circle-ir 3.54.0 → 3.55.0

package/dist/analysis/findings.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"findings.d.ts","sourceRoot":"","sources":["../../src/analysis/findings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EACT,GAAG,EAEH,OAAO,EAEP,QAAQ,EACT,MAAM,mBAAmB,CAAC;AAQ3B;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,WAAW,EAAE,EACtB,KAAK,EAAE,SAAS,EAAE,EAClB,GAAG,EAAE,GAAG,EACR,QAAQ,EAAE,MAAM,GACf,OAAO,EAAE,CAkGX;AAiCD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAuBlF"}
+{"version":3,"file":"findings.d.ts","sourceRoot":"","sources":["../../src/analysis/findings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EACT,GAAG,EAEH,OAAO,EAEP,QAAQ,EACT,MAAM,mBAAmB,CAAC;AAQ3B;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,WAAW,EAAE,EACtB,KAAK,EAAE,SAAS,EAAE,EAClB,GAAG,EAAE,GAAG,EACR,QAAQ,EAAE,MAAM,GACf,OAAO,EAAE,CAkGX;AAiCD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CA4BlF"}

package/dist/analysis/findings.js

@@ -135,19 +135,24 @@ export function canSourceReachSink(sourceType, sinkType) {
         // code_injection added to http_param/http_query/http_header/http_cookie:
         // `eval(req.query.x)`, `Function(req.header('x'))`, `vm.runInThisContext(req.cookies.c)`
         // are all real RCE patterns in JS web apps (cognium-dev #83).
-        http_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'xpath_injection', 'ldap_injection', 'ssrf', 'mybatis_mapper_call', 'code_injection'],
-        http_body: ['sql_injection', 'command_injection', 'deserialization', 'xxe', 'xss', 'code_injection', 'mybatis_mapper_call'],
-        http_header: ['sql_injection', 'xss', 'ssrf', 'mybatis_mapper_call', 'code_injection'],
-        http_cookie: ['sql_injection', 'xss', 'mybatis_mapper_call', 'code_injection'],
+        // crlf added to http_param/http_query/http_header/http_cookie/http_body:
+        // setHeader/setCookie/redirect of any user-controlled string is CRLF / response
+        // splitting (CWE-113) — Sprint 6, issue #86.
+        // mass_assignment added to http_body / http_param: Object.assign(user, req.body),
+        // User(**request.form) — CWE-915.
+        http_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'xpath_injection', 'ldap_injection', 'ssrf', 'mybatis_mapper_call', 'code_injection', 'crlf', 'mass_assignment'],
+        http_body: ['sql_injection', 'command_injection', 'deserialization', 'xxe', 'xss', 'code_injection', 'mybatis_mapper_call', 'crlf', 'mass_assignment'],
+        http_header: ['sql_injection', 'xss', 'ssrf', 'mybatis_mapper_call', 'code_injection', 'crlf'],
+        http_cookie: ['sql_injection', 'xss', 'mybatis_mapper_call', 'code_injection', 'crlf'],
         http_path: ['path_traversal', 'sql_injection', 'ssrf', 'mybatis_mapper_call'],
-        http_query: ['sql_injection', 'command_injection', 'xss', 'ssrf', 'mybatis_mapper_call', 'code_injection'],
+        http_query: ['sql_injection', 'command_injection', 'xss', 'ssrf', 'mybatis_mapper_call', 'code_injection', 'crlf', 'mass_assignment'],
         io_input: ['command_injection', 'path_traversal', 'deserialization', 'xxe', 'code_injection', 'xss'],
         env_input: ['command_injection', 'path_traversal'],
         db_input: ['xss', 'sql_injection'], // Second-order injection
         file_input: ['deserialization', 'xxe', 'path_traversal', 'command_injection', 'code_injection'],
         network_input: ['sql_injection', 'command_injection', 'xss', 'ssrf'],
         config_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'ssrf'], // Servlet init params
-        interprocedural_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'xpath_injection', 'ldap_injection', 'ssrf', 'code_injection', 'mybatis_mapper_call'], // Cross-method taint
+        interprocedural_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'xpath_injection', 'ldap_injection', 'ssrf', 'code_injection', 'mybatis_mapper_call', 'crlf', 'mass_assignment'], // Cross-method taint
         plugin_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'code_injection'], // Plugin/config parameters
     };
     const validSinks = sourceToSinkMapping[sourceType];

