circle-ir 3.68.0 → 3.70.0

package/dist/browser/circle-ir.js

@@ -29413,6 +29413,500 @@ var TlsVerifyDisabledPass = class {
   }
 };
 
+// src/analysis/passes/module-side-effect-pass.ts
+var JS_EXEC_METHODS = /* @__PURE__ */ new Set([
+  "exec",
+  "spawn",
+  "execSync",
+  "spawnSync",
+  "execFile",
+  "execFileSync"
+]);
+var JS_EXEC_RECEIVERS = /* @__PURE__ */ new Set([
+  "child_process",
+  "cp"
+]);
+var JS_NETWORK_RECEIVER_METHOD = /* @__PURE__ */ new Set([
+  "https:request",
+  "http:request",
+  "https:get",
+  "http:get"
+]);
+var JS_NETWORK_MAYBE = /* @__PURE__ */ new Set([
+  "fetch"
+]);
+var JS_ENV_SIGNAL_RE = /\bprocess\.env\b|\bos\.homedir\b|\/etc\/(passwd|shadow)\b|\.ssh\/id_(rsa|dsa|ed25519)\b|\bhomedir\b/;
+var PKG_JSON_BENIGN_INSTALL = /* @__PURE__ */ new Set([
+  "node-gyp rebuild",
+  "prebuild-install",
+  "prebuild-install || node-gyp rebuild",
+  "husky install",
+  "patch-package",
+  "npm run build"
+]);
+var PKG_JSON_INSTALL_SHELL_RE = /\b(curl|wget|nc|ncat|node\s+-e|node\s+-r|sh\s+-c|bash\s+-c|eval|base64\s+-d)\b/;
+var PY_NETWORK_RECEIVER_METHODS = [
+  { receiver: "requests", method: "post" },
+  { receiver: "requests", method: "put" },
+  { receiver: "urllib.request", method: "urlopen" },
+  { receiver: "socket", method: "create_connection" },
+  { receiver: "socket", method: "connect" },
+  { receiver: "subprocess", method: "run" },
+  { receiver: "subprocess", method: "Popen" },
+  { receiver: "os", method: "system" }
+];
+var PY_ENV_SIGNAL_RE = /\bos\.environ\b|\bpwd\.getpw\b|\bid_(rsa|dsa|ed25519)\b|\bhome\b|\b\/etc\/(passwd|shadow)\b|\bPath\.home\b|\bglob\.glob\b/;
+var GO_INIT_DANGEROUS = [
+  { receiver: "exec", method: "Command" },
+  { receiver: "http", method: "Post" },
+  { receiver: "http", method: "Get" },
+  { receiver: "net", method: "LookupTXT" },
+  { receiver: "os", method: "Setenv" }
+];
+var RUST_DANGEROUS_METHODS = /* @__PURE__ */ new Set([
+  "Command::new",
+  "process::Command::new",
+  "std::process::Command::new",
+  "new"
+  // Command::new appears as method='new', receiver='Command' / etc.
