circle-ir 3.53.0 → 3.55.0

package/dist/analysis/config-loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAob1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA8wCtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAoMhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
+{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAob1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAs2CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAoMhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}

package/dist/analysis/config-loader.js

@@ -732,9 +732,16 @@ export const DEFAULT_SINKS = [
     { method: 'println', class: 'ServletOutputStream', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
     // XSS in error messages (CWE-81)
     { method: 'sendError', class: 'HttpServletResponse', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
-    // Response header injection (can lead to header XSS)
-    { method: 'setHeader', class: 'HttpServletResponse', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
-    { method: 'addHeader', class: 'HttpServletResponse', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
+    // Response header injection — re-categorised from `xss` to `crlf`
+    // (CWE-113) in Sprint 6 of #86. Header injection is HTTP response
+    // splitting / cache-poisoning / cookie forging; reflected XSS via header
+    // reflection remains a downstream concern of body-writing sinks.
+    { method: 'setHeader', class: 'HttpServletResponse', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1] },
+    { method: 'addHeader', class: 'HttpServletResponse', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1] },
+    // Note: `sendRedirect` is primarily classified as `ssrf` / open-redirect
+    // (CWE-601) further down — see entry near line 1195. CRLF via Location
+    // header is a secondary concern; keeping the canonical SSRF entry avoids
+    // double-emission that would mask the open-redirect chain.
     { method: 'setContentType', class: 'HttpServletResponse', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
     // JSP output
     { method: 'setAttribute', class: 'PageContext', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
@@ -1652,6 +1659,83 @@ export const DEFAULT_SINKS = [
     { method: 'from_reader', class: 'serde_yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
     { method: 'from_str', class: 'serde_json', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0] },
     { method: 'from_slice', class: 'serde_json', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0] },
+    // =========================================================================
+    // ReDoS sinks (CWE-1333) — issue #86 / Sprint 5
+    // =========================================================================
+    // First argument of regex compile/match functions is the pattern. Tainted
+    // patterns enable catastrophic-backtracking DoS.
+    // Python: re.{match,search,compile,findall,fullmatch,sub,subn,split}
+    { method: 'match', class: 're', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['python'] },
+    { method: 'search', class: 're', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['python'] },
+    { method: 'fullmatch', class: 're', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['python'] },
+    { method: 'compile', class: 're', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['python'] },
+    { method: 'findall', class: 're', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['python'] },
+    { method: 'finditer', class: 're', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['python'] },
+    { method: 'sub', class: 're', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['python'] },
+    { method: 'subn', class: 're', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['python'] },
+    { method: 'split', class: 're', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['python'] },
+    // Java: Pattern.compile / Pattern.matches; String.matches/replaceAll/replaceFirst/split
+    { method: 'compile', class: 'Pattern', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['java'] },
+    { method: 'matches', class: 'Pattern', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['java'] },
+    { method: 'matches', class: 'String', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['java'] },
+    { method: 'replaceAll', class: 'String', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['java'] },
+    { method: 'replaceFirst', class: 'String', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['java'] },
+    { method: 'split', class: 'String', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['java'] },
+    // JS/TS: new RegExp(pat) ctor; receiver_type === 'RegExp'. Also string.match
+    // and string.matchAll, replace, search take a regex/string pattern.
+    { method: 'RegExp', class: 'constructor', type: 'redos', cwe: 'CWE-1333', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
+    // Go: regexp.Compile / MustCompile / Match / MatchString
+    { method: 'Compile', class: 'regexp', type: 'redos', cwe: 'CWE-1333', severity: 'medium', arg_positions: [0], languages: ['go'] },
