circle-ir 3.74.0 → 3.77.0

package/dist/browser/circle-ir.js

@@ -12413,6 +12413,18 @@ var DEFAULT_SINKS = [
   // value position so a tainted variable is detected.
   { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
   { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  // Python: Flask/Werkzeug/FastAPI/Django response header sinks (CWE-113).
+  // Subscript assignment (`resp.headers['X-A'] = name`) is NOT covered because
+  // the IR does not emit subscript writes as calls — a known limitation, see
+  // cognium-dev #111. The method-call forms below ARE captured (receiver
+  // suffix-match on `.headers` via receiverMightBeClass).
+  { method: "set", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "add", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "setdefault", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "extend", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["python"] },
+  { method: "__setitem__", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  // Flask/Werkzeug response.set_cookie(name, value, ...) — value is CRLF-sensitive.
+  { method: "set_cookie", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
   // Mass-assignment (CWE-915 / CWE-1321) — Sprint 6, #86; cognium-dev #68 Sprint 10.
   // JS Object.assign(target, ...sources), `_.merge`, `_.extend`, `$.extend`,
   // `Object.defineProperty` — when fed an attacker-controlled bag, they write
@@ -13539,6 +13551,10 @@ function receiverMightBeClass(receiver, className) {
       }
     }
   }
+  const chainedCallSuffix = `.${className}()`;
+  if (receiver.endsWith(chainedCallSuffix) || receiver.toLowerCase().endsWith(chainedCallSuffix.toLowerCase())) {
+    return true;
+  }
   if (receiver.includes("::")) {
     const scopePrefix = receiver.match(/^(\w+)::/);
     if (scopePrefix) {
@@ -24641,6 +24657,43 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
           }
         }
       }
+      const aliasChains = [];
+      {
+        const codeLines2 = code.split("\n");
+        for (let i2 = 0; i2 < codeLines2.length; i2++) {
+          const ln = codeLines2[i2];
+          if (ln.trimStart().startsWith("#")) continue;
+          const m = ln.match(/^\s*([\p{L}\p{N}_]+)\s*=\s*([\p{L}\p{N}_]+)\s*$/u);
+          if (!m) continue;
+          const lineNum = i2 + 1;
+          const lhs = m[1];
+          if (derived.get(lhs) !== lineNum) continue;
+          aliasChains.push({ lhs, upstream: m[2], line: lineNum });
+        }
+      }
+      if (aliasChains.length > 0) {
+        let changed = true;
+        let guard = 0;
+        while (changed && guard < aliasChains.length + 2) {
+          changed = false;
+          guard++;
+          for (const { lhs, upstream } of aliasChains) {
+            const upCov = aliasSanitizedFor.get(upstream);
+            if (!upCov || upCov.size === 0) continue;
+            let downCov = aliasSanitizedFor.get(lhs);
+            if (!downCov) {
+              downCov = /* @__PURE__ */ new Set();
+              aliasSanitizedFor.set(lhs, downCov);
+            }
+            for (const t of upCov) {
+              if (!downCov.has(t)) {
+                downCov.add(t);
+                changed = true;
+              }
+            }
+          }
+        }
+      }
     }
   }
   if (language === "rust" && typeof code === "string" && sourcesWithVar.length > 0) {
@@ -29758,6 +29811,10 @@ var WeakRandomPass = class {
           return `${rt}.${method}`;
         }
       }
+      if (JAVA_RANDOM_METHODS.has(method)) {
+        if (/^new\s+Random\s*\(/.test(receiver)) return `new Random.${method}`;
+        if (/^new\s+SplittableRandom\s*\(/.test(receiver)) return `new SplittableRandom.${method}`;
+      }
       if (JAVA_RANDOM_METHODS.has(method) && /ThreadLocalRandom\.current\(\)/.test(receiver)) {
         return `ThreadLocalRandom.current.${method}`;
       }
@@ -30576,7 +30633,7 @@ var JwtVerifyDisabledPass = class {
           out2.push({ pattern: "Algorithm.none()", api: "JWT.require" });
         }
       }
-      if (method === "parse" && receiver.includes("parser")) {
+      if (method === "parse" && /\bJwts\s*\.\s*parser\s*\(/.test(receiver)) {
         out2.push({ pattern: "parse() instead of parseClaimsJws()", api: "Jwts.parser().parse" });
       }
       return out2;

package/dist/core/circle-ir-core.cjs

@@ -11795,6 +11795,18 @@ var DEFAULT_SINKS = [
   // value position so a tainted variable is detected.
   { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
   { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  // Python: Flask/Werkzeug/FastAPI/Django response header sinks (CWE-113).
+  // Subscript assignment (`resp.headers['X-A'] = name`) is NOT covered because
+  // the IR does not emit subscript writes as calls — a known limitation, see
+  // cognium-dev #111. The method-call forms below ARE captured (receiver
+  // suffix-match on `.headers` via receiverMightBeClass).
+  { method: "set", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "add", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "setdefault", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "extend", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["python"] },
+  { method: "__setitem__", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  // Flask/Werkzeug response.set_cookie(name, value, ...) — value is CRLF-sensitive.
+  { method: "set_cookie", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
   // Mass-assignment (CWE-915 / CWE-1321) — Sprint 6, #86; cognium-dev #68 Sprint 10.
   // JS Object.assign(target, ...sources), `_.merge`, `_.extend`, `$.extend`,
   // `Object.defineProperty` — when fed an attacker-controlled bag, they write
@@ -12834,6 +12846,10 @@ function receiverMightBeClass(receiver, className) {
       }
     }
   }
+  const chainedCallSuffix = `.${className}()`;
+  if (receiver.endsWith(chainedCallSuffix) || receiver.toLowerCase().endsWith(chainedCallSuffix.toLowerCase())) {
+    return true;
+  }
   if (receiver.includes("::")) {
     const scopePrefix = receiver.match(/^(\w+)::/);
     if (scopePrefix) {

package/dist/core/circle-ir-core.js

@@ -11729,6 +11729,18 @@ var DEFAULT_SINKS = [
   // value position so a tainted variable is detected.
   { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
   { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  // Python: Flask/Werkzeug/FastAPI/Django response header sinks (CWE-113).
+  // Subscript assignment (`resp.headers['X-A'] = name`) is NOT covered because
+  // the IR does not emit subscript writes as calls — a known limitation, see
+  // cognium-dev #111. The method-call forms below ARE captured (receiver
+  // suffix-match on `.headers` via receiverMightBeClass).
+  { method: "set", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "add", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "setdefault", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  { method: "extend", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["python"] },
+  { method: "__setitem__", class: "headers", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
+  // Flask/Werkzeug response.set_cookie(name, value, ...) — value is CRLF-sensitive.
+  { method: "set_cookie", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["python"] },
   // Mass-assignment (CWE-915 / CWE-1321) — Sprint 6, #86; cognium-dev #68 Sprint 10.
   // JS Object.assign(target, ...sources), `_.merge`, `_.extend`, `$.extend`,
   // `Object.defineProperty` — when fed an attacker-controlled bag, they write
@@ -12768,6 +12780,10 @@ function receiverMightBeClass(receiver, className) {
       }
     }
   }
+  const chainedCallSuffix = `.${className}()`;
+  if (receiver.endsWith(chainedCallSuffix) || receiver.toLowerCase().endsWith(chainedCallSuffix.toLowerCase())) {
+    return true;
+  }
   if (receiver.includes("::")) {
     const scopePrefix = receiver.match(/^(\w+)::/);
     if (scopePrefix) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.74.0",
+  "version": "3.77.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",