circle-ir 3.54.0 → 3.56.0

package/dist/analysis/passes/weak-crypto-pass.js

@@ -27,6 +27,12 @@
  *       `Crypto.Cipher.Blowfish.new(...)` (pycryptodome / pycrypto)
  *     - `cryptography.hazmat.primitives.ciphers.algorithms.{TripleDES,Blowfish,ARC4,IDEA,SEED,CAST5}`
  *     - `AES.new(key, AES.MODE_ECB)` — ECB mode argument
+ *     - `modes.ECB()` (cryptography.hazmat) — issue #87
+ *     - `AES.new(b"literal", …)` / `algorithms.AES(b"literal")` — hardcoded
+ *       symmetric key (CWE-321, issue #87). Detected for both inline byte
+ *       literals and variables resolved via constant propagation.
+ *     - `rsa.generate_private_key(key_size=<2048)` — weak RSA key size
+ *       (CWE-326, issue #87)
  *   JavaScript / TypeScript:
  *     - `crypto.createCipher(...)` (deprecated; always weak)
  *     - `crypto.createCipheriv("des-..."|"rc4"|"bf-..."|"des-ede"|".*-ecb")`
@@ -34,6 +40,10 @@
  *     - `des.NewCipher(...)` / `des.NewTripleDESCipher(...)` / `rc4.NewCipher(...)`
  *       (from `crypto/des` and `crypto/rc4`)
  *     - `cipher.NewECBEncrypter(...)` (custom ECB wrappers — best-effort)
+ *     - `aes.NewCipher([]byte("literal"))` — hardcoded symmetric key
+ *       (CWE-321, issue #87)
+ *     - `rsa.GenerateKey(rand.Reader, <2048)` — weak RSA key size
+ *       (CWE-326, issue #87)
  *
  * Aligned with: gosec G401/G405, Bandit B304/B305/B306, OWASP Benchmark `crypto` category.
  */
@@ -163,6 +173,183 @@ function detectHardcodedKeyJava(call) {
         return `literal string`;
     return null;
 }
+/**
+ * Detect a hardcoded symmetric key passed as the first positional argument
+ * of a Python cipher constructor (`AES.new`, `DES.new`, `algorithms.AES(…)`,
+ * etc.).
+ *
+ * Patterns flagged (returns a human-readable detail string):
+ *   - inline bytes literal `b"…"` / `b'…'`
+ *   - inline string literal `"…"` / `'…'` (legacy pycrypto style)
+ *   - variable resolved by constant propagation to a string/bytes constant
+ *
+ * Returns null when the key argument is a runtime value (function call,
+ * env-var lookup, parameter, etc.).
+ */
+function detectHardcodedKeyPython(call, constProp, literalBindings) {
+    const arg = call.arguments.find((a) => a.position === 0);
+    if (!arg)
+        return null;
+    // Prefer `expression` over `literal` — the Python plugin's `literal`
+    // field strips the trailing quote on bytes literals, breaking the
+    // `^b"…"$` regex.
+    const expr = (arg.expression ?? arg.literal ?? '').trim();
+    if (!expr)
+        return null;
+    // Inline bytes literal: b"…" / b'…' / rb"…" / br"…"
+    if (/^[bB][rR]?["'][^"']*["']$/.test(expr) || /^[rR][bB]["'][^"']*["']$/.test(expr)) {
+        return `literal bytes ${expr.slice(0, 24)}${expr.length > 24 ? '…' : ''}`;
+    }
+    // Inline plain string literal: "…" / '…'
+    if (/^["'][^"']*["']$/.test(expr)) {
+        return `literal string ${expr.slice(0, 24)}${expr.length > 24 ? '…' : ''}`;
+    }
+    // Variable resolved by constant propagation (Java symbol table).
+    if (arg.variable && constProp) {
+        const sym = constProp.symbols.get(arg.variable);
+        if (sym && sym.type === 'string' && typeof sym.value === 'string') {
+            return `constant-propagated bytes from \`${arg.variable}\``;
+        }
+    }
+    // Variable bound to a literal RHS earlier in the file (regex scan
+    // fallback for languages whose const-prop pass does not yet track
+    // string/bytes assignments).
+    if (arg.variable) {
+        const lit = literalBindings.get(arg.variable);
+        if (lit) {
+            return `literal-bound ${arg.variable} = ${lit.slice(0, 24)}${lit.length > 24 ? '…' : ''}`;
+        }
+    }
+    return null;
+}
+/**
+ * Detect a hardcoded symmetric key passed as the first positional argument
+ * of a Go cipher constructor (`aes.NewCipher`, `des.NewCipher`, etc.).
+ *
+ * Patterns flagged:
+ *   - inline `[]byte("literal")` conversion
+ *   - inline `[]byte{0x00, 0x01, …}` composite literal
+ *   - variable resolved by constant propagation to a string constant
+ *
+ * Returns null when the key argument is a runtime value.
+ */
+function detectHardcodedKeyGo(call, constProp, literalBindings) {
+    const arg = call.arguments.find((a) => a.position === 0);
+    if (!arg)
+        return null;
+    const expr = (arg.literal ?? arg.expression ?? '').trim();
+    if (!expr)
+        return null;
+    // []byte("literal") / []byte(`literal`)
+    if (/^\[\s*\]\s*byte\s*\(\s*["'`][^"'`]*["'`]\s*\)$/.test(expr)) {
+        return `literal []byte("…")`;
+    }
+    // []byte{0x00, 0x01, …}
+    if (/^\[\s*\]\s*byte\s*\{[^}]*\}$/.test(expr)) {
+        return `literal []byte{…} composite`;
+    }
+    // Variable resolved by constant propagation.
+    if (arg.variable && constProp) {
+        const sym = constProp.symbols.get(arg.variable);
+        if (sym && sym.type === 'string' && typeof sym.value === 'string') {
+            return `constant-propagated key from \`${arg.variable}\``;
+        }
+    }
+    // Regex fallback: `var key = []byte("…")` / `key := []byte("…")` /
+    // `const key = "…"` earlier in the same file.
+    if (arg.variable) {
+        const lit = literalBindings.get(arg.variable);
+        if (lit) {
+            return `literal-bound ${arg.variable} = ${lit.slice(0, 24)}${lit.length > 24 ? '…' : ''}`;
+        }
+    }
+    return null;
+}
+/**
+ * Extract a weak (< 2048) `key_size` argument from a Python
+ * `…rsa.generate_private_key(...)` call.
+ *
+ * The Python plugin renders keyword arguments as `name=value` in
+ * `argument.expression` and exposes the numeric RHS in `argument.literal`,
+ * so we scan every positional and keyword argument for a `key_size=N`
+ * spelling first, then fall back to a positional `key_size` (uncommon in
+ * the cryptography API but accepted via `**kwargs`).
+ */
+function parseWeakRsaKeySizePython(call) {
+    for (const arg of call.arguments) {
+        const expr = (arg.expression ?? '').trim();
+        const lit = (arg.literal ?? '').trim();
+        const m = expr.match(/^key_size\s*=\s*(-?\d+)\s*$/);
+        if (m && m[1]) {
+            const n = parseInt(m[1], 10);
+            if (Number.isFinite(n) && n > 0 && n < 2048)
+                return n;
+            return null;
+        }
+        // Keyword arg where expression='key_size=…' but literal already isolated.
