circle-ir 3.52.0 → 3.54.0

package/dist/browser/circle-ir.js

@@ -10621,6 +10621,13 @@ var DEFAULT_SOURCES = [
   { method: "getFileName", class: "BodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getFileName", class: "MimeBodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getDisposition", class: "Part", type: "file_input", severity: "medium", return_tainted: true },
+  // Archive entry names (Zip-Slip / Tar-Slip CWE-22, issue #52)
+  // entry.getName() returns a path that may contain ../ — flowing into File()/FileOutputStream()
+  // is a classic Zip-Slip vulnerability.
+  { method: "getName", class: "ZipEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ZipArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "TarArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
   // Command line arguments
   { method: "getArgs", type: "io_input", severity: "high", return_tainted: true },
   { method: "getOptionValue", class: "CommandLine", type: "io_input", severity: "high", return_tainted: true },
@@ -11055,7 +11062,7 @@ var DEFAULT_SINKS = [
   { method: "staticFileLocation", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // Zip/archive handling
   { method: "getEntry", class: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "getName", class: "ZipEntry", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [] },
+  // ZipEntry.getName moved to file_sources.yaml as a taint SOURCE (type=archive_entry, issue #52)
   // Resource loading classes (various frameworks)
   { method: "ClassPathResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileSystemResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -12090,7 +12097,58 @@ var DEFAULT_SINKS = [
   { method: "from_str", class: "serde_yaml", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
   { method: "from_reader", class: "serde_yaml", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
   { method: "from_str", class: "serde_json", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] },
-  { method: "from_slice", class: "serde_json", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] }
+  { method: "from_slice", class: "serde_json", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] },
+  // =========================================================================
+  // ReDoS sinks (CWE-1333) — issue #86 / Sprint 5
+  // =========================================================================
+  // First argument of regex compile/match functions is the pattern. Tainted
+  // patterns enable catastrophic-backtracking DoS.
+  // Python: re.{match,search,compile,findall,fullmatch,sub,subn,split}
+  { method: "match", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "search", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "fullmatch", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "compile", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "findall", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "finditer", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "sub", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "subn", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "split", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  // Java: Pattern.compile / Pattern.matches; String.matches/replaceAll/replaceFirst/split
+  { method: "compile", class: "Pattern", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "matches", class: "Pattern", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "matches", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "replaceAll", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "replaceFirst", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "split", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  // JS/TS: new RegExp(pat) ctor; receiver_type === 'RegExp'. Also string.match
+  // and string.matchAll, replace, search take a regex/string pattern.
+  { method: "RegExp", class: "constructor", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Go: regexp.Compile / MustCompile / Match / MatchString
+  { method: "Compile", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "MustCompile", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Match", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "MatchString", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  // =========================================================================
+  // Format-string sinks (CWE-134) — issue #86 / Sprint 5
+  // =========================================================================
+  // First argument is the format string. Tainted format strings enable
+  // information disclosure and (for C-style runtimes) memory writes.
+  // Java: String.format / Formatter.format / printf / format on PrintStream
+  // (note: printf/format on PrintWriter/PrintStream are already XSS sinks above)
+  { method: "format", class: "String", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "format", class: "Formatter", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "printf", class: "System.out", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["java"] },
+  // NOTE: Python `userFmt.format(...)` and `userFmt % args` require
+  // receiver-taint or operator-LHS-taint tracking — the format string is the
+  // receiver, not an argument. Deferred to Sprint 6 (#86 follow-up).
+  // C-style: printf / fprintf / sprintf / snprintf via ctypes/cffi.
+  { method: "printf", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "fprintf", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [1], languages: ["python"] },
+  // Go: fmt.Sprintf/Printf/Fprintf/Errorf — format string is first/second arg
+  { method: "Sprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Printf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Errorf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] }
 ];
 var DEFAULT_SANITIZERS = [
   // SQL Injection - proper parameter binding sanitizes input
@@ -12738,10 +12796,11 @@ function matchesSourcePattern(call, pattern) {
       return false;
     }
     if (pattern.class && pattern.class !== "constructor") {
-      if (!call.receiver) {
+      if (call.receiver_type && call.receiver_type === pattern.class) {
+      } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+      } else if (!call.receiver) {
         return false;
-      }
-      if (!receiverMightBeClass(call.receiver, pattern.class)) {
+      } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
     }
@@ -12999,13 +13058,14 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
     if (pattern.class === "constructor") {
       return true;
     }
-    if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
+    if (call.receiver_type && call.receiver_type === pattern.class) {
+    } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+    } else if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
       if (typeHierarchy && typeHierarchy.couldBeType(call.receiver, pattern.class)) {
         return true;
       }
       return false;
-    }
-    if (!call.receiver) {
+    } else if (!call.receiver && !call.receiver_type) {
       return false;
     }
   }
@@ -14771,7 +14831,9 @@ var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
   "xxe",
   "deserialization",
   "code_injection",
-  "mybatis_mapper_call"
+  "mybatis_mapper_call",
+  "redos",
+  "format_string"
 ]);
 function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
   const sanitizersAtTarget = sanitizersByLine.get(toLine);
@@ -27347,6 +27409,50 @@ function literalAlgo2(call, position) {
   const cleaned = stripQuotes5(raw);
   return cleaned || null;
 }
+function detectStaticIvJava(call) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg) return null;
+  const expr = (arg.literal ?? arg.expression ?? "").trim();
+  if (!expr) return null;
+  if (/^new\s+byte\s*\[[^\]]*\]\s*$/.test(expr)) {
+    return `zero-filled ${expr}`;
+  }
+  if (/^new\s+byte\s*\[\s*\]\s*\{[^}]*\}\s*$/.test(expr)) {
+    return `literal byte[] initializer`;
+  }
+  if (/^"[^"]*"\.getBytes\s*\(/.test(expr)) {
+    return `literal string .getBytes()`;
+  }
+  if (/^"[^"]*"$/.test(expr)) {
+    return `literal string`;
+  }
+  return null;
+}
+function isJavaCtor(call, className) {
+  if (call.is_constructor === true) return true;
+  if (call.receiver) return false;
+  if (call.receiver_type === className) return true;
+  if ((call.receiver_type_fqn ?? "").endsWith("." + className)) return true;
+  return false;
+}
+function detectHardcodedKeyJava(call) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg) return null;
+  const expr = (arg.literal ?? arg.expression ?? "").trim();
+  if (!expr) return null;
+  if (/^"[^"]*"\.getBytes\s*\(/.test(expr)) return `literal string .getBytes()`;
+  if (/^new\s+byte\s*\[\s*\]\s*\{[^}]*\}\s*$/.test(expr)) return `literal byte[] initializer`;
+  if (/^"[^"]*"$/.test(expr)) return `literal string`;
+  return null;
+}
+var ISSUE_CWE = {
+  "weak-cipher": "CWE-327",
+  "ecb-mode": "CWE-327",
+  "deprecated-api": "CWE-327",
+  "static-iv": "CWE-329",
+  "hardcoded-key": "CWE-321",
+  "weak-rsa-key": "CWE-326"
+};
 var WeakCryptoPass = class {
   name = "weak-crypto";
   category = "security";
@@ -27365,13 +27471,13 @@ var WeakCryptoPass = class {
           pass: this.name,
           category: this.category,
           rule_id: this.name,
-          cwe: "CWE-327",
+          cwe: ISSUE_CWE[det.issue],
           severity: "high",
           level: "error",
           message,
           file,
           line,
-          fix: "Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, 3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption use RSA-OAEP with \u22652048-bit keys or modern curve-based schemes.",
+          fix: this.buildFix(det.issue),
           evidence: { ...det, language }
         });
       }
@@ -27386,10 +27492,28 @@ var WeakCryptoPass = class {
