circle-ir 3.80.0 → 3.82.0

package/dist/analysis/passes/info-disclosure-stacktrace-pass.js

@@ -0,0 +1,222 @@
+/**
+ * Pass: info-disclosure-stacktrace (CWE-209, category: security)
+ *
+ * Detects exception stack traces / messages being returned to remote clients
+ * via an HTTP response handler. This leaks framework internals, file paths,
+ * SQL fragments, and class names — useful reconnaissance for an attacker.
+ *
+ * Detection per language:
+ *   Java:
+ *     - `e.printStackTrace(response.getWriter())` / `.printStackTrace(out)`
+ *       where `out` is a response writer.
+ *     - `response.getWriter().write(e.toString())`
+ *     - `response.getWriter().println(e.getMessage())`
+ *     - `new ResponseEntity<>(e.getStackTrace(), …)`
+ *
+ *   Python:
+ *     - `return traceback.format_exc()` from a handler-like function
+ *     - `flask.jsonify(error=traceback.format_exc())`
+ *     - Bare `return str(e)` / `return {"error": str(e)}` in handler
+ *
+ *   JS/TS:
+ *     - `res.send(err.stack)` / `res.json({error: err.stack})`
+ *     - `res.json(err)` (whole error object)
+ *     - `res.status(N).send(err.message + err.stack)` / similar
+ *
+ *   Go:
+ *     - `http.Error(w, err.Error()+debug.Stack(), 500)` — narrow
+ *     - `fmt.Fprintln(w, err)` in an HTTP handler
+ *
+ * Negative guard: if the consumer is a logger (`console.error`,
+ * `logger.error`, `log.Error`), do NOT fire — logging stack traces
+ * server-side is not a leak.
+ */
+/** Receiver names that almost always indicate an HTTP response handle. */
+const RESPONSE_RECEIVER_RE = /^(res|response|w|writer|ctx|c)$/i;
+/** Logger receivers (negative guard). */
+const LOGGER_RECEIVER_RE = /^(log|logger|slog|console|pino|winston|sentry)$/i;
+/** Method names on a response that send data to the client. */
+const RESPONSE_SEND_METHODS = new Set([
+    'send', 'json', 'write', 'writeHead', 'end', 'sendFile',
+    'println', 'print', 'getWriter',
+    'Fprintln', 'Fprintf', 'Fprint',
+]);
+/** Expression heuristics for "this is an exception value". */
+function isExceptionExpression(expr) {
+    if (!expr)
+        return false;
+    const e = expr.trim();
+    // err.stack | err.message | e.toString() | e.getMessage() | e.getStackTrace()
+    // exc.format_exc() | traceback.format_exc() | str(e)
+    return (/\b(err|error|exc|exception|e|t|throwable)\.(stack|message|toString\(|getMessage\(|getStackTrace\(|getLocalizedMessage\(|getCause\()/i.test(e) ||
+        /\btraceback\.(format_exc|format_exception|print_exc)\b/i.test(e) ||
+        /\bdebug\.Stack\(\)/.test(e) ||
+        /\bstr\(\s*(err|error|exc|exception|e)\s*\)/i.test(e) ||
+        /\bString\(\s*(err|error|exc|exception|e)\s*\)/i.test(e));
+}
+/** True if an argument carries an exception-like value. */
+function argIsException(arg) {
+    if (!arg)
+        return false;
+    if (arg.variable && /^(err|error|exc|exception|e|t|throwable)$/i.test(arg.variable)) {
+        return true;
+    }
+    return isExceptionExpression(arg.expression);
+}
+/** Detect Java: e.printStackTrace(out) where out is a response writer. */
+function detectJavaPrintStackTrace(call) {
+    if (call.method_name !== 'printStackTrace')
+        return null;
+    // Receiver should look like an exception variable name.
+    const rec = call.receiver ?? '';
+    if (!/^(e|ex|exc|exception|err|error|t|throwable)$/i.test(rec))
+        return null;
+    // Arg 0 should be a response writer expression.
