circle-ir 3.57.0 → 3.59.0

package/dist/core/circle-ir-core.cjs

@@ -10245,11 +10245,14 @@ var DEFAULT_SOURCES = [
   // Rocket
   { method: "param", class: "Request", type: "http_param", severity: "high", return_tainted: true },
   { method: "cookies", class: "Request", type: "http_cookie", severity: "high", return_tainted: true },
-  // Axum extractors
-  { method: "Json", type: "http_body", severity: "high", return_tainted: true },
-  { method: "Query", type: "http_param", severity: "high", return_tainted: true },
-  { method: "Path", type: "http_path", severity: "high", return_tainted: true },
-  { method: "Form", type: "http_param", severity: "high", return_tainted: true },
+  // Axum extractors — Rust-only. The simple names `Json`/`Query`/`Path`/`Form`
+  // collide with stdlib types in other ecosystems (notably Python's
+  // `pathlib.Path` constructor and `flask.Form`), so they MUST be
+  // language-scoped to Rust to avoid spurious source matches.
+  { method: "Json", type: "http_body", severity: "high", return_tainted: true, languages: ["rust"] },
+  { method: "Query", type: "http_param", severity: "high", return_tainted: true, languages: ["rust"] },
+  { method: "Path", type: "http_path", severity: "high", return_tainted: true, languages: ["rust"] },
+  { method: "Form", type: "http_param", severity: "high", return_tainted: true, languages: ["rust"] },
   // Rust std library
   { method: "var", class: "env", type: "env_input", severity: "medium", return_tainted: true },
   { method: "var_os", class: "env", type: "env_input", severity: "medium", return_tainted: true },
@@ -10452,10 +10455,15 @@ var DEFAULT_SINKS = [
   { method: "PathResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // Additional resource/file patterns
   { method: "forFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "resolve", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "resolve", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "resolveSibling", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "relativize", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0] },
+  // Java NIO `Path.resolve(other)` — joining with an untrusted `other` can
+  // escape the parent directory. Language-scoped to Java because the simple
+  // name `resolve` collides with Python `pathlib.Path.resolve()`
+  // (a canonicalization SANITIZER, no argument), JS `Promise.resolve(...)`,
+  // and Rust `Path::canonicalize` variants. Sprint 9 #48.2.
+  { method: "resolve", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "resolve", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "resolveSibling", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "relativize", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0], languages: ["java"] },
   // Static file configuration
   { method: "staticFiles", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "setRoot", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -11612,6 +11620,16 @@ var DEFAULT_SANITIZERS = [
   // Returns just filename, strips path
   { method: "canonicalize", removes: ["path_traversal"] },
   // Resolves symlinks and normalizes
+  // Go path sanitizers (#51) — filepath.Base strips directory components
+  // (fully sanitizes), filepath.Clean / path.Clean normalize away ../ segments
+  // (defense-in-depth — mirrors Java getCanonicalPath in this table; the
+  // stricter Clean+HasPrefix guard recognition is tracked separately).
+  // EvalSymlinks is the Go equivalent of Java's Path.toRealPath.
+  { method: "Base", class: "filepath", removes: ["path_traversal"] },
+  { method: "Base", class: "path", removes: ["path_traversal"] },
+  { method: "Clean", class: "filepath", removes: ["path_traversal"] },
+  { method: "Clean", class: "path", removes: ["path_traversal"] },
+  { method: "EvalSymlinks", class: "filepath", removes: ["path_traversal"] },
   // Log Injection sanitizers
   { method: "replace", removes: ["log_injection"] },
   // Used to remove newlines/control chars
@@ -11706,6 +11724,8 @@ var DEFAULT_SANITIZERS = [
   { method: "abspath", class: "os.path", removes: ["path_traversal"] },
   { method: "realpath", class: "path", removes: ["path_traversal"] },
   { method: "abspath", class: "path", removes: ["path_traversal"] },
+  // pathlib.Path.resolve() — canonicalizes path, resolves symlinks (Python 3)
+  { method: "resolve", class: "Path", removes: ["path_traversal"] },
   // Python Type coercion
   { method: "int", removes: ["sql_injection", "command_injection", "xss"] },
   { method: "float", removes: ["sql_injection", "command_injection"] },
@@ -11738,8 +11758,36 @@ var DEFAULT_SANITIZERS = [
   { method: "encode_attribute", class: "html_escape", removes: ["xss"] },
   { method: "escape_html", removes: ["xss"] },
   // Rust Type coercion (parsing)
-  { method: "parse", removes: ["sql_injection", "command_injection", "xss"] }
+  { method: "parse", removes: ["sql_injection", "command_injection", "xss"] },
   // str.parse::<i32>()
+  // =========================================================================
+  // Type-cast taint barriers (#57)
+  // Numeric/UUID casts cannot carry a string-injection payload.
