circle-ir 3.54.0 → 3.56.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/analysis/config-loader.d.ts.map +1 -1
- package/dist/analysis/config-loader.js +36 -3
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/findings.d.ts.map +1 -1
- package/dist/analysis/findings.js +11 -6
- package/dist/analysis/findings.js.map +1 -1
- package/dist/analysis/passes/csrf-protection-disabled-pass.d.ts +42 -0
- package/dist/analysis/passes/csrf-protection-disabled-pass.d.ts.map +1 -0
- package/dist/analysis/passes/csrf-protection-disabled-pass.js +185 -0
- package/dist/analysis/passes/csrf-protection-disabled-pass.js.map +1 -0
- package/dist/analysis/passes/mass-assignment-pass.d.ts +41 -0
- package/dist/analysis/passes/mass-assignment-pass.d.ts.map +1 -0
- package/dist/analysis/passes/mass-assignment-pass.js +124 -0
- package/dist/analysis/passes/mass-assignment-pass.js.map +1 -0
- package/dist/analysis/passes/weak-crypto-pass.d.ts +10 -0
- package/dist/analysis/passes/weak-crypto-pass.d.ts.map +1 -1
- package/dist/analysis/passes/weak-crypto-pass.js +263 -3
- package/dist/analysis/passes/weak-crypto-pass.js.map +1 -1
- package/dist/analysis/passes/xml-entity-expansion-pass.d.ts +58 -0
- package/dist/analysis/passes/xml-entity-expansion-pass.d.ts.map +1 -0
- package/dist/analysis/passes/xml-entity-expansion-pass.js +196 -0
- package/dist/analysis/passes/xml-entity-expansion-pass.js.map +1 -0
- package/dist/analysis/rules.d.ts.map +1 -1
- package/dist/analysis/rules.js +18 -0
- package/dist/analysis/rules.js.map +1 -1
- package/dist/analysis/taint-propagation.js +1 -1
- package/dist/analysis/taint-propagation.js.map +1 -1
- package/dist/analyzer.d.ts.map +1 -1
- package/dist/analyzer.js +9 -0
- package/dist/analyzer.js.map +1 -1
- package/dist/browser/circle-ir.js +533 -14
- package/dist/core/circle-ir-core.cjs +40 -5
- package/dist/core/circle-ir-core.js +40 -5
- package/dist/types/index.d.ts +1 -1
- package/dist/types/index.d.ts.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"findings.d.ts","sourceRoot":"","sources":["../../src/analysis/findings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EACT,GAAG,EAEH,OAAO,EAEP,QAAQ,EACT,MAAM,mBAAmB,CAAC;AAQ3B;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,WAAW,EAAE,EACtB,KAAK,EAAE,SAAS,EAAE,EAClB,GAAG,EAAE,GAAG,EACR,QAAQ,EAAE,MAAM,GACf,OAAO,EAAE,CAkGX;AAiCD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,
|
|
1
|
+
{"version":3,"file":"findings.d.ts","sourceRoot":"","sources":["../../src/analysis/findings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EACT,GAAG,EAEH,OAAO,EAEP,QAAQ,EACT,MAAM,mBAAmB,CAAC;AAQ3B;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,WAAW,EAAE,EACtB,KAAK,EAAE,SAAS,EAAE,EAClB,GAAG,EAAE,GAAG,EACR,QAAQ,EAAE,MAAM,GACf,OAAO,EAAE,CAkGX;AAiCD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CA4BlF"}
|
|
@@ -135,19 +135,24 @@ export function canSourceReachSink(sourceType, sinkType) {
|
|
|
135
135
|
// code_injection added to http_param/http_query/http_header/http_cookie:
|
|
136
136
|
// `eval(req.query.x)`, `Function(req.header('x'))`, `vm.runInThisContext(req.cookies.c)`
|
|
137
137
|
// are all real RCE patterns in JS web apps (cognium-dev #83).
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
138
|
+
// crlf added to http_param/http_query/http_header/http_cookie/http_body:
|
|
139
|
+
// setHeader/setCookie/redirect of any user-controlled string is CRLF / response
|
|
140
|
+
// splitting (CWE-113) — Sprint 6, issue #86.
|
|
141
|
+
// mass_assignment added to http_body / http_param: Object.assign(user, req.body),
|
|
142
|
+
// User(**request.form) — CWE-915.
|
|
143
|
+
http_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'xpath_injection', 'ldap_injection', 'ssrf', 'mybatis_mapper_call', 'code_injection', 'crlf', 'mass_assignment'],
|
|
144
|
+
http_body: ['sql_injection', 'command_injection', 'deserialization', 'xxe', 'xss', 'code_injection', 'mybatis_mapper_call', 'crlf', 'mass_assignment'],
|
|
145
|
+
http_header: ['sql_injection', 'xss', 'ssrf', 'mybatis_mapper_call', 'code_injection', 'crlf'],
|
|
146
|
+
http_cookie: ['sql_injection', 'xss', 'mybatis_mapper_call', 'code_injection', 'crlf'],
|
|
142
147
|
http_path: ['path_traversal', 'sql_injection', 'ssrf', 'mybatis_mapper_call'],
|
|
143
|
-
http_query: ['sql_injection', 'command_injection', 'xss', 'ssrf', 'mybatis_mapper_call', 'code_injection'],
|
|
148
|
+
http_query: ['sql_injection', 'command_injection', 'xss', 'ssrf', 'mybatis_mapper_call', 'code_injection', 'crlf', 'mass_assignment'],
|
|
144
149
|
io_input: ['command_injection', 'path_traversal', 'deserialization', 'xxe', 'code_injection', 'xss'],
|
|
145
150
|
env_input: ['command_injection', 'path_traversal'],
|
|
146
151
|
db_input: ['xss', 'sql_injection'], // Second-order injection
|
|
147
152
|
file_input: ['deserialization', 'xxe', 'path_traversal', 'command_injection', 'code_injection'],
|
|
148
153
|
network_input: ['sql_injection', 'command_injection', 'xss', 'ssrf'],
|
|
149
154
|
config_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'ssrf'], // Servlet init params
|
|
150
|
-
interprocedural_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'xpath_injection', 'ldap_injection', 'ssrf', 'code_injection', 'mybatis_mapper_call'], // Cross-method taint
|
|
155
|
+
interprocedural_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'xpath_injection', 'ldap_injection', 'ssrf', 'code_injection', 'mybatis_mapper_call', 'crlf', 'mass_assignment'], // Cross-method taint
|
|
151
156
|
plugin_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'code_injection'], // Plugin/config parameters
|
|
152
157
|
};
|
|
153
158
|
const validSinks = sourceToSinkMapping[sourceType];
|
|
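Review bot: The comment on new lines 141–142 says mass_assignment was added to http_body / http_param, but the same sink is also added to http_query (new line 148) and interprocedural_param (new line 155), so the comment under-reports the change; it should read `// mass_assignment added to http_body / http_param / http_query / interprocedural_param: Object.assign(user, req.body),`. The crlf sink is likewise left off http_path (new line 147) even though a route parameter that flows into a redirect or Location header is the same CWE-113 pattern the comment on lines 138–140 describes for the other HTTP sources; if that omission is deliberate, a one-line note beside http_path would record it rather than leaving it to look accidental. canSourceReachSink begins before this hunk (only its signature is visible in the hunk header) and ends after new line 158.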
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"findings.js","sourceRoot":"","sources":["../../src/analysis/findings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH,OAAO,EACL,iBAAiB,IAAI,YAAY,EACjC,cAAc,EACd,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AAEpB;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAsB,EACtB,KAAkB,EAClB,GAAQ,EACR,QAAgB;IAEhB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,iDAAiD;IACjD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,qDAAqD;YACrD,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,SAAS;YACX,CAAC;YAED,qCAAqC;YACrC,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAEpD,IAAI,UAAU,CAAC,UAAU,IAAI,wBAAwB,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC;gBACpE,MAAM,QAAQ,GAAG,YAAY,CAAC;oBAC5B,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,UAAU,EAAE,UAAU,CAAC,UAAU;iBAClC,CAAC,CAAC;gBACH,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;gBAEjE,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,OAAO,SAAS,EAAE,EAAE;oBACxB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,QAAQ;oBACR,UAAU;oBACV,MAAM,EAAE;wBACN,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,MAAM,CAAC,IAAI;wBACjB,IAAI,EAAE,MAAM,CAAC,QAAQ;qBACtB;oBACD,IAAI,EAAE;wBACJ,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,IAAI,CAAC,QAAQ;qBACpB;oBACD,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;oBAC9D,WAAW,EAAE,UAAU,CAAC,UAAU,IAAI,UAAU,GAAG,GAAG;oBACtD,WAAW,EAAE,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC;oBAC1D,WAAW,EAAE,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;oBACtC,YAAY,EAAE;wBACZ,iBAAiB,EAAE,UAAU,CAAC,UAAU;wBACxC,YAAY,EAAE,KAAK;wBACnB,cAAc,EAAE,CAAC;wBACjB,eAAe,EAAE,sBAAsB,CAAC,MAAM,EAAE,IAAI,CAAC;qBACtD;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,mDAAmD;IACnD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAmB,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QACvC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACl
C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,CAAC,CAAC,QAAQ,GAAG;gBACX,GAAG,CAAC,CAAC,QAAQ;gBACb,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;aACxD,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACtB,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,CAAE,QAAQ,CAAC,QAAQ,EAAE,OAAiD,IAAI,EAAE,CAAC,CAAC;YAC9F,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3D,QAAQ,CAAC,QAAQ,GAAG,EAAE,GAAG,QAAQ,CAAC,QAAQ,EAAE,OAAO,EAAE,CAAC;YACtD,MAAM,eAAe,GAAG,oBAAoB,CAC1C,QAAQ,CAAC,YAAY,CAAC,eAAe,EACrC,CAAC,CAAC,YAAY,CAAC,eAAe,CAC/B,CAAC;YACF,IAAI,CAAC,CAAC,UAAU,GAAG,QAAQ,CAAC,UAAU,EAAE,CAAC;gBACvC,QAAQ,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;gBACnC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;gBAC3B,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;gBACvB,QAAQ,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC;gBACrC,QAAQ,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY,CAAC;gBACvC,QAAQ,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC;gBACrC,QAAQ,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;YACjC,CAAC;YACD,QAAQ,CAAC,YAAY,CAAC,eAAe,GAAG,eAAe,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE7C,kCAAkC;IAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACpB,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAClE,MAAM,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC3E,IAAI,YAAY,KAAK,CAAC;YAAE,OAAO,YAAY,CAAC;QAC5C,OAAO,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,SAAS,sBAAsB,CAC7B,MAAmB,EACnB,IAAe;IAEf,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,IAAI,QAAQ,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,IAAI,QAAQ,CAAC;IAC7C,IAAI,GAAG,KAAK,GAAG;QAAE,OAAO,GAAG,CAAC;IAC5B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,SAAS,oBAAoB,CAC3B,CAAyC,EACzC,CAAyC;IAEzC,MAAM,IAAI,GAAG,CAAC,IAAI,QAAQ,CAAC;IAC3B,MAAM,KAAK,GAAG,CAAC,IAAI,QAAQ,CAAC;IAC5B,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC
;IAChC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAkB,EAAE,QAAkB;IACvE,MAAM,mBAAmB,GAA+B;QACtD,yEAAyE;QACzE,yFAAyF;QACzF,8DAA8D;QAC9D,UAAU,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,CAAC;QACjK,SAAS,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,CAAC;QAC3H,WAAW,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,CAAC;QACtF,WAAW,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,qBAAqB,EAAE,gBAAgB,CAAC;QAC9E,SAAS,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,MAAM,EAAE,qBAAqB,CAAC;QAC7E,UAAU,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,CAAC;QAC1G,QAAQ,EAAE,CAAC,mBAAmB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE,KAAK,CAAC;QACpG,SAAS,EAAE,CAAC,mBAAmB,EAAE,gBAAgB,CAAC;QAClD,QAAQ,EAAE,CAAC,KAAK,EAAE,eAAe,CAAC,EAAE,yBAAyB;QAC7D,UAAU,EAAE,CAAC,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,gBAAgB,CAAC;QAC/F,aAAa,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,CAAC;QACpE,YAAY,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,CAAC,EAAE,sBAAsB;QAC7G,qBAAqB,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,EAAE,gBAAgB,EAAE,qBAAqB,CAAC,EAAE,qBAAqB;QACnM,YAAY,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,gBAAgB,CAAC,EAAE,2BAA2B;KAC7H,CAAC;IAEF,MAAM,UAAU,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC;IACnD,OAAO,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAC5D,CAAC;AAQD;;GAEG;AACH,SAAS,aAAa,CAAC,MAAmB,EAAE,IAAe,EAAE,GAAQ;IACnE,MAAM,IAAI,GAAe,EAAE,CAAC;IAC5B,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,wCAAwC;IACxC,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACrC,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,CACvD,CAAC;IAEF,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACnC,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,CACnD,CAAC;IAEF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC
,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;IACxD,CAAC;IAED,8BAA8B;IAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;IAEhC,yDAAyD;IACzD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,qBAAqB,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;YAC9E,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpB,uBAAuB;gBACvB,KAAK,MAAM,KAAK,IAAI,IAAI,EAAE,CAAC;oBACzB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;oBAC/C,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,IAAI,CAAC;4BACR,IAAI,EAAE,EAAE,EAAE,2BAA2B;4BACrC,MAAM,EAAE,EAAE;4BACV,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,IAAI,EAAE,GAAG,GAAG,CAAC,QAAQ,QAAQ;4BAC7B,QAAQ,EAAE,GAAG,CAAC,QAAQ;yBACvB,CAAC,CAAC;wBACH,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;gBAED,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,6DAA6D;IAC7D,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;QAC5C,4BAA4B;QAC5B,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAExD,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpB,IAAI,CAAC,IAAI,CAAC;oBACR,IAAI,EAAE,EAAE;oBACR,MAAM,EAAE,EAAE;oBACV,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,IAAI,EAAE,GAAG,CAAC,aAAa;oBACvB,QAAQ,EAAE,CAAC;iBACZ,CAAC,CAAC;gBACH,IAAI,CAAC,IAAI,CAAC;oBACR,IAAI,EAAE,EAAE;oBACR,MAAM,EAAE,EAAE;oBACV,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,QAAQ,CAAC,GAAG;oBAClB,QAAQ,EAAE,CAAC;iBACZ,CAAC,CAAC;gBACH,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;AACxD,CAAC;AAED;;GAEG;
AACH,SAAS,qBAAqB,CAC5B,SAAiB,EACjB,OAAsB,EACtB,MAAkB,EAClB,GAAQ,EACR,UAAuB,IAAI,GAAG,EAAE,EAChC,OAAiB,EAAE;IAEnB,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IAChC,IAAI,SAAS,KAAK,OAAO;QAAE,OAAO,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC,CAAC;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC;QAAE,OAAO,EAAE,CAAC;IAEtC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACvB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAErB,uCAAuC;IACvC,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC;IAEpE,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;QAC7F,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,MAAmB,EAAE,IAAe;IACpE,8DAA8D;IAC9D,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;AACjD,CAAC;AAGD;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAmB,EAAE,IAAe,EAAE,UAAsB;IACvF,IAAI,UAAU,GAAG,GAAG,CAAC,CAAC,kBAAkB;IAExC,+BAA+B;IAC/B,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;IAED,0CAA0C;IAC1C,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;IAC7D,CAAC;IAED,6BAA6B;IAC7B,UAAU,GAAG,UAAU,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IAE9D,kBAAkB;IAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;QAClB,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;SAAM,IAAI,QAAQ,IAAI,EAAE,EAAE,CAAC;QAC1B,UAAU,IAAI,IAAI,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAmB,EAAE,IAAe,EAAE,UAAsB;IACvF,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE/C,IAAI,UAAU,CAAC,UAAU,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/C,OAAO,GAAG,UA
AU,6BAA6B,IAAI,QAAQ,QAAQ,+BAA+B,CAAC;IACvG,CAAC;IAED,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,OAAO,GAAG,UAAU,aAAa,QAAQ,+BAA+B,CAAC;IAC3E,CAAC;IAED,OAAO,GAAG,UAAU,cAAc,QAAQ,oCAAoC,CAAC;AACjF,CAAC"}
|
|
1
|
+
{"version":3,"file":"findings.js","sourceRoot":"","sources":["../../src/analysis/findings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH,OAAO,EACL,iBAAiB,IAAI,YAAY,EACjC,cAAc,EACd,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AAEpB;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAsB,EACtB,KAAkB,EAClB,GAAQ,EACR,QAAgB;IAEhB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,iDAAiD;IACjD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,qDAAqD;YACrD,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,SAAS;YACX,CAAC;YAED,qCAAqC;YACrC,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAEpD,IAAI,UAAU,CAAC,UAAU,IAAI,wBAAwB,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC;gBACpE,MAAM,QAAQ,GAAG,YAAY,CAAC;oBAC5B,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,UAAU,EAAE,UAAU,CAAC,UAAU;iBAClC,CAAC,CAAC;gBACH,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;gBAEjE,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,OAAO,SAAS,EAAE,EAAE;oBACxB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,QAAQ;oBACR,UAAU;oBACV,MAAM,EAAE;wBACN,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,MAAM,CAAC,IAAI;wBACjB,IAAI,EAAE,MAAM,CAAC,QAAQ;qBACtB;oBACD,IAAI,EAAE;wBACJ,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,IAAI,CAAC,QAAQ;qBACpB;oBACD,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;oBAC9D,WAAW,EAAE,UAAU,CAAC,UAAU,IAAI,UAAU,GAAG,GAAG;oBACtD,WAAW,EAAE,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC;oBAC1D,WAAW,EAAE,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;oBACtC,YAAY,EAAE;wBACZ,iBAAiB,EAAE,UAAU,CAAC,UAAU;wBACxC,YAAY,EAAE,KAAK;wBACnB,cAAc,EAAE,CAAC;wBACjB,eAAe,EAAE,sBAAsB,CAAC,MAAM,EAAE,IAAI,CAAC;qBACtD;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,mDAAmD;IACnD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAmB,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QACvC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACl
C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,CAAC,CAAC,QAAQ,GAAG;gBACX,GAAG,CAAC,CAAC,QAAQ;gBACb,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;aACxD,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACtB,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,CAAE,QAAQ,CAAC,QAAQ,EAAE,OAAiD,IAAI,EAAE,CAAC,CAAC;YAC9F,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3D,QAAQ,CAAC,QAAQ,GAAG,EAAE,GAAG,QAAQ,CAAC,QAAQ,EAAE,OAAO,EAAE,CAAC;YACtD,MAAM,eAAe,GAAG,oBAAoB,CAC1C,QAAQ,CAAC,YAAY,CAAC,eAAe,EACrC,CAAC,CAAC,YAAY,CAAC,eAAe,CAC/B,CAAC;YACF,IAAI,CAAC,CAAC,UAAU,GAAG,QAAQ,CAAC,UAAU,EAAE,CAAC;gBACvC,QAAQ,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;gBACnC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;gBAC3B,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;gBACvB,QAAQ,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC;gBACrC,QAAQ,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY,CAAC;gBACvC,QAAQ,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC;gBACrC,QAAQ,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;YACjC,CAAC;YACD,QAAQ,CAAC,YAAY,CAAC,eAAe,GAAG,eAAe,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE7C,kCAAkC;IAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACpB,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAClE,MAAM,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC3E,IAAI,YAAY,KAAK,CAAC;YAAE,OAAO,YAAY,CAAC;QAC5C,OAAO,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,SAAS,sBAAsB,CAC7B,MAAmB,EACnB,IAAe;IAEf,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,IAAI,QAAQ,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,IAAI,QAAQ,CAAC;IAC7C,IAAI,GAAG,KAAK,GAAG;QAAE,OAAO,GAAG,CAAC;IAC5B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,SAAS,oBAAoB,CAC3B,CAAyC,EACzC,CAAyC;IAEzC,MAAM,IAAI,GAAG,CAAC,IAAI,QAAQ,CAAC;IAC3B,MAAM,KAAK,GAAG,CAAC,IAAI,QAAQ,CAAC;IAC5B,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC
;IAChC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAkB,EAAE,QAAkB;IACvE,MAAM,mBAAmB,GAA+B;QACtD,yEAAyE;QACzE,yFAAyF;QACzF,8DAA8D;QAC9D,yEAAyE;QACzE,gFAAgF;QAChF,6CAA6C;QAC7C,kFAAkF;QAClF,kCAAkC;QAClC,UAAU,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,EAAE,iBAAiB,CAAC;QAC5L,SAAS,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,EAAE,iBAAiB,CAAC;QACtJ,WAAW,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,CAAC;QAC9F,WAAW,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,CAAC;QACtF,SAAS,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,MAAM,EAAE,qBAAqB,CAAC;QAC7E,UAAU,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,EAAE,iBAAiB,CAAC;QACrI,QAAQ,EAAE,CAAC,mBAAmB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE,KAAK,CAAC;QACpG,SAAS,EAAE,CAAC,mBAAmB,EAAE,gBAAgB,CAAC;QAClD,QAAQ,EAAE,CAAC,KAAK,EAAE,eAAe,CAAC,EAAE,yBAAyB;QAC7D,UAAU,EAAE,CAAC,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,gBAAgB,CAAC;QAC/F,aAAa,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,CAAC;QACpE,YAAY,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,CAAC,EAAE,sBAAsB;QAC7G,qBAAqB,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,EAAE,iBAAiB,CAAC,EAAE,qBAAqB;QAC9N,YAAY,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,gBAAgB,CAAC,EAAE,2BAA2B;KAC7H,CAAC;IAEF,MAAM,UAAU,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC;IACnD,OAAO,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAC5D,CAAC;AAQD;;GAEG;AACH,SAAS,aAAa,CAAC,MAAmB,EAAE,IAAe,EAAE,GAAQ;IACnE,MAAM,IAAI,GAAe,EAAE,CAAC;IAC5B,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,wCAAwC;IACxC,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACrC,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,CACvD,CAAC;IAEF,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,CAA
C,MAAM,CAAC,CAAC,CAAC,EAAE,CACnC,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,CACnD,CAAC;IAEF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;IACxD,CAAC;IAED,8BAA8B;IAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;IAEhC,yDAAyD;IACzD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,qBAAqB,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;YAC9E,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpB,uBAAuB;gBACvB,KAAK,MAAM,KAAK,IAAI,IAAI,EAAE,CAAC;oBACzB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;oBAC/C,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,IAAI,CAAC;4BACR,IAAI,EAAE,EAAE,EAAE,2BAA2B;4BACrC,MAAM,EAAE,EAAE;4BACV,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,IAAI,EAAE,GAAG,GAAG,CAAC,QAAQ,QAAQ;4BAC7B,QAAQ,EAAE,GAAG,CAAC,QAAQ;yBACvB,CAAC,CAAC;wBACH,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;gBAED,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,6DAA6D;IAC7D,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;QAC5C,4BAA4B;QAC5B,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAExD,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpB,IAAI,CAAC,IAAI,CAAC;oBACR,IAAI,EAAE,EAAE;oBACR,MAAM,EAAE,EAAE;oBACV,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,IAAI,EAAE,GAAG,CAAC,aAAa;oBACvB,QAAQ,EAAE,CAAC;iBACZ,CAAC,CAAC;gBACH,IAAI,CAAC,IAAI,CAAC;oBACR,IAAI,EAAE,EAAE;oBACR,MAAM,EAAE,EAAE;oBACV,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,QAAQ,CAAC,GAAG;oBAClB,QAAQ,EAAE,CAAC;iBACZ,CAAC,CAAC;gBACH,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,OAAO,EAAE,UAAU,
EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAC5B,SAAiB,EACjB,OAAsB,EACtB,MAAkB,EAClB,GAAQ,EACR,UAAuB,IAAI,GAAG,EAAE,EAChC,OAAiB,EAAE;IAEnB,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IAChC,IAAI,SAAS,KAAK,OAAO;QAAE,OAAO,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC,CAAC;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC;QAAE,OAAO,EAAE,CAAC;IAEtC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACvB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAErB,uCAAuC;IACvC,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC;IAEpE,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;QAC7F,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,MAAmB,EAAE,IAAe;IACpE,8DAA8D;IAC9D,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;AACjD,CAAC;AAGD;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAmB,EAAE,IAAe,EAAE,UAAsB;IACvF,IAAI,UAAU,GAAG,GAAG,CAAC,CAAC,kBAAkB;IAExC,+BAA+B;IAC/B,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;IAED,0CAA0C;IAC1C,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;IAC7D,CAAC;IAED,6BAA6B;IAC7B,UAAU,GAAG,UAAU,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IAE9D,kBAAkB;IAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;QAClB,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;SAAM,IAAI,QAAQ,IAAI,EAAE,EAAE,CAAC;QAC1B,UAAU,IAAI,IAAI,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAmB,EAAE,IAAe,EAAE,UAAsB;IACvF,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,IAAI,CAAC,IA
AI,CAAC,CAAC;IAE/C,IAAI,UAAU,CAAC,UAAU,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/C,OAAO,GAAG,UAAU,6BAA6B,IAAI,QAAQ,QAAQ,+BAA+B,CAAC;IACvG,CAAC;IAED,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,OAAO,GAAG,UAAU,aAAa,QAAQ,+BAA+B,CAAC;IAC3E,CAAC;IAED,OAAO,GAAG,UAAU,cAAc,QAAQ,oCAAoC,CAAC;AACjF,CAAC"}
|
|
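--- a/package/dist/analysis/passes/csrf-protection-disabled-pass.d.ts
+++ b/package/dist/analysis/passes/csrf-protection-disabled-pass.d.ts
@@ -0,0 +1,42 @@
+/**
+* Pass: csrf-protection-disabled (CWE-352, category: security)
+*
+* Pattern pass — flags places where cross-site request forgery (CSRF)
+* protection is *explicitly disabled*. We do not attempt to detect the
+* absence of CSRF protection (false-positive prone across framework
+* idioms); instead we look for the documented "turn it off" calls.
+*
+* Detection per language:
+* Java (Spring Security):
+* - `http.csrf().disable()`
+* - `http.csrf(csrf -> csrf.disable())` — DSL form
+* - `http.csrf(AbstractHttpConfigurer::disable)` — method-ref form
+* - `.csrfTokenRepository(null)` — neuters the repo
+* Python (Django):
+* - `@csrf_exempt` decorator on a view
+* - `MIDDLEWARE = [...]` with `django.middleware.csrf.CsrfViewMiddleware`
+* removed — we do NOT detect this (config-file analysis).
+* JavaScript (Express):
+* - We do NOT detect "csurf missing" — that's an absence check that
+* fires on every non-Express handler.
+*
+* Severity: critical (CWE-352 is direct privilege escalation).
+* Issue: #86, Sprint 6.
+*/
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface CsrfProtectionDisabledResult {
+findings: Array<{
+line: number;
+language: string;
+pattern: string;
+api: string;
+}>;
+}
+export declare class CsrfProtectionDisabledPass implements AnalysisPass<CsrfProtectionDisabledResult> {
+readonly name = "csrf-protection-disabled";
+readonly category: "security";
+run(ctx: PassContext): CsrfProtectionDisabledResult;
+private detectCall;
+private fixFor;
+}
+//# sourceMappingURL=csrf-protection-disabled-pass.d.ts.map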
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"csrf-protection-disabled-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/csrf-protection-disabled-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAkB9E,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAED,qBAAa,0BACX,YAAW,YAAY,CAAC,4BAA4B,CAAC;IAErD,QAAQ,CAAC,IAAI,8BAA8B;IAC3C,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,4BAA4B;IAgHnD,OAAO,CAAC,UAAU;IA2BlB,OAAO,CAAC,MAAM;CAoBf"}
|
|
@@ -0,0 +1,185 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Pass: csrf-protection-disabled (CWE-352, category: security)
|
|
3
|
+
*
|
|
4
|
+
* Pattern pass — flags places where cross-site request forgery (CSRF)
|
|
5
|
+
* protection is *explicitly disabled*. We do not attempt to detect the
|
|
6
|
+
* absence of CSRF protection (false-positive prone across framework
|
|
7
|
+
* idioms); instead we look for the documented "turn it off" calls.
|
|
8
|
+
*
|
|
9
|
+
* Detection per language:
|
|
10
|
+
* Java (Spring Security):
|
|
11
|
+
* - `http.csrf().disable()`
|
|
12
|
+
* - `http.csrf(csrf -> csrf.disable())` — DSL form
|
|
13
|
+
* - `http.csrf(AbstractHttpConfigurer::disable)` — method-ref form
|
|
14
|
+
* - `.csrfTokenRepository(null)` — neuters the repo
|
|
15
|
+
* Python (Django):
|
|
16
|
+
* - `@csrf_exempt` decorator on a view
|
|
17
|
+
* - `MIDDLEWARE = [...]` with `django.middleware.csrf.CsrfViewMiddleware`
|
|
18
|
+
* removed — we do NOT detect this (config-file analysis).
|
|
19
|
+
* JavaScript (Express):
|
|
20
|
+
* - We do NOT detect "csurf missing" — that's an absence check that
|
|
21
|
+
* fires on every non-Express handler.
|
|
22
|
+
*
|
|
23
|
+
* Severity: critical (CWE-352 is direct privilege escalation).
|
|
24
|
+
* Issue: #86, Sprint 6.
|
|
25
|
+
*/
|
|
26
|
+
// Match `.csrf().disable()` or `.csrf(<lambda>).disable(...)`.
|
|
27
|
+
const JAVA_CSRF_DISABLE_RE = /\.csrf\s*\([^)]*\)\s*\.\s*disable\b/;
|
|
28
|
+
// `csrf(csrf -> csrf.disable())` or `csrf(c -> c.disable())`.
|
|
29
|
+
const JAVA_CSRF_LAMBDA_DISABLE_RE = /\bcsrf\s*\(\s*\w+\s*->\s*\w+\s*\.\s*disable\s*\(/;
|
|
30
|
+
// Method-reference form: `csrf(AbstractHttpConfigurer::disable)`.
|
|
31
|
+
const JAVA_CSRF_METHODREF_RE = /\bcsrf\s*\(\s*[\w.]+::disable\s*\)/;
|
|
32
|
+
// `.csrfTokenRepository(null)`.
|
|
33
|
+
const JAVA_CSRF_NULL_REPO_RE = /\.csrfTokenRepository\s*\(\s*null\s*\)/;
|
|
34
|
+
export class CsrfProtectionDisabledPass {
|
|
35
|
+
name = 'csrf-protection-disabled';
|
|
36
|
+
category = 'security';
|
|
37
|
+
run(ctx) {
|
|
38
|
+
const { graph, language } = ctx;
|
|
39
|
+
const file = graph.ir.meta.file;
|
|
40
|
+
const findings = [];
|
|
41
|
+
// 1. Call-based detection.
|
|
42
|
+
for (const call of graph.ir.calls) {
|
|
43
|
+
const detections = this.detectCall(call, language);
|
|
44
|
+
for (const det of detections) {
|
|
45
|
+
const line = call.location.line;
|
|
46
|
+
findings.push({ line, language, ...det });
|
|
47
|
+
ctx.addFinding({
|
|
48
|
+
id: `${this.name}-${file}-${line}-${det.pattern}`,
|
|
49
|
+
pass: this.name,
|
|
50
|
+
category: this.category,
|
|
51
|
+
rule_id: this.name,
|
|
52
|
+
cwe: 'CWE-352',
|
|
53
|
+
severity: 'critical',
|
|
54
|
+
level: 'error',
|
|
55
|
+
message: `CSRF protection explicitly disabled via \`${det.pattern}\` ` +
|
|
56
|
+
`(${det.api}). Any browser session can be silently used to ` +
|
|
57
|
+
'perform state-changing requests from a malicious origin.',
|
|
58
|
+
file,
|
|
59
|
+
line,
|
|
60
|
+
fix: this.fixFor(language),
|
|
61
|
+
evidence: { ...det, language },
|
|
62
|
+
});
|
|
63
|
+
}
|
|
64
|
+
}
|
|
65
|
+
// 2. Source-text detection for Java DSL chains that are emitted as a
|
|
66
|
+
// single call expression (the `disable()` arrives as a method on a
|
|
67
|
+
// chained receiver and not always as a discoverable separate CallInfo).
|
|
68
|
+
if (language === 'java') {
|
|
69
|
+
const src = ctx.code ?? '';
|
|
70
|
+
if (src) {
|
|
71
|
+
const lines = src.split('\n');
|
|
72
|
+
for (let i = 0; i < lines.length; i++) {
|
|
73
|
+
const line = i + 1;
|
|
74
|
+
const text = lines[i] ?? '';
|
|
75
|
+
let det = null;
|
|
76
|
+
if (JAVA_CSRF_LAMBDA_DISABLE_RE.test(text)) {
|
|
77
|
+
det = { pattern: 'csrf(c -> c.disable())', api: 'HttpSecurity.csrf' };
|
|
78
|
+
}
|
|
79
|
+
else if (JAVA_CSRF_METHODREF_RE.test(text)) {
|
|
80
|
+
det = { pattern: 'csrf(::disable)', api: 'HttpSecurity.csrf' };
|
|
81
|
+
}
|
|
82
|
+
else if (JAVA_CSRF_NULL_REPO_RE.test(text)) {
|
|
83
|
+
det = { pattern: 'csrfTokenRepository(null)', api: 'HttpSecurity.csrfTokenRepository' };
|
|
84
|
+
}
|
|
85
|
+
else if (JAVA_CSRF_DISABLE_RE.test(text)) {
|
|
86
|
+
det = { pattern: 'csrf().disable()', api: 'HttpSecurity.csrf' };
|
|
87
|
+
}
|
|
88
|
+
if (det && !findings.some((f) => f.line === line && f.pattern === det.pattern)) {
|
|
89
|
+
findings.push({ line, language, ...det });
|
|
90
|
+
ctx.addFinding({
|
|
91
|
+
id: `${this.name}-${file}-${line}-${det.pattern}`,
|
|
92
|
+
pass: this.name,
|
|
93
|
+
category: this.category,
|
|
94
|
+
rule_id: this.name,
|
|
95
|
+
cwe: 'CWE-352',
|
|
96
|
+
severity: 'critical',
|
|
97
|
+
level: 'error',
|
|
98
|
+
message: `CSRF protection explicitly disabled via \`${det.pattern}\` ` +
|
|
99
|
+
`(${det.api}). Any browser session can be silently used to ` +
|
|
100
|
+
'perform state-changing requests from a malicious origin.',
|
|
101
|
+
file,
|
|
102
|
+
line,
|
|
103
|
+
fix: this.fixFor(language),
|
|
104
|
+
evidence: { ...det, language },
|
|
105
|
+
});
|
|
106
|
+
}
|
|
107
|
+
}
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
// 3. Python `@csrf_exempt` decorator — present on annotations / types.
|
|
111
|
+
if (language === 'python') {
|
|
112
|
+
const src = ctx.code ?? '';
|
|
113
|
+
if (src) {
|
|
114
|
+
const lines = src.split('\n');
|
|
115
|
+
for (let i = 0; i < lines.length; i++) {
|
|
116
|
+
const text = lines[i] ?? '';
|
|
117
|
+
if (/^\s*@csrf_exempt\b/.test(text)) {
|
|
118
|
+
const line = i + 1;
|
|
119
|
+
const det = { pattern: '@csrf_exempt', api: 'django.views.decorators.csrf' };
|
|
120
|
+
findings.push({ line, language, ...det });
|
|
121
|
+
ctx.addFinding({
|
|
122
|
+
id: `${this.name}-${file}-${line}-${det.pattern}`,
|
|
123
|
+
pass: this.name,
|
|
124
|
+
category: this.category,
|
|
125
|
+
rule_id: this.name,
|
|
126
|
+
cwe: 'CWE-352',
|
|
127
|
+
severity: 'critical',
|
|
128
|
+
level: 'error',
|
|
129
|
+
message: 'Django view is decorated with `@csrf_exempt`, bypassing the ' +
|
|
130
|
+
'framework CSRF middleware for this endpoint. Any browser ' +
|
|
131
|
+
'session can be silently used to invoke this handler from ' +
|
|
132
|
+
'a malicious origin.',
|
|
133
|
+
file,
|
|
134
|
+
line,
|
|
135
|
+
fix: this.fixFor(language),
|
|
136
|
+
evidence: { ...det, language },
|
|
137
|
+
});
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
}
|
|
141
|
+
}
|
|
142
|
+
return { findings };
|
|
143
|
+
}
|
|
144
|
+
detectCall(call, language) {
|
|
145
|
+
const out = [];
|
|
146
|
+
if (language !== 'java')
|
|
147
|
+
return out;
|
|
148
|
+
// Plain `csrf().disable()` chain — the IR may split this into two calls
|
|
149
|
+
// (the outer .disable() with receiver "csrf()" or chained receiver).
|
|
150
|
+
if (call.method_name === 'disable') {
|
|
151
|
+
const recv = call.receiver ?? '';
|
|
152
|
+
if (/\bcsrf\s*\(\s*\)\s*$/.test(recv) || recv.endsWith('.csrf()')) {
|
|
153
|
+
out.push({ pattern: 'csrf().disable()', api: 'HttpSecurity.csrf' });
|
|
154
|
+
}
|
|
155
|
+
}
|
|
156
|
+
if (call.method_name === 'csrfTokenRepository') {
|
|
157
|
+
const arg = call.arguments.find((a) => a.position === 0);
|
|
158
|
+
const expr = (arg?.expression ?? arg?.literal ?? '').trim();
|
|
159
|
+
if (expr === 'null') {
|
|
160
|
+
out.push({
|
|
161
|
+
pattern: 'csrfTokenRepository(null)',
|
|
162
|
+
api: 'HttpSecurity.csrfTokenRepository',
|
|
163
|
+
});
|
|
164
|
+
}
|
|
165
|
+
}
|
|
166
|
+
return out;
|
|
167
|
+
}
|
|
168
|
+
fixFor(language) {
|
|
169
|
+
if (language === 'java') {
|
|
170
|
+
return ('Leave Spring Security CSRF protection enabled. If you need to ' +
|
|
171
|
+
'exempt a specific endpoint (e.g. webhook), use ' +
|
|
172
|
+
'`.csrf(c -> c.ignoringRequestMatchers("/webhook"))` rather than ' +
|
|
173
|
+
'`.disable()`. For stateless APIs, prefer a per-request token over ' +
|
|
174
|
+
'disabling CSRF entirely.');
|
|
175
|
+
}
|
|
176
|
+
if (language === 'python') {
|
|
177
|
+
return ('Remove `@csrf_exempt`. For stateless API endpoints, use Django REST ' +
|
|
178
|
+
'Framework with a token / session auth backend that does not rely on ' +
|
|
179
|
+
'cookies. For webhook receivers, verify a shared-secret signature ' +
|
|
180
|
+
'instead of disabling CSRF.');
|
|
181
|
+
}
|
|
182
|
+
return 'Re-enable framework CSRF protection or replace with origin / token validation.';
|
|
183
|
+
}
|
|
184
|
+
}
|
|
185
|
+
//# sourceMappingURL=csrf-protection-disabled-pass.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"csrf-protection-disabled-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/csrf-protection-disabled-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAKH,+DAA+D;AAC/D,MAAM,oBAAoB,GAAG,qCAAqC,CAAC;AACnE,8DAA8D;AAC9D,MAAM,2BAA2B,GAC/B,kDAAkD,CAAC;AACrD,kEAAkE;AAClE,MAAM,sBAAsB,GAAG,oCAAoC,CAAC;AACpE,gCAAgC;AAChC,MAAM,sBAAsB,GAAG,wCAAwC,CAAC;AAgBxE,MAAM,OAAO,0BAA0B;IAG5B,IAAI,GAAG,0BAA0B,CAAC;IAClC,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAA6C,EAAE,CAAC;QAE9D,2BAA2B;QAC3B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YACnD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;gBAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;gBAC1C,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE;oBACjD,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,6CAA6C,GAAG,CAAC,OAAO,KAAK;wBAC7D,IAAI,GAAG,CAAC,GAAG,iDAAiD;wBAC5D,0DAA0D;oBAC5D,IAAI;oBACJ,IAAI;oBACJ,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;oBAC1B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,qEAAqE;QACrE,mEAAmE;QACnE,wEAAwE;QACxE,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;YAC3B,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACtC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;oBACnB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC5B,IAAI,GAAG,GAAqB,IAAI,CAAC;oBACjC,IAAI,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC3C,GAAG,GAAG,EAAE,OAAO,EAAE,wBAAwB,EAAE,GAAG,EAAE,mBA
AmB,EAAE,CAAC;oBACxE,CAAC;yBAAM,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC7C,GAAG,GAAG,EAAE,OAAO,EAAE,iBAAiB,EAAE,GAAG,EAAE,mBAAmB,EAAE,CAAC;oBACjE,CAAC;yBAAM,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC7C,GAAG,GAAG,EAAE,OAAO,EAAE,2BAA2B,EAAE,GAAG,EAAE,kCAAkC,EAAE,CAAC;oBAC1F,CAAC;yBAAM,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC3C,GAAG,GAAG,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAE,mBAAmB,EAAE,CAAC;oBAClE,CAAC;oBACD,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,GAAI,CAAC,OAAO,CAAC,EAAE,CAAC;wBAChF,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;wBAC1C,GAAG,CAAC,UAAU,CAAC;4BACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE;4BACjD,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,OAAO,EAAE,IAAI,CAAC,IAAI;4BAClB,GAAG,EAAE,SAAS;4BACd,QAAQ,EAAE,UAAU;4BACpB,KAAK,EAAE,OAAO;4BACd,OAAO,EACL,6CAA6C,GAAG,CAAC,OAAO,KAAK;gCAC7D,IAAI,GAAG,CAAC,GAAG,iDAAiD;gCAC5D,0DAA0D;4BAC5D,IAAI;4BACJ,IAAI;4BACJ,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;4BAC1B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;yBAC/B,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,uEAAuE;QACvE,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;YAC3B,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC5B,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACpC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;wBACnB,MAAM,GAAG,GAAc,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,EAAE,8BAA8B,EAAE,CAAC;wBACxF,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;wBAC1C,GAAG,CAAC,UAAU,CAAC;4BACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE;4BACjD,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,OAAO,EAAE,IAAI,CAAC,IAAI;4BAClB,GAAG,EAAE,SAAS;4BACd,Q
AAQ,EAAE,UAAU;4BACpB,KAAK,EAAE,OAAO;4BACd,OAAO,EACL,8DAA8D;gCAC9D,2DAA2D;gCAC3D,2DAA2D;gCAC3D,qBAAqB;4BACvB,IAAI;4BACJ,IAAI;4BACJ,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;4BAC1B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;yBAC/B,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,UAAU,CAAC,IAAc,EAAE,QAAgB;QACjD,MAAM,GAAG,GAAgB,EAAE,CAAC;QAC5B,IAAI,QAAQ,KAAK,MAAM;YAAE,OAAO,GAAG,CAAC;QAEpC,wEAAwE;QACxE,qEAAqE;QACrE,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;YACjC,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBAClE,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAE,mBAAmB,EAAE,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,WAAW,KAAK,qBAAqB,EAAE,CAAC;YAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;YACzD,MAAM,IAAI,GAAG,CAAC,GAAG,EAAE,UAAU,IAAI,GAAG,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5D,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;gBACpB,GAAG,CAAC,IAAI,CAAC;oBACP,OAAO,EAAE,2BAA2B;oBACpC,GAAG,EAAE,kCAAkC;iBACxC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAEO,MAAM,CAAC,QAAgB;QAC7B,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,OAAO,CACL,gEAAgE;gBAChE,iDAAiD;gBACjD,kEAAkE;gBAClE,oEAAoE;gBACpE,0BAA0B,CAC3B,CAAC;QACJ,CAAC;QACD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,OAAO,CACL,sEAAsE;gBACtE,sEAAsE;gBACtE,mEAAmE;gBACnE,4BAA4B,CAC7B,CAAC;QACJ,CAAC;QACD,OAAO,gFAAgF,CAAC;IAC1F,CAAC;CACF"}
|
|
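--- /dev/null
+++ b/package/dist/analysis/passes/mass-assignment-pass.d.ts
@@ -0,0 +1,41 @@
+/**
+* Pass: mass-assignment (CWE-915, category: security)
+*
+* Pattern pass — flags code paths that splat an HTTP request bag (form /
+* body / query / json) directly into a domain-object constructor or update
+* helper without an allow-list. This complements the taint-based
+* `mass_assignment` SinkType which catches `Object.assign(user, req.body)`
+* via the regular sink matcher; this pass catches the *syntactic spread /
+* kwargs* forms that aren't a discrete call argument.
+*
+* Detection per language:
+* Python:
+* - `Model(**request.form)`
+* - `Model(**request.json)` / `**request.get_json()`
+* - `Model(**request.args)` / `**request.values`
+* - `Model.objects.create(**request.X)` (Django ORM)
+* - `Model.objects.update(**request.X)`
+* JavaScript / TypeScript:
+* - `{ ...req.body }`, `{ ...req.query }`, `{ ...req.params }`
+* - `{ ...request.body }`, `{ ...ctx.request.body }` (Koa)
+* - `await Model.create({ ...req.body })`
+* - `await user.update({ ...req.body })`
+*
+* Severity: high (direct privilege escalation vector).
+* Issue: #86, Sprint 6.
+*/
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface MassAssignmentResult {
+findings: Array<{
+line: number;
+language: string;
+pattern: string;
+snippet: string;
+}>;
+}
+export declare class MassAssignmentPass implements AnalysisPass<MassAssignmentResult> {
+readonly name = "mass-assignment";
+readonly category: "security";
+run(ctx: PassContext): MassAssignmentResult;
+}
+//# sourceMappingURL=mass-assignment-pass.d.ts.map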
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"mass-assignment-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/mass-assignment-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAuB9E,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;CACJ;AAED,qBAAa,kBACX,YAAW,YAAY,CAAC,oBAAoB,CAAC;IAE7C,QAAQ,CAAC,IAAI,qBAAqB;IAClC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,oBAAoB;CA0F5C"}
|
|
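--- /dev/null
+++ b/package/dist/analysis/passes/mass-assignment-pass.js
@@ -0,0 +1,124 @@
+/**
+* Pass: mass-assignment (CWE-915, category: security)
+*
+* Pattern pass — flags code paths that splat an HTTP request bag (form /
+* body / query / json) directly into a domain-object constructor or update
+* helper without an allow-list. This complements the taint-based
+* `mass_assignment` SinkType which catches `Object.assign(user, req.body)`
+* via the regular sink matcher; this pass catches the *syntactic spread /
+* kwargs* forms that aren't a discrete call argument.
+*
+* Detection per language:
+* Python:
+* - `Model(**request.form)`
+* - `Model(**request.json)` / `**request.get_json()`
+* - `Model(**request.args)` / `**request.values`
+* - `Model.objects.create(**request.X)` (Django ORM)
+* - `Model.objects.update(**request.X)`
+* JavaScript / TypeScript:
+* - `{ ...req.body }`, `{ ...req.query }`, `{ ...req.params }`
+* - `{ ...request.body }`, `{ ...ctx.request.body }` (Koa)
+* - `await Model.create({ ...req.body })`
+* - `await user.update({ ...req.body })`
+*
+* Severity: high (direct privilege escalation vector).
+* Issue: #86, Sprint 6.
+*/
+// Python: `**<httpSource>` where httpSource is one of the known
+// request bags. We intentionally allow trailing dots / call-syntax
+// (`request.get_json()`).
+const PY_KWARGS_SPLAT_RE = /\*\*\s*(?:request|self\.request|flask\.request|ctx|self)\s*\.\s*(?:form|args|values|json|get_json\s*\(\s*\)|files|data)/;
+// JS object-spread of an HTTP source. We match `{...<source>}` where the
+// source begins with `req|request|ctx|context` and continues into `body`,
+// `query`, `params`, `request.body`, etc.
+const JS_OBJECT_SPREAD_RE = /\{\s*\.\.\.\s*(?:req|request|ctx|context)(?:\.request)?\s*\.\s*(?:body|query|params|form)\b/;
+export class MassAssignmentPass {
+name = 'mass-assignment';
+category = 'security';
+run(ctx) {
+const { graph, language } = ctx;
+const file = graph.ir.meta.file;
+const findings = [];
+const code = ctx.code ?? '';
+if (!code)
+return { findings };
+const lines = code.split('\n');
+if (language === 'python') {
+for (let i = 0; i < lines.length; i++) {
+const text = lines[i] ?? '';
+const m = PY_KWARGS_SPLAT_RE.exec(text);
+if (!m)
+continue;
+const line = i + 1;
+const det = {
+pattern: '**request.<bag>',
+match: m[0],
+};
+findings.push({
+line,
+language,
+pattern: det.pattern,
+snippet: text.trim().slice(0, 200),
+});
+ctx.addFinding({
+id: `${this.name}-${file}-${line}`,
+pass: this.name,
+category: this.category,
+rule_id: this.name,
+cwe: 'CWE-915',
+severity: 'high',
+level: 'error',
+message: `HTTP request bag splatted into constructor / ORM helper via ` +
+`\`${det.match}\`. Every form field becomes a settable attribute ` +
+'on the domain object, including ones the endpoint did not ' +
+'intend to expose (e.g. `is_admin`, `role`, `owner_id`).',
+file,
+line,
+fix: 'Replace the `**` splat with an explicit allow-list: ' +
+"`Model(name=request.form['name'], email=request.form['email'])`. " +
+'For Django, use a `ModelForm` / serializer with `fields = [...]`.',
+evidence: { pattern: det.pattern, match: det.match, language },
+});
+}
+return { findings };
+}
+if (language === 'javascript' || language === 'typescript') {
+for (let i = 0; i < lines.length; i++) {
+const text = lines[i] ?? '';
+const m = JS_OBJECT_SPREAD_RE.exec(text);
+if (!m)
+continue;
+const line = i + 1;
+findings.push({
+line,
+language,
+pattern: '{...req.<bag>}',
+snippet: text.trim().slice(0, 200),
+});
+ctx.addFinding({
+id: `${this.name}-${file}-${line}`,
+pass: this.name,
+category: this.category,
+rule_id: this.name,
+cwe: 'CWE-915',
+severity: 'high',
+level: 'error',
+message: `HTTP request bag spread into object literal via \`${m[0]}\`. ` +
+'Every body field becomes a settable property on the resulting ' +
+'object, including ones the endpoint did not intend to expose ' +
+'(e.g. `isAdmin`, `role`, `ownerId`).',
+file,
+line,
+fix: 'Replace the spread with an explicit pick: ' +
+'`const { name, email } = req.body; const user = { name, email };`. ' +
+'For ORMs, use a DTO / Zod schema with `.pick(...)` or ' +
+'allow-list serializers.',
+evidence: { pattern: '{...req.<bag>}', match: m[0], language },
+});
+}
+return { findings };
+}
+return { findings };
+}
+}
+//# sourceMappingURL=mass-assignment-pass.js.map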
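Review bot: PY_KWARGS_SPLAT_RE (line 30 of the new file) has no entry for Django's request bags, so the `Model.objects.create(**request.X)` case promised in the header is missed for `**request.POST` / `**request.GET`; extend the bag alternation to `(?:form|args|values|json|get_json\s*\(\s*\)|files|data|POST|GET)`. The bare `self` and `ctx` prefixes in the same regex also make `**self.data`, `**self.args` and `**ctx.data` in any ordinary class produce a `severity: 'high'` / `level: 'error'` finding, which looks like a noisy false positive — consider keeping only `self\.request` (and `ctx\.request`) or excluding `args|data` after a bare prefix. JS_OBJECT_SPREAD_RE requires the spread to be the first member of the literal (`\{\s*\.\.\.`), so `{ id, ...req.body }` and `{ ...defaults, ...req.body }` are not detected even though they carry the same risk; anchoring on `[{,]\s*\.\.\.\s*` instead closes that gap. Both scans run over every source line, including comments and string literals, so a commented-out spread yields the same error-level finding; that limitation is worth stating in the header comment, e.g. `// NOTE: line-regex scan — also matches inside comments/strings.`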
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"mass-assignment-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/mass-assignment-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAIH,gEAAgE;AAChE,mEAAmE;AACnE,0BAA0B;AAC1B,MAAM,kBAAkB,GACtB,yHAAyH,CAAC;AAE5H,yEAAyE;AACzE,0EAA0E;AAC1E,0CAA0C;AAC1C,MAAM,mBAAmB,GACvB,6FAA6F,CAAC;AAoBhG,MAAM,OAAO,kBAAkB;IAGpB,IAAI,GAAG,iBAAiB,CAAC;IACzB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAqC,EAAE,CAAC;QACtD,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;QAE/B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE/B,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5B,MAAM,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACxC,IAAI,CAAC,CAAC;oBAAE,SAAS;gBACjB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;gBACnB,MAAM,GAAG,GAAgB;oBACvB,OAAO,EAAE,iBAAiB;oBAC1B,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;iBACZ,CAAC;gBACF,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI;oBACJ,QAAQ;oBACR,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;iBACnC,CAAC,CAAC;gBACH,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;oBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,8DAA8D;wBAC9D,KAAK,GAAG,CAAC,KAAK,oDAAoD;wBAClE,4DAA4D;wBAC5D,yDAAyD;oBAC3D,IAAI;oBACJ,IAAI;oBACJ,GAAG,EACD,sDAAsD;wBACtD,mEAAmE;wBACnE,mEAAmE;oBACrE,QAAQ,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE;iBAC/D,CAAC,CAAC;YACL,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAA
E,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5B,MAAM,CAAC,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACzC,IAAI,CAAC,CAAC;oBAAE,SAAS;gBACjB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;gBACnB,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI;oBACJ,QAAQ;oBACR,OAAO,EAAE,gBAAgB;oBACzB,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;iBACnC,CAAC,CAAC;gBACH,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;oBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,qDAAqD,CAAC,CAAC,CAAC,CAAC,MAAM;wBAC/D,gEAAgE;wBAChE,+DAA+D;wBAC/D,sCAAsC;oBACxC,IAAI;oBACJ,IAAI;oBACJ,GAAG,EACD,4CAA4C;wBAC5C,qEAAqE;wBACrE,wDAAwD;wBACxD,yBAAyB;oBAC3B,QAAQ,EAAE,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE;iBAC/D,CAAC,CAAC;YACL,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;CACF"}
|
|
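--- a/package/dist/analysis/passes/weak-crypto-pass.d.ts
+++ b/package/dist/analysis/passes/weak-crypto-pass.d.ts
@@ -27,6 +27,12 @@
 * `Crypto.Cipher.Blowfish.new(...)` (pycryptodome / pycrypto)
 * - `cryptography.hazmat.primitives.ciphers.algorithms.{TripleDES,Blowfish,ARC4,IDEA,SEED,CAST5}`
 * - `AES.new(key, AES.MODE_ECB)` — ECB mode argument
+* - `modes.ECB()` (cryptography.hazmat) — issue #87
+* - `AES.new(b"literal", …)` / `algorithms.AES(b"literal")` — hardcoded
+* symmetric key (CWE-321, issue #87). Detected for both inline byte
+* literals and variables resolved via constant propagation.
+* - `rsa.generate_private_key(key_size=<2048)` — weak RSA key size
+* (CWE-326, issue #87)
 * JavaScript / TypeScript:
 * - `crypto.createCipher(...)` (deprecated; always weak)
 * - `crypto.createCipheriv("des-..."|"rc4"|"bf-..."|"des-ede"|".*-ecb")`
@@ -34,6 +40,10 @@
 * - `des.NewCipher(...)` / `des.NewTripleDESCipher(...)` / `rc4.NewCipher(...)`
 * (from `crypto/des` and `crypto/rc4`)
 * - `cipher.NewECBEncrypter(...)` (custom ECB wrappers — best-effort)
+* - `aes.NewCipher([]byte("literal"))` — hardcoded symmetric key
+* (CWE-321, issue #87)
+* - `rsa.GenerateKey(rand.Reader, <2048)` — weak RSA key size
+* (CWE-326, issue #87)
 *
 * Aligned with: gosec G401/G405, Bandit B304/B305/B306, OWASP Benchmark `crypto` category.
 */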
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"weak-crypto-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/weak-crypto-pass.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"weak-crypto-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/weak-crypto-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgDG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AA0T9E,MAAM,MAAM,eAAe,GACvB,aAAa,GACb,UAAU,GACV,gBAAgB,GAChB,WAAW,GACX,eAAe,GACf,cAAc,CAAC;AAYnB,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,eAAe,CAAC;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAED,qBAAa,cAAe,YAAW,YAAY,CAAC,gBAAgB,CAAC;IACnE,QAAQ,CAAC,IAAI,iBAAiB;IAC9B,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,gBAAgB;IA+CvC,OAAO,CAAC,YAAY;IA0CpB,OAAO,CAAC,QAAQ;IA2BhB,OAAO,CAAC,MAAM;CA4Nf"}
|