circle-ir 3.52.0 → 3.53.0

package/dist/browser/circle-ir.js

@@ -10621,6 +10621,13 @@ var DEFAULT_SOURCES = [
   { method: "getFileName", class: "BodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getFileName", class: "MimeBodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getDisposition", class: "Part", type: "file_input", severity: "medium", return_tainted: true },
+  // Archive entry names (Zip-Slip / Tar-Slip CWE-22, issue #52)
+  // entry.getName() returns a path that may contain ../ — flowing into File()/FileOutputStream()
+  // is a classic Zip-Slip vulnerability.
+  { method: "getName", class: "ZipEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ZipArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "TarArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
   // Command line arguments
   { method: "getArgs", type: "io_input", severity: "high", return_tainted: true },
   { method: "getOptionValue", class: "CommandLine", type: "io_input", severity: "high", return_tainted: true },
@@ -11055,7 +11062,7 @@ var DEFAULT_SINKS = [
   { method: "staticFileLocation", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // Zip/archive handling
   { method: "getEntry", class: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "getName", class: "ZipEntry", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [] },
+  // ZipEntry.getName moved to file_sources.yaml as a taint SOURCE (type=archive_entry, issue #52)
   // Resource loading classes (various frameworks)
   { method: "ClassPathResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileSystemResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -12738,10 +12745,11 @@ function matchesSourcePattern(call, pattern) {
       return false;
     }
     if (pattern.class && pattern.class !== "constructor") {
-      if (!call.receiver) {
+      if (call.receiver_type && call.receiver_type === pattern.class) {
+      } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+      } else if (!call.receiver) {
         return false;
-      }
-      if (!receiverMightBeClass(call.receiver, pattern.class)) {
+      } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
     }
@@ -12999,13 +13007,14 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
     if (pattern.class === "constructor") {
       return true;
     }
-    if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
+    if (call.receiver_type && call.receiver_type === pattern.class) {
+    } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+    } else if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
       if (typeHierarchy && typeHierarchy.couldBeType(call.receiver, pattern.class)) {
         return true;
       }
       return false;
-    }
-    if (!call.receiver) {
+    } else if (!call.receiver && !call.receiver_type) {
       return false;
     }
   }
@@ -27347,6 +27356,50 @@ function literalAlgo2(call, position) {
   const cleaned = stripQuotes5(raw);
   return cleaned || null;
 }
+function detectStaticIvJava(call) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg) return null;
+  const expr = (arg.literal ?? arg.expression ?? "").trim();
+  if (!expr) return null;
+  if (/^new\s+byte\s*\[[^\]]*\]\s*$/.test(expr)) {
+    return `zero-filled ${expr}`;
+  }
+  if (/^new\s+byte\s*\[\s*\]\s*\{[^}]*\}\s*$/.test(expr)) {
+    return `literal byte[] initializer`;
+  }
+  if (/^"[^"]*"\.getBytes\s*\(/.test(expr)) {
+    return `literal string .getBytes()`;
+  }
+  if (/^"[^"]*"$/.test(expr)) {
+    return `literal string`;
+  }
+  return null;
+}
+function isJavaCtor(call, className) {
+  if (call.is_constructor === true) return true;
+  if (call.receiver) return false;
+  if (call.receiver_type === className) return true;
+  if ((call.receiver_type_fqn ?? "").endsWith("." + className)) return true;
+  return false;
+}
+function detectHardcodedKeyJava(call) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg) return null;
+  const expr = (arg.literal ?? arg.expression ?? "").trim();
+  if (!expr) return null;
+  if (/^"[^"]*"\.getBytes\s*\(/.test(expr)) return `literal string .getBytes()`;
+  if (/^new\s+byte\s*\[\s*\]\s*\{[^}]*\}\s*$/.test(expr)) return `literal byte[] initializer`;
+  if (/^"[^"]*"$/.test(expr)) return `literal string`;
+  return null;
+}
+var ISSUE_CWE = {
+  "weak-cipher": "CWE-327",
+  "ecb-mode": "CWE-327",
+  "deprecated-api": "CWE-327",
