circle-ir 3.73.0 → 3.75.0

package/dist/core/circle-ir-core.cjs

@@ -11795,6 +11795,18 @@ var DEFAULT_SINKS = [
   // value position so a tainted variable is detected.
   { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
   { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  // Python: Flask/Werkzeug/FastAPI/Django response header sinks (CWE-113).
+  // Subscript assignment (`resp.headers['X-A'] = name`) is NOT covered because
+  // the IR does not emit subscript writes as calls — a known limitation, see
+  // cognium-dev #111. The method-call forms below ARE captured (receiver
+  // suffix-match on `.headers` via receiverMightBeClass).
+  { method: "set", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "add", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "setdefault", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "extend", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["python"] },
+  { method: "__setitem__", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  // Flask/Werkzeug response.set_cookie(name, value, ...) — value is CRLF-sensitive.
+  { method: "set_cookie", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
   // Mass-assignment (CWE-915 / CWE-1321) — Sprint 6, #86; cognium-dev #68 Sprint 10.
   // JS Object.assign(target, ...sources), `_.merge`, `_.extend`, `$.extend`,
   // `Object.defineProperty` — when fed an attacker-controlled bag, they write
@@ -11884,11 +11896,21 @@ var DEFAULT_SANITIZERS = [
   // (defense-in-depth — mirrors Java getCanonicalPath in this table; the
   // stricter Clean+HasPrefix guard recognition is tracked separately).
   // EvalSymlinks is the Go equivalent of Java's Path.toRealPath.
-  { method: "Base", class: "filepath", removes: ["path_traversal"] },
-  { method: "Base", class: "path", removes: ["path_traversal"] },
-  { method: "Clean", class: "filepath", removes: ["path_traversal"] },
-  { method: "Clean", class: "path", removes: ["path_traversal"] },
-  { method: "EvalSymlinks", class: "filepath", removes: ["path_traversal"] },
+  // Sprint 24 (#102 FP-27): broadened to cover external_taint_escape (CWE-668)
+  // fallback so canonicalised paths don't trigger the synthetic sink.
+  { method: "Base", class: "filepath", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "Base", class: "path", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "Clean", class: "filepath", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "Clean", class: "path", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "EvalSymlinks", class: "filepath", removes: ["path_traversal", "external_taint_escape"] },
+  // Go html/template escape helpers (#102 FP-27) — registered explicitly because
+  // configs/sinks/golang.json is not loaded at runtime.
+  { method: "EscapeString", class: "html", removes: ["xss", "external_taint_escape", "log_injection", "open_redirect"] },
+  { method: "HTMLEscapeString", class: "template", removes: ["xss", "external_taint_escape", "log_injection", "open_redirect"] },
+  { method: "JSEscapeString", class: "template", removes: ["xss", "external_taint_escape", "log_injection"] },
+  { method: "URLQueryEscaper", class: "template", removes: ["xss", "external_taint_escape", "open_redirect"] },
+  { method: "QueryEscape", class: "url", removes: ["xss", "external_taint_escape", "open_redirect"] },
+  { method: "PathEscape", class: "url", removes: ["xss", "external_taint_escape", "open_redirect"] },
   // Log Injection sanitizers
   { method: "replace", removes: ["log_injection"] },
   // Used to remove newlines/control chars
@@ -12408,6 +12430,42 @@ function isSafePythonSubprocessCall(call, pattern, language) {
   }
   return true;
 }
+function isSafeGoExecCommandCall(call, pattern, language) {
+  if (language !== "go") return false;
+  if (pattern.type !== "command_injection") return false;
+  if (pattern.class !== "exec") return false;
+  if (pattern.method !== "Command" && pattern.method !== "CommandContext") return false;
+  const programArgPos = pattern.method === "CommandContext" ? 1 : 0;
+  const programArg = call.arguments.find((a) => a.position === programArgPos);
+  if (!programArg) return false;
+  let program;
+  if (programArg.literal !== null && programArg.literal !== void 0) {
+    program = String(programArg.literal).split("/").pop() ?? String(programArg.literal);
+  } else {
+    const expr = (programArg.expression ?? "").trim();
+    if (!(expr.startsWith('"') || expr.startsWith("`") || expr.startsWith("'"))) {
+      return false;
+    }
+    const stripped = expr.slice(1, -1);
+    program = stripped.split("/").pop() ?? stripped;
+  }
+  const SHELL_PROGRAMS = /* @__PURE__ */ new Set([
+    "sh",
+    "bash",
+    "zsh",
+    "dash",
+    "ash",
+    "ksh",
+    "cmd",
+    "cmd.exe",
+    "powershell",
+    "pwsh",
+    "powershell.exe",
+    "pwsh.exe"
+  ]);
+  if (SHELL_PROGRAMS.has(program)) return false;
+  return true;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -12427,6 +12485,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isSafePythonSubprocessCall(call, pattern, language)) {
           continue;
         }
+        if (isSafeGoExecCommandCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== void 0 && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }
@@ -12785,6 +12846,10 @@ function receiverMightBeClass(receiver, className) {
       }
     }
   }
+  const chainedCallSuffix = `.${className}()`;
+  if (receiver.endsWith(chainedCallSuffix) || receiver.toLowerCase().endsWith(chainedCallSuffix.toLowerCase())) {
+    return true;
+  }
   if (receiver.includes("::")) {
     const scopePrefix = receiver.match(/^(\w+)::/);
     if (scopePrefix) {

