circle-ir 3.73.0 → 3.75.0

package/configs/sinks/golang.json

@@ -143,19 +143,19 @@
     {
       "method": "Clean",
       "class": "filepath",
-      "removes": ["path_traversal"],
+      "removes": ["path_traversal", "external_taint_escape"],
       "note": "filepath.Clean normalizes path, preventing traversal"
     },
     {
       "method": "EscapeString",
       "class": "html",
-      "removes": ["xss"],
-      "note": "html.EscapeString escapes HTML entities"
+      "removes": ["xss", "external_taint_escape", "log_injection", "open_redirect"],
+      "note": "html.EscapeString escapes HTML entities — safe for HTML output and structured logs"
     },
     {
       "method": "HTMLEscapeString",
       "class": "template",
-      "removes": ["xss"],
+      "removes": ["xss", "external_taint_escape", "log_injection", "open_redirect"],
       "note": "template.HTMLEscapeString escapes HTML"
     },
     {
@@ -198,25 +198,25 @@
     {
       "method": "Base",
       "class": "filepath",
-      "removes": ["path_traversal"],
+      "removes": ["path_traversal", "external_taint_escape"],
       "note": "filepath.Base returns final element only — strips traversal segments"
     },
     {
       "method": "EvalSymlinks",
       "class": "filepath",
-      "removes": ["path_traversal"],
+      "removes": ["path_traversal", "external_taint_escape"],
       "note": "filepath.EvalSymlinks resolves symlinks to absolute path"
     },
     {
       "method": "Clean",
       "class": "path",
-      "removes": ["path_traversal"],
+      "removes": ["path_traversal", "external_taint_escape"],
       "note": "path.Clean (slash-only) normalizes ../ segments"
     },
     {
       "method": "Base",
       "class": "path",
-      "removes": ["path_traversal"],
+      "removes": ["path_traversal", "external_taint_escape"],
       "note": "path.Base returns final slash-element only"
     }
   ]

package/dist/analysis/config-loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAm9CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAiPhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
+{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAg+CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA4PhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}

package/dist/analysis/config-loader.js

@@ -1810,6 +1810,18 @@ export const DEFAULT_SINKS = [
     // value position so a tainted variable is detected.
     { method: 'Set', class: 'Header', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['go'] },
     { method: 'Add', class: 'Header', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['go'] },
+    // Python: Flask/Werkzeug/FastAPI/Django response header sinks (CWE-113).
+    // Subscript assignment (`resp.headers['X-A'] = name`) is NOT covered because
+    // the IR does not emit subscript writes as calls — a known limitation, see
+    // cognium-dev #111. The method-call forms below ARE captured (receiver
+    // suffix-match on `.headers` via receiverMightBeClass).
+    { method: 'set', class: 'headers', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['python'] },
+    { method: 'add', class: 'headers', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['python'] },
+    { method: 'setdefault', class: 'headers', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['python'] },
+    { method: 'extend', class: 'headers', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [0], languages: ['python'] },
+    { method: '__setitem__', class: 'headers', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['python'] },
+    // Flask/Werkzeug response.set_cookie(name, value, ...) — value is CRLF-sensitive.
+    { method: 'set_cookie', type: 'crlf', cwe: 'CWE-113', severity: 'medium', arg_positions: [1], languages: ['python'] },
     // Mass-assignment (CWE-915 / CWE-1321) — Sprint 6, #86; cognium-dev #68 Sprint 10.
     // JS Object.assign(target, ...sources), `_.merge`, `_.extend`, `$.extend`,
     // `Object.defineProperty` — when fed an attacker-controlled bag, they write
@@ -1890,11 +1902,21 @@ export const DEFAULT_SANITIZERS = [
     // (defense-in-depth — mirrors Java getCanonicalPath in this table; the
     // stricter Clean+HasPrefix guard recognition is tracked separately).
     // EvalSymlinks is the Go equivalent of Java's Path.toRealPath.
-    { method: 'Base', class: 'filepath', removes: ['path_traversal'] },
-    { method: 'Base', class: 'path', removes: ['path_traversal'] },
-    { method: 'Clean', class: 'filepath', removes: ['path_traversal'] },
-    { method: 'Clean', class: 'path', removes: ['path_traversal'] },
-    { method: 'EvalSymlinks', class: 'filepath', removes: ['path_traversal'] },
+    // Sprint 24 (#102 FP-27): broadened to cover external_taint_escape (CWE-668)
+    // fallback so canonicalised paths don't trigger the synthetic sink.
+    { method: 'Base', class: 'filepath', removes: ['path_traversal', 'external_taint_escape'] },
+    { method: 'Base', class: 'path', removes: ['path_traversal', 'external_taint_escape'] },
+    { method: 'Clean', class: 'filepath', removes: ['path_traversal', 'external_taint_escape'] },
+    { method: 'Clean', class: 'path', removes: ['path_traversal', 'external_taint_escape'] },
+    { method: 'EvalSymlinks', class: 'filepath', removes: ['path_traversal', 'external_taint_escape'] },
+    // Go html/template escape helpers (#102 FP-27) — registered explicitly because
+    // configs/sinks/golang.json is not loaded at runtime.
+    { method: 'EscapeString', class: 'html', removes: ['xss', 'external_taint_escape', 'log_injection', 'open_redirect'] },
+    { method: 'HTMLEscapeString', class: 'template', removes: ['xss', 'external_taint_escape', 'log_injection', 'open_redirect'] },
+    { method: 'JSEscapeString', class: 'template', removes: ['xss', 'external_taint_escape', 'log_injection'] },
+    { method: 'URLQueryEscaper', class: 'template', removes: ['xss', 'external_taint_escape', 'open_redirect'] },
+    { method: 'QueryEscape', class: 'url', removes: ['xss', 'external_taint_escape', 'open_redirect'] },
+    { method: 'PathEscape', class: 'url', removes: ['xss', 'external_taint_escape', 'open_redirect'] },
     // Log Injection sanitizers
     { method: 'replace', removes: ['log_injection'] }, // Used to remove newlines/control chars
     // LDAP Injection