+]);
+var RUST_DANGEROUS_RECEIVERS = /* @__PURE__ */ new Set([
+  "Command",
+  "process::Command",
+  "std::process::Command",
+  "reqwest",
+  "reqwest::blocking"
+]);
+var ModuleSideEffectPass = class {
+  name = "module-side-effect";
+  category = "security";
+  run(ctx) {
+    const { graph, language, code } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const emit = (line, pattern, api) => {
+      if (findings.some((f) => f.line === line && f.pattern === pattern)) return;
+      findings.push({ line, language, pattern, api });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}-${pattern.replace(/\W+/g, "-")}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-829",
+        severity: "high",
+        level: "error",
+        message: `Module-level / install-time side effect (${pattern}) in \`${api}\`. Code that runs at import / build / install time is invisible to runtime defenses and is the standard delivery vector for supply-chain droppers (shai-hulud-style harvesters, malicious typosquats, build.rs exfil). If this side effect is intentional, move it into an explicit function invoked at runtime; if it is install-time configuration, restrict it to documented APIs (e.g. \`cargo:\` directives, \`node-gyp rebuild\`).`,
+        file,
+        line,
+        fix: this.fixFor(language, pattern),
+        evidence: { language, api, pattern }
+      });
+    };
+    const isRustBuildScript = language === "rust" && /\bbuild\.rs$/.test(file);
+    for (const call of graph.ir.calls) {
+      if (language === "rust" && !isRustBuildScript) continue;
+      const det = this.detectCall(call, language);
+      if (!det) continue;
+      emit(call.location.line, det.pattern, det.api);
+    }
+    if (language === "javascript" || language === "typescript") {
+      if (/\bpackage\.json$/.test(file)) {
+        for (const extra of this.scanPackageJson(code)) {
+          emit(extra.line, extra.pattern, extra.api);
+        }
+      }
+    }
+    return { findings };
+  }
+  detectCall(call, language) {
+    const method = call.method_name;
+    const receiver = call.receiver ?? "";
+    if (language === "javascript" || language === "typescript") {
+      if (call.in_method != null) return null;
+      if (JS_EXEC_RECEIVERS.has(receiver) && JS_EXEC_METHODS.has(method)) {
+        return {
+          pattern: "module-level child_process call",
+          api: `${receiver}.${method}`
+        };
+      }
+      const recvMethod = `${receiver}:${method}`;
+      if (JS_NETWORK_RECEIVER_METHOD.has(recvMethod)) {
+        return {
+          pattern: "module-level network request",
+          api: `${receiver}.${method}`
+        };
+      }
+      if (JS_NETWORK_MAYBE.has(method) && receiver === "") {
+        for (const arg of call.arguments) {
+          if (JS_ENV_SIGNAL_RE.test(arg.expression ?? "")) {
+            return {
+              pattern: "module-level fetch of process.env",
+              api: method
+            };
+          }
+        }
+      }
+      return null;
+    }
+    if (language === "python") {
+      if (call.in_method != null) return null;
+      for (const tuple of PY_NETWORK_RECEIVER_METHODS) {
+        if (receiver === tuple.receiver && method === tuple.method) {
+          for (const arg of call.arguments) {
+            if (PY_ENV_SIGNAL_RE.test(arg.expression ?? "")) {
+              return {
+                pattern: "import-time network call with env signal",
+                api: `${receiver}.${method}`
+              };
+            }
+          }
+        }
+      }
+      return null;
+    }
+    if (language === "go") {
+      if (call.in_method !== "init") return null;
+      for (const tuple of GO_INIT_DANGEROUS) {
+        if (receiver === tuple.receiver && method === tuple.method) {
+          return {
+            pattern: "init() install-time side effect",
+            api: `${receiver}.${method}`
+          };
+        }
+      }
+      return null;
+    }
+    if (language === "rust") {
+      const recv = receiver.trim();
+      if (RUST_DANGEROUS_RECEIVERS.has(recv) || recv.startsWith("Command::")) {
+        if (method === "new" || RUST_DANGEROUS_METHODS.has(method) || method === "get" || method === "post") {
+          return {
+            pattern: "build.rs side effect",
+            api: `${recv || method}.${method}`
+          };
+        }
+      }
+      return null;
+    }
+    return null;
+  }
+  /**
+   * Scan a package.json file for dangerous install-lifecycle scripts.
+   * Best-effort regex extraction — package.json is not a JS source per se but
+   * the analyzer routes it through the JS pipeline.
