circle-ir 3.54.0 → 3.56.0

package/dist/browser/circle-ir.js

@@ -11177,9 +11177,16 @@ var DEFAULT_SINKS = [
   { method: "println", class: "ServletOutputStream", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   // XSS in error messages (CWE-81)
   { method: "sendError", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
-  // Response header injection (can lead to header XSS)
-  { method: "setHeader", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
-  { method: "addHeader", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
+  // Response header injection — re-categorised from `xss` to `crlf`
+  // (CWE-113) in Sprint 6 of #86. Header injection is HTTP response
+  // splitting / cache-poisoning / cookie forging; reflected XSS via header
+  // reflection remains a downstream concern of body-writing sinks.
+  { method: "setHeader", class: "HttpServletResponse", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1] },
+  { method: "addHeader", class: "HttpServletResponse", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1] },
+  // Note: `sendRedirect` is primarily classified as `ssrf` / open-redirect
+  // (CWE-601) further down — see entry near line 1195. CRLF via Location
+  // header is a secondary concern; keeping the canonical SSRF entry avoids
+  // double-emission that would mask the open-redirect chain.
   { method: "setContentType", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   // JSP output
   { method: "setAttribute", class: "PageContext", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
@@ -12148,7 +12155,33 @@ var DEFAULT_SINKS = [
   { method: "Sprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
   { method: "Printf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
   { method: "Errorf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
-  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] }
+  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] },
+  // CRLF / HTTP response splitting (CWE-113) — Sprint 6, #86.
+  // Node.js / Express response header / cookie sinks. The header *name* (arg 0)
+  // is also CRLF-sensitive but is almost always a string literal; we model
+  // arg 1 (the value) as the primary sink.
+  { method: "setHeader", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["javascript", "typescript"] },
+  { method: "writeHead", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [2], languages: ["javascript", "typescript"] },
+  // Express: res.cookie(name, value, options) — value is CRLF-sensitive.
+  { method: "cookie", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["javascript", "typescript"] },
+  // Express: res.location(url) and res.redirect(url) — Location header.
+  { method: "location", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "redirect", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Go net/http: w.Header().Set(k, v) / Add(k, v) — first arg is the value
+  // (Header is a map; the actual `value` is arg 1 of the call). We flag the
+  // value position so a tainted variable is detected.
+  { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  // Mass-assignment (CWE-915) — Sprint 6, #86.
+  // JS Object.assign(target, ...sources) — sources are arg 1..N, and if any
+  // source is request-tainted, every key gets written onto the target. We
+  // flag the source positions; the analyzer only needs one tainted to fire.
+  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  // Lodash bulk-merge helpers behave identically.
+  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  // jQuery $.extend(target, source) (legacy).
+  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] }
 ];
 var DEFAULT_SANITIZERS = [
   // SQL Injection - proper parameter binding sanitizes input
@@ -13618,12 +13651,17 @@ function canSourceReachSink(sourceType, sinkType) {
     // code_injection added to http_param/http_query/http_header/http_cookie:
     // `eval(req.query.x)`, `Function(req.header('x'))`, `vm.runInThisContext(req.cookies.c)`
     // are all real RCE patterns in JS web apps (cognium-dev #83).
-    http_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "mybatis_mapper_call", "code_injection"],
-    http_body: ["sql_injection", "command_injection", "deserialization", "xxe", "xss", "code_injection", "mybatis_mapper_call"],
-    http_header: ["sql_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection"],
-    http_cookie: ["sql_injection", "xss", "mybatis_mapper_call", "code_injection"],
+    // crlf added to http_param/http_query/http_header/http_cookie/http_body:
+    // setHeader/setCookie/redirect of any user-controlled string is CRLF / response
+    // splitting (CWE-113) — Sprint 6, issue #86.
+    // mass_assignment added to http_body / http_param: Object.assign(user, req.body),
+    // User(**request.form) — CWE-915.