package/dist/core/circle-ir-core.js

@@ -11729,6 +11729,18 @@ var DEFAULT_SINKS = [
   // value position so a tainted variable is detected.
   { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
   { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  // Python: Flask/Werkzeug/FastAPI/Django response header sinks (CWE-113).
+  // Subscript assignment (`resp.headers['X-A'] = name`) is NOT covered because
+  // the IR does not emit subscript writes as calls — a known limitation, see
+  // cognium-dev #111. The method-call forms below ARE captured (receiver
+  // suffix-match on `.headers` via receiverMightBeClass).
+  { method: "set", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "add", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "setdefault", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "extend", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["python"] },
+  { method: "__setitem__", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  // Flask/Werkzeug response.set_cookie(name, value, ...) — value is CRLF-sensitive.
+  { method: "set_cookie", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
   // Mass-assignment (CWE-915 / CWE-1321) — Sprint 6, #86; cognium-dev #68 Sprint 10.
   // JS Object.assign(target, ...sources), `_.merge`, `_.extend`, `$.extend`,
   // `Object.defineProperty` — when fed an attacker-controlled bag, they write
@@ -11818,11 +11830,21 @@ var DEFAULT_SANITIZERS = [
   // (defense-in-depth — mirrors Java getCanonicalPath in this table; the
   // stricter Clean+HasPrefix guard recognition is tracked separately).
   // EvalSymlinks is the Go equivalent of Java's Path.toRealPath.
-  { method: "Base", class: "filepath", removes: ["path_traversal"] },
-  { method: "Base", class: "path", removes: ["path_traversal"] },
-  { method: "Clean", class: "filepath", removes: ["path_traversal"] },
-  { method: "Clean", class: "path", removes: ["path_traversal"] },
-  { method: "EvalSymlinks", class: "filepath", removes: ["path_traversal"] },
+  // Sprint 24 (#102 FP-27): broadened to cover external_taint_escape (CWE-668)
+  // fallback so canonicalised paths don't trigger the synthetic sink.
+  { method: "Base", class: "filepath", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "Base", class: "path", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "Clean", class: "filepath", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "Clean", class: "path", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "EvalSymlinks", class: "filepath", removes: ["path_traversal", "external_taint_escape"] },
+  // Go html/template escape helpers (#102 FP-27) — registered explicitly because
+  // configs/sinks/golang.json is not loaded at runtime.
+  { method: "EscapeString", class: "html", removes: ["xss", "external_taint_escape", "log_injection", "open_redirect"] },
+  { method: "HTMLEscapeString", class: "template", removes: ["xss", "external_taint_escape", "log_injection", "open_redirect"] },
+  { method: "JSEscapeString", class: "template", removes: ["xss", "external_taint_escape", "log_injection"] },
+  { method: "URLQueryEscaper", class: "template", removes: ["xss", "external_taint_escape", "open_redirect"] },
+  { method: "QueryEscape", class: "url", removes: ["xss", "external_taint_escape", "open_redirect"] },
+  { method: "PathEscape", class: "url", removes: ["xss", "external_taint_escape", "open_redirect"] },
   // Log Injection sanitizers
   { method: "replace", removes: ["log_injection"] },
   // Used to remove newlines/control chars
@@ -12342,6 +12364,42 @@ function isSafePythonSubprocessCall(call, pattern, language) {
   }
   return true;
 }
+function isSafeGoExecCommandCall(call, pattern, language) {
+  if (language !== "go") return false;
+  if (pattern.type !== "command_injection") return false;
+  if (pattern.class !== "exec") return false;
+  if (pattern.method !== "Command" && pattern.method !== "CommandContext") return false;
+  const programArgPos = pattern.method === "CommandContext" ? 1 : 0;
+  const programArg = call.arguments.find((a) => a.position === programArgPos);
+  if (!programArg) return false;
+  let program;
+  if (programArg.literal !== null && programArg.literal !== void 0) {
+    program = String(programArg.literal).split("/").pop() ?? String(programArg.literal);
+  } else {
+    const expr = (programArg.expression ?? "").trim();
+    if (!(expr.startsWith('"') || expr.startsWith("`") || expr.startsWith("'"))) {
+      return false;
+    }
+    const stripped = expr.slice(1, -1);
+    program = stripped.split("/").pop() ?? stripped;
+  }
+  const SHELL_PROGRAMS = /* @__PURE__ */ new Set([
+    "sh",
+    "bash",
+    "zsh",
+    "dash",
+    "ash",
+    "ksh",
+    "cmd",
+    "cmd.exe",
+    "powershell",
+    "pwsh",
+    "powershell.exe",
+    "pwsh.exe"
+  ]);
+  if (SHELL_PROGRAMS.has(program)) return false;
+  return true;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -12361,6 +12419,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isSafePythonSubprocessCall(call, pattern, language)) {
           continue;
         }
+        if (isSafeGoExecCommandCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== void 0 && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }
@@ -12719,6 +12780,10 @@ function receiverMightBeClass(receiver, className) {
       }
     }
   }
+  const chainedCallSuffix = `.${className}()`;
+  if (receiver.endsWith(chainedCallSuffix) || receiver.toLowerCase().endsWith(chainedCallSuffix.toLowerCase())) {
+    return true;
+  }
   if (receiver.includes("::")) {
     const scopePrefix = receiver.match(/^(\w+)::/);
     if (scopePrefix) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.73.0",
+  "version": "3.75.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",