circle-ir 3.8.4 → 3.9.8

package/dist/analysis/passes/infinite-loop-pass.js

@@ -0,0 +1,126 @@
+/**
+ * Pass #28: infinite-loop (CWE-835, category: reliability)
+ *
+ * Detects loops with no reachable exit edge — i.e., loops that can run
+ * forever because every execution path through the loop body leads back to
+ * the loop header without a break, return, throw, or continue-to-outer.
+ *
+ * Detection strategy:
+ *   1. Identify loop headers: back-edge targets in the CFG (`edge.type === 'back'`).
+ *   2. For each loop, collect the loop body blocks via BFS from the header,
+ *      stopping at back-edge sources (the "tail" blocks).
+ *   3. Check whether any block in the body has an outgoing edge that exits
+ *      the loop (target not in body set and not back to header).
+ *   4. As a text-level fallback, scan source lines in the loop body for
+ *      `return`, `throw`/`raise`, `break`, `System.exit` keywords.
+ *   5. Emit a finding at the loop header's start_line if no exit is found.
+ *
+ * Languages: Java, JavaScript, TypeScript, Python, Rust. Skip Bash.
+ */
+/** Exit keywords to scan for as a text-level fallback. */
+const EXIT_KEYWORDS = /\b(return|throw|raise|break|System\.exit|process\.exit|os\._exit|exit!\()\b/;
+export class InfiniteLoopPass {
+    name = 'infinite-loop';
+    category = 'reliability';
+    run(ctx) {
+        const { graph, code, language } = ctx;
+        if (language === 'bash') {
+            return { potentialInfiniteLoops: [] };
+        }
+        const { blocks, edges } = graph.ir.cfg;
+        if (blocks.length === 0)
+            return { potentialInfiniteLoops: [] };
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        // Build adjacency maps
+        const outgoing = new Map();
+        for (const edge of edges) {
+            const list = outgoing.get(edge.from) ?? [];
+            list.push({ to: edge.to, type: edge.type });
+            outgoing.set(edge.from, list);
+        }
+        // Find back-edges: each back-edge defines a loop
+        const backEdges = edges.filter(e => e.type === 'back');
+        const potentialInfiniteLoops = [];
+        const reportedHeaders = new Set();
+        for (const backEdge of backEdges) {
+            const headerId = backEdge.to;
+            const tailId = backEdge.from;
+            const header = graph.blockById.get(headerId);
+            const tail = graph.blockById.get(tailId);
+            if (!header || !tail)
+                continue;
+            // Deduplicate: one finding per header
+            if (reportedHeaders.has(headerId))
+                continue;
+            // Collect loop body blocks via BFS from header, stopping at tail
+            const bodyIds = new Set();
+            const queue = [headerId];
+            bodyIds.add(headerId);
+            while (queue.length > 0) {
+                const cur = queue.shift();
+                for (const { to, type } of outgoing.get(cur) ?? []) {
+                    // Don't follow back edges (stay inside the loop)
+                    if (type === 'back')
+                        continue;
+                    if (!bodyIds.has(to)) {
+                        bodyIds.add(to);
+                        queue.push(to);
+                    }
+                }
+                // Stop expanding from tail (the back-edge source)
+                if (cur === tailId)
+                    break;
+            }
+            // Check for any exit edge: an edge from a body block to a non-body block
+            let hasExit = false;
+            for (const bodyId of bodyIds) {
+                for (const { to, type } of outgoing.get(bodyId) ?? []) {
+                    if (type === 'back')
+                        continue;
+                    if (!bodyIds.has(to)) {
+                        hasExit = true;
+                        break;
+                    }
+                }
+                if (hasExit)
+                    break;
+            }
+            if (hasExit)
+                continue;
+            // Text-level fallback: scan source lines for exit keywords
+            const bodyStart = header.start_line;
+            const bodyEnd = tail.end_line;
+            let hasKeywordExit = false;
+            for (let ln = bodyStart; ln <= bodyEnd && ln <= codeLines.length; ln++) {
+                if (EXIT_KEYWORDS.test(codeLines[ln - 1] ?? '')) {
+                    hasKeywordExit = true;
+                    break;
+                }
+            }
+            if (hasKeywordExit)
+                continue;
+            reportedHeaders.add(headerId);
+            potentialInfiniteLoops.push({ headerLine: header.start_line, bodyEndLine: bodyEnd });