package/dist/analysis/findings.js.map

@@ -1 +1 @@
-{"version":3,"file":"findings.js","sourceRoot":"","sources":["../../src/analysis/findings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH,OAAO,EACL,iBAAiB,IAAI,YAAY,EACjC,cAAc,EACd,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AAEpB;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAsB,EACtB,KAAkB,EAClB,GAAQ,EACR,QAAgB;IAEhB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,iDAAiD;IACjD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,qDAAqD;YACrD,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,SAAS;YACX,CAAC;YAED,qCAAqC;YACrC,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAEpD,IAAI,UAAU,CAAC,UAAU,IAAI,wBAAwB,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC;gBACpE,MAAM,QAAQ,GAAG,YAAY,CAAC;oBAC5B,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,UAAU,EAAE,UAAU,CAAC,UAAU;iBAClC,CAAC,CAAC;gBACH,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;gBAEjE,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,OAAO,SAAS,EAAE,EAAE;oBACxB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,QAAQ;oBACR,UAAU;oBACV,MAAM,EAAE;wBACN,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,MAAM,CAAC,IAAI;wBACjB,IAAI,EAAE,MAAM,CAAC,QAAQ;qBACtB;oBACD,IAAI,EAAE;wBACJ,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,IAAI,CAAC,QAAQ;qBACpB;oBACD,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;oBAC9D,WAAW,EAAE,UAAU,CAAC,UAAU,IAAI,UAAU,GAAG,GAAG;oBACtD,WAAW,EAAE,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC;oBAC1D,WAAW,EAAE,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;oBACtC,YAAY,EAAE;wBACZ,iBAAiB,EAAE,UAAU,CAAC,UAAU;wBACxC,YAAY,EAAE,KAAK;wBACnB,cAAc,EAAE,CAAC;wBACjB,eAAe,EAAE,sBAAsB,CAAC,MAAM,EAAE,IAAI,CAAC;qBACtD;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,mDAAmD;IACnD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAmB,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QACvC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,CAAC,CAAC,QAAQ,GAAG;gBACX,GAAG,CAAC,CAAC,QAAQ;gBACb,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;aACxD,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACtB,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,CAAE,QAAQ,CAAC,QAAQ,EAAE,OAAiD,IAAI,EAAE,CAAC,CAAC;YAC9F,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3D,QAAQ,CAAC,QAAQ,GAAG,EAAE,GAAG,QAAQ,CAAC,QAAQ,EAAE,OAAO,EAAE,CAAC;YACtD,MAAM,eAAe,GAAG,oBAAoB,CAC1C,QAAQ,CAAC,YAAY,CAAC,eAAe,EACrC,CAAC,CAAC,YAAY,CAAC,eAAe,CAC/B,CAAC;YACF,IAAI,CAAC,CAAC,UAAU,GAAG,QAAQ,CAAC,UAAU,EAAE,CAAC;gBACvC,QAAQ,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;gBACnC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;gBAC3B,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;gBACvB,QAAQ,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC;gBACrC,QAAQ,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY,CAAC;gBACvC,QAAQ,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC;gBACrC,QAAQ,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;YACjC,CAAC;YACD,QAAQ,CAAC,YAAY,CAAC,eAAe,GAAG,eAAe,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE7C,kCAAkC;IAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACpB,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAClE,MAAM,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC3E,IAAI,YAAY,KAAK,CAAC;YAAE,OAAO,YAAY,CAAC;QAC5C,OAAO,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,SAAS,sBAAsB,CAC7B,MAAmB,EACnB,IAAe;IAEf,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,IAAI,QAAQ,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,IAAI,QAAQ,CAAC;IAC7C,IAAI,GAAG,KAAK,GAAG;QAAE,OAAO,GAAG,CAAC;IAC5B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,SAAS,oBAAoB,CAC3B,CAAyC,EACzC,CAAyC;IAEzC,MAAM,IAAI,GAAG,CAAC,IAAI,QAAQ,CAAC;IAC3B,MAAM,KAAK,GAAG,CAAC,IAAI,QAAQ,CAAC;IAC5B,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAChC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAkB,EAAE,QAAkB;IACvE,MAAM,mBAAmB,GAA+B;QACtD,yEAAyE;QACzE,yFAAyF;QACzF,8DAA8D;QAC9D,UAAU,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,CAAC;QACjK,SAAS,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,CAAC;QAC3H,WAAW,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,CAAC;QACtF,WAAW,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,qBAAqB,EAAE,gBAAgB,CAAC;QAC9E,SAAS,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,MAAM,EAAE,qBAAqB,CAAC;QAC7E,UAAU,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,CAAC;QAC1G,QAAQ,EAAE,CAAC,mBAAmB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE,KAAK,CAAC;QACpG,SAAS,EAAE,CAAC,mBAAmB,EAAE,gBAAgB,CAAC;QAClD,QAAQ,EAAE,CAAC,KAAK,EAAE,eAAe,CAAC,EAAE,yBAAyB;QAC7D,UAAU,EAAE,CAAC,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,gBAAgB,CAAC;QAC/F,aAAa,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,CAAC;QACpE,YAAY,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,CAAC,EAAE,sBAAsB;QAC7G,qBAAqB,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,EAAE,gBAAgB,EAAE,qBAAqB,CAAC,EAAE,qBAAqB;QACnM,YAAY,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,gBAAgB,CAAC,EAAE,2BAA2B;KAC7H,CAAC;IAEF,MAAM,UAAU,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC;IACnD,OAAO,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAC5D,CAAC;AAQD;;GAEG;AACH,SAAS,aAAa,CAAC,MAAmB,EAAE,IAAe,EAAE,GAAQ;IACnE,MAAM,IAAI,GAAe,EAAE,CAAC;IAC5B,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,wCAAwC;IACxC,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACrC,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,CACvD,CAAC;IAEF,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACnC,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,CACnD,CAAC;IAEF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;IACxD,CAAC;IAED,8BAA8B;IAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;IAEhC,yDAAyD;IACzD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,qBAAqB,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;YAC9E,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpB,uBAAuB;gBACvB,KAAK,MAAM,KAAK,IAAI,IAAI,EAAE,CAAC;oBACzB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;oBAC/C,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,IAAI,CAAC;4BACR,IAAI,EAAE,EAAE,EAAE,2BAA2B;4BACrC,MAAM,EAAE,EAAE;4BACV,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,IAAI,EAAE,GAAG,GAAG,CAAC,QAAQ,QAAQ;4BAC7B,QAAQ,EAAE,GAAG,CAAC,QAAQ;yBACvB,CAAC,CAAC;wBACH,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;gBAED,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,6DAA6D;IAC7D,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;QAC5C,4BAA4B;QAC5B,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAExD,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpB,IAAI,CAAC,IAAI,CAAC;oBACR,IAAI,EAAE,EAAE;oBACR,MAAM,EAAE,EAAE;oBACV,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,IAAI,EAAE,GAAG,CAAC,aAAa;oBACvB,QAAQ,EAAE,CAAC;iBACZ,CAAC,CAAC;gBACH,IAAI,CAAC,IAAI,CAAC;oBACR,IAAI,EAAE,EAAE;oBACR,MAAM,EAAE,EAAE;oBACV,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,QAAQ,CAAC,GAAG;oBAClB,QAAQ,EAAE,CAAC;iBACZ,CAAC,CAAC;gBACH,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAC5B,SAAiB,EACjB,OAAsB,EACtB,MAAkB,EAClB,GAAQ,EACR,UAAuB,IAAI,GAAG,EAAE,EAChC,OAAiB,EAAE;IAEnB,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IAChC,IAAI,SAAS,KAAK,OAAO;QAAE,OAAO,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC,CAAC;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC;QAAE,OAAO,EAAE,CAAC;IAEtC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACvB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAErB,uCAAuC;IACvC,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC;IAEpE,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;QAC7F,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,MAAmB,EAAE,IAAe;IACpE,8DAA8D;IAC9D,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;AACjD,CAAC;AAGD;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAmB,EAAE,IAAe,EAAE,UAAsB;IACvF,IAAI,UAAU,GAAG,GAAG,CAAC,CAAC,kBAAkB;IAExC,+BAA+B;IAC/B,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;IAED,0CAA0C;IAC1C,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;IAC7D,CAAC;IAED,6BAA6B;IAC7B,UAAU,GAAG,UAAU,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IAE9D,kBAAkB;IAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;QAClB,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;SAAM,IAAI,QAAQ,IAAI,EAAE,EAAE,CAAC;QAC1B,UAAU,IAAI,IAAI,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAmB,EAAE,IAAe,EAAE,UAAsB;IACvF,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE/C,IAAI,UAAU,CAAC,UAAU,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/C,OAAO,GAAG,UAAU,6BAA6B,IAAI,QAAQ,QAAQ,+BAA+B,CAAC;IACvG,CAAC;IAED,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,OAAO,GAAG,UAAU,aAAa,QAAQ,+BAA+B,CAAC;IAC3E,CAAC;IAED,OAAO,GAAG,UAAU,cAAc,QAAQ,oCAAoC,CAAC;AACjF,CAAC"}
