circle-ir 3.57.0 → 3.58.0

package/dist/browser/circle-ir.js

@@ -10863,11 +10863,14 @@ var DEFAULT_SOURCES = [
   // Rocket
   { method: "param", class: "Request", type: "http_param", severity: "high", return_tainted: true },
   { method: "cookies", class: "Request", type: "http_cookie", severity: "high", return_tainted: true },
-  // Axum extractors
-  { method: "Json", type: "http_body", severity: "high", return_tainted: true },
-  { method: "Query", type: "http_param", severity: "high", return_tainted: true },
-  { method: "Path", type: "http_path", severity: "high", return_tainted: true },
-  { method: "Form", type: "http_param", severity: "high", return_tainted: true },
+  // Axum extractors — Rust-only. The simple names `Json`/`Query`/`Path`/`Form`
+  // collide with stdlib types in other ecosystems (notably Python's
+  // `pathlib.Path` constructor and `flask.Form`), so they MUST be
+  // language-scoped to Rust to avoid spurious source matches.
+  { method: "Json", type: "http_body", severity: "high", return_tainted: true, languages: ["rust"] },
+  { method: "Query", type: "http_param", severity: "high", return_tainted: true, languages: ["rust"] },
+  { method: "Path", type: "http_path", severity: "high", return_tainted: true, languages: ["rust"] },
+  { method: "Form", type: "http_param", severity: "high", return_tainted: true, languages: ["rust"] },
   // Rust std library
   { method: "var", class: "env", type: "env_input", severity: "medium", return_tainted: true },
   { method: "var_os", class: "env", type: "env_input", severity: "medium", return_tainted: true },
@@ -11070,10 +11073,15 @@ var DEFAULT_SINKS = [
   { method: "PathResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // Additional resource/file patterns
   { method: "forFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "resolve", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "resolve", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "resolveSibling", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "relativize", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0] },
+  // Java NIO `Path.resolve(other)` — joining with an untrusted `other` can
+  // escape the parent directory. Language-scoped to Java because the simple
+  // name `resolve` collides with Python `pathlib.Path.resolve()`
+  // (a canonicalization SANITIZER, no argument), JS `Promise.resolve(...)`,
+  // and Rust `Path::canonicalize` variants. Sprint 9 #48.2.
+  { method: "resolve", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "resolve", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "resolveSibling", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "relativize", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0], languages: ["java"] },
   // Static file configuration
   { method: "staticFiles", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "setRoot", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -12230,6 +12238,16 @@ var DEFAULT_SANITIZERS = [
   // Returns just filename, strips path
   { method: "canonicalize", removes: ["path_traversal"] },
   // Resolves symlinks and normalizes
+  // Go path sanitizers (#51) — filepath.Base strips directory components
+  // (fully sanitizes), filepath.Clean / path.Clean normalize away ../ segments
+  // (defense-in-depth — mirrors Java getCanonicalPath in this table; the
+  // stricter Clean+HasPrefix guard recognition is tracked separately).
+  // EvalSymlinks is the Go equivalent of Java's Path.toRealPath.
+  { method: "Base", class: "filepath", removes: ["path_traversal"] },
+  { method: "Base", class: "path", removes: ["path_traversal"] },
+  { method: "Clean", class: "filepath", removes: ["path_traversal"] },
+  { method: "Clean", class: "path", removes: ["path_traversal"] },
+  { method: "EvalSymlinks", class: "filepath", removes: ["path_traversal"] },
   // Log Injection sanitizers
   { method: "replace", removes: ["log_injection"] },
   // Used to remove newlines/control chars
@@ -12324,6 +12342,8 @@ var DEFAULT_SANITIZERS = [
   { method: "abspath", class: "os.path", removes: ["path_traversal"] },
   { method: "realpath", class: "path", removes: ["path_traversal"] },
   { method: "abspath", class: "path", removes: ["path_traversal"] },
+  // pathlib.Path.resolve() — canonicalizes path, resolves symlinks (Python 3)
+  { method: "resolve", class: "Path", removes: ["path_traversal"] },
   // Python Type coercion
   { method: "int", removes: ["sql_injection", "command_injection", "xss"] },
   { method: "float", removes: ["sql_injection", "command_injection"] },
@@ -12356,8 +12376,36 @@ var DEFAULT_SANITIZERS = [
   { method: "encode_attribute", class: "html_escape", removes: ["xss"] },
   { method: "escape_html", removes: ["xss"] },
   // Rust Type coercion (parsing)
-  { method: "parse", removes: ["sql_injection", "command_injection", "xss"] }
+  { method: "parse", removes: ["sql_injection", "command_injection", "xss"] },
   // str.parse::<i32>()
+  // =========================================================================
+  // Type-cast taint barriers (#57)
+  // Numeric/UUID casts cannot carry a string-injection payload.
+  // =========================================================================
+  // Java numeric parse — Integer.parseInt, Long.parseLong, etc.