+            const loc = bodyStart === bodyEnd
+                ? `line ${bodyStart}`
+                : `lines ${bodyStart}–${bodyEnd}`;
+            ctx.addFinding({
+                id: `infinite-loop-${file}-${header.start_line}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-835',
+                severity: 'medium',
+                level: 'warning',
+                message: `Potential infinite loop: no reachable break, return, or throw found in loop body (${loc})`,
+                file,
+                line: header.start_line,
+                end_line: bodyEnd > header.start_line ? bodyEnd : undefined,
+                fix: 'Ensure the loop has a reachable exit condition (break, return, or throw) on all paths',
+            });
+        }
+        return { potentialInfiniteLoops };
+    }
+}
+//# sourceMappingURL=infinite-loop-pass.js.map

package/dist/analysis/passes/infinite-loop-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"infinite-loop-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/infinite-loop-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH,0DAA0D;AAC1D,MAAM,aAAa,GAAG,6EAA6E,CAAC;AAMpG,MAAM,OAAO,gBAAgB;IAClB,IAAI,GAAG,eAAe,CAAC;IACvB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEtC,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,OAAO,EAAE,sBAAsB,EAAE,EAAE,EAAE,CAAC;QACxC,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC;QACvC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,sBAAsB,EAAE,EAAE,EAAE,CAAC;QAE/D,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEnC,uBAAuB;QACvB,MAAM,QAAQ,GAAG,IAAI,GAAG,EAA+C,CAAC;QACxE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAC3C,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YAC5C,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAChC,CAAC;QAED,iDAAiD;QACjD,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC;QAEvD,MAAM,sBAAsB,GAAiD,EAAE,CAAC;QAChF,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;QAE1C,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,MAAM,QAAQ,GAAG,QAAQ,CAAC,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC;YAE7B,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC7C,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI;gBAAE,SAAS;YAE/B,sCAAsC;YACtC,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAE5C,iEAAiE;YACjE,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;YAClC,MAAM,KAAK,GAAa,CAAC,QAAQ,CAAC,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAEtB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,EAAG,CAAC;gBAC3B,KAAK,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;oBACnD,iDAAiD;oBACjD,IAAI,IAAI,KAAK,MAAM;wBAAE,SAAS;oBAC9B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;wBACrB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;wBAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBACjB,CAAC;gBACH,CAAC;gBACD,kDAAkD;gBAClD,IAAI,GAAG,KAAK,MAAM;oBAAE,MAAM;YAC5B,CAAC;YAED,yEAAyE;YACzE,IAAI,OAAO,GAAG,KAAK,CAAC;YACpB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,KAAK,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;oBACtD,IAAI,IAAI,KAAK,MAAM;wBAAE,SAAS;oBAC9B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;wBACrB,OAAO,GAAG,IAAI,CAAC;wBACf,MAAM;oBACR,CAAC;gBACH,CAAC;gBACD,IAAI,OAAO;oBAAE,MAAM;YACrB,CAAC;YAED,IAAI,OAAO;gBAAE,SAAS;YAEtB,2DAA2D;YAC3D,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC;YACpC,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC;YAC9B,IAAI,cAAc,GAAG,KAAK,CAAC;YAC3B,KAAK,IAAI,EAAE,GAAG,SAAS,EAAE,EAAE,IAAI,OAAO,IAAI,EAAE,IAAI,SAAS,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC;gBACvE,IAAI,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;oBAChD,cAAc,GAAG,IAAI,CAAC;oBACtB,MAAM;gBACR,CAAC;YACH,CAAC;YAED,IAAI,cAAc;gBAAE,SAAS;YAE7B,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC9B,sBAAsB,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;YAErF,MAAM,GAAG,GAAG,SAAS,KAAK,OAAO;gBAC/B,CAAC,CAAC,QAAQ,SAAS,EAAE;gBACrB,CAAC,CAAC,SAAS,SAAS,IAAI,OAAO,EAAE,CAAC;YAEpC,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,iBAAiB,IAAI,IAAI,MAAM,CAAC,UAAU,EAAE;gBAChD,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,qFAAqF,GAAG,GAAG;gBAC7F,IAAI;gBACJ,IAAI,EAAE,MAAM,CAAC,UAAU;gBACvB,QAAQ,EAAE,OAAO,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;gBAC3D,GAAG,EAAE,uFAAuF;aAC7F,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,sBAAsB,EAAE,CAAC;IACpC,CAAC;CACF"}

package/dist/analysis/passes/interprocedural-pass.d.ts

@@ -0,0 +1,29 @@
+/**
+ * InterproceduralPass
+ *
+ * Performs inter-procedural taint analysis: finds taint escaping the current
+ * method into callees and surfaces sinks inside those callees.