+{"version":3,"file":"findings.js","sourceRoot":"","sources":["../../src/analysis/findings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH,OAAO,EACL,iBAAiB,IAAI,YAAY,EACjC,cAAc,EACd,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AAEpB;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAsB,EACtB,KAAkB,EAClB,GAAQ,EACR,QAAgB;IAEhB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,iDAAiD;IACjD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,qDAAqD;YACrD,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,SAAS;YACX,CAAC;YAED,qCAAqC;YACrC,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAEpD,IAAI,UAAU,CAAC,UAAU,IAAI,wBAAwB,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC;gBACpE,MAAM,QAAQ,GAAG,YAAY,CAAC;oBAC5B,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,UAAU,EAAE,UAAU,CAAC,UAAU;iBAClC,CAAC,CAAC;gBACH,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;gBAEjE,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,OAAO,SAAS,EAAE,EAAE;oBACxB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,QAAQ;oBACR,UAAU;oBACV,MAAM,EAAE;wBACN,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,MAAM,CAAC,IAAI;wBACjB,IAAI,EAAE,MAAM,CAAC,QAAQ;qBACtB;oBACD,IAAI,EAAE;wBACJ,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,IAAI,CAAC,QAAQ;qBACpB;oBACD,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;oBAC9D,WAAW,EAAE,UAAU,CAAC,UAAU,IAAI,UAAU,GAAG,GAAG;oBACtD,WAAW,EAAE,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC;oBAC1D,WAAW,EAAE,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;oBACtC,YAAY,EAAE;wBACZ,iBAAiB,EAAE,UAAU,CAAC,UAAU;wBACxC,YAAY,EAAE,KAAK;wBACnB,cAAc,EAAE,CAAC;wBACjB,eAAe,EAAE,sBAAsB,CAAC,MAAM,EAAE,IAAI,CAAC;qBACtD;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,mDAAmD;IACnD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAmB,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QACvC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,CAAC,CAAC,QAAQ,GAAG;gBACX,GAAG,CAAC,CAAC,QAAQ;gBACb,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;aACxD,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACtB,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,CAAE,QAAQ,CAAC,QAAQ,EAAE,OAAiD,IAAI,EAAE,CAAC,CAAC;YAC9F,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3D,QAAQ,CAAC,QAAQ,GAAG,EAAE,GAAG,QAAQ,CAAC,QAAQ,EAAE,OAAO,EAAE,CAAC;YACtD,MAAM,eAAe,GAAG,oBAAoB,CAC1C,QAAQ,CAAC,YAAY,CAAC,eAAe,EACrC,CAAC,CAAC,YAAY,CAAC,eAAe,CAC/B,CAAC;YACF,IAAI,CAAC,CAAC,UAAU,GAAG,QAAQ,CAAC,UAAU,EAAE,CAAC;gBACvC,QAAQ,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;gBACnC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;gBAC3B,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;gBACvB,QAAQ,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC;gBACrC,QAAQ,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY,CAAC;gBACvC,QAAQ,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC;gBACrC,QAAQ,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;YACjC,CAAC;YACD,QAAQ,CAAC,YAAY,CAAC,eAAe,GAAG,eAAe,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE7C,kCAAkC;IAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACpB,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAClE,MAAM,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC3E,IAAI,YAAY,KAAK,CAAC;YAAE,OAAO,YAAY,CAAC;QAC5C,OAAO,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,SAAS,sBAAsB,CAC7B,MAAmB,EACnB,IAAe;IAEf,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,IAAI,QAAQ,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,IAAI,QAAQ,CAAC;IAC7C,IAAI,GAAG,KAAK,GAAG;QAAE,OAAO,GAAG,CAAC;IAC5B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,SAAS,oBAAoB,CAC3B,CAAyC,EACzC,CAAyC;IAEzC,MAAM,IAAI,GAAG,CAAC,IAAI,QAAQ,CAAC;IAC3B,MAAM,KAAK,GAAG,CAAC,IAAI,QAAQ,CAAC;IAC5B,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAChC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAkB,EAAE,QAAkB;IACvE,MAAM,mBAAmB,GAA+B;QACtD,yEAAyE;QACzE,yFAAyF;QACzF,8DAA8D;QAC9D,yEAAyE;QACzE,gFAAgF;QAChF,6CAA6C;QAC7C,kFAAkF;QAClF,kCAAkC;QAClC,UAAU,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,EAAE,iBAAiB,CAAC;QAC5L,SAAS,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,EAAE,iBAAiB,CAAC;QACtJ,WAAW,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,CAAC;QAC9F,WAAW,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,CAAC;QACtF,SAAS,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,MAAM,EAAE,qBAAqB,CAAC;QAC7E,UAAU,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,EAAE,iBAAiB,CAAC;QACrI,QAAQ,EAAE,CAAC,mBAAmB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE,KAAK,CAAC;QACpG,SAAS,EAAE,CAAC,mBAAmB,EAAE,gBAAgB,CAAC;QAClD,QAAQ,EAAE,CAAC,KAAK,EAAE,eAAe,CAAC,EAAE,yBAAyB;QAC7D,UAAU,EAAE,CAAC,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,gBAAgB,CAAC;QAC/F,aAAa,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,CAAC;QACpE,YAAY,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,CAAC,EAAE,sBAAsB;QAC7G,qBAAqB,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,EAAE,iBAAiB,CAAC,EAAE,qBAAqB;QAC9N,YAAY,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,gBAAgB,CAAC,EAAE,2BAA2B;KAC7H,CAAC;IAEF,MAAM,UAAU,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC;IACnD,OAAO,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAC5D,CAAC;AAQD;;GAEG;AACH,SAAS,aAAa,CAAC,MAAmB,EAAE,IAAe,EAAE,GAAQ;IACnE,MAAM,IAAI,GAAe,EAAE,CAAC;IAC5B,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,wCAAwC;IACxC,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACrC,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,CACvD,CAAC;IAEF,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACnC,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,CACnD,CAAC;IAEF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;IACxD,CAAC;IAED,8BAA8B;IAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;IAEhC,yDAAyD;IACzD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,qBAAqB,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;YAC9E,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpB,uBAAuB;gBACvB,KAAK,MAAM,KAAK,IAAI,IAAI,EAAE,CAAC;oBACzB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;oBAC/C,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,IAAI,CAAC;4BACR,IAAI,EAAE,EAAE,EAAE,2BAA2B;4BACrC,MAAM,EAAE,EAAE;4BACV,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,IAAI,EAAE,GAAG,GAAG,CAAC,QAAQ,QAAQ;4BAC7B,QAAQ,EAAE,GAAG,CAAC,QAAQ;yBACvB,CAAC,CAAC;wBACH,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;gBAED,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,6DAA6D;IAC7D,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;QAC5C,4BAA4B;QAC5B,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAExD,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpB,IAAI,CAAC,IAAI,CAAC;oBACR,IAAI,EAAE,EAAE;oBACR,MAAM,EAAE,EAAE;oBACV,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,IAAI,EAAE,GAAG,CAAC,aAAa;oBACvB,QAAQ,EAAE,CAAC;iBACZ,CAAC,CAAC;gBACH,IAAI,CAAC,IAAI,CAAC;oBACR,IAAI,EAAE,EAAE;oBACR,MAAM,EAAE,EAAE;oBACV,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,QAAQ,CAAC,GAAG;oBAClB,QAAQ,EAAE,CAAC;iBACZ,CAAC,CAAC;gBACH,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAC5B,SAAiB,EACjB,OAAsB,EACtB,MAAkB,EAClB,GAAQ,EACR,UAAuB,IAAI,GAAG,EAAE,EAChC,OAAiB,EAAE;IAEnB,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IAChC,IAAI,SAAS,KAAK,OAAO;QAAE,OAAO,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC,CAAC;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC;QAAE,OAAO,EAAE,CAAC;IAEtC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACvB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAErB,uCAAuC;IACvC,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC;IAEpE,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;QAC7F,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,MAAmB,EAAE,IAAe;IACpE,8DAA8D;IAC9D,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;AACjD,CAAC;AAGD;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAmB,EAAE,IAAe,EAAE,UAAsB;IACvF,IAAI,UAAU,GAAG,GAAG,CAAC,CAAC,kBAAkB;IAExC,+BAA+B;IAC/B,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;IAED,0CAA0C;IAC1C,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;IAC7D,CAAC;IAED,6BAA6B;IAC7B,UAAU,GAAG,UAAU,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IAE9D,kBAAkB;IAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;QAClB,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;SAAM,IAAI,QAAQ,IAAI,EAAE,EAAE,CAAC;QAC1B,UAAU,IAAI,IAAI,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAmB,EAAE,IAAe,EAAE,UAAsB;IACvF,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE/C,IAAI,UAAU,CAAC,UAAU,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/C,OAAO,GAAG,UAAU,6BAA6B,IAAI,QAAQ,QAAQ,+BAA+B,CAAC;IACvG,CAAC;IAED,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,OAAO,GAAG,UAAU,aAAa,QAAQ,+BAA+B,CAAC;IAC3E,CAAC;IAED,OAAO,GAAG,UAAU,cAAc,QAAQ,oCAAoC,CAAC;AACjF,CAAC"}

