circle-ir 3.58.0 → 3.62.0

package/dist/browser/circle-ir.js

@@ -4341,7 +4341,7 @@ function detectLanguage(tree) {
 }
 function extractTypes(tree, cache, language) {
   const effectiveLanguage = language ?? detectLanguage(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
   if (effectiveLanguage === "go") {
@@ -5727,7 +5727,7 @@ function detectLanguageFromTree(tree, cache) {
 function extractCalls(tree, cache, language) {
   const calls = [];
   const detectedLanguage = language ?? detectLanguageFromTree(tree, cache);
-  const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript";
+  const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript" || detectedLanguage === "tsx";
   const isPython = detectedLanguage === "python";
   const isRust = detectedLanguage === "rust";
   if (detectedLanguage === "go") {
@@ -5776,8 +5776,137 @@ function extractJavaScriptCalls(tree, cache) {
       calls.push(callInfo);
     }
   }
+  const jsxAttributes = getNodesFromCache(tree.rootNode, "jsx_attribute", cache);
+  for (const attr of jsxAttributes) {
+    const callInfo = extractJSXAttributeSink(attr);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
+  const assignments = getNodesFromCache(tree.rootNode, "assignment_expression", cache);
+  for (const assign of assignments) {
+    const callInfo = extractDomPropertyAssignmentSink(assign);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
   return calls;
 }
+var DOM_XSS_ASSIGNMENT_PROPERTIES = /* @__PURE__ */ new Set([
+  "innerHTML",
+  "outerHTML"
+]);
+function extractDomPropertyAssignmentSink(node) {
+  const leftNode = node.childForFieldName("left");
+  const rightNode = node.childForFieldName("right");
+  if (!leftNode || !rightNode) return null;
+  if (leftNode.type !== "member_expression") return null;
+  const propertyNode = leftNode.childForFieldName("property");
+  const objectNode = leftNode.childForFieldName("object");
+  if (!propertyNode) return null;
+  const propertyName = getNodeText(propertyNode);
+  if (!DOM_XSS_ASSIGNMENT_PROPERTIES.has(propertyName)) return null;
+  const receiver = objectNode ? getNodeText(objectNode) : null;
+  const expression = getNodeText(rightNode);
+  const { variable, literal } = analyzeJSArgument(rightNode);
+  const enclosingFunc = findJSEnclosingFunction(node);
+  return {
+    method_name: propertyName,
+    receiver,
+    arguments: [
+      {
+        position: 0,
+        expression,
+        variable,
+        literal
+      }
+    ],
+    location: {
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    },
+    in_method: enclosingFunc,
+    resolved: true,
+    resolution: {
+      status: "resolved",
+      target: `DOM.${propertyName}`
+    }
+  };
+}
+function extractJSXAttributeSink(attr) {
+  let nameNode = null;
+  for (let i2 = 0; i2 < attr.childCount; i2++) {
+    const child = attr.child(i2);
+    if (child && child.type === "property_identifier") {
+      nameNode = child;
+      break;
+    }
+  }
+  if (!nameNode) return null;
+  const attrName = getNodeText(nameNode);
+  if (attrName !== "dangerouslySetInnerHTML") return null;
+  let valueExpr = null;
+  for (let i2 = 0; i2 < attr.childCount; i2++) {
+    const child = attr.child(i2);
+    if (child && child.type === "jsx_expression") {
+      valueExpr = child;
+      break;
+    }
+  }
+  if (!valueExpr) return null;
+  let htmlValue = null;
+  for (let i2 = 0; i2 < valueExpr.childCount; i2++) {
+    const inner = valueExpr.child(i2);
+    if (!inner || inner.type !== "object") continue;
+    for (let j = 0; j < inner.childCount; j++) {
+      const pair = inner.child(j);
+      if (!pair || pair.type !== "pair") continue;
+      const keyNode = pair.childForFieldName("key");
+      if (!keyNode) continue;
+      const keyText = getNodeText(keyNode).replace(/^["']|["']$/g, "");
+      if (keyText === "__html") {
+        htmlValue = pair.childForFieldName("value");
+        break;
+      }
+    }
+    if (htmlValue) break;
+  }
+  if (!htmlValue) {
+    for (let i2 = 0; i2 < valueExpr.childCount; i2++) {
+      const inner = valueExpr.child(i2);
+      if (inner && inner.type !== "{" && inner.type !== "}") {
+        htmlValue = inner;
+        break;
+      }
+    }
+  }
+  if (!htmlValue) return null;
+  const expression = getNodeText(htmlValue);
+  const { variable, literal } = analyzeJSArgument(htmlValue);
+  const enclosingFunc = findJSEnclosingFunction(attr);
+  return {
+    method_name: "dangerouslySetInnerHTML",
+    receiver: null,
+    arguments: [
+      {
+        position: 0,
+        expression,
+        variable,
+        literal
+      }
+    ],
+    location: {
+      line: attr.startPosition.row + 1,
+      column: attr.startPosition.column
+    },
+    in_method: enclosingFunc,
+    resolved: true,
+    resolution: {
+      status: "resolved",
+      target: "react.dangerouslySetInnerHTML"
+    }
+  };
+}
 function buildJSResolutionContext(tree, cache) {
   const context = {
     functionNames: /* @__PURE__ */ new Set(),
