npm - circle-ir - Versions diffs - 3.70.0 → 3.72.0 - Mend

circle-ir 3.70.0 → 3.72.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/dist/analysis/config-loader.d.ts.map +1 -1
package/dist/analysis/config-loader.js +54 -0
package/dist/analysis/config-loader.js.map +1 -1
package/dist/analysis/constant-propagation/index.d.ts.map +1 -1
package/dist/analysis/constant-propagation/index.js +14 -0
package/dist/analysis/constant-propagation/index.js.map +1 -1
package/dist/analysis/passes/language-sources-pass.d.ts.map +1 -1
package/dist/analysis/passes/language-sources-pass.js +93 -22
package/dist/analysis/passes/language-sources-pass.js.map +1 -1
package/dist/analysis/passes/sink-filter-pass.d.ts.map +1 -1
package/dist/analysis/passes/sink-filter-pass.js +19 -0
package/dist/analysis/passes/sink-filter-pass.js.map +1 -1
package/dist/analysis/passes/taint-propagation-pass.d.ts.map +1 -1
package/dist/analysis/passes/taint-propagation-pass.js +131 -0
package/dist/analysis/passes/taint-propagation-pass.js.map +1 -1
package/dist/browser/circle-ir.js +195 -20
package/dist/core/circle-ir-core.cjs +57 -0
package/dist/core/circle-ir-core.js +57 -0
package/package.json +1 -1

package/dist/core/circle-ir-core.cjs CHANGED Viewed

@@ -11400,6 +11400,41 @@ var DEFAULT_SINKS = [
   // pattern with a language-scoped classless entry. The method name
   // `redirect` is rare outside HTTP frameworks so the FP risk is low.
   { method: "redirect", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Node.js LDAP Injection (ldapjs) — CWE-90
+  // cognium-dev#104 Sprint 22: receiver matches the canonical ldapjs
+  // import name (`const ldap = require('ldapjs')` → ldap.search/...).
+  { method: "search", class: "ldap", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "searchSync", class: "ldap", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "search", class: "ldapjs", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "searchSync", class: "ldapjs", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  // Node.js XPath Injection (xpath module) — CWE-643
+  // cognium-dev#104 Sprint 22: `const xpath = require('xpath')` → xpath.select/select1/evaluate.
+  { method: "select", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "select1", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "evaluate", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parse", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Node.js XXE (libxmljs, xmldom) — CWE-611
+  // cognium-dev#104 Sprint 22: `const libxml = require('libxmljs')` (or 'libxml')
+  // → libxml.parseXml(src, {noent: true}). xmldom DOMParser via parseFromString.
+  { method: "parseXml", class: "libxml", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseXmlString", class: "libxml", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseXml", class: "libxmljs", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseXmlString", class: "libxmljs", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseFromString", class: "DOMParser", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseFromString", class: "xmldom", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Node.js Server-Side Template Injection (SSTI) — CWE-94
+  // cognium-dev#104 Sprint 22: ejs/handlebars/pug template render with
+  // tainted templates → arbitrary JS execution. Uses `code_injection`
+  // SinkType to mirror the Python Jinja2/Mako pattern above.
+  { method: "render", class: "ejs", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "compile", class: "ejs", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "handlebars", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "compile", class: "handlebars", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "pug", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "compile", class: "pug", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "mustache", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "nunjucks", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "renderString", class: "nunjucks", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
   // =========================================================================
   // Python Sinks
   // =========================================================================
@@ -11509,6 +11544,16 @@ var DEFAULT_SINKS = [
   { method: "delete_one", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0] },
   { method: "delete_many", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0] },
   { method: "aggregate", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0] },
+  // pymongo dynamic attribute-access pattern: `db.users.find({...})` — receiver
+  // class isn't statically known. Method-only entries restricted to Python.
+  // cognium-dev#104 Sprint 22.
+  { method: "find_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "update_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0, 1], languages: ["python"] },
+  { method: "update_many", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0, 1], languages: ["python"] },
+  { method: "delete_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "delete_many", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "replace_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0, 1], languages: ["python"] },
+  { method: "count_documents", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
   // Python Template Injection (Jinja2, Mako)
   { method: "from_string", class: "Template", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "Template", class: "jinja2", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -11519,6 +11564,15 @@ var DEFAULT_SINKS = [
   { method: "error", class: "logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
   { method: "debug", class: "logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
   { method: "critical", class: "logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  // Python `logging` module top-level functions (e.g. logging.info(...))
+  // — cognium-dev#104 Sprint 22: OOP fixtures use `import logging; logging.info(self.msg)`.
+  { method: "info", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "warning", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "error", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "debug", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "critical", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "log", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [1] },
+  { method: "exception", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
   // =========================================================================
   // Java CWE-Bench Enhancement Patterns (Collection/Builder)
   // =========================================================================
@@ -16231,6 +16285,9 @@ function isFalsePositive(result, sinkLine, taintedVar) {
   if (varValue && varValue.type !== "unknown" && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: `variable_is_constant: ${varValue.value}` };
   }
+  if (taintedVar.startsWith("self.") || taintedVar.startsWith("this.")) {
+    return { isFalsePositive: false, reason: null };
+  }
   if (result.symbols.has(taintedVar) && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: "variable_not_tainted" };
   }

