circle-ir 3.54.0 → 3.55.0

package/dist/browser/circle-ir.js

@@ -11177,9 +11177,16 @@ var DEFAULT_SINKS = [
   { method: "println", class: "ServletOutputStream", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   // XSS in error messages (CWE-81)
   { method: "sendError", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
-  // Response header injection (can lead to header XSS)
-  { method: "setHeader", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
-  { method: "addHeader", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
+  // Response header injection — re-categorised from `xss` to `crlf`
+  // (CWE-113) in Sprint 6 of #86. Header injection is HTTP response
+  // splitting / cache-poisoning / cookie forging; reflected XSS via header
+  // reflection remains a downstream concern of body-writing sinks.
+  { method: "setHeader", class: "HttpServletResponse", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1] },
+  { method: "addHeader", class: "HttpServletResponse", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1] },
+  // Note: `sendRedirect` is primarily classified as `ssrf` / open-redirect
+  // (CWE-601) further down — see entry near line 1195. CRLF via Location
+  // header is a secondary concern; keeping the canonical SSRF entry avoids
+  // double-emission that would mask the open-redirect chain.
   { method: "setContentType", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   // JSP output
   { method: "setAttribute", class: "PageContext", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
@@ -12148,7 +12155,33 @@ var DEFAULT_SINKS = [
   { method: "Sprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
   { method: "Printf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
   { method: "Errorf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
-  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] }
+  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] },
+  // CRLF / HTTP response splitting (CWE-113) — Sprint 6, #86.
+  // Node.js / Express response header / cookie sinks. The header *name* (arg 0)
+  // is also CRLF-sensitive but is almost always a string literal; we model
+  // arg 1 (the value) as the primary sink.
+  { method: "setHeader", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["javascript", "typescript"] },
+  { method: "writeHead", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [2], languages: ["javascript", "typescript"] },
+  // Express: res.cookie(name, value, options) — value is CRLF-sensitive.
+  { method: "cookie", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["javascript", "typescript"] },
+  // Express: res.location(url) and res.redirect(url) — Location header.
+  { method: "location", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "redirect", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Go net/http: w.Header().Set(k, v) / Add(k, v) — first arg is the value
+  // (Header is a map; the actual `value` is arg 1 of the call). We flag the
+  // value position so a tainted variable is detected.
+  { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  // Mass-assignment (CWE-915) — Sprint 6, #86.
+  // JS Object.assign(target, ...sources) — sources are arg 1..N, and if any
+  // source is request-tainted, every key gets written onto the target. We
+  // flag the source positions; the analyzer only needs one tainted to fire.
+  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  // Lodash bulk-merge helpers behave identically.
+  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  // jQuery $.extend(target, source) (legacy).
+  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] }
 ];
 var DEFAULT_SANITIZERS = [
   // SQL Injection - proper parameter binding sanitizes input
@@ -13618,12 +13651,17 @@ function canSourceReachSink(sourceType, sinkType) {
     // code_injection added to http_param/http_query/http_header/http_cookie:
     // `eval(req.query.x)`, `Function(req.header('x'))`, `vm.runInThisContext(req.cookies.c)`
     // are all real RCE patterns in JS web apps (cognium-dev #83).
-    http_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "mybatis_mapper_call", "code_injection"],
-    http_body: ["sql_injection", "command_injection", "deserialization", "xxe", "xss", "code_injection", "mybatis_mapper_call"],
-    http_header: ["sql_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection"],
-    http_cookie: ["sql_injection", "xss", "mybatis_mapper_call", "code_injection"],
+    // crlf added to http_param/http_query/http_header/http_cookie/http_body:
+    // setHeader/setCookie/redirect of any user-controlled string is CRLF / response
+    // splitting (CWE-113) — Sprint 6, issue #86.
+    // mass_assignment added to http_body / http_param: Object.assign(user, req.body),
+    // User(**request.form) — CWE-915.