@@ -7285,7 +7414,7 @@ function detectLanguage2(tree) {
 }
 function extractImports(tree, language) {
   const effectiveLanguage = language ?? detectLanguage2(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
   if (effectiveLanguage === "go") {
@@ -7977,7 +8106,7 @@ function detectLanguage3(tree) {
 }
 function buildCFG(tree, language) {
   const effectiveLanguage = language ?? detectLanguage3(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const allBlocks = [];
   const allEdges = [];
   let blockIdCounter = 0;
@@ -8552,7 +8681,7 @@ function detectLanguage4(tree) {
 }
 function buildDFG(tree, cache, language) {
   const effectiveLanguage = language ?? detectLanguage4(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   if (isJavaScript) {
     return buildJavaScriptDFG(tree, cache);
   }
@@ -9360,7 +9489,18 @@ function buildBashDFG(tree) {
       if (varNameNode) {
         const varName = getNodeText(varNameNode);
         if (varName && !varName.startsWith("?") && !varName.startsWith("#")) {
-          const reachingDef = findReachingDef(varName, scopeStack);
+          let reachingDef = findReachingDef(varName, scopeStack);
+          if (reachingDef === null && !positionalParams.includes(varName)) {
+            const def = {
+              id: defIdCounter++,
+              variable: varName,
+              line: 0,
+              kind: "param"
+            };
+            defs.push(def);
+            scopeStack[0].set(varName, def.id);
+            reachingDef = def.id;
+          }
           uses.push({
             id: useIdCounter++,
             variable: varName,
@@ -9373,7 +9513,18 @@ function buildBashDFG(tree) {
       const varNameNode = node.namedChildCount > 0 ? node.namedChild(0) : null;
       if (varNameNode && varNameNode.type === "variable_name") {
         const varName = getNodeText(varNameNode);
-        const reachingDef = findReachingDef(varName, scopeStack);
+        let reachingDef = findReachingDef(varName, scopeStack);
+        if (reachingDef === null && !positionalParams.includes(varName)) {
+          const def = {
+            id: defIdCounter++,
+            variable: varName,
+            line: 0,
+            kind: "param"
+          };
+          defs.push(def);
+          scopeStack[0].set(varName, def.id);
+          reachingDef = def.id;
+        }
         uses.push({
           id: useIdCounter++,
           variable: varName,
@@ -9835,7 +9986,7 @@ var FRAMEWORK_MODULE_PATTERNS = [
   /^@nestjs\/core$/
 ];
 function extractRuntimeRegistrations(tree, cache, language, imports) {
-  if (language === "javascript" || language === "typescript") {
+  if (language === "javascript" || language === "typescript" || language === "tsx") {
     return extractJSRuntimeRegistrations(tree, cache, imports);
   }
   if (language === "python") {
@@ -10786,8 +10937,12 @@ var DEFAULT_SOURCES = [
   { method: "get", class: "cookies", type: "http_cookie", severity: "high", return_tainted: true },
   { property: "json", object: "request", type: "http_body", severity: "high", property_tainted: true },
   { property: "data", object: "request", type: "http_body", severity: "high", property_tainted: true },
+  { property: "stream", object: "request", type: "http_body", severity: "high", property_tainted: true },
   { property: "path", object: "request", type: "http_path", severity: "medium", property_tainted: true },
   { property: "query_string", object: "request", type: "http_query", severity: "high", property_tainted: true },
+  // Flask request.get_data() — raw request bytes (method form, parallel to request.data property)
+  { method: "get_data", class: "request", type: "http_body", severity: "high", return_tainted: true },
+  { method: "get_json", class: "request", type: "http_body", severity: "high", return_tainted: true },
   // Django request object
   { method: "get", class: "GET", type: "http_param", severity: "high", return_tainted: true },
   { method: "get", class: "POST", type: "http_param", severity: "high", return_tainted: true },
@@ -10999,14 +11154,19 @@ var DEFAULT_SINKS = [
   { method: "setExecutable", class: "ExecTask", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "setCommand", class: "ExecTask", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "execute", class: "Java", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // Shell/Bash utilities
-  { method: "bash", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "shell", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "sh", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "spawn", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "fork", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "popen", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "system", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  // Shell/Bash utilities — these are method-call sinks in host languages
+  // (Java Runtime/ProcessBuilder, JS child_process spawn/exec, Python subprocess, etc.).