+  // =========================================================================
+  // Java numeric parse — Integer.parseInt, Long.parseLong, etc.
+  { method: "parseInt", class: "Integer", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseLong", class: "Long", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseFloat", class: "Float", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseDouble", class: "Double", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseShort", class: "Short", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseByte", class: "Byte", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  // Java UUID parse — UUID.fromString rejects non-UUID strings
+  { method: "fromString", class: "UUID", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  // JavaScript numeric coercion (Number/parseInt/parseFloat already covered above; add path_traversal/code_injection)
+  { method: "BigInt", removes: ["sql_injection", "nosql_injection", "command_injection", "path_traversal", "code_injection"] },
+  // Go numeric parse — strconv.Atoi, ParseInt, ParseFloat, ParseUint, ParseBool
+  { method: "Atoi", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "ParseInt", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "ParseFloat", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "ParseUint", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "ParseBool", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  // Go UUID parse
+  { method: "Parse", class: "uuid", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "MustParse", class: "uuid", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  // Python — int/float already covered above; add bool + UUID/Decimal casts
+  { method: "bool", removes: ["sql_injection", "command_injection", "xss", "code_injection"] },
+  { method: "UUID", class: "uuid", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "Decimal", class: "decimal", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] }
 ];
 function getDefaultConfig() {
   return {
@@ -11769,7 +11817,7 @@ function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy,
   const sourceLines = code !== void 0 ? code.split("\n") : void 0;
   const sources = findSources(calls, types, config.sources, sourceLines, language);
   const sinks = findSinks(calls, config.sinks, typeHierarchy, language, sourceLines);
-  const sanitizers = findSanitizers(calls, types, config.sanitizers);
+  const sanitizers = findSanitizers(calls, types, config.sanitizers, sourceLines);
   return { sources, sinks, sanitizers };
 }
 function attachSourceLineCode(sources, sinks, code) {
@@ -11789,6 +11837,9 @@ function findSources(calls, types, patterns, sourceLines, language) {
   const sources = [];
   for (const call of calls) {
     for (const pattern of patterns) {
+      if (pattern.languages && pattern.languages.length > 0 && language !== void 0 && !pattern.languages.includes(language)) {
+        continue;
+      }
       if (matchesSourcePattern(call, pattern)) {
         sources.push({
           type: pattern.type,
@@ -12425,6 +12476,15 @@ function receiverMightBeClass(receiver, className) {
   if (receiver === className) {
     return true;
   }
+  if (receiver.endsWith(")")) {
+    const ctorMatch = receiver.match(/^(\w+)\(/);
+    if (ctorMatch) {
+      const ctorName = ctorMatch[1];
+      if (ctorName === className || ctorName.toLowerCase() === className.toLowerCase()) {
+        return true;
+      }
+    }
+  }
   if (receiver.includes("::")) {
     const scopePrefix = receiver.match(/^(\w+)::/);
     if (scopePrefix) {
@@ -12692,7 +12752,7 @@ function calculateSinkConfidence(call, pattern) {
   }
   return Math.min(confidence, 1);
 }
-function findSanitizers(calls, types, patterns) {
+function findSanitizers(calls, types, patterns, sourceLines) {
   const sanitizers = [];
   const sanitizerMethods = /* @__PURE__ */ new Set();
   for (const type of types) {
@@ -12702,6 +12762,66 @@ function findSanitizers(calls, types, patterns) {
