circle-ir 3.58.0 → 3.62.0

package/dist/core/circle-ir-core.js

@@ -4321,7 +4321,7 @@ function detectLanguage(tree) {
 }
 function extractTypes(tree, cache, language) {
   const effectiveLanguage = language ?? detectLanguage(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
   if (effectiveLanguage === "go") {
@@ -5707,7 +5707,7 @@ function detectLanguageFromTree(tree, cache) {
 function extractCalls(tree, cache, language) {
   const calls = [];
   const detectedLanguage = language ?? detectLanguageFromTree(tree, cache);
-  const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript";
+  const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript" || detectedLanguage === "tsx";
   const isPython = detectedLanguage === "python";
   const isRust = detectedLanguage === "rust";
   if (detectedLanguage === "go") {
@@ -5756,8 +5756,137 @@ function extractJavaScriptCalls(tree, cache) {
       calls.push(callInfo);
     }
   }
+  const jsxAttributes = getNodesFromCache(tree.rootNode, "jsx_attribute", cache);
+  for (const attr of jsxAttributes) {
+    const callInfo = extractJSXAttributeSink(attr);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
+  const assignments = getNodesFromCache(tree.rootNode, "assignment_expression", cache);
+  for (const assign of assignments) {
+    const callInfo = extractDomPropertyAssignmentSink(assign);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
   return calls;
 }
+var DOM_XSS_ASSIGNMENT_PROPERTIES = /* @__PURE__ */ new Set([
+  "innerHTML",
+  "outerHTML"
+]);
+function extractDomPropertyAssignmentSink(node) {
+  const leftNode = node.childForFieldName("left");
+  const rightNode = node.childForFieldName("right");
+  if (!leftNode || !rightNode) return null;
+  if (leftNode.type !== "member_expression") return null;
+  const propertyNode = leftNode.childForFieldName("property");
+  const objectNode = leftNode.childForFieldName("object");
+  if (!propertyNode) return null;
+  const propertyName = getNodeText(propertyNode);
+  if (!DOM_XSS_ASSIGNMENT_PROPERTIES.has(propertyName)) return null;
+  const receiver = objectNode ? getNodeText(objectNode) : null;
+  const expression = getNodeText(rightNode);
+  const { variable, literal } = analyzeJSArgument(rightNode);
+  const enclosingFunc = findJSEnclosingFunction(node);
+  return {
+    method_name: propertyName,
+    receiver,
+    arguments: [
+      {
+        position: 0,
+        expression,
+        variable,
+        literal
+      }
+    ],
+    location: {
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    },
+    in_method: enclosingFunc,
+    resolved: true,
+    resolution: {
+      status: "resolved",
+      target: `DOM.${propertyName}`
+    }
+  };
+}
+function extractJSXAttributeSink(attr) {
+  let nameNode = null;
+  for (let i2 = 0; i2 < attr.childCount; i2++) {
+    const child = attr.child(i2);
+    if (child && child.type === "property_identifier") {
+      nameNode = child;
+      break;
+    }
+  }
+  if (!nameNode) return null;
+  const attrName = getNodeText(nameNode);
+  if (attrName !== "dangerouslySetInnerHTML") return null;
+  let valueExpr = null;
+  for (let i2 = 0; i2 < attr.childCount; i2++) {
+    const child = attr.child(i2);
+    if (child && child.type === "jsx_expression") {
+      valueExpr = child;
+      break;
+    }
+  }
+  if (!valueExpr) return null;
+  let htmlValue = null;
+  for (let i2 = 0; i2 < valueExpr.childCount; i2++) {
+    const inner = valueExpr.child(i2);
+    if (!inner || inner.type !== "object") continue;
+    for (let j = 0; j < inner.childCount; j++) {
+      const pair = inner.child(j);
+      if (!pair || pair.type !== "pair") continue;
+      const keyNode = pair.childForFieldName("key");
+      if (!keyNode) continue;
+      const keyText = getNodeText(keyNode).replace(/^["']|["']$/g, "");
+      if (keyText === "__html") {
+        htmlValue = pair.childForFieldName("value");
+        break;
+      }
+    }
+    if (htmlValue) break;
+  }
+  if (!htmlValue) {
+    for (let i2 = 0; i2 < valueExpr.childCount; i2++) {
+      const inner = valueExpr.child(i2);
+      if (inner && inner.type !== "{" && inner.type !== "}") {
+        htmlValue = inner;
+        break;
+      }
+    }
+  }
+  if (!htmlValue) return null;
+  const expression = getNodeText(htmlValue);
+  const { variable, literal } = analyzeJSArgument(htmlValue);
+  const enclosingFunc = findJSEnclosingFunction(attr);
+  return {
+    method_name: "dangerouslySetInnerHTML",
+    receiver: null,
+    arguments: [
+      {
+        position: 0,
+        expression,
+        variable,
+        literal
+      }
+    ],
+    location: {
+      line: attr.startPosition.row + 1,
+      column: attr.startPosition.column
+    },
+    in_method: enclosingFunc,
+    resolved: true,
+    resolution: {