         return `ECB block-cipher mode used via \`${det.api}\` (\`${det.detail}\`). ECB leaks plaintext structure (identical blocks \u2192 identical ciphertext) and is not semantically secure.`;
       case "deprecated-api":
         return `Deprecated crypto API \`${det.api}\` used (no IV: \`${det.detail}\`). This API derives the key/IV from a password in an insecure way.`;
+      case "static-iv":
+        return `Static or zero-valued IV passed to \`${det.api}\` (\`${det.detail}\`). Reusing a fixed IV with CBC/CTR/GCM breaks confidentiality and, for GCM, can leak the authentication key.`;
+      case "hardcoded-key":
+        return `Hardcoded symmetric key material passed to \`${det.api}\` (\`${det.detail}\`). Keys embedded in source code are trivially recoverable from binaries and shared across deployments \u2014 they provide no confidentiality.`;
+      case "weak-rsa-key":
+        return `Weak RSA key size \`${det.detail}\` requested via \`${det.api}\`. RSA keys below 2048 bits are factorable and not compliant with NIST SP 800-57 / FIPS 186-5.`;
       default:
         return `Weak cryptography: ${det.detail} (${det.api})`;
     }
   }
+  buildFix(issue) {
+    switch (issue) {
+      case "static-iv":
+        return "Generate a fresh random IV per message using SecureRandom: `byte[] iv = new byte[12]; SecureRandom.getInstanceStrong().nextBytes(iv); new IvParameterSpec(iv);` and prepend it to the ciphertext.";
+      case "hardcoded-key":
+        return "Load the key from a secure key management system (HSM, KMS, Vault) or platform keystore. Never embed key material in source code.";
+      case "weak-rsa-key":
+        return "Initialize KeyPairGenerator with at least 2048 bits (preferably 3072 or 4096) for RSA, or switch to EC keys (P-256+).";
+      default:
+        return "Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, 3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption use RSA-OAEP with \u22652048-bit keys or modern curve-based schemes.";
+    }
+  }
   detect(call, language) {
     const method = call.method_name;
     const receiver = call.receiver ?? "";
@@ -27405,6 +27529,33 @@ var WeakCryptoPass = class {
           if (ecb) out2.push({ issue: "ecb-mode", detail: spec, api });
         }
       }
+      if (method === "IvParameterSpec" && isJavaCtor(call, "IvParameterSpec")) {
+        const ivDetail = detectStaticIvJava(call);
+        if (ivDetail) {
+          out2.push({ issue: "static-iv", detail: ivDetail, api: "new IvParameterSpec" });
+        }
+      }
+      if (method === "SecretKeySpec" && isJavaCtor(call, "SecretKeySpec")) {
+        const keyDetail = detectHardcodedKeyJava(call);
+        if (keyDetail) {
+          out2.push({ issue: "hardcoded-key", detail: keyDetail, api: "new SecretKeySpec" });
+        }
+      }
+      if (method === "initialize") {
+        const isKpg = call.receiver_type === "KeyPairGenerator" || (call.receiver_type_fqn ?? "").endsWith(".KeyPairGenerator");
+        if (isKpg) {
+          const sizeArg = call.arguments.find((a) => a.position === 0);
+          const expr = (sizeArg?.literal ?? sizeArg?.expression ?? "").trim();
+          const n = parseInt(expr, 10);
+          if (Number.isFinite(n) && n > 0 && n < 2048) {
+            out2.push({
+              issue: "weak-rsa-key",
+              detail: String(n),
+              api: "KeyPairGenerator.initialize"
+            });
+          }
+        }
+      }
       return out2;
     }
     if (language === "python") {
@@ -27830,6 +27981,112 @@ var TlsVerifyDisabledPass = class {
   }
 };
 
+// src/analysis/passes/jwt-verify-disabled-pass.ts
+var PY_VERIFY_SIGNATURE_FALSE_RE = /["']verify_signature["']\s*:\s*False\b/;
+var PY_VERIFY_KW_FALSE_RE = /\bverify\s*=\s*False\b/;
+var PY_ALG_NONE_RE = /\balgorithms\s*=\s*[\[\(]\s*["']none["']/i;
+var JS_ALG_NONE_RE = /\balgorithms\s*:\s*\[\s*["']none["']/i;
+var JwtVerifyDisabledPass = class {
+  name = "jwt-verify-disabled";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detections = this.detect(call, language);
+      for (const det of detections) {
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.pattern}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-347",
+          severity: "critical",
+          level: "error",
+          message: `JWT signature verification disabled via \`${det.pattern}\` in \`${det.api}\`. Any attacker can forge a token with arbitrary claims (user id, roles, expiry) since the signature is not checked.`,
+          file,
+          line,