       }
     }
   }
+  const wrapperSanitizers = /* @__PURE__ */ new Map();
+  for (const type of types) {
+    for (const method of type.methods) {
+      const bodySize = method.end_line - method.start_line;
+      if (bodySize < 0 || bodySize > 2) continue;
+      const paramNames = new Set(method.parameters.map((p) => p.name));
+      if (paramNames.size === 0) continue;
+      const inside = [];
+      for (const c of calls) {
+        if (c.location.line < method.start_line || c.location.line > method.end_line) continue;
+        if (c.method_name === method.name) continue;
+        inside.push(c);
+      }
+      if (inside.length !== 1) continue;
+      const innerCall = inside[0];
+      let matched;
+      for (const pattern of patterns) {
+        if (matchesSanitizerPattern(innerCall, pattern)) {
+          matched = pattern;
+          break;
+        }
+      }
+      if (!matched || !matched.removes || matched.removes.length === 0) continue;
+      let argOk = false;
+      for (const arg of innerCall.arguments) {
+        if (arg.variable && paramNames.has(arg.variable)) {
+          argOk = true;
+          break;
+        }
+      }
+      if (!argOk) continue;
+      if (sourceLines) {
+        const lineText = sourceLines[innerCall.location.line - 1] ?? "";
+        const stripped = lineText.trim();
+        const returnMatch = stripped.match(/^return\s+(?:await\s+)?(.*)$/);
+        if (!returnMatch) continue;
+        const after = returnMatch[1].replace(/;\s*$/, "").trimEnd();
+        const callPrefix = innerCall.receiver ? `${innerCall.receiver}.${innerCall.method_name}(` : `${innerCall.method_name}(`;
+        if (!after.startsWith(callPrefix)) continue;
+        if (!after.endsWith(")")) continue;
+      }
+      const existing = wrapperSanitizers.get(method.name);
+      if (existing) {
+        const set = /* @__PURE__ */ new Set([...existing, ...matched.removes]);
+        wrapperSanitizers.set(method.name, Array.from(set));
+      } else {
+        wrapperSanitizers.set(method.name, [...matched.removes]);
+      }
+    }
+  }
+  for (const call of calls) {
+    const removes = wrapperSanitizers.get(call.method_name);
+    if (!removes) continue;
+    sanitizers.push({
+      type: "derived_wrapper",
+      method: formatSanitizerMethod(call),
+      line: call.location.line,
+      sanitizes: removes
+    });
+  }
   for (const call of calls) {
     if (sanitizerMethods.has(call.method_name)) {
       sanitizers.push({
@@ -13024,6 +13144,15 @@ var CodeGraph = class {
 };
 
 // src/analysis/taint-propagation.ts
+function buildSanitizersByLine(sanitizers) {
+  const out2 = /* @__PURE__ */ new Map();
+  for (const san of sanitizers) {
+    const existing = out2.get(san.line);
+    if (existing) existing.push(san);
+    else out2.set(san.line, [san]);
+  }
+  return out2;
+}
 function propagateTaint(graphOrDfg, callsOrSources, sourcesOrSinks, sinksOrSanitizers, sanitizersArg) {
   let graph;
   let sources;
@@ -13059,7 +13188,7 @@ function propagateTaint(graphOrDfg, callsOrSources, sourcesOrSinks, sinksOrSanit
   const defsByLine = graph.defsByLine;
   const usesByLine = graph.usesByLine;
   const callsByLine = graph.callsByLine;
-  const sanitizersByLine = graph.sanitizersByLine;
+  const sanitizersByLine = sanitizers.length > 0 ? buildSanitizersByLine(sanitizers) : graph.sanitizersByLine;
   const defById = graph.defById;
   const rawInitialTaint = findInitialTaint(sources, callsByLine, defsByLine);
   const initialTaint = rawInitialTaint.filter((tv) => {
@@ -13732,7 +13861,32 @@ var SANITIZER_METHODS = /* @__PURE__ */ new Set([
   "validatePath",
   "validateCityName",
   "validateInput",
-  "sanitizeInput"
+  "sanitizeInput",
+  // Type-cast barriers (#57) — numeric/boolean casts cannot carry a string
+  // injection payload. Conservative whitelist; ambiguous names like `valueOf`,
+  // `Parse`, `fromString` are intentionally excluded.
