circle-ir 3.51.0 → 3.53.0

package/dist/core/circle-ir-core.cjs

@@ -10003,6 +10003,13 @@ var DEFAULT_SOURCES = [
   { method: "getFileName", class: "BodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getFileName", class: "MimeBodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getDisposition", class: "Part", type: "file_input", severity: "medium", return_tainted: true },
+  // Archive entry names (Zip-Slip / Tar-Slip CWE-22, issue #52)
+  // entry.getName() returns a path that may contain ../ — flowing into File()/FileOutputStream()
+  // is a classic Zip-Slip vulnerability.
+  { method: "getName", class: "ZipEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ZipArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "TarArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
   // Command line arguments
   { method: "getArgs", type: "io_input", severity: "high", return_tainted: true },
   { method: "getOptionValue", class: "CommandLine", type: "io_input", severity: "high", return_tainted: true },
@@ -10437,7 +10444,7 @@ var DEFAULT_SINKS = [
   { method: "staticFileLocation", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // Zip/archive handling
   { method: "getEntry", class: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "getName", class: "ZipEntry", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [] },
+  // ZipEntry.getName moved to file_sources.yaml as a taint SOURCE (type=archive_entry, issue #52)
   // Resource loading classes (various frameworks)
   { method: "ClassPathResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileSystemResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -10914,26 +10921,16 @@ var DEFAULT_SINKS = [
   { method: "get", class: "WebClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
   { method: "post", class: "WebClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
   // =============================================================================
-  // Weak Cryptography Sinks (no taint flow required - presence alone is vulnerability)
+  // Config / Absence Vulnerabilities (handled by dedicated pattern passes)
   // =============================================================================
-  // Weak Random (CWE-330) - java.util.Random is not cryptographically secure
-  { method: "Random", class: "constructor", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextInt", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextLong", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextFloat", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextDouble", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextBoolean", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextBytes", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  // Weak Hash (CWE-328) - MD5/SHA1 are cryptographically broken
-  // Note: Detection requires checking algorithm argument - handled in runner
-  { method: "getInstance", class: "MessageDigest", type: "weak_hash", cwe: "CWE-328", severity: "medium", arg_positions: [0] },
-  // Weak Crypto (CWE-327) - DES/RC4/Blowfish are weak ciphers
-  // Note: Detection requires checking algorithm argument - handled in runner
-  { method: "getInstance", class: "Cipher", type: "weak_crypto", cwe: "CWE-327", severity: "high", arg_positions: [0] },
-  { method: "getInstance", class: "KeyGenerator", type: "weak_crypto", cwe: "CWE-327", severity: "high", arg_positions: [0] },
-  // Insecure Cookie (CWE-614) - cookies without secure/httpOnly flags
-  // Note: Detection requires checking if setSecure(true)/setHttpOnly(true) called - handled in runner
-  { method: "Cookie", class: "constructor", type: "insecure_cookie", cwe: "CWE-614", severity: "medium", arg_positions: [] },
+  // weak_random  → WeakRandomPass        (src/analysis/passes/weak-random-pass.ts)
+  // weak_hash    → WeakHashPass          (src/analysis/passes/weak-hash-pass.ts)
+  // weak_crypto  → WeakCryptoPass        (src/analysis/passes/weak-crypto-pass.ts)
+  // insecure_cookie → InsecureCookiePass (src/analysis/passes/insecure-cookie-pass.ts)
+  // tls_verify_disabled → TlsVerifyDisabledPass
+  // These patterns are detected by call-site literal inspection, not taint flow,
+  // so they are NOT registered here as sinks (they could never match a "tainted
+  // value flowing into a sink" because the bad value is a hard-coded constant).
   // Trust Boundary (CWE-501) - using untrusted data as session attribute NAME
   // The vulnerability is attacker controlling which key to use, not the value
   { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
@@ -12043,10 +12040,11 @@ function matchesSourcePattern(call, pattern) {
       return false;
     }
     if (pattern.class && pattern.class !== "constructor") {
-      if (!call.receiver) {
+      if (call.receiver_type && call.receiver_type === pattern.class) {
+      } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+      } else if (!call.receiver) {
         return false;
-      }
-      if (!receiverMightBeClass(call.receiver, pattern.class)) {
+      } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
     }
@@ -12304,13 +12302,14 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
     if (pattern.class === "constructor") {
       return true;
     }
-    if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
+    if (call.receiver_type && call.receiver_type === pattern.class) {
+    } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+    } else if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
       if (typeHierarchy && typeHierarchy.couldBeType(call.receiver, pattern.class)) {
         return true;
       }
       return false;
-    }
-    if (!call.receiver) {
+    } else if (!call.receiver && !call.receiver_type) {
       return false;
     }
   }