+    http_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "mybatis_mapper_call", "code_injection", "crlf", "mass_assignment"],
+    http_body: ["sql_injection", "command_injection", "deserialization", "xxe", "xss", "code_injection", "mybatis_mapper_call", "crlf", "mass_assignment"],
+    http_header: ["sql_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection", "crlf"],
+    http_cookie: ["sql_injection", "xss", "mybatis_mapper_call", "code_injection", "crlf"],
     http_path: ["path_traversal", "sql_injection", "ssrf", "mybatis_mapper_call"],
-    http_query: ["sql_injection", "command_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection"],
+    http_query: ["sql_injection", "command_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection", "crlf", "mass_assignment"],
     io_input: ["command_injection", "path_traversal", "deserialization", "xxe", "code_injection", "xss"],
     env_input: ["command_injection", "path_traversal"],
     db_input: ["xss", "sql_injection"],
@@ -13632,7 +13670,7 @@ function canSourceReachSink(sourceType, sinkType) {
     network_input: ["sql_injection", "command_injection", "xss", "ssrf"],
     config_param: ["sql_injection", "command_injection", "path_traversal", "xss", "ssrf"],
     // Servlet init params
-    interprocedural_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "code_injection", "mybatis_mapper_call"],
+    interprocedural_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "code_injection", "mybatis_mapper_call", "crlf", "mass_assignment"],
     // Cross-method taint
     plugin_param: ["sql_injection", "command_injection", "path_traversal", "xss", "code_injection"]
     // Plugin/config parameters
@@ -14833,7 +14871,9 @@ var KNOWN_SINK_TYPES = /* @__PURE__ */ new Set([
   "code_injection",
   "mybatis_mapper_call",
   "redos",
-  "format_string"
+  "format_string",
+  "crlf",
+  "mass_assignment"
 ]);
 function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
   const sanitizersAtTarget = sanitizersByLine.get(toLine);
@@ -27445,6 +27485,102 @@ function detectHardcodedKeyJava(call) {
   if (/^"[^"]*"$/.test(expr)) return `literal string`;
   return null;
 }
+function detectHardcodedKeyPython(call, constProp, literalBindings) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg) return null;
+  const expr = (arg.expression ?? arg.literal ?? "").trim();
+  if (!expr) return null;
+  if (/^[bB][rR]?["'][^"']*["']$/.test(expr) || /^[rR][bB]["'][^"']*["']$/.test(expr)) {
+    return `literal bytes ${expr.slice(0, 24)}${expr.length > 24 ? "\u2026" : ""}`;
+  }
+  if (/^["'][^"']*["']$/.test(expr)) {
+    return `literal string ${expr.slice(0, 24)}${expr.length > 24 ? "\u2026" : ""}`;
+  }
+  if (arg.variable && constProp) {
+    const sym = constProp.symbols.get(arg.variable);
+    if (sym && sym.type === "string" && typeof sym.value === "string") {
+      return `constant-propagated bytes from \`${arg.variable}\``;
+    }
+  }
+  if (arg.variable) {
+    const lit = literalBindings.get(arg.variable);
+    if (lit) {
+      return `literal-bound ${arg.variable} = ${lit.slice(0, 24)}${lit.length > 24 ? "\u2026" : ""}`;
+    }
+  }
+  return null;
+}
+function detectHardcodedKeyGo(call, constProp, literalBindings) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg) return null;
+  const expr = (arg.literal ?? arg.expression ?? "").trim();
+  if (!expr) return null;
+  if (/^\[\s*\]\s*byte\s*\(\s*["'`][^"'`]*["'`]\s*\)$/.test(expr)) {
+    return `literal []byte("\u2026")`;
+  }
+  if (/^\[\s*\]\s*byte\s*\{[^}]*\}$/.test(expr)) {
+    return `literal []byte{\u2026} composite`;
+  }
+  if (arg.variable && constProp) {
+    const sym = constProp.symbols.get(arg.variable);
+    if (sym && sym.type === "string" && typeof sym.value === "string") {
+      return `constant-propagated key from \`${arg.variable}\``;
+    }
+  }
+  if (arg.variable) {
+    const lit = literalBindings.get(arg.variable);
+    if (lit) {
+      return `literal-bound ${arg.variable} = ${lit.slice(0, 24)}${lit.length > 24 ? "\u2026" : ""}`;