+  // Java
+  "parseInt",
+  "parseLong",
+  "parseFloat",
+  "parseDouble",
+  "parseShort",
+  "parseByte",
+  "fromString",
+  // UUID.fromString — parses strict UUID format, rejects injection
+  // JS/TS (parseInt/parseFloat covered above)
+  "Number",
+  "BigInt",
+  // Go
+  "Atoi",
+  "ParseInt",
+  "ParseFloat",
+  "ParseUint",
+  "ParseBool",
+  // Python
+  "int",
+  "float",
+  "bool"
 ]);
 var ANTI_SANITIZER_METHODS = /* @__PURE__ */ new Set([
   // URL decoding (reverses URL encoding)
@@ -13862,6 +14016,10 @@ var ConstantPropagator = class _ConstantPropagator {
   inConstructor = false;
   // Map constructor parameter names to their positions (0-indexed)
   constructorParamPositions = /* @__PURE__ */ new Map();
+  // Sprint 9 #58.1 — names of `static final Pattern` fields whose compiled
+  // regex is strict-anchored (provably matches a bounded character set).
+  // Populated lazily on first access via `getSafePatternFields()`.
+  safePatternFieldsCache = null;
   /**
    * Analyze source code and build constant propagation state.
    */
@@ -13895,6 +14053,7 @@ var ConstantPropagator = class _ConstantPropagator {
     this.currentClassName = null;
     this.inConstructor = false;
     this.constructorParamPositions.clear();
+    this.safePatternFieldsCache = null;
     this.collectClassFields(tree.rootNode);
     for (const methodName of sanitizerMethods) {
       this.methodReturnsSanitized.add(methodName);
@@ -13904,6 +14063,7 @@ var ConstantPropagator = class _ConstantPropagator {
       (name2) => this.lookupSymbol(name2)
     );
     this.analyzeMethodReturns(tree.rootNode);
+    this.seedPythonModuleConstants(tree.rootNode);
     this.visit(tree.rootNode);
     this.refineTaintFromConstants();
     const resultTainted = new Set(this.tainted);
@@ -14264,6 +14424,162 @@ var ConstantPropagator = class _ConstantPropagator {
       }
     }
   }
+  /**
+   * Sprint 9 #55 — seed the symbol table with Python module-level constant
+   * assignments. Walks only direct children of the `module` root and adds
+   * `IDENT = <primitive literal>` to `symbols` so `if IDENT:` guards inside
+   * downstream functions can be folded to dead code.
+   *
+   * Recognized literal RHS kinds: `true`/`false` (booleans), integer/float
+   * literals, string literals. The ExpressionEvaluator already understands
+   * each via the same lookup callback; we just need the symbol present.
+   */
+  /**
+   * Sprint 9 #55 — gate `field_declaration` folding to primitive literals.
+   *
+   * The deep-nesting regression (cognium-ai#88) constructs a Java
+   * `static final String hyphenData = "a" + "b" + ... (10k segments)` at the
+   * class level. `handleVariableDeclaration` would otherwise dispatch
+   * `evaluateExpression` on the deeply nested binary AST and blow the V8
+   * stack. The dead-code-by-const-guard pattern (`if (DEBUG)`) only requires
+   * `boolean`/`integer`/`string` (single-literal) RHS folding, so restrict
+   * to those node types.
+   */
+  fieldDeclHasPrimitiveLiteralValue(node) {
+    const primitive = /* @__PURE__ */ new Set([
+      // Java literal node types
+      "true",
+      "false",
+      "null_literal",
+      "decimal_integer_literal",
+      "hex_integer_literal",
+      "octal_integer_literal",
+      "binary_integer_literal",
+      "decimal_floating_point_literal",
+      "hex_floating_point_literal",
+      "character_literal",
+      "string_literal",
+      // JS/TS literal node types (defensive, in case other langs reuse it)
+      "number",
+      "string"
+    ]);
+    for (const child of node.children) {
+      if (child.type !== "variable_declarator") continue;
+      const value = child.childForFieldName("value");
+      if (!value) continue;
+      if (!primitive.has(value.type)) return false;
+    }
+    return true;
+  }
+  /**
+   * Sprint 9 #58.1 — collect the set of class-level `Pattern` field names
+   * whose compiled regex is strict-anchored, i.e. provably matches a
+   * bounded character set with no wildcard escape. A subsequent
+   * `if (!FIELD.matcher(var).matches()) throw ...;` guard then proves
+   * `var` is sanitized after the if.
