circle-ir 3.56.0 → 3.58.0

package/configs/sinks/golang.json

@@ -157,6 +157,67 @@
       "class": "template",
       "removes": ["xss"],
       "note": "template.HTMLEscapeString escapes HTML"
+    },
+    {
+      "method": "Atoi",
+      "class": "strconv",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"],
+      "note": "Numeric cast — output cannot carry string injection"
+    },
+    {
+      "method": "ParseInt",
+      "class": "strconv",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
+    },
+    {
+      "method": "ParseFloat",
+      "class": "strconv",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
+    },
+    {
+      "method": "ParseUint",
+      "class": "strconv",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
+    },
+    {
+      "method": "ParseBool",
+      "class": "strconv",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
+    },
+    {
+      "method": "Parse",
+      "class": "uuid",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"],
+      "note": "uuid.Parse() — throws on non-UUID input"
+    },
+    {
+      "method": "MustParse",
+      "class": "uuid",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
+    },
+    {
+      "method": "Base",
+      "class": "filepath",
+      "removes": ["path_traversal"],
+      "note": "filepath.Base returns final element only — strips traversal segments"
+    },
+    {
+      "method": "EvalSymlinks",
+      "class": "filepath",
+      "removes": ["path_traversal"],
+      "note": "filepath.EvalSymlinks resolves symlinks to absolute path"
+    },
+    {
+      "method": "Clean",
+      "class": "path",
+      "removes": ["path_traversal"],
+      "note": "path.Clean (slash-only) normalizes ../ segments"
+    },
+    {
+      "method": "Base",
+      "class": "path",
+      "removes": ["path_traversal"],
+      "note": "path.Base returns final slash-element only"
     }
   ]
 }

package/configs/sinks/nodejs.json

@@ -625,18 +625,23 @@
     },
     {
       "method": "parseInt",
-      "removes": ["sql_injection", "command_injection"],
-      "note": "Converts to integer - safe for numeric values"
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"],
+      "note": "Numeric cast — output cannot carry string injection"
     },
     {
       "method": "parseFloat",
-      "removes": ["sql_injection", "command_injection"],
-      "note": "Converts to float - safe for numeric values"
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"],
+      "note": "Numeric cast — output cannot carry string injection"
     },
     {
       "method": "Number",
-      "removes": ["sql_injection", "command_injection"],
-      "note": "Number constructor - safe for numeric values"
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"],
+      "note": "Number() constructor — output cannot carry string injection"
+    },
+    {
+      "method": "BigInt",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"],
+      "note": "BigInt() constructor — output cannot carry string injection"
     },
     {
       "method": "encodeURIComponent",

package/configs/sinks/python.json

@@ -505,6 +505,30 @@
       "class": "werkzeug.utils",
       "sanitizes": ["path_traversal"],
       "note": "werkzeug secure_filename() - filename sanitization"
+    },
+    {
+      "method": "int",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"],
+      "note": "Python numeric cast — output cannot carry string injection"
+    },
+    {
+      "method": "float",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
+    },
+    {
+      "method": "bool",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
+    },
+    {
+      "method": "UUID",
+      "class": "uuid",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"],
+      "note": "uuid.UUID() throws on non-UUID input — output is a typed UUID"
+    },
+    {
+      "method": "Decimal",
+      "class": "decimal",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
     }
   ]
 }

package/configs/sinks/rust.json

@@ -474,6 +474,18 @@
       "removes": ["xss"],
       "note": "html_escape::encode_quoted_attribute()"
     },
+    {
+      "method": "encode_safe",
+      "class": "html_escape",
+      "removes": ["xss"],
+      "note": "html_escape::encode_safe() — broad-safe HTML entity encoding"
+    },
+    {
+      "method": "encode_double_quoted_attribute",
+      "class": "html_escape",
+      "removes": ["xss"],
+      "note": "html_escape::encode_double_quoted_attribute()"
+    },
     {
       "method": "clean",
       "class": "ammonia",
@@ -485,6 +497,24 @@
       "class": "Builder",
       "removes": ["xss"],
       "note": "ammonia::Builder::clean() HTML sanitizer"
+    },
+    {
+      "method": "file_name",
+      "class": "Path",
+      "removes": ["path_traversal"],
+      "note": "Path::file_name() returns final component only — strips traversal segments"
+    },
+    {
+      "method": "canonicalize",
+      "class": "Path",
+      "removes": ["path_traversal"],
+      "note": "Path::canonicalize() resolves symlinks and `..` to absolute path"
+    },
+    {
+      "method": "components",
+      "class": "Path",
+      "removes": ["path_traversal"],
+      "note": "Path::components() — iterator gives normalized components, used for prefix checks"
     }
   ]
 }