+  { method: "parseInt", class: "Integer", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseLong", class: "Long", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseFloat", class: "Float", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseDouble", class: "Double", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseShort", class: "Short", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseByte", class: "Byte", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  // Java UUID parse — UUID.fromString rejects non-UUID strings
+  { method: "fromString", class: "UUID", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  // JavaScript numeric coercion (Number/parseInt/parseFloat already covered above; add path_traversal/code_injection)
+  { method: "BigInt", removes: ["sql_injection", "nosql_injection", "command_injection", "path_traversal", "code_injection"] },
+  // Go numeric parse — strconv.Atoi, ParseInt, ParseFloat, ParseUint, ParseBool
+  { method: "Atoi", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "ParseInt", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "ParseFloat", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "ParseUint", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "ParseBool", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  // Go UUID parse
+  { method: "Parse", class: "uuid", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "MustParse", class: "uuid", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  // Python — int/float already covered above; add bool + UUID/Decimal casts
+  { method: "bool", removes: ["sql_injection", "command_injection", "xss", "code_injection"] },
+  { method: "UUID", class: "uuid", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "Decimal", class: "decimal", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] }
 ];
 function getDefaultConfig() {
   return {
@@ -12474,7 +12522,7 @@ function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy,
   const sourceLines = code !== void 0 ? code.split("\n") : void 0;
   const sources = findSources(calls, types, config.sources, sourceLines, language);
   const sinks = findSinks(calls, config.sinks, typeHierarchy, language, sourceLines);
-  const sanitizers = findSanitizers(calls, types, config.sanitizers);
+  const sanitizers = findSanitizers(calls, types, config.sanitizers, sourceLines);
   return { sources, sinks, sanitizers };
 }
 function attachSourceLineCode(sources, sinks, code) {
@@ -12494,6 +12542,9 @@ function findSources(calls, types, patterns, sourceLines, language) {
   const sources = [];
   for (const call of calls) {
     for (const pattern of patterns) {
+      if (pattern.languages && pattern.languages.length > 0 && language !== void 0 && !pattern.languages.includes(language)) {
+        continue;
+      }
       if (matchesSourcePattern(call, pattern)) {
         sources.push({
           type: pattern.type,
@@ -13130,6 +13181,15 @@ function receiverMightBeClass(receiver, className) {
   if (receiver === className) {
     return true;
   }
+  if (receiver.endsWith(")")) {
+    const ctorMatch = receiver.match(/^(\w+)\(/);
+    if (ctorMatch) {
+      const ctorName = ctorMatch[1];
+      if (ctorName === className || ctorName.toLowerCase() === className.toLowerCase()) {
+        return true;
+      }
+    }
+  }
   if (receiver.includes("::")) {
     const scopePrefix = receiver.match(/^(\w+)::/);
     if (scopePrefix) {
@@ -13397,7 +13457,7 @@ function calculateSinkConfidence(call, pattern) {
   }
   return Math.min(confidence, 1);
 }
-function findSanitizers(calls, types, patterns) {
+function findSanitizers(calls, types, patterns, sourceLines) {
   const sanitizers = [];
   const sanitizerMethods = /* @__PURE__ */ new Set();
   for (const type of types) {
@@ -13407,6 +13467,66 @@ function findSanitizers(calls, types, patterns) {
       }
     }
   }
+  const wrapperSanitizers = /* @__PURE__ */ new Map();
+  for (const type of types) {
+    for (const method of type.methods) {
+      const bodySize = method.end_line - method.start_line;
+      if (bodySize < 0 || bodySize > 2) continue;
+      const paramNames = new Set(method.parameters.map((p) => p.name));
+      if (paramNames.size === 0) continue;
+      const inside = [];
+      for (const c of calls) {
+        if (c.location.line < method.start_line || c.location.line > method.end_line) continue;
+        if (c.method_name === method.name) continue;
+        inside.push(c);
+      }
+      if (inside.length !== 1) continue;
+      const innerCall = inside[0];
+      let matched;
+      for (const pattern of patterns) {
+        if (matchesSanitizerPattern(innerCall, pattern)) {
+          matched = pattern;
+          break;
+        }
+      }
+      if (!matched || !matched.removes || matched.removes.length === 0) continue;
+      let argOk = false;
+      for (const arg of innerCall.arguments) {
+        if (arg.variable && paramNames.has(arg.variable)) {
+          argOk = true;