+ *
+ * Handles two scenarios:
+ *   A) Sources + sinks already found → find additional sinks inside callees
+ *      and generate inter-procedural flows between them.
+ *   B) Sources found but no sinks yet → detect external taint escapes
+ *      (CWE-668 "external_taint_escape") as a fallback.
+ *
+ * Depends on: sink-filter, constant-propagation, taint-propagation
+ */
+import type { TaintSink, TaintFlowInfo, InterproceduralInfo } from '../../types/index.js';
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface InterproceduralPassResult {
+    /** Additional sinks surfaced by inter-procedural analysis. */
+    additionalSinks: TaintSink[];
+    /** Additional flows generated from inter-procedural paths. */
+    additionalFlows: TaintFlowInfo[];
+    /** Structured inter-procedural summary for the IR output. */
+    interprocedural?: InterproceduralInfo;
+}
+export declare class InterproceduralPass implements AnalysisPass<InterproceduralPassResult> {
+    readonly name = "interprocedural";
+    readonly category: "security";
+    run(ctx: PassContext): InterproceduralPassResult;
+}

package/dist/analysis/passes/interprocedural-pass.js

@@ -0,0 +1,169 @@
+/**
+ * InterproceduralPass
+ *
+ * Performs inter-procedural taint analysis: finds taint escaping the current
+ * method into callees and surfaces sinks inside those callees.
+ *
+ * Handles two scenarios:
+ *   A) Sources + sinks already found → find additional sinks inside callees
+ *      and generate inter-procedural flows between them.
+ *   B) Sources found but no sinks yet → detect external taint escapes
+ *      (CWE-668 "external_taint_escape") as a fallback.
+ *
+ * Depends on: sink-filter, constant-propagation, taint-propagation
+ */
+import { analyzeInterprocedural, findTaintBridges } from '../interprocedural.js';
+export class InterproceduralPass {
+    name = 'interprocedural';
+    category = 'security';
+    run(ctx) {
+        const { graph } = ctx;
+        const constProp = ctx.getResult('constant-propagation');
+        const sinkFilter = ctx.getResult('sink-filter');
+        const taintProp = ctx.getResult('taint-propagation');
+        const { sources, sinks, sanitizers } = sinkFilter;
+        if (sources.length === 0) {
+            return { additionalSinks: [], additionalFlows: [] };
+        }
+        const additionalSinks = [];
+        const additionalFlows = [...taintProp.flows];
+        let interprocedural;
+        // --- Scenario A: sources AND sinks present --------------------------------
+        if (sinks.length > 0) {
+            const interProc = analyzeInterprocedural(graph, sources, sinks, sanitizers, {
+                taintedVariables: constProp.tainted,
+            });
+            // Collect propagated sinks (skip external_taint_escape — only used in fallback)
+            for (const sink of interProc.propagatedSinks) {
+                if (sink.type === 'external_taint_escape')
+                    continue;
+                if (!sinks.some(s => s.line === sink.line)) {
+                    additionalSinks.push(sink);
+                }
+            }
+            // Build inter-procedural flows for newly surfaced sinks
+            if (interProc.propagatedSinks.length > 0) {
+                const sanitizerMethodNames = new Set();
+                for (const san of sanitizers) {
+                    if (san.type === 'javadoc_sanitizer') {
+                        const match = san.method.match(/^(\w+)\(\)$/);
+                        sanitizerMethodNames.add(match ? match[1] : san.method);
+                    }
+                }
+                for (const sink of interProc.propagatedSinks) {
+                    if (sink.type === 'external_taint_escape')
+                        continue;
+                    for (const edge of interProc.callEdges) {