+      status: "resolved",
+      target: "react.dangerouslySetInnerHTML"
+    }
+  };
+}
 function buildJSResolutionContext(tree, cache) {
   const context = {
     functionNames: /* @__PURE__ */ new Set(),
@@ -7265,7 +7394,7 @@ function detectLanguage2(tree) {
 }
 function extractImports(tree, language) {
   const effectiveLanguage = language ?? detectLanguage2(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
   if (effectiveLanguage === "go") {
@@ -7957,7 +8086,7 @@ function detectLanguage3(tree) {
 }
 function buildCFG(tree, language) {
   const effectiveLanguage = language ?? detectLanguage3(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const allBlocks = [];
   const allEdges = [];
   let blockIdCounter = 0;
@@ -8532,7 +8661,7 @@ function detectLanguage4(tree) {
 }
 function buildDFG(tree, cache, language) {
   const effectiveLanguage = language ?? detectLanguage4(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   if (isJavaScript) {
     return buildJavaScriptDFG(tree, cache);
   }
@@ -9340,7 +9469,18 @@ function buildBashDFG(tree) {
       if (varNameNode) {
         const varName = getNodeText(varNameNode);
         if (varName && !varName.startsWith("?") && !varName.startsWith("#")) {
-          const reachingDef = findReachingDef(varName, scopeStack);
+          let reachingDef = findReachingDef(varName, scopeStack);
+          if (reachingDef === null && !positionalParams.includes(varName)) {
+            const def = {
+              id: defIdCounter++,
+              variable: varName,
+              line: 0,
+              kind: "param"
+            };
+            defs.push(def);
+            scopeStack[0].set(varName, def.id);
+            reachingDef = def.id;
+          }
           uses.push({
             id: useIdCounter++,
             variable: varName,
@@ -9353,7 +9493,18 @@ function buildBashDFG(tree) {
       const varNameNode = node.namedChildCount > 0 ? node.namedChild(0) : null;
       if (varNameNode && varNameNode.type === "variable_name") {
         const varName = getNodeText(varNameNode);
-        const reachingDef = findReachingDef(varName, scopeStack);
+        let reachingDef = findReachingDef(varName, scopeStack);
+        if (reachingDef === null && !positionalParams.includes(varName)) {
+          const def = {
+            id: defIdCounter++,
+            variable: varName,
+            line: 0,
+            kind: "param"
+          };
+          defs.push(def);
+          scopeStack[0].set(varName, def.id);
+          reachingDef = def.id;
+        }
         uses.push({
           id: useIdCounter++,
           variable: varName,
@@ -10102,8 +10253,12 @@ var DEFAULT_SOURCES = [
   { method: "get", class: "cookies", type: "http_cookie", severity: "high", return_tainted: true },
   { property: "json", object: "request", type: "http_body", severity: "high", property_tainted: true },
   { property: "data", object: "request", type: "http_body", severity: "high", property_tainted: true },
+  { property: "stream", object: "request", type: "http_body", severity: "high", property_tainted: true },
   { property: "path", object: "request", type: "http_path", severity: "medium", property_tainted: true },
   { property: "query_string", object: "request", type: "http_query", severity: "high", property_tainted: true },
+  // Flask request.get_data() — raw request bytes (method form, parallel to request.data property)
+  { method: "get_data", class: "request", type: "http_body", severity: "high", return_tainted: true },
+  { method: "get_json", class: "request", type: "http_body", severity: "high", return_tainted: true },
   // Django request object
   { method: "get", class: "GET", type: "http_param", severity: "high", return_tainted: true },
   { method: "get", class: "POST", type: "http_param", severity: "high", return_tainted: true },
@@ -10315,14 +10470,19 @@ var DEFAULT_SINKS = [
   { method: "setExecutable", class: "ExecTask", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "setCommand", class: "ExecTask", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "execute", class: "Java", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // Shell/Bash utilities
-  { method: "bash", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "shell", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "sh", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "spawn", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "fork", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "popen", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "system", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  // Shell/Bash utilities — these are method-call sinks in host languages
+  // (Java Runtime/ProcessBuilder, JS child_process spawn/exec, Python subprocess, etc.).