+    http_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "mybatis_mapper_call", "code_injection", "crlf", "mass_assignment"],
+    http_body: ["sql_injection", "command_injection", "deserialization", "xxe", "xss", "code_injection", "mybatis_mapper_call", "crlf", "mass_assignment"],
+    http_header: ["sql_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection", "crlf"],
+    http_cookie: ["sql_injection", "xss", "mybatis_mapper_call", "code_injection", "crlf"],
     http_path: ["path_traversal", "sql_injection", "ssrf", "mybatis_mapper_call"],
-    http_query: ["sql_injection", "command_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection"],
+    http_query: ["sql_injection", "command_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection", "crlf", "mass_assignment"],
     io_input: ["command_injection", "path_traversal", "deserialization", "xxe", "code_injection", "xss"],
     env_input: ["command_injection", "path_traversal"],
     db_input: ["xss", "sql_injection"],
@@ -13632,7 +13670,7 @@ function canSourceReachSink(sourceType, sinkType) {
     network_input: ["sql_injection", "command_injection", "xss", "ssrf"],
     config_param: ["sql_injection", "command_injection", "path_traversal", "xss", "ssrf"],
     // Servlet init params
-    interprocedural_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "code_injection", "mybatis_mapper_call"],
+    interprocedural_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "code_injection", "mybatis_mapper_call", "crlf", "mass_assignment"],
     // Cross-method taint
     plugin_param: ["sql_injection", "command_injection", "path_traversal", "xss", "code_injection"]
     // Plugin/config parameters
@@ -14833,7 +14871,9 @@ var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
   "code_injection",
   "mybatis_mapper_call",
   "redos",
-  "format_string"
+  "format_string",
+  "crlf",
+  "mass_assignment"
 ]);
 function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
   const sanitizersAtTarget = sanitizersByLine.get(toLine);
@@ -28087,6 +28127,341 @@ var JwtVerifyDisabledPass = class {
   }
 };
 
+// src/analysis/passes/csrf-protection-disabled-pass.ts
+var JAVA_CSRF_DISABLE_RE = /\.csrf\s*\([^)]*\)\s*\.\s*disable\b/;
+var JAVA_CSRF_LAMBDA_DISABLE_RE = /\bcsrf\s*\(\s*\w+\s*->\s*\w+\s*\.\s*disable\s*\(/;
+var JAVA_CSRF_METHODREF_RE = /\bcsrf\s*\(\s*[\w.]+::disable\s*\)/;
+var JAVA_CSRF_NULL_REPO_RE = /\.csrfTokenRepository\s*\(\s*null\s*\)/;
+var CsrfProtectionDisabledPass = class {
+  name = "csrf-protection-disabled";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detections = this.detectCall(call, language);
+      for (const det of detections) {
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.pattern}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-352",
+          severity: "critical",
+          level: "error",
+          message: `CSRF protection explicitly disabled via \`${det.pattern}\` (${det.api}). Any browser session can be silently used to perform state-changing requests from a malicious origin.`,
+          file,
+          line,
+          fix: this.fixFor(language),
+          evidence: { ...det, language }
+        });
+      }
+    }
+    if (language === "java") {
+      const src = ctx.code ?? "";
+      if (src) {
+        const lines = src.split("\n");
+        for (let i2 = 0; i2 < lines.length; i2++) {
+          const line = i2 + 1;
+          const text = lines[i2] ?? "";
+          let det = null;
+          if (JAVA_CSRF_LAMBDA_DISABLE_RE.test(text)) {
+            det = { pattern: "csrf(c -> c.disable())", api: "HttpSecurity.csrf" };
+          } else if (JAVA_CSRF_METHODREF_RE.test(text)) {
+            det = { pattern: "csrf(::disable)", api: "HttpSecurity.csrf" };
+          } else if (JAVA_CSRF_NULL_REPO_RE.test(text)) {
+            det = { pattern: "csrfTokenRepository(null)", api: "HttpSecurity.csrfTokenRepository" };
+          } else if (JAVA_CSRF_DISABLE_RE.test(text)) {
+            det = { pattern: "csrf().disable()", api: "HttpSecurity.csrf" };
+          }
+          if (det && !findings.some((f) => f.line === line && f.pattern === det.pattern)) {
+            findings.push({ line, language, ...det });
+            ctx.addFinding({
+              id: `${this.name}-${file}-${line}-${det.pattern}`,