package/dist/analysis/passes/csrf-protection-disabled-pass.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Pass: csrf-protection-disabled (CWE-352, category: security)
+ *
+ * Pattern pass — flags places where cross-site request forgery (CSRF)
+ * protection is *explicitly disabled*. We do not attempt to detect the
+ * absence of CSRF protection (false-positive prone across framework
+ * idioms); instead we look for the documented "turn it off" calls.
+ *
+ * Detection per language:
+ *   Java (Spring Security):
+ *     - `http.csrf().disable()`
+ *     - `http.csrf(csrf -> csrf.disable())`        — DSL form
+ *     - `http.csrf(AbstractHttpConfigurer::disable)` — method-ref form
+ *     - `.csrfTokenRepository(null)`               — neuters the repo
+ *   Python (Django):
+ *     - `@csrf_exempt` decorator on a view
+ *     - `MIDDLEWARE = [...]` with `django.middleware.csrf.CsrfViewMiddleware`
+ *       removed — we do NOT detect this (config-file analysis).
+ *   JavaScript (Express):
+ *     - We do NOT detect "csurf missing" — that's an absence check that
+ *       fires on every non-Express handler.
+ *
+ * Severity: critical (CWE-352 is direct privilege escalation).
+ * Issue: #86, Sprint 6.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface CsrfProtectionDisabledResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        pattern: string;
+        api: string;
+    }>;
+}
+export declare class CsrfProtectionDisabledPass implements AnalysisPass<CsrfProtectionDisabledResult> {
+    readonly name = "csrf-protection-disabled";
+    readonly category: "security";
+    run(ctx: PassContext): CsrfProtectionDisabledResult;
+    private detectCall;
+    private fixFor;
+}
+//# sourceMappingURL=csrf-protection-disabled-pass.d.ts.map

package/dist/analysis/passes/csrf-protection-disabled-pass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf-protection-disabled-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/csrf-protection-disabled-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAkB9E,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAED,qBAAa,0BACX,YAAW,YAAY,CAAC,4BAA4B,CAAC;IAErD,QAAQ,CAAC,IAAI,8BAA8B;IAC3C,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,4BAA4B;IAgHnD,OAAO,CAAC,UAAU;IA2BlB,OAAO,CAAC,MAAM;CAoBf"}