+  // When the analyzed file IS a bash/shell script, the bash plugin's per-flag entries
+  // (argPositions: [1] for `bash -c <cmd>`) MUST win. Restrict these generic entries
+  // to non-shell languages so they don't collide on the dedup key
+  // `${location}:${call.location.line}:${pattern.cwe}`.
+  { method: "bash", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "shell", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "sh", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "spawn", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "fork", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "popen", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "system", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Apache Commons Exec
   // Note: bare class 'Executor' removed (see comment above) — DefaultExecutor matched explicitly.
   { method: "setCommandline", class: "DefaultExecutor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -10412,6 +10572,12 @@ var DEFAULT_SINKS = [
   { method: "unzip", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "extract", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "extractAll", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
+  // Python zipfile/tarfile use lowercase extractall (PEP 8 naming)
+  { method: "extractall", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0], languages: ["python"] },
+  // Python zipfile.ZipFile(path) — tainted archive path enables Zip-Slip via malicious archive
+  { method: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["python"] },
+  // Flask send_from_directory: untrusted filename can escape directory via ../
+  { method: "send_from_directory", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [1], languages: ["python"] },
   { method: "unjar", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   // Additional file constructors — BufferedReader(Reader) is NOT a path traversal sink; it wraps a Reader, not a file path
   { method: "PrintWriter", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -11496,16 +11662,42 @@ var DEFAULT_SINKS = [
   // value position so a tainted variable is detected.
   { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
   { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
-  // Mass-assignment (CWE-915) — Sprint 6, #86.
-  // JS Object.assign(target, ...sources) — sources are arg 1..N, and if any
-  // source is request-tainted, every key gets written onto the target. We
-  // flag the source positions; the analyzer only needs one tainted to fire.
-  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
-  // Lodash bulk-merge helpers behave identically.
-  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
-  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  // Mass-assignment (CWE-915 / CWE-1321) — Sprint 6, #86; cognium-dev #68 Sprint 10.
+  // JS Object.assign(target, ...sources), `_.merge`, `_.extend`, `$.extend`,
+  // `Object.defineProperty` — when fed an attacker-controlled bag, they write
+  // arbitrary keys onto the target (or, for `__proto__`/`constructor.prototype`,
+  // pollute the prototype chain). The CWE is CWE-1321 (Prototype Pollution),
+  // which subsumes mass assignment for JS sinks operating on plain Objects.
+  // We keep the existing `mass_assignment` SinkType so consumers route the
+  // findings the same way; only the CWE shifts to flag prototype-pollution.
+  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defineProperty", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "defineProperties", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1], languages: ["javascript", "typescript"] },
+  // Lodash bulk-merge helpers behave identically. `_.merge` and `lodash.merge`
+  // are aliases — match both receivers.
+  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "merge", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defaultsDeep", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defaultsDeep", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
   // jQuery $.extend(target, source) (legacy).
-  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] }
+  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "jQuery", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  // DOM-XSS via property assignment (CWE-79) — cognium-dev #68 Sprint 10.
+  // `el.innerHTML = tainted` / `el.outerHTML = tainted`. The JS call extractor
+  // emits a synthetic CallInfo with method=`innerHTML`/`outerHTML` for each
+  // matching assignment_expression. These classless entries catch them.
+  { method: "innerHTML", type: "xss", cwe: "CWE-79", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "outerHTML", type: "xss", cwe: "CWE-79", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // node-serialize.unserialize (CWE-502) — cognium-dev #68 Sprint 10.
+  // The node-serialize package evaluates `_$$ND_FUNC$$_` IIFE payloads on
+  // decode, turning untrusted input into RCE. Match both receiver-bound
+  // calls (`serialize.unserialize(x)`) and destructured imports
+  // (`const { unserialize } = require('node-serialize')`).