+    { method: 'MustCompile', class: 'regexp', type: 'redos', cwe: 'CWE-1333', severity: 'medium', arg_positions: [0], languages: ['go'] },
+    { method: 'Match', class: 'regexp', type: 'redos', cwe: 'CWE-1333', severity: 'medium', arg_positions: [0], languages: ['go'] },
+    { method: 'MatchString', class: 'regexp', type: 'redos', cwe: 'CWE-1333', severity: 'medium', arg_positions: [0], languages: ['go'] },
+    // =========================================================================
+    // Format-string sinks (CWE-134) — issue #86 / Sprint 5
+    // =========================================================================
+    // First argument is the format string. Tainted format strings enable
+    // information disclosure and (for C-style runtimes) memory writes.
+    // Java: String.format / Formatter.format / printf / format on PrintStream
+    // (note: printf/format on PrintWriter/PrintStream are already XSS sinks above)
+    { method: 'format', class: 'String', type: 'format_string', cwe: 'CWE-134', severity: 'high', arg_positions: [0], languages: ['java'] },
+    { method: 'format', class: 'Formatter', type: 'format_string', cwe: 'CWE-134', severity: 'high', arg_positions: [0], languages: ['java'] },
+    { method: 'printf', class: 'System.out', type: 'format_string', cwe: 'CWE-134', severity: 'high', arg_positions: [0], languages: ['java'] },
+    // NOTE: Python `userFmt.format(...)` and `userFmt % args` require
+    // receiver-taint or operator-LHS-taint tracking — the format string is the
+    // receiver, not an argument. Deferred to Sprint 6 (#86 follow-up).
+    // C-style: printf / fprintf / sprintf / snprintf via ctypes/cffi.
+    { method: 'printf', type: 'format_string', cwe: 'CWE-134', severity: 'high', arg_positions: [0], languages: ['python'] },
+    { method: 'fprintf', type: 'format_string', cwe: 'CWE-134', severity: 'high', arg_positions: [1], languages: ['python'] },
+    // Go: fmt.Sprintf/Printf/Fprintf/Errorf — format string is first/second arg
+    { method: 'Sprintf', class: 'fmt', type: 'format_string', cwe: 'CWE-134', severity: 'medium', arg_positions: [0], languages: ['go'] },
+    { method: 'Printf', class: 'fmt', type: 'format_string', cwe: 'CWE-134', severity: 'medium', arg_positions: [0], languages: ['go'] },
+    { method: 'Errorf', class: 'fmt', type: 'format_string', cwe: 'CWE-134', severity: 'medium', arg_positions: [0], languages: ['go'] },
+    { method: 'Fprintf', class: 'fmt', type: 'format_string', cwe: 'CWE-134', severity: 'medium', arg_positions: [1], languages: ['go'] },
+    // CRLF / HTTP response splitting (CWE-113) — Sprint 6, #86.
+    // Node.js / Express response header / cookie sinks. The header *name* (arg 0)
+    // is also CRLF-sensitive but is almost always a string literal; we model
+    // arg 1 (the value) as the primary sink.
+    { method: 'setHeader', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['javascript', 'typescript'] },
+    { method: 'writeHead', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [2], languages: ['javascript', 'typescript'] },
+    // Express: res.cookie(name, value, options) — value is CRLF-sensitive.
+    { method: 'cookie', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['javascript', 'typescript'] },
+    // Express: res.location(url) and res.redirect(url) — Location header.
+    { method: 'location', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [0], languages: ['javascript', 'typescript'] },
+    { method: 'redirect', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [0], languages: ['javascript', 'typescript'] },
+    // Go net/http: w.Header().Set(k, v) / Add(k, v) — first arg is the value
+    // (Header is a map; the actual `value` is arg 1 of the call). We flag the
+    // value position so a tainted variable is detected.
+    { method: 'Set', class: 'Header', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['go'] },
+    { method: 'Add', class: 'Header', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['go'] },
+    // Mass-assignment (CWE-915) — Sprint 6, #86.
+    // JS Object.assign(target, ...sources) — sources are arg 1..N, and if any
+    // source is request-tainted, every key gets written onto the target. We
+    // flag the source positions; the analyzer only needs one tainted to fire.
+    { method: 'assign', class: 'Object', type: 'mass_assignment', cwe: 'CWE-915', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+    // Lodash bulk-merge helpers behave identically.
+    { method: 'merge', class: '_', type: 'mass_assignment', cwe: 'CWE-915', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+    { method: 'extend', class: '_', type: 'mass_assignment', cwe: 'CWE-915', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+    // jQuery $.extend(target, source) (legacy).
+    { method: 'extend', class: '$', type: 'mass_assignment', cwe: 'CWE-915', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
 ];
 export const DEFAULT_SANITIZERS = [
     // SQL Injection - proper parameter binding sanitizes input