+   */
+  scanPackageJson(code) {
+    const out2 = [];
+    const lines = code.split("\n");
+    const installRe = /"(pre|post)?install"\s*:\s*"([^"]+)"/i;
+    for (let i2 = 0; i2 < lines.length; i2++) {
+      const m = lines[i2].match(installRe);
+      if (!m) continue;
+      const value = m[2].trim();
+      if (PKG_JSON_BENIGN_INSTALL.has(value)) continue;
+      if (!PKG_JSON_INSTALL_SHELL_RE.test(value)) continue;
+      out2.push({
+        line: i2 + 1,
+        pattern: "npm lifecycle hook executes shell",
+        api: `scripts.${m[1] ?? ""}install`
+      });
+    }
+    return out2;
+  }
+  fixFor(language, pattern) {
+    if (pattern.includes("child_process")) {
+      return "Remove the module-level child_process call. If an install-time step is genuinely required, move it into an explicit function and document why it must run at install time.";
+    }
+    if (pattern.includes("module-level network")) {
+      return "Network requests should not run at module load. Move the call inside an exported function called explicitly by the caller.";
+    }
+    if (pattern.includes("module-level fetch of process.env")) {
+      return "Exfiltrating `process.env` at module load is the canonical supply-chain dropper shape. Remove this code or, if intentional, gate it behind an explicit opt-in.";
+    }
+    if (pattern.includes("npm lifecycle hook")) {
+      return "Replace the install-script shell payload with a build tool (e.g. `node-gyp rebuild`, `prebuild-install`). Lifecycle scripts that invoke curl/wget/node -e/sh -c are how supply-chain droppers are delivered.";
+    }
+    if (pattern.includes("import-time network call")) {
+      return "Move the network call inside an explicit function. Sending `os.environ` or filesystem secrets at module import is the canonical credential-harvester shape.";
+    }
+    if (pattern.includes("init()")) {
+      return "Move the side effect out of `init()`. Go `init` functions run automatically on package import; network/exec calls there are invisible to the caller and are how supply-chain droppers operate.";
+    }
+    if (pattern.includes("build.rs")) {
+      return "`build.rs` should only emit `cargo:` directives. Spawning subprocesses or making network requests at build time is a documented supply-chain attack vector (see RUSTSEC).";
+    }
+    void language;
+    return "Remove the module-level side effect or move it inside an explicit, runtime-invoked function.";
+  }
+};
+
+// src/analysis/passes/cache-no-vary-pass.ts
+function isSharedCacheable(value) {
+  const v = value.toLowerCase();
+  if (/\b(private|no-store|no-cache)\b/.test(v)) return false;
+  const pub = /\bpublic\b/.test(v);
+  const maxMatch = /\b(?:s-maxage|max-age)\s*=\s*(\d+)/.exec(v);
+  const positiveMax = maxMatch ? Number(maxMatch[1]) > 0 : false;
+  return pub || positiveMax;
+}
+function isVaryCovering(value) {
+  const v = value.toLowerCase();
+  return /\b(cookie|authorization|\*)\b/.test(v);
+}
+var JS_AUTH_SIGNAL_RE = /\b(?:req|request)\s*\.\s*(?:cookies|session|user(?:Id|Name)?)\b|\b(?:req|request)\s*\.\s*headers\s*\.\s*(?:cookie|authorization)\b|\bres(?:ponse)?\s*\.\s*cookie\s*\(/i;
+var PY_AUTH_SIGNAL_RE = /\brequest\s*\.\s*cookies\b|\brequest\s*\.\s*headers\s*\.\s*get\s*\(\s*['"]Authorization['"]|\brequest\s*\.\s*authorization\b|\bsession\s*\[|\b(?:g\.user|current_user)\b|\bset_cookie\s*\(/i;
+var GO_AUTH_SIGNAL_RE = /\br\s*\.\s*Cookie\s*\(|\br\s*\.\s*Header\s*(?:\(\)|\.)\s*\.?\s*Get\s*\(\s*"(?:Cookie|Authorization)"|\br\s*\.\s*BasicAuth\s*\(|\bhttp\s*\.\s*SetCookie\s*\(|\bc\s*\.\s*(?:GetHeader|Cookie|SetCookie)\s*\(/;
