circle-ir 3.58.0 → 3.62.0

package/dist/core/circle-ir-core.cjs

@@ -4387,7 +4387,7 @@ function detectLanguage(tree) {
 }
 function extractTypes(tree, cache, language) {
   const effectiveLanguage = language ?? detectLanguage(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
   if (effectiveLanguage === "go") {
@@ -5773,7 +5773,7 @@ function detectLanguageFromTree(tree, cache) {
 function extractCalls(tree, cache, language) {
   const calls = [];
   const detectedLanguage = language ?? detectLanguageFromTree(tree, cache);
-  const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript";
+  const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript" || detectedLanguage === "tsx";
   const isPython = detectedLanguage === "python";
   const isRust = detectedLanguage === "rust";
   if (detectedLanguage === "go") {
@@ -5822,8 +5822,137 @@ function extractJavaScriptCalls(tree, cache) {
       calls.push(callInfo);
     }
   }
+  const jsxAttributes = getNodesFromCache(tree.rootNode, "jsx_attribute", cache);
+  for (const attr of jsxAttributes) {
+    const callInfo = extractJSXAttributeSink(attr);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
+  const assignments = getNodesFromCache(tree.rootNode, "assignment_expression", cache);
+  for (const assign of assignments) {
+    const callInfo = extractDomPropertyAssignmentSink(assign);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
   return calls;
 }
+var DOM_XSS_ASSIGNMENT_PROPERTIES = /* @__PURE__ */ new Set([
+  "innerHTML",
+  "outerHTML"
+]);
+function extractDomPropertyAssignmentSink(node) {
+  const leftNode = node.childForFieldName("left");
+  const rightNode = node.childForFieldName("right");
+  if (!leftNode || !rightNode) return null;
+  if (leftNode.type !== "member_expression") return null;
+  const propertyNode = leftNode.childForFieldName("property");
+  const objectNode = leftNode.childForFieldName("object");
+  if (!propertyNode) return null;
+  const propertyName = getNodeText(propertyNode);
+  if (!DOM_XSS_ASSIGNMENT_PROPERTIES.has(propertyName)) return null;
+  const receiver = objectNode ? getNodeText(objectNode) : null;
+  const expression = getNodeText(rightNode);
+  const { variable, literal } = analyzeJSArgument(rightNode);
+  const enclosingFunc = findJSEnclosingFunction(node);
+  return {
+    method_name: propertyName,
+    receiver,
+    arguments: [
+      {
+        position: 0,
+        expression,
+        variable,
+        literal
+      }
+    ],
+    location: {
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    },
+    in_method: enclosingFunc,
+    resolved: true,
+    resolution: {
+      status: "resolved",
+      target: `DOM.${propertyName}`
+    }
+  };
+}
+function extractJSXAttributeSink(attr) {
+  let nameNode = null;
+  for (let i2 = 0; i2 < attr.childCount; i2++) {
+    const child = attr.child(i2);
+    if (child && child.type === "property_identifier") {
+      nameNode = child;
+      break;
+    }
+  }
+  if (!nameNode) return null;
+  const attrName = getNodeText(nameNode);
+  if (attrName !== "dangerouslySetInnerHTML") return null;
+  let valueExpr = null;
+  for (let i2 = 0; i2 < attr.childCount; i2++) {
+    const child = attr.child(i2);
+    if (child && child.type === "jsx_expression") {
+      valueExpr = child;
+      break;
+    }
+  }
+  if (!valueExpr) return null;
+  let htmlValue = null;
+  for (let i2 = 0; i2 < valueExpr.childCount; i2++) {
+    const inner = valueExpr.child(i2);
+    if (!inner || inner.type !== "object") continue;
+    for (let j = 0; j < inner.childCount; j++) {
+      const pair = inner.child(j);
+      if (!pair || pair.type !== "pair") continue;
+      const keyNode = pair.childForFieldName("key");
+      if (!keyNode) continue;
+      const keyText = getNodeText(keyNode).replace(/^["']|["']$/g, "");
+      if (keyText === "__html") {
+        htmlValue = pair.childForFieldName("value");
+        break;
+      }
+    }
+    if (htmlValue) break;
+  }
+  if (!htmlValue) {
+    for (let i2 = 0; i2 < valueExpr.childCount; i2++) {
+      const inner = valueExpr.child(i2);
+      if (inner && inner.type !== "{" && inner.type !== "}") {
+        htmlValue = inner;
+        break;
+      }
+    }
+  }
+  if (!htmlValue) return null;
+  const expression = getNodeText(htmlValue);
+  const { variable, literal } = analyzeJSArgument(htmlValue);
+  const enclosingFunc = findJSEnclosingFunction(attr);
+  return {
+    method_name: "dangerouslySetInnerHTML",
+    receiver: null,
+    arguments: [
+      {
+        position: 0,
+        expression,
+        variable,
+        literal
+      }
+    ],
+    location: {
+      line: attr.startPosition.row + 1,
+      column: attr.startPosition.column
+    },
+    in_method: enclosingFunc,
+    resolved: true,
+    resolution: {
+      status: "resolved",
+      target: "react.dangerouslySetInnerHTML"
+    }
+  };
+}
 function buildJSResolutionContext(tree, cache) {
   const context = {
     functionNames: /* @__PURE__ */ new Set(),
@@ -7331,7 +7460,7 @@ function detectLanguage2(tree) {
 }
 function extractImports(tree, language) {
   const effectiveLanguage = language ?? detectLanguage2(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