+    const arg0 = call.arguments.find((a) => a.position === 0);
+    if (!arg0)
+        return null;
+    const expr = (arg0.expression ?? arg0.variable ?? '').trim();
+    if (/\bresponse\.getWriter\(\)/.test(expr) ||
+        /\bresp\.getWriter\(\)/.test(expr) ||
+        /\bout\b/.test(expr) || // common name; conservative
+        /\bgetWriter\(\)/.test(expr)) {
+        return 'e.printStackTrace(response.getWriter())';
+    }
+    return null;
+}
+/** Detect calls of the shape `response.send(err.stack)` / `.json(err)`. */
+function detectResponseLeakCall(call) {
+    const method = call.method_name ?? '';
+    const receiver = call.receiver ?? '';
+    if (!RESPONSE_SEND_METHODS.has(method))
+        return null;
+    if (LOGGER_RECEIVER_RE.test(receiver))
+        return null;
+    // Accept either a bare known receiver name, or one whose tail is a known name
+    // (e.g. `ctx.response`, `event.res`, `response.status(500)` chained returns).
+    const recTail = receiver.split('.').pop() ?? receiver;
+    const recHead = receiver.split('.')[0] ?? receiver;
+    if (!RESPONSE_RECEIVER_RE.test(recTail) && !RESPONSE_RECEIVER_RE.test(recHead)) {
+        // Allow chained: res.status(500).send(...) — receiver text often contains
+        // `.status(` substring.
+        if (!/(?:^|[.\s])(res|response)\.(?:status|set|header|cookie)\b/i.test(receiver)) {
+            return null;
+        }
+    }
+    // Any argument contains an exception expression?
+    for (const a of call.arguments) {
+        if (argIsException(a)) {
+            return `${receiver || ''}${receiver ? '.' : ''}${method}(${(a.expression ?? a.variable ?? '').trim()})`;
+        }
+    }
+    return null;
+}
+/** Detect Python: `return traceback.format_exc()` inside any function. */
+function detectPythonTracebackReturn(ctx) {
+    const out = [];
+    const lines = ctx.code.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const ln = lines[i] ?? '';
+        if (/\breturn\s+traceback\.format_exc\s*\(\s*\)/.test(ln) ||
+            /\breturn\s+\{[^}]*traceback\.format_exc\s*\(\s*\)[^}]*\}/.test(ln) ||
+            /\bjsonify\s*\([^)]*traceback\.format_exc\s*\(\s*\)/.test(ln)) {
+            out.push({ line: i + 1, api: 'return traceback.format_exc()' });
+            continue;
+        }
+        // `return str(e)` in a handler context — conservative: require the
+        // surrounding 5-line window to contain a Flask/FastAPI/Django marker.