+        if (/^key_size\s*=/.test(expr) && lit) {
+            const n = parseInt(lit, 10);
+            if (Number.isFinite(n) && n > 0 && n < 2048)
+                return n;
+        }
+    }
+    return null;
+}
+/**
+ * Build a `<name> → <literal>` map by regex-scanning the file's source.
+ *
+ * Recognised forms per language (only inline literal RHSes — not function
+ * calls, attribute lookups, parameters, etc.):
+ *
+ *   Python:
+ *     `name = b"…"` / `name = b'…'`     (bytes literal)
+ *     `name = "…"` / `name = '…'`        (string literal)
+ *
+ *   Go:
+ *     `name := []byte("…")` / `var name = []byte("…")`
+ *     `name := "…"` / `const name = "…"`
+ *
+ * Used by `detectHardcodedKeyPython` / `detectHardcodedKeyGo` to recognise
+ * the common pattern `key = b"…"; AES.new(key, …)`. Returns an empty map
+ * for unsupported languages or when the source is empty.
+ */
+function scanLiteralBindings(code, language) {
+    const out = new Map();
+    if (!code)
+        return out;
+    if (language === 'python') {
+        // `name = b"…"` (preferred form) or `name = "…"` (legacy / Python 2).
+        const re = /^[ \t]*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(b[rR]?["'][^"']*["']|[rR]?b["'][^"']*["']|["'][^"']*["'])\s*(?:$|#)/gm;
+        let m;
+        while ((m = re.exec(code)) !== null) {
+            if (m[1] && m[2])
+                out.set(m[1], m[2]);
+        }
+        return out;
+    }
+    if (language === 'go') {
+        // `name := []byte("…")` / `var name = []byte("…")` / `const name = "…"` /
+        // `name := "…"`.
+        const reByte = /^[ \t]*(?:var\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*(?::=|=)\s*(\[\s*\]\s*byte\s*\(\s*["'`][^"'`]*["'`]\s*\))/gm;
+        let m;
+        while ((m = reByte.exec(code)) !== null) {
+            if (m[1] && m[2])
+                out.set(m[1], m[2]);
+        }
+        const reStr = /^[ \t]*(?:var|const)\s+([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(["'`][^"'`]*["'`])/gm;
+        while ((m = reStr.exec(code)) !== null) {
+            if (m[1] && m[2])
+                out.set(m[1], m[2]);
+        }
+        const reShort = /^[ \t]*([A-Za-z_][A-Za-z0-9_]*)\s*:=\s*(["'`][^"'`]*["'`])/gm;
+        while ((m = reShort.exec(code)) !== null) {
+            if (m[1] && m[2])
+                out.set(m[1], m[2]);
+        }
+        return out;
+    }
+    return out;
+}
 /** Map issue kind → CWE identifier. */
 const ISSUE_CWE = {
     'weak-cipher': 'CWE-327',
@@ -176,11 +363,24 @@ export class WeakCryptoPass {
     name = 'weak-crypto';
     category = 'security';
     run(ctx) {
-        const { graph, language } = ctx;
+        const { graph, language, code } = ctx;
         const file = graph.ir.meta.file;
         const findings = [];
+        // Optional constant-propagation result — used to resolve a variable whose
+        // assigned value is a literal bytes/string (Python `key = b"…"` → AES.new).
+        const constProp = ctx.hasResult('constant-propagation')
+            ? ctx.getResult('constant-propagation')
+            : null;
+        // Lightweight per-language source scan for `<name> = <literal>`
+        // bindings. Python's constant-propagation pass does not yet track
+        // `name = b"…"` style assignments, and Go's does not track
+        // `name := []byte("…")`. We do a one-pass regex over `ctx.code` to
+        // build a `name → literal` map used by hardcoded-key detection.
+        // This is a conservative augmentation — only inline literal RHSes
+        // are recognised; runtime values stay invisible.
+        const literalBindings = scanLiteralBindings(code, language);
         for (const call of graph.ir.calls) {
-            const detections = this.detect(call, language);
+            const detections = this.detect(call, language, constProp, literalBindings);
             for (const det of detections) {
                 const line = call.location.line;
                 findings.push({ line, language, ...det });
@@ -250,7 +450,7 @@ export class WeakCryptoPass {
                     'use RSA-OAEP with ≥2048-bit keys or modern curve-based schemes.');
         }
     }
-    detect(call, language) {
+    detect(call, language, constProp, literalBindings) {
         const method = call.method_name;
         const receiver = call.receiver ?? '';
         const out = [];
@@ -326,6 +526,15 @@ export class WeakCryptoPass {
                         out.push({ issue: 'ecb-mode', detail: 'AES.MODE_ECB', api: `${receiver}.new` });
                     }
                 }
+                // Hardcoded symmetric key — issue #87 (CWE-321). First arg is a bytes
+                // literal `b"…"` either inline or via a constant-propagated variable.
+                if (lastSeg === 'aes' || lastSeg.endsWith('.aes') ||
+                    WEAK_CIPHER_BASES.has(lastSeg)) {
+                    const keyDetail = detectHardcodedKeyPython(call, constProp, literalBindings);
+                    if (keyDetail) {
+                        out.push({ issue: 'hardcoded-key', detail: keyDetail, api: `${receiver}.new` });
+                    }
+                }
             }
             // cryptography.hazmat ciphers — algorithms.TripleDES(key) / Blowfish(key) / ARC4(key) / IDEA(key) / SEED(key) / CAST5(key)
             // Receiver here is `algorithms` (or full path); method is the algo name.
@@ -336,6 +545,32 @@ export class WeakCryptoPass {
                 if (WEAK_CIPHER_BASES.has(normalized)) {
                     out.push({ issue: 'weak-cipher', detail: normalized, api: `algorithms.${method}` });
                 }
+                // algorithms.AES(b"literal") — hardcoded key (CWE-321, issue #87).
+                if (m === 'aes') {
+                    const keyDetail = detectHardcodedKeyPython(call, constProp, literalBindings);
+                    if (keyDetail) {
+                        out.push({ issue: 'hardcoded-key', detail: keyDetail, api: `algorithms.${method}` });
+                    }
+                }
+            }
+            // cryptography.hazmat modes — modes.ECB() — issue #87 (CWE-327).
+            // Receiver is `modes` (or full path ending in `.modes`); method is `ECB`.
+            if (method === 'ECB' && (receiver === 'modes' || receiver.endsWith('.modes'))) {
+                out.push({ issue: 'ecb-mode', detail: 'modes.ECB()', api: `${receiver}.ECB` });
+            }
+            // cryptography.hazmat asymmetric — rsa.generate_private_key(key_size=N)
+            // / dsa.generate_private_key(key_size=N) — issue #87 (CWE-326).