+    }
+  }
+  return null;
+}
+function parseWeakRsaKeySizePython(call) {
+  for (const arg of call.arguments) {
+    const expr = (arg.expression ?? "").trim();
+    const lit = (arg.literal ?? "").trim();
+    const m = expr.match(/^key_size\s*=\s*(-?\d+)\s*$/);
+    if (m && m[1]) {
+      const n = parseInt(m[1], 10);
+      if (Number.isFinite(n) && n > 0 && n < 2048) return n;
+      return null;
+    }
+    if (/^key_size\s*=/.test(expr) && lit) {
+      const n = parseInt(lit, 10);
+      if (Number.isFinite(n) && n > 0 && n < 2048) return n;
+    }
+  }
+  return null;
+}
+function scanLiteralBindings(code, language) {
+  const out2 = /* @__PURE__ */ new Map();
+  if (!code) return out2;
+  if (language === "python") {
+    const re = /^[ \t]*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(b[rR]?["'][^"']*["']|[rR]?b["'][^"']*["']|["'][^"']*["'])\s*(?:$|#)/gm;
+    let m;
+    while ((m = re.exec(code)) !== null) {
+      if (m[1] && m[2]) out2.set(m[1], m[2]);
+    }
+    return out2;
+  }
+  if (language === "go") {
+    const reByte = /^[ \t]*(?:var\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*(?::=|=)\s*(\[\s*\]\s*byte\s*\(\s*["'`][^"'`]*["'`]\s*\))/gm;
+    let m;
+    while ((m = reByte.exec(code)) !== null) {
+      if (m[1] && m[2]) out2.set(m[1], m[2]);
+    }
+    const reStr = /^[ \t]*(?:var|const)\s+([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(["'`][^"'`]*["'`])/gm;
+    while ((m = reStr.exec(code)) !== null) {
+      if (m[1] && m[2]) out2.set(m[1], m[2]);
+    }
+    const reShort = /^[ \t]*([A-Za-z_][A-Za-z0-9_]*)\s*:=\s*(["'`][^"'`]*["'`])/gm;
+    while ((m = reShort.exec(code)) !== null) {
+      if (m[1] && m[2]) out2.set(m[1], m[2]);
+    }
+    return out2;
+  }
+  return out2;
+}
 var ISSUE_CWE = {
   "weak-cipher": "CWE-327",
   "ecb-mode": "CWE-327",
@@ -27457,11 +27593,13 @@ var WeakCryptoPass = class {
   name = "weak-crypto";
   category = "security";
   run(ctx) {
-    const { graph, language } = ctx;
+    const { graph, language, code } = ctx;
     const file = graph.ir.meta.file;
     const findings = [];
+    const constProp = ctx.hasResult("constant-propagation") ? ctx.getResult("constant-propagation") : null;
+    const literalBindings = scanLiteralBindings(code, language);
     for (const call of graph.ir.calls) {
-      const detections = this.detect(call, language);
+      const detections = this.detect(call, language, constProp, literalBindings);
       for (const det of detections) {
         const line = call.location.line;
         findings.push({ line, language, ...det });
@@ -27514,7 +27652,7 @@ var WeakCryptoPass = class {
         return "Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, 3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption use RSA-OAEP with \u22652048-bit keys or modern curve-based schemes.";
     }
   }
-  detect(call, language) {
+  detect(call, language, constProp, literalBindings) {
     const method = call.method_name;
     const receiver = call.receiver ?? "";
     const out2 = [];
@@ -27572,6 +27710,12 @@ var WeakCryptoPass = class {
             out2.push({ issue: "ecb-mode", detail: "AES.MODE_ECB", api: `${receiver}.new` });
           }
         }
+        if (lastSeg === "aes" || lastSeg.endsWith(".aes") || WEAK_CIPHER_BASES.has(lastSeg)) {
+          const keyDetail = detectHardcodedKeyPython(call, constProp, literalBindings);
+          if (keyDetail) {
+            out2.push({ issue: "hardcoded-key", detail: keyDetail, api: `${receiver}.new` });
+          }
+        }
       }
       const isHazmatAlgos = receiver === "algorithms" || receiver.endsWith(".algorithms");
       if (isHazmatAlgos) {
@@ -27580,6 +27724,25 @@ var WeakCryptoPass = class {
         if (WEAK_CIPHER_BASES.has(normalized)) {
           out2.push({ issue: "weak-cipher", detail: normalized, api: `algorithms.${method}` });
         }
+        if (m === "aes") {
+          const keyDetail = detectHardcodedKeyPython(call, constProp, literalBindings);
+          if (keyDetail) {