+  { method: "unserialize", class: "serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "unserialize", class: "node-serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "unserialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] }
 ];
 var DEFAULT_SANITIZERS = [
   // SQL Injection - proper parameter binding sanitizes input
@@ -12112,7 +12304,12 @@ function matchesSourcePattern(call, pattern) {
       if (call.receiver_type && call.receiver_type === pattern.class) {
       } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
       } else if (!call.receiver) {
-        return false;
+        const target = call.resolution?.target;
+        const expectedTail = `${pattern.class}.${pattern.method}`;
+        if (target && (target === expectedTail || target.endsWith("." + expectedTail))) {
+        } else {
+          return false;
+        }
       } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
@@ -12379,7 +12576,12 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
       }
       return false;
     } else if (!call.receiver && !call.receiver_type) {
-      return false;
+      const target = call.resolution?.target;
+      const expectedTail = `${pattern.class}.${pattern.method}`;
+      if (target && (target === expectedTail || target.endsWith("." + expectedTail))) {
+      } else {
+        return false;
+      }
     }
   }
   if (!pattern.class && call.receiver) {
@@ -13221,6 +13423,21 @@ function findInitialTaint(sources, callsByLine, defsByLine) {
         });
       }
     }
+    if (source.variable) {
+      const paramDefs = defsByLine.get(0) ?? [];
+      for (const def of paramDefs) {
+        if (def.kind === "param" && def.variable === source.variable) {
+          tainted.push({
+            variable: def.variable,
+            defId: def.id,
+            line: def.line,
+            sourceType: source.type,
+            sourceLine: source.line,
+            confidence: source.confidence
+          });
+        }
+      }
+    }
   }
   return tainted;
 }

package/dist/core/extractors/calls.js

@@ -57,7 +57,7 @@ export function extractCalls(tree, cache, language) {
     const calls = [];
     // Use language hint if provided, otherwise detect from tree
     const detectedLanguage = language ?? detectLanguageFromTree(tree, cache);
-    const isJavaScript = detectedLanguage === 'javascript' || detectedLanguage === 'typescript';
+    const isJavaScript = detectedLanguage === 'javascript' || detectedLanguage === 'typescript' || detectedLanguage === 'tsx';
     const isPython = detectedLanguage === 'python';
     const isRust = detectedLanguage === 'rust';
     if (detectedLanguage === 'go') {
@@ -115,8 +115,188 @@ function extractJavaScriptCalls(tree, cache) {
             calls.push(callInfo);
         }
     }
+    // Find JSX attributes that act as XSS sinks (e.g. dangerouslySetInnerHTML).
+    // The TSX/JSX grammar represents these as `jsx_attribute` nodes, not
+    // `call_expression`. To let the taint matcher reuse the standard method-
+    // call sink path, we emit a synthetic CallInfo per matching attribute.
+    // (cognium-dev #68 — Phase D.1)
+    const jsxAttributes = getNodesFromCache(tree.rootNode, 'jsx_attribute', cache);
+    for (const attr of jsxAttributes) {
+        const callInfo = extractJSXAttributeSink(attr);
+        if (callInfo) {
+            calls.push(callInfo);
+        }
+    }
+    // Find DOM property assignments that act as XSS sinks
+    // (e.g. `el.innerHTML = userInput`). Same rationale as JSX attributes:
+    // emit a synthetic CallInfo so the standard taint matcher path picks them
+    // up via property-named sink entries. (cognium-dev #68 — Phase D.3)
+    const assignments = getNodesFromCache(tree.rootNode, 'assignment_expression', cache);
+    for (const assign of assignments) {
+        const callInfo = extractDomPropertyAssignmentSink(assign);
+        if (callInfo) {
+            calls.push(callInfo);
+        }
+    }
     return calls;
 }
+/**
+ * DOM properties whose assignment is an XSS sink. Keeping this list small
+ * and explicit so we don't over-flag (the YAML config in
+ * `configs/sinks/javascript_dom_xss.yaml` lists more, but most of those are
+ * element-conditional and would need DOM-type tracking to flag without FPs).
+ */
+const DOM_XSS_ASSIGNMENT_PROPERTIES = new Set([
+    'innerHTML',
+    'outerHTML',
+]);
+/**
+ * Emit a synthetic CallInfo for DOM property assignments that are XSS sinks.
+ *
+ * Matches `<obj>.<prop> = <expr>` where `<prop>` is in
+ * `DOM_XSS_ASSIGNMENT_PROPERTIES`. The synthetic call has method=`<prop>`,
+ * receiver=`<obj>` text, single argument=`<expr>`.