+  // When the analyzed file IS a bash/shell script, the bash plugin's per-flag entries
+  // (argPositions: [1] for `bash -c <cmd>`) MUST win. Restrict these generic entries
+  // to non-shell languages so they don't collide on the dedup key
+  // `${location}:${call.location.line}:${pattern.cwe}`.
+  { method: "bash", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "shell", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "sh", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "spawn", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "fork", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "popen", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "system", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Apache Commons Exec
   // Note: bare class 'Executor' removed (see comment above) — DefaultExecutor matched explicitly.
   { method: "setCommandline", class: "DefaultExecutor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -11096,6 +11256,12 @@ var DEFAULT_SINKS = [
   { method: "unzip", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "extract", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "extractAll", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
+  // Python zipfile/tarfile use lowercase extractall (PEP 8 naming)
+  { method: "extractall", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0], languages: ["python"] },
+  // Python zipfile.ZipFile(path) — tainted archive path enables Zip-Slip via malicious archive
+  { method: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["python"] },
+  // Flask send_from_directory: untrusted filename can escape directory via ../
+  { method: "send_from_directory", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [1], languages: ["python"] },
   { method: "unjar", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   // Additional file constructors — BufferedReader(Reader) is NOT a path traversal sink; it wraps a Reader, not a file path
   { method: "PrintWriter", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -12180,16 +12346,42 @@ var DEFAULT_SINKS = [
   // value position so a tainted variable is detected.
   { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
   { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
-  // Mass-assignment (CWE-915) — Sprint 6, #86.
-  // JS Object.assign(target, ...sources) — sources are arg 1..N, and if any
-  // source is request-tainted, every key gets written onto the target. We
-  // flag the source positions; the analyzer only needs one tainted to fire.
-  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
-  // Lodash bulk-merge helpers behave identically.
-  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
-  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  // Mass-assignment (CWE-915 / CWE-1321) — Sprint 6, #86; cognium-dev #68 Sprint 10.
+  // JS Object.assign(target, ...sources), `_.merge`, `_.extend`, `$.extend`,
+  // `Object.defineProperty` — when fed an attacker-controlled bag, they write
+  // arbitrary keys onto the target (or, for `__proto__`/`constructor.prototype`,
+  // pollute the prototype chain). The CWE is CWE-1321 (Prototype Pollution),
+  // which subsumes mass assignment for JS sinks operating on plain Objects.
+  // We keep the existing `mass_assignment` SinkType so consumers route the
+  // findings the same way; only the CWE shifts to flag prototype-pollution.
+  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defineProperty", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "defineProperties", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1], languages: ["javascript", "typescript"] },
+  // Lodash bulk-merge helpers behave identically. `_.merge` and `lodash.merge`
+  // are aliases — match both receivers.
+  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "merge", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defaultsDeep", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defaultsDeep", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
   // jQuery $.extend(target, source) (legacy).
-  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] }
+  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "jQuery", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  // DOM-XSS via property assignment (CWE-79) — cognium-dev #68 Sprint 10.
+  // `el.innerHTML = tainted` / `el.outerHTML = tainted`. The JS call extractor
+  // emits a synthetic CallInfo with method=`innerHTML`/`outerHTML` for each
+  // matching assignment_expression. These classless entries catch them.
+  { method: "innerHTML", type: "xss", cwe: "CWE-79", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "outerHTML", type: "xss", cwe: "CWE-79", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // node-serialize.unserialize (CWE-502) — cognium-dev #68 Sprint 10.
+  // The node-serialize package evaluates `_$$ND_FUNC$$_` IIFE payloads on
+  // decode, turning untrusted input into RCE. Match both receiver-bound
+  // calls (`serialize.unserialize(x)`) and destructured imports
+  // (`const { unserialize } = require('node-serialize')`).