+  "static-iv": "CWE-329",
+  "hardcoded-key": "CWE-321",
+  "weak-rsa-key": "CWE-326"
+};
 var WeakCryptoPass = class {
   name = "weak-crypto";
   category = "security";
@@ -27365,13 +27418,13 @@ var WeakCryptoPass = class {
           pass: this.name,
           category: this.category,
           rule_id: this.name,
-          cwe: "CWE-327",
+          cwe: ISSUE_CWE[det.issue],
           severity: "high",
           level: "error",
           message,
           file,
           line,
-          fix: "Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, 3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption use RSA-OAEP with \u22652048-bit keys or modern curve-based schemes.",
+          fix: this.buildFix(det.issue),
           evidence: { ...det, language }
         });
       }
@@ -27386,10 +27439,28 @@ var WeakCryptoPass = class {
         return `ECB block-cipher mode used via \`${det.api}\` (\`${det.detail}\`). ECB leaks plaintext structure (identical blocks \u2192 identical ciphertext) and is not semantically secure.`;
       case "deprecated-api":
         return `Deprecated crypto API \`${det.api}\` used (no IV: \`${det.detail}\`). This API derives the key/IV from a password in an insecure way.`;
+      case "static-iv":
+        return `Static or zero-valued IV passed to \`${det.api}\` (\`${det.detail}\`). Reusing a fixed IV with CBC/CTR/GCM breaks confidentiality and, for GCM, can leak the authentication key.`;
+      case "hardcoded-key":
+        return `Hardcoded symmetric key material passed to \`${det.api}\` (\`${det.detail}\`). Keys embedded in source code are trivially recoverable from binaries and shared across deployments \u2014 they provide no confidentiality.`;
+      case "weak-rsa-key":
+        return `Weak RSA key size \`${det.detail}\` requested via \`${det.api}\`. RSA keys below 2048 bits are factorable and not compliant with NIST SP 800-57 / FIPS 186-5.`;
       default:
         return `Weak cryptography: ${det.detail} (${det.api})`;
     }
   }
+  buildFix(issue) {
+    switch (issue) {
+      case "static-iv":
+        return "Generate a fresh random IV per message using SecureRandom: `byte[] iv = new byte[12]; SecureRandom.getInstanceStrong().nextBytes(iv); new IvParameterSpec(iv);` and prepend it to the ciphertext.";
+      case "hardcoded-key":
+        return "Load the key from a secure key management system (HSM, KMS, Vault) or platform keystore. Never embed key material in source code.";
+      case "weak-rsa-key":
+        return "Initialize KeyPairGenerator with at least 2048 bits (preferably 3072 or 4096) for RSA, or switch to EC keys (P-256+).";
+      default:
+        return "Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, 3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption use RSA-OAEP with \u22652048-bit keys or modern curve-based schemes.";
+    }
+  }
   detect(call, language) {
     const method = call.method_name;
     const receiver = call.receiver ?? "";
@@ -27405,6 +27476,33 @@ var WeakCryptoPass = class {
           if (ecb) out2.push({ issue: "ecb-mode", detail: spec, api });
         }
       }
+      if (method === "IvParameterSpec" && isJavaCtor(call, "IvParameterSpec")) {
+        const ivDetail = detectStaticIvJava(call);
+        if (ivDetail) {
+          out2.push({ issue: "static-iv", detail: ivDetail, api: "new IvParameterSpec" });
+        }
+      }
+      if (method === "SecretKeySpec" && isJavaCtor(call, "SecretKeySpec")) {
+        const keyDetail = detectHardcodedKeyJava(call);
+        if (keyDetail) {
+          out2.push({ issue: "hardcoded-key", detail: keyDetail, api: "new SecretKeySpec" });
+        }
+      }
+      if (method === "initialize") {
+        const isKpg = call.receiver_type === "KeyPairGenerator" || (call.receiver_type_fqn ?? "").endsWith(".KeyPairGenerator");
+        if (isKpg) {
+          const sizeArg = call.arguments.find((a) => a.position === 0);
+          const expr = (sizeArg?.literal ?? sizeArg?.expression ?? "").trim();
+          const n = parseInt(expr, 10);
+          if (Number.isFinite(n) && n > 0 && n < 2048) {
+            out2.push({
+              issue: "weak-rsa-key",
+              detail: String(n),
+              api: "KeyPairGenerator.initialize"
+            });
+          }
+        }
+      }
       return out2;
     }
     if (language === "python") {