+                        if (!interProc.taintedMethods.has(edge.calleeMethod))
+                            continue;
+                        const method = interProc.methodNodes.get(edge.calleeMethod);
+                        if (!method)
+                            continue;
+                        if (sink.line < method.startLine || sink.line > method.endLine)
+                            continue;
+                        if (sanitizerMethodNames.has(method.name))
+                            continue;
+                        for (const source of sources) {
+                            if (source.line > edge.callLine)
+                                continue;
+                            if (source.type === 'interprocedural_param' && source.confidence < 0.6)
+                                continue;
+                            if (additionalFlows.some(f => f.source_line === source.line && f.sink_line === sink.line))
+                                continue;
+                            additionalFlows.push({
+                                source_line: source.line,
+                                sink_line: sink.line,
+                                source_type: source.type,
+                                sink_type: sink.type,
+                                path: [
+                                    { variable: source.location, line: source.line, type: 'source' },
+                                    { variable: `call to ${method.name}()`, line: edge.callLine, type: 'use' },
+                                    { variable: sink.location, line: sink.line, type: 'sink' },
+                                ],
+                                confidence: sink.confidence * source.confidence * 0.85,
+                                sanitized: false,
+                            });
+                            break; // one source per sink is enough
+                        }
+                        break; // one call edge per sink is enough
+                    }
+                }
+            }
+            const taintBridges = findTaintBridges(interProc);
+            interprocedural = {
+                tainted_methods: Array.from(interProc.taintedMethods),
+                taint_bridges: taintBridges,
+                method_flows: interProc.callEdges
+                    .filter(edge => interProc.taintedMethods.has(edge.calleeMethod))
+                    .map(edge => ({
+                    caller: edge.callerMethod,
+                    callee: edge.calleeMethod,
+                    call_line: edge.callLine,
+                    tainted_args: edge.taintedArgs,
+                    returns_taint: interProc.taintedReturns.has(edge.calleeMethod),
+                })),
+            };
+        }
+        // --- Scenario B: sources present, no sinks --------------------------------
+        if (sinks.length === 0) {
+            // `constructor_field` sources are generated by the Java getter pattern
+            // detector and are not real external inputs in TypeScript/library code.
+            // `interprocedural_param` sources represent "this method's parameter MIGHT be
+            // tainted when called with tainted data" — they are speculative signals, not
+            // confirmed external inputs.  Using them in Scenario B (no YAML sinks) produces
+            // false-positive `external_taint_escape` findings on every internal library
+            // method whose typed parameters flow into arithmetic or other operations
+            // (e.g. `run(ctx: MetricContext)` computing metrics from `ctx.accumulated`).
+            // Real cross-file flows from true web inputs are surfaced by CrossFilePass;
+            // there is no value in re-surfacing them here as unvalidated escapes.