+            out2.push({ issue: "hardcoded-key", detail: keyDetail, api: `algorithms.${method}` });
+          }
+        }
+      }
+      if (method === "ECB" && (receiver === "modes" || receiver.endsWith(".modes"))) {
+        out2.push({ issue: "ecb-mode", detail: "modes.ECB()", api: `${receiver}.ECB` });
+      }
+      if (method === "generate_private_key" && (receiver === "rsa" || receiver === "dsa" || receiver.endsWith(".rsa") || receiver.endsWith(".dsa"))) {
+        const n = parseWeakRsaKeySizePython(call);
+        if (n !== null) {
+          out2.push({
+            issue: "weak-rsa-key",
+            detail: String(n),
+            api: `${receiver}.generate_private_key`
+          });
+        }
       }
       return out2;
     }
@@ -27619,6 +27782,24 @@ var WeakCryptoPass = class {
       if ((method === "NewECBEncrypter" || method === "NewECBDecrypter") && receiver === "cipher") {
         out2.push({ issue: "ecb-mode", detail: method, api: `cipher.${method}` });
       }
+      if (receiver === "aes" && method === "NewCipher" || receiver === "des" && (method === "NewCipher" || method === "NewTripleDESCipher") || receiver === "rc4" && method === "NewCipher") {
+        const keyDetail = detectHardcodedKeyGo(call, constProp, literalBindings);
+        if (keyDetail) {
+          out2.push({ issue: "hardcoded-key", detail: keyDetail, api: `${receiver}.${method}` });
+        }
+      }
+      if (receiver === "rsa" && method === "GenerateKey") {
+        const bitsArg = call.arguments.find((a) => a.position === 1);
+        const expr = (bitsArg?.literal ?? bitsArg?.expression ?? "").trim();
+        const n = parseInt(expr, 10);
+        if (Number.isFinite(n) && n > 0 && n < 2048) {
+          out2.push({
+            issue: "weak-rsa-key",
+            detail: String(n),
+            api: "rsa.GenerateKey"
+          });
+        }
+      }
       return out2;
     }
     return out2;
@@ -28087,6 +28268,341 @@ var JwtVerifyDisabledPass = class {
   }
 };
 
+// src/analysis/passes/csrf-protection-disabled-pass.ts
+var JAVA_CSRF_DISABLE_RE = /\.csrf\s*\([^)]*\)\s*\.\s*disable\b/;
+var JAVA_CSRF_LAMBDA_DISABLE_RE = /\bcsrf\s*\(\s*\w+\s*->\s*\w+\s*\.\s*disable\s*\(/;
+var JAVA_CSRF_METHODREF_RE = /\bcsrf\s*\(\s*[\w.]+::disable\s*\)/;
+var JAVA_CSRF_NULL_REPO_RE = /\.csrfTokenRepository\s*\(\s*null\s*\)/;
+var CsrfProtectionDisabledPass = class {
+  name = "csrf-protection-disabled";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detections = this.detectCall(call, language);
+      for (const det of detections) {
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.pattern}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-352",
+          severity: "critical",
+          level: "error",
+          message: `CSRF protection explicitly disabled via \`${det.pattern}\` (${det.api}). Any browser session can be silently used to perform state-changing requests from a malicious origin.`,
+          file,
+          line,
+          fix: this.fixFor(language),
+          evidence: { ...det, language }
+        });
+      }
+    }
+    if (language === "java") {
+      const src = ctx.code ?? "";
+      if (src) {
+        const lines = src.split("\n");
+        for (let i2 = 0; i2 < lines.length; i2++) {
+          const line = i2 + 1;
+          const text = lines[i2] ?? "";
+          let det = null;
+          if (JAVA_CSRF_LAMBDA_DISABLE_RE.test(text)) {
+            det = { pattern: "csrf(c -> c.disable())", api: "HttpSecurity.csrf" };
+          } else if (JAVA_CSRF_METHODREF_RE.test(text)) {
+            det = { pattern: "csrf(::disable)", api: "HttpSecurity.csrf" };
+          } else if (JAVA_CSRF_NULL_REPO_RE.test(text)) {
+            det = { pattern: "csrfTokenRepository(null)", api: "HttpSecurity.csrfTokenRepository" };
+          } else if (JAVA_CSRF_DISABLE_RE.test(text)) {
+            det = { pattern: "csrf().disable()", api: "HttpSecurity.csrf" };
+          }
+          if (det && !findings.some((f) => f.line === line && f.pattern === det.pattern)) {