+          break;
+        }
+      }
+      if (!argOk) continue;
+      if (sourceLines) {
+        const lineText = sourceLines[innerCall.location.line - 1] ?? "";
+        const stripped = lineText.trim();
+        const returnMatch = stripped.match(/^return\s+(?:await\s+)?(.*)$/);
+        if (!returnMatch) continue;
+        const after = returnMatch[1].replace(/;\s*$/, "").trimEnd();
+        const callPrefix = innerCall.receiver ? `${innerCall.receiver}.${innerCall.method_name}(` : `${innerCall.method_name}(`;
+        if (!after.startsWith(callPrefix)) continue;
+        if (!after.endsWith(")")) continue;
+      }
+      const existing = wrapperSanitizers.get(method.name);
+      if (existing) {
+        const set = /* @__PURE__ */ new Set([...existing, ...matched.removes]);
+        wrapperSanitizers.set(method.name, Array.from(set));
+      } else {
+        wrapperSanitizers.set(method.name, [...matched.removes]);
+      }
+    }
+  }
+  for (const call of calls) {
+    const removes = wrapperSanitizers.get(call.method_name);
+    if (!removes) continue;
+    sanitizers.push({
+      type: "derived_wrapper",
+      method: formatSanitizerMethod(call),
+      line: call.location.line,
+      sanitizes: removes
+    });
+  }
   for (const call of calls) {
     if (sanitizerMethods.has(call.method_name)) {
       sanitizers.push({
@@ -14676,6 +14796,15 @@ var AnalysisPipeline = class {
 };
 
 // src/analysis/taint-propagation.ts
+function buildSanitizersByLine(sanitizers) {
+  const out2 = /* @__PURE__ */ new Map();
+  for (const san of sanitizers) {
+    const existing = out2.get(san.line);
+    if (existing) existing.push(san);
+    else out2.set(san.line, [san]);
+  }
+  return out2;
+}
 function propagateTaint(graphOrDfg, callsOrSources, sourcesOrSinks, sinksOrSanitizers, sanitizersArg) {
   let graph;
   let sources;
@@ -14711,7 +14840,7 @@ function propagateTaint(graphOrDfg, callsOrSources, sourcesOrSinks, sinksOrSanit
   const defsByLine = graph.defsByLine;
   const usesByLine = graph.usesByLine;
   const callsByLine = graph.callsByLine;
-  const sanitizersByLine = graph.sanitizersByLine;
+  const sanitizersByLine = sanitizers.length > 0 ? buildSanitizersByLine(sanitizers) : graph.sanitizersByLine;
   const defById = graph.defById;
   const rawInitialTaint = findInitialTaint(sources, callsByLine, defsByLine);
   const initialTaint = rawInitialTaint.filter((tv) => {
@@ -15826,7 +15955,32 @@ var SANITIZER_METHODS = /* @__PURE__ */ new Set([
   "validatePath",
   "validateCityName",
   "validateInput",
-  "sanitizeInput"
+  "sanitizeInput",
+  // Type-cast barriers (#57) — numeric/boolean casts cannot carry a string
+  // injection payload. Conservative whitelist; ambiguous names like `valueOf`,
+  // `Parse`, `fromString` are intentionally excluded.
+  // Java
+  "parseInt",
+  "parseLong",
+  "parseFloat",
+  "parseDouble",
+  "parseShort",
+  "parseByte",
+  "fromString",
+  // UUID.fromString — parses strict UUID format, rejects injection
+  // JS/TS (parseInt/parseFloat covered above)
+  "Number",
+  "BigInt",
+  // Go
+  "Atoi",
+  "ParseInt",
+  "ParseFloat",
+  "ParseUint",
+  "ParseBool",
+  // Python
+  "int",
+  "float",
+  "bool"
 ]);
 var ANTI_SANITIZER_METHODS = /* @__PURE__ */ new Set([
   // URL decoding (reverses URL encoding)
@@ -15956,6 +16110,10 @@ var ConstantPropagator = class _ConstantPropagator {
   inConstructor = false;
   // Map constructor parameter names to their positions (0-indexed)
   constructorParamPositions = /* @__PURE__ */ new Map();
+  // Sprint 9 #58.1 — names of `static final Pattern` fields whose compiled
+  // regex is strict-anchored (provably matches a bounded character set).
+  // Populated lazily on first access via `getSafePatternFields()`.
+  safePatternFieldsCache = null;
   /**
    * Analyze source code and build constant propagation state.
    */
@@ -15989,6 +16147,7 @@ var ConstantPropagator = class _ConstantPropagator {
     this.currentClassName = null;
     this.inConstructor = false;
     this.constructorParamPositions.clear();
+    this.safePatternFieldsCache = null;
     this.collectClassFields(tree.rootNode);
     for (const methodName of sanitizerMethods) {
       this.methodReturnsSanitized.add(methodName);
@@ -15998,6 +16157,7 @@ var ConstantPropagator = class _ConstantPropagator {
       (name2) => this.lookupSymbol(name2)
     );
     this.analyzeMethodReturns(tree.rootNode);
+    this.seedPythonModuleConstants(tree.rootNode);
     this.visit(tree.rootNode);
     this.refineTaintFromConstants();
     const resultTainted = new Set(this.tainted);
@@ -16358,6 +16518,162 @@ var ConstantPropagator = class _ConstantPropagator {
       }
     }
   }
+  /**
+   * Sprint 9 #55 — seed the symbol table with Python module-level constant
+   * assignments. Walks only direct children of the `module` root and adds
+   * `IDENT = <primitive literal>` to `symbols` so `if IDENT:` guards inside
+   * downstream functions can be folded to dead code.