+              pass: this.name,
+              category: this.category,
+              rule_id: this.name,
+              cwe: "CWE-352",
+              severity: "critical",
+              level: "error",
+              message: `CSRF protection explicitly disabled via \`${det.pattern}\` (${det.api}). Any browser session can be silently used to perform state-changing requests from a malicious origin.`,
+              file,
+              line,
+              fix: this.fixFor(language),
+              evidence: { ...det, language }
+            });
+          }
+        }
+      }
+    }
+    if (language === "python") {
+      const src = ctx.code ?? "";
+      if (src) {
+        const lines = src.split("\n");
+        for (let i2 = 0; i2 < lines.length; i2++) {
+          const text = lines[i2] ?? "";
+          if (/^\s*@csrf_exempt\b/.test(text)) {
+            const line = i2 + 1;
+            const det = { pattern: "@csrf_exempt", api: "django.views.decorators.csrf" };
+            findings.push({ line, language, ...det });
+            ctx.addFinding({
+              id: `${this.name}-${file}-${line}-${det.pattern}`,
+              pass: this.name,
+              category: this.category,
+              rule_id: this.name,
+              cwe: "CWE-352",
+              severity: "critical",
+              level: "error",
+              message: "Django view is decorated with `@csrf_exempt`, bypassing the framework CSRF middleware for this endpoint. Any browser session can be silently used to invoke this handler from a malicious origin.",
+              file,
+              line,
+              fix: this.fixFor(language),
+              evidence: { ...det, language }
+            });
+          }
+        }
+      }
+    }
+    return { findings };
+  }
+  detectCall(call, language) {
+    const out2 = [];
+    if (language !== "java") return out2;
+    if (call.method_name === "disable") {
+      const recv = call.receiver ?? "";
+      if (/\bcsrf\s*\(\s*\)\s*$/.test(recv) || recv.endsWith(".csrf()")) {
+        out2.push({ pattern: "csrf().disable()", api: "HttpSecurity.csrf" });
+      }
+    }
+    if (call.method_name === "csrfTokenRepository") {
+      const arg = call.arguments.find((a) => a.position === 0);
+      const expr = (arg?.expression ?? arg?.literal ?? "").trim();
+      if (expr === "null") {
+        out2.push({
+          pattern: "csrfTokenRepository(null)",
+          api: "HttpSecurity.csrfTokenRepository"
+        });
+      }
+    }
+    return out2;
+  }
+  fixFor(language) {
+    if (language === "java") {
+      return 'Leave Spring Security CSRF protection enabled. If you need to exempt a specific endpoint (e.g. webhook), use `.csrf(c -> c.ignoringRequestMatchers("/webhook"))` rather than `.disable()`. For stateless APIs, prefer a per-request token over disabling CSRF entirely.';
+    }
+    if (language === "python") {
+      return "Remove `@csrf_exempt`. For stateless API endpoints, use Django REST Framework with a token / session auth backend that does not rely on cookies. For webhook receivers, verify a shared-secret signature instead of disabling CSRF.";
+    }
+    return "Re-enable framework CSRF protection or replace with origin / token validation.";
+  }
+};
+
+// src/analysis/passes/xml-entity-expansion-pass.ts
+var JAVA_FACTORIES = /* @__PURE__ */ new Set([
+  "SAXParserFactory",
+  "DocumentBuilderFactory",
+  "XMLInputFactory",
+  "SchemaFactory",
+  "TransformerFactory"
+]);
+var JAVA_SAFE_EVIDENCE_RE = /(disallow-doctype-decl|external-general-entities|external-parameter-entities|SUPPORT_DTD|ACCESS_EXTERNAL_DTD|ACCESS_EXTERNAL_SCHEMA|setXIncludeAware\s*\(\s*false\s*\)|setExpandEntityReferences\s*\(\s*false\s*\))/;
+var PY_LXML_PARSER_INSECURE_DEFAULT_RE = /\bresolve_entities\s*=\s*False\b/;
+var XmlEntityExpansionPass = class {
+  name = "xml-entity-expansion";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const code = ctx.code ?? "";
+    if (language === "java") {
+      const safeInFile = JAVA_SAFE_EVIDENCE_RE.test(code);
+      if (safeInFile) return { findings };
+      for (const call of graph.ir.calls) {
+        const det = this.detectJavaCall(call);
+        if (!det) continue;
