circle-ir 3.66.0 → 3.68.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (24) hide show
  1. package/configs/sinks/nodejs.json +27 -0
  2. package/dist/analysis/config-loader.d.ts.map +1 -1
  3. package/dist/analysis/config-loader.js +10 -3
  4. package/dist/analysis/config-loader.js.map +1 -1
  5. package/dist/analysis/passes/sink-filter-pass.d.ts.map +1 -1
  6. package/dist/analysis/passes/sink-filter-pass.js +34 -0
  7. package/dist/analysis/passes/sink-filter-pass.js.map +1 -1
  8. package/dist/analysis/taint-matcher.d.ts.map +1 -1
  9. package/dist/analysis/taint-matcher.js +11 -0
  10. package/dist/analysis/taint-matcher.js.map +1 -1
  11. package/dist/browser/circle-ir.js +65 -3
  12. package/dist/core/circle-ir-core.cjs +19 -3
  13. package/dist/core/circle-ir-core.js +19 -3
  14. package/dist/core/extractors/calls.js +15 -0
  15. package/dist/core/extractors/calls.js.map +1 -1
  16. package/dist/languages/plugins/python.d.ts.map +1 -1
  17. package/dist/languages/plugins/python.js +18 -0
  18. package/dist/languages/plugins/python.js.map +1 -1
  19. package/dist/languages/registry.d.ts.map +1 -1
  20. package/dist/languages/registry.js +7 -0
  21. package/dist/languages/registry.js.map +1 -1
  22. package/dist/types/config.d.ts +9 -0
  23. package/dist/types/config.d.ts.map +1 -1
  24. package/package.json +1 -1
package/configs/sinks/nodejs.json CHANGED
@@ -450,6 +450,33 @@
450
450
  "arg_positions": [0],
451
451
  "note": "VM code execution in current context"
452
452
  },
453
+ {
454
+ "method": "parse",
455
+ "class": "protobuf",
456
+ "type": "code_injection",
457
+ "cwe": "CWE-94",
458
+ "severity": "critical",
459
+ "arg_positions": [0],
460
+ "note": "protobufjs parse(schemaText) compiles a textual schema into JS at runtime; tainted schema = code execution (CVE-2026-41242)"
461
+ },
462
+ {
463
+ "method": "parse",
464
+ "class": "protobufjs",
465
+ "type": "code_injection",
466
+ "cwe": "CWE-94",
467
+ "severity": "critical",
468
+ "arg_positions": [0],
469
+ "note": "protobufjs.parse(schemaText) - same as protobuf.parse (CVE-2026-41242)"
470
+ },
471
+ {
472
+ "method": "parse",
473
+ "class": "Root",
474
+ "type": "code_injection",
475
+ "cwe": "CWE-94",
476
+ "severity": "critical",
477
+ "arg_positions": [0],
478
+ "note": "protobufjs Root.parse(schemaText) - alternate API for schema compilation (CVE-2026-41242)"
479
+ },
453
480
  {
454
481
  "method": "compileFunction",
455
482
  "class": "vm",
package/dist/analysis/config-loader.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAk5CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAiPhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1
+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAy5CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAiPhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
package/dist/analysis/config-loader.js CHANGED
@@ -1307,9 +1307,11 @@ export const DEFAULT_SINKS = [
1307
1307
  // Node.js SQL (mysql, pg, sqlite, etc.)
1308
1308
  // Language-scoped: generic class names `Pool`/`Connection`/`Client` substring-match
1309
1309
  // unrelated Java identifiers like `cachedThreadPool`, `dbConnection`. See issue #14.
1310
- { method: 'query', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1311
- { method: 'query', class: 'Pool', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1312
- { method: 'query', class: 'Client', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1310
+ { method: 'query', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1311
+ { method: 'query', class: 'Pool', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1312
+ { method: 'query', class: 'Client', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1313
+ { method: 'execute', class: 'Pool', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1314
+ { method: 'execute', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'], allow_unresolved_receiver: true },
1313
1315
  // Note: classless { method: 'query' } removed — too many FPs (UriComponentsBuilder.query(), etc.)
1314
1316
  // SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
1315
1317
  // Note: `raw` is shared with Python (Django ORM) — scoped to JS+TS to avoid leaking.
@@ -1328,6 +1330,11 @@ export const DEFAULT_SINKS = [
1328
1330
  { method: 'runInContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
1329
1331
  { method: 'runInNewContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
1330
1332
  { method: 'runInThisContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
1333
+ // protobufjs Root.parse(schemaText) compiles a textual schema into JS at runtime;
1334
+ // tainted schema → code execution (CVE-2026-41242). Issue #94.
1335
+ { method: 'parse', class: 'protobuf', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1336
+ { method: 'parse', class: 'protobufjs', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1337
+ { method: 'parse', class: 'Root', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
1331
1338
  // Node.js NoSQL Injection (MongoDB native driver + mongoose) — CWE-943
1332
1339
  // Issue #45: the bare `class: 'Collection'` constraint missed mongoose's
1333
1340
  // fluent chains (mongoose.connection.db.collection('x').find({...})) and