+   *
+   * Recognized literal RHS kinds: `true`/`false` (booleans), integer/float
+   * literals, string literals. The ExpressionEvaluator already understands
+   * each via the same lookup callback; we just need the symbol present.
+   */
+  /**
+   * Sprint 9 #55 — gate `field_declaration` folding to primitive literals.
+   *
+   * The deep-nesting regression (cognium-ai#88) constructs a Java
+   * `static final String hyphenData = "a" + "b" + ... (10k segments)` at the
+   * class level. `handleVariableDeclaration` would otherwise dispatch
+   * `evaluateExpression` on the deeply nested binary AST and blow the V8
+   * stack. The dead-code-by-const-guard pattern (`if (DEBUG)`) only requires
+   * `boolean`/`integer`/`string` (single-literal) RHS folding, so restrict
+   * to those node types.
+   */
+  fieldDeclHasPrimitiveLiteralValue(node) {
+    const primitive = /* @__PURE__ */ new Set([
+      // Java literal node types
+      "true",
+      "false",
+      "null_literal",
+      "decimal_integer_literal",
+      "hex_integer_literal",
+      "octal_integer_literal",
+      "binary_integer_literal",
+      "decimal_floating_point_literal",
+      "hex_floating_point_literal",
+      "character_literal",
+      "string_literal",
+      // JS/TS literal node types (defensive, in case other langs reuse it)
+      "number",
+      "string"
+    ]);
+    for (const child of node.children) {
+      if (child.type !== "variable_declarator") continue;
+      const value = child.childForFieldName("value");
+      if (!value) continue;
+      if (!primitive.has(value.type)) return false;
+    }
+    return true;
+  }
+  /**
+   * Sprint 9 #58.1 — collect the set of class-level `Pattern` field names
+   * whose compiled regex is strict-anchored, i.e. provably matches a
+   * bounded character set with no wildcard escape. A subsequent
+   * `if (!FIELD.matcher(var).matches()) throw ...;` guard then proves
+   * `var` is sanitized after the if.
+   *
+   * Recognized initializer shapes (scanned via source-text regex to avoid
+   * threading another AST walk):
+   *   `static final Pattern FIELD = Pattern.compile("regex");`
+   *
+   * Strict-anchored regex criteria:
+   *   - starts with `^` and ends with `$`
+   *   - after stripping `[...]` character classes, must not contain `.` or
+   *     `|` (a `.` could match anything; `|` admits an arbitrary alternative)
+   */
+  getSafePatternFields() {
+    if (this.safePatternFieldsCache !== null) return this.safePatternFieldsCache;
+    const set = /* @__PURE__ */ new Set();
+    const re = /\b(?:public\s+|private\s+|protected\s+)?(?:static\s+final|final\s+static)\s+(?:java\.util\.regex\.)?Pattern\s+(\w+)\s*=\s*(?:java\.util\.regex\.)?Pattern\s*\.\s*compile\s*\(\s*"((?:[^"\\]|\\.)*)"/g;
+    let m;
+    while ((m = re.exec(this.source)) !== null) {
+      const name2 = m[1];
+      const regex = m[2];
+      if (this.isStrictAnchoredRegex(regex)) set.add(name2);
+    }
+    this.safePatternFieldsCache = set;
+    return set;
+  }
+  isStrictAnchoredRegex(re) {
+    if (!re.startsWith("^") || !re.endsWith("$")) return false;
+    const stripped = re.replace(/\[(?:[^\]\\]|\\.)*\]/g, "");
+    const cleaned = stripped.replace(/\\./g, "");
+    if (cleaned.includes(".")) return false;
+    if (cleaned.includes("|")) return false;
+    return true;
+  }
+  /**
+   * Sprint 9 #58.1 — detect the regex-allowlist guard pattern.
+   *
+   *   if (!SAFE_NAME.matcher(var).matches()) { throw ...; }
+   *
+   * Returns the guarded variable name if the pattern matches AND
+   * `SAFE_NAME` is a recognized strict-anchored Pattern field, otherwise
+   * null. Caller drops the variable from `tainted` after the if-block.