package/dist/core/circle-ir-core.js CHANGED Viewed

@@ -11334,6 +11334,41 @@ var DEFAULT_SINKS = [
   // pattern with a language-scoped classless entry. The method name
   // `redirect` is rare outside HTTP frameworks so the FP risk is low.
   { method: "redirect", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Node.js LDAP Injection (ldapjs) — CWE-90
+  // cognium-dev#104 Sprint 22: receiver matches the canonical ldapjs
+  // import name (`const ldap = require('ldapjs')` → ldap.search/...).
+  { method: "search", class: "ldap", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "searchSync", class: "ldap", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "search", class: "ldapjs", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "searchSync", class: "ldapjs", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  // Node.js XPath Injection (xpath module) — CWE-643
+  // cognium-dev#104 Sprint 22: `const xpath = require('xpath')` → xpath.select/select1/evaluate.
+  { method: "select", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "select1", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "evaluate", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parse", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Node.js XXE (libxmljs, xmldom) — CWE-611
+  // cognium-dev#104 Sprint 22: `const libxml = require('libxmljs')` (or 'libxml')
+  // → libxml.parseXml(src, {noent: true}). xmldom DOMParser via parseFromString.
+  { method: "parseXml", class: "libxml", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseXmlString", class: "libxml", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseXml", class: "libxmljs", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseXmlString", class: "libxmljs", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseFromString", class: "DOMParser", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseFromString", class: "xmldom", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  // Node.js Server-Side Template Injection (SSTI) — CWE-94
+  // cognium-dev#104 Sprint 22: ejs/handlebars/pug template render with
+  // tainted templates → arbitrary JS execution. Uses `code_injection`
+  // SinkType to mirror the Python Jinja2/Mako pattern above.
+  { method: "render", class: "ejs", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "compile", class: "ejs", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "handlebars", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "compile", class: "handlebars", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "pug", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "compile", class: "pug", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "mustache", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "nunjucks", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "renderString", class: "nunjucks", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
   // =========================================================================
   // Python Sinks
   // =========================================================================
@@ -11443,6 +11478,16 @@ var DEFAULT_SINKS = [
   { method: "delete_one", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0] },
   { method: "delete_many", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0] },
   { method: "aggregate", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0] },
+  // pymongo dynamic attribute-access pattern: `db.users.find({...})` — receiver
+  // class isn't statically known. Method-only entries restricted to Python.
+  // cognium-dev#104 Sprint 22.
+  { method: "find_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "update_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0, 1], languages: ["python"] },
+  { method: "update_many", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0, 1], languages: ["python"] },
+  { method: "delete_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "delete_many", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "replace_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0, 1], languages: ["python"] },
+  { method: "count_documents", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
   // Python Template Injection (Jinja2, Mako)
   { method: "from_string", class: "Template", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "Template", class: "jinja2", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -11453,6 +11498,15 @@ var DEFAULT_SINKS = [
   { method: "error", class: "logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
   { method: "debug", class: "logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
   { method: "critical", class: "logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  // Python `logging` module top-level functions (e.g. logging.info(...))
+  // — cognium-dev#104 Sprint 22: OOP fixtures use `import logging; logging.info(self.msg)`.
+  { method: "info", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "warning", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "error", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "debug", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "critical", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "log", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [1] },
+  { method: "exception", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
   // =========================================================================
   // Java CWE-Bench Enhancement Patterns (Collection/Builder)
   // =========================================================================
@@ -16165,6 +16219,9 @@ function isFalsePositive(result, sinkLine, taintedVar) {
   if (varValue && varValue.type !== "unknown" && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: `variable_is_constant: ${varValue.value}` };
   }
+  if (taintedVar.startsWith("self.") || taintedVar.startsWith("this.")) {
+    return { isFalsePositive: false, reason: null };
+  }
   if (result.symbols.has(taintedVar) && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: "variable_not_tainted" };
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.70.0",
+  "version": "3.72.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",