+            findings.push({ line, language, ...det });
+            ctx.addFinding({
+              id: `${this.name}-${file}-${line}-${det.pattern}`,
+              pass: this.name,
+              category: this.category,
+              rule_id: this.name,
+              cwe: "CWE-352",
+              severity: "critical",
+              level: "error",
+              message: `CSRF protection explicitly disabled via \`${det.pattern}\` (${det.api}). Any browser session can be silently used to perform state-changing requests from a malicious origin.`,
+              file,
+              line,
+              fix: this.fixFor(language),
+              evidence: { ...det, language }
+            });
+          }
+        }
+      }
+    }
+    if (language === "python") {
+      const src = ctx.code ?? "";
+      if (src) {
+        const lines = src.split("\n");
+        for (let i2 = 0; i2 < lines.length; i2++) {
+          const text = lines[i2] ?? "";
+          if (/^\s*@csrf_exempt\b/.test(text)) {
+            const line = i2 + 1;
+            const det = { pattern: "@csrf_exempt", api: "django.views.decorators.csrf" };
+            findings.push({ line, language, ...det });
+            ctx.addFinding({
+              id: `${this.name}-${file}-${line}-${det.pattern}`,
+              pass: this.name,
+              category: this.category,
+              rule_id: this.name,
+              cwe: "CWE-352",
+              severity: "critical",
+              level: "error",
+              message: "Django view is decorated with `@csrf_exempt`, bypassing the framework CSRF middleware for this endpoint. Any browser session can be silently used to invoke this handler from a malicious origin.",
+              file,
+              line,
+              fix: this.fixFor(language),
+              evidence: { ...det, language }
+            });
+          }
+        }
+      }
+    }
+    return { findings };
+  }
+  detectCall(call, language) {
+    const out2 = [];
+    if (language !== "java") return out2;
+    if (call.method_name === "disable") {
+      const recv = call.receiver ?? "";
+      if (/\bcsrf\s*\(\s*\)\s*$/.test(recv) || recv.endsWith(".csrf()")) {
+        out2.push({ pattern: "csrf().disable()", api: "HttpSecurity.csrf" });
+      }
+    }
+    if (call.method_name === "csrfTokenRepository") {
+      const arg = call.arguments.find((a) => a.position === 0);
+      const expr = (arg?.expression ?? arg?.literal ?? "").trim();
+      if (expr === "null") {
+        out2.push({
+          pattern: "csrfTokenRepository(null)",
+          api: "HttpSecurity.csrfTokenRepository"
+        });
+      }
+    }
+    return out2;
+  }
+  fixFor(language) {
+    if (language === "java") {
+      return 'Leave Spring Security CSRF protection enabled. If you need to exempt a specific endpoint (e.g. webhook), use `.csrf(c -> c.ignoringRequestMatchers("/webhook"))` rather than `.disable()`. For stateless APIs, prefer a per-request token over disabling CSRF entirely.';
+    }
+    if (language === "python") {
+      return "Remove `@csrf_exempt`. For stateless API endpoints, use Django REST Framework with a token / session auth backend that does not rely on cookies. For webhook receivers, verify a shared-secret signature instead of disabling CSRF.";
+    }
+    return "Re-enable framework CSRF protection or replace with origin / token validation.";
+  }
+};
+
+// src/analysis/passes/xml-entity-expansion-pass.ts
+var JAVA_FACTORIES = /* @__PURE__ */ new Set([
+  "SAXParserFactory",
+  "DocumentBuilderFactory",
+  "XMLInputFactory",
+  "SchemaFactory",
+  "TransformerFactory"
+]);
+var JAVA_SAFE_EVIDENCE_RE = /(disallow-doctype-decl|external-general-entities|external-parameter-entities|SUPPORT_DTD|ACCESS_EXTERNAL_DTD|ACCESS_EXTERNAL_SCHEMA|setXIncludeAware\s*\(\s*false\s*\)|setExpandEntityReferences\s*\(\s*false\s*\))/;
+var PY_LXML_PARSER_INSECURE_DEFAULT_RE = /\bresolve_entities\s*=\s*False\b/;
+var XmlEntityExpansionPass = class {
+  name = "xml-entity-expansion";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const code = ctx.code ?? "";