+   */
+  detectRegexAllowlistGuard(condition, consequence) {
+    if (!consequence) return null;
+    let condText = getNodeText2(condition, this.source).replace(/\s+/g, "");
+    while (condText.startsWith("(") && condText.endsWith(")")) {
+      const inner = condText.slice(1, -1);
+      let depth = 0;
+      let balanced = true;
+      for (let i2 = 0; i2 < inner.length; i2++) {
+        if (inner[i2] === "(") depth++;
+        else if (inner[i2] === ")") depth--;
+        if (depth < 0) {
+          balanced = false;
+          break;
+        }
+      }
+      if (!balanced || depth !== 0) break;
+      condText = inner;
+    }
+    const m = condText.match(/^!(\w+)\.matcher\((\w+)\)\.matches\(\)$/);
+    if (!m) return null;
+    const patternName = m[1];
+    const varName = m[2];
+    if (!this.getSafePatternFields().has(patternName)) return null;
+    if (!this.consequenceContainsThrow(consequence)) return null;
+    return varName;
+  }
+  consequenceContainsThrow(node) {
+    if (node.type === "throw_statement") return true;
+    const stack = [node];
+    while (stack.length > 0) {
+      const n = stack.pop();
+      if (!n) continue;
+      if (n.type === "throw_statement") return true;
+      if (n.type === "if_statement" || n.type === "switch_statement") continue;
+      for (const c of n.children) stack.push(c);
+    }
+    return false;
+  }
+  seedPythonModuleConstants(root) {
+    if (root.type !== "module") return;
+    for (const child of root.children) {
+      const target = child.type === "assignment" ? child : child.type === "expression_statement" && child.children.length > 0 ? child.children[0] : null;
+      if (!target || target.type !== "assignment") continue;
+      const left = target.childForFieldName("left");
+      const right = target.childForFieldName("right");
+      if (!left || !right) continue;
+      if (left.type !== "identifier") continue;
+      const allowed = /* @__PURE__ */ new Set([
+        "true",
+        "false",
+        "none",
+        "integer",
+        "float",
+        "string"
+      ]);
+      if (!allowed.has(right.type)) continue;
+      const name2 = getNodeText2(left, this.source);
+      if (!name2) continue;
+      const value = this.evaluateExpression(right);
+      if (!isKnown(value)) continue;
+      this.symbols.set(name2, value);
+    }
+  }
   findAllMethods(node) {
     const methods = [];
     const stack = [node];
@@ -16452,6 +16768,11 @@ var ConstantPropagator = class _ConstantPropagator {
       case "local_variable_declaration":
         this.handleVariableDeclaration(node);
         return false;
+      case "field_declaration":
+        if (this.fieldDeclHasPrimitiveLiteralValue(node)) {
+          this.handleVariableDeclaration(node);
+        }
+        return false;
       case "assignment_expression":
         this.handleAssignment(node);
         return false;
@@ -16942,6 +17263,16 @@ var ConstantPropagator = class _ConstantPropagator {
       }
       this.inConditionalBranch = wasInConditional;
       this.tainted = /* @__PURE__ */ new Set([...taintedBefore, ...taintedAfterThen, ...taintedAfterElse]);
+      const guardedVar = this.detectRegexAllowlistGuard(condition, consequence);
+      if (guardedVar) {
+        this.tainted.delete(guardedVar);
+        this.sanitizedVars.add(guardedVar);
+        const scoped = this.getScopedName(guardedVar);
+        if (scoped !== guardedVar) {
+          this.tainted.delete(scoped);
+          this.sanitizedVars.add(scoped);
+        }
+      }
     }
   }
   /**
@@ -17132,17 +17463,33 @@ var ConstantPropagator = class _ConstantPropagator {
   /**
    * Check if an expression is a call to a sanitizer method.
    * This includes both built-in sanitizers and @sanitizer annotated methods.
+   * Handles Java (`method_invocation`), Go/JS/TS (`call_expression`), and
+   * Python (`call`) AST shapes.
    */
   isSanitizerMethodCall(node) {
-    if (node.type !== "method_invocation") {
-      return false;
+    const methodName = this.extractCallName(node);
+    if (!methodName) return false;
+    return SANITIZER_METHODS.has(methodName) || this.methodReturnsSanitized.has(methodName);
+  }
+  /**
+   * Extract the trailing method/function name from any call node shape:
+   *   Java   `method_invocation`        — name field
+   *   Go/JS  `call_expression`          — function field (identifier or selector/member)
+   *   Python `call`                     — function field (identifier or attribute)
+   */
+  extractCallName(node) {
+    let fnNode = null;
+    if (node.type === "method_invocation") {
+      fnNode = node.childForFieldName("name");
+    } else if (node.type === "call_expression" || node.type === "call") {
+      fnNode = node.childForFieldName("function");
     }
-    const nameNode = node.childForFieldName("name");
-    if (!nameNode) {
-      return false;
+    if (!fnNode) return null;
+    if (fnNode.type === "selector_expression" || fnNode.type === "member_expression" || fnNode.type === "attribute") {
+      const tail = fnNode.childForFieldName("field") || fnNode.childForFieldName("property") || fnNode.childForFieldName("attribute");
+      if (tail) return getNodeText2(tail, this.source);
     }
-    const methodName = getNodeText2(nameNode, this.source);
-    return SANITIZER_METHODS.has(methodName) || this.methodReturnsSanitized.has(methodName);
+    return getNodeText2(fnNode, this.source);
   }
   /**
    * Check if an expression is a call to an anti-sanitizer method.
