circle-ir 3.77.0 → 3.80.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (19) hide show
  1. package/dist/analysis/config-loader.d.ts.map +1 -1
  2. package/dist/analysis/config-loader.js +11 -4
  3. package/dist/analysis/config-loader.js.map +1 -1
  4. package/dist/analysis/passes/insecure-cookie-pass.d.ts.map +1 -1
  5. package/dist/analysis/passes/insecure-cookie-pass.js +10 -5
  6. package/dist/analysis/passes/insecure-cookie-pass.js.map +1 -1
  7. package/dist/analysis/passes/scan-secrets-pass.d.ts.map +1 -1
  8. package/dist/analysis/passes/scan-secrets-pass.js +88 -0
  9. package/dist/analysis/passes/scan-secrets-pass.js.map +1 -1
  10. package/dist/analysis/passes/weak-crypto-pass.d.ts.map +1 -1
  11. package/dist/analysis/passes/weak-crypto-pass.js +24 -5
  12. package/dist/analysis/passes/weak-crypto-pass.js.map +1 -1
  13. package/dist/analysis/passes/weak-hash-pass.d.ts.map +1 -1
  14. package/dist/analysis/passes/weak-hash-pass.js +117 -5
  15. package/dist/analysis/passes/weak-hash-pass.js.map +1 -1
  16. package/dist/browser/circle-ir.js +128 -12
  17. package/dist/core/circle-ir-core.cjs +11 -4
  18. package/dist/core/circle-ir-core.js +11 -4
  19. package/package.json +1 -1
package/dist/analysis/config-loader.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAg+CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA4PhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1
+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAu+CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA4PhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
package/dist/analysis/config-loader.js CHANGED
@@ -1133,10 +1133,17 @@ export const DEFAULT_SINKS = [
1133
1133
  // These patterns are detected by call-site literal inspection, not taint flow,
1134
1134
  // so they are NOT registered here as sinks (they could never match a "tainted
1135
1135
  // value flowing into a sink" because the bad value is a hard-coded constant).
1136
- // Trust Boundary (CWE-501) - using untrusted data as session attribute NAME
1137
- // The vulnerability is attacker controlling which key to use, not the value
1138
- { method: 'setAttribute', class: 'HttpSession', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [0] },
1139
- { method: 'putValue', class: 'HttpSession', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [0] },
1136
+ // Trust Boundary (CWE-501) tainted VALUE crossing into shared session
1137
+ // state. OWASP/CWE-501 treats `session.setAttribute("k", taintedValue)` as
1138
+ // the violation: untrusted data enters server-side state where downstream
1139
+ // code reads it as if trusted. Both arg positions are flagged so either a
1140
+ // tainted key (rare) or tainted value (the OWASP shape, 83 cases) trips
1141
+ // the sink. (cognium-dev #117)
1142
+ { method: 'setAttribute', class: 'HttpSession', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [0, 1] },
1143
+ { method: 'putValue', class: 'HttpSession', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [0, 1] },
1144
+ // ServletContext + request scopes — same trust-boundary semantics.
1145
+ { method: 'setAttribute', class: 'ServletContext', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [0, 1] },
1146
+ { method: 'setAttribute', class: 'HttpServletRequest', type: 'trust_boundary', cwe: 'CWE-501', severity: 'low', arg_positions: [0, 1] },
1140
1147
  // Additional XSS patterns (JDOM/XML output)
1141
1148
  { method: 'outputElementContent', class: 'XMLOutputter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
1142
1149
  { method: 'output', class: 'XMLOutputter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },