circle-ir 3.53.0 → 3.55.0
- package/dist/analysis/config-loader.d.ts.map +1 -1
- package/dist/analysis/config-loader.js +87 -3
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/findings.d.ts.map +1 -1
- package/dist/analysis/findings.js +11 -6
- package/dist/analysis/findings.js.map +1 -1
- package/dist/analysis/passes/csrf-protection-disabled-pass.d.ts +42 -0
- package/dist/analysis/passes/csrf-protection-disabled-pass.d.ts.map +1 -0
- package/dist/analysis/passes/csrf-protection-disabled-pass.js +185 -0
- package/dist/analysis/passes/csrf-protection-disabled-pass.js.map +1 -0
- package/dist/analysis/passes/jwt-verify-disabled-pass.d.ts +45 -0
- package/dist/analysis/passes/jwt-verify-disabled-pass.d.ts.map +1 -0
- package/dist/analysis/passes/jwt-verify-disabled-pass.js +164 -0
- package/dist/analysis/passes/jwt-verify-disabled-pass.js.map +1 -0
- package/dist/analysis/passes/mass-assignment-pass.d.ts +41 -0
- package/dist/analysis/passes/mass-assignment-pass.d.ts.map +1 -0
- package/dist/analysis/passes/mass-assignment-pass.js +124 -0
- package/dist/analysis/passes/mass-assignment-pass.js.map +1 -0
- package/dist/analysis/passes/xml-entity-expansion-pass.d.ts +58 -0
- package/dist/analysis/passes/xml-entity-expansion-pass.d.ts.map +1 -0
- package/dist/analysis/passes/xml-entity-expansion-pass.js +196 -0
- package/dist/analysis/passes/xml-entity-expansion-pass.js.map +1 -0
- package/dist/analysis/rules.d.ts.map +1 -1
- package/dist/analysis/rules.js +36 -0
- package/dist/analysis/rules.js.map +1 -1
- package/dist/analysis/taint-propagation.d.ts.map +1 -1
- package/dist/analysis/taint-propagation.js +1 -0
- package/dist/analysis/taint-propagation.js.map +1 -1
- package/dist/analyzer.d.ts.map +1 -1
- package/dist/analyzer.js +12 -0
- package/dist/analyzer.js.map +1 -1
- package/dist/browser/circle-ir.js +549 -11
- package/dist/core/circle-ir-core.cjs +93 -5
- package/dist/core/circle-ir-core.js +93 -5
- package/dist/types/index.d.ts +1 -1
- package/dist/types/index.d.ts.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"findings.d.ts","sourceRoot":"","sources":["../../src/analysis/findings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EACT,GAAG,EAEH,OAAO,EAEP,QAAQ,EACT,MAAM,mBAAmB,CAAC;AAQ3B;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,WAAW,EAAE,EACtB,KAAK,EAAE,SAAS,EAAE,EAClB,GAAG,EAAE,GAAG,EACR,QAAQ,EAAE,MAAM,GACf,OAAO,EAAE,CAkGX;AAiCD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,
|
|
1
|
+
{"version":3,"file":"findings.d.ts","sourceRoot":"","sources":["../../src/analysis/findings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EACT,GAAG,EAEH,OAAO,EAEP,QAAQ,EACT,MAAM,mBAAmB,CAAC;AAQ3B;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,WAAW,EAAE,EACtB,KAAK,EAAE,SAAS,EAAE,EAClB,GAAG,EAAE,GAAG,EACR,QAAQ,EAAE,MAAM,GACf,OAAO,EAAE,CAkGX;AAiCD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CA4BlF"}
|
|
@@ -135,19 +135,24 @@ export function canSourceReachSink(sourceType, sinkType) {
|
|
|
135
135
|
// code_injection added to http_param/http_query/http_header/http_cookie:
|
|
136
136
|
// `eval(req.query.x)`, `Function(req.header('x'))`, `vm.runInThisContext(req.cookies.c)`
|
|
137
137
|
// are all real RCE patterns in JS web apps (cognium-dev #83).
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
138
|
+
// crlf added to http_param/http_query/http_header/http_cookie/http_body:
|
|
139
|
+
// setHeader/setCookie/redirect of any user-controlled string is CRLF / response
|
|
140
|
+
// splitting (CWE-113) — Sprint 6, issue #86.
|
|
141
|
+
// mass_assignment added to http_body / http_param: Object.assign(user, req.body),
|
|
142
|
+
// User(**request.form) — CWE-915.
|
|
143
|
+
http_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'xpath_injection', 'ldap_injection', 'ssrf', 'mybatis_mapper_call', 'code_injection', 'crlf', 'mass_assignment'],
|
|
144
|
+
http_body: ['sql_injection', 'command_injection', 'deserialization', 'xxe', 'xss', 'code_injection', 'mybatis_mapper_call', 'crlf', 'mass_assignment'],
|
|
145
|
+
http_header: ['sql_injection', 'xss', 'ssrf', 'mybatis_mapper_call', 'code_injection', 'crlf'],
|
|
146
|
+
http_cookie: ['sql_injection', 'xss', 'mybatis_mapper_call', 'code_injection', 'crlf'],
|
|
142
147
|
http_path: ['path_traversal', 'sql_injection', 'ssrf', 'mybatis_mapper_call'],
|
|
143
|
-
http_query: ['sql_injection', 'command_injection', 'xss', 'ssrf', 'mybatis_mapper_call', 'code_injection'],
|
|
148
|
+
http_query: ['sql_injection', 'command_injection', 'xss', 'ssrf', 'mybatis_mapper_call', 'code_injection', 'crlf', 'mass_assignment'],
|
|
144
149
|
io_input: ['command_injection', 'path_traversal', 'deserialization', 'xxe', 'code_injection', 'xss'],
|
|
145
150
|
env_input: ['command_injection', 'path_traversal'],
|
|
146
151
|
db_input: ['xss', 'sql_injection'], // Second-order injection
|
|
147
152
|
file_input: ['deserialization', 'xxe', 'path_traversal', 'command_injection', 'code_injection'],
|
|
148
153
|
network_input: ['sql_injection', 'command_injection', 'xss', 'ssrf'],
|
|
149
154
|
config_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'ssrf'], // Servlet init params
|
|
150
|
-
interprocedural_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'xpath_injection', 'ldap_injection', 'ssrf', 'code_injection', 'mybatis_mapper_call'], // Cross-method taint
|
|
155
|
+
interprocedural_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'xpath_injection', 'ldap_injection', 'ssrf', 'code_injection', 'mybatis_mapper_call', 'crlf', 'mass_assignment'], // Cross-method taint
|
|
151
156
|
plugin_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'code_injection'], // Plugin/config parameters
|
|
152
157
|
};
|
|
153
158
|
const validSinks = sourceToSinkMapping[sourceType];
|
|
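Review bot: The new comment at new lines 141–142 says `mass_assignment` is added to http_body / http_param only, but the sink lists for `http_query` (new line 148) and `interprocedural_param` (new line 155) gain it as well, so the comment under-describes the change; rewrite it as `// mass_assignment added to http_body / http_param / http_query / interprocedural_param: Object.assign(user, req.body),`. By contrast `http_header` and `http_cookie` receive `crlf` but not `mass_assignment`, which matches the comment's intent, and stating that explicitly would stop a later reader from treating the omission as an oversight. `sourceToSinkMapping` is an object literal rebuilt on every call of canSourceReachSink; hoisting it to module scope in the TypeScript source (this is emitted dist output) would avoid that without changing results. canSourceReachSink begins and ends outside the hunk.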
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"findings.js","sourceRoot":"","sources":["../../src/analysis/findings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH,OAAO,EACL,iBAAiB,IAAI,YAAY,EACjC,cAAc,EACd,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AAEpB;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAsB,EACtB,KAAkB,EAClB,GAAQ,EACR,QAAgB;IAEhB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,iDAAiD;IACjD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,qDAAqD;YACrD,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,SAAS;YACX,CAAC;YAED,qCAAqC;YACrC,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAEpD,IAAI,UAAU,CAAC,UAAU,IAAI,wBAAwB,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC;gBACpE,MAAM,QAAQ,GAAG,YAAY,CAAC;oBAC5B,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,UAAU,EAAE,UAAU,CAAC,UAAU;iBAClC,CAAC,CAAC;gBACH,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;gBAEjE,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,OAAO,SAAS,EAAE,EAAE;oBACxB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,QAAQ;oBACR,UAAU;oBACV,MAAM,EAAE;wBACN,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,MAAM,CAAC,IAAI;wBACjB,IAAI,EAAE,MAAM,CAAC,QAAQ;qBACtB;oBACD,IAAI,EAAE;wBACJ,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,IAAI,CAAC,QAAQ;qBACpB;oBACD,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;oBAC9D,WAAW,EAAE,UAAU,CAAC,UAAU,IAAI,UAAU,GAAG,GAAG;oBACtD,WAAW,EAAE,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC;oBAC1D,WAAW,EAAE,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;oBACtC,YAAY,EAAE;wBACZ,iBAAiB,EAAE,UAAU,CAAC,UAAU;wBACxC,YAAY,EAAE,KAAK;wBACnB,cAAc,EAAE,CAAC;wBACjB,eAAe,EAAE,sBAAsB,CAAC,MAAM,EAAE,IAAI,CAAC;qBACtD;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,mDAAmD;IACnD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAmB,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QACvC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACl
C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,CAAC,CAAC,QAAQ,GAAG;gBACX,GAAG,CAAC,CAAC,QAAQ;gBACb,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;aACxD,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACtB,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,CAAE,QAAQ,CAAC,QAAQ,EAAE,OAAiD,IAAI,EAAE,CAAC,CAAC;YAC9F,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3D,QAAQ,CAAC,QAAQ,GAAG,EAAE,GAAG,QAAQ,CAAC,QAAQ,EAAE,OAAO,EAAE,CAAC;YACtD,MAAM,eAAe,GAAG,oBAAoB,CAC1C,QAAQ,CAAC,YAAY,CAAC,eAAe,EACrC,CAAC,CAAC,YAAY,CAAC,eAAe,CAC/B,CAAC;YACF,IAAI,CAAC,CAAC,UAAU,GAAG,QAAQ,CAAC,UAAU,EAAE,CAAC;gBACvC,QAAQ,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;gBACnC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;gBAC3B,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;gBACvB,QAAQ,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC;gBACrC,QAAQ,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY,CAAC;gBACvC,QAAQ,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC;gBACrC,QAAQ,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;YACjC,CAAC;YACD,QAAQ,CAAC,YAAY,CAAC,eAAe,GAAG,eAAe,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE7C,kCAAkC;IAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACpB,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAClE,MAAM,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC3E,IAAI,YAAY,KAAK,CAAC;YAAE,OAAO,YAAY,CAAC;QAC5C,OAAO,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,SAAS,sBAAsB,CAC7B,MAAmB,EACnB,IAAe;IAEf,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,IAAI,QAAQ,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,IAAI,QAAQ,CAAC;IAC7C,IAAI,GAAG,KAAK,GAAG;QAAE,OAAO,GAAG,CAAC;IAC5B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,SAAS,oBAAoB,CAC3B,CAAyC,EACzC,CAAyC;IAEzC,MAAM,IAAI,GAAG,CAAC,IAAI,QAAQ,CAAC;IAC3B,MAAM,KAAK,GAAG,CAAC,IAAI,QAAQ,CAAC;IAC5B,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC
;IAChC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAkB,EAAE,QAAkB;IACvE,MAAM,mBAAmB,GAA+B;QACtD,yEAAyE;QACzE,yFAAyF;QACzF,8DAA8D;QAC9D,UAAU,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,CAAC;QACjK,SAAS,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,CAAC;QAC3H,WAAW,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,CAAC;QACtF,WAAW,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,qBAAqB,EAAE,gBAAgB,CAAC;QAC9E,SAAS,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,MAAM,EAAE,qBAAqB,CAAC;QAC7E,UAAU,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,CAAC;QAC1G,QAAQ,EAAE,CAAC,mBAAmB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE,KAAK,CAAC;QACpG,SAAS,EAAE,CAAC,mBAAmB,EAAE,gBAAgB,CAAC;QAClD,QAAQ,EAAE,CAAC,KAAK,EAAE,eAAe,CAAC,EAAE,yBAAyB;QAC7D,UAAU,EAAE,CAAC,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,gBAAgB,CAAC;QAC/F,aAAa,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,CAAC;QACpE,YAAY,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,CAAC,EAAE,sBAAsB;QAC7G,qBAAqB,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,EAAE,gBAAgB,EAAE,qBAAqB,CAAC,EAAE,qBAAqB;QACnM,YAAY,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,gBAAgB,CAAC,EAAE,2BAA2B;KAC7H,CAAC;IAEF,MAAM,UAAU,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC;IACnD,OAAO,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAC5D,CAAC;AAQD;;GAEG;AACH,SAAS,aAAa,CAAC,MAAmB,EAAE,IAAe,EAAE,GAAQ;IACnE,MAAM,IAAI,GAAe,EAAE,CAAC;IAC5B,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,wCAAwC;IACxC,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACrC,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,CACvD,CAAC;IAEF,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACnC,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,CACnD,CAAC;IAEF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC
,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;IACxD,CAAC;IAED,8BAA8B;IAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;IAEhC,yDAAyD;IACzD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,qBAAqB,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;YAC9E,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpB,uBAAuB;gBACvB,KAAK,MAAM,KAAK,IAAI,IAAI,EAAE,CAAC;oBACzB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;oBAC/C,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,IAAI,CAAC;4BACR,IAAI,EAAE,EAAE,EAAE,2BAA2B;4BACrC,MAAM,EAAE,EAAE;4BACV,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,IAAI,EAAE,GAAG,GAAG,CAAC,QAAQ,QAAQ;4BAC7B,QAAQ,EAAE,GAAG,CAAC,QAAQ;yBACvB,CAAC,CAAC;wBACH,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;gBAED,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,6DAA6D;IAC7D,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;QAC5C,4BAA4B;QAC5B,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAExD,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpB,IAAI,CAAC,IAAI,CAAC;oBACR,IAAI,EAAE,EAAE;oBACR,MAAM,EAAE,EAAE;oBACV,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,IAAI,EAAE,GAAG,CAAC,aAAa;oBACvB,QAAQ,EAAE,CAAC;iBACZ,CAAC,CAAC;gBACH,IAAI,CAAC,IAAI,CAAC;oBACR,IAAI,EAAE,EAAE;oBACR,MAAM,EAAE,EAAE;oBACV,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,QAAQ,CAAC,GAAG;oBAClB,QAAQ,EAAE,CAAC;iBACZ,CAAC,CAAC;gBACH,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;AACxD,CAAC;AAED;;GAEG;
AACH,SAAS,qBAAqB,CAC5B,SAAiB,EACjB,OAAsB,EACtB,MAAkB,EAClB,GAAQ,EACR,UAAuB,IAAI,GAAG,EAAE,EAChC,OAAiB,EAAE;IAEnB,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IAChC,IAAI,SAAS,KAAK,OAAO;QAAE,OAAO,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC,CAAC;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC;QAAE,OAAO,EAAE,CAAC;IAEtC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACvB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAErB,uCAAuC;IACvC,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC;IAEpE,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;QAC7F,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,MAAmB,EAAE,IAAe;IACpE,8DAA8D;IAC9D,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;AACjD,CAAC;AAGD;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAmB,EAAE,IAAe,EAAE,UAAsB;IACvF,IAAI,UAAU,GAAG,GAAG,CAAC,CAAC,kBAAkB;IAExC,+BAA+B;IAC/B,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;IAED,0CAA0C;IAC1C,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;IAC7D,CAAC;IAED,6BAA6B;IAC7B,UAAU,GAAG,UAAU,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IAE9D,kBAAkB;IAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;QAClB,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;SAAM,IAAI,QAAQ,IAAI,EAAE,EAAE,CAAC;QAC1B,UAAU,IAAI,IAAI,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAmB,EAAE,IAAe,EAAE,UAAsB;IACvF,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE/C,IAAI,UAAU,CAAC,UAAU,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/C,OAAO,GAAG,UA
AU,6BAA6B,IAAI,QAAQ,QAAQ,+BAA+B,CAAC;IACvG,CAAC;IAED,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,OAAO,GAAG,UAAU,aAAa,QAAQ,+BAA+B,CAAC;IAC3E,CAAC;IAED,OAAO,GAAG,UAAU,cAAc,QAAQ,oCAAoC,CAAC;AACjF,CAAC"}
|
|
1
|
+
{"version":3,"file":"findings.js","sourceRoot":"","sources":["../../src/analysis/findings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH,OAAO,EACL,iBAAiB,IAAI,YAAY,EACjC,cAAc,EACd,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AAEpB;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAsB,EACtB,KAAkB,EAClB,GAAQ,EACR,QAAgB;IAEhB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,iDAAiD;IACjD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,qDAAqD;YACrD,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,SAAS;YACX,CAAC;YAED,qCAAqC;YACrC,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAEpD,IAAI,UAAU,CAAC,UAAU,IAAI,wBAAwB,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC;gBACpE,MAAM,QAAQ,GAAG,YAAY,CAAC;oBAC5B,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,UAAU,EAAE,UAAU,CAAC,UAAU;iBAClC,CAAC,CAAC;gBACH,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;gBAEjE,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,OAAO,SAAS,EAAE,EAAE;oBACxB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,QAAQ;oBACR,UAAU;oBACV,MAAM,EAAE;wBACN,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,MAAM,CAAC,IAAI;wBACjB,IAAI,EAAE,MAAM,CAAC,QAAQ;qBACtB;oBACD,IAAI,EAAE;wBACJ,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,IAAI,CAAC,QAAQ;qBACpB;oBACD,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;oBAC9D,WAAW,EAAE,UAAU,CAAC,UAAU,IAAI,UAAU,GAAG,GAAG;oBACtD,WAAW,EAAE,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC;oBAC1D,WAAW,EAAE,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;oBACtC,YAAY,EAAE;wBACZ,iBAAiB,EAAE,UAAU,CAAC,UAAU;wBACxC,YAAY,EAAE,KAAK;wBACnB,cAAc,EAAE,CAAC;wBACjB,eAAe,EAAE,sBAAsB,CAAC,MAAM,EAAE,IAAI,CAAC;qBACtD;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,mDAAmD;IACnD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAmB,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QACvC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACl
C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,CAAC,CAAC,QAAQ,GAAG;gBACX,GAAG,CAAC,CAAC,QAAQ;gBACb,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;aACxD,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACtB,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,CAAE,QAAQ,CAAC,QAAQ,EAAE,OAAiD,IAAI,EAAE,CAAC,CAAC;YAC9F,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3D,QAAQ,CAAC,QAAQ,GAAG,EAAE,GAAG,QAAQ,CAAC,QAAQ,EAAE,OAAO,EAAE,CAAC;YACtD,MAAM,eAAe,GAAG,oBAAoB,CAC1C,QAAQ,CAAC,YAAY,CAAC,eAAe,EACrC,CAAC,CAAC,YAAY,CAAC,eAAe,CAC/B,CAAC;YACF,IAAI,CAAC,CAAC,UAAU,GAAG,QAAQ,CAAC,UAAU,EAAE,CAAC;gBACvC,QAAQ,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;gBACnC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;gBAC3B,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;gBACvB,QAAQ,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC;gBACrC,QAAQ,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY,CAAC;gBACvC,QAAQ,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC;gBACrC,QAAQ,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;YACjC,CAAC;YACD,QAAQ,CAAC,YAAY,CAAC,eAAe,GAAG,eAAe,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE7C,kCAAkC;IAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACpB,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAClE,MAAM,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC3E,IAAI,YAAY,KAAK,CAAC;YAAE,OAAO,YAAY,CAAC;QAC5C,OAAO,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,SAAS,sBAAsB,CAC7B,MAAmB,EACnB,IAAe;IAEf,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,IAAI,QAAQ,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,IAAI,QAAQ,CAAC;IAC7C,IAAI,GAAG,KAAK,GAAG;QAAE,OAAO,GAAG,CAAC;IAC5B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,SAAS,oBAAoB,CAC3B,CAAyC,EACzC,CAAyC;IAEzC,MAAM,IAAI,GAAG,CAAC,IAAI,QAAQ,CAAC;IAC3B,MAAM,KAAK,GAAG,CAAC,IAAI,QAAQ,CAAC;IAC5B,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC
;IAChC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAkB,EAAE,QAAkB;IACvE,MAAM,mBAAmB,GAA+B;QACtD,yEAAyE;QACzE,yFAAyF;QACzF,8DAA8D;QAC9D,yEAAyE;QACzE,gFAAgF;QAChF,6CAA6C;QAC7C,kFAAkF;QAClF,kCAAkC;QAClC,UAAU,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,EAAE,iBAAiB,CAAC;QAC5L,SAAS,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,EAAE,iBAAiB,CAAC;QACtJ,WAAW,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,CAAC;QAC9F,WAAW,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,CAAC;QACtF,SAAS,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,MAAM,EAAE,qBAAqB,CAAC;QAC7E,UAAU,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,EAAE,iBAAiB,CAAC;QACrI,QAAQ,EAAE,CAAC,mBAAmB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE,KAAK,CAAC;QACpG,SAAS,EAAE,CAAC,mBAAmB,EAAE,gBAAgB,CAAC;QAClD,QAAQ,EAAE,CAAC,KAAK,EAAE,eAAe,CAAC,EAAE,yBAAyB;QAC7D,UAAU,EAAE,CAAC,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,gBAAgB,CAAC;QAC/F,aAAa,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,CAAC;QACpE,YAAY,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,CAAC,EAAE,sBAAsB;QAC7G,qBAAqB,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,EAAE,iBAAiB,CAAC,EAAE,qBAAqB;QAC9N,YAAY,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,gBAAgB,CAAC,EAAE,2BAA2B;KAC7H,CAAC;IAEF,MAAM,UAAU,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC;IACnD,OAAO,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAC5D,CAAC;AAQD;;GAEG;AACH,SAAS,aAAa,CAAC,MAAmB,EAAE,IAAe,EAAE,GAAQ;IACnE,MAAM,IAAI,GAAe,EAAE,CAAC;IAC5B,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,wCAAwC;IACxC,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACrC,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,CACvD,CAAC;IAEF,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,CAA
C,MAAM,CAAC,CAAC,CAAC,EAAE,CACnC,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,CACnD,CAAC;IAEF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;IACxD,CAAC;IAED,8BAA8B;IAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;IAEhC,yDAAyD;IACzD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,qBAAqB,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;YAC9E,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpB,uBAAuB;gBACvB,KAAK,MAAM,KAAK,IAAI,IAAI,EAAE,CAAC;oBACzB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;oBAC/C,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,IAAI,CAAC;4BACR,IAAI,EAAE,EAAE,EAAE,2BAA2B;4BACrC,MAAM,EAAE,EAAE;4BACV,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,IAAI,EAAE,GAAG,GAAG,CAAC,QAAQ,QAAQ;4BAC7B,QAAQ,EAAE,GAAG,CAAC,QAAQ;yBACvB,CAAC,CAAC;wBACH,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;gBAED,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,6DAA6D;IAC7D,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;QAC5C,4BAA4B;QAC5B,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAExD,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpB,IAAI,CAAC,IAAI,CAAC;oBACR,IAAI,EAAE,EAAE;oBACR,MAAM,EAAE,EAAE;oBACV,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,IAAI,EAAE,GAAG,CAAC,aAAa;oBACvB,QAAQ,EAAE,CAAC;iBACZ,CAAC,CAAC;gBACH,IAAI,CAAC,IAAI,CAAC;oBACR,IAAI,EAAE,EAAE;oBACR,MAAM,EAAE,EAAE;oBACV,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,QAAQ,CAAC,GAAG;oBAClB,QAAQ,EAAE,CAAC;iBACZ,CAAC,CAAC;gBACH,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,OAAO,EAAE,UAAU,
EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAC5B,SAAiB,EACjB,OAAsB,EACtB,MAAkB,EAClB,GAAQ,EACR,UAAuB,IAAI,GAAG,EAAE,EAChC,OAAiB,EAAE;IAEnB,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IAChC,IAAI,SAAS,KAAK,OAAO;QAAE,OAAO,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC,CAAC;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC;QAAE,OAAO,EAAE,CAAC;IAEtC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACvB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAErB,uCAAuC;IACvC,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC;IAEpE,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;QAC7F,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,MAAmB,EAAE,IAAe;IACpE,8DAA8D;IAC9D,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;AACjD,CAAC;AAGD;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAmB,EAAE,IAAe,EAAE,UAAsB;IACvF,IAAI,UAAU,GAAG,GAAG,CAAC,CAAC,kBAAkB;IAExC,+BAA+B;IAC/B,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;IAED,0CAA0C;IAC1C,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;IAC7D,CAAC;IAED,6BAA6B;IAC7B,UAAU,GAAG,UAAU,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IAE9D,kBAAkB;IAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;QAClB,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;SAAM,IAAI,QAAQ,IAAI,EAAE,EAAE,CAAC;QAC1B,UAAU,IAAI,IAAI,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAmB,EAAE,IAAe,EAAE,UAAsB;IACvF,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,IAAI,CAAC,IA
AI,CAAC,CAAC;IAE/C,IAAI,UAAU,CAAC,UAAU,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/C,OAAO,GAAG,UAAU,6BAA6B,IAAI,QAAQ,QAAQ,+BAA+B,CAAC;IACvG,CAAC;IAED,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,OAAO,GAAG,UAAU,aAAa,QAAQ,+BAA+B,CAAC;IAC3E,CAAC;IAED,OAAO,GAAG,UAAU,cAAc,QAAQ,oCAAoC,CAAC;AACjF,CAAC"}
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Pass: csrf-protection-disabled (CWE-352, category: security)
|
|
3
|
+
*
|
|
4
|
+
* Pattern pass — flags places where cross-site request forgery (CSRF)
|
|
5
|
+
* protection is *explicitly disabled*. We do not attempt to detect the
|
|
6
|
+
* absence of CSRF protection (false-positive prone across framework
|
|
7
|
+
* idioms); instead we look for the documented "turn it off" calls.
|
|
8
|
+
*
|
|
9
|
+
* Detection per language:
|
|
10
|
+
* Java (Spring Security):
|
|
11
|
+
* - `http.csrf().disable()`
|
|
12
|
+
* - `http.csrf(csrf -> csrf.disable())` — DSL form
|
|
13
|
+
* - `http.csrf(AbstractHttpConfigurer::disable)` — method-ref form
|
|
14
|
+
* - `.csrfTokenRepository(null)` — neuters the repo
|
|
15
|
+
* Python (Django):
|
|
16
|
+
* - `@csrf_exempt` decorator on a view
|
|
17
|
+
* - `MIDDLEWARE = [...]` with `django.middleware.csrf.CsrfViewMiddleware`
|
|
18
|
+
* removed — we do NOT detect this (config-file analysis).
|
|
19
|
+
* JavaScript (Express):
|
|
20
|
+
* - We do NOT detect "csurf missing" — that's an absence check that
|
|
21
|
+
* fires on every non-Express handler.
|
|
22
|
+
*
|
|
23
|
+
* Severity: critical (CWE-352 is direct privilege escalation).
|
|
24
|
+
* Issue: #86, Sprint 6.
|
|
25
|
+
*/
|
|
26
|
+
import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
|
|
27
|
+
export interface CsrfProtectionDisabledResult {
|
|
28
|
+
findings: Array<{
|
|
29
|
+
line: number;
|
|
30
|
+
language: string;
|
|
31
|
+
pattern: string;
|
|
32
|
+
api: string;
|
|
33
|
+
}>;
|
|
34
|
+
}
|
|
35
|
+
export declare class CsrfProtectionDisabledPass implements AnalysisPass<CsrfProtectionDisabledResult> {
|
|
36
|
+
readonly name = "csrf-protection-disabled";
|
|
37
|
+
readonly category: "security";
|
|
38
|
+
run(ctx: PassContext): CsrfProtectionDisabledResult;
|
|
39
|
+
private detectCall;
|
|
40
|
+
private fixFor;
|
|
41
|
+
}
|
|
42
|
+
//# sourceMappingURL=csrf-protection-disabled-pass.d.ts.map
|
|
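Review bot: The severity rationale in the header comment, `Severity: critical (CWE-352 is direct privilege escalation)` (new line 23), mischaracterises the weakness: CSRF lets a malicious origin issue state-changing requests with the victim's existing authenticated session; it does not by itself raise the attacker's privileges. Suggest `* Severity: critical (CWE-352 lets any origin drive state-changing requests with the victim's authenticated session).` The same header is duplicated in the .js section of this diff, so the fix belongs in the TypeScript source both files are emitted from. The declaration also annotates `category` as the literal `"security"` while `name` is left to inference from its initializer; harmless, but presumably both were meant to be `readonly` literal-typed in the source, which would be clearer if done the same way.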
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"csrf-protection-disabled-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/csrf-protection-disabled-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAkB9E,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAED,qBAAa,0BACX,YAAW,YAAY,CAAC,4BAA4B,CAAC;IAErD,QAAQ,CAAC,IAAI,8BAA8B;IAC3C,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,4BAA4B;IAgHnD,OAAO,CAAC,UAAU;IA2BlB,OAAO,CAAC,MAAM;CAoBf"}
|
|
@@ -0,0 +1,185 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Pass: csrf-protection-disabled (CWE-352, category: security)
|
|
3
|
+
*
|
|
4
|
+
* Pattern pass — flags places where cross-site request forgery (CSRF)
|
|
5
|
+
* protection is *explicitly disabled*. We do not attempt to detect the
|
|
6
|
+
* absence of CSRF protection (false-positive prone across framework
|
|
7
|
+
* idioms); instead we look for the documented "turn it off" calls.
|
|
8
|
+
*
|
|
9
|
+
* Detection per language:
|
|
10
|
+
* Java (Spring Security):
|
|
11
|
+
* - `http.csrf().disable()`
|
|
12
|
+
* - `http.csrf(csrf -> csrf.disable())` — DSL form
|
|
13
|
+
* - `http.csrf(AbstractHttpConfigurer::disable)` — method-ref form
|
|
14
|
+
* - `.csrfTokenRepository(null)` — neuters the repo
|
|
15
|
+
* Python (Django):
|
|
16
|
+
* - `@csrf_exempt` decorator on a view
|
|
17
|
+
* - `MIDDLEWARE = [...]` with `django.middleware.csrf.CsrfViewMiddleware`
|
|
18
|
+
* removed — we do NOT detect this (config-file analysis).
|
|
19
|
+
* JavaScript (Express):
|
|
20
|
+
* - We do NOT detect "csurf missing" — that's an absence check that
|
|
21
|
+
* fires on every non-Express handler.
|
|
22
|
+
*
|
|
23
|
+
* Severity: critical (CWE-352 is direct privilege escalation).
|
|
24
|
+
* Issue: #86, Sprint 6.
|
|
25
|
+
*/
|
|
26
|
+
// Match `.csrf().disable()` or `.csrf(<lambda>).disable(...)`.
|
|
27
|
+
const JAVA_CSRF_DISABLE_RE = /\.csrf\s*\([^)]*\)\s*\.\s*disable\b/;
|
|
28
|
+
// `csrf(csrf -> csrf.disable())` or `csrf(c -> c.disable())`.
|
|
29
|
+
const JAVA_CSRF_LAMBDA_DISABLE_RE = /\bcsrf\s*\(\s*\w+\s*->\s*\w+\s*\.\s*disable\s*\(/;
|
|
30
|
+
// Method-reference form: `csrf(AbstractHttpConfigurer::disable)`.
|
|
31
|
+
const JAVA_CSRF_METHODREF_RE = /\bcsrf\s*\(\s*[\w.]+::disable\s*\)/;
|
|
32
|
+
// `.csrfTokenRepository(null)`.
|
|
33
|
+
const JAVA_CSRF_NULL_REPO_RE = /\.csrfTokenRepository\s*\(\s*null\s*\)/;
|
|
34
|
+
export class CsrfProtectionDisabledPass {
|
|
35
|
+
name = 'csrf-protection-disabled';
|
|
36
|
+
category = 'security';
|
|
37
|
+
run(ctx) {
|
|
38
|
+
const { graph, language } = ctx;
|
|
39
|
+
const file = graph.ir.meta.file;
|
|
40
|
+
const findings = [];
|
|
41
|
+
// 1. Call-based detection.
|
|
42
|
+
for (const call of graph.ir.calls) {
|
|
43
|
+
const detections = this.detectCall(call, language);
|
|
44
|
+
for (const det of detections) {
|
|
45
|
+
const line = call.location.line;
|
|
46
|
+
findings.push({ line, language, ...det });
|
|
47
|
+
ctx.addFinding({
|
|
48
|
+
id: `${this.name}-${file}-${line}-${det.pattern}`,
|
|
49
|
+
pass: this.name,
|
|
50
|
+
category: this.category,
|
|
51
|
+
rule_id: this.name,
|
|
52
|
+
cwe: 'CWE-352',
|
|
53
|
+
severity: 'critical',
|
|
54
|
+
level: 'error',
|
|
55
|
+
message: `CSRF protection explicitly disabled via \`${det.pattern}\` ` +
|
|
56
|
+
`(${det.api}). Any browser session can be silently used to ` +
|
|
57
|
+
'perform state-changing requests from a malicious origin.',
|
|
58
|
+
file,
|
|
59
|
+
line,
|
|
60
|
+
fix: this.fixFor(language),
|
|
61
|
+
evidence: { ...det, language },
|
|
62
|
+
});
|
|
63
|
+
}
|
|
64
|
+
}
|
|
65
|
+
// 2. Source-text detection for Java DSL chains that are emitted as a
|
|
66
|
+
// single call expression (the `disable()` arrives as a method on a
|
|
67
|
+
// chained receiver and not always as a discoverable separate CallInfo).
|
|
68
|
+
if (language === 'java') {
|
|
69
|
+
const src = ctx.code ?? '';
|
|
70
|
+
if (src) {
|
|
71
|
+
const lines = src.split('\n');
|
|
72
|
+
for (let i = 0; i < lines.length; i++) {
|
|
73
|
+
const line = i + 1;
|
|
74
|
+
const text = lines[i] ?? '';
|
|
75
|
+
let det = null;
|
|
76
|
+
if (JAVA_CSRF_LAMBDA_DISABLE_RE.test(text)) {
|
|
77
|
+
det = { pattern: 'csrf(c -> c.disable())', api: 'HttpSecurity.csrf' };
|
|
78
|
+
}
|
|
79
|
+
else if (JAVA_CSRF_METHODREF_RE.test(text)) {
|
|
80
|
+
det = { pattern: 'csrf(::disable)', api: 'HttpSecurity.csrf' };
|
|
81
|
+
}
|
|
82
|
+
else if (JAVA_CSRF_NULL_REPO_RE.test(text)) {
|
|
83
|
+
det = { pattern: 'csrfTokenRepository(null)', api: 'HttpSecurity.csrfTokenRepository' };
|
|
84
|
+
}
|
|
85
|
+
else if (JAVA_CSRF_DISABLE_RE.test(text)) {
|
|
86
|
+
det = { pattern: 'csrf().disable()', api: 'HttpSecurity.csrf' };
|
|
87
|
+
}
|
|
88
|
+
if (det && !findings.some((f) => f.line === line && f.pattern === det.pattern)) {
|
|
89
|
+
findings.push({ line, language, ...det });
|
|
90
|
+
ctx.addFinding({
|
|
91
|
+
id: `${this.name}-${file}-${line}-${det.pattern}`,
|
|
92
|
+
pass: this.name,
|
|
93
|
+
category: this.category,
|
|
94
|
+
rule_id: this.name,
|
|
95
|
+
cwe: 'CWE-352',
|
|
96
|
+
severity: 'critical',
|
|
97
|
+
level: 'error',
|
|
98
|
+
message: `CSRF protection explicitly disabled via \`${det.pattern}\` ` +
|
|
99
|
+
`(${det.api}). Any browser session can be silently used to ` +
|
|
100
|
+
'perform state-changing requests from a malicious origin.',
|
|
101
|
+
file,
|
|
102
|
+
line,
|
|
103
|
+
fix: this.fixFor(language),
|
|
104
|
+
evidence: { ...det, language },
|
|
105
|
+
});
|
|
106
|
+
}
|
|
107
|
+
}
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
// 3. Python `@csrf_exempt` decorator — present on annotations / types.
|
|
111
|
+
if (language === 'python') {
|
|
112
|
+
const src = ctx.code ?? '';
|
|
113
|
+
if (src) {
|
|
114
|
+
const lines = src.split('\n');
|
|
115
|
+
for (let i = 0; i < lines.length; i++) {
|
|
116
|
+
const text = lines[i] ?? '';
|
|
117
|
+
if (/^\s*@csrf_exempt\b/.test(text)) {
|
|
118
|
+
const line = i + 1;
|
|
119
|
+
const det = { pattern: '@csrf_exempt', api: 'django.views.decorators.csrf' };
|
|
120
|
+
findings.push({ line, language, ...det });
|
|
121
|
+
ctx.addFinding({
|
|
122
|
+
id: `${this.name}-${file}-${line}-${det.pattern}`,
|
|
123
|
+
pass: this.name,
|
|
124
|
+
category: this.category,
|
|
125
|
+
rule_id: this.name,
|
|
126
|
+
cwe: 'CWE-352',
|
|
127
|
+
severity: 'critical',
|
|
128
|
+
level: 'error',
|
|
129
|
+
message: 'Django view is decorated with `@csrf_exempt`, bypassing the ' +
|
|
130
|
+
'framework CSRF middleware for this endpoint. Any browser ' +
|
|
131
|
+
'session can be silently used to invoke this handler from ' +
|
|
132
|
+
'a malicious origin.',
|
|
133
|
+
file,
|
|
134
|
+
line,
|
|
135
|
+
fix: this.fixFor(language),
|
|
136
|
+
evidence: { ...det, language },
|
|
137
|
+
});
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
}
|
|
141
|
+
}
|
|
142
|
+
return { findings };
|
|
143
|
+
}
|
|
144
|
+
detectCall(call, language) {
|
|
145
|
+
const out = [];
|
|
146
|
+
if (language !== 'java')
|
|
147
|
+
return out;
|
|
148
|
+
// Plain `csrf().disable()` chain — the IR may split this into two calls
|
|
149
|
+
// (the outer .disable() with receiver "csrf()" or chained receiver).
|
|
150
|
+
if (call.method_name === 'disable') {
|
|
151
|
+
const recv = call.receiver ?? '';
|
|
152
|
+
if (/\bcsrf\s*\(\s*\)\s*$/.test(recv) || recv.endsWith('.csrf()')) {
|
|
153
|
+
out.push({ pattern: 'csrf().disable()', api: 'HttpSecurity.csrf' });
|
|
154
|
+
}
|
|
155
|
+
}
|
|
156
|
+
if (call.method_name === 'csrfTokenRepository') {
|
|
157
|
+
const arg = call.arguments.find((a) => a.position === 0);
|
|
158
|
+
const expr = (arg?.expression ?? arg?.literal ?? '').trim();
|
|
159
|
+
if (expr === 'null') {
|
|
160
|
+
out.push({
|
|
161
|
+
pattern: 'csrfTokenRepository(null)',
|
|
162
|
+
api: 'HttpSecurity.csrfTokenRepository',
|
|
163
|
+
});
|
|
164
|
+
}
|
|
165
|
+
}
|
|
166
|
+
return out;
|
|
167
|
+
}
|
|
168
|
+
fixFor(language) {
|
|
169
|
+
if (language === 'java') {
|
|
170
|
+
return ('Leave Spring Security CSRF protection enabled. If you need to ' +
|
|
171
|
+
'exempt a specific endpoint (e.g. webhook), use ' +
|
|
172
|
+
'`.csrf(c -> c.ignoringRequestMatchers("/webhook"))` rather than ' +
|
|
173
|
+
'`.disable()`. For stateless APIs, prefer a per-request token over ' +
|
|
174
|
+
'disabling CSRF entirely.');
|
|
175
|
+
}
|
|
176
|
+
if (language === 'python') {
|
|
177
|
+
return ('Remove `@csrf_exempt`. For stateless API endpoints, use Django REST ' +
|
|
178
|
+
'Framework with a token / session auth backend that does not rely on ' +
|
|
179
|
+
'cookies. For webhook receivers, verify a shared-secret signature ' +
|
|
180
|
+
'instead of disabling CSRF.');
|
|
181
|
+
}
|
|
182
|
+
return 'Re-enable framework CSRF protection or replace with origin / token validation.';
|
|
183
|
+
}
|
|
184
|
+
}
|
|
185
|
+
//# sourceMappingURL=csrf-protection-disabled-pass.js.map
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"csrf-protection-disabled-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/csrf-protection-disabled-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAKH,+DAA+D;AAC/D,MAAM,oBAAoB,GAAG,qCAAqC,CAAC;AACnE,8DAA8D;AAC9D,MAAM,2BAA2B,GAC/B,kDAAkD,CAAC;AACrD,kEAAkE;AAClE,MAAM,sBAAsB,GAAG,oCAAoC,CAAC;AACpE,gCAAgC;AAChC,MAAM,sBAAsB,GAAG,wCAAwC,CAAC;AAgBxE,MAAM,OAAO,0BAA0B;IAG5B,IAAI,GAAG,0BAA0B,CAAC;IAClC,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAA6C,EAAE,CAAC;QAE9D,2BAA2B;QAC3B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YACnD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;gBAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;gBAC1C,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE;oBACjD,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,6CAA6C,GAAG,CAAC,OAAO,KAAK;wBAC7D,IAAI,GAAG,CAAC,GAAG,iDAAiD;wBAC5D,0DAA0D;oBAC5D,IAAI;oBACJ,IAAI;oBACJ,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;oBAC1B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,qEAAqE;QACrE,mEAAmE;QACnE,wEAAwE;QACxE,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;YAC3B,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACtC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;oBACnB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC5B,IAAI,GAAG,GAAqB,IAAI,CAAC;oBACjC,IAAI,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC3C,GAAG,GAAG,EAAE,OAAO,EAAE,wBAAwB,EAAE,GAAG,EAAE,mBA
AmB,EAAE,CAAC;oBACxE,CAAC;yBAAM,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC7C,GAAG,GAAG,EAAE,OAAO,EAAE,iBAAiB,EAAE,GAAG,EAAE,mBAAmB,EAAE,CAAC;oBACjE,CAAC;yBAAM,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC7C,GAAG,GAAG,EAAE,OAAO,EAAE,2BAA2B,EAAE,GAAG,EAAE,kCAAkC,EAAE,CAAC;oBAC1F,CAAC;yBAAM,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC3C,GAAG,GAAG,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAE,mBAAmB,EAAE,CAAC;oBAClE,CAAC;oBACD,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,GAAI,CAAC,OAAO,CAAC,EAAE,CAAC;wBAChF,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;wBAC1C,GAAG,CAAC,UAAU,CAAC;4BACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE;4BACjD,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,OAAO,EAAE,IAAI,CAAC,IAAI;4BAClB,GAAG,EAAE,SAAS;4BACd,QAAQ,EAAE,UAAU;4BACpB,KAAK,EAAE,OAAO;4BACd,OAAO,EACL,6CAA6C,GAAG,CAAC,OAAO,KAAK;gCAC7D,IAAI,GAAG,CAAC,GAAG,iDAAiD;gCAC5D,0DAA0D;4BAC5D,IAAI;4BACJ,IAAI;4BACJ,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;4BAC1B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;yBAC/B,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,uEAAuE;QACvE,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;YAC3B,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC5B,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACpC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;wBACnB,MAAM,GAAG,GAAc,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,EAAE,8BAA8B,EAAE,CAAC;wBACxF,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;wBAC1C,GAAG,CAAC,UAAU,CAAC;4BACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE;4BACjD,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,OAAO,EAAE,IAAI,CAAC,IAAI;4BAClB,GAAG,EAAE,SAAS;4BACd,Q
AAQ,EAAE,UAAU;4BACpB,KAAK,EAAE,OAAO;4BACd,OAAO,EACL,8DAA8D;gCAC9D,2DAA2D;gCAC3D,2DAA2D;gCAC3D,qBAAqB;4BACvB,IAAI;4BACJ,IAAI;4BACJ,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;4BAC1B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;yBAC/B,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,UAAU,CAAC,IAAc,EAAE,QAAgB;QACjD,MAAM,GAAG,GAAgB,EAAE,CAAC;QAC5B,IAAI,QAAQ,KAAK,MAAM;YAAE,OAAO,GAAG,CAAC;QAEpC,wEAAwE;QACxE,qEAAqE;QACrE,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;YACjC,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBAClE,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAE,mBAAmB,EAAE,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,WAAW,KAAK,qBAAqB,EAAE,CAAC;YAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;YACzD,MAAM,IAAI,GAAG,CAAC,GAAG,EAAE,UAAU,IAAI,GAAG,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5D,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;gBACpB,GAAG,CAAC,IAAI,CAAC;oBACP,OAAO,EAAE,2BAA2B;oBACpC,GAAG,EAAE,kCAAkC;iBACxC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAEO,MAAM,CAAC,QAAgB;QAC7B,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,OAAO,CACL,gEAAgE;gBAChE,iDAAiD;gBACjD,kEAAkE;gBAClE,oEAAoE;gBACpE,0BAA0B,CAC3B,CAAC;QACJ,CAAC;QACD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,OAAO,CACL,sEAAsE;gBACtE,sEAAsE;gBACtE,mEAAmE;gBACnE,4BAA4B,CAC7B,CAAC;QACJ,CAAC;QACD,OAAO,gFAAgF,CAAC;IAC1F,CAAC;CACF"}
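--- /dev/null
+++ b/package/dist/analysis/passes/jwt-verify-disabled-pass.d.ts
@@ -0,0 +1,45 @@
+/**
+* Pass: jwt-verify-disabled (CWE-347, category: security)
+*
+* Pattern pass — flags places where JWT signature verification is explicitly
+* disabled or set to the `none` algorithm. This is a configuration
+* vulnerability (the bad value is a hard-coded constant), not a taint flow.
+*
+* Detection per language:
+* Python (PyJWT):
+* - `jwt.decode(token, ..., options={"verify_signature": False})`
+* - `jwt.decode(token, ..., verify=False)` — pre-2.0 PyJWT
+* - `jwt.decode(token, ..., algorithms=["none"])` — accepts unsigned tokens
+* JavaScript / TypeScript (jsonwebtoken):
+* - `jwt.verify(token, secret, { algorithms: ['none'] })`
+* - `jwt.verify(token, null, ...)` / `jwt.verify(token, '', ...)` — empty key
+* - `jwt.verify(token, secret, { verify: false })` (rare)
+* Java (auth0 java-jwt):
+* - `JWT.require(Algorithm.none())` — accepts `alg:none` tokens
+* Java (jjwt 0.x):
+* - `Jwts.parser().setSigningKey(...).parse(...)` — `parse` returns Jwt<?,?>
+* without enforcing the signature; `parseClaimsJws()` is the safe form
+*
+* Aligned with: CWE-347, OWASP API Security Top 10 (API2:2023 broken auth),
+* Bandit B701 (jinja2_autoescape is unrelated — JWT has no direct Bandit rule
+* but PyJWT documents this as misuse).
+*
+* Issue: #86, Sprint 5.
+*/
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface JwtVerifyDisabledResult {
+findings: Array<{
+line: number;
+language: string;
+pattern: string;
+api: string;
+}>;
+}
+export declare class JwtVerifyDisabledPass implements AnalysisPass<JwtVerifyDisabledResult> {
+readonly name = "jwt-verify-disabled";
+readonly category: "security";
+run(ctx: PassContext): JwtVerifyDisabledResult;
+private detect;
+private fixFor;
+}
+//# sourceMappingURL=jwt-verify-disabled-pass.d.ts.map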
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"jwt-verify-disabled-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/jwt-verify-disabled-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAmB9E,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAED,qBAAa,qBACX,YAAW,YAAY,CAAC,uBAAuB,CAAC;IAEhD,QAAQ,CAAC,IAAI,yBAAyB;IACtC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,uBAAuB;IAkC9C,OAAO,CAAC,MAAM;IA6Ed,OAAO,CAAC,MAAM;CA2Bf"}
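--- /dev/null
+++ b/package/dist/analysis/passes/jwt-verify-disabled-pass.js
@@ -0,0 +1,164 @@
+/**
+* Pass: jwt-verify-disabled (CWE-347, category: security)
+*
+* Pattern pass — flags places where JWT signature verification is explicitly
+* disabled or set to the `none` algorithm. This is a configuration
+* vulnerability (the bad value is a hard-coded constant), not a taint flow.
+*
+* Detection per language:
+* Python (PyJWT):
+* - `jwt.decode(token, ..., options={"verify_signature": False})`
+* - `jwt.decode(token, ..., verify=False)` — pre-2.0 PyJWT
+* - `jwt.decode(token, ..., algorithms=["none"])` — accepts unsigned tokens
+* JavaScript / TypeScript (jsonwebtoken):
+* - `jwt.verify(token, secret, { algorithms: ['none'] })`
+* - `jwt.verify(token, null, ...)` / `jwt.verify(token, '', ...)` — empty key
+* - `jwt.verify(token, secret, { verify: false })` (rare)
+* Java (auth0 java-jwt):
+* - `JWT.require(Algorithm.none())` — accepts `alg:none` tokens
+* Java (jjwt 0.x):
+* - `Jwts.parser().setSigningKey(...).parse(...)` — `parse` returns Jwt<?,?>
+* without enforcing the signature; `parseClaimsJws()` is the safe form
+*
+* Aligned with: CWE-347, OWASP API Security Top 10 (API2:2023 broken auth),
+* Bandit B701 (jinja2_autoescape is unrelated — JWT has no direct Bandit rule
+* but PyJWT documents this as misuse).
+*
+* Issue: #86, Sprint 5.
+*/
+// `verify_signature: False` inside an `options=` dict literal.
+const PY_VERIFY_SIGNATURE_FALSE_RE = /["']verify_signature["']\s*:\s*False\b/;
+// `verify=False` kwarg (pre-2.0 PyJWT).
+const PY_VERIFY_KW_FALSE_RE = /\bverify\s*=\s*False\b/;
+// `algorithms=['none', ...]` or `algorithms=("none",)` — case-insensitive.
+const PY_ALG_NONE_RE = /\balgorithms\s*=\s*[\[\(]\s*["']none["']/i;
+// JS `algorithms: ['none']` inside an options literal.
+const JS_ALG_NONE_RE = /\balgorithms\s*:\s*\[\s*["']none["']/i;
+export class JwtVerifyDisabledPass {
+name = 'jwt-verify-disabled';
+category = 'security';
+run(ctx) {
+const { graph, language } = ctx;
+const file = graph.ir.meta.file;
+const findings = [];
+for (const call of graph.ir.calls) {
+const detections = this.detect(call, language);
+for (const det of detections) {
+const line = call.location.line;
+findings.push({ line, language, ...det });
+ctx.addFinding({
+id: `${this.name}-${file}-${line}-${det.pattern}`,
+pass: this.name,
+category: this.category,
+rule_id: this.name,
+cwe: 'CWE-347',
+severity: 'critical',
+level: 'error',
+message: `JWT signature verification disabled via \`${det.pattern}\` in ` +
+`\`${det.api}\`. Any attacker can forge a token with arbitrary ` +
+'claims (user id, roles, expiry) since the signature is not ' +
+'checked.',
+file,
+line,
+fix: this.fixFor(language),
+evidence: { ...det, language },
+});
+}
+}
+return { findings };
+}
+detect(call, language) {
+const method = call.method_name;
+const receiver = call.receiver ?? '';
+const out = [];
+if (language === 'python') {
+// PyJWT: jwt.decode(token, key, options={...}, algorithms=[...], verify=...)
+if (receiver === 'jwt' && method === 'decode') {
+for (const arg of call.arguments) {
+const expr = (arg.expression ?? '').trim();
+if (!expr)
+continue;
+if (PY_VERIFY_SIGNATURE_FALSE_RE.test(expr)) {
+out.push({ pattern: 'verify_signature: False', api: 'jwt.decode' });
+}
+if (PY_VERIFY_KW_FALSE_RE.test(expr)) {
+out.push({ pattern: 'verify=False', api: 'jwt.decode' });
+}
+if (PY_ALG_NONE_RE.test(expr)) {
+out.push({ pattern: "algorithms=['none']", api: 'jwt.decode' });
+}
+}
+}
+return out;
+}
+if (language === 'javascript' || language === 'typescript') {
+// jsonwebtoken: jwt.verify(token, secret, options)
+if (receiver === 'jwt' && method === 'verify') {
+// Inspect option literal for algorithms:['none'] or verify:false.
+for (const arg of call.arguments) {
+const expr = (arg.expression ?? '').trim();
+if (!expr)
+continue;
+if (JS_ALG_NONE_RE.test(expr)) {
+out.push({ pattern: "algorithms: ['none']", api: 'jwt.verify' });
+}
+if (/\bverify\s*:\s*false\b/i.test(expr)) {
+out.push({ pattern: 'verify: false', api: 'jwt.verify' });
+}
+}
+// Empty / null key as 2nd arg.
+const keyArg = call.arguments.find((a) => a.position === 1);
+const keyExpr = (keyArg?.expression ?? keyArg?.literal ?? '').trim();
+if (keyExpr === 'null' || keyExpr === 'undefined' ||
+keyExpr === '""' || keyExpr === "''" || keyExpr === '``') {
+out.push({ pattern: `empty key (${keyExpr || 'missing'})`, api: 'jwt.verify' });
+}
+}
+return out;
+}
+if (language === 'java') {
+// auth0 java-jwt: JWT.require(Algorithm.none())
+// The argument expression text contains `Algorithm.none()`.
+if (method === 'require' &&
+(receiver === 'JWT' || receiver.endsWith('.JWT'))) {
+const arg = call.arguments.find((a) => a.position === 0);
+const expr = (arg?.expression ?? '').trim();
+if (/\bAlgorithm\s*\.\s*none\s*\(/.test(expr)) {
+out.push({ pattern: 'Algorithm.none()', api: 'JWT.require' });
+}
+}
+// jjwt 0.x: Jwts.parser()...parse(token) — unsafe (no signature check)
+// vs parseClaimsJws / parseSignedClaims which do verify.
+if (method === 'parse' && receiver.includes('parser')) {
+// Match shapes like `Jwts.parser().setSigningKey(k).parse(t)` where
+// the receiver chain ends in `parser()` and `.parse()` is invoked.
+// The exact receiver string emitted by the Java plugin varies; we
+// match `parser()` substring in the receiver expression as a
+// best-effort signal.
+out.push({ pattern: 'parse() instead of parseClaimsJws()', api: 'Jwts.parser().parse' });
+}
+return out;
+}
+return out;
+}
+fixFor(language) {
+if (language === 'python') {
+return ('Always pass `options={"verify_signature": True}` (the default in ' +
+'PyJWT 2.0+) and a concrete `algorithms=["HS256"|"RS256"]` list. ' +
+'Never accept `none`.');
+}
+if (language === 'javascript' || language === 'typescript') {
+return ('Call `jwt.verify(token, secret, { algorithms: ["HS256" | "RS256"] })` ' +
+'with a non-empty key. Never use `algorithms: ["none"]` or pass ' +
+'null/empty as the secret.');
+}
+if (language === 'java') {
+return ('For auth0/java-jwt: use `JWT.require(Algorithm.HMAC256(secret))` or ' +
+'an RSA algorithm. For jjwt: call `parseClaimsJws(token)` (signature ' +
+'enforced) rather than `parse(token)` (signature ignored).');
+}
+return ('Enforce JWT signature verification with a concrete algorithm ' +
+'(HS256/RS256/ES256). Never accept `alg: none`.');
+}
+}
+//# sourceMappingURL=jwt-verify-disabled-pass.js.map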
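Review bot: The jjwt branch `if (method === 'parse' && receiver.includes('parser'))` emits a critical CWE-347 finding for any Java `.parse()` whose receiver merely contains the substring `parser`, so unrelated calls such as `jsonParser.parse(body)` or `csvParser.parse(line)` will be reported as disabled JWT verification; the receiver should be tied to jjwt, e.g. `if (method === 'parse' && receiver.includes('Jwts') && /\bparser(?:Builder)?\s*\(/.test(receiver))`, or this pattern should carry a lower confidence or severity than the others in the pass. The fix text in `fixFor('java')` also overstates the defect: jjwt's `parse()` does verify the signature when the token is a signed JWS and throws on mismatch, what it does not do is require one, so an unsigned (`alg:none`-style) token is accepted, which is why `parseClaimsJws()` is the safe call. Suggest rewording to `'enforced) rather than \`parse(token)\` (accepts unsigned tokens).'` and aligning the `// jjwt 0.x:` comment and the header comment's "without enforcing the signature" line with that. Separately, the `'missing'` fallback in `` `empty key (${keyExpr || 'missing'})` `` is unreachable, because a missing second argument leaves `keyExpr === ''`, which none of the compared literals match; either drop the fallback or add `keyArg === undefined` to the condition if a missing key is meant to be flagged.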
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"jwt-verify-disabled-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/jwt-verify-disabled-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAKH,+DAA+D;AAC/D,MAAM,4BAA4B,GAChC,wCAAwC,CAAC;AAC3C,wCAAwC;AACxC,MAAM,qBAAqB,GAAG,wBAAwB,CAAC;AACvD,2EAA2E;AAC3E,MAAM,cAAc,GAAG,2CAA2C,CAAC;AAEnE,uDAAuD;AACvD,MAAM,cAAc,GAAG,uCAAuC,CAAC;AAgB/D,MAAM,OAAO,qBAAqB;IAGvB,IAAI,GAAG,qBAAqB,CAAC;IAC7B,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAwC,EAAE,CAAC;QAEzD,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAC/C,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;gBAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;gBAC1C,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE;oBACjD,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,6CAA6C,GAAG,CAAC,OAAO,QAAQ;wBAChE,KAAK,GAAG,CAAC,GAAG,oDAAoD;wBAChE,6DAA6D;wBAC7D,UAAU;oBACZ,IAAI;oBACJ,IAAI;oBACJ,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;oBAC1B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,MAAM,CAAC,IAAc,EAAE,QAAgB;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC;QAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,MAAM,GAAG,GAAgB,EAAE,CAAC;QAE5B,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,6EAA6E;YAC7E,IAAI,QAAQ,KAAK,KAAK,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;gBAC9C,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACjC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC3C,IAAI,CAAC,IAAI;wBAAE,SAAS;oBACpB,IAAI,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC5C,GAAG,CAAC,IAAI,CAAC,EAAE,O
AAO,EAAE,yBAAyB,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC;oBACtE,CAAC;oBACD,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACrC,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC;oBAC3D,CAAC;oBACD,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC9B,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,qBAAqB,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC;oBAClE,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,mDAAmD;YACnD,IAAI,QAAQ,KAAK,KAAK,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;gBAC9C,kEAAkE;gBAClE,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACjC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC3C,IAAI,CAAC,IAAI;wBAAE,SAAS;oBACpB,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC9B,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,sBAAsB,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC;oBACnE,CAAC;oBACD,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACzC,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC;oBAC5D,CAAC;gBACH,CAAC;gBACD,+BAA+B;gBAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;gBAC5D,MAAM,OAAO,GAAG,CAAC,MAAM,EAAE,UAAU,IAAI,MAAM,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACrE,IAAI,OAAO,KAAK,MAAM,IAAI,OAAO,KAAK,WAAW;oBAC7C,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;oBAC7D,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,cAAc,OAAO,IAAI,SAAS,GAAG,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC;gBAClF,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,gDAAgD;YAChD,4DAA4D;YAC5D,IAAI,MAAM,KAAK,SAAS;gBACpB,CAAC,QAAQ,KAAK,KAAK,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;gBACtD,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;gBACzD,MAAM,IAAI,GAAG,CAAC,GAAG,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5C,IAAI,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9C,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAE,aAAa,EAAE,CAAC,CAAC;
gBAChE,CAAC;YACH,CAAC;YACD,uEAAuE;YACvE,yDAAyD;YACzD,IAAI,MAAM,KAAK,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtD,oEAAoE;gBACpE,mEAAmE;gBACnE,kEAAkE;gBAClE,6DAA6D;gBAC7D,sBAAsB;gBACtB,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,qCAAqC,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC,CAAC;YAC3F,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAEO,MAAM,CAAC,QAAgB;QAC7B,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,OAAO,CACL,mEAAmE;gBACnE,kEAAkE;gBAClE,sBAAsB,CACvB,CAAC;QACJ,CAAC;QACD,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,OAAO,CACL,wEAAwE;gBACxE,iEAAiE;gBACjE,2BAA2B,CAC5B,CAAC;QACJ,CAAC;QACD,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,OAAO,CACL,sEAAsE;gBACtE,sEAAsE;gBACtE,2DAA2D,CAC5D,CAAC;QACJ,CAAC;QACD,OAAO,CACL,+DAA+D;YAC/D,gDAAgD,CACjD,CAAC;IACJ,CAAC;CACF"}
|
|
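--- /dev/null
+++ b/package/dist/analysis/passes/mass-assignment-pass.d.ts
@@ -0,0 +1,41 @@
+/**
+* Pass: mass-assignment (CWE-915, category: security)
+*
+* Pattern pass — flags code paths that splat an HTTP request bag (form /
+* body / query / json) directly into a domain-object constructor or update
+* helper without an allow-list. This complements the taint-based
+* `mass_assignment` SinkType which catches `Object.assign(user, req.body)`
+* via the regular sink matcher; this pass catches the *syntactic spread /
+* kwargs* forms that aren't a discrete call argument.
+*
+* Detection per language:
+* Python:
+* - `Model(**request.form)`
+* - `Model(**request.json)` / `**request.get_json()`
+* - `Model(**request.args)` / `**request.values`
+* - `Model.objects.create(**request.X)` (Django ORM)
+* - `Model.objects.update(**request.X)`
+* JavaScript / TypeScript:
+* - `{ ...req.body }`, `{ ...req.query }`, `{ ...req.params }`
+* - `{ ...request.body }`, `{ ...ctx.request.body }` (Koa)
+* - `await Model.create({ ...req.body })`
+* - `await user.update({ ...req.body })`
+*
+* Severity: high (direct privilege escalation vector).
+* Issue: #86, Sprint 6.
+*/
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface MassAssignmentResult {
+findings: Array<{
+line: number;
+language: string;
+pattern: string;
+snippet: string;
+}>;
+}
+export declare class MassAssignmentPass implements AnalysisPass<MassAssignmentResult> {
+readonly name = "mass-assignment";
+readonly category: "security";
+run(ctx: PassContext): MassAssignmentResult;
+}
+//# sourceMappingURL=mass-assignment-pass.d.ts.map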
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"mass-assignment-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/mass-assignment-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAuB9E,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;CACJ;AAED,qBAAa,kBACX,YAAW,YAAY,CAAC,oBAAoB,CAAC;IAE7C,QAAQ,CAAC,IAAI,qBAAqB;IAClC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,oBAAoB;CA0F5C"}