+        if (/\breturn\s+(?:str|repr)\s*\(\s*(?:e|err|error|exc|exception)\s*\)/.test(ln)) {
+            const start = Math.max(0, i - 8);
+            const end = Math.min(lines.length, i + 2);
+            const window = lines.slice(start, end).join('\n');
+            if (/@(?:app|router|blueprint)\.(?:route|get|post|put|delete|patch)\b/.test(window)) {
+                out.push({ line: i + 1, api: 'return str(e) in handler' });
+            }
+        }
+    }
+    return out;
+}
+export class InfoDisclosureStacktracePass {
+    name = 'info-disclosure-stacktrace';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        if (language === 'python') {
+            for (const f of detectPythonTracebackReturn(ctx)) {
+                findings.push({ line: f.line, api: f.api, language });
+                ctx.addFinding(this.makeFinding(file, f.line, f.api));
+            }
+        }
+        for (const call of graph.ir.calls) {
+            let api = null;
+            if (language === 'java') {
+                api = detectJavaPrintStackTrace(call);
+                if (!api)
+                    api = detectResponseLeakCall(call);
+            }
+            else if (language === 'javascript' || language === 'typescript') {
+                api = detectResponseLeakCall(call);
+            }
+            else if (language === 'go') {
+                // http.Error(w, err.Error()+debug.Stack(), 500)
+                // fmt.Fprintln(w, err)
+                const method = call.method_name ?? '';
+                const rec = call.receiver ?? '';
+                if (rec === 'http' && method === 'Error') {
+                    const arg1 = call.arguments.find((a) => a.position === 1);
+                    if (argIsException(arg1))
+                        api = 'http.Error(w, err.Error())';
+                }
+                else if (rec === 'fmt' && (method === 'Fprintln' || method === 'Fprintf' || method === 'Fprint')) {
+                    const arg0 = call.arguments.find((a) => a.position === 0);
+                    if (arg0 && /^(w|writer|resp|response)$/i.test((arg0.variable ?? arg0.expression ?? '').trim())) {
+                        for (const a of call.arguments) {
+                            if (a.position === 0)
+                                continue;
+                            if (argIsException(a)) {
+                                api = `fmt.${method}(w, err)`;
+                                break;
+                            }
+                        }
+                    }
+                }
+                else {
+                    api = detectResponseLeakCall(call);
+                }
+            }
+            else if (language === 'python') {
+                // Handle response leak shape too: e.g. `return jsonify(stack=...)`
+                api = detectResponseLeakCall(call);
+            }
+            if (!api)
+                continue;
+            const line = call.location.line;
+            findings.push({ line, api, language });
+            ctx.addFinding(this.makeFinding(file, line, api));
+        }
+        return { findings };
+    }
+    makeFinding(file, line, api) {
+        return {
+            id: `${this.name}-${file}-${line}`,
+            pass: this.name,
+            category: this.category,
+            rule_id: this.name,
+            cwe: 'CWE-209',
+            severity: 'medium',
+            level: 'warning',
+            message: `Exception detail returned to client via \`${api}\`. ` +
+                'Leaking stack traces / exception messages reveals framework internals, ' +
+                'file paths, and class names — useful reconnaissance for an attacker.',
+            file,
+            line,
+            fix: 'Return a generic error response to the client (e.g. status 500 + a ' +
+                'request id) and log the full exception server-side via your logger ' +
+                '(e.g. `logger.error("…", e)` or `console.error(err)`).',
+            evidence: { api },
+        };
+    }
+}
+//# sourceMappingURL=info-disclosure-stacktrace-pass.js.map