package/configs/sinks/sql.yaml

@@ -262,6 +262,59 @@
       "removes": [
         "sql_injection"
       ]
+    },
+    {
+      "method": "parseInt",
+      "class": "Integer",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"],
+      "note": "Java numeric cast — output cannot carry string injection"
+    },
+    {
+      "method": "parseLong",
+      "class": "Long",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
+    },
+    {
+      "method": "parseDouble",
+      "class": "Double",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
+    },
+    {
+      "method": "parseFloat",
+      "class": "Float",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
+    },
+    {
+      "method": "parseShort",
+      "class": "Short",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
+    },
+    {
+      "method": "parseByte",
+      "class": "Byte",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
+    },
+    {
+      "method": "valueOf",
+      "class": "Integer",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
+    },
+    {
+      "method": "valueOf",
+      "class": "Long",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"]
+    },
+    {
+      "method": "fromString",
+      "class": "UUID",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"],
+      "note": "UUID.fromString throws on non-UUID input — output is a typed UUID"
+    },
+    {
+      "method": "valueOf",
+      "class": "Enum",
+      "removes": ["sql_injection", "command_injection", "path_traversal", "code_injection"],
+      "note": "Enum.valueOf throws on unknown name — output is a typed enum"
     }
   ]
 }

package/dist/analysis/config-loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAob1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAs2CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAoMhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
+{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAub1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA22CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAiPhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}