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.api}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: det.cwe,
+          severity: "high",
+          level: "error",
+          message: `${det.api} created without disabling DTD / external-entity processing. Vulnerable to billion-laughs / quadratic blow-up DoS (CWE-776) and external-entity disclosure (CWE-611). Add \`setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)\` (or the equivalent) before parsing.`,
+          file,
+          line,
+          fix: this.fixForJava(det.api),
+          evidence: { ...det, language, safeFeatureInFile: false }
+        });
+      }
+      return { findings };
+    }
+    if (language === "python") {
+      const safeInFile = PY_LXML_PARSER_INSECURE_DEFAULT_RE.test(code) || /\bdefusedxml\b/.test(code);
+      if (safeInFile) return { findings };
+      for (const call of graph.ir.calls) {
+        const det = this.detectPythonCall(call);
+        if (!det) continue;
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.api}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: det.cwe,
+          severity: "high",
+          level: "error",
+          message: `${det.api} called without an entity-safe parser. Vulnerable to billion-laughs / quadratic blow-up DoS (CWE-776) and external-entity disclosure (CWE-611). Use \`defusedxml\` or pass an \`XMLParser(resolve_entities=False)\` to lxml.`,
+          file,
+          line,
+          fix: this.fixForPython(det.api),
+          evidence: { ...det, language, safeFeatureInFile: false }
+        });
+      }
+      return { findings };
+    }
+    return { findings };
+  }
+  detectJavaCall(call) {
+    if (call.method_name !== "newInstance") return null;
+    const recv = call.receiver ?? "";
+    const recvType = call.receiver_type ?? "";
+    for (const factory of JAVA_FACTORIES) {
+      if (recv === factory || recvType === factory || recv.endsWith("." + factory) || recvType.endsWith("." + factory)) {
+        return {
+          pattern: `${factory}.newInstance()`,
+          api: factory,
+          cwe: "CWE-776"
+        };
+      }
+    }
+    return null;
+  }
+  detectPythonCall(call) {
+    const recv = call.receiver ?? "";
+    const method = call.method_name;
+    if ((method === "parse" || method === "fromstring" || method === "XML") && (recv === "etree" || recv.endsWith(".etree"))) {
+      return {
+        pattern: `etree.${method}`,
+        api: `lxml.etree.${method}`,
+        cwe: "CWE-776"
+      };
+    }
+    if ((method === "parse" || method === "fromstring") && (recv === "ET" || recv === "ElementTree" || recv.endsWith(".ElementTree"))) {
+      return {
+        pattern: `ElementTree.${method}`,
+        api: `xml.etree.ElementTree.${method}`,
+        cwe: "CWE-776"
+      };
+    }
+    return null;
+  }
+  fixForJava(api) {
+    if (api === "SAXParserFactory") {
+      return 'Call `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` and `factory.setXIncludeAware(false)` before `newSAXParser()`.';
+    }
+    if (api === "DocumentBuilderFactory") {
+      return 'Call `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` and `factory.setExpandEntityReferences(false)` before `newDocumentBuilder()`.';
+    }
+    if (api === "XMLInputFactory") {
+      return "Call `factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)` and `factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)` before `createXMLStreamReader`.";
+    }
+    return "Use `XMLConstants.FEATURE_SECURE_PROCESSING` and explicitly disable DTD / external-entity loading on the factory before parsing.";
+  }
+  fixForPython(api) {
+    if (api.startsWith("lxml.etree")) {
+      return "Pass an explicit parser: `etree.parse(src, parser=etree.XMLParser(resolve_entities=False, no_network=True))`. Even better, use the `defusedxml.lxml` wrapper.";
+    }
+    return "Replace `xml.etree.ElementTree` with `defusedxml.ElementTree`, which disables DTD / entity processing by default.";
+  }
+};
+
+// src/analysis/passes/mass-assignment-pass.ts
+var PY_KWARGS_SPLAT_RE = /\*\*\s*(?:request|self\.request|flask\.request|ctx|self)\s*\.\s*(?:form|args|values|json|get_json\s*\(\s*\)|files|data)/;
+var JS_OBJECT_SPREAD_RE = /\{\s*\.\.\.\s*(?:req|request|ctx|context)(?:\.request)?\s*\.\s*(?:body|query|params|form)\b/;