+            if (method === 'generate_private_key' &&
+                (receiver === 'rsa' || receiver === 'dsa' ||
+                    receiver.endsWith('.rsa') || receiver.endsWith('.dsa'))) {
+                const n = parseWeakRsaKeySizePython(call);
+                if (n !== null) {
+                    out.push({
+                        issue: 'weak-rsa-key',
+                        detail: String(n),
+                        api: `${receiver}.generate_private_key`,
+                    });
+                }
             }
             return out;
         }
@@ -384,6 +619,31 @@ export class WeakCryptoPass {
             if ((method === 'NewECBEncrypter' || method === 'NewECBDecrypter') && receiver === 'cipher') {
                 out.push({ issue: 'ecb-mode', detail: method, api: `cipher.${method}` });
             }
+            // aes.NewCipher / des.NewCipher / des.NewTripleDESCipher hardcoded key —
+            // issue #87 (CWE-321). First arg is `[]byte("literal")` or a variable
+            // assigned from such a literal.
+            if ((receiver === 'aes' && method === 'NewCipher') ||
+                (receiver === 'des' && (method === 'NewCipher' || method === 'NewTripleDESCipher')) ||
+                (receiver === 'rc4' && method === 'NewCipher')) {
+                const keyDetail = detectHardcodedKeyGo(call, constProp, literalBindings);
+                if (keyDetail) {
+                    out.push({ issue: 'hardcoded-key', detail: keyDetail, api: `${receiver}.${method}` });
+                }
+            }
+            // crypto/rsa: rsa.GenerateKey(rand.Reader, bits) — issue #87 (CWE-326).
+            // Second positional arg is the key size in bits.
+            if (receiver === 'rsa' && method === 'GenerateKey') {
+                const bitsArg = call.arguments.find((a) => a.position === 1);
+                const expr = (bitsArg?.literal ?? bitsArg?.expression ?? '').trim();
+                const n = parseInt(expr, 10);
+                if (Number.isFinite(n) && n > 0 && n < 2048) {
+                    out.push({
+                        issue: 'weak-rsa-key',
+                        detail: String(n),
+                        api: 'rsa.GenerateKey',
+                    });
+                }
+            }
             return out;
         }
         return out;

package/dist/analysis/passes/weak-crypto-pass.js.map

@@ -1 +1 @@
-{"version":3,"file":"weak-crypto-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/weak-crypto-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAKH,2DAA2D;AAC3D,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW;IACpC,KAAK,EAAE,KAAK,EAAE,MAAM;IACpB,UAAU,EAAE,IAAI;IAChB,MAAM,EAAE,MAAM,EAAE,OAAO;CACxB,CAAC,CAAC;AAEH,kFAAkF;AAClF,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IACjE,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,MAAM,GAAyC,EAAE,CAAC;IACxD,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC;IACxD,IAAI,IAAI,KAAK,KAAK;QAAE,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;IACtC,4FAA4F;IAC5F,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,KAAK,KAAK;QAAE,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;IAC5D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACnB,IACE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EACtC,CAAC;QACD,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,WAAW,CAAC,IAAc,EAAE,QAAgB;IACnD,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC;IAChD,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,OAAO,IAAI,IAAI,CAAC;AACzB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,kBAAkB,CAAC,IAAc;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,4EAA4E;IAC5E,sEAAsE;IACtE,yEAAyE;IACzE,IAAI,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9C,OAAO,eAAe,IAAI,EAAE,CAAC;IAC/B,CAAC;IAED,0DAA0D;IAC1D,IAAI,uCAAuC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACvD,OAAO,4BAA4B,CAAC;IACtC,CAAC;IAED,uEAAuE;IACvE,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACzC,OAAO,4BAA4B,CAAC;IACtC,CAAC;IAED,4EAA4E;IAC5E,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;GAWG;AACH;;;;;;;;;GASG;AACH,SAAS,UAAU,CAAC,IAAc,EAAE,SAAiB;IACnD,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC9C,IAAI,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAChC,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,CAAC,IAAI,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,GAAG,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1E,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,sBAAsB,CAAC,IAAc;IAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,4BAA4B,CAAC;IAC9E,IAAI,uCAAuC,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,4BAA4B,CAAC;IAC5F,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,gBAAgB,CAAC;IAEpD,OAAO,IAAI,CAAC;AACd,CAAC;AAUD,uCAAuC;AACvC,MAAM,SAAS,GAAoC;IACjD,aAAa,EAAE,SAAS;IACxB,UAAU,EAAE,SAAS;IACrB,gBAAgB,EAAE,SAAS;IAC3B,WAAW,EAAE,SAAS;IACtB,eAAe,EAAE,SAAS;IAC1B,cAAc,EAAE,SAAS;CAC1B,CAAC;AAYF,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,aAAa,CAAC;IACrB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAiC,EAAE,CAAC;QAElD,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAC/C,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;gBAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;gBAE1C,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;gBACvC,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC;oBACzB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO;oBACP,IAAI;oBACJ,IAAI;oBACJ,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC;oBAC7B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,YAAY,CAAC,GAA4D;QAC/E,QAAQ,GAAG,CAAC,KAAK,EAAE,CAAC;YAClB,KAAK,aAAa;gBAChB,OAAO,CACL,2BAA2B,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,cAAc;oBACjE,KAAK,GAAG,CAAC,GAAG,yDAAyD;oBACrE,gDAAgD,CACjD,CAAC;YACJ,KAAK,UAAU;gBACb,OAAO,CACL,oCAAoC,GAAG,CAAC,GAAG,SAAS,GAAG,CAAC,MAAM,OAAO;oBACrE,0EAA0E;oBAC1E,iCAAiC,CAClC,CAAC;YACJ,KAAK,gBAAgB;gBACnB,OAAO,CACL,2BAA2B,GAAG,CAAC,GAAG,qBAAqB,GAAG,CAAC,MAAM,OAAO;oBACxE,iEAAiE,CAClE,CAAC;YACJ,KAAK,WAAW;gBACd,OAAO,CACL,wCAAwC,GAAG,CAAC,GAAG,SAAS,GAAG,CAAC,MAAM,OAAO;oBACzE,sEAAsE;oBACtE,uCAAuC,CACxC,CAAC;YACJ,KAAK,eAAe;gBAClB,OAAO,CACL,gDAAgD,GAAG,CAAC,GAAG,SAAS,GAAG,CAAC,MAAM,OAAO;oBACjF,uEAAuE;oBACvE,kEAAkE,CACnE,CAAC;YACJ,KAAK,cAAc;gBACjB,OAAO,CACL,uBAAuB,GAAG,CAAC,MAAM,sBAAsB,GAAG,CAAC,GAAG,MAAM;oBACpE,iEAAiE;oBACjE,8BAA8B,CAC/B,CAAC;YACJ;gBACE,OAAO,sBAAsB,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,GAAG,GAAG,CAAC;QAC3D,CAAC;