+var JAVA_AUTH_SIGNAL_RE = /@CookieValue\b|@RequestHeader\s*\(\s*"(?:Cookie|Authorization)"|\brequest\s*\.\s*getCookies\s*\(|\brequest\s*\.\s*getHeader\s*\(\s*"(?:Cookie|Authorization)"|\bresponse\s*\.\s*addCookie\s*\(|\bSecurityContextHolder\b|\bPrincipal\s+\w+|\bAuthentication\s+\w+/;
+var PY_CACHE_HEADER_ASSIGN_RE = /\w+(?:\s*\.\s*\w+)*\s*\.\s*headers\s*\[\s*['"]Cache-Control['"]\s*\]\s*=\s*(['"])([^'"]*)\1/i;
+var PY_VARY_HEADER_ASSIGN_RE = /\w+(?:\s*\.\s*\w+)*\s*\.\s*headers\s*\[\s*['"]Vary['"]\s*\]\s*=\s*(['"])([^'"]*)\1/i;
+var PY_VARY_DECORATOR_RE = /^\s*@\s*(?:vary_on_cookie|vary_on_headers)\b/;
+var PY_CACHE_CONTROL_DECORATOR_RE = /^\s*@\s*cache_control\s*\(([^)]*)\)/;
+var JS_HEADER_METHODS = /* @__PURE__ */ new Set(["setHeader", "set", "header"]);
+var GO_HEADER_METHODS = /* @__PURE__ */ new Set(["Set", "Add"]);
+var JAVA_HEADER_METHODS = /* @__PURE__ */ new Set(["setHeader", "addHeader"]);
+var JS_RES_RECEIVERS = /* @__PURE__ */ new Set(["res", "response", "ctx"]);
+function classifyCall(call, language) {
+  const method = call.method_name;
+  const receiver = (call.receiver ?? "").trim();
+  const arg0 = call.arguments[0]?.literal ?? null;
+  const arg1 = call.arguments[1]?.literal ?? null;
+  if (language === "javascript" || language === "typescript") {
+    if (JS_RES_RECEIVERS.has(receiver) && JS_HEADER_METHODS.has(method)) {
+      const header = (arg0 ?? "").toLowerCase();
+      if (header === "cache-control" && arg1 && isSharedCacheable(arg1)) {
+        return { kind: "cache-public", value: arg1 };
+      }
+      if (header === "vary" && arg1 && isVaryCovering(arg1)) {
+        return { kind: "vary" };
+      }
+    }
+    if (JS_RES_RECEIVERS.has(receiver) && method === "vary") {
+      const v = arg0 ?? "";
+      if (isVaryCovering(v) || v === "") return { kind: "vary" };
+    }
+    if (JS_RES_RECEIVERS.has(receiver) && method === "cookie") {
+      return { kind: "auth" };
+    }
+    return null;
+  }
+  if (language === "python") {
+    if (receiver === "request.cookies" || receiver === "request.session") {
+      return { kind: "auth" };
+    }
+    if (receiver === "request.headers" && method === "get") {
+      const v = (arg0 ?? "").toLowerCase();
+      if (v === "authorization" || v === "cookie") return { kind: "auth" };
+    }
+    if ((receiver === "response" || receiver === "resp") && method === "set_cookie") {
+      return { kind: "auth" };
+    }
+    if (method === "patch_vary_headers") return { kind: "vary" };
+    if (method === "patch_cache_control") {
+      const argTxt = call.arguments.map((a) => a.expression ?? "").join(",");
+      if (/\bpublic\s*=\s*True\b/.test(argTxt)) {
+        return { kind: "cache-public", value: argTxt };
+      }
+    }
+    return null;
+  }
+  if (language === "go") {
+    if ((receiver === "w.Header()" || receiver === "rw.Header()") && GO_HEADER_METHODS.has(method)) {
+      const header = (arg0 ?? "").toLowerCase();
+      if (header === "cache-control" && arg1 && isSharedCacheable(arg1)) {
+        return { kind: "cache-public", value: arg1 };
+      }
+      if (header === "vary" && arg1 && isVaryCovering(arg1)) {
+        return { kind: "vary" };
+      }
+    }
+    if (receiver === "c" && method === "Header") {
+      const header = (arg0 ?? "").toLowerCase();
+      if (header === "cache-control" && arg1 && isSharedCacheable(arg1)) {
+        return { kind: "cache-public", value: arg1 };
+      }
+      if (header === "vary" && arg1 && isVaryCovering(arg1)) {
+        return { kind: "vary" };
+      }
+    }
+    if (receiver === "r" && (method === "Cookie" || method === "BasicAuth")) {
+      return { kind: "auth" };
+    }
+    if ((receiver === "r.Header" || receiver === "r.Header()") && method === "Get") {
+      const v = (arg0 ?? "").toLowerCase();
+      if (v === "cookie" || v === "authorization") return { kind: "auth" };
+    }