+  { method: "unserialize", class: "serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "unserialize", class: "node-serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "unserialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] }
 ];
 var DEFAULT_SANITIZERS = [
   // SQL Injection - proper parameter binding sanitizes input
@@ -12883,7 +13075,12 @@ function matchesSourcePattern(call, pattern) {
       if (call.receiver_type && call.receiver_type === pattern.class) {
       } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
       } else if (!call.receiver) {
-        return false;
+        const target = call.resolution?.target;
+        const expectedTail = `${pattern.class}.${pattern.method}`;
+        if (target && (target === expectedTail || target.endsWith("." + expectedTail))) {
+        } else {
+          return false;
+        }
       } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
@@ -13150,7 +13347,12 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
       }
       return false;
     } else if (!call.receiver && !call.receiver_type) {
-      return false;
+      const target = call.resolution?.target;
+      const expectedTail = `${pattern.class}.${pattern.method}`;
+      if (target && (target === expectedTail || target.endsWith("." + expectedTail))) {
+      } else {
+        return false;
+      }
     }
   }
   if (!pattern.class && call.receiver) {
@@ -14939,6 +15141,21 @@ function findInitialTaint(sources, callsByLine, defsByLine) {
         });
       }
     }
+    if (source.variable) {
+      const paramDefs = defsByLine.get(0) ?? [];
+      for (const def of paramDefs) {
+        if (def.kind === "param" && def.variable === source.variable) {
+          tainted.push({
+            variable: def.variable,
+            defId: def.id,
+            line: def.line,
+            sourceType: source.type,
+            sourceLine: source.line,
+            confidence: source.confidence
+          });
+        }
+      }
+    }
   }
   return tainted;
 }
@@ -15107,6 +15324,13 @@ function analyzeInterprocedural(graphOrTypes, callsOrSources, dfgOrSinks, source
     for (const def of graph.defsAtLine(source.line)) {
       seedIds.add(def.id);
     }
+    if (source.variable) {
+      for (const def of graph.defsAtLine(0)) {
+        if (def.kind === "param" && def.variable === source.variable) {
+          seedIds.add(def.id);
+        }
+      }
+    }
   }
   const taintedDefIds = graph.propagateTaintedDefIds(seedIds);
   const taintedVarsFromCP = options.taintedVariables ?? /* @__PURE__ */ new Set();
@@ -15258,7 +15482,36 @@ function analyzeInterprocedural(graphOrTypes, callsOrSources, dfgOrSinks, source
     const targetMethod = getMethodNode(methodNodes, call.method_name);
     if (!targetMethod) {
       if (taintedArgPositions.length > 0 && !collectionMethods.has(call.method_name) && !sanitizerMethods.has(call.method_name) && !safeUtilityMethods.has(call.method_name)) {
-        const sink = {
+        const isBash = graph.ir.meta.language === "bash";
+        const bashSafeBuiltins = /* @__PURE__ */ new Set([
+          "echo",
+          "printf",
+          "test",
+          "[",
+          "[[",
+          "true",
+          "false",
+          ":",
+          "declare",
+          "local",
+          "export",
+          "readonly",
+          "typeset"
+        ]);
+        if (isBash && bashSafeBuiltins.has(call.method_name)) {
+          continue;
+        }
+        const sink = isBash ? {
+          type: "command_injection",
+          cwe: "CWE-78",
+          location: `Tainted data (${taintedArgVars.join(", ")}) passed unquoted to shell utility ${call.method_name}`,
+          line: call.location.line,
+          confidence: 0.6,
+          method: call.method_name,
+          argPositions: taintedArgPositions
+        } : {
+          // Create an "external_taint_escape" sink for this call
+          // This represents tainted data being passed to code we can't analyze
           type: "external_taint_escape",
           cwe: "CWE-668",
           // Exposure of Resource to Wrong Sphere
@@ -18154,6 +18407,9 @@ var DefaultLanguageRegistry = class {
     }
   }
   get(language) {
+    if (language === "tsx") {
+      return this.plugins.get("javascript");
+    }
     return this.plugins.get(language);
   }
   getForFile(filePath) {
@@ -20590,6 +20846,23 @@ var BashPlugin = class extends BaseLanguagePlugin {
         cwe: "CWE-918",
         severity: "high",
         argPositions: [0]
+      },
+      // File inclusion — `source` and POSIX `.` execute arbitrary shell code
+      // from the file at the supplied path. With user-controlled input this is