package/dist/core/circle-ir-core.cjs

@@ -10003,6 +10003,13 @@ var DEFAULT_SOURCES = [
   { method: "getFileName", class: "BodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getFileName", class: "MimeBodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getDisposition", class: "Part", type: "file_input", severity: "medium", return_tainted: true },
+  // Archive entry names (Zip-Slip / Tar-Slip CWE-22, issue #52)
+  // entry.getName() returns a path that may contain ../ — flowing into File()/FileOutputStream()
+  // is a classic Zip-Slip vulnerability.
+  { method: "getName", class: "ZipEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ZipArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "TarArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
   // Command line arguments
   { method: "getArgs", type: "io_input", severity: "high", return_tainted: true },
   { method: "getOptionValue", class: "CommandLine", type: "io_input", severity: "high", return_tainted: true },
@@ -10437,7 +10444,7 @@ var DEFAULT_SINKS = [
   { method: "staticFileLocation", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // Zip/archive handling
   { method: "getEntry", class: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "getName", class: "ZipEntry", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [] },
+  // ZipEntry.getName moved to file_sources.yaml as a taint SOURCE (type=archive_entry, issue #52)
   // Resource loading classes (various frameworks)
   { method: "ClassPathResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileSystemResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -12033,10 +12040,11 @@ function matchesSourcePattern(call, pattern) {
       return false;
     }
     if (pattern.class && pattern.class !== "constructor") {
-      if (!call.receiver) {
+      if (call.receiver_type && call.receiver_type === pattern.class) {
+      } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+      } else if (!call.receiver) {
         return false;
-      }
-      if (!receiverMightBeClass(call.receiver, pattern.class)) {
+      } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
     }
@@ -12294,13 +12302,14 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
     if (pattern.class === "constructor") {
       return true;
     }
-    if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
+    if (call.receiver_type && call.receiver_type === pattern.class) {
+    } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+    } else if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
       if (typeHierarchy && typeHierarchy.couldBeType(call.receiver, pattern.class)) {
         return true;
       }
       return false;
-    }
-    if (!call.receiver) {
+    } else if (!call.receiver && !call.receiver_type) {
       return false;
     }
   }

package/dist/core/circle-ir-core.js

@@ -9937,6 +9937,13 @@ var DEFAULT_SOURCES = [
   { method: "getFileName", class: "BodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getFileName", class: "MimeBodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getDisposition", class: "Part", type: "file_input", severity: "medium", return_tainted: true },
+  // Archive entry names (Zip-Slip / Tar-Slip CWE-22, issue #52)
+  // entry.getName() returns a path that may contain ../ — flowing into File()/FileOutputStream()
+  // is a classic Zip-Slip vulnerability.
+  { method: "getName", class: "ZipEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ZipArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "TarArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
   // Command line arguments
   { method: "getArgs", type: "io_input", severity: "high", return_tainted: true },
   { method: "getOptionValue", class: "CommandLine", type: "io_input", severity: "high", return_tainted: true },
@@ -10371,7 +10378,7 @@ var DEFAULT_SINKS = [
   { method: "staticFileLocation", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // Zip/archive handling
   { method: "getEntry", class: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "getName", class: "ZipEntry", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [] },
+  // ZipEntry.getName moved to file_sources.yaml as a taint SOURCE (type=archive_entry, issue #52)
   // Resource loading classes (various frameworks)
   { method: "ClassPathResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileSystemResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -11967,10 +11974,11 @@ function matchesSourcePattern(call, pattern) {
       return false;
     }
     if (pattern.class && pattern.class !== "constructor") {
-      if (!call.receiver) {
+      if (call.receiver_type && call.receiver_type === pattern.class) {
+      } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+      } else if (!call.receiver) {
         return false;
-      }
-      if (!receiverMightBeClass(call.receiver, pattern.class)) {
+      } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
     }
@@ -12228,13 +12236,14 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
     if (pattern.class === "constructor") {
       return true;
     }
-    if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
+    if (call.receiver_type && call.receiver_type === pattern.class) {
+    } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+    } else if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
       if (typeHierarchy && typeHierarchy.couldBeType(call.receiver, pattern.class)) {
         return true;
       }
       return false;
-    }
-    if (!call.receiver) {
+    } else if (!call.receiver && !call.receiver_type) {
       return false;
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.52.0",
+  "version": "3.53.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",