+var MassAssignmentPass = class {
+  name = "mass-assignment";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const code = ctx.code ?? "";
+    if (!code) return { findings };
+    const lines = code.split("\n");
+    if (language === "python") {
+      for (let i2 = 0; i2 < lines.length; i2++) {
+        const text = lines[i2] ?? "";
+        const m = PY_KWARGS_SPLAT_RE.exec(text);
+        if (!m) continue;
+        const line = i2 + 1;
+        const det = {
+          pattern: "**request.<bag>",
+          match: m[0]
+        };
+        findings.push({
+          line,
+          language,
+          pattern: det.pattern,
+          snippet: text.trim().slice(0, 200)
+        });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-915",
+          severity: "high",
+          level: "error",
+          message: `HTTP request bag splatted into constructor / ORM helper via \`${det.match}\`. Every form field becomes a settable attribute on the domain object, including ones the endpoint did not intend to expose (e.g. \`is_admin\`, \`role\`, \`owner_id\`).`,
+          file,
+          line,
+          fix: "Replace the `**` splat with an explicit allow-list: `Model(name=request.form['name'], email=request.form['email'])`. For Django, use a `ModelForm` / serializer with `fields = [...]`.",
+          evidence: { pattern: det.pattern, match: det.match, language }
+        });
+      }
+      return { findings };
+    }
+    if (language === "javascript" || language === "typescript") {
+      for (let i2 = 0; i2 < lines.length; i2++) {
+        const text = lines[i2] ?? "";
+        const m = JS_OBJECT_SPREAD_RE.exec(text);
+        if (!m) continue;
+        const line = i2 + 1;
+        findings.push({
+          line,
+          language,
+          pattern: "{...req.<bag>}",
+          snippet: text.trim().slice(0, 200)
+        });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-915",
+          severity: "high",
+          level: "error",
+          message: `HTTP request bag spread into object literal via \`${m[0]}\`. Every body field becomes a settable property on the resulting object, including ones the endpoint did not intend to expose (e.g. \`isAdmin\`, \`role\`, \`ownerId\`).`,
+          file,
+          line,
+          fix: "Replace the spread with an explicit pick: `const { name, email } = req.body; const user = { name, email };`. For ORMs, use a DTO / Zod schema with `.pick(...)` or allow-list serializers.",
+          evidence: { pattern: "{...req.<bag>}", match: m[0], language }
+        });
+      }
+      return { findings };
+    }
+    return { findings };
+  }
+};
+
 // src/analysis/metrics/passes/size-metrics-pass.ts
 var SizeMetricsPass = class {
   name = "size-metrics";
@@ -28989,6 +29364,9 @@ async function analyze(code, filePath, language, options = {}) {
     if (!disabledPasses.has("weak-random")) pipeline.add(new WeakRandomPass());
     if (!disabledPasses.has("tls-verify-disabled")) pipeline.add(new TlsVerifyDisabledPass());
     if (!disabledPasses.has("jwt-verify-disabled")) pipeline.add(new JwtVerifyDisabledPass());
+    if (!disabledPasses.has("csrf-protection-disabled")) pipeline.add(new CsrfProtectionDisabledPass());
+    if (!disabledPasses.has("xml-entity-expansion")) pipeline.add(new XmlEntityExpansionPass());
+    if (!disabledPasses.has("mass-assignment")) pipeline.add(new MassAssignmentPass());
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");

package/dist/core/circle-ir-core.cjs

@@ -10559,9 +10559,16 @@ var DEFAULT_SINKS = [
   { method: "println", class: "ServletOutputStream", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   // XSS in error messages (CWE-81)
   { method: "sendError", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
-  // Response header injection (can lead to header XSS)
-  { method: "setHeader", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
-  { method: "addHeader", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
+  // Response header injection — re-categorised from `xss` to `crlf`
+  // (CWE-113) in Sprint 6 of #86. Header injection is HTTP response
+  // splitting / cache-poisoning / cookie forging; reflected XSS via header
+  // reflection remains a downstream concern of body-writing sinks.