+      // an RCE primitive equivalent to eval() on file contents (CWE-98).
+      {
+        method: "source",
+        type: "path_traversal",
+        cwe: "CWE-98",
+        severity: "critical",
+        argPositions: [0]
+      },
+      {
+        method: ".",
+        type: "path_traversal",
+        cwe: "CWE-98",
+        severity: "critical",
+        argPositions: [0]
       }
     ];
   }
@@ -21739,6 +22012,7 @@ function mergeHtmlResults(htmlMeta, scriptResults, attributeFindings) {
   const allSources = [];
   const allSinks = [];
   const allSanitizers = [];
+  const allFlows = [];
   const allImports = [];
   const allExports = [];
   const allFindings = [];
@@ -21824,6 +22098,14 @@ function mergeHtmlResults(htmlMeta, scriptResults, attributeFindings) {
         line: sanitizer.line + lineShift
       });
     }
+    for (const flow of ir.taint.flows ?? []) {
+      allFlows.push({
+        ...flow,
+        source_line: flow.source_line + lineShift,
+        sink_line: flow.sink_line + lineShift,
+        path: flow.path.map((step) => ({ ...step, line: step.line + lineShift }))
+      });
+    }
     for (const imp of ir.imports) {
       allImports.push({
         ...imp,
@@ -21843,7 +22125,8 @@ function mergeHtmlResults(htmlMeta, scriptResults, attributeFindings) {
   const taint = {
     sources: allSources,
     sinks: allSinks,
-    sanitizers: allSanitizers.length > 0 ? allSanitizers : void 0
+    sanitizers: allSanitizers.length > 0 ? allSanitizers : void 0,
+    flows: allFlows.length > 0 ? allFlows : void 0
   };
   const cfg = {
     blocks: allCfgBlocks,
@@ -22044,7 +22327,9 @@ var LanguageSourcesPass = class {
     const constProp = ctx.getResult("constant-propagation");
     const additionalSources = [];
     const additionalSinks = [];
+    const additionalSanitizers = [];
     additionalSources.push(...findGetterSources(types, constProp.instanceFieldTaint, code));
+    additionalSources.push(...findOopFieldReadSources(types, code, language));
     additionalSources.push(...findJavaScriptAssignmentSources(code, language));
     const jsDOMSinks = findJavaScriptDOMSinks(code, language);
     for (const s of jsDOMSinks) {
@@ -22096,9 +22381,10 @@ var LanguageSourcesPass = class {
       for (const finding of bashFindings) {
         ctx.addFinding(finding);
       }
+      additionalSanitizers.push(...findBashRegexAllowlistSanitizers(code));
     }
     attachSourceLineCode(additionalSources, additionalSinks, code);
-    return { additionalSources, additionalSinks, pyTaintedVars, pySanitizedVars, jsTaintedVars };
+    return { additionalSources, additionalSinks, additionalSanitizers, pyTaintedVars, pySanitizedVars, jsTaintedVars };
   }
 };
 function findGetterSources(types, instanceFieldTaint, _sourceCode) {
@@ -22149,6 +22435,115 @@ function findGetterSources(types, instanceFieldTaint, _sourceCode) {
   }
   return sources;
 }
+function findOopFieldReadSources(types, sourceCode, language) {
+  if (language !== "java" && language !== "python") return [];
+  const sources = [];
+  const lines = sourceCode.split("\n");
+  const isPython = language === "python";
+  const SELF = isPython ? "self" : "this";
+  const javaHttpPattern = /\b(?:req|request|httpRequest|servletRequest|httpServletRequest)\.(?:getParameter|getParameterValues|getParameterMap|getHeader|getHeaders|getCookies|getQueryString|getPathInfo|getRequestURI|getRequestURL|getInputStream|getReader)\b/;
+  const fieldAssignRe = new RegExp(`^\\s*${SELF}\\.([A-Za-z_]\\w*)\\s*=\\s*(.+?)(?:;\\s*)?$`);
+  const commentPrefix = isPython ? "#" : "//";
+  for (const type of types) {
+    if (type.kind !== "class") continue;
+    if (type.name === "<module>") continue;
+    let ctor;
+    for (const m of type.methods) {
+      if (isPython) {
+        if (m.name === "__init__") {
+          ctor = m;
+          break;
+        }
+      } else {
+        if (m.name === type.name) {
+          ctor = m;
+          break;
+        }
+      }
+    }
+    if (!ctor) continue;
+    const paramNames = /* @__PURE__ */ new Set();
+    for (const p of ctor.parameters) {
+      if (p.name === "self" || p.name === "this") continue;
+      paramNames.add(p.name);
+    }
+    const fieldTaint = /* @__PURE__ */ new Map();
+    const ctorStart = ctor.start_line;
+    const ctorEnd = ctor.end_line;
+    for (let i2 = ctorStart - 1; i2 < Math.min(ctorEnd, lines.length); i2++) {
+      const line = lines[i2] ?? "";
+      if (line.trim().startsWith(commentPrefix)) continue;
+      const m = line.match(fieldAssignRe);
+      if (!m) continue;
+      const fieldName = m[1];