+          fix: this.fixFor(language),
+          evidence: { ...det, language }
+        });
+      }
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name;
+    const receiver = call.receiver ?? "";
+    const out2 = [];
+    if (language === "python") {
+      if (receiver === "jwt" && method === "decode") {
+        for (const arg of call.arguments) {
+          const expr = (arg.expression ?? "").trim();
+          if (!expr) continue;
+          if (PY_VERIFY_SIGNATURE_FALSE_RE.test(expr)) {
+            out2.push({ pattern: "verify_signature: False", api: "jwt.decode" });
+          }
+          if (PY_VERIFY_KW_FALSE_RE.test(expr)) {
+            out2.push({ pattern: "verify=False", api: "jwt.decode" });
+          }
+          if (PY_ALG_NONE_RE.test(expr)) {
+            out2.push({ pattern: "algorithms=['none']", api: "jwt.decode" });
+          }
+        }
+      }
+      return out2;
+    }
+    if (language === "javascript" || language === "typescript") {
+      if (receiver === "jwt" && method === "verify") {
+        for (const arg of call.arguments) {
+          const expr = (arg.expression ?? "").trim();
+          if (!expr) continue;
+          if (JS_ALG_NONE_RE.test(expr)) {
+            out2.push({ pattern: "algorithms: ['none']", api: "jwt.verify" });
+          }
+          if (/\bverify\s*:\s*false\b/i.test(expr)) {
+            out2.push({ pattern: "verify: false", api: "jwt.verify" });
+          }
+        }
+        const keyArg = call.arguments.find((a) => a.position === 1);
+        const keyExpr = (keyArg?.expression ?? keyArg?.literal ?? "").trim();
+        if (keyExpr === "null" || keyExpr === "undefined" || keyExpr === '""' || keyExpr === "''" || keyExpr === "``") {
+          out2.push({ pattern: `empty key (${keyExpr || "missing"})`, api: "jwt.verify" });
+        }
+      }
+      return out2;
+    }
+    if (language === "java") {
+      if (method === "require" && (receiver === "JWT" || receiver.endsWith(".JWT"))) {
+        const arg = call.arguments.find((a) => a.position === 0);
+        const expr = (arg?.expression ?? "").trim();
+        if (/\bAlgorithm\s*\.\s*none\s*\(/.test(expr)) {
+          out2.push({ pattern: "Algorithm.none()", api: "JWT.require" });
+        }
+      }
+      if (method === "parse" && receiver.includes("parser")) {
+        out2.push({ pattern: "parse() instead of parseClaimsJws()", api: "Jwts.parser().parse" });
+      }
+      return out2;
+    }
+    return out2;
+  }
+  fixFor(language) {
+    if (language === "python") {
+      return 'Always pass `options={"verify_signature": True}` (the default in PyJWT 2.0+) and a concrete `algorithms=["HS256"|"RS256"]` list. Never accept `none`.';
+    }
+    if (language === "javascript" || language === "typescript") {
+      return 'Call `jwt.verify(token, secret, { algorithms: ["HS256" | "RS256"] })` with a non-empty key. Never use `algorithms: ["none"]` or pass null/empty as the secret.';
+    }
+    if (language === "java") {
+      return "For auth0/java-jwt: use `JWT.require(Algorithm.HMAC256(secret))` or an RSA algorithm. For jjwt: call `parseClaimsJws(token)` (signature enforced) rather than `parse(token)` (signature ignored).";
+    }
+    return "Enforce JWT signature verification with a concrete algorithm (HS256/RS256/ES256). Never accept `alg: none`.";
+  }
+};
+
 // src/analysis/metrics/passes/size-metrics-pass.ts
 var SizeMetricsPass = class {
   name = "size-metrics";
@@ -28731,6 +28988,7 @@ async function analyze(code, filePath, language, options = {}) {
     if (!disabledPasses.has("weak-crypto")) pipeline.add(new WeakCryptoPass());
     if (!disabledPasses.has("weak-random")) pipeline.add(new WeakRandomPass());
     if (!disabledPasses.has("tls-verify-disabled")) pipeline.add(new TlsVerifyDisabledPass());
+    if (!disabledPasses.has("jwt-verify-disabled")) pipeline.add(new JwtVerifyDisabledPass());
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");

package/dist/core/circle-ir-core.cjs

@@ -10003,6 +10003,13 @@ var DEFAULT_SOURCES = [
   { method: "getFileName", class: "BodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getFileName", class: "MimeBodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getDisposition", class: "Part", type: "file_input", severity: "medium", return_tainted: true },
+  // Archive entry names (Zip-Slip / Tar-Slip CWE-22, issue #52)
+  // entry.getName() returns a path that may contain ../ — flowing into File()/FileOutputStream()
+  // is a classic Zip-Slip vulnerability.
