circle-ir 3.80.0 → 3.82.0

package/configs/sinks/xss.yaml

@@ -418,13 +418,14 @@
     },
     {
       "method": "write",
+      "class": "ServletOutputStream",
       "type": "xss",
       "cwe": "CWE-79",
       "severity": "high",
       "arg_positions": [
         0
       ],
-      "note": "Auto-mined from CVE analysis"
+      "note": "Servlet response output stream — class-scoped (Sprint 28 #110)"
     },
     {
       "method": "newInstance",

package/dist/analysis/config-loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAu+CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA4PhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
+{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA4+CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA+QhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}

package/dist/analysis/config-loader.js

@@ -775,7 +775,12 @@ export const DEFAULT_SINKS = [
     // Class-less XSS patterns for cases where receiver type is inferred
     { method: 'println', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
     { method: 'print', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
-    { method: 'write', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
+    // NOTE: the unscoped { method: 'write', type: 'xss' } entry was removed in
+    // Sprint 28 (#110). It mistyped every non-XSS .write() across all languages
+    // (fs.writeFile, open().write, bcrypt callbacks, credential file writes,
+    // node ClientRequest.write, etc.) as xss. Real HTML writers are covered
+    // by class-scoped entries: PrintWriter.write (line 843), ServletOutputStream.write
+    // (line 849), JspWriter.write (xss.yaml), Response.write (nodejs.json).
     { method: 'append', class: 'StringBuilder', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
     { method: 'append', class: 'StringBuffer', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
     // Wiki/CMS XSS sinks (JSPWiki, Confluence, etc.)
@@ -1961,9 +1966,26 @@ export const DEFAULT_SANITIZERS = [
     // JSON.parse (data is validated against JSON grammar, prevents XSS/code injection)
     { method: 'parse', class: 'JSON', removes: ['xss', 'code_injection'] },
     // Type coercion (removes string-based injections)
-    { method: 'parseInt', removes: ['sql_injection', 'nosql_injection', 'command_injection', 'xss'] },
-    { method: 'parseFloat', removes: ['sql_injection', 'nosql_injection', 'command_injection'] },
-    { method: 'Number', removes: ['sql_injection', 'nosql_injection', 'command_injection'] },
+    // Sprint 29 (#113): include external_taint_escape — a numeric cast cannot
+    // carry an unvalidated string payload across a function boundary.
+    { method: 'parseInt', removes: ['sql_injection', 'nosql_injection', 'command_injection', 'xss', 'external_taint_escape', 'path_traversal', 'code_injection'] },
+    { method: 'parseFloat', removes: ['sql_injection', 'nosql_injection', 'command_injection', 'external_taint_escape', 'path_traversal', 'code_injection'] },
+    { method: 'Number', removes: ['sql_injection', 'nosql_injection', 'command_injection', 'external_taint_escape', 'path_traversal', 'code_injection'] },
+    // Sprint 29 (#113): bounds-clamp Math.min / Math.max — when used to bound
+    // a numeric/size value (e.g. `Math.min(size, MAX_BYTES)`), the result is
+    // safely bounded and cannot resource-exhaust downstream. Only suppress
+    // external_taint_escape — these helpers do NOT sanitize string injection.
+    { method: 'min', class: 'Math', removes: ['external_taint_escape'] },
+    { method: 'max', class: 'Math', removes: ['external_taint_escape'] },
+    // Sprint 29 (#113): allow-list / membership guards — when an external value
+    // is tested against an allow-list (`ALLOWED.includes(x)`, `set.has(x)`,
+    // `list.contains(x)`) before being forwarded, it cannot escape unbounded.
+    // Only suppress `external_taint_escape`; real string-injection sinks should
+    // still rely on their own escaping.
+    { method: 'includes', removes: ['external_taint_escape'] },
+    { method: 'has', removes: ['external_taint_escape'] },
+    { method: 'contains', removes: ['external_taint_escape'] },
+    { method: 'indexOf', removes: ['external_taint_escape'] },
     // Path sanitization
     { method: 'basename', class: 'path', removes: ['path_traversal'] },
     { method: 'normalize', class: 'path', removes: ['path_traversal'] },