+      const rhs = m[2].trim().replace(/;\s*$/, "");
+      let sourceType = null;
+      if (paramNames.has(rhs)) {
+        sourceType = "interprocedural_param";
+      } else if (!isPython && javaHttpPattern.test(rhs)) {
+        sourceType = "http_param";
+      } else if (isPython) {
+        for (const { pattern, type: type2 } of PYTHON_TAINTED_PATTERNS2) {
+          if (pattern.test(rhs)) {
+            sourceType = type2;
+            break;
+          }
+        }
+      }
+      if (sourceType) {
+        fieldTaint.set(fieldName, { line: i2 + 1, type: sourceType });
+      }
+    }
+    if (fieldTaint.size === 0) continue;
+    for (const [fieldName, info2] of fieldTaint) {
+      sources.push({
+        type: info2.type,
+        location: `${type.name}.${SELF}.${fieldName} (constructor-injected field, #78)`,
+        severity: "high",
+        line: info2.line,
+        confidence: 0.85,
+        variable: `${SELF}.${fieldName}`
+      });
+    }
+    for (const m of type.methods) {
+      if (m === ctor) continue;
+      const nonSelfParams = m.parameters.filter((p) => p.name !== "self" && p.name !== "this");
+      if (nonSelfParams.length !== 0) continue;
+      const mStart = m.start_line;
+      const mEnd = m.end_line;
+      let returnedField = null;
+      let returnStatementCount = 0;
+      const returnRe = new RegExp(`\\breturn\\s+${SELF}\\.([A-Za-z_]\\w*)\\s*[;}]?`);
+      for (let i2 = mStart - 1; i2 < Math.min(mEnd, lines.length); i2++) {
+        const raw = lines[i2] ?? "";
+        const trimmed = raw.trim();
+        if (!trimmed) continue;
+        if (trimmed.startsWith(commentPrefix)) continue;
+        const rm = trimmed.match(returnRe);
+        if (rm) {
+          returnedField = rm[1];
+          returnStatementCount++;
+        } else if (/\breturn\b/.test(trimmed)) {
+          returnStatementCount = 99;
+          break;
+        }
+      }
+      if (returnStatementCount === 1 && returnedField && fieldTaint.has(returnedField)) {
+        const fieldInfo = fieldTaint.get(returnedField);
+        const getterVar = isPython ? `${SELF}.${m.name}` : m.name;
+        sources.push({
+          type: fieldInfo.type,
+          location: `${type.name}.${m.name} returns tainted field '${returnedField}' (#78)`,
+          severity: "high",
+          line: m.start_line,
+          confidence: 0.85,
+          variable: getterVar
+        });
+      }
+    }
+  }
+  return sources;
+}
 function findJavaScriptAssignmentSources(sourceCode, language) {
   if (!["javascript", "typescript"].includes(language)) return [];
   const sources = [];
@@ -22217,55 +22612,55 @@ function buildPythonTaintedVars(sourceCode) {
   for (let i2 = 0; i2 < lines.length; i2++) {
     const line = lines[i2];
     if (line.trimStart().startsWith("#")) continue;
-    const subscriptAssign = line.match(/^\s*(\w+)\[(['"])([^'"]+)\2\]\s*=\s*(.+)$/);
+    const subscriptAssign = line.match(/^\s*([\p{L}\p{N}_]+)\[(['"])([^'"]+)\2\]\s*=\s*(.+)$/u);
     if (subscriptAssign) {
       const [, container, , key, rhs2] = subscriptAssign;
-      const isTaintedRhs = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(rhs2));
+      const isTaintedRhs = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(rhs2));
       if (isTaintedRhs) containerTainted.set(`${container}['${key}']`, i2 + 1);
       continue;
     }
-    const setCallMatch = line.match(/^\s*(\w+)\.set\s*\(\s*(['"])([^'"]+)\2\s*,\s*(['"])([^'"]+)\4\s*,\s*(.+?)\s*\)$/);
+    const setCallMatch = line.match(/^\s*([\p{L}\p{N}_]+)\.set\s*\(\s*(['"])([^'"]+)\2\s*,\s*(['"])([^'"]+)\4\s*,\s*(.+?)\s*\)$/u);
     if (setCallMatch) {
       const [, obj, , section, , key, rhs2] = setCallMatch;
-      const isTaintedRhs = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(rhs2));
+      const isTaintedRhs = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(rhs2));
       if (isTaintedRhs) containerTainted.set(`${obj}['${section}']['${key}']`, i2 + 1);
       continue;
     }
-    const containerAppendMatch = line.match(/^\s*(\w+)\.(append|extend|insert|add|push|put|appendleft)\s*\(\s*(.+?)\s*\)\s*$/);
+    const containerAppendMatch = line.match(/^\s*([\p{L}\p{N}_]+)\.(append|extend|insert|add|push|put|appendleft)\s*\(\s*(.+?)\s*\)\s*$/u);
     if (containerAppendMatch) {
       const [, receiver, , argExpr] = containerAppendMatch;
-      const argIsTainted = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(argExpr));
+      const argIsTainted = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(argExpr));
       const argIsDirectSource = PYTHON_TAINTED_PATTERNS2.some((p) => p.pattern.test(argExpr));