IACH,CAAC;IAEO,QAAQ,CAAC,KAAsB;QACrC,QAAQ,KAAK,EAAE,CAAC;YACd,KAAK,WAAW;gBACd,OAAO,CACL,6DAA6D;oBAC7D,6EAA6E;oBAC7E,6DAA6D,CAC9D,CAAC;YACJ,KAAK,eAAe;gBAClB,OAAO,CACL,8DAA8D;oBAC9D,uEAAuE,CACxE,CAAC;YACJ,KAAK,cAAc;gBACjB,OAAO,CACL,kEAAkE;oBAClE,uDAAuD,CACxD,CAAC;YACJ;gBACE,OAAO,CACL,+DAA+D;oBAC/D,oEAAoE;oBACpE,iEAAiE,CAClE,CAAC;QACN,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,IAAc,EAAE,QAAgB;QAK7C,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC;QAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,MAAM,GAAG,GAAmE,EAAE,CAAC;QAE/E,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,0DAA0D;YAC1D,MAAM,eAAe,GACnB,MAAM,KAAK,aAAa;gBACxB,CAAC,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC;oBACrD,QAAQ,KAAK,cAAc,IAAI,QAAQ,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;YACtE,IAAI,eAAe,EAAE,CAAC;gBACpB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAClC,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;oBACvD,MAAM,GAAG,GAAG,GAAG,QAAQ,cAAc,CAAC;oBACtC,IAAI,QAAQ;wBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;oBACxE,IAAI,GAAG;wBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC9D,CAAC;YACH,CAAC;YAED,2DAA2D;YAC3D,gEAAgE;YAChE,8DAA8D;YAC9D,kEAAkE;YAClE,iCAAiC;YACjC,IAAI,MAAM,KAAK,iBAAiB,IAAI,UAAU,CAAC,IAAI,EAAE,iBAAiB,CAAC,EAAE,CAAC;gBACxE,MAAM,QAAQ,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;gBAC1C,IAAI,QAAQ,EAAE,CAAC;oBACb,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC,CAAC;gBACjF,CAAC;YACH,CAAC;YAED,mFAAmF;YACnF,IAAI,MAAM,KAAK,eAAe,IAAI,UAAU,CAAC,IAAI,EAAE,eAAe,CAAC,EAAE,CAAC;gBACpE,MAAM,SAAS,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;gBAC/C,IAAI,SAAS,EAAE,CAAC;oBACd,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,mBAAmB,EAAE,CAAC,CAAC;gBACpF,CAAC;YACH,CAAC;YAED,gEAAgE;YAChE,yEAAyE;YACzE,6EAA6E;YAC7E,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;gBAC5B,MAAM,KAAK,GACT,IAAI,CAAC,aAAa,KAAK,kBAAkB;oBACzC,CAAC,IAAI,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;gBAC/D,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;oBAC7D,MAAM,IAAI,GAAG,CAAC,OAAO,EAAE,OAAO,IAAI,OAAO,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBACpE,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;oBAC7B,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC;wBAC5C,GAAG,CAAC,IAAI,CAAC;4BACP,KAAK,EAAE,cAAc;4BACrB,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;4BACjB,GAAG,EAAE,6BAA6B;yBACnC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,iEAAiE;YACjE,iFAAiF;YACjF,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;gBACrB,MAAM,QAAQ,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACxC,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;gBACtD,IAAI,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;oBACnC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,QAAQ,MAAM,EAAE,CAAC,CAAC;gBAC9E,CAAC;gBACD,iDAAiD;gBACjD,IAAI,OAAO,KAAK,KAAK,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;oBAClD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;oBAC1D,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBACjD,IAAI,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAClC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,EAAE,GAAG,QAAQ,MAAM,EAAE,CAAC,CAAC;oBAClF,CAAC;gBACH,CAAC;YACH,CAAC;YACD,2HAA2H;YAC3H,yEAAyE;YACzE,MAAM,aAAa,GAAG,QAAQ,KAAK,YAAY,IAAI,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACpF,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;gBAC/B,MAAM,UAAU,GAAG,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;gBAClD,IAAI,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;oBACtC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,cAAc,MAAM,EAAE,EAAE,CAAC,CAAC;gBACtF,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,8DAA8D;YAC9D,IAAI,MAAM,KAAK,cAAc,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACvD,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,WAAW,CAAC;gBACjD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC,CAAC;YAClF,CAAC;YACD,uDAAuD;YACvD,IAAI,MAAM,KAAK,gBAAgB,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACzD,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAClC,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjC,kEAAkE;oBAClE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAC/B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACtB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;oBACrC,IAAI,cAAc,GAAG,IAAI,CAAC;oBAC1B,IAAI,IAAI,KAAK,IAAI;wBAAE,cAAc,GAAG,UAAU,CAAC;oBAC/C,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,KAAK,MAAM;wBAAE,cAAc,GAAG,MAAM,CAAC;oBACzF,IAAI,iBAAiB,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;wBAC1C,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,EAAE,uBAAuB,EAAE,CAAC,CAAC;oBAC3F,CAAC;oBACD,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;wBACnB,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,uBAAuB,EAAE,CAAC,CAAC;oBAC/E,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,qDAAqD;YACrD,IAAI,QAAQ,KAAK,KAAK,IAAI,CAAC,MAAM,KAAK,WAAW,IAAI,MAAM,KAAK,oBAAoB,CAAC,EAAE,CAAC;gBACtF,MAAM,IAAI,GAAG,MAAM,KAAK,oBAAoB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;gBAC9D,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,MAAM,EAAE,EAAE,CAAC,CAAC;YACzE,CAAC;YACD,4BAA4B;YAC5B,IAAI,QAAQ,KAAK,KAAK,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;gBACjD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,eAAe,EAAE,CAAC,CAAC;YAC1E,CAAC;YACD,+EAA+E;YAC/E,qEAAqE;YACrE,IAAI,CAAC,MAAM,KAAK,iBAAiB,IAAI,MAAM,KAAK,iBAAiB,CAAC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC5F,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,MAAM,EAAE,EAAE,CAAC,CAAC;YAC3E,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;CACF"}