package/dist/analysis/config-loader.js

@@ -418,11 +418,14 @@ export const DEFAULT_SOURCES = [
     // Rocket
     { method: 'param', class: 'Request', type: 'http_param', severity: 'high', return_tainted: true },
     { method: 'cookies', class: 'Request', type: 'http_cookie', severity: 'high', return_tainted: true },
-    // Axum extractors
-    { method: 'Json', type: 'http_body', severity: 'high', return_tainted: true },
-    { method: 'Query', type: 'http_param', severity: 'high', return_tainted: true },
-    { method: 'Path', type: 'http_path', severity: 'high', return_tainted: true },
-    { method: 'Form', type: 'http_param', severity: 'high', return_tainted: true },
+    // Axum extractors — Rust-only. The simple names `Json`/`Query`/`Path`/`Form`
+    // collide with stdlib types in other ecosystems (notably Python's
+    // `pathlib.Path` constructor and `flask.Form`), so they MUST be
+    // language-scoped to Rust to avoid spurious source matches.
+    { method: 'Json', type: 'http_body', severity: 'high', return_tainted: true, languages: ['rust'] },
+    { method: 'Query', type: 'http_param', severity: 'high', return_tainted: true, languages: ['rust'] },
+    { method: 'Path', type: 'http_path', severity: 'high', return_tainted: true, languages: ['rust'] },
+    { method: 'Form', type: 'http_param', severity: 'high', return_tainted: true, languages: ['rust'] },
     // Rust std library
     { method: 'var', class: 'env', type: 'env_input', severity: 'medium', return_tainted: true },
     { method: 'var_os', class: 'env', type: 'env_input', severity: 'medium', return_tainted: true },
@@ -625,10 +628,15 @@ export const DEFAULT_SINKS = [
     { method: 'PathResource', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
     // Additional resource/file patterns
     { method: 'forFile', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
-    { method: 'resolve', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
-    { method: 'resolve', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
-    { method: 'resolveSibling', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
-    { method: 'relativize', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0] },
+    // Java NIO `Path.resolve(other)` — joining with an untrusted `other` can
+    // escape the parent directory. Language-scoped to Java because the simple
+    // name `resolve` collides with Python `pathlib.Path.resolve()`
+    // (a canonicalization SANITIZER, no argument), JS `Promise.resolve(...)`,
+    // and Rust `Path::canonicalize` variants. Sprint 9 #48.2.
+    { method: 'resolve', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0], languages: ['java'] },
+    { method: 'resolve', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0], languages: ['java'] },
+    { method: 'resolveSibling', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0], languages: ['java'] },
+    { method: 'relativize', class: 'Path', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0], languages: ['java'] },
     // Static file configuration
     { method: 'staticFiles', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
     { method: 'setRoot', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
@@ -1775,6 +1783,16 @@ export const DEFAULT_SANITIZERS = [
     // Rust path sanitizers
     { method: 'file_name', removes: ['path_traversal'] }, // Returns just filename, strips path
     { method: 'canonicalize', removes: ['path_traversal'] }, // Resolves symlinks and normalizes
+    // Go path sanitizers (#51) — filepath.Base strips directory components
+    // (fully sanitizes), filepath.Clean / path.Clean normalize away ../ segments
+    // (defense-in-depth — mirrors Java getCanonicalPath in this table; the
+    // stricter Clean+HasPrefix guard recognition is tracked separately).
+    // EvalSymlinks is the Go equivalent of Java's Path.toRealPath.
+    { method: 'Base', class: 'filepath', removes: ['path_traversal'] },
+    { method: 'Base', class: 'path', removes: ['path_traversal'] },
+    { method: 'Clean', class: 'filepath', removes: ['path_traversal'] },
+    { method: 'Clean', class: 'path', removes: ['path_traversal'] },
+    { method: 'EvalSymlinks', class: 'filepath', removes: ['path_traversal'] },
     // Log Injection sanitizers
     { method: 'replace', removes: ['log_injection'] }, // Used to remove newlines/control chars
     // LDAP Injection
@@ -1868,6 +1886,8 @@ export const DEFAULT_SANITIZERS = [
     { method: 'abspath', class: 'os.path', removes: ['path_traversal'] },
     { method: 'realpath', class: 'path', removes: ['path_traversal'] },
     { method: 'abspath', class: 'path', removes: ['path_traversal'] },
+    // pathlib.Path.resolve() — canonicalizes path, resolves symlinks (Python 3)
+    { method: 'resolve', class: 'Path', removes: ['path_traversal'] },
     // Python Type coercion
     { method: 'int', removes: ['sql_injection', 'command_injection', 'xss'] },
     { method: 'float', removes: ['sql_injection', 'command_injection'] },
@@ -1898,6 +1918,34 @@ export const DEFAULT_SANITIZERS = [
     { method: 'escape_html', removes: ['xss'] },
     // Rust Type coercion (parsing)
     { method: 'parse', removes: ['sql_injection', 'command_injection', 'xss'] }, // str.parse::<i32>()
+    // =========================================================================
+    // Type-cast taint barriers (#57)
+    // Numeric/UUID casts cannot carry a string-injection payload.
+    // =========================================================================
+    // Java numeric parse — Integer.parseInt, Long.parseLong, etc.
+    { method: 'parseInt', class: 'Integer', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    { method: 'parseLong', class: 'Long', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    { method: 'parseFloat', class: 'Float', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    { method: 'parseDouble', class: 'Double', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    { method: 'parseShort', class: 'Short', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    { method: 'parseByte', class: 'Byte', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    // Java UUID parse — UUID.fromString rejects non-UUID strings
+    { method: 'fromString', class: 'UUID', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    // JavaScript numeric coercion (Number/parseInt/parseFloat already covered above; add path_traversal/code_injection)
+    { method: 'BigInt', removes: ['sql_injection', 'nosql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    // Go numeric parse — strconv.Atoi, ParseInt, ParseFloat, ParseUint, ParseBool
+    { method: 'Atoi', class: 'strconv', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    { method: 'ParseInt', class: 'strconv', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    { method: 'ParseFloat', class: 'strconv', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    { method: 'ParseUint', class: 'strconv', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    { method: 'ParseBool', class: 'strconv', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    // Go UUID parse
+    { method: 'Parse', class: 'uuid', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    { method: 'MustParse', class: 'uuid', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    // Python — int/float already covered above; add bool + UUID/Decimal casts
+    { method: 'bool', removes: ['sql_injection', 'command_injection', 'xss', 'code_injection'] },
+    { method: 'UUID', class: 'uuid', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
+    { method: 'Decimal', class: 'decimal', removes: ['sql_injection', 'command_injection', 'path_traversal', 'code_injection'] },
 ];
 /**
  * Get the default taint configuration.