+    if (receiver === "http" && method === "SetCookie") return { kind: "auth" };
+    if (receiver === "c" && (method === "Cookie" || method === "GetHeader" || method === "SetCookie")) {
+      return { kind: "auth" };
+    }
+    return null;
+  }
+  if (language === "java") {
+    if ((receiver === "response" || receiver === "resp") && JAVA_HEADER_METHODS.has(method)) {
+      const header = (arg0 ?? "").toLowerCase();
+      if (header === "cache-control" && arg1 && isSharedCacheable(arg1)) {
+        return { kind: "cache-public", value: arg1 };
+      }
+      if (header === "vary" && arg1 && isVaryCovering(arg1)) {
+        return { kind: "vary" };
+      }
+    }
+    if ((receiver === "headers" || receiver === "httpHeaders") && method === "setCacheControl") {
+      return { kind: "cache-public", value: "HttpHeaders.setCacheControl(...)" };
+    }
+    if ((receiver === "headers" || receiver === "httpHeaders") && method === "setVary") {
+      return { kind: "vary" };
+    }
+    if (receiver === "request" && method === "getCookies") {
+      return { kind: "auth" };
+    }
+    if (receiver === "request" && method === "getHeader") {
+      const v = (arg0 ?? "").toLowerCase();
+      if (v === "cookie" || v === "authorization") return { kind: "auth" };
+    }
+    if ((receiver === "response" || receiver === "resp") && method === "addCookie") {
+      return { kind: "auth" };
+    }
+    return null;
+  }
+  return null;
+}
+function authSignalRegex(language) {
+  switch (language) {
+    case "javascript":
+    case "typescript":
+      return JS_AUTH_SIGNAL_RE;
+    case "python":
+      return PY_AUTH_SIGNAL_RE;
+    case "go":
+      return GO_AUTH_SIGNAL_RE;
+    case "java":
+      return JAVA_AUTH_SIGNAL_RE;
+    default:
+      return null;
+  }
+}
+function scanWindow(code, language, startLine, endLine) {
+  const lines = code.split("\n");
+  const lo = Math.max(0, startLine - 1);
+  const hi = Math.min(lines.length, endLine);
+  const out2 = { vary: false, auth: false };
+  const authRe = authSignalRegex(language);
+  for (let i2 = lo; i2 < hi; i2++) {
+    const ln = lines[i2];
+    if (authRe && authRe.test(ln)) out2.auth = true;
+    if (language === "python") {
+      if (!out2.cachePublic) {
+        const mc = PY_CACHE_HEADER_ASSIGN_RE.exec(ln);
+        if (mc && isSharedCacheable(mc[2])) {
+          out2.cachePublic = { line: i2 + 1, value: mc[2] };
+        }
+      }
+      if (!out2.cachePublic) {
+        const md = PY_CACHE_CONTROL_DECORATOR_RE.exec(ln);
+        if (md) {
+          const argTxt = md[1];
+          if (/\bpublic\s*=\s*True\b/.test(argTxt) && (/\bmax_age\s*=\s*[1-9]\d*\b/.test(argTxt) || !/max_age/.test(argTxt))) {
+            out2.cachePublic = { line: i2 + 1, value: argTxt };
+          }
+        }
+      }
+      if (!out2.vary) {
+        const mv = PY_VARY_HEADER_ASSIGN_RE.exec(ln);
+        if (mv && isVaryCovering(mv[2])) out2.vary = true;
+        if (PY_VARY_DECORATOR_RE.test(ln)) out2.vary = true;
+      }
+    }
+  }
+  return out2;
+}
+var CacheNoVaryPass = class {
+  name = "cache-no-vary";
+  category = "security";
+  run(ctx) {
+    const { graph, language, code } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const isSupported = language === "javascript" || language === "typescript" || language === "python" || language === "go" || language === "java";
+    if (!isSupported) return { findings };
+    if (/(?:\.test|\.spec)\.[jt]sx?$/i.test(file) || /__tests__\/|\/tests?\//i.test(file)) {
+      return { findings };
+    }
+    const callsByHandler = /* @__PURE__ */ new Map();
+    for (const call of graph.ir.calls) {
+      const key = call.in_method ?? "<top>";
+      let arr = callsByHandler.get(key);
+      if (!arr) {
+        arr = [];