+  { method: "setHeader", class: "HttpServletResponse", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1] },
+  { method: "addHeader", class: "HttpServletResponse", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1] },
+  // Note: `sendRedirect` is primarily classified as `ssrf` / open-redirect
+  // (CWE-601) further down — see entry near line 1195. CRLF via Location
+  // header is a secondary concern; keeping the canonical SSRF entry avoids
+  // double-emission that would mask the open-redirect chain.
   { method: "setContentType", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   // JSP output
   { method: "setAttribute", class: "PageContext", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
@@ -11530,7 +11537,33 @@ var DEFAULT_SINKS = [
   { method: "Sprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
   { method: "Printf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
   { method: "Errorf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
-  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] }
+  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] },
+  // CRLF / HTTP response splitting (CWE-113) — Sprint 6, #86.
+  // Node.js / Express response header / cookie sinks. The header *name* (arg 0)
+  // is also CRLF-sensitive but is almost always a string literal; we model
+  // arg 1 (the value) as the primary sink.
+  { method: "setHeader", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["javascript", "typescript"] },
+  { method: "writeHead", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [2], languages: ["javascript", "typescript"] },
+  // Express: res.cookie(name, value, options) — value is CRLF-sensitive.
+  { method: "cookie", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["javascript", "typescript"] },
+  // Express: res.location(url) and res.redirect(url) — Location header.
+  { method: "location", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "redirect", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Go net/http: w.Header().Set(k, v) / Add(k, v) — first arg is the value
+  // (Header is a map; the actual `value` is arg 1 of the call). We flag the
+  // value position so a tainted variable is detected.
+  { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  // Mass-assignment (CWE-915) — Sprint 6, #86.
+  // JS Object.assign(target, ...sources) — sources are arg 1..N, and if any
+  // source is request-tainted, every key gets written onto the target. We
+  // flag the source positions; the analyzer only needs one tainted to fire.
+  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  // Lodash bulk-merge helpers behave identically.
+  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  // jQuery $.extend(target, source) (legacy).
+  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] }
 ];
 var DEFAULT_SANITIZERS = [
   // SQL Injection - proper parameter binding sanitizes input
@@ -13186,7 +13219,9 @@ var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
   "code_injection",
   "mybatis_mapper_call",
   "redos",
-  "format_string"
+  "format_string",
+  "crlf",
+  "mass_assignment"
 ]);
 function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
   const sanitizersAtTarget = sanitizersByLine.get(toLine);

package/dist/core/circle-ir-core.js

@@ -10493,9 +10493,16 @@ var DEFAULT_SINKS = [
   { method: "println", class: "ServletOutputStream", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   // XSS in error messages (CWE-81)
   { method: "sendError", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
-  // Response header injection (can lead to header XSS)
-  { method: "setHeader", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
-  { method: "addHeader", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
+  // Response header injection — re-categorised from `xss` to `crlf`
+  // (CWE-113) in Sprint 6 of #86. Header injection is HTTP response
+  // splitting / cache-poisoning / cookie forging; reflected XSS via header
+  // reflection remains a downstream concern of body-writing sinks.
