circle-ir 3.59.0 → 3.64.0

package/dist/analysis/config-loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAub1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA22CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAiPhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
+{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAk5CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAiPhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}

package/dist/analysis/config-loader.js

@@ -341,8 +341,12 @@ export const DEFAULT_SOURCES = [
     { method: 'get', class: 'cookies', type: 'http_cookie', severity: 'high', return_tainted: true },
     { property: 'json', object: 'request', type: 'http_body', severity: 'high', property_tainted: true },
     { property: 'data', object: 'request', type: 'http_body', severity: 'high', property_tainted: true },
+    { property: 'stream', object: 'request', type: 'http_body', severity: 'high', property_tainted: true },
     { property: 'path', object: 'request', type: 'http_path', severity: 'medium', property_tainted: true },
     { property: 'query_string', object: 'request', type: 'http_query', severity: 'high', property_tainted: true },
+    // Flask request.get_data() — raw request bytes (method form, parallel to request.data property)
+    { method: 'get_data', class: 'request', type: 'http_body', severity: 'high', return_tainted: true },
+    { method: 'get_json', class: 'request', type: 'http_body', severity: 'high', return_tainted: true },
     // Django request object
     { method: 'get', class: 'GET', type: 'http_param', severity: 'high', return_tainted: true },
     { method: 'get', class: 'POST', type: 'http_param', severity: 'high', return_tainted: true },
@@ -554,14 +558,19 @@ export const DEFAULT_SINKS = [
     { method: 'setExecutable', class: 'ExecTask', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
     { method: 'setCommand', class: 'ExecTask', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
     { method: 'execute', class: 'Java', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
-    // Shell/Bash utilities
-    { method: 'bash', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
-    { method: 'shell', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
-    { method: 'sh', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
-    { method: 'spawn', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
-    { method: 'fork', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
-    { method: 'popen', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
-    { method: 'system', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
+    // Shell/Bash utilities — these are method-call sinks in host languages
+    // (Java Runtime/ProcessBuilder, JS child_process spawn/exec, Python subprocess, etc.).
+    // When the analyzed file IS a bash/shell script, the bash plugin's per-flag entries
+    // (argPositions: [1] for `bash -c <cmd>`) MUST win. Restrict these generic entries
+    // to non-shell languages so they don't collide on the dedup key
+    // `${location}:${call.location.line}:${pattern.cwe}`.
+    { method: 'bash', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
+    { method: 'shell', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
+    { method: 'sh', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
+    { method: 'spawn', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
+    { method: 'fork', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
+    { method: 'popen', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
+    { method: 'system', languages: ['java', 'javascript', 'typescript', 'python', 'go', 'rust'], type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
     // Apache Commons Exec
     // Note: bare class 'Executor' removed (see comment above) — DefaultExecutor matched explicitly.
     { method: 'setCommandline', class: 'DefaultExecutor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
@@ -651,6 +660,12 @@ export const DEFAULT_SINKS = [
     { method: 'unzip', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0, 1] },
     { method: 'extract', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0, 1] },
     { method: 'extractAll', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0, 1] },
+    // Python zipfile/tarfile use lowercase extractall (PEP 8 naming)
+    { method: 'extractall', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0], languages: ['python'] },
+    // Python zipfile.ZipFile(path) — tainted archive path enables Zip-Slip via malicious archive
+    { method: 'ZipFile', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0], languages: ['python'] },
+    // Flask send_from_directory: untrusted filename can escape directory via ../
+    { method: 'send_from_directory', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [1], languages: ['python'] },
     { method: 'unjar', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0, 1] },
     // Additional file constructors — BufferedReader(Reader) is NOT a path traversal sink; it wraps a Reader, not a file path