package/dist/analysis/passes/csrf-protection-disabled-pass.js

@@ -0,0 +1,185 @@
+/**
+ * Pass: csrf-protection-disabled (CWE-352, category: security)
+ *
+ * Pattern pass — flags places where cross-site request forgery (CSRF)
+ * protection is *explicitly disabled*. We do not attempt to detect the
+ * absence of CSRF protection (false-positive prone across framework
+ * idioms); instead we look for the documented "turn it off" calls.
+ *
+ * Detection per language:
+ *   Java (Spring Security):
+ *     - `http.csrf().disable()`
+ *     - `http.csrf(csrf -> csrf.disable())`        — DSL form
+ *     - `http.csrf(AbstractHttpConfigurer::disable)` — method-ref form
+ *     - `.csrfTokenRepository(null)`               — neuters the repo
+ *   Python (Django):
+ *     - `@csrf_exempt` decorator on a view
+ *     - `MIDDLEWARE = [...]` with `django.middleware.csrf.CsrfViewMiddleware`
+ *       removed — we do NOT detect this (config-file analysis).
+ *   JavaScript (Express):
+ *     - We do NOT detect "csurf missing" — that's an absence check that
+ *       fires on every non-Express handler.
+ *
+ * Severity: critical (CWE-352 is direct privilege escalation).
+ * Issue: #86, Sprint 6.
+ */
+// Match `.csrf().disable()` or `.csrf(<lambda>).disable(...)`.
+const JAVA_CSRF_DISABLE_RE = /\.csrf\s*\([^)]*\)\s*\.\s*disable\b/;
+// `csrf(csrf -> csrf.disable())` or `csrf(c -> c.disable())`.
+const JAVA_CSRF_LAMBDA_DISABLE_RE = /\bcsrf\s*\(\s*\w+\s*->\s*\w+\s*\.\s*disable\s*\(/;
+// Method-reference form: `csrf(AbstractHttpConfigurer::disable)`.
+const JAVA_CSRF_METHODREF_RE = /\bcsrf\s*\(\s*[\w.]+::disable\s*\)/;
+// `.csrfTokenRepository(null)`.
+const JAVA_CSRF_NULL_REPO_RE = /\.csrfTokenRepository\s*\(\s*null\s*\)/;
+export class CsrfProtectionDisabledPass {
+    name = 'csrf-protection-disabled';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        // 1. Call-based detection.
+        for (const call of graph.ir.calls) {
+            const detections = this.detectCall(call, language);
+            for (const det of detections) {
+                const line = call.location.line;
+                findings.push({ line, language, ...det });
+                ctx.addFinding({
+                    id: `${this.name}-${file}-${line}-${det.pattern}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-352',
+                    severity: 'critical',
+                    level: 'error',
+                    message: `CSRF protection explicitly disabled via \`${det.pattern}\` ` +
+                        `(${det.api}). Any browser session can be silently used to ` +
+                        'perform state-changing requests from a malicious origin.',
+                    file,
+                    line,
+                    fix: this.fixFor(language),
+                    evidence: { ...det, language },
+                });
+            }
+        }
+        // 2. Source-text detection for Java DSL chains that are emitted as a
+        // single call expression (the `disable()` arrives as a method on a
+        // chained receiver and not always as a discoverable separate CallInfo).
+        if (language === 'java') {
+            const src = ctx.code ?? '';
+            if (src) {
+                const lines = src.split('\n');
+                for (let i = 0; i < lines.length; i++) {
+                    const line = i + 1;
+                    const text = lines[i] ?? '';
+                    let det = null;
+                    if (JAVA_CSRF_LAMBDA_DISABLE_RE.test(text)) {
+                        det = { pattern: 'csrf(c -> c.disable())', api: 'HttpSecurity.csrf' };
+                    }
+                    else if (JAVA_CSRF_METHODREF_RE.test(text)) {
+                        det = { pattern: 'csrf(::disable)', api: 'HttpSecurity.csrf' };
+                    }
+                    else if (JAVA_CSRF_NULL_REPO_RE.test(text)) {
+                        det = { pattern: 'csrfTokenRepository(null)', api: 'HttpSecurity.csrfTokenRepository' };
+                    }
+                    else if (JAVA_CSRF_DISABLE_RE.test(text)) {
+                        det = { pattern: 'csrf().disable()', api: 'HttpSecurity.csrf' };
+                    }
+                    if (det && !findings.some((f) => f.line === line && f.pattern === det.pattern)) {
+                        findings.push({ line, language, ...det });
+                        ctx.addFinding({
+                            id: `${this.name}-${file}-${line}-${det.pattern}`,
+                            pass: this.name,
+                            category: this.category,
+                            rule_id: this.name,
+                            cwe: 'CWE-352',
+                            severity: 'critical',
+                            level: 'error',
+                            message: `CSRF protection explicitly disabled via \`${det.pattern}\` ` +
+                                `(${det.api}). Any browser session can be silently used to ` +
+                                'perform state-changing requests from a malicious origin.',
+                            file,
+                            line,
+                            fix: this.fixFor(language),
+                            evidence: { ...det, language },
+                        });
+                    }
+                }
+            }
+        }
+        // 3. Python `@csrf_exempt` decorator — present on annotations / types.
+        if (language === 'python') {
+            const src = ctx.code ?? '';
+            if (src) {
+                const lines = src.split('\n');
+                for (let i = 0; i < lines.length; i++) {
+                    const text = lines[i] ?? '';
+                    if (/^\s*@csrf_exempt\b/.test(text)) {
+                        const line = i + 1;
+                        const det = { pattern: '@csrf_exempt', api: 'django.views.decorators.csrf' };
+                        findings.push({ line, language, ...det });
+                        ctx.addFinding({
+                            id: `${this.name}-${file}-${line}-${det.pattern}`,
+                            pass: this.name,
+                            category: this.category,
+                            rule_id: this.name,
+                            cwe: 'CWE-352',
+                            severity: 'critical',
+                            level: 'error',
+                            message: 'Django view is decorated with `@csrf_exempt`, bypassing the ' +
+                                'framework CSRF middleware for this endpoint. Any browser ' +
+                                'session can be silently used to invoke this handler from ' +
+                                'a malicious origin.',
+                            file,
+                            line,
+                            fix: this.fixFor(language),
+                            evidence: { ...det, language },
+                        });
+                    }
+                }
+            }
+        }
+        return { findings };
+    }
+    detectCall(call, language) {
+        const out = [];
+        if (language !== 'java')
+            return out;
+        // Plain `csrf().disable()` chain — the IR may split this into two calls
+        // (the outer .disable() with receiver "csrf()" or chained receiver).
+        if (call.method_name === 'disable') {
+            const recv = call.receiver ?? '';
+            if (/\bcsrf\s*\(\s*\)\s*$/.test(recv) || recv.endsWith('.csrf()')) {
+                out.push({ pattern: 'csrf().disable()', api: 'HttpSecurity.csrf' });
+            }
+        }
+        if (call.method_name === 'csrfTokenRepository') {
+            const arg = call.arguments.find((a) => a.position === 0);
+            const expr = (arg?.expression ?? arg?.literal ?? '').trim();
+            if (expr === 'null') {
+                out.push({
+                    pattern: 'csrfTokenRepository(null)',
+                    api: 'HttpSecurity.csrfTokenRepository',
+                });
+            }
+        }
+        return out;
+    }
+    fixFor(language) {
+        if (language === 'java') {
+            return ('Leave Spring Security CSRF protection enabled. If you need to ' +
+                'exempt a specific endpoint (e.g. webhook), use ' +
+                '`.csrf(c -> c.ignoringRequestMatchers("/webhook"))` rather than ' +
+                '`.disable()`. For stateless APIs, prefer a per-request token over ' +
+                'disabling CSRF entirely.');
+        }
+        if (language === 'python') {
+            return ('Remove `@csrf_exempt`. For stateless API endpoints, use Django REST ' +
+                'Framework with a token / session auth backend that does not rely on ' +
+                'cookies. For webhook receivers, verify a shared-secret signature ' +
+                'instead of disabling CSRF.');
+        }
+        return 'Re-enable framework CSRF protection or replace with origin / token validation.';
+    }
+}
+//# sourceMappingURL=csrf-protection-disabled-pass.js.map