+    if (language === "java") {
+      const safeInFile = JAVA_SAFE_EVIDENCE_RE.test(code);
+      if (safeInFile) return { findings };
+      for (const call of graph.ir.calls) {
+        const det = this.detectJavaCall(call);
+        if (!det) continue;
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.api}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: det.cwe,
+          severity: "high",
+          level: "error",
+          message: `${det.api} created without disabling DTD / external-entity processing. Vulnerable to billion-laughs / quadratic blow-up DoS (CWE-776) and external-entity disclosure (CWE-611). Add \`setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)\` (or the equivalent) before parsing.`,
+          file,
+          line,
+          fix: this.fixForJava(det.api),
+          evidence: { ...det, language, safeFeatureInFile: false }
+        });
+      }
+      return { findings };
+    }
+    if (language === "python") {
+      const safeInFile = PY_LXML_PARSER_INSECURE_DEFAULT_RE.test(code) || /\bdefusedxml\b/.test(code);
+      if (safeInFile) return { findings };
+      for (const call of graph.ir.calls) {
+        const det = this.detectPythonCall(call);
+        if (!det) continue;
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.api}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: det.cwe,
+          severity: "high",
+          level: "error",
+          message: `${det.api} called without an entity-safe parser. Vulnerable to billion-laughs / quadratic blow-up DoS (CWE-776) and external-entity disclosure (CWE-611). Use \`defusedxml\` or pass an \`XMLParser(resolve_entities=False)\` to lxml.`,
+          file,
+          line,
+          fix: this.fixForPython(det.api),
+          evidence: { ...det, language, safeFeatureInFile: false }
+        });
+      }
+      return { findings };
+    }
+    return { findings };
+  }
+  detectJavaCall(call) {
+    if (call.method_name !== "newInstance") return null;
+    const recv = call.receiver ?? "";
+    const recvType = call.receiver_type ?? "";
+    for (const factory of JAVA_FACTORIES) {
+      if (recv === factory || recvType === factory || recv.endsWith("." + factory) || recvType.endsWith("." + factory)) {
+        return {
+          pattern: `${factory}.newInstance()`,
+          api: factory,
+          cwe: "CWE-776"
+        };
+      }
+    }
+    return null;
+  }
+  detectPythonCall(call) {
+    const recv = call.receiver ?? "";
+    const method = call.method_name;
+    if ((method === "parse" || method === "fromstring" || method === "XML") && (recv === "etree" || recv.endsWith(".etree"))) {
+      return {
+        pattern: `etree.${method}`,
+        api: `lxml.etree.${method}`,
+        cwe: "CWE-776"
+      };
+    }
+    if ((method === "parse" || method === "fromstring") && (recv === "ET" || recv === "ElementTree" || recv.endsWith(".ElementTree"))) {
+      return {
+        pattern: `ElementTree.${method}`,
+        api: `xml.etree.ElementTree.${method}`,
+        cwe: "CWE-776"
+      };
+    }
+    return null;
+  }
+  fixForJava(api) {
+    if (api === "SAXParserFactory") {
+      return 'Call `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` and `factory.setXIncludeAware(false)` before `newSAXParser()`.';
+    }
+    if (api === "DocumentBuilderFactory") {
+      return 'Call `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` and `factory.setExpandEntityReferences(false)` before `newDocumentBuilder()`.';
+    }
+    if (api === "XMLInputFactory") {
+      return "Call `factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)` and `factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)` before `createXMLStreamReader`.";
+    }
+    return "Use `XMLConstants.FEATURE_SECURE_PROCESSING` and explicitly disable DTD / external-entity loading on the factory before parsing.";
+  }
+  fixForPython(api) {
+    if (api.startsWith("lxml.etree")) {