   if (effectiveLanguage === "go") {
@@ -8023,7 +8152,7 @@ function detectLanguage3(tree) {
 }
 function buildCFG(tree, language) {
   const effectiveLanguage = language ?? detectLanguage3(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const allBlocks = [];
   const allEdges = [];
   let blockIdCounter = 0;
@@ -8598,7 +8727,7 @@ function detectLanguage4(tree) {
 }
 function buildDFG(tree, cache, language) {
   const effectiveLanguage = language ?? detectLanguage4(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   if (isJavaScript) {
     return buildJavaScriptDFG(tree, cache);
   }
@@ -9406,7 +9535,18 @@ function buildBashDFG(tree) {
       if (varNameNode) {
         const varName = getNodeText(varNameNode);
         if (varName && !varName.startsWith("?") && !varName.startsWith("#")) {
-          const reachingDef = findReachingDef(varName, scopeStack);
+          let reachingDef = findReachingDef(varName, scopeStack);
+          if (reachingDef === null && !positionalParams.includes(varName)) {
+            const def = {
+              id: defIdCounter++,
+              variable: varName,
+              line: 0,
+              kind: "param"
+            };
+            defs.push(def);
+            scopeStack[0].set(varName, def.id);
+            reachingDef = def.id;
+          }
           uses.push({
             id: useIdCounter++,
             variable: varName,
@@ -9419,7 +9559,18 @@ function buildBashDFG(tree) {
       const varNameNode = node.namedChildCount > 0 ? node.namedChild(0) : null;
       if (varNameNode && varNameNode.type === "variable_name") {
         const varName = getNodeText(varNameNode);
-        const reachingDef = findReachingDef(varName, scopeStack);
+        let reachingDef = findReachingDef(varName, scopeStack);
+        if (reachingDef === null && !positionalParams.includes(varName)) {
+          const def = {
+            id: defIdCounter++,
+            variable: varName,
+            line: 0,
+            kind: "param"
+          };
+          defs.push(def);
+          scopeStack[0].set(varName, def.id);
+          reachingDef = def.id;
+        }
         uses.push({
           id: useIdCounter++,
           variable: varName,
@@ -10168,8 +10319,12 @@ var DEFAULT_SOURCES = [
   { method: "get", class: "cookies", type: "http_cookie", severity: "high", return_tainted: true },
   { property: "json", object: "request", type: "http_body", severity: "high", property_tainted: true },
   { property: "data", object: "request", type: "http_body", severity: "high", property_tainted: true },
+  { property: "stream", object: "request", type: "http_body", severity: "high", property_tainted: true },
   { property: "path", object: "request", type: "http_path", severity: "medium", property_tainted: true },
   { property: "query_string", object: "request", type: "http_query", severity: "high", property_tainted: true },
+  // Flask request.get_data() — raw request bytes (method form, parallel to request.data property)
+  { method: "get_data", class: "request", type: "http_body", severity: "high", return_tainted: true },
+  { method: "get_json", class: "request", type: "http_body", severity: "high", return_tainted: true },
   // Django request object
   { method: "get", class: "GET", type: "http_param", severity: "high", return_tainted: true },
   { method: "get", class: "POST", type: "http_param", severity: "high", return_tainted: true },
@@ -10381,14 +10536,19 @@ var DEFAULT_SINKS = [
   { method: "setExecutable", class: "ExecTask", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "setCommand", class: "ExecTask", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "execute", class: "Java", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // Shell/Bash utilities
-  { method: "bash", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "shell", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "sh", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "spawn", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "fork", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "popen", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "system", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  // Shell/Bash utilities — these are method-call sinks in host languages
+  // (Java Runtime/ProcessBuilder, JS child_process spawn/exec, Python subprocess, etc.).
+  // When the analyzed file IS a bash/shell script, the bash plugin's per-flag entries
+  // (argPositions: [1] for `bash -c <cmd>`) MUST win. Restrict these generic entries
+  // to non-shell languages so they don't collide on the dedup key
+  // `${location}:${call.location.line}:${pattern.cwe}`.
+  { method: "bash", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "shell", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "sh", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "spawn", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "fork", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "popen", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "system", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Apache Commons Exec
   // Note: bare class 'Executor' removed (see comment above) — DefaultExecutor matched explicitly.