@@ -22110,25 +22457,42 @@ function findBashTaintSources(sourceCode, dfg) {
   const sources = [];
   const lines = sourceCode.split("\n");
   const definedVars = new Set(dfg.defs.filter((d) => d.kind === "local").map((d) => d.variable));
+  const fnHeaderRe = /^\s*(?:function\s+)?[A-Za-z_][\w-]*\s*\(\s*\)\s*\{?\s*$|^\s*function\s+[A-Za-z_][\w-]*\s*\{?\s*$/;
+  let braceDepth = 0;
   for (let i2 = 0; i2 < lines.length; i2++) {
     const line = lines[i2];
     const trimmed = line.trim();
     const lineNumber = i2 + 1;
     if (trimmed.startsWith("#")) continue;
-    const positionalRe = /\$([1-9@*])|\$\{([1-9@*])\}/g;
-    let m;
-    while ((m = positionalRe.exec(line)) !== null) {
-      const param = m[1] ?? m[2];
-      const alreadyExists = sources.some((s) => s.line === lineNumber && s.variable === param);
-      if (!alreadyExists) {
-        sources.push({
-          type: "io_input",
-          location: `positional parameter $${param}`,
-          severity: "high",
-          line: lineNumber,
-          confidence: 1,
-          variable: param
-        });
+    const insideFunction = braceDepth > 0;
+    if (!insideFunction) {
+      const positionalRe = /\$([1-9@*])|\$\{([1-9@*])\}/g;
+      let m;
+      while ((m = positionalRe.exec(line)) !== null) {
+        const param = m[1] ?? m[2];
+        const alreadyExists = sources.some((s) => s.line === lineNumber && s.variable === param);
+        if (!alreadyExists) {
+          sources.push({
+            type: "io_input",
+            location: `positional parameter $${param}`,
+            severity: "high",
+            line: lineNumber,
+            confidence: 1,
+            variable: param
+          });
+        }
+      }
+    }
+    if (fnHeaderRe.test(line) || /^\s*[A-Za-z_][\w-]*\s*\(\s*\)\s*\{/.test(line)) {
+      const openBracesOnLine = (line.match(/\{/g) ?? []).length;
+      const closeBracesOnLine = (line.match(/\}/g) ?? []).length;
+      braceDepth += openBracesOnLine - closeBracesOnLine;
+    } else {
+      if (braceDepth > 0) {
+        const openBracesOnLine = (line.match(/\{/g) ?? []).length;
+        const closeBracesOnLine = (line.match(/\}/g) ?? []).length;
+        braceDepth += openBracesOnLine - closeBracesOnLine;
+        if (braceDepth < 0) braceDepth = 0;
       }
     }
     const cmdSubAssign = trimmed.match(/^(\w+)=\$\((\w+)\s/);
@@ -22550,10 +22914,14 @@ function filterCleanVariableSinks(sinks, calls, taintedVars, symbols, dfg, sanit
     const callsAtSink = callsByLine.get(sink.line) ?? [];
     const isInSynchronizedBlock = synchronizedLines?.has(sink.line) ?? false;
     const relevantCalls = sink.method ? callsAtSink.filter((c) => c.method_name === sink.method) : callsAtSink;
+    const trustArgPositions = language !== "bash" && language !== "shell";
     for (const call of relevantCalls) {
       let allArgsAreClean = true;
+      let dangerousArgCount = 0;
       const methodName = call.in_method;
       for (const arg of call.arguments) {
+        if (trustArgPositions && sink.argPositions && sink.argPositions.length > 0 && !sink.argPositions.includes(arg.position)) continue;
+        dangerousArgCount++;
         if (language === "bash" && arg.expression === call.method_name && !arg.variable && arg.literal == null) continue;
         if (arg.variable && !arg.expression?.includes("[")) {
           const varName = arg.variable;
@@ -22576,7 +22944,7 @@ function filterCleanVariableSinks(sinks, calls, taintedVars, symbols, dfg, sanit
           allArgsAreClean = false;
         }
       }
-      if (allArgsAreClean && call.arguments.length > 0) return false;
+      if (allArgsAreClean && dangerousArgCount > 0) return false;
     }
     return true;
   });
@@ -22668,7 +23036,7 @@ var TaintPropagationPass = class {
         flows.push(f);
       }
     }
-    const collectionFlows = detectCollectionFlows(calls, sources, sinks, constProp.tainted, constProp.unreachableLines) ?? [];
+    const collectionFlows = detectCollectionFlows(calls, sources, sinks, constProp.tainted, constProp.unreachableLines, ctx.code) ?? [];
     for (const f of collectionFlows) {
       if (flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line)) continue;
       const flowForCheck = {
@@ -22687,13 +23055,13 @@ var TaintPropagationPass = class {
       if (isFP) continue;
       flows.push(f);
     }
-    const paramFlows = detectParameterSinkFlows(types, calls, sources, sinks, constProp.unreachableLines) ?? [];
