOnlyTrue = JAVA_SET_HTTPONLY_TRUE_RE.test(code);
+            for (const call of graph.ir.calls) {
+                const det = this.detectJavaCookieCtor(call, hasSetSecureTrue, hasSetHttpOnlyTrue);
+                if (!det)
+                    continue;
+                insecureCookies.push(det);
+                this.emit(ctx, file, det, 'java');
+            }
         }
         return { insecureCookies };
     }
+    // ---------------- JS / TS ----------------
+    detectJs(call) {
+        if (call.method_name !== 'cookie')
+            return null;
+        const receiver = call.receiver ?? '';
+        if (!COOKIE_RESPONSE_RECEIVERS.has(receiver))
+            return null;
+        // Must look like a setter call: at least (name, value) args.
+        // `res.cookie('name')` (Express getter form) takes one arg — skip.
+        if (call.arguments.length < 2)
+            return null;
+        const opts = call.arguments.find((a) => a.position === 2);
+        const optsExpr = (opts?.expression ?? '').trim();
+        const optionsPresent = optsExpr.length > 0;
+        const missingSecure = !SECURE_TRUE_RE.test(optsExpr);
+        const missingHttpOnly = !HTTPONLY_TRUE_RE.test(optsExpr);
+        if (!missingSecure && !missingHttpOnly)
+            return null;
+        return {
+            line: call.location.line,
+            receiver,
+            missingSecure,
+            missingHttpOnly,
+            optionsPresent,
+        };
+    }
+    // ---------------- Python ----------------
+    detectPython(call) {
+        if (call.method_name !== 'set_cookie')
+            return null;
+        const receiver = call.receiver ?? '';
+        if (!PY_SET_COOKIE_RECEIVERS.has(receiver))
+            return null;
+        // Concatenate all argument expression text — keyword args may appear in
+        // any position past the leading positional args.
+        const argsBlob = call.arguments.map((a) => a.expression ?? '').join(', ');
+        const missingSecure = !PY_SECURE_TRUE_RE.test(argsBlob);
+        const missingHttpOnly = !PY_HTTPONLY_TRUE_RE.test(argsBlob);
+        if (!missingSecure && !missingHttpOnly)
+            return null;
+        return {
+            line: call.location.line,
+            receiver,
+            missingSecure,
+            missingHttpOnly,
+            optionsPresent: call.arguments.length >= 2,
+        };
+    }
+    // ---------------- Java ----------------
+    detectJavaCookieCtor(call, hasSetSecureTrue, hasSetHttpOnlyTrue) {
+        // Java constructor: method_name === 'Cookie', receiver is null,
+        // receiver_type === 'Cookie' (set by the Java plugin). Some plugins
+        // also set call.is_constructor — accept any of the indicators.
+        if (call.method_name !== 'Cookie')
+            return null;
+        const looksLikeCtor = call.is_constructor ||
+            (!call.receiver && call.receiver_type === 'Cookie') ||
+            (call.resolution?.target ?? '').endsWith('.<init>');
+        if (!looksLikeCtor)
+            return null;
+        // Need at least (name, value).
+        if (call.arguments.length < 2)
+            return null;
+        const missingSecure = !hasSetSecureTrue;
+        const missingHttpOnly = !hasSetHttpOnlyTrue;
+        if (!missingSecure && !missingHttpOnly)
+            return null;
+        return {
+            line: call.location.line,
+            receiver: 'new Cookie',
+            missingSecure,
+            missingHttpOnly,
+            optionsPresent: false,
+        };
+    }
+    emit(ctx, file, det, flavor) {
+        const missing = [];
+        if (det.missingSecure)
+            missing.push(flavor === 'js' ? '`secure: true`' : flavor === 'python' ? '`secure=True`' : '`setSecure(true)`');
+        if (det.missingHttpOnly)
+            missing.push(flavor === 'js' ? '`httpOnly: true`' : flavor === 'python' ? '`httponly=True`' : '`setHttpOnly(true)`');
+        const fix = flavor === 'js'
+            ? 'Pass `{ secure: true, httpOnly: true, sameSite: "lax" }` as the third argument to `res.cookie()`.'