   { method: "setCommandline", class: "DefaultExecutor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -10478,6 +10638,12 @@ var DEFAULT_SINKS = [
   { method: "unzip", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "extract", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "extractAll", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
+  // Python zipfile/tarfile use lowercase extractall (PEP 8 naming)
+  { method: "extractall", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0], languages: ["python"] },
+  // Python zipfile.ZipFile(path) — tainted archive path enables Zip-Slip via malicious archive
+  { method: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["python"] },
+  // Flask send_from_directory: untrusted filename can escape directory via ../
+  { method: "send_from_directory", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [1], languages: ["python"] },
   { method: "unjar", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   // Additional file constructors — BufferedReader(Reader) is NOT a path traversal sink; it wraps a Reader, not a file path
   { method: "PrintWriter", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -11562,16 +11728,42 @@ var DEFAULT_SINKS = [
   // value position so a tainted variable is detected.
   { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
   { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
-  // Mass-assignment (CWE-915) — Sprint 6, #86.
-  // JS Object.assign(target, ...sources) — sources are arg 1..N, and if any
-  // source is request-tainted, every key gets written onto the target. We
-  // flag the source positions; the analyzer only needs one tainted to fire.
-  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
-  // Lodash bulk-merge helpers behave identically.
-  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
-  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  // Mass-assignment (CWE-915 / CWE-1321) — Sprint 6, #86; cognium-dev #68 Sprint 10.
+  // JS Object.assign(target, ...sources), `_.merge`, `_.extend`, `$.extend`,
+  // `Object.defineProperty` — when fed an attacker-controlled bag, they write
+  // arbitrary keys onto the target (or, for `__proto__`/`constructor.prototype`,
+  // pollute the prototype chain). The CWE is CWE-1321 (Prototype Pollution),
+  // which subsumes mass assignment for JS sinks operating on plain Objects.
+  // We keep the existing `mass_assignment` SinkType so consumers route the
+  // findings the same way; only the CWE shifts to flag prototype-pollution.
+  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defineProperty", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "defineProperties", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1], languages: ["javascript", "typescript"] },
+  // Lodash bulk-merge helpers behave identically. `_.merge` and `lodash.merge`
+  // are aliases — match both receivers.
+  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "merge", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defaultsDeep", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defaultsDeep", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
   // jQuery $.extend(target, source) (legacy).
-  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] }
+  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "jQuery", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  // DOM-XSS via property assignment (CWE-79) — cognium-dev #68 Sprint 10.
+  // `el.innerHTML = tainted` / `el.outerHTML = tainted`. The JS call extractor
+  // emits a synthetic CallInfo with method=`innerHTML`/`outerHTML` for each
+  // matching assignment_expression. These classless entries catch them.
+  { method: "innerHTML", type: "xss", cwe: "CWE-79", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "outerHTML", type: "xss", cwe: "CWE-79", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // node-serialize.unserialize (CWE-502) — cognium-dev #68 Sprint 10.
+  // The node-serialize package evaluates `_$$ND_FUNC$$_` IIFE payloads on
+  // decode, turning untrusted input into RCE. Match both receiver-bound
+  // calls (`serialize.unserialize(x)`) and destructured imports
+  // (`const { unserialize } = require('node-serialize')`).
+  { method: "unserialize", class: "serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "unserialize", class: "node-serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "unserialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] }
 ];
 var DEFAULT_SANITIZERS = [
   // SQL Injection - proper parameter binding sanitizes input
@@ -12178,7 +12370,12 @@ function matchesSourcePattern(call, pattern) {
       if (call.receiver_type && call.receiver_type === pattern.class) {
       } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
       } else if (!call.receiver) {
-        return false;
+        const target = call.resolution?.target;
+        const expectedTail = `${pattern.class}.${pattern.method}`;
+        if (target && (target === expectedTail || target.endsWith("." + expectedTail))) {
+        } else {
+          return false;
+        }
       } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
@@ -12445,7 +12642,12 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
       }
       return false;
     } else if (!call.receiver && !call.receiver_type) {
-      return false;
+      const target = call.resolution?.target;
+      const expectedTail = `${pattern.class}.${pattern.method}`;
+      if (target && (target === expectedTail || target.endsWith("." + expectedTail))) {
+      } else {
+        return false;
+      }
     }
   }
   if (!pattern.class && call.receiver) {
@@ -13287,6 +13489,21 @@ function findInitialTaint(sources, callsByLine, defsByLine) {
         });
       }
     }
+    if (source.variable) {
+      const paramDefs = defsByLine.get(0) ?? [];
+      for (const def of paramDefs) {
+        if (def.kind === "param" && def.variable === source.variable) {
+          tainted.push({
+            variable: def.variable,
+            defId: def.id,
+            line: def.line,
+            sourceType: source.type,
+            sourceLine: source.line,
+            confidence: source.confidence
+          });
+        }
+      }
+    }
   }
   return tainted;
 }