+    const paramFlows = detectParameterSinkFlows(types, calls, sources, sinks, constProp.unreachableLines, constProp.tainted, ctx.code) ?? [];
     for (const f of paramFlows) {
       if (!flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line)) {
         flows.push(f);
       }
     }
-    const exprScanFlows = detectExpressionScanFlows(calls, sources, sinks, sanitizers, constProp.unreachableLines, ctx.code, ctx.language) ?? [];
+    const exprScanFlows = detectExpressionScanFlows(calls, sources, sinks, sanitizers, constProp.unreachableLines, constProp.tainted, ctx.code, ctx.language) ?? [];
     for (const f of exprScanFlows) {
       if (flows.some(
         (x) => x.source_line === f.source_line && x.sink_line === f.sink_line && x.sink_type === f.sink_type
@@ -22714,10 +23082,21 @@ var TaintPropagationPass = class {
       if (isFP) continue;
       flows.push(f);
     }
-    return { flows };
+    const sanitizedNames = constProp.sanitizedVars;
+    const finalFlows = sanitizedNames.size === 0 ? flows : flows.filter((f) => {
+      if (f.path.length === 0) return true;
+      const sourceVar = f.path[0].variable;
+      if (!sourceVar) return true;
+      if (sanitizedNames.has(sourceVar)) return false;
+      for (const s of sanitizedNames) {
+        if (s.endsWith(`:${sourceVar}`)) return false;
+      }
+      return true;
+    });
+    return { flows: finalFlows };
   }
 };
-function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLines) {
+function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLines, code) {
   const flows = [];
   const callsByLine = /* @__PURE__ */ new Map();
   for (const call of calls) {
@@ -22739,6 +23118,9 @@ function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLi
           if (taintedVars.has(varName) || taintedVars.has(scopedName)) {
             const source = sources[0];
             if (source) {
+              if (typeof code === "string" && isReassignedToLiteralBetween(code, varName, source.line, sink.line)) {
+                continue;
+              }
               flows.push({
                 source_line: source.line,
                 sink_line: sink.line,
@@ -22773,6 +23155,9 @@ function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLi
               if (taintedVars.has(collectionVar) || taintedVars.has(scopedCollection)) {
                 const source = sources[0];
                 if (source) {
+                  if (typeof code === "string" && isReassignedToLiteralBetween(code, collectionVar, source.line, sink.line)) {
+                    continue;
+                  }
                   flows.push({
                     source_line: source.line,
                     sink_line: sink.line,
@@ -22842,7 +23227,7 @@ function detectArrayElementFlows(calls, sources, sinks, taintedArrayElements, un
   }
   return flows;
 }
-function detectParameterSinkFlows(types, calls, sources, sinks, unreachableLines) {
+function detectParameterSinkFlows(types, calls, sources, sinks, unreachableLines, tainted, code) {
   const flows = [];
   const paramSourcesByMethod = /* @__PURE__ */ new Map();
   for (const source of sources) {
@@ -22884,6 +23269,9 @@ function detectParameterSinkFlows(types, calls, sources, sinks, unreachableLines
           if (paramSource) {
             const exists = flows.some((f) => f.source_line === paramSource.line && f.sink_line === sink.line);
             if (!exists) {
+              if (typeof code === "string" && isReassignedToLiteralBetween(code, arg.variable, paramSource.line, sink.line)) {
+                continue;
+              }
               flows.push({
                 source_line: paramSource.line,
                 sink_line: sink.line,
@@ -22905,7 +23293,27 @@ function detectParameterSinkFlows(types, calls, sources, sinks, unreachableLines
   void types;
   return flows;
 }
-function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachableLines, code, language) {
+function isReassignedToLiteralBetween(code, variable, srcLine, sinkLine) {
+  if (!variable || sinkLine - srcLine < 2) return false;
+  if (!/^[A-Za-z_][\w]*$/.test(variable)) return false;
+  const lines = code.split("\n");
+  const lo = Math.max(0, srcLine);
+  const hi = Math.min(lines.length, sinkLine - 1);
+  const strLit = `(?:"[^"\\\\]*(?:\\\\.[^"\\\\]*)*"|'[^'\\\\]*(?:\\\\.[^'\\\\]*)*'|\`[^\`\\\\]*(?:\\\\.[^\`\\\\]*)*\`)`;
+  const reNaked = new RegExp(
+    `^\\s*${variable}\\s*(?::?=)\\s*${strLit}\\s*;?\\s*$`
+  );
+  const reGuarded = new RegExp(
+    `^\\s*if\\b.*\\b${variable}\\s*=\\s*${strLit}\\s*;?\\s*$`