+            const fallbackSources = sources.filter(s => s.type !== 'constructor_field' &&
+                s.type !== 'interprocedural_param');
+            if (fallbackSources.length === 0) {
+                return { additionalSinks, additionalFlows, interprocedural };
+            }
+            const interProc = analyzeInterprocedural(graph, fallbackSources, [], sanitizers, {
+                taintedVariables: constProp.tainted,
+            });
+            for (const sink of interProc.propagatedSinks) {
+                if (!constProp.unreachableLines.has(sink.line)) {
+                    additionalSinks.push(sink);
+                }
+            }
+            if (interProc.taintedMethods.size > 0 || interProc.propagatedSinks.length > 0) {
+                const taintBridges = findTaintBridges(interProc);
+                interprocedural = {
+                    tainted_methods: Array.from(interProc.taintedMethods),
+                    taint_bridges: taintBridges,
+                    method_flows: interProc.callEdges
+                        .filter(edge => interProc.taintedMethods.has(edge.calleeMethod))
+                        .map(edge => ({
+                        caller: edge.callerMethod,
+                        callee: edge.calleeMethod,
+                        call_line: edge.callLine,
+                        tainted_args: edge.taintedArgs,
+                        returns_taint: interProc.taintedReturns.has(edge.calleeMethod),
+                    })),
+                };
+            }
+            // Generate simple source→sink flows for any newly-found sinks
+            if (additionalSinks.length > 0 && sources.length > 0) {
+                for (const sink of additionalSinks) {
+                    additionalFlows.push({
+                        source_line: sources[0].line,
+                        sink_line: sink.line,
+                        source_type: sources[0].type,
+                        sink_type: sink.type,
+                        path: [
+                            { variable: 'input', line: sources[0].line, type: 'source' },
+                            { variable: 'input', line: sink.line, type: 'sink' },
+                        ],
+                        confidence: sources[0].confidence * sink.confidence,
+                        sanitized: false,
+                    });
+                }
+            }
+        }
+        return { additionalSinks, additionalFlows, interprocedural };
+    }
+}
+//# sourceMappingURL=interprocedural-pass.js.map

package/dist/analysis/passes/interprocedural-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interprocedural-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/interprocedural-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAOH,OAAO,EAAE,sBAAsB,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAWjF,MAAM,OAAO,mBAAmB;IACrB,IAAI,GAAG,iBAAiB,CAAC;IACzB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;QAEtB,MAAM,SAAS,GAAK,GAAG,CAAC,SAAS,CAA2B,sBAAsB,CAAC,CAAC;QACpF,MAAM,UAAU,GAAI,GAAG,CAAC,SAAS,CAAmB,aAAa,CAAC,CAAC;QACnE,MAAM,SAAS,GAAK,GAAG,CAAC,SAAS,CAA6B,mBAAmB,CAAC,CAAC;QAEnF,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,UAAU,CAAC;QAElD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,EAAE,eAAe,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;QACtD,CAAC;QAED,MAAM,eAAe,GAAgB,EAAE,CAAC;QACxC,MAAM,eAAe,GAAoB,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9D,IAAI,eAAgD,CAAC;QAErD,6EAA6E;QAC7E,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,SAAS,GAAG,sBAAsB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE;gBAC1E,gBAAgB,EAAE,SAAS,CAAC,OAAO;aACpC,CAAC,CAAC;YAEH,gFAAgF;YAChF,KAAK,MAAM,IAAI,IAAI,SAAS,CAAC,eAAe,EAAE,CAAC;gBAC7C,IAAI,IAAI,CAAC,IAAI,KAAK,uBAAuB;oBAAE,SAAS;gBACpD,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC3C,