package/dist/analysis/passes/csrf-protection-disabled-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf-protection-disabled-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/csrf-protection-disabled-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAKH,+DAA+D;AAC/D,MAAM,oBAAoB,GAAG,qCAAqC,CAAC;AACnE,8DAA8D;AAC9D,MAAM,2BAA2B,GAC/B,kDAAkD,CAAC;AACrD,kEAAkE;AAClE,MAAM,sBAAsB,GAAG,oCAAoC,CAAC;AACpE,gCAAgC;AAChC,MAAM,sBAAsB,GAAG,wCAAwC,CAAC;AAgBxE,MAAM,OAAO,0BAA0B;IAG5B,IAAI,GAAG,0BAA0B,CAAC;IAClC,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAA6C,EAAE,CAAC;QAE9D,2BAA2B;QAC3B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YACnD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;gBAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;gBAC1C,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE;oBACjD,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,6CAA6C,GAAG,CAAC,OAAO,KAAK;wBAC7D,IAAI,GAAG,CAAC,GAAG,iDAAiD;wBAC5D,0DAA0D;oBAC5D,IAAI;oBACJ,IAAI;oBACJ,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;oBAC1B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,qEAAqE;QACrE,mEAAmE;QACnE,wEAAwE;QACxE,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;YAC3B,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACtC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;oBACnB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC5B,IAAI,GAAG,GAAqB,IAAI,CAAC;oBACjC,IAAI,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC3C,GAAG,GAAG,EAAE,OAAO,EAAE,wBAAwB,EAAE,GAAG,EAAE,mBAAmB,EAAE,CAAC;oBACxE,CAAC;yBAAM,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC7C,GAAG,GAAG,EAAE,OAAO,EAAE,iBAAiB,EAAE,GAAG,EAAE,mBAAmB,EAAE,CAAC;oBACjE,CAAC;yBAAM,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC7C,GAAG,GAAG,EAAE,OAAO,EAAE,2BAA2B,EAAE,GAAG,EAAE,kCAAkC,EAAE,CAAC;oBAC1F,CAAC;yBAAM,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC3C,GAAG,GAAG,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAE,mBAAmB,EAAE,CAAC;oBAClE,CAAC;oBACD,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,GAAI,CAAC,OAAO,CAAC,EAAE,CAAC;wBAChF,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;wBAC1C,GAAG,CAAC,UAAU,CAAC;4BACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE;4BACjD,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,OAAO,EAAE,IAAI,CAAC,IAAI;4BAClB,GAAG,EAAE,SAAS;4BACd,QAAQ,EAAE,UAAU;4BACpB,KAAK,EAAE,OAAO;4BACd,OAAO,EACL,6CAA6C,GAAG,CAAC,OAAO,KAAK;gCAC7D,IAAI,GAAG,CAAC,GAAG,iDAAiD;gCAC5D,0DAA0D;4BAC5D,IAAI;4BACJ,IAAI;4BACJ,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;4BAC1B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;yBAC/B,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,uEAAuE;QACvE,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;YAC3B,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC5B,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACpC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;wBACnB,MAAM,GAAG,GAAc,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,EAAE,8BAA8B,EAAE,CAAC;wBACxF,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;wBAC1C,GAAG,CAAC,UAAU,CAAC;4BACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE;4BACjD,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,OAAO,EAAE,IAAI,CAAC,IAAI;4BAClB,GAAG,EAAE,SAAS;4BACd,QAAQ,EAAE,UAAU;4BACpB,KAAK,EAAE,OAAO;4BACd,OAAO,EACL,8DAA8D;gCAC9D,2DAA2D;gCAC3D,2DAA2D;gCAC3D,qBAAqB;4BACvB,IAAI;4BACJ,IAAI;4BACJ,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;4BAC1B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;yBAC/B,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,UAAU,CAAC,IAAc,EAAE,QAAgB;QACjD,MAAM,GAAG,GAAgB,EAAE,CAAC;QAC5B,IAAI,QAAQ,KAAK,MAAM;YAAE,OAAO,GAAG,CAAC;QAEpC,wEAAwE;QACxE,qEAAqE;QACrE,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;YACjC,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBAClE,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAE,mBAAmB,EAAE,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,WAAW,KAAK,qBAAqB,EAAE,CAAC;YAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;YACzD,MAAM,IAAI,GAAG,CAAC,GAAG,EAAE,UAAU,IAAI,GAAG,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5D,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;gBACpB,GAAG,CAAC,IAAI,CAAC;oBACP,OAAO,EAAE,2BAA2B;oBACpC,GAAG,EAAE,kCAAkC;iBACxC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAEO,MAAM,CAAC,QAAgB;QAC7B,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,OAAO,CACL,gEAAgE;gBAChE,iDAAiD;gBACjD,kEAAkE;gBAClE,oEAAoE;gBACpE,0BAA0B,CAC3B,CAAC;QACJ,CAAC;QACD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,OAAO,CACL,sEAAsE;gBACtE,sEAAsE;gBACtE,mEAAmE;gBACnE,4BAA4B,CAC7B,CAAC;QACJ,CAAC;QACD,OAAO,gFAAgF,CAAC;IAC1F,CAAC;CACF"}