       if (argIsTainted || argIsDirectSource) tainted.set(receiver, tainted.get(receiver) ?? i2 + 1);
       continue;
     }
-    const augAssign = line.match(/^\s*(\w+)\s*\+=\s*(.+)$/);
+    const augAssign = line.match(/^\s*([\p{L}\p{N}_]+)\s*\+=\s*(.+)$/u);
     if (augAssign) {
       const [, augLhs, augRhs] = augAssign;
-      const rhsTainted = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(augRhs));
+      const rhsTainted = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(augRhs));
       if (rhsTainted || tainted.has(augLhs)) tainted.set(augLhs, tainted.get(augLhs) ?? i2 + 1);
       continue;
     }
-    const forLoopMatch = line.match(/^\s*for\s+(\w+)\s+in\s+(.+?)(?:\s*:\s*)?$/);
+    const forLoopMatch = line.match(/^\s*for\s+([\p{L}\p{N}_]+)\s+in\s+(.+?)(?:\s*:\s*)?$/u);
     if (forLoopMatch) {
       const [, iterVar, iterExpr] = forLoopMatch;
       const isDirectSource2 = PYTHON_TAINTED_PATTERNS2.some((p) => p.pattern.test(iterExpr));
-      const isPropagated = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(iterExpr));
+      const isPropagated = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(iterExpr));
       if (isDirectSource2 || isPropagated) tainted.set(iterVar, i2 + 1);
       continue;
     }
-    const assignMatch = line.match(/^\s*(\w+)\s*=\s*(.+)$/);
+    const assignMatch = line.match(/^\s*([\p{L}\p{N}_]+)\s*=\s*(.+)$/u);
     if (!assignMatch) continue;
     const [, lhs, rhs] = assignMatch;
     const isDirectSource = PYTHON_TAINTED_PATTERNS2.some((p) => p.pattern.test(rhs));
     let propagatedFrom;
-    const dictAccessMatch = rhs.trim().match(/^(\w+)\[(['"])([^'"]+)\2\]$/);
+    const dictAccessMatch = rhs.trim().match(/^([\p{L}\p{N}_]+)\[(['"])([^'"]+)\2\]$/u);
     if (dictAccessMatch) {
       const [, container, , key] = dictAccessMatch;
       if (containerTainted.has(`${container}['${key}']`)) propagatedFrom = `${container}['${key}']`;
     }
     if (!propagatedFrom) {
-      const confGetMatch = rhs.trim().match(/^(\w+)\.get\s*\(\s*(['"])([^'"]+)\2\s*,\s*(['"])([^'"]+)\4\s*\)$/);
+      const confGetMatch = rhs.trim().match(/^([\p{L}\p{N}_]+)\.get\s*\(\s*(['"])([^'"]+)\2\s*,\s*(['"])([^'"]+)\4\s*\)$/u);
       if (confGetMatch) {
         const [, obj, , section, , key] = confGetMatch;
         if (containerTainted.has(`${obj}['${section}']['${key}']`)) propagatedFrom = `${obj}['${section}']['${key}']`;
@@ -22273,7 +22668,7 @@ function buildPythonTaintedVars(sourceCode) {
     }
     if (!propagatedFrom) {
       const isSafeEnvRead = /\bos\.environ\.get\s*\(/.test(rhs) || /\bos\.getenv\s*\(/.test(rhs);
-      if (!isSafeEnvRead) propagatedFrom = [...tainted.keys()].find((v) => new RegExp(`\\b${v}\\b`).test(rhs));
+      if (!isSafeEnvRead) propagatedFrom = [...tainted.keys()].find((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(rhs));
     }
     if (isDirectSource) {
       tainted.set(lhs, i2 + 1);
@@ -22634,6 +23029,52 @@ function findBashPatternFindings(sourceCode, file) {
   }
   return findings;
 }
+function findBashRegexAllowlistSanitizers(code) {
+  const sanitizers = [];
+  const lines = code.split("\n");
+  const guardRe = /^\s*if\s+\[\[\s*!\s*"?\$\{?(\w+)\}?"?\s*=~\s*(\S+)\s*\]\]\s*;\s*then\s+(exit|return|die)\b/;
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    const m = guardRe.exec(lines[i2]);
+    if (!m) continue;
+    const regexLiteral = m[2];
+    if (!isSafeBashAllowlistRegex(regexLiteral)) continue;
+    const ifLine1Indexed = i2 + 1;
+    for (let l = ifLine1Indexed + 1; l <= lines.length; l++) {
+      sanitizers.push({
+        type: "regex_allowlist",
+        method: "=~",
+        line: l,
+        sanitizes: [
+          "command_injection",
+          "path_traversal",
+          "sql_injection",
+          "code_injection",
+          "ssrf",
+          "xss",
+          "open_redirect",
+          "log_injection"
+        ]
+      });
+    }
+  }
+  return sanitizers;
+}
+function isSafeBashAllowlistRegex(literal) {
+  if (!literal.startsWith("^") || !literal.endsWith("$")) return false;
+  const body2 = literal.slice(1, -1);
+  if (body2.length === 0) return false;
+  if (body2.includes(".*") || body2.includes(".+")) return false;
+  if (body2.includes("|")) return false;
+  if (/\\\d/.test(body2)) return false;
+  const safeToken = /\[[^\]]+\][+*?]?|\\.|[A-Za-z0-9_\-./]|[+*?]/g;
+  let consumed = 0;
+  let match;
+  while ((match = safeToken.exec(body2)) !== null) {
+    if (match.index !== consumed) return false;
+    consumed += match[0].length;
+  }
+  return consumed === body2.length;
+}
 
 // src/analysis/passes/sink-filter-pass.ts
 var JS_XSS_SANITIZERS = [