+   *
+   * Recognized initializer shapes (scanned via source-text regex to avoid
+   * threading another AST walk):
+   *   `static final Pattern FIELD = Pattern.compile("regex");`
+   *
+   * Strict-anchored regex criteria:
+   *   - starts with `^` and ends with `$`
+   *   - after stripping `[...]` character classes, must not contain `.` or
+   *     `|` (a `.` could match anything; `|` admits an arbitrary alternative)
+   */
+  getSafePatternFields() {
+    if (this.safePatternFieldsCache !== null) return this.safePatternFieldsCache;
+    const set = /* @__PURE__ */ new Set();
+    const re = /\b(?:public\s+|private\s+|protected\s+)?(?:static\s+final|final\s+static)\s+(?:java\.util\.regex\.)?Pattern\s+(\w+)\s*=\s*(?:java\.util\.regex\.)?Pattern\s*\.\s*compile\s*\(\s*"((?:[^"\\]|\\.)*)"/g;
+    let m;
+    while ((m = re.exec(this.source)) !== null) {
+      const name2 = m[1];
+      const regex = m[2];
+      if (this.isStrictAnchoredRegex(regex)) set.add(name2);
+    }
+    this.safePatternFieldsCache = set;
+    return set;
+  }
+  isStrictAnchoredRegex(re) {
+    if (!re.startsWith("^") || !re.endsWith("$")) return false;
+    const stripped = re.replace(/\[(?:[^\]\\]|\\.)*\]/g, "");
+    const cleaned = stripped.replace(/\\./g, "");
+    if (cleaned.includes(".")) return false;
+    if (cleaned.includes("|")) return false;
+    return true;
+  }
+  /**
+   * Sprint 9 #58.1 — detect the regex-allowlist guard pattern.
+   *
+   *   if (!SAFE_NAME.matcher(var).matches()) { throw ...; }
+   *
+   * Returns the guarded variable name if the pattern matches AND
+   * `SAFE_NAME` is a recognized strict-anchored Pattern field, otherwise
+   * null. Caller drops the variable from `tainted` after the if-block.
+   */
+  detectRegexAllowlistGuard(condition, consequence) {
+    if (!consequence) return null;
+    let condText = getNodeText2(condition, this.source).replace(/\s+/g, "");
+    while (condText.startsWith("(") && condText.endsWith(")")) {
+      const inner = condText.slice(1, -1);
+      let depth = 0;
+      let balanced = true;
+      for (let i2 = 0; i2 < inner.length; i2++) {
+        if (inner[i2] === "(") depth++;
+        else if (inner[i2] === ")") depth--;
+        if (depth < 0) {
+          balanced = false;
+          break;
+        }
+      }
+      if (!balanced || depth !== 0) break;
+      condText = inner;
+    }
+    const m = condText.match(/^!(\w+)\.matcher\((\w+)\)\.matches\(\)$/);
+    if (!m) return null;
+    const patternName = m[1];
+    const varName = m[2];
+    if (!this.getSafePatternFields().has(patternName)) return null;
+    if (!this.consequenceContainsThrow(consequence)) return null;
+    return varName;
+  }
+  consequenceContainsThrow(node) {
+    if (node.type === "throw_statement") return true;
+    const stack = [node];
+    while (stack.length > 0) {
+      const n = stack.pop();
+      if (!n) continue;
+      if (n.type === "throw_statement") return true;
+      if (n.type === "if_statement" || n.type === "switch_statement") continue;
+      for (const c of n.children) stack.push(c);
+    }
+    return false;
+  }
+  seedPythonModuleConstants(root) {
+    if (root.type !== "module") return;
+    for (const child of root.children) {
+      const target = child.type === "assignment" ? child : child.type === "expression_statement" && child.children.length > 0 ? child.children[0] : null;
+      if (!target || target.type !== "assignment") continue;
+      const left = target.childForFieldName("left");
+      const right = target.childForFieldName("right");
+      if (!left || !right) continue;