+            : flavor === 'python'
+                ? 'Pass `secure=True, httponly=True, samesite="Lax"` to `response.set_cookie(...)`.'
+                : 'After constructing the cookie, call `cookie.setSecure(true)` and `cookie.setHttpOnly(true)` before adding it to the response.';
+        ctx.addFinding({
+            id: `${this.name}-${file}-${det.line}`,
+            pass: this.name,
+            category: this.category,
+            rule_id: this.name,
+            cwe: 'CWE-614',
+            severity: 'medium',
+            level: 'warning',
+            message: `Cookie set without ${missing.join(' and ')} — vulnerable to ` +
+                `cleartext transmission (CWE-614) and client-side JS access ` +
+                `(CWE-1004).`,
+            file,
+            line: det.line,
+            fix,
+            evidence: {
+                receiver: det.receiver,
+                options_present: det.optionsPresent,
+                missing_secure: det.missingSecure,
+                missing_http_only: det.missingHttpOnly,
+            },
+        });
+    }
 }
 //# sourceMappingURL=insecure-cookie-pass.js.map

package/dist/analysis/passes/insecure-cookie-pass.js.map

@@ -1 +1 @@
-{"version":3,"file":"insecure-cookie-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/insecure-cookie-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAIH,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC;IACxC,KAAK,EAAE,UAAU,EAAE,OAAO;CAC3B,CAAC,CAAC;AAEH,MAAM,cAAc,GAAI,uBAAuB,CAAC;AAChD,MAAM,gBAAgB,GAAG,0BAA0B,CAAC;AAYpD,MAAM,OAAO,kBAAkB;IACpB,IAAI,GAAG,iBAAiB,CAAC;IACzB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEhC,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,OAAO,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;QACjC,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,eAAe,GAA4C,EAAE,CAAC;QAEpE,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,IAAI,IAAI,CAAC,WAAW,KAAK,QAAQ;gBAAE,SAAS;YAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;YACrC,IAAI,CAAC,yBAAyB,CAAC,GAAG,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAEvD,6DAA6D;YAC7D,mEAAmE;YACnE,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;gBAAE,SAAS;YAExC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;YACxD,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACjD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;YAE3C,MAAM,aAAa,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACrD,MAAM,eAAe,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzD,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe;gBAAE,SAAS;YAEjD,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,eAAe,CAAC,IAAI,CAAC;gBACnB,IAAI;gBACJ,QAAQ;gBACR,aAAa;gBACb,eAAe;gBACf,cAAc;aACf,CAAC,CAAC;YAEH,MAAM,OAAO,GAAa,EAAE,CAAC;YAC7B,IAAI,aAAa;gBAAI,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YACpD,IAAI,eAAe;gBAAE,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YAEtD,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;gBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,sBAAsB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,mBAAmB;oBAC9D,6DAA6D;oBAC7D,aAAa;gBACf,IAAI;gBACJ,IAAI;gBACJ,GAAG,EACD,kEAAkE;oBAClE,mCAAmC;gBACrC,QAAQ,EAAE;oBACR,QAAQ;oBACR,eAAe,EAAE,cAAc;oBAC/B,cAAc,EAAE,aAAa;oBAC7B,iBAAiB,EAAE,eAAe;iBACnC;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,eAAe,EAAE,CAAC;IAC7B,CAAC;CACF"}