package/dist/analysis/passes/mass-assignment-pass.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Pass: mass-assignment (CWE-915, category: security)
+ *
+ * Pattern pass — flags code paths that splat an HTTP request bag (form /
+ * body / query / json) directly into a domain-object constructor or update
+ * helper without an allow-list. This complements the taint-based
+ * `mass_assignment` SinkType which catches `Object.assign(user, req.body)`
+ * via the regular sink matcher; this pass catches the *syntactic spread /
+ * kwargs* forms that aren't a discrete call argument.
+ *
+ * Detection per language:
+ *   Python:
+ *     - `Model(**request.form)`
+ *     - `Model(**request.json)` / `**request.get_json()`
+ *     - `Model(**request.args)` / `**request.values`
+ *     - `Model.objects.create(**request.X)` (Django ORM)
+ *     - `Model.objects.update(**request.X)`
+ *   JavaScript / TypeScript:
+ *     - `{ ...req.body }`, `{ ...req.query }`, `{ ...req.params }`
+ *     - `{ ...request.body }`, `{ ...ctx.request.body }` (Koa)
+ *     - `await Model.create({ ...req.body })`
+ *     - `await user.update({ ...req.body })`
+ *
+ * Severity: high (direct privilege escalation vector).
+ * Issue: #86, Sprint 6.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface MassAssignmentResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        pattern: string;
+        snippet: string;
+    }>;
+}
+export declare class MassAssignmentPass implements AnalysisPass<MassAssignmentResult> {
+    readonly name = "mass-assignment";
+    readonly category: "security";
+    run(ctx: PassContext): MassAssignmentResult;
+}
+//# sourceMappingURL=mass-assignment-pass.d.ts.map

package/dist/analysis/passes/mass-assignment-pass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mass-assignment-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/mass-assignment-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAuB9E,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;CACJ;AAED,qBAAa,kBACX,YAAW,YAAY,CAAC,oBAAoB,CAAC;IAE7C,QAAQ,CAAC,IAAI,qBAAqB;IAClC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,oBAAoB;CA0F5C"}

package/dist/analysis/passes/mass-assignment-pass.js

@@ -0,0 +1,124 @@
+/**
+ * Pass: mass-assignment (CWE-915, category: security)
+ *
+ * Pattern pass — flags code paths that splat an HTTP request bag (form /
+ * body / query / json) directly into a domain-object constructor or update
+ * helper without an allow-list. This complements the taint-based
+ * `mass_assignment` SinkType which catches `Object.assign(user, req.body)`
+ * via the regular sink matcher; this pass catches the *syntactic spread /
+ * kwargs* forms that aren't a discrete call argument.
+ *
+ * Detection per language:
+ *   Python:
+ *     - `Model(**request.form)`
+ *     - `Model(**request.json)` / `**request.get_json()`
+ *     - `Model(**request.args)` / `**request.values`
+ *     - `Model.objects.create(**request.X)` (Django ORM)
+ *     - `Model.objects.update(**request.X)`
+ *   JavaScript / TypeScript:
+ *     - `{ ...req.body }`, `{ ...req.query }`, `{ ...req.params }`
+ *     - `{ ...request.body }`, `{ ...ctx.request.body }` (Koa)
+ *     - `await Model.create({ ...req.body })`
+ *     - `await user.update({ ...req.body })`
+ *
+ * Severity: high (direct privilege escalation vector).
+ * Issue: #86, Sprint 6.
+ */
+// Python: `**<httpSource>` where httpSource is one of the known
+// request bags. We intentionally allow trailing dots / call-syntax
+// (`request.get_json()`).
+const PY_KWARGS_SPLAT_RE = /\*\*\s*(?:request|self\.request|flask\.request|ctx|self)\s*\.\s*(?:form|args|values|json|get_json\s*\(\s*\)|files|data)/;
+// JS object-spread of an HTTP source. We match `{...<source>}` where the
+// source begins with `req|request|ctx|context` and continues into `body`,
+// `query`, `params`, `request.body`, etc.
+const JS_OBJECT_SPREAD_RE = /\{\s*\.\.\.\s*(?:req|request|ctx|context)(?:\.request)?\s*\.\s*(?:body|query|params|form)\b/;
+export class MassAssignmentPass {
+    name = 'mass-assignment';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        const code = ctx.code ?? '';
+        if (!code)
+            return { findings };
+        const lines = code.split('\n');
+        if (language === 'python') {
+            for (let i = 0; i < lines.length; i++) {
+                const text = lines[i] ?? '';
+                const m = PY_KWARGS_SPLAT_RE.exec(text);
+                if (!m)
+                    continue;
+                const line = i + 1;
+                const det = {
+                    pattern: '**request.<bag>',
+                    match: m[0],
+                };
+                findings.push({
+                    line,
+                    language,
+                    pattern: det.pattern,
+                    snippet: text.trim().slice(0, 200),
+                });
+                ctx.addFinding({
+                    id: `${this.name}-${file}-${line}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-915',
+                    severity: 'high',
+                    level: 'error',
+                    message: `HTTP request bag splatted into constructor / ORM helper via ` +
+                        `\`${det.match}\`. Every form field becomes a settable attribute ` +
+                        'on the domain object, including ones the endpoint did not ' +
+                        'intend to expose (e.g. `is_admin`, `role`, `owner_id`).',
+                    file,
+                    line,
+                    fix: 'Replace the `**` splat with an explicit allow-list: ' +
+                        "`Model(name=request.form['name'], email=request.form['email'])`. " +
+                        'For Django, use a `ModelForm` / serializer with `fields = [...]`.',
+                    evidence: { pattern: det.pattern, match: det.match, language },
+                });
+            }
+            return { findings };
+        }
+        if (language === 'javascript' || language === 'typescript') {
+            for (let i = 0; i < lines.length; i++) {
+                const text = lines[i] ?? '';
+                const m = JS_OBJECT_SPREAD_RE.exec(text);
+                if (!m)
+                    continue;
+                const line = i + 1;
+                findings.push({
+                    line,
+                    language,
+                    pattern: '{...req.<bag>}',
+                    snippet: text.trim().slice(0, 200),
+                });
+                ctx.addFinding({
+                    id: `${this.name}-${file}-${line}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-915',
+                    severity: 'high',
+                    level: 'error',
+                    message: `HTTP request bag spread into object literal via \`${m[0]}\`. ` +
+                        'Every body field becomes a settable property on the resulting ' +
+                        'object, including ones the endpoint did not intend to expose ' +
+                        '(e.g. `isAdmin`, `role`, `ownerId`).',
+                    file,
+                    line,
+                    fix: 'Replace the spread with an explicit pick: ' +
+                        '`const { name, email } = req.body; const user = { name, email };`. ' +
+                        'For ORMs, use a DTO / Zod schema with `.pick(...)` or ' +
+                        'allow-list serializers.',
+                    evidence: { pattern: '{...req.<bag>}', match: m[0], language },
+                });
+            }
+            return { findings };
+        }
+        return { findings };
+    }
+}
+//# sourceMappingURL=mass-assignment-pass.js.map

