circle-ir 3.54.0 → 3.55.0

  1. package/dist/analysis/config-loader.d.ts.map +1 -1
  2. package/dist/analysis/config-loader.js +36 -3
  3. package/dist/analysis/config-loader.js.map +1 -1
  4. package/dist/analysis/findings.d.ts.map +1 -1
  5. package/dist/analysis/findings.js +11 -6
  6. package/dist/analysis/findings.js.map +1 -1
  7. package/dist/analysis/passes/csrf-protection-disabled-pass.d.ts +42 -0
  8. package/dist/analysis/passes/csrf-protection-disabled-pass.d.ts.map +1 -0
  9. package/dist/analysis/passes/csrf-protection-disabled-pass.js +185 -0
  10. package/dist/analysis/passes/csrf-protection-disabled-pass.js.map +1 -0
  11. package/dist/analysis/passes/mass-assignment-pass.d.ts +41 -0
  12. package/dist/analysis/passes/mass-assignment-pass.d.ts.map +1 -0
  13. package/dist/analysis/passes/mass-assignment-pass.js +124 -0
  14. package/dist/analysis/passes/mass-assignment-pass.js.map +1 -0
  15. package/dist/analysis/passes/xml-entity-expansion-pass.d.ts +58 -0
  16. package/dist/analysis/passes/xml-entity-expansion-pass.d.ts.map +1 -0
  17. package/dist/analysis/passes/xml-entity-expansion-pass.js +196 -0
  18. package/dist/analysis/passes/xml-entity-expansion-pass.js.map +1 -0
  19. package/dist/analysis/rules.d.ts.map +1 -1
  20. package/dist/analysis/rules.js +18 -0
  21. package/dist/analysis/rules.js.map +1 -1
  22. package/dist/analysis/taint-propagation.js +1 -1
  23. package/dist/analysis/taint-propagation.js.map +1 -1
  24. package/dist/analyzer.d.ts.map +1 -1
  25. package/dist/analyzer.js +9 -0
  26. package/dist/analyzer.js.map +1 -1
  27. package/dist/browser/circle-ir.js +389 -11
  28. package/dist/core/circle-ir-core.cjs +40 -5
  29. package/dist/core/circle-ir-core.js +40 -5
  30. package/dist/types/index.d.ts +1 -1
  31. package/dist/types/index.d.ts.map +1 -1
  32. package/package.json +1 -1
@@ -1 +1 @@
1
- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAob1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAm0CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAoMhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1
+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAob1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAs2CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAoMhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
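--- a/package/dist/analysis/config-loader.js
+++ b/package/dist/analysis/config-loader.js
@@ -732,9 +732,16 @@ export const DEFAULT_SINKS = [
  { method: 'println', class: 'ServletOutputStream', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
  // XSS in error messages (CWE-81)
  { method: 'sendError', class: 'HttpServletResponse', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
- // Response header injection (can lead to header XSS)
- { method: 'setHeader', class: 'HttpServletResponse', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
- { method: 'addHeader', class: 'HttpServletResponse', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
+ // Response header injection re-categorised from `xss` to `crlf`
+ // (CWE-113) in Sprint 6 of #86. Header injection is HTTP response
+ // splitting / cache-poisoning / cookie forging; reflected XSS via header
+ // reflection remains a downstream concern of body-writing sinks.
+ { method: 'setHeader', class: 'HttpServletResponse', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1] },
+ { method: 'addHeader', class: 'HttpServletResponse', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1] },
+ // Note: `sendRedirect` is primarily classified as `ssrf` / open-redirect
+ // (CWE-601) further down — see entry near line 1195. CRLF via Location
+ // header is a secondary concern; keeping the canonical SSRF entry avoids
+ // double-emission that would mask the open-redirect chain.
  { method: 'setContentType', class: 'HttpServletResponse', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
  // JSP output
  { method: 'setAttribute', class: 'PageContext', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
@@ -1703,6 +1710,32 @@ export const DEFAULT_SINKS = [
  { method: 'Printf', class: 'fmt', type: 'format_string', cwe: 'CWE-134', severity: 'medium', arg_positions: [0], languages: ['go'] },
  { method: 'Errorf', class: 'fmt', type: 'format_string', cwe: 'CWE-134', severity: 'medium', arg_positions: [0], languages: ['go'] },
  { method: 'Fprintf', class: 'fmt', type: 'format_string', cwe: 'CWE-134', severity: 'medium', arg_positions: [1], languages: ['go'] },
+ // CRLF / HTTP response splitting (CWE-113) — Sprint 6, #86.
+ // Node.js / Express response header / cookie sinks. The header *name* (arg 0)
+ // is also CRLF-sensitive but is almost always a string literal; we model
+ // arg 1 (the value) as the primary sink.
+ { method: 'setHeader', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['javascript', 'typescript'] },
+ { method: 'writeHead', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [2], languages: ['javascript', 'typescript'] },
+ // Express: res.cookie(name, value, options) — value is CRLF-sensitive.
+ { method: 'cookie', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['javascript', 'typescript'] },
+ // Express: res.location(url) and res.redirect(url) — Location header.
+ { method: 'location', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [0], languages: ['javascript', 'typescript'] },
+ { method: 'redirect', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [0], languages: ['javascript', 'typescript'] },
+ // Go net/http: w.Header().Set(k, v) / Add(k, v) — first arg is the value
+ // (Header is a map; the actual `value` is arg 1 of the call). We flag the
+ // value position so a tainted variable is detected.
+ { method: 'Set', class: 'Header', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['go'] },
+ { method: 'Add', class: 'Header', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['go'] },
+ // Mass-assignment (CWE-915) — Sprint 6, #86.
+ // JS Object.assign(target, ...sources) — sources are arg 1..N, and if any
+ // source is request-tainted, every key gets written onto the target. We
+ // flag the source positions; the analyzer only needs one tainted to fire.
+ { method: 'assign', class: 'Object', type: 'mass_assignment', cwe: 'CWE-915', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+ // Lodash bulk-merge helpers behave identically.
+ { method: 'merge', class: '_', type: 'mass_assignment', cwe: 'CWE-915', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+ { method: 'extend', class: '_', type: 'mass_assignment', cwe: 'CWE-915', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+ // jQuery $.extend(target, source) (legacy).
+ { method: 'extend', class: '$', type: 'mass_assignment', cwe: 'CWE-915', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
  ];
  export const DEFAULT_SANITIZERS = [
  // SQL Injection - proper parameter binding sanitizes input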
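Review bot: The Express `redirect` and Node `writeHead` entries in the second hunk (new lines 1718 and 1723) each model a single overload, so `res.redirect(302, url)` and `res.writeHead(200, headers)` place the tainted argument at a position the sink does not cover. Express documents `res.redirect([status,] path)` and Node documents `response.writeHead(statusCode[, statusMessage][, headers])`, so the URL can sit at arg 0 or 1 and the headers object at arg 1 or 2; changing the two entries to `arg_positions: [0, 1]` for `redirect` and `arg_positions: [1, 2]` for `writeHead` closes the gap, at the cost of a literal status code or reason string occasionally being examined, which a taint check on a literal presumably ignores. The `Object.assign` comment says the sources are arg 1..N while the entry lists only `[1, 2, 3]`; either state in the comment that only the first three sources are modelled or widen the list, and the same applies to the three `merge`/`extend` entries below it. The Go `Header().Set` comment contradicts itself ("first arg is the value" followed by "the actual `value` is arg 1"); suggested wording: `// Go net/http: w.Header().Set(k, v) / Add(k, v) — the value is arg 1; we flag that position so a tainted variable is detected.`. The `DEFAULT_SINKS` array begins before the first hunk.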