+      return "Pass an explicit parser: `etree.parse(src, parser=etree.XMLParser(resolve_entities=False, no_network=True))`. Even better, use the `defusedxml.lxml` wrapper.";
+    }
+    return "Replace `xml.etree.ElementTree` with `defusedxml.ElementTree`, which disables DTD / entity processing by default.";
+  }
+};
+
+// src/analysis/passes/mass-assignment-pass.ts
+var PY_KWARGS_SPLAT_RE = /\*\*\s*(?:request|self\.request|flask\.request|ctx|self)\s*\.\s*(?:form|args|values|json|get_json\s*\(\s*\)|files|data)/;
+var JS_OBJECT_SPREAD_RE = /\{\s*\.\.\.\s*(?:req|request|ctx|context)(?:\.request)?\s*\.\s*(?:body|query|params|form)\b/;
+var MassAssignmentPass = class {
+  name = "mass-assignment";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const code = ctx.code ?? "";
+    if (!code) return { findings };
+    const lines = code.split("\n");
+    if (language === "python") {
+      for (let i2 = 0; i2 < lines.length; i2++) {
+        const text = lines[i2] ?? "";
+        const m = PY_KWARGS_SPLAT_RE.exec(text);
+        if (!m) continue;
+        const line = i2 + 1;
+        const det = {
+          pattern: "**request.<bag>",
+          match: m[0]
+        };
+        findings.push({
+          line,
+          language,
+          pattern: det.pattern,
+          snippet: text.trim().slice(0, 200)
+        });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-915",
+          severity: "high",
+          level: "error",
+          message: `HTTP request bag splatted into constructor / ORM helper via \`${det.match}\`. Every form field becomes a settable attribute on the domain object, including ones the endpoint did not intend to expose (e.g. \`is_admin\`, \`role\`, \`owner_id\`).`,
+          file,
+          line,
+          fix: "Replace the `**` splat with an explicit allow-list: `Model(name=request.form['name'], email=request.form['email'])`. For Django, use a `ModelForm` / serializer with `fields = [...]`.",
+          evidence: { pattern: det.pattern, match: det.match, language }
+        });
+      }
+      return { findings };
+    }
+    if (language === "javascript" || language === "typescript") {
+      for (let i2 = 0; i2 < lines.length; i2++) {
+        const text = lines[i2] ?? "";
+        const m = JS_OBJECT_SPREAD_RE.exec(text);
+        if (!m) continue;
+        const line = i2 + 1;
+        findings.push({
+          line,
+          language,
+          pattern: "{...req.<bag>}",
+          snippet: text.trim().slice(0, 200)
+        });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-915",
+          severity: "high",
+          level: "error",
+          message: `HTTP request bag spread into object literal via \`${m[0]}\`. Every body field becomes a settable property on the resulting object, including ones the endpoint did not intend to expose (e.g. \`isAdmin\`, \`role\`, \`ownerId\`).`,
+          file,
+          line,
+          fix: "Replace the spread with an explicit pick: `const { name, email } = req.body; const user = { name, email };`. For ORMs, use a DTO / Zod schema with `.pick(...)` or allow-list serializers.",
+          evidence: { pattern: "{...req.<bag>}", match: m[0], language }
+        });
+      }
+      return { findings };
+    }
+    return { findings };
+  }
+};
+
 // src/analysis/metrics/passes/size-metrics-pass.ts
 var SizeMetricsPass = class {
   name = "size-metrics";
@@ -28989,6 +29505,9 @@ async function analyze(code, filePath, language, options = {}) {
     if (!disabledPasses.has("weak-random")) pipeline.add(new WeakRandomPass());
     if (!disabledPasses.has("tls-verify-disabled")) pipeline.add(new TlsVerifyDisabledPass());
     if (!disabledPasses.has("jwt-verify-disabled")) pipeline.add(new JwtVerifyDisabledPass());
+    if (!disabledPasses.has("csrf-protection-disabled")) pipeline.add(new CsrfProtectionDisabledPass());
+    if (!disabledPasses.has("xml-entity-expansion")) pipeline.add(new XmlEntityExpansionPass());
+    if (!disabledPasses.has("mass-assignment")) pipeline.add(new MassAssignmentPass());
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");