package/dist/analysis/passes/mass-assignment-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mass-assignment-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/mass-assignment-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAIH,gEAAgE;AAChE,mEAAmE;AACnE,0BAA0B;AAC1B,MAAM,kBAAkB,GACtB,yHAAyH,CAAC;AAE5H,yEAAyE;AACzE,0EAA0E;AAC1E,0CAA0C;AAC1C,MAAM,mBAAmB,GACvB,6FAA6F,CAAC;AAoBhG,MAAM,OAAO,kBAAkB;IAGpB,IAAI,GAAG,iBAAiB,CAAC;IACzB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAqC,EAAE,CAAC;QACtD,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;QAE/B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE/B,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5B,MAAM,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACxC,IAAI,CAAC,CAAC;oBAAE,SAAS;gBACjB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;gBACnB,MAAM,GAAG,GAAgB;oBACvB,OAAO,EAAE,iBAAiB;oBAC1B,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;iBACZ,CAAC;gBACF,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI;oBACJ,QAAQ;oBACR,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;iBACnC,CAAC,CAAC;gBACH,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;oBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,8DAA8D;wBAC9D,KAAK,GAAG,CAAC,KAAK,oDAAoD;wBAClE,4DAA4D;wBAC5D,yDAAyD;oBAC3D,IAAI;oBACJ,IAAI;oBACJ,GAAG,EACD,sDAAsD;wBACtD,mEAAmE;wBACnE,mEAAmE;oBACrE,QAAQ,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE;iBAC/D,CAAC,CAAC;YACL,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5B,MAAM,CAAC,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACzC,IAAI,CAAC,CAAC;oBAAE,SAAS;gBACjB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;gBACnB,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI;oBACJ,QAAQ;oBACR,OAAO,EAAE,gBAAgB;oBACzB,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;iBACnC,CAAC,CAAC;gBACH,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;oBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,qDAAqD,CAAC,CAAC,CAAC,CAAC,MAAM;wBAC/D,gEAAgE;wBAChE,+DAA+D;wBAC/D,sCAAsC;oBACxC,IAAI;oBACJ,IAAI;oBACJ,GAAG,EACD,4CAA4C;wBAC5C,qEAAqE;wBACrE,wDAAwD;wBACxD,yBAAyB;oBAC3B,QAAQ,EAAE,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE;iBAC/D,CAAC,CAAC;YACL,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;CACF"}

package/dist/analysis/passes/xml-entity-expansion-pass.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Pass: xml-entity-expansion (CWE-776 / CWE-611, category: security)
+ *
+ * Pattern pass — flags XML parser instantiation that does *not* disable
+ * DTD / external-entity processing in the same file. This covers:
+ *   - Billion-laughs / quadratic blow-up DoS (CWE-776)
+ *   - External-entity disclosure (CWE-611) [already partially covered by
+ *     existing xxe taint sinks; this pass adds the config-level signal]
+ *
+ * Detection (Java):
+ *   Factory instantiation:
+ *     - `SAXParserFactory.newInstance()`
+ *     - `DocumentBuilderFactory.newInstance()`
+ *     - `XMLInputFactory.newInstance()` (StAX)
+ *     - `SchemaFactory.newInstance(...)`
+ *     - `TransformerFactory.newInstance()`
+ *   Safe-feature setters (any of these in the same file silences the
+ *   finding for that factory class):
+ *     - `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`
+ *     - `setFeature("http://xml.org/sax/features/external-general-entities", false)`
+ *     - `setFeature("http://xml.org/sax/features/external-parameter-entities", false)`
+ *     - `setProperty(XMLInputFactory.SUPPORT_DTD, false)`
+ *     - `setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")`
+ *
+ * Detection (Python):
+ *   - `xml.etree.ElementTree.parse` / `fromstring` — defxml advises
+ *     `defusedxml.ElementTree` instead.
+ *   - `lxml.etree.parse(...)` without `XMLParser(resolve_entities=False)`
+ *     argument. We only fire if `resolve_entities=False` does NOT appear
+ *     in the file.
+ *
+ * Note: the existing `xxe` taint sinks (`SAXParser.parse`, `XMLReader.parse`,
+ * etc.) already fire when *tainted* XML reaches the parser. This pass is
+ * the orthogonal *configuration* signal — fire even on hard-coded inputs
+ * because billion-laughs is exploitable via any attacker-supplied entity
+ * file even when the parse() argument itself is trusted.
+ *
+ * Issue: #86, Sprint 6.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface XmlEntityExpansionResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        pattern: string;
+        api: string;
+    }>;
+}
+export declare class XmlEntityExpansionPass implements AnalysisPass<XmlEntityExpansionResult> {
+    readonly name = "xml-entity-expansion";
+    readonly category: "security";
+    run(ctx: PassContext): XmlEntityExpansionResult;
+    private detectJavaCall;
+    private detectPythonCall;
+    private fixForJava;
+    private fixForPython;
+}
+//# sourceMappingURL=xml-entity-expansion-pass.d.ts.map

package/dist/analysis/passes/xml-entity-expansion-pass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xml-entity-expansion-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/xml-entity-expansion-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAyB9E,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAED,qBAAa,sBACX,YAAW,YAAY,CAAC,wBAAwB,CAAC;IAEjD,QAAQ,CAAC,IAAI,0BAA0B;IACvC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,wBAAwB;IA0E/C,OAAO,CAAC,cAAc;IAiBtB,OAAO,CAAC,gBAAgB;IAyBxB,OAAO,CAAC,UAAU;IA6BlB,OAAO,CAAC,YAAY;CAarB"}