+      if (left.type !== "identifier") continue;
+      const allowed = /* @__PURE__ */ new Set([
+        "true",
+        "false",
+        "none",
+        "integer",
+        "float",
+        "string"
+      ]);
+      if (!allowed.has(right.type)) continue;
+      const name2 = getNodeText2(left, this.source);
+      if (!name2) continue;
+      const value = this.evaluateExpression(right);
+      if (!isKnown(value)) continue;
+      this.symbols.set(name2, value);
+    }
+  }
   findAllMethods(node) {
     const methods = [];
     const stack = [node];
@@ -14358,6 +14674,11 @@ var ConstantPropagator = class _ConstantPropagator {
       case "local_variable_declaration":
         this.handleVariableDeclaration(node);
         return false;
+      case "field_declaration":
+        if (this.fieldDeclHasPrimitiveLiteralValue(node)) {
+          this.handleVariableDeclaration(node);
+        }
+        return false;
       case "assignment_expression":
         this.handleAssignment(node);
         return false;
@@ -14848,6 +15169,16 @@ var ConstantPropagator = class _ConstantPropagator {
       }
       this.inConditionalBranch = wasInConditional;
       this.tainted = /* @__PURE__ */ new Set([...taintedBefore, ...taintedAfterThen, ...taintedAfterElse]);
+      const guardedVar = this.detectRegexAllowlistGuard(condition, consequence);
+      if (guardedVar) {
+        this.tainted.delete(guardedVar);
+        this.sanitizedVars.add(guardedVar);
+        const scoped = this.getScopedName(guardedVar);
+        if (scoped !== guardedVar) {
+          this.tainted.delete(scoped);
+          this.sanitizedVars.add(scoped);
+        }
+      }
     }
   }
   /**
@@ -15038,17 +15369,33 @@ var ConstantPropagator = class _ConstantPropagator {
   /**
    * Check if an expression is a call to a sanitizer method.
    * This includes both built-in sanitizers and @sanitizer annotated methods.
+   * Handles Java (`method_invocation`), Go/JS/TS (`call_expression`), and
+   * Python (`call`) AST shapes.
    */
   isSanitizerMethodCall(node) {
-    if (node.type !== "method_invocation") {
-      return false;
+    const methodName = this.extractCallName(node);
+    if (!methodName) return false;
+    return SANITIZER_METHODS.has(methodName) || this.methodReturnsSanitized.has(methodName);
+  }
+  /**
+   * Extract the trailing method/function name from any call node shape:
+   *   Java   `method_invocation`        — name field
+   *   Go/JS  `call_expression`          — function field (identifier or selector/member)
+   *   Python `call`                     — function field (identifier or attribute)
+   */
+  extractCallName(node) {
+    let fnNode = null;
+    if (node.type === "method_invocation") {
+      fnNode = node.childForFieldName("name");
+    } else if (node.type === "call_expression" || node.type === "call") {
+      fnNode = node.childForFieldName("function");
     }
-    const nameNode = node.childForFieldName("name");
-    if (!nameNode) {
-      return false;
+    if (!fnNode) return null;
+    if (fnNode.type === "selector_expression" || fnNode.type === "member_expression" || fnNode.type === "attribute") {
+      const tail = fnNode.childForFieldName("field") || fnNode.childForFieldName("property") || fnNode.childForFieldName("attribute");
+      if (tail) return getNodeText2(tail, this.source);
     }
-    const methodName = getNodeText2(nameNode, this.source);
-    return SANITIZER_METHODS.has(methodName) || this.methodReturnsSanitized.has(methodName);
+    return getNodeText2(fnNode, this.source);
   }
   /**
    * Check if an expression is a call to an anti-sanitizer method.