+  { method: "setHeader", class: "HttpServletResponse", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1] },
+  { method: "addHeader", class: "HttpServletResponse", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1] },
+  // Note: `sendRedirect` is primarily classified as `ssrf` / open-redirect
+  // (CWE-601) further down — see entry near line 1195. CRLF via Location
+  // header is a secondary concern; keeping the canonical SSRF entry avoids
+  // double-emission that would mask the open-redirect chain.
   { method: "setContentType", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   // JSP output
   { method: "setAttribute", class: "PageContext", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
@@ -11464,7 +11471,33 @@ var DEFAULT_SINKS = [
   { method: "Sprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
   { method: "Printf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
   { method: "Errorf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
-  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] }
+  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] },
+  // CRLF / HTTP response splitting (CWE-113) — Sprint 6, #86.
+  // Node.js / Express response header / cookie sinks. The header *name* (arg 0)
+  // is also CRLF-sensitive but is almost always a string literal; we model
+  // arg 1 (the value) as the primary sink.
+  { method: "setHeader", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["javascript", "typescript"] },
+  { method: "writeHead", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [2], languages: ["javascript", "typescript"] },
+  // Express: res.cookie(name, value, options) — value is CRLF-sensitive.
+  { method: "cookie", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["javascript", "typescript"] },
+  // Express: res.location(url) and res.redirect(url) — Location header.
+  { method: "location", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "redirect", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Go net/http: w.Header().Set(k, v) / Add(k, v) — first arg is the value
+  // (Header is a map; the actual `value` is arg 1 of the call). We flag the
+  // value position so a tainted variable is detected.
+  { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  // Mass-assignment (CWE-915) — Sprint 6, #86.
+  // JS Object.assign(target, ...sources) — sources are arg 1..N, and if any
+  // source is request-tainted, every key gets written onto the target. We
+  // flag the source positions; the analyzer only needs one tainted to fire.
+  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  // Lodash bulk-merge helpers behave identically.
+  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  // jQuery $.extend(target, source) (legacy).
+  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] }
 ];
 var DEFAULT_SANITIZERS = [
   // SQL Injection - proper parameter binding sanitizes input
@@ -13120,7 +13153,9 @@ var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
   "code_injection",
   "mybatis_mapper_call",
   "redos",
-  "format_string"
+  "format_string",
+  "crlf",
+  "mass_assignment"
 ]);
 function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
   const sanitizersAtTarget = sanitizersByLine.get(toLine);

package/dist/types/index.d.ts

@@ -158,7 +158,7 @@ export interface TaintFlowStep {
     type: 'source' | 'assignment' | 'use' | 'return' | 'field' | 'sink';
 }
 export type SourceType = "http_param" | "http_body" | "http_header" | "http_cookie" | "http_path" | "http_query" | "io_input" | "env_input" | "db_input" | "network_input" | "file_input" | "dom_input" | "config_param" | "interprocedural_param" | "plugin_param" | "constructor_field";
-export type SinkType = "sql_injection" | "nosql_injection" | "command_injection" | "path_traversal" | "xss" | "xxe" | "deserialization" | "ldap_injection" | "xpath_injection" | "ssrf" | "open_redirect" | "code_injection" | "log_injection" | "redos" | "format_string" | "mybatis_mapper_call" | "weak_random" | "weak_hash" | "weak_crypto" | "insecure_cookie" | "trust_boundary" | "external_taint_escape";
+export type SinkType = "sql_injection" | "nosql_injection" | "command_injection" | "path_traversal" | "xss" | "xxe" | "deserialization" | "ldap_injection" | "xpath_injection" | "ssrf" | "open_redirect" | "code_injection" | "log_injection" | "redos" | "format_string" | "crlf" | "mass_assignment" | "mybatis_mapper_call" | "weak_random" | "weak_hash" | "weak_crypto" | "insecure_cookie" | "trust_boundary" | "external_taint_escape";
 export type Severity = "critical" | "high" | "medium" | "low";
 export interface TaintSource {
     type: SourceType;