+  );
+  for (let i2 = lo; i2 < hi; i2++) {
+    const line = lines[i2];
+    if (!line) continue;
+    if (reNaked.test(line) || reGuarded.test(line)) return true;
+  }
+  return false;
+}
+function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachableLines, tainted, code, language) {
   const flows = [];
   const sourcesWithVar = sources.filter(
     (s) => typeof s.variable === "string" && s.variable.length > 0
@@ -22957,9 +23365,9 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
           if (!rhsMatch) continue;
           const rhs = rhsMatch[1];
           for (const san of lineSans) {
-            const sanMatch = san.method.match(/^(?:(\w+)\.)?(\w+)\(\)$/);
+            const sanMatch = san.method.match(/(\w+)\(\)$/);
             if (!sanMatch) continue;
-            const sanName = sanMatch[1] ? `${sanMatch[1]}.${sanMatch[2]}` : sanMatch[2];
+            const sanName = sanMatch[1];
             if (!rhs.includes(`${sanName}(`)) continue;
             let set = aliasSanitizedFor.get(varName);
             if (!set) {
@@ -23023,6 +23431,9 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
           if (aliasSanitizedFor.get(source.variable)?.has(sink.type)) {
             break;
           }
+          if (typeof code === "string" && isReassignedToLiteralBetween(code, source.variable, source.line, sink.line)) {
+            break;
+          }
           flows.push({
             source_line: source.line,
             sink_line: sink.line,
@@ -23053,6 +23464,9 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
     if (!colocSources || colocSources.length === 0) continue;
     for (const source of colocSources) {
       if (!canSourceReachSink(source.type, sink.type)) continue;
+      if (source.type === "file_input" && sink.type === "path_traversal" && sink.method && source.location.includes(`${sink.method}(`)) {
+        continue;
+      }
       if (flows.some(
         (f) => f.source_line === source.line && f.sink_line === sink.line && f.sink_type === sink.type
       )) continue;
@@ -26530,6 +26944,28 @@ var JS_ROUTE_METHODS = /* @__PURE__ */ new Set([
   "head",
   "options"
 ]);
+var SECURITY_MIDDLEWARE_METHODS = /* @__PURE__ */ new Set([
+  // Node helmet (and sub-modules)
+  "helmet",
+  "frameguard",
+  "contentSecurityPolicy",
+  "hsts",
+  "noSniff",
+  "xssFilter",
+  "referrerPolicy",
+  "permittedCrossDomainPolicies",
+  "dnsPrefetchControl",
+  // Spring HttpSecurity builder chain
+  "frameOptions",
+  "headers",
+  "httpStrictTransportSecurity",
+  "contentTypeOptions",
+  "xssProtection",
+  // Flask / Python
+  "Talisman",
+  "Secure"
+]);
+var SECURITY_MIDDLEWARE_ANNOTATIONS_RE = /\b(EnableWebSecurity|SecurityFilterChain|after_request|before_request)\b/;
 var SecurityHeadersPass = class {
   name = "security-headers";
   category = "security";
@@ -26556,12 +26992,14 @@ var SecurityHeadersPass = class {
       list.push(call);
     }
     const hasHandler = detectHandler(graph, calls);
+    const hasGlobalMiddleware = detectGlobalSecurityMiddleware(graph, calls);
     for (const rule of this.rules) {
       const headerKey = rule.header.toLowerCase();
       const writes = writtenHeaders.get(headerKey) ?? [];
       if (rule.kind === "missing") {
         if (writes.length > 0) continue;
         if (rule.requiresHandler !== false && !hasHandler) continue;
+        if (hasGlobalMiddleware) continue;
         ctx.addFinding({
           id: `${rule.rule_id}-${file}`,
           pass: this.name,
@@ -26715,6 +27153,23 @@ function detectHandler(graph, calls) {
   }
   return false;
 }
+function detectGlobalSecurityMiddleware(graph, calls) {
+  for (const call of calls) {
+    if (SECURITY_MIDDLEWARE_METHODS.has(call.method_name)) return true;
+    if (call.method_name === "use" && call.arguments.length > 0) {
+      const firstArg = call.arguments[0].expression ?? "";
+      if (/\b(helmet|Talisman|secure)\b/.test(firstArg)) return true;
+    }
+  }
+  for (const type of graph.ir.types) {
+    if (type.annotations.some((a) => SECURITY_MIDDLEWARE_ANNOTATIONS_RE.test(a))) return true;
+    for (const method of type.methods) {
+      if (method.annotations.some((a) => SECURITY_MIDDLEWARE_ANNOTATIONS_RE.test(a))) return true;
+      if (/^security[A-Za-z]*FilterChain$/i.test(method.name)) return true;
+    }
+  }
+  return false;
+}
 
 // src/analysis/passes/scan-secrets-pass.ts
 var TEST_PATH_RE3 = /(?:^|[\\/])(?:test|tests|spec|specs|__tests?__|__mocks?__|fixtures?|testdata)(?:[\\/]|$)/i;