+        callsByHandler.set(key, arr);
+      }
+      arr.push(call);
+    }
+    const emit = (line, handler, cacheValue) => {
+      if (findings.some((f) => f.line === line && f.handler === handler)) return;
+      findings.push({ line, language, handler, cacheValue });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-524",
+        severity: "medium",
+        level: "warning",
+        message: `Response sets a shared-cacheable Cache-Control ('${cacheValue}') in a handler that reads authenticated or user-scoped state, but does not set 'Vary: Cookie' or 'Vary: Authorization'. A shared cache (CDN, reverse proxy, ISP cache) keys the response by URL only and may serve one user's body to another. (CWE-524)`,
+        file,
+        line,
+        fix: `Either add 'Vary: Cookie' (or 'Vary: Authorization') so caches key on the user identity, or change the directive to 'private' / 'no-store' so the response is never shared-cached.`,
+        evidence: {
+          language,
+          handler: handler ?? "<top>",
+          cacheValue
+        }
+      });
+    };
+    for (const [handlerKey, calls] of callsByHandler) {
+      const handler = handlerKey === "<top>" ? null : handlerKey;
+      const cachePublicHits = [];
+      let varyFromCalls = false;
+      let authFromCalls = false;
+      for (const call of calls) {
+        const cls = classifyCall(call, language);
+        if (!cls) continue;
+        if (cls.kind === "cache-public") {
+          cachePublicHits.push({
+            line: call.location.line,
+            value: cls.value ?? ""
+          });
+        } else if (cls.kind === "vary") {
+          varyFromCalls = true;
+        } else if (cls.kind === "auth") {
+          authFromCalls = true;
+        }
+      }
+      let minLine = Infinity;
+      let maxLine = -Infinity;
+      for (const c of calls) {
+        if (c.location?.line) {
+          minLine = Math.min(minLine, c.location.line);
+          maxLine = Math.max(maxLine, c.location.line);
+        }
+      }
+      if (minLine === Infinity) continue;
+      const winStart = Math.max(1, minLine - 5);
+      const winEnd = maxLine + 5;
+      const winScan = scanWindow(code, language, winStart, winEnd);
+      if (winScan.cachePublic) cachePublicHits.push(winScan.cachePublic);
+      const vary = varyFromCalls || winScan.vary;
+      const auth = authFromCalls || winScan.auth;
+      if (cachePublicHits.length === 0) continue;
+      if (vary) continue;
+      if (!auth) continue;
+      emit(cachePublicHits[0].line, handler, cachePublicHits[0].value);
+    }
+    return { findings };
+  }
+};
+
 // src/analysis/passes/jwt-verify-disabled-pass.ts
 var PY_VERIFY_SIGNATURE_FALSE_RE = /["']verify_signature["']\s*:\s*False\b/;
 var PY_VERIFY_KW_FALSE_RE = /\bverify\s*=\s*False\b/;
@@ -30769,6 +31263,8 @@ async function analyze(code, filePath, language, options = {}) {
     if (!disabledPasses.has("weak-crypto")) pipeline.add(new WeakCryptoPass());
     if (!disabledPasses.has("weak-random")) pipeline.add(new WeakRandomPass());
     if (!disabledPasses.has("tls-verify-disabled")) pipeline.add(new TlsVerifyDisabledPass());
+    if (!disabledPasses.has("module-side-effect")) pipeline.add(new ModuleSideEffectPass());
+    if (!disabledPasses.has("cache-no-vary")) pipeline.add(new CacheNoVaryPass());
     if (!disabledPasses.has("jwt-verify-disabled")) pipeline.add(new JwtVerifyDisabledPass());
     if (!disabledPasses.has("csrf-protection-disabled")) pipeline.add(new CsrfProtectionDisabledPass());
     if (!disabledPasses.has("xml-entity-expansion")) pipeline.add(new XmlEntityExpansionPass());

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.68.0",
+  "version": "3.70.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",