     { method: 'PrintWriter', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
@@ -1734,16 +1749,42 @@ export const DEFAULT_SINKS = [
     // value position so a tainted variable is detected.
     { method: 'Set', class: 'Header', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['go'] },
     { method: 'Add', class: 'Header', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['go'] },
-    // Mass-assignment (CWE-915) — Sprint 6, #86.
-    // JS Object.assign(target, ...sources) — sources are arg 1..N, and if any
-    // source is request-tainted, every key gets written onto the target. We
-    // flag the source positions; the analyzer only needs one tainted to fire.
-    { method: 'assign', class: 'Object', type: 'mass_assignment', cwe: 'CWE-915', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
-    // Lodash bulk-merge helpers behave identically.
-    { method: 'merge', class: '_', type: 'mass_assignment', cwe: 'CWE-915', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
-    { method: 'extend', class: '_', type: 'mass_assignment', cwe: 'CWE-915', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+    // Mass-assignment (CWE-915 / CWE-1321) — Sprint 6, #86; cognium-dev #68 Sprint 10.
+    // JS Object.assign(target, ...sources), `_.merge`, `_.extend`, `$.extend`,
+    // `Object.defineProperty` — when fed an attacker-controlled bag, they write
+    // arbitrary keys onto the target (or, for `__proto__`/`constructor.prototype`,
+    // pollute the prototype chain). The CWE is CWE-1321 (Prototype Pollution),
+    // which subsumes mass assignment for JS sinks operating on plain Objects.
+    // We keep the existing `mass_assignment` SinkType so consumers route the
+    // findings the same way; only the CWE shifts to flag prototype-pollution.
+    { method: 'assign', class: 'Object', type: 'mass_assignment', cwe: 'CWE-1321', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+    { method: 'defineProperty', class: 'Object', type: 'mass_assignment', cwe: 'CWE-1321', severity: 'high', arg_positions: [1, 2], languages: ['javascript', 'typescript'] },
+    { method: 'defineProperties', class: 'Object', type: 'mass_assignment', cwe: 'CWE-1321', severity: 'high', arg_positions: [1], languages: ['javascript', 'typescript'] },
+    // Lodash bulk-merge helpers behave identically. `_.merge` and `lodash.merge`
+    // are aliases — match both receivers.
+    { method: 'merge', class: '_', type: 'mass_assignment', cwe: 'CWE-1321', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+    { method: 'merge', class: 'lodash', type: 'mass_assignment', cwe: 'CWE-1321', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+    { method: 'extend', class: '_', type: 'mass_assignment', cwe: 'CWE-1321', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+    { method: 'extend', class: 'lodash', type: 'mass_assignment', cwe: 'CWE-1321', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+    { method: 'defaultsDeep', class: '_', type: 'mass_assignment', cwe: 'CWE-1321', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+    { method: 'defaultsDeep', class: 'lodash', type: 'mass_assignment', cwe: 'CWE-1321', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
     // jQuery $.extend(target, source) (legacy).
-    { method: 'extend', class: '$', type: 'mass_assignment', cwe: 'CWE-915', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+    { method: 'extend', class: '$', type: 'mass_assignment', cwe: 'CWE-1321', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+    { method: 'extend', class: 'jQuery', type: 'mass_assignment', cwe: 'CWE-1321', severity: 'high', arg_positions: [1, 2, 3], languages: ['javascript', 'typescript'] },
+    // DOM-XSS via property assignment (CWE-79) — cognium-dev #68 Sprint 10.
+    // `el.innerHTML = tainted` / `el.outerHTML = tainted`. The JS call extractor
+    // emits a synthetic CallInfo with method=`innerHTML`/`outerHTML` for each
+    // matching assignment_expression. These classless entries catch them.
+    { method: 'innerHTML', type: 'xss', cwe: 'CWE-79', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
+    { method: 'outerHTML', type: 'xss', cwe: 'CWE-79', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
+    // node-serialize.unserialize (CWE-502) — cognium-dev #68 Sprint 10.
+    // The node-serialize package evaluates `_$$ND_FUNC$$_` IIFE payloads on
+    // decode, turning untrusted input into RCE. Match both receiver-bound
+    // calls (`serialize.unserialize(x)`) and destructured imports
+    // (`const { unserialize } = require('node-serialize')`).
+    { method: 'unserialize', class: 'serialize', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
+    { method: 'unserialize', class: 'node-serialize', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
+    { method: 'unserialize', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
 ];
 export const DEFAULT_SANITIZERS = [
     // SQL Injection - proper parameter binding sanitizes input