package/dist/analysis/passes/info-disclosure-stacktrace-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"info-disclosure-stacktrace-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/info-disclosure-stacktrace-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AASH,0EAA0E;AAC1E,MAAM,oBAAoB,GAAG,kCAAkC,CAAC;AAEhE,yCAAyC;AACzC,MAAM,kBAAkB,GAAG,kDAAkD,CAAC;AAE9E,+DAA+D;AAC/D,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU;IACvD,SAAS,EAAE,OAAO,EAAE,WAAW;IAC/B,UAAU,EAAE,SAAS,EAAE,QAAQ;CAChC,CAAC,CAAC;AAEH,8DAA8D;AAC9D,SAAS,qBAAqB,CAAC,IAA+B;IAC5D,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IACtB,8EAA8E;IAC9E,qDAAqD;IACrD,OAAO,CACL,sIAAsI,CAAC,IAAI,CAAC,CAAC,CAAC;QAC9I,yDAAyD,CAAC,IAAI,CAAC,CAAC,CAAC;QACjE,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC;QAC5B,6CAA6C,CAAC,IAAI,CAAC,CAAC,CAAC;QACrD,gDAAgD,CAAC,IAAI,CAAC,CAAC,CAAC,CACzD,CAAC;AACJ,CAAC;AAED,2DAA2D;AAC3D,SAAS,cAAc,CAAC,GAA6B;IACnD,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IACvB,IAAI,GAAG,CAAC,QAAQ,IAAI,4CAA4C,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpF,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,qBAAqB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;AAC/C,CAAC;AAED,0EAA0E;AAC1E,SAAS,yBAAyB,CAAC,IAAc;IAC/C,IAAI,IAAI,CAAC,WAAW,KAAK,iBAAiB;QAAE,OAAO,IAAI,CAAC;IACxD,wDAAwD;IACxD,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;IAChC,IAAI,CAAC,+CAA+C,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5E,gDAAgD;IAChD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;IAC1D,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,MAAM,IAAI,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC7D,IACE,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC;QACtC,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC;QAClC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,4BAA4B;QACpD,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAC5B,CAAC;QACD,OAAO,yCAAyC,CAAC;IACnD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,2EAA2E;AAC3E,SAAS,sBAAsB,CAAC,IAAc;IAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;IAErC,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,IAAI,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,8EAA8E;IAC9E,8EAA8E;IAC9E,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;IACtD,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC;IACnD,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/E,0EAA0E;QAC1E,wBAAwB;QACxB,IAAI,CAAC,4DAA4D,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QAC/B,IAAI,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC;YACtB,OAAO,GAAG,QAAQ,IAAI,EAAE,GAAG,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC;QAC1G,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,0EAA0E;AAC1E,SAAS,2BAA2B,CAAC,GAAgB;IACnD,MAAM,GAAG,GAAyC,EAAE,CAAC;IACrD,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC1B,IACE,4CAA4C,CAAC,IAAI,CAAC,EAAE,CAAC;YACrD,0DAA0D,CAAC,IAAI,CAAC,EAAE,CAAC;YACnE,oDAAoD,CAAC,IAAI,CAAC,EAAE,CAAC,EAC7D,CAAC;YACD,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,+BAA+B,EAAE,CAAC,CAAC;YAChE,SAAS;QACX,CAAC;QACD,mEAAmE;QACnE,sEAAsE;QACtE,IAAI,mEAAmE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YACjF,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;YACjC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;YAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClD,IAAI,kEAAkE,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBACpF,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,0BAA0B,EAAE,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,OAAO,4BAA4B;IAC9B,IAAI,GAAG,4BAA4B,CAAC;IACpC,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAA+C,EAAE,CAAC;QAEhE,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,KAAK,MAAM,CAAC,IAAI,2BAA2B,CAAC,GAAG,CAAC,EAAE,CAAC;gBACjD,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC;gBACtD,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,IAAI,GAAG,GAAkB,IAAI,CAAC;YAE9B,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACxB,GAAG,GAAG,yBAAyB,CAAC,IAAI,CAAC,CAAC;gBACtC,IAAI,CAAC,GAAG;oBAAE,GAAG,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;YAC/C,CAAC;iBAAM,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;gBAClE,GAAG,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;YACrC,CAAC;iBAAM,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;gBAC7B,gDAAgD;gBAChD,uBAAuB;gBACvB,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;gBACtC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;gBAChC,IAAI,GAAG,KAAK,MAAM,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;oBACzC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;oBAC1D,IAAI,cAAc,CAAC,IAAI