+{"version":3,"file":"insecure-cookie-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/insecure-cookie-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAKH,gCAAgC;AAChC,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC;IACxC,KAAK,EAAE,UAAU,EAAE,OAAO;CAC3B,CAAC,CAAC;AACH,MAAM,cAAc,GAAK,uBAAuB,CAAC;AACjD,MAAM,gBAAgB,GAAG,0BAA0B,CAAC;AAEpD,+BAA+B;AAC/B,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,UAAU,EAAE,MAAM,EAAE,KAAK;CAC1B,CAAC,CAAC;AACH,MAAM,iBAAiB,GAAK,uBAAuB,CAAC;AACpD,MAAM,mBAAmB,GAAG,0BAA0B,CAAC;AAEvD,6BAA6B;AAC7B,MAAM,uBAAuB,GAAK,8BAA8B,CAAC;AACjE,MAAM,yBAAyB,GAAG,gCAAgC,CAAC;AAYnE,MAAM,OAAO,kBAAkB;IACpB,IAAI,GAAG,iBAAiB,CAAC;IACzB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,eAAe,GAA4C,EAAE,CAAC;QAEpE,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAChC,IAAI,CAAC,GAAG;oBAAE,SAAS;gBACnB,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;gBACpC,IAAI,CAAC,GAAG;oBAAE,SAAS;gBACnB,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/B,yEAAyE;YACzE,+EAA+E;YAC/E,kEAAkE;YAClE,MAAM,gBAAgB,GAAK,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9D,MAAM,kBAAkB,GAAG,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChE,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,gBAAgB,EAAE,kBAAkB,CAAC,CAAC;gBAClF,IAAI,CAAC,GAAG;oBAAE,SAAS;gBACnB,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;QAED,OAAO,EAAE,eAAe,EAAE,CAAC;IAC7B,CAAC;IAED,4CAA4C;IACpC,QAAQ,CAAC,IAAc;QAC7B,IAAI,IAAI,CAAC,WAAW,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,IAAI,CAAC,yBAAyB,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAC;QAE1D,6DAA6D;QAC7D,mEAAmE;QACnE,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAE3C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QAE3C,MAAM,aAAa,GAAK,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvD,MAAM,eAAe,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzD,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe;YAAE,OAAO,IAAI,CAAC;QAEpD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;YACxB,QAAQ;YACR,aAAa;YACb,eAAe;YACf,cAAc;SACf,CAAC;IACJ,CAAC;IAED,2CAA2C;IACnC,YAAY,CAAC,IAAc;QACjC,IAAI,IAAI,CAAC,WAAW,KAAK,YAAY;YAAE,OAAO,IAAI,CAAC;QACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAC;QAExD,wEAAwE;QACxE,iDAAiD;QACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE1E,MAAM,aAAa,GAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC1D,MAAM,eAAe,GAAG,CAAC,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5D,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe;YAAE,OAAO,IAAI,CAAC;QAEpD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;YACxB,QAAQ;YACR,aAAa;YACb,eAAe;YACf,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,IAAI,CAAC;SAC3C,CAAC;IACJ,CAAC;IAED,yCAAyC;IACjC,oBAAoB,CAC1B,IAAc,EACd,gBAAyB,EACzB,kBAA2B;QAE3B,gEAAgE;QAChE,oEAAoE;QACpE,+DAA+D;QAC/D,IAAI,IAAI,CAAC,WAAW,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC/C,MAAM,aAAa,GACjB,IAAI,CAAC,cAAc;YACnB,CAAC,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,aAAa,KAAK,QAAQ,CAAC;YACnD,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACtD,IAAI,CAAC,aAAa;YAAE,OAAO,IAAI,CAAC;QAChC,+BAA+B;QAC/B,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAE3C,MAAM,aAAa,GAAK,CAAC,gBAAgB,CAAC;QAC1C,MAAM,eAAe,GAAG,CAAC,kBAAkB,CAAC;QAC5C,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe;YAAE,OAAO,IAAI,CAAC;QAEpD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;YACxB,QAAQ,EAAE,YAAY;YACtB,aAAa;YACb,eAAe;YACf,cAAc,EAAE,KAAK;SACtB,CAAC;IACJ,CAAC;IAEO,IAAI,CACV,GAAgB,EAChB,IAAY,EACZ,GAAoD,EACpD,MAAgC;QAEhC,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,IAAI,GAAG,CAAC,aAAa;YAAI,OAAO,CAAC,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC;QACxI,IAAI,GAAG,CAAC,eAAe;YAAE,OAAO,CAAC,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC;QAE9I,MAAM,GAAG,GACP,MAAM,KAAK,IAAI;YACb,CAAC,CAAC,mGAAmG;YACrG,CAAC,CAAC,MAAM,KAAK,QAAQ;gBACnB,CAAC,CAAC,kFAAkF;gBACpF,CAAC,CAAC,+HAA+H,CAAC;QAExI,GAAG,CAAC,UAAU,CAAC;YACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,IAAI,EAAE;YACtC,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,IAAI;YAClB,GAAG,EAAE,SAAS;YACd,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,SAAS;YAChB,OAAO,EACL,sBAAsB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,mBAAmB;gBAC9D,6DAA6D;gBAC7D,aAAa;YACf,IAAI;YACJ,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,GAAG;YACH,QAAQ,EAAE;gBACR,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,eAAe,EAAE,GAAG,CAAC,cAAc;gBACnC,cAAc,EAAE,GAAG,CAAC,aAAa;gBACjC,iBAAiB,EAAE,GAAG,CAAC,eAAe;aACvC;SACF,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/analysis/passes/tls-verify-disabled-pass.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Pass: tls-verify-disabled (CWE-295, category: security)
+ *
+ * Pattern pass — flags places where TLS certificate / hostname verification
+ * is explicitly disabled. This is a *configuration* vulnerability (the bad
+ * value is hard-coded, no taint flow is involved).
+ *
+ * Detection per language:
+ *   Go:
+ *     - `&tls.Config{InsecureSkipVerify: true}` (composite literal)
+ *     - Detected via call argument scan: when the receiver is `tls` and
+ *       call/composite contains literal `InsecureSkipVerify: true`, OR via
+ *       a syntactic text scan (composite literals are not always emitted
+ *       as calls in IR).
+ *   Python:
+ *     - `requests.get|post|put|delete|patch|head|options|request(..., verify=False)`
+ *     - `ssl._create_unverified_context()` / `ssl._create_default_https_context = ssl._create_unverified_context`
+ *     - `urllib3.disable_warnings(InsecureRequestWarning)` — best-effort hint
+ *     - `httpx.Client(verify=False)` / `httpx.get(..., verify=False)`
+ *   JavaScript / TypeScript:
+ *     - `{ rejectUnauthorized: false }` in https.request / fetch options /
+ *       node-fetch / axios — text scan on arg expressions
+ *     - `https.Agent({ rejectUnauthorized: false })`
+ *     - `process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'` (assignment;
+ *       detected via call to property assignment — best-effort)
+ *   Java:
+ *     - Custom `HostnameVerifier` that returns true unconditionally
+ *       (lambdas `(h, s) -> true` / anonymous classes) — detected via
+ *       textual scan on setHostnameVerifier arg expression.
+ *     - `setHostnameVerifier(NoopHostnameVerifier.INSTANCE)` /
+ *       `setHostnameVerifier(new AllowAllHostnameVerifier())`
+ *
+ * Aligned with: gosec G402 (Go), Bandit B501/B502/B504/B505 (Python).
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface TlsVerifyDisabledResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        pattern: string;
+        api: string;
+    }>;
+}
+export declare class TlsVerifyDisabledPass implements AnalysisPass<TlsVerifyDisabledResult> {
+    readonly name = "tls-verify-disabled";
+    readonly category: "security";
+    run(ctx: PassContext): TlsVerifyDisabledResult;
+    private detectCall;
+    private detectSourceText;
+    private fixFor;
+}
+//# sourceMappingURL=tls-verify-disabled-pass.d.ts.map

package/dist/analysis/passes/tls-verify-disabled-pass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tls-verify-disabled-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/tls-verify-disabled-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAsB9E,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAED,qBAAa,qBAAsB,YAAW,YAAY,CAAC,uBAAuB,CAAC;IACjF,QAAQ,CAAC,IAAI,yBAAyB;IACtC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,uBAAuB;IA6D9C,OAAO,CAAC,UAAU;IA4ElB,OAAO,CAAC,gBAAgB;IAiDxB,OAAO,CAAC,MAAM;CA2Bf"}