+{"version":3,"file":"weak-crypto-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/weak-crypto-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgDG;AAMH,2DAA2D;AAC3D,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW;IACpC,KAAK,EAAE,KAAK,EAAE,MAAM;IACpB,UAAU,EAAE,IAAI;IAChB,MAAM,EAAE,MAAM,EAAE,OAAO;CACxB,CAAC,CAAC;AAEH,kFAAkF;AAClF,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IACjE,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,MAAM,GAAyC,EAAE,CAAC;IACxD,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC;IACxD,IAAI,IAAI,KAAK,KAAK;QAAE,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;IACtC,4FAA4F;IAC5F,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,KAAK,KAAK;QAAE,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;IAC5D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACnB,IACE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EACtC,CAAC;QACD,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,WAAW,CAAC,IAAc,EAAE,QAAgB;IACnD,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC;IAChD,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,OAAO,IAAI,IAAI,CAAC;AACzB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,kBAAkB,CAAC,IAAc;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,4EAA4E;IAC5E,sEAAsE;IACtE,yEAAyE;IACzE,IAAI,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9C,OAAO,eAAe,IAAI,EAAE,CAAC;IAC/B,CAAC;IAED,0DAA0D;IAC1D,IAAI,uCAAuC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACvD,OAAO,4BAA4B,CAAC;IACtC,CAAC;IAED,uEAAuE;IACvE,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACzC,OAAO,4BAA4B,CAAC;IACtC,CAAC;IAED,4EAA4E;IAC5E,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;GAWG;AACH;;;;;;;;;GASG;AACH,SAAS,UAAU,CAAC,IAAc,EAAE,SAAiB;IACnD,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC9C,IAAI,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAChC,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,CAAC,IAAI,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,GAAG,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1E,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,sBAAsB,CAAC,IAAc;IAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,4BAA4B,CAAC;IAC9E,IAAI,uCAAuC,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,4BAA4B,CAAC;IAC5F,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,gBAAgB,CAAC;IAEpD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,wBAAwB,CAC/B,IAAc,EACd,SAA0C,EAC1C,eAAoC;IAEpC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,qEAAqE;IACrE,kEAAkE;IAClE,kBAAkB;IAClB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,oDAAoD;IACpD,IAAI,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACpF,OAAO,iBAAiB,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAC5E,CAAC;IACD,yCAAyC;IACzC,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAClC,OAAO,kBAAkB,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAC7E,CAAC;IACD,iEAAiE;IACjE,IAAI,GAAG,CAAC,QAAQ,IAAI,SAAS,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAChD,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YAClE,OAAO,oCAAoC,GAAG,CAAC,QAAQ,IAAI,CAAC;QAC9D,CAAC;IACH,CAAC;IACD,kEAAkE;IAClE,kEAAkE;IAClE,6BAA6B;IAC7B,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjB,MAAM,GAAG,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC9C,IAAI,GAAG,EAAE,CAAC;YACR,OAAO,iBAAiB,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAC5F,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,oBAAoB,CAC3B,IAAc,EACd,SAA0C,EAC1C,eAAoC;IAEpC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,wCAAwC;IACxC,IAAI,gDAAgD,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAChE,OAAO,qBAAqB,CAAC;IAC/B,CAAC;IACD,wBAAwB;IACxB,IAAI,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9C,OAAO,6BAA6B,CAAC;IACvC,CAAC;IACD,6CAA6C;IAC7C,IAAI,GAAG,CAAC,QAAQ,IAAI,SAAS,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAChD,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YAClE,OAAO,kCAAkC,GAAG,CAAC,QAAQ,IAAI,CAAC;QAC5D,CAAC;IACH,CAAC;IACD,mEAAmE;IACnE,8CAA8C;IAC9C,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjB,MAAM,GAAG,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC9C,IAAI,GAAG,EAAE,CAAC;YACR,OAAO,iBAAiB,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAC5F,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,yBAAyB,CAAC,IAAc;IAC/C,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACpD,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACd,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC7B,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI;gBAAE,OAAO,CAAC,CAAC;YACtD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,0EAA0E;QAC1E,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,EAAE,CAAC;YACtC,MAAM,CAAC,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YAC5B,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI;gBAAE,OAAO,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAS,mBAAmB,CAAC,IAAY,EAAE,QAAgB;IACzD,MAAM,GAAG,GAAG,IAAI,GAAG,EAAkB,CAAC;IACtC,IAAI,CAAC,IAAI;QAAE,OAAO,GAAG,CAAC;IAEtB,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,sEAAsE;QACtE,MAAM,EAAE,GAAG,8GAA8G,CAAC;QAC1H,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACpC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,0EAA0E;QAC1E,iBAAiB;QACjB,MAAM,MAAM,GAAG,0GAA0G,CAAC;QAC1H,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACxC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC;QACD,MAAM,KAAK,GAAG,6EAA6E,CAAC;QAC5F,OAAO,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACvC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC;QACD,MAAM,OAAO,GAAG,8DAA8D,CAAC;QAC/E,OAAO,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACzC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAUD,uCAAuC;AACvC,MAAM,SAAS,GAAoC;IACjD,aAAa,EAAE,SAAS;IACxB,UAAU,EAAE,SAAS;IACrB,gBAAgB,EAAE,SAAS;IAC3B,WAAW,EAAE,SAAS;IACtB,eAAe,EAAE,SAAS;IAC1B,cAAc,EAAE,SAAS;CAC1B,CAAC;AAYF,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,aAAa,CAAC;IACrB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAiC,EAAE,CAAC;QAElD,0EAA0E;QAC1E,4EAA4E;QAC5E,MAAM,SAAS,GAAG,GAAG,CAAC,SAAS,CAAC,sBAAsB,CAAC;YACrD,CAAC,CAAC,GAAG,CAAC,SAAS,CAA2B,sBAAsB,CAAC;YACjE,CAAC,CAAC,IAAI,CAAC;QAET,gEAAgE;QAChE,kEAAkE;QAClE,2DAA2D;QAC3D,mEAAmE;QACnE,gEAAgE;QAChE,kEAAkE;QAClE,iDAAiD;QACjD,MAAM,eAAe,GAAG,mBAAmB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAE5D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;YAC3E,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;gBAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;gBAE1C,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;gBACvC,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC;oBACzB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO;oBACP,IAAI;oBACJ,IAAI;oBACJ,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC;oBAC7B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,YAAY,CAAC,GAA4D;QAC/E,QAAQ,GAAG,CAAC,KAAK,EAAE,CAAC;YAClB,KAAK,aAAa;gBAChB,OAAO,CACL,2BAA2B,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,cAAc;oBACjE,KAAK,GAAG,CAAC,GAAG,yDAAyD;oBACrE,gDAAgD,CACjD,CAAC;YACJ,KAAK,UAAU;gBACb,OAAO,CACL,oCAAoC,GAAG,CAAC,GAAG,SAAS,GAAG,CAAC,MAAM,OAAO;oBACrE,0EAA0E;oBAC1E,iCAAiC,CAClC,CAAC;YACJ,KAAK,gBAAgB;gBACnB,OAAO,CACL,2BAA2B,GAAG,CAAC,GAAG,qBAAqB,GAAG,CAAC,MAAM,OAAO;oBACxE,iEAAiE,CAClE,CAAC;YACJ,KAAK,WAAW;gBACd,OAAO,CACL,wCAAwC,GAAG,CAAC,GAAG,SAAS,GAAG,CAAC,MAAM,OAAO;oBACzE,sEAAsE;oBACtE,uCAAuC,CACxC,CAAC;YACJ,KAAK,eAAe;gBAClB,OAAO,CACL,gDAAgD,GAAG,CAAC,GAAG,SAAS,GAAG,CAAC,MAAM,OAAO;oBACjF,uEAAuE;oBACvE,kEAAkE,CACnE,CAAC;YACJ,KAAK,cAAc;gBACjB,OAAO,CACL,uBAAuB,GAAG,CAAC,MAAM,sBAAsB,GAAG,CAAC,GAAG,MAAM;oBACpE,iEAAiE;oBACjE,8BAA8B,CAC/B,CAAC;YACJ;gBACE,OAAO,sBAAsB,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,GAAG,GAAG,CAAC;QAC3D,CAAC;IACH,CAAC;IAEO,QAAQ,CAAC,KAAsB;QACrC,QAAQ,KAAK,EAAE,CAAC;YACd,KAAK,WAAW;gBACd,OAAO,CACL,6DAA6D;oBAC7D,6EAA6E;oBAC7E,6DAA6D,CAC9D,CAAC;YACJ,KAAK,eAAe;gBAClB,OAAO,CACL,8DAA8D;oBAC9D,uEAAuE,CACxE,CAAC;YACJ,KAAK,cAAc;gBACjB,OAAO,CACL,kEAAkE;oBAClE,uDAAuD,CACxD,CAAC;YACJ;gBACE,OAAO,CACL,+DAA+D;oBAC/D,oEAAoE;oBACpE,iEAAiE,CAClE,CAAC;QACN,CAAC;IACH,CAAC;IAEO,MAAM,CACZ,IAAc,EACd,QAAgB,EAChB,SAA0C,EAC1C,eAAoC;QAMpC,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC;QAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,MAAM,GAAG,GAAmE,EAAE,CAAC;QAE/E,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,0DAA0D;YAC1D,MAAM,eAAe,GACnB,MAAM,KAAK,aAAa;gBACxB,CAAC,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC;oBACrD,QAAQ,KAAK,cAAc,IAAI,QAAQ,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;YACtE,IAAI,eAAe,EAAE,CAAC;gBACpB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAClC,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;oBACvD,MAAM,GAAG,GAAG,GAAG,QAAQ,cAAc,CAAC;oBACtC,IAAI,QAAQ;wBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;oBACxE,IAAI,GAAG;wBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC9D,CAAC;YACH,CAAC;YAED,2DAA2D;YAC3D,gEAAgE;YAChE,8DAA8D;YAC9D,kEAAkE;YAClE,iCAAiC;YACjC,IAAI,MAAM,KAAK,iBAAiB,IAAI,UAAU,CAAC,IAAI,EAAE,iBAAiB,CAAC,EAAE,CAAC;gBACxE,MAAM,QAAQ,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;gBAC1C,IAAI,QAAQ,EAAE,CAAC;oBACb,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC,CAAC;gBACjF,CAAC;YACH,CAAC;YAED,mFAAmF;YACnF,IAAI,MAAM,KAAK,eAAe,IAAI,UAAU,CAAC,IAAI,EAAE,eAAe,CAAC,EAAE,CAAC;gBACpE,MAAM,SAAS,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;gBAC/C,IAAI,SAAS,EAAE,CAAC;oBACd,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,mBAAmB,EAAE,CAAC,CAAC;gBACpF,CAAC;YACH,CAAC;YAED,gEAAgE;YAChE,yEAAyE;YACzE,6EAA6E;YAC7E,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;gBAC5B,MAAM,KAAK,GACT,IAAI,CAAC,aAAa,KAAK,kBAAkB;oBACzC,CAAC,IAAI,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;gBAC/D,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;oBAC7D,MAAM,IAAI,GAAG,CAAC,OAAO,EAAE,OAAO,IAAI,OAAO,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBACpE,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;oBAC7B,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC;wBAC5C,GAAG,CAAC,IAAI,CAAC;4BACP,KAAK,EAAE,cAAc;4BACrB,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;4BACjB,GAAG,EAAE,6BAA6B;yBACnC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,iEAAiE;YACjE,iFAAiF;YACjF,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;gBACrB,MAAM,QAAQ,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACxC,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;gBACtD,IAAI,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;oBACnC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,QAAQ,MAAM,EAAE,CAAC,CAAC;gBAC9E,CAAC;gBACD,iDAAiD;gBACjD,IAAI,OAAO,KAAK,KAAK,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;oBAClD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;oBAC1D,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBACjD,IAAI,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAClC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,EAAE,GAAG,QAAQ,MAAM,EAAE,CAAC,CAAC;oBAClF,CAAC;gBACH,CAAC;gBACD,sEAAsE;gBACtE,sEAAsE;gBACtE,IACE,OAAO,KAAK,KAAK,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC7C,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,EAC9B,CAAC;oBACD,MAAM,SAAS,GAAG,wBAAwB,CAAC,IAAI,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;oBAC7E,IAAI,SAAS,EAAE,CAAC;wBACd,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,QAAQ,MAAM,EAAE,CAAC,CAAC;oBAClF,CAAC;gBACH,CAAC;YACH,CAAC;YACD,2HAA2H;YAC3H,yEAAyE;YACzE,MAAM,aAAa,GAAG,QAAQ,KAAK,YAAY,IAAI,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACpF,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;gBAC/B,MAAM,UAAU,GAAG,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;gBAClD,IAAI,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;oBACtC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,cAAc,MAAM,EAAE,EAAE,CAAC,CAAC;gBACtF,CAAC;gBACD,mEAAmE;gBACnE,IAAI,CAAC,KAAK,KAAK,EAAE,CAAC;oBAChB,MAAM,SAAS,GAAG,wBAAwB,CAAC,IAAI,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;oBAC7E,IAAI,SAAS,EAAE,CAAC;wBACd,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,cAAc,MAAM,EAAE,EAAE,CAAC,CAAC;oBACvF,CAAC;gBACH,CAAC;YACH,CAAC;YACD,iEAAiE;YACjE,0EAA0E;YAC1E,IAAI,MAAM,KAAK,KAAK,IAAI,CAAC,QAAQ,KAAK,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;gBAC9E,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,EAAE,GAAG,QAAQ,MAAM,EAAE,CAAC,CAAC;YACjF,CAAC;YACD,wEAAwE;YACxE,gEAAgE;YAChE,IACE,MAAM,KAAK,sBAAsB;gBACjC,CAAC,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,KAAK;oBACxC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EACxD,CAAC;gBACD,MAAM,CAAC,GAAG,yBAAyB,CAAC,IAAI,CAAC,CAAC;gBAC1C,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;oBACf,GAAG,CAAC,IAAI,CAAC;wBACP,KAAK,EAAE,cAAc;wBACrB,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;wBACjB,GAAG,EAAE,GAAG,QAAQ,uBAAuB;qBACxC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,8DAA8D;YAC9D,IAAI,MAAM,KAAK,cAAc,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACvD,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,WAAW,CAAC;gBACjD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC,CAAC;YAClF,CAAC;YACD,uDAAuD;YACvD,IAAI,MAAM,KAAK,gBAAgB,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACzD,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAClC,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjC,kEAAkE;oBAClE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAC/B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACtB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;oBACrC,IAAI,cAAc,GAAG,IAAI,CAAC;oBAC1B,IAAI,IAAI,KAAK,IAAI;wBAAE,cAAc,GAAG,UAAU,CAAC;oBAC/C,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,KAAK,MAAM;wBAAE,cAAc,GAAG,MAAM,CAAC;oBACzF,IAAI,iBAAiB,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;wBAC1C,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,EAAE,uBAAuB,EAAE,CAAC,CAAC;oBAC3F,CAAC;oBACD,