,CAAC;wBAAE,GAAG,GAAG,4BAA4B,CAAC;gBAC/D,CAAC;qBAAM,IAAI,GAAG,KAAK,KAAK,IAAI,CAAC,MAAM,KAAK,UAAU,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,QAAQ,CAAC,EAAE,CAAC;oBACnG,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;oBAC1D,IAAI,IAAI,IAAI,6BAA6B,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;wBAChG,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;4BAC/B,IAAI,CAAC,CAAC,QAAQ,KAAK,CAAC;gCAAE,SAAS;4BAC/B,IAAI,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC;gCAAC,GAAG,GAAG,OAAO,MAAM,UAAU,CAAC;gCAAC,MAAM;4BAAC,CAAC;wBAClE,CAAC;oBACH,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,GAAG,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;gBACrC,CAAC;YACH,CAAC;iBAAM,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACjC,mEAAmE;gBACnE,GAAG,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;YACrC,CAAC;YAED,IAAI,CAAC,GAAG;gBAAE,SAAS;YACnB,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC;YACvC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;QACpD,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,WAAW,CAAC,IAAY,EAAE,IAAY,EAAE,GAAW;QACzD,OAAO;YACL,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;YAClC,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,IAAI;YAClB,GAAG,EAAE,SAAS;YACd,QAAQ,EAAE,QAAiB;YAC3B,KAAK,EAAE,SAAkB;YACzB,OAAO,EACL,6CAA6C,GAAG,MAAM;gBACtD,yEAAyE;gBACzE,sEAAsE;YACxE,IAAI;YACJ,IAAI;YACJ,GAAG,EACD,qEAAqE;gBACrE,qEAAqE;gBACrE,wDAAwD;YAC1D,QAAQ,EAAE,EAAE,GAAG,EAAE;SAClB,CAAC;IACJ,CAAC;CACF"}

package/dist/analysis/passes/plaintext-password-storage-pass.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Pass: plaintext-password-storage (CWE-256, category: security)
+ *
+ * Detects writing a credential-named identifier to a persistent store
+ * (file, KV store, cookie, database) without first passing it through a
+ * cryptographic hash / KDF.
+ *
+ * Detection per language:
+ *   Python:
+ *     - `open(...).write(password)` / `f.write(password)`
+ *     - `pickle.dump(password, ...)` / `json.dump(...)` / `yaml.dump(...)`
+ *     - `redis.set(key, password)`
+ *   JS/TS:
+ *     - `fs.writeFile|writeFileSync|appendFile(path, password)`
+ *     - `localStorage.setItem(key, password)` / `sessionStorage.setItem`
+ *     - `redis.set(key, password)`
+ *   Java:
+ *     - `Files.write|writeString(path, password)`
+ *     - `FileWriter.write(password)`
+ *   Go:
+ *     - `os.WriteFile(name, []byte(password), ...)`
+ *     - `f.WriteString(password)` / `f.Write([]byte(password))`
+ *
+ * Heuristic for "not hashed": intraprocedural — walk all calls earlier
+ * in the same `in_method` scope; if any of them is a known hash/KDF
+ * (see _credential-helpers `isHashFunctionCall`) and consumes the
+ * credential identifier, suppress.
+ *
+ * This is intentionally lightweight (no full DFG); FP risk skewed toward
+ * recall loss for cross-function hashing (controller → service.hash →
+ * repo.store), which is acceptable for v1.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface PlaintextPasswordStorageResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        api: string;
+        identifier: string;
+    }>;
+}
+export declare class PlaintextPasswordStoragePass implements AnalysisPass<PlaintextPasswordStorageResult> {
+    readonly name = "plaintext-password-storage";
+    readonly category: "security";
+    run(ctx: PassContext): PlaintextPasswordStorageResult;
+}
+//# sourceMappingURL=plaintext-password-storage-pass.d.ts.map

package/dist/analysis/passes/plaintext-password-storage-pass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plaintext-password-storage-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/plaintext-password-storage-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAc9E,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,GAAG,EAAE,MAAM,CAAC;QACZ,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC,CAAC;CACJ;AAsED,qBAAa,4BACX,YAAW,YAAY,CAAC,8BAA8B,CAAC;IAEvD,QAAQ,CAAC,IAAI,gCAAgC;IAC7C,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,8BAA8B;CAkEtD"}

package/dist/analysis/passes/plaintext-password-storage-pass.js

@@ -0,0 +1,159 @@
+/**
+ * Pass: plaintext-password-storage (CWE-256, category: security)
+ *
+ * Detects writing a credential-named identifier to a persistent store
+ * (file, KV store, cookie, database) without first passing it through a
+ * cryptographic hash / KDF.