+ */
+function extractDomPropertyAssignmentSink(node) {
+    const leftNode = node.childForFieldName('left');
+    const rightNode = node.childForFieldName('right');
+    if (!leftNode || !rightNode)
+        return null;
+    if (leftNode.type !== 'member_expression')
+        return null;
+    const propertyNode = leftNode.childForFieldName('property');
+    const objectNode = leftNode.childForFieldName('object');
+    if (!propertyNode)
+        return null;
+    const propertyName = getNodeText(propertyNode);
+    if (!DOM_XSS_ASSIGNMENT_PROPERTIES.has(propertyName))
+        return null;
+    const receiver = objectNode ? getNodeText(objectNode) : null;
+    const expression = getNodeText(rightNode);
+    const { variable, literal } = analyzeJSArgument(rightNode);
+    const enclosingFunc = findJSEnclosingFunction(node);
+    return {
+        method_name: propertyName,
+        receiver,
+        arguments: [
+            {
+                position: 0,
+                expression,
+                variable,
+                literal,
+            },
+        ],
+        location: {
+            line: node.startPosition.row + 1,
+            column: node.startPosition.column,
+        },
+        in_method: enclosingFunc,
+        resolved: true,
+        resolution: {
+            status: 'resolved',
+            target: `DOM.${propertyName}`,
+        },
+    };
+}
+/**
+ * Emit a synthetic CallInfo for JSX attributes that are known XSS sinks.
+ *
+ * Currently handles `dangerouslySetInnerHTML={{ __html: expr }}` on any JSX
+ * element. The synthetic call has method `dangerouslySetInnerHTML`, no
+ * receiver, and a single argument carrying the `__html` value expression.
+ * The taint matcher then catches the call via the standard
+ * `dangerouslySetInnerHTML` sink entry in `configs/sinks/nodejs.json`.
+ */
+function extractJSXAttributeSink(attr) {
+    // `jsx_attribute` has children: property_identifier '=' jsx_expression
+    // Get the attribute name (first property_identifier child).
+    let nameNode = null;
+    for (let i = 0; i < attr.childCount; i++) {
+        const child = attr.child(i);
+        if (child && child.type === 'property_identifier') {
+            nameNode = child;
+            break;
+        }
+    }
+    if (!nameNode)
+        return null;
+    const attrName = getNodeText(nameNode);
+    if (attrName !== 'dangerouslySetInnerHTML')
+        return null;
+    // Find the `jsx_expression` value child (the `{{__html: x}}` part).
+    let valueExpr = null;
+    for (let i = 0; i < attr.childCount; i++) {
+        const child = attr.child(i);
+        if (child && child.type === 'jsx_expression') {
+            valueExpr = child;
+            break;
+        }
+    }
+    if (!valueExpr)
+        return null;
+    // Inside the jsx_expression, find the inner `object` literal, then the
+    // `pair` whose key is `__html`, then that pair's `value`.
+    let htmlValue = null;
+    for (let i = 0; i < valueExpr.childCount; i++) {
+        const inner = valueExpr.child(i);
+        if (!inner || inner.type !== 'object')
+            continue;
+        for (let j = 0; j < inner.childCount; j++) {
+            const pair = inner.child(j);
+            if (!pair || pair.type !== 'pair')
+                continue;
+            const keyNode = pair.childForFieldName('key');
+            if (!keyNode)
+                continue;
+            const keyText = getNodeText(keyNode).replace(/^["']|["']$/g, '');
+            if (keyText === '__html') {
+                htmlValue = pair.childForFieldName('value');
+                break;
+            }
+        }
+        if (htmlValue)
+            break;
+    }
+    // If the `__html` field wasn't found (or the prop was passed a spread/var
+    // like `{...props}`), fall back to using the entire jsx_expression body
+    // so the matcher still sees the data dependency.
+    if (!htmlValue) {
+        for (let i = 0; i < valueExpr.childCount; i++) {
+            const inner = valueExpr.child(i);
+            if (inner && inner.type !== '{' && inner.type !== '}') {
+                htmlValue = inner;
+                break;
+            }
+        }
+    }
+    if (!htmlValue)
+        return null;
+    const expression = getNodeText(htmlValue);
+    const { variable, literal } = analyzeJSArgument(htmlValue);
+    const enclosingFunc = findJSEnclosingFunction(attr);
+    return {
+        method_name: 'dangerouslySetInnerHTML',
+        receiver: null,
+        arguments: [
+            {
+                position: 0,
+                expression,
+                variable,
+                literal,
+            },
+        ],
+        location: {
+            line: attr.startPosition.row + 1,
+            column: attr.startPosition.column,
+        },
+        in_method: enclosingFunc,
+        resolved: true,
+        resolution: {
+            status: 'resolved',
+            target: 'react.dangerouslySetInnerHTML',
+        },
+    };
+}
 function buildJSResolutionContext(tree, cache) {
     const context = {
         functionNames: new Set(),