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;wBACnB,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,uBAAuB,EAAE,CAAC,CAAC;oBAC/E,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,qDAAqD;YACrD,IAAI,QAAQ,KAAK,KAAK,IAAI,CAAC,MAAM,KAAK,WAAW,IAAI,MAAM,KAAK,oBAAoB,CAAC,EAAE,CAAC;gBACtF,MAAM,IAAI,GAAG,MAAM,KAAK,oBAAoB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;gBAC9D,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,MAAM,EAAE,EAAE,CAAC,CAAC;YACzE,CAAC;YACD,4BAA4B;YAC5B,IAAI,QAAQ,KAAK,KAAK,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;gBACjD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,eAAe,EAAE,CAAC,CAAC;YAC1E,CAAC;YACD,+EAA+E;YAC/E,qEAAqE;YACrE,IAAI,CAAC,MAAM,KAAK,iBAAiB,IAAI,MAAM,KAAK,iBAAiB,CAAC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC5F,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,MAAM,EAAE,EAAE,CAAC,CAAC;YAC3E,CAAC;YACD,yEAAyE;YACzE,sEAAsE;YACtE,gCAAgC;YAChC,IACE,CAAC,QAAQ,KAAK,KAAK,IAAI,MAAM,KAAK,WAAW,CAAC;gBAC9C,CAAC,QAAQ,KAAK,KAAK,IAAI,CAAC,MAAM,KAAK,WAAW,IAAI,MAAM,KAAK,oBAAoB,CAAC,CAAC;gBACnF,CAAC,QAAQ,KAAK,KAAK,IAAI,MAAM,KAAK,WAAW,CAAC,EAC9C,CAAC;gBACD,MAAM,SAAS,GAAG,oBAAoB,CAAC,IAAI,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;gBACzE,IAAI,SAAS,EAAE,CAAC;oBACd,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,QAAQ,IAAI,MAAM,EAAE,EAAE,CAAC,CAAC;gBACxF,CAAC;YACH,CAAC;YACD,wEAAwE;YACxE,iDAAiD;YACjD,IAAI,QAAQ,KAAK,KAAK,IAAI,MAAM,KAAK,aAAa,EAAE,CAAC;gBACnD,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;gBAC7D,MAAM,IAAI,GAAG,CAAC,OAAO,EAAE,OAAO,IAAI,OAAO,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACpE,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;gBAC7B,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC;oBAC5C,GAAG,CAAC,IAAI,CAAC;wBACP,KAAK,EAAE,cAAc;wBACrB,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;wBACjB,GAAG,EAAE,iBAAiB;qBACvB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;CACF"}

package/dist/analysis/passes/xml-entity-expansion-pass.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Pass: xml-entity-expansion (CWE-776 / CWE-611, category: security)
+ *
+ * Pattern pass — flags XML parser instantiation that does *not* disable
+ * DTD / external-entity processing in the same file. This covers:
+ *   - Billion-laughs / quadratic blow-up DoS (CWE-776)
+ *   - External-entity disclosure (CWE-611) [already partially covered by
+ *     existing xxe taint sinks; this pass adds the config-level signal]
+ *
+ * Detection (Java):
+ *   Factory instantiation:
+ *     - `SAXParserFactory.newInstance()`
+ *     - `DocumentBuilderFactory.newInstance()`
+ *     - `XMLInputFactory.newInstance()` (StAX)
+ *     - `SchemaFactory.newInstance(...)`
+ *     - `TransformerFactory.newInstance()`
+ *   Safe-feature setters (any of these in the same file silences the
+ *   finding for that factory class):
+ *     - `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`
+ *     - `setFeature("http://xml.org/sax/features/external-general-entities", false)`
+ *     - `setFeature("http://xml.org/sax/features/external-parameter-entities", false)`
+ *     - `setProperty(XMLInputFactory.SUPPORT_DTD, false)`
+ *     - `setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")`
+ *
+ * Detection (Python):
+ *   - `xml.etree.ElementTree.parse` / `fromstring` — defxml advises
+ *     `defusedxml.ElementTree` instead.
+ *   - `lxml.etree.parse(...)` without `XMLParser(resolve_entities=False)`
+ *     argument. We only fire if `resolve_entities=False` does NOT appear
+ *     in the file.
+ *
+ * Note: the existing `xxe` taint sinks (`SAXParser.parse`, `XMLReader.parse`,
+ * etc.) already fire when *tainted* XML reaches the parser. This pass is
+ * the orthogonal *configuration* signal — fire even on hard-coded inputs
+ * because billion-laughs is exploitable via any attacker-supplied entity
+ * file even when the parse() argument itself is trusted.
+ *
+ * Issue: #86, Sprint 6.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface XmlEntityExpansionResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        pattern: string;
+        api: string;
+    }>;
+}
+export declare class XmlEntityExpansionPass implements AnalysisPass<XmlEntityExpansionResult> {
+    readonly name = "xml-entity-expansion";
+    readonly category: "security";
+    run(ctx: PassContext): XmlEntityExpansionResult;
+    private detectJavaCall;
+    private detectPythonCall;
+    private fixForJava;
+    private fixForPython;
+}
+//# sourceMappingURL=xml-entity-expansion-pass.d.ts.map

package/dist/analysis/passes/xml-entity-expansion-pass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xml-entity-expansion-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/xml-entity-expansion-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAyB9E,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAED,qBAAa,sBACX,YAAW,YAAY,CAAC,wBAAwB,CAAC;IAEjD,QAAQ,CAAC,IAAI,0BAA0B;IACvC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,wBAAwB;IA0E/C,OAAO,CAAC,cAAc;IAiBtB,OAAO,CAAC,gBAAgB;IAyBxB,OAAO,CAAC,UAAU;IA6BlB,OAAO,CAAC,YAAY;CAarB"}

package/dist/analysis/passes/xml-entity-expansion-pass.js

@@ -0,0 +1,196 @@
+/**
+ * Pass: xml-entity-expansion (CWE-776 / CWE-611, category: security)
+ *
+ * Pattern pass — flags XML parser instantiation that does *not* disable
+ * DTD / external-entity processing in the same file. This covers:
+ *   - Billion-laughs / quadratic blow-up DoS (CWE-776)
+ *   - External-entity disclosure (CWE-611) [already partially covered by
+ *     existing xxe taint sinks; this pass adds the config-level signal]
+ *
+ * Detection (Java):
+ *   Factory instantiation:
+ *     - `SAXParserFactory.newInstance()`
+ *     - `DocumentBuilderFactory.newInstance()`
+ *     - `XMLInputFactory.newInstance()` (StAX)
+ *     - `SchemaFactory.newInstance(...)`
+ *     - `TransformerFactory.newInstance()`
+ *   Safe-feature setters (any of these in the same file silences the
+ *   finding for that factory class):
+ *     - `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`
+ *     - `setFeature("http://xml.org/sax/features/external-general-entities", false)`
+ *     - `setFeature("http://xml.org/sax/features/external-parameter-entities", false)`
+ *     - `setProperty(XMLInputFactory.SUPPORT_DTD, false)`
+ *     - `setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")`
+ *
+ * Detection (Python):
+ *   - `xml.etree.ElementTree.parse` / `fromstring` — defxml advises
+ *     `defusedxml.ElementTree` instead.