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC7B,CAAC;YACH,CAAC;YAED,wDAAwD;YACxD,IAAI,SAAS,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACzC,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAAU,CAAC;gBAC/C,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;oBAC7B,IAAI,GAAG,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;wBACrC,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;wBAC9C,oBAAoB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBAC1D,CAAC;gBACH,CAAC;gBAED,KAAK,MAAM,IAAI,IAAI,SAAS,CAAC,eAAe,EAAE,CAAC;oBAC7C,IAAI,IAAI,CAAC,IAAI,KAAK,uBAAuB;wBAAE,SAAS;oBAEpD,KAAK,MAAM,IAAI,IAAI,SAAS,CAAC,SAAS,EAAE,CAAC;wBACvC,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC;4BAAE,SAAS;wBAE/D,MAAM,MAAM,GAAG,SAAS,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;wBAC5D,IAAI,CAAC,MAAM;4BAAE,SAAS;wBACtB,IAAI,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,OAAO;4BAAE,SAAS;wBACzE,IAAI,oBAAoB,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;4BAAE,SAAS;wBAEpD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;4BAC7B,IAAI,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,QAAQ;gCAAE,SAAS;4BAC1C,IAAI,MAAM,CAAC,IAAI,KAAK,uBAAuB,IAAI,MAAM,CAAC,UAAU,GAAG,GAAG;gCAAE,SAAS;4BACjF,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,CAAC,SAAS,KAAK,IAAI,CAAC,IAAI,CAAC;gCAAE,SAAS;4BAEpG,eAAe,CAAC,IAAI,CAAC;gCACnB,WAAW,EAAE,MAAM,CAAC,IAAI;gCACxB,SAAS,EAAI,IAAI,CAAC,IAAI;gCACtB,WAAW,EAAE,MAAM,CAAC,IAAI;gCACxB,SAAS,EAAI,IAAI,CAAC,IAAI;gCACtB,IAAI,EAAE;oCACJ,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAa,IAAI,EAAE,MAAM,CAAC,IAAI,EAAK,IAAI,EAAE,QAAiB,EAAE;oCACvF,EAAE,QAAQ,EAAE,WAAW,MAAM,CAAC,IAAI,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAG,IAAI,EAAE,KAAiB,EAAE;oCACvF,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAe,IAAI,EAAE,IAAI,CAAC,IAAI,EAAO,IAAI,EAAE,MAAiB,EAAE;iCACxF;gCACD,UAAU,EAAE,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI;gCACtD,SAAS,EAAE,KAAK;6BACjB,CAAC,CAAC;4BACH,MAAM,CAAC,gCAAgC;wBACzC,CAAC;wBACD,MAAM,CAAC,mCAAmC;oBAC5C,CAAC;gBACH,CAAC;YACH,CAAC;YAED,MAAM,YAAY,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;YACjD,eAAe,GAAG;gBAChB,eAAe,EAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC;gBACrD,aAAa,EAAE,YAAY;gBAC3B,YAAY,EAAE,SAAS,CAAC,SAAS;qBAC9B,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,SAAS,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;qBAC/D,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBACZ,MAAM,EAAS,IAAI,CAAC,YAAY;oBAChC,MAAM,EAAS,IAAI,CAAC,YAAY;oBAChC,SAAS,EAAM,IAAI,CAAC,QAAQ;oBAC5B,YAAY,EAAG,IAAI,CAAC,WAAW;oBAC/B,aAAa,EAAE,SAAS,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC;iBAC/D,CAAC,CAAC;aACN,CAAC;QACJ,CAAC;QAED,6EAA6E;QAC7E,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,uEAAuE;YACvE,wEAAwE;YACxE,8EAA8E;YAC9E,6EAA6E;YAC7E,gFAAgF;YAChF,4EAA4E;YAC5E,yEAAyE;YACzE,6EAA6E;YAC7E,4EAA4E;YAC5E,sEAAsE;YACtE,MAAM,eAAe,GAAG,OAAO,CAAC,MAAM,CACpC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,mBAAmB;gBACjC,CAAC,CAAC,IAAI,KAAK,uBAAuB,CACrC,CAAC;YACF,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACjC,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,CAAC;YAC/D,CAAC;YACD,MAAM,SAAS,GAAG,sBAAsB,CAAC,KAAK,EAAE,eAAe,EAAE,EAAE,EAAE,UAAU,EAAE;gBAC/E,gBAAgB,EAAE,SAAS,CAAC,OAAO;aACpC,CAAC,CAAC;YAEH,KAAK,MAAM,IAAI,IAAI,SAAS,CAAC,eAAe,EAAE,CAAC;gBAC7C,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC/C,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC7B,CAAC;YACH,CAAC;YAED,IAAI,SAAS,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,IAAI,SAAS,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9E,MAAM,YAAY,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;gBACjD,eAAe,GAAG;oBAChB,eAAe,EAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC;oBACrD,aAAa,EAAE,YAAY;oBAC3B,YAAY,EAAE,SAAS,CAAC,SAAS;yBAC9B,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