+ *
+ * Detection per language:
+ *   Python:
+ *     - `open(...).write(password)` / `f.write(password)`
+ *     - `pickle.dump(password, ...)` / `json.dump(...)` / `yaml.dump(...)`
+ *     - `redis.set(key, password)`
+ *   JS/TS:
+ *     - `fs.writeFile|writeFileSync|appendFile(path, password)`
+ *     - `localStorage.setItem(key, password)` / `sessionStorage.setItem`
+ *     - `redis.set(key, password)`
+ *   Java:
+ *     - `Files.write|writeString(path, password)`
+ *     - `FileWriter.write(password)`
+ *   Go:
+ *     - `os.WriteFile(name, []byte(password), ...)`
+ *     - `f.WriteString(password)` / `f.Write([]byte(password))`
+ *
+ * Heuristic for "not hashed": intraprocedural — walk all calls earlier
+ * in the same `in_method` scope; if any of them is a known hash/KDF
+ * (see _credential-helpers `isHashFunctionCall`) and consumes the
+ * credential identifier, suppress.
+ *
+ * This is intentionally lightweight (no full DFG); FP risk skewed toward
+ * recall loss for cross-function hashing (controller → service.hash →
+ * repo.store), which is acceptable for v1.
+ */
+import { argLooksLikeCredential, priorHashOf, } from './_credential-helpers.js';
+function isWriteStorageCall(call, language) {
+    const method = call.method_name ?? '';
+    const receiver = call.receiver ?? '';
+    const recvLower = receiver.toLowerCase();
+    if (language === 'python') {
+        // open(...).write(pw) — receiver is a file handle; we approximate by
+        // method name `write` and check arg credential below.
+        if (method === 'write' || method === 'writelines') {
+            return { credPos: 0, api: `<file>.${method}` };
+        }
+        if ((recvLower === 'pickle' || recvLower === 'json' || recvLower === 'yaml') &&
+            (method === 'dump' || method === 'dumps')) {
+            return { credPos: 0, api: `${receiver}.${method}` };
+        }
+        if (recvLower === 'redis' && (method === 'set' || method === 'setex' || method === 'hset')) {
+            return { credPos: 1, api: `redis.${method}` };
+        }
+    }
+    if (language === 'javascript' || language === 'typescript') {
+        if ((recvLower === 'fs' || recvLower.endsWith('.fs')) &&
+            (method === 'writeFile' || method === 'writeFileSync' ||
+                method === 'appendFile' || method === 'appendFileSync')) {
+            return { credPos: 1, api: `fs.${method}` };
+        }
+        if ((recvLower === 'localstorage' || recvLower === 'sessionstorage') &&
+            method === 'setItem') {
+            return { credPos: 1, api: `${receiver}.setItem` };
+        }
+        if (recvLower === 'redis' && (method === 'set' || method === 'setex' || method === 'hset')) {
+            return { credPos: 1, api: `redis.${method}` };
+        }
+    }
+    if (language === 'java') {
+        if ((receiver === 'Files' || receiver.endsWith('.Files')) &&
+            (method === 'write' || method === 'writeString')) {
+            return { credPos: 1, api: `Files.${method}` };
+        }
+        // FileWriter.write(pw) — instance call, single arg.
+        if (method === 'write') {
+            // Heuristic: receiver name contains "writer" / "file" / "stream".
+            const lc = (receiver ?? '').toLowerCase();
+            if (lc.includes('writer') || lc.includes('file') || lc.includes('stream')) {
+                return { credPos: 0, api: `${receiver}.write` };
+            }
+        }
+    }
+    if (language === 'go') {
+        if (receiver === 'os' || receiver.endsWith('/os')) {
+            if (method === 'WriteFile')
+                return { credPos: 1, api: 'os.WriteFile' };
+        }
+        if (receiver === 'ioutil' || receiver.endsWith('/ioutil')) {
+            if (method === 'WriteFile')
+                return { credPos: 1, api: 'ioutil.WriteFile' };
+        }
+        if (method === 'WriteString' || method === 'Write') {
+            return { credPos: 0, api: `<file>.${method}` };
+        }
+    }
+    return null;
+}
+export class PlaintextPasswordStoragePass {
+    name = 'plaintext-password-storage';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        // Group calls by in_method for cheap prior-hash lookup.