+ *   - `lxml.etree.parse(...)` without `XMLParser(resolve_entities=False)`
+ *     argument. We only fire if `resolve_entities=False` does NOT appear
+ *     in the file.
+ *
+ * Note: the existing `xxe` taint sinks (`SAXParser.parse`, `XMLReader.parse`,
+ * etc.) already fire when *tainted* XML reaches the parser. This pass is
+ * the orthogonal *configuration* signal — fire even on hard-coded inputs
+ * because billion-laughs is exploitable via any attacker-supplied entity
+ * file even when the parse() argument itself is trusted.
+ *
+ * Issue: #86, Sprint 6.
+ */
+const JAVA_FACTORIES = new Set([
+    'SAXParserFactory',
+    'DocumentBuilderFactory',
+    'XMLInputFactory',
+    'SchemaFactory',
+    'TransformerFactory',
+]);
+// "Disallow DTD" / safe-feature evidence — any one of these in the file
+// suppresses the warning. Conservative on purpose: a missed feature still
+// fires; FPs only on cross-file configuration.
+const JAVA_SAFE_EVIDENCE_RE = /(disallow-doctype-decl|external-general-entities|external-parameter-entities|SUPPORT_DTD|ACCESS_EXTERNAL_DTD|ACCESS_EXTERNAL_SCHEMA|setXIncludeAware\s*\(\s*false\s*\)|setExpandEntityReferences\s*\(\s*false\s*\))/;
+const PY_LXML_PARSER_INSECURE_DEFAULT_RE = /\bresolve_entities\s*=\s*False\b/;
+export class XmlEntityExpansionPass {
+    name = 'xml-entity-expansion';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        const code = ctx.code ?? '';
+        if (language === 'java') {
+            const safeInFile = JAVA_SAFE_EVIDENCE_RE.test(code);
+            if (safeInFile)
+                return { findings };
+            for (const call of graph.ir.calls) {
+                const det = this.detectJavaCall(call);
+                if (!det)
+                    continue;
+                const line = call.location.line;
+                findings.push({ line, language, ...det });
+                ctx.addFinding({
+                    id: `${this.name}-${file}-${line}-${det.api}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: det.cwe,
+                    severity: 'high',
+                    level: 'error',
+                    message: `${det.api} created without disabling DTD / external-entity ` +
+                        'processing. Vulnerable to billion-laughs / quadratic ' +
+                        'blow-up DoS (CWE-776) and external-entity disclosure ' +
+                        '(CWE-611). Add `setFeature("http://apache.org/xml/features/' +
+                        'disallow-doctype-decl", true)` (or the equivalent) before ' +
+                        'parsing.',
+                    file,
+                    line,
+                    fix: this.fixForJava(det.api),
+                    evidence: { ...det, language, safeFeatureInFile: false },
+                });
+            }
+            return { findings };
+        }
+        if (language === 'python') {
+            const safeInFile = PY_LXML_PARSER_INSECURE_DEFAULT_RE.test(code) ||
+                /\bdefusedxml\b/.test(code);
+            if (safeInFile)
+                return { findings };
+            for (const call of graph.ir.calls) {
+                const det = this.detectPythonCall(call);
+                if (!det)
+                    continue;
+                const line = call.location.line;
+                findings.push({ line, language, ...det });
+                ctx.addFinding({
+                    id: `${this.name}-${file}-${line}-${det.api}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: det.cwe,
+                    severity: 'high',
+                    level: 'error',
+                    message: `${det.api} called without an entity-safe parser. Vulnerable ` +
+                        'to billion-laughs / quadratic blow-up DoS (CWE-776) and ' +
+                        'external-entity disclosure (CWE-611). Use `defusedxml` or pass ' +
+                        'an `XMLParser(resolve_entities=False)` to lxml.',
+                    file,
+                    line,
+                    fix: this.fixForPython(det.api),
+                    evidence: { ...det, language, safeFeatureInFile: false },
+                });
+            }
+            return { findings };
+        }
+        return { findings };
+    }
+    detectJavaCall(call) {
+        if (call.method_name !== 'newInstance')
+            return null;
+        const recv = call.receiver ?? '';
+        const recvType = call.receiver_type ?? '';
+        for (const factory of JAVA_FACTORIES) {
+            if (recv === factory || recvType === factory ||
+                recv.endsWith('.' + factory) || recvType.endsWith('.' + factory)) {
+                return {
+                    pattern: `${factory}.newInstance()`,
+                    api: factory,
+                    cwe: 'CWE-776',
+                };
+            }
+        }
+        return null;
+    }
+    detectPythonCall(call) {
+        const recv = call.receiver ?? '';
+        const method = call.method_name;
+        // lxml.etree.parse / lxml.etree.fromstring
+        if ((method === 'parse' || method === 'fromstring' || method === 'XML') &&
+            (recv === 'etree' || recv.endsWith('.etree'))) {
+            return {
+                pattern: `etree.${method}`,
+                api: `lxml.etree.${method}`,
+                cwe: 'CWE-776',
+            };
+        }
+        // xml.etree.ElementTree.parse / fromstring
+        if ((method === 'parse' || method === 'fromstring') &&
+            (recv === 'ET' || recv === 'ElementTree' ||
+                recv.endsWith('.ElementTree'))) {
+            return {
+                pattern: `ElementTree.${method}`,
+                api: `xml.etree.ElementTree.${method}`,
+                cwe: 'CWE-776',
+            };
+        }
+        return null;
+    }
+    fixForJava(api) {
+        if (api === 'SAXParserFactory') {
+            return ('Call `factory.setFeature("http://apache.org/xml/features/' +
+                'disallow-doctype-decl", true)` and ' +
+                '`factory.setXIncludeAware(false)` before `newSAXParser()`.');
+        }
+        if (api === 'DocumentBuilderFactory') {
+            return ('Call `factory.setFeature("http://apache.org/xml/features/' +
+                'disallow-doctype-decl", true)` and ' +
+                '`factory.setExpandEntityReferences(false)` before ' +
+                '`newDocumentBuilder()`.');
+        }
+        if (api === 'XMLInputFactory') {
+            return ('Call `factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)` ' +
+                'and `factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_' +
+                'ENTITIES, false)` before `createXMLStreamReader`.');
+        }
+        return ('Use `XMLConstants.FEATURE_SECURE_PROCESSING` and explicitly disable ' +
+            'DTD / external-entity loading on the factory before parsing.');
+    }
+    fixForPython(api) {
+        if (api.startsWith('lxml.etree')) {
+            return ('Pass an explicit parser: ' +
+                '`etree.parse(src, parser=etree.XMLParser(resolve_entities=False, ' +
+                'no_network=True))`. Even better, use the `defusedxml.lxml` wrapper.');
+        }
+        return ('Replace `xml.etree.ElementTree` with `defusedxml.ElementTree`, which ' +
+            'disables DTD / entity processing by default.');
+    }
+}
+//# sourceMappingURL=xml-entity-expansion-pass.js.map