,SAAS,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;yBAC/D,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;wBACZ,MAAM,EAAS,IAAI,CAAC,YAAY;wBAChC,MAAM,EAAS,IAAI,CAAC,YAAY;wBAChC,SAAS,EAAM,IAAI,CAAC,QAAQ;wBAC5B,YAAY,EAAG,IAAI,CAAC,WAAW;wBAC/B,aAAa,EAAE,SAAS,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC;qBAC/D,CAAC,CAAC;iBACN,CAAC;YACJ,CAAC;YAED,8DAA8D;YAC9D,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACrD,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;oBACnC,eAAe,CAAC,IAAI,CAAC;wBACnB,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI;wBAC5B,SAAS,EAAI,IAAI,CAAC,IAAI;wBACtB,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI;wBAC5B,SAAS,EAAI,IAAI,CAAC,IAAI;wBACtB,IAAI,EAAE;4BACJ,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,QAAiB,EAAE;4BACrE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAQ,IAAI,EAAE,MAAiB,EAAE;yBACtE;wBACD,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU;wBACnD,SAAS,EAAE,KAAK;qBACjB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,CAAC;IAC/D,CAAC;CACF"}

package/dist/analysis/passes/language-sources-pass.d.ts

@@ -0,0 +1,76 @@
+/**
+ * LanguageSourcesPass
+ *
+ * Detects taint sources and sinks that are not covered by config-based
+ * pattern matching (analyzer.js / taint-matcher).  Handles language-specific
+ * patterns that require text-level heuristics:
+ *   - Java: getter methods returning tainted constructor fields
+ *   - JavaScript/TypeScript: assignment sources, DOM XSS property sinks
+ *   - Python: assignment sources, return-XSS sinks, trust-boundary violations
+ *
+ * Also computes the forward-taint maps (pyTaintedVars / jsTaintedVars) that
+ * SinkFilterPass uses to reduce false positives.
+ *
+ * Depends on: taint-matcher, constant-propagation
+ */
+import type { TaintSource, TaintSink } from '../../types/index.js';
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export declare const JS_TAINTED_PATTERNS: ({
+    pattern: RegExp;
+    type: "http_param";
+} | {
+    pattern: RegExp;
+    type: "http_body";
+} | {
+    pattern: RegExp;
+    type: "http_header";
+} | {
+    pattern: RegExp;
+    type: "http_cookie";
+} | {
+    pattern: RegExp;
+    type: "http_path";
+} | {
+    pattern: RegExp;
+    type: "file_input";
+} | {
+    pattern: RegExp;
+    type: "env_input";
+} | {
+    pattern: RegExp;
+    type: "io_input";
+} | {
+    pattern: RegExp;
+    type: "dom_input";
+})[];
+export interface LanguageSourcesResult {
+    additionalSources: TaintSource[];
+    additionalSinks: TaintSink[];
+    /**
+     * Python forward-taint map: variable name → first tainted line.
+     * Used by SinkFilterPass to reduce XPath/XSS false positives.
+     */
+    pyTaintedVars: Map<string, number>;
+    /**
+     * Python sanitized-variable set (apostrophe-guard + .replace() sanitizers).
+     * Used by SinkFilterPass to suppress sanitized XPath sinks.
+     */
+    pySanitizedVars: Set<string>;
+    /**
+     * JavaScript forward-taint map: variable name → first tainted line.
+     * Used by SinkFilterPass to suppress spurious XSS sinks.
+     */
+    jsTaintedVars: Map<string, number>;
+}
+export declare class LanguageSourcesPass implements AnalysisPass<LanguageSourcesResult> {
+    readonly name = "language-sources";
+    readonly category: "security";
+    run(ctx: PassContext): LanguageSourcesResult;
+}
+export declare function buildPythonTaintedVars(sourceCode: string): Map<string, number>;
+export declare function buildPythonSanitizedVars(sourceCode: string, pyTaintedVars: Map<string, number>): Set<string>;
+export declare function findPythonTrustBoundaryViolations(sourceCode: string, taintedVars: Map<string, number>): Array<{
+    sourceLine: number;
+    sinkLine: number;
+}>;
+export declare function buildJavaScriptTaintedVars(sourceCode: string, language: string): Map<string, number>;