+  { method: "getName", class: "ZipEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ZipArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "TarArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
   // Command line arguments
   { method: "getArgs", type: "io_input", severity: "high", return_tainted: true },
   { method: "getOptionValue", class: "CommandLine", type: "io_input", severity: "high", return_tainted: true },
@@ -10437,7 +10444,7 @@ var DEFAULT_SINKS = [
   { method: "staticFileLocation", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // Zip/archive handling
   { method: "getEntry", class: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "getName", class: "ZipEntry", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [] },
+  // ZipEntry.getName moved to file_sources.yaml as a taint SOURCE (type=archive_entry, issue #52)
   // Resource loading classes (various frameworks)
   { method: "ClassPathResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileSystemResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -11472,7 +11479,58 @@ var DEFAULT_SINKS = [
   { method: "from_str", class: "serde_yaml", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
   { method: "from_reader", class: "serde_yaml", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
   { method: "from_str", class: "serde_json", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] },
-  { method: "from_slice", class: "serde_json", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] }
+  { method: "from_slice", class: "serde_json", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] },
+  // =========================================================================
+  // ReDoS sinks (CWE-1333) — issue #86 / Sprint 5
+  // =========================================================================
+  // First argument of regex compile/match functions is the pattern. Tainted
+  // patterns enable catastrophic-backtracking DoS.
+  // Python: re.{match,search,compile,findall,fullmatch,sub,subn,split}
+  { method: "match", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "search", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "fullmatch", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "compile", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "findall", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "finditer", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "sub", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "subn", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "split", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  // Java: Pattern.compile / Pattern.matches; String.matches/replaceAll/replaceFirst/split
+  { method: "compile", class: "Pattern", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "matches", class: "Pattern", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "matches", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "replaceAll", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "replaceFirst", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "split", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  // JS/TS: new RegExp(pat) ctor; receiver_type === 'RegExp'. Also string.match
+  // and string.matchAll, replace, search take a regex/string pattern.
+  { method: "RegExp", class: "constructor", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Go: regexp.Compile / MustCompile / Match / MatchString
+  { method: "Compile", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "MustCompile", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Match", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "MatchString", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  // =========================================================================
+  // Format-string sinks (CWE-134) — issue #86 / Sprint 5
+  // =========================================================================
+  // First argument is the format string. Tainted format strings enable
+  // information disclosure and (for C-style runtimes) memory writes.
+  // Java: String.format / Formatter.format / printf / format on PrintStream
+  // (note: printf/format on PrintWriter/PrintStream are already XSS sinks above)
+  { method: "format", class: "String", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "format", class: "Formatter", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "printf", class: "System.out", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["java"] },
+  // NOTE: Python `userFmt.format(...)` and `userFmt % args` require
+  // receiver-taint or operator-LHS-taint tracking — the format string is the
+  // receiver, not an argument. Deferred to Sprint 6 (#86 follow-up).
+  // C-style: printf / fprintf / sprintf / snprintf via ctypes/cffi.
+  { method: "printf", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "fprintf", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [1], languages: ["python"] },
+  // Go: fmt.Sprintf/Printf/Fprintf/Errorf — format string is first/second arg
+  { method: "Sprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Printf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Errorf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] }
 ];
 var DEFAULT_SANITIZERS = [
   // SQL Injection - proper parameter binding sanitizes input
@@ -12033,10 +12091,11 @@ function matchesSourcePattern(call, pattern) {
       return false;
     }
     if (pattern.class && pattern.class !== "constructor") {
-      if (!call.receiver) {
+      if (call.receiver_type && call.receiver_type === pattern.class) {
+      } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+      } else if (!call.receiver) {
         return false;
-      }
-      if (!receiverMightBeClass(call.receiver, pattern.class)) {
+      } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
     }
@@ -12294,13 +12353,14 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
     if (pattern.class === "constructor") {
       return true;
     }
-    if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
+    if (call.receiver_type && call.receiver_type === pattern.class) {
+    } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+    } else if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
       if (typeHierarchy && typeHierarchy.couldBeType(call.receiver, pattern.class)) {
         return true;
       }
       return false;
-    }
-    if (!call.receiver) {
+    } else if (!call.receiver && !call.receiver_type) {
       return false;
     }
   }
@@ -13124,7 +13184,9 @@ var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
   "xxe",
   "deserialization",
   "code_injection",
-  "mybatis_mapper_call"
+  "mybatis_mapper_call",
+  "redos",
+  "format_string"
 ]);
 function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
   const sanitizersAtTarget = sanitizersByLine.get(toLine);