+        const callsByScope = new Map();
+        for (const call of graph.ir.calls) {
+            const scope = call.in_method ?? '<top>';
+            const arr = callsByScope.get(scope) ?? [];
+            arr.push(call);
+            callsByScope.set(scope, arr);
+        }
+        for (const call of graph.ir.calls) {
+            const spec = isWriteStorageCall(call, language);
+            if (!spec)
+                continue;
+            const credArg = call.arguments.find((a) => a.position === spec.credPos);
+            if (!credArg)
+                continue;
+            if (!argLooksLikeCredential(credArg))
+                continue;
+            // Resolve the credential identifier name.
+            const identExpr = (credArg.expression ?? '').trim();
+            const head = identExpr.split(/[.\s(]/, 1)[0] ?? '';
+            const identifier = credArg.variable ?? head;
+            if (!identifier)
+                continue;
+            // Suppress if the identifier was hashed earlier in the same scope.
+            const scope = call.in_method ?? '<top>';
+            const scopeCalls = callsByScope.get(scope) ?? [];
+            const prior = scopeCalls.filter((c) => c.location.line < call.location.line);
+            if (priorHashOf(identifier, prior))
+                continue;
+            // Suppress if the credArg expression itself contains a hash call
+            // inline: `f.write(bcrypt.hashpw(pw))`.
+            if (/\b(?:hashpw|hash|sha\d+|md5|bcrypt|argon2|pbkdf2|digest)\b/i
+                .test(credArg.expression ?? '')) {
+                continue;
+            }
+            const line = call.location.line;
+            findings.push({ line, language, api: spec.api, identifier });
+            ctx.addFinding({
+                id: `${this.name}-${file}-${line}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-256',
+                severity: 'high',
+                level: 'warning',
+                message: `Credential \`${identifier}\` written in plaintext via \`${spec.api}\`. ` +
+                    'Passwords / secrets must be hashed (Argon2id, bcrypt) before storage.',
+                file,
+                line,
+                fix: 'Hash the credential with Argon2id / bcrypt before writing it to ' +
+                    'disk, cookie, KV store, or database.',
+                evidence: { identifier, api: spec.api, language },
+            });
+        }
+        return { findings };
+    }
+}
+//# sourceMappingURL=plaintext-password-storage-pass.js.map

package/dist/analysis/passes/plaintext-password-storage-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plaintext-password-storage-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/plaintext-password-storage-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAIH,OAAO,EACL,sBAAsB,EACtB,WAAW,GACZ,MAAM,0BAA0B,CAAC;AAkBlC,SAAS,kBAAkB,CACzB,IAAc,EACd,QAAgB;IAEhB,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAEzC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,qEAAqE;QACrE,sDAAsD;QACtD,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAClD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,UAAU,MAAM,EAAE,EAAE,CAAC;QACjD,CAAC;QACD,IAAI,CAAC,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,MAAM,IAAI,SAAS,KAAK,MAAM,CAAC;YACxE,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,OAAO,CAAC,EAAE,CAAC;YAC9C,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,QAAQ,IAAI,MAAM,EAAE,EAAE,CAAC;QACtD,CAAC;QACD,IAAI,SAAS,KAAK,OAAO,IAAI,CAAC,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,MAAM,CAAC,EAAE,CAAC;YAC3F,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,SAAS,MAAM,EAAE,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC3D,IAAI,CAAC,SAAS,KAAK,IAAI,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YACjD,CAAC,MAAM,KAAK,WAAW,IAAI,MAAM,KAAK,eAAe;gBACpD,MAAM,KAAK,YAAY,IAAI,MAAM,KAAK,gBAAgB,CAAC,EAAE,CAAC;YAC7D,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