package/dist/core/circle-ir-core.js

@@ -9937,6 +9937,13 @@ var DEFAULT_SOURCES = [
   { method: "getFileName", class: "BodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getFileName", class: "MimeBodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getDisposition", class: "Part", type: "file_input", severity: "medium", return_tainted: true },
+  // Archive entry names (Zip-Slip / Tar-Slip CWE-22, issue #52)
+  // entry.getName() returns a path that may contain ../ — flowing into File()/FileOutputStream()
+  // is a classic Zip-Slip vulnerability.
+  { method: "getName", class: "ZipEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ZipArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "TarArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
   // Command line arguments
   { method: "getArgs", type: "io_input", severity: "high", return_tainted: true },
   { method: "getOptionValue", class: "CommandLine", type: "io_input", severity: "high", return_tainted: true },
@@ -10371,7 +10378,7 @@ var DEFAULT_SINKS = [
   { method: "staticFileLocation", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // Zip/archive handling
   { method: "getEntry", class: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "getName", class: "ZipEntry", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [] },
+  // ZipEntry.getName moved to file_sources.yaml as a taint SOURCE (type=archive_entry, issue #52)
   // Resource loading classes (various frameworks)
   { method: "ClassPathResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileSystemResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -10848,26 +10855,16 @@ var DEFAULT_SINKS = [
   { method: "get", class: "WebClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
   { method: "post", class: "WebClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
   // =============================================================================
-  // Weak Cryptography Sinks (no taint flow required - presence alone is vulnerability)
+  // Config / Absence Vulnerabilities (handled by dedicated pattern passes)
   // =============================================================================
-  // Weak Random (CWE-330) - java.util.Random is not cryptographically secure
-  { method: "Random", class: "constructor", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextInt", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextLong", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextFloat", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextDouble", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextBoolean", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextBytes", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  // Weak Hash (CWE-328) - MD5/SHA1 are cryptographically broken
-  // Note: Detection requires checking algorithm argument - handled in runner
-  { method: "getInstance", class: "MessageDigest", type: "weak_hash", cwe: "CWE-328", severity: "medium", arg_positions: [0] },
-  // Weak Crypto (CWE-327) - DES/RC4/Blowfish are weak ciphers
-  // Note: Detection requires checking algorithm argument - handled in runner
-  { method: "getInstance", class: "Cipher", type: "weak_crypto", cwe: "CWE-327", severity: "high", arg_positions: [0] },
-  { method: "getInstance", class: "KeyGenerator", type: "weak_crypto", cwe: "CWE-327", severity: "high", arg_positions: [0] },
-  // Insecure Cookie (CWE-614) - cookies without secure/httpOnly flags
-  // Note: Detection requires checking if setSecure(true)/setHttpOnly(true) called - handled in runner
-  { method: "Cookie", class: "constructor", type: "insecure_cookie", cwe: "CWE-614", severity: "medium", arg_positions: [] },
+  // weak_random  → WeakRandomPass        (src/analysis/passes/weak-random-pass.ts)
+  // weak_hash    → WeakHashPass          (src/analysis/passes/weak-hash-pass.ts)
+  // weak_crypto  → WeakCryptoPass        (src/analysis/passes/weak-crypto-pass.ts)
+  // insecure_cookie → InsecureCookiePass (src/analysis/passes/insecure-cookie-pass.ts)
+  // tls_verify_disabled → TlsVerifyDisabledPass
+  // These patterns are detected by call-site literal inspection, not taint flow,
+  // so they are NOT registered here as sinks (they could never match a "tainted
+  // value flowing into a sink" because the bad value is a hard-coded constant).
   // Trust Boundary (CWE-501) - using untrusted data as session attribute NAME
   // The vulnerability is attacker controlling which key to use, not the value
   { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
@@ -11977,10 +11974,11 @@ function matchesSourcePattern(call, pattern) {
       return false;
     }
     if (pattern.class && pattern.class !== "constructor") {
-      if (!call.receiver) {
+      if (call.receiver_type && call.receiver_type === pattern.class) {
+      } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+      } else if (!call.receiver) {
         return false;
-      }
-      if (!receiverMightBeClass(call.receiver, pattern.class)) {
+      } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
     }
@@ -12238,13 +12236,14 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
     if (pattern.class === "constructor") {
       return true;
     }
-    if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
+    if (call.receiver_type && call.receiver_type === pattern.class) {
+    } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+    } else if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
       if (typeHierarchy && typeHierarchy.couldBeType(call.receiver, pattern.class)) {
         return true;
       }
       return false;
-    }
-    if (!call.receiver) {
+    } else if (!call.receiver && !call.receiver_type) {
       return false;
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.51.0",
+  "version": "3.53.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",