@@ -22673,7 +23114,10 @@ var SinkFilterPass = class {
         sinks.push(s);
       }
     }
-    const sanitizers = taintMatcher.sanitizers;
+    const sanitizers = [
+      ...taintMatcher.sanitizers,
+      ...langSources.additionalSanitizers ?? []
+    ];
     let filtered = sinks.filter((sink) => !constProp.unreachableLines.has(sink.line));
     filtered = filterCleanArraySinks(filtered, calls, constProp.taintedArrayElements, constProp.symbols);
     filtered = filterCleanVariableSinks(
@@ -23403,7 +23847,7 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
   for (const s of sourcesWithVar) {
     if (reCache.has(s.variable)) continue;
     const escaped = s.variable.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    reCache.set(s.variable, new RegExp(`\\b${escaped}\\b`));
+    reCache.set(s.variable, new RegExp(`(?<![\\p{L}\\p{N}_])${escaped}(?![\\p{L}\\p{N}_])`, "u"));
   }
   const callsByLine = /* @__PURE__ */ new Map();
   for (const call of calls) {
@@ -23927,6 +24371,7 @@ function isPublicMethod(method, language) {
       return method.modifiers.includes("public");
     case "javascript":
     case "typescript":
+    case "tsx":
       return !method.modifiers.includes("private") && !method.modifiers.includes("protected");
     case "python":
       return !method.name.startsWith("_");
@@ -23945,7 +24390,7 @@ var MissingPublicDocPass = class {
     if (UTIL_DIR_RE.test(graph.ir.meta.file)) {
       return { missingDocMethods: [], missingDocTypes: [] };
     }
-    if (!["java", "javascript", "typescript", "python"].includes(language)) {
+    if (!["java", "javascript", "typescript", "tsx", "python"].includes(language)) {
       return { missingDocMethods: [], missingDocTypes: [] };
     }
     const lines = code.split("\n");
@@ -24448,6 +24893,7 @@ function hasDeclKeyword(lineText, language) {
       return /\b(?:int|long|float|double|boolean|byte|char|short|var|final)\b/.test(lineText) || /\b[A-Z]\w*(?:<[^>]*>)?\s+\w/.test(lineText);
     case "javascript":
     case "typescript":
+    case "tsx":
       return /\b(?:let|const|var)\s+[\w{[]/.test(lineText);
     case "rust":
       return /\blet\s+(?:mut\s+)?\w/.test(lineText);
@@ -28386,6 +28832,7 @@ var WeakRandomPass = class {
         return "Use the `secrets` module (`secrets.token_bytes`, `secrets.token_hex`, `secrets.choice`, `secrets.randbelow`).";
       case "javascript":
       case "typescript":
+      case "tsx":
         return "Use `crypto.randomBytes(n)` (Node.js) or `crypto.getRandomValues(typedArray)` (browser).";
       case "go":
         return "Use `crypto/rand` instead of `math/rand`. Example: `b := make([]byte, 32); _, _ = rand.Read(b)` (where `rand` is `crypto/rand`).";
@@ -28422,7 +28869,7 @@ var WeakRandomPass = class {
       }
       return null;
     }
-    if (language === "javascript" || language === "typescript") {
+    if (language === "javascript" || language === "typescript" || language === "tsx") {
       if (method === "random" && (receiver === "Math" || receiver.endsWith(".Math"))) {
         return "Math.random";
       }
@@ -29830,6 +30277,7 @@ function getNodeTypesForLanguage(language) {
       ]);
     case "javascript":
     case "typescript":
+    case "tsx":
       return /* @__PURE__ */ new Set([
         "call_expression",
         "new_expression",
@@ -29842,7 +30290,13 @@ function getNodeTypesForLanguage(language) {
         "import_statement",
         "export_statement",
         "member_expression",
-        "assignment_expression"
+        "assignment_expression",
+        // JSX node types — tree-sitter-tsx grammar (.tsx/.jsx routing)
+        "jsx_element",
+        "jsx_self_closing_element",
+        "jsx_opening_element",
+        "jsx_attribute",
+        "jsx_expression"
       ]);
     case "bash":
       return /* @__PURE__ */ new Set([
@@ -29906,8 +30360,15 @@ async function analyze(code, filePath, language, options = {}) {
   if (language === "html") {
     return analyzeHtmlFile(code, filePath, options);
   }
-  logger.debug("Analyzing file", { filePath, language, codeLength: code.length });
-  const tree = await parse(code, language);
+  let parseGrammar = language;
+  if (language === "javascript" || language === "typescript") {
+    const lower = filePath.toLowerCase();
+    if (lower.endsWith(".tsx") || lower.endsWith(".jsx")) {
+      parseGrammar = "tsx";
+    }
+  }
+  logger.debug("Analyzing file", { filePath, language, parseGrammar, codeLength: code.length });
+  const tree = await parse(code, parseGrammar);
   try {
     logger.trace("Parsed AST", { rootNodeType: tree.rootNode.type });
     const parseStatus = extractParseStatus(tree);