,MAAM,MAAM,EAAE,EAAE,CAAC;QAC7C,CAAC;QACD,IAAI,CAAC,SAAS,KAAK,cAAc,IAAI,SAAS,KAAK,gBAAgB,CAAC;YAChE,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,QAAQ,UAAU,EAAE,CAAC;QACpD,CAAC;QACD,IAAI,SAAS,KAAK,OAAO,IAAI,CAAC,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,MAAM,CAAC,EAAE,CAAC;YAC3F,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,SAAS,MAAM,EAAE,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,IAAI,CAAC,QAAQ,KAAK,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACrD,CAAC,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,aAAa,CAAC,EAAE,CAAC;YACrD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,SAAS,MAAM,EAAE,EAAE,CAAC;QAChD,CAAC;QACD,oDAAoD;QACpD,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACvB,kEAAkE;YAClE,MAAM,EAAE,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YAC1C,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC1E,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,QAAQ,QAAQ,EAAE,CAAC;YAClD,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,IAAI,QAAQ,KAAK,IAAI,IAAI,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAClD,IAAI,MAAM,KAAK,WAAW;gBAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,cAAc,EAAE,CAAC;QACzE,CAAC;QACD,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAC1D,IAAI,MAAM,KAAK,WAAW;gBAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,CAAC;QAC7E,CAAC;QACD,IAAI,MAAM,KAAK,aAAa,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACnD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,UAAU,MAAM,EAAE,EAAE,CAAC;QACjD,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,OAAO,4BAA4B;IAG9B,IAAI,GAAG,4BAA4B,CAAC;IACpC,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAA+C,EAAE,CAAC;QAEhE,wDAAwD;QACxD,MAAM,YAAY,GAAG,IAAI,GAAG,EAAsB,CAAC;QACnD,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC;YACxC,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YAC1C,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACf,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC/B,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,SAAS;YAEpB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,IAAI,CAAC,OAAO,CAAC,CAAC;YACxE,IAAI,CAAC,OAAO;gBAAE,SAAS;YACvB,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC;gBAAE,SAAS;YAE/C,0CAA0C;YAC1C,MAAM,SAAS,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACpD,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACnD,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC;YAC5C,IAAI,CAAC,UAAU;gBAAE,SAAS;YAE1B,mEAAmE;YACnE,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC;YACxC,MAAM,UAAU,GAAG,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YACjD,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC7E,IAAI,WAAW,CAAC,UAAU,EAAE,KAAK,CAAC;gBAAE,SAAS;YAE7C,iEAAiE;YACjE,wCAAwC;YACxC,IAAI,6DAA6D;iBAC1D,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;gBACtC,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC;YAE7D,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;gBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,gBAAgB,UAAU,iCAAiC,IAAI,CAAC,GAAG,MAAM;oBACzE,uEAAuE;gBACzE,IAAI;gBACJ,IAAI;gBACJ,GAAG,EACD,kEAAkE;oBAClE,sCAAsC;gBACxC,QAAQ,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE;aAClD,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;CACF"}

package/dist/analysis/passes/unrestricted-file-upload-pass.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Pass: unrestricted-file-upload (CWE-434, category: security)
+ *
+ * Detects when an HTTP-uploaded file is saved to disk WITHOUT a filename
+ * allow-list (extension check) or `secure_filename` normalization.
+ *
+ * Detection (per language):
+ *
+ *   Java (Spring MultipartFile / Servlet Part):
+ *     - `file.transferTo(new File(dir, file.getOriginalFilename()))`
+ *     - `Files.copy(part.getInputStream(), Path.of(dir, part.getSubmittedFileName()))`
+ *     - Without preceding `ALLOWED_*.contains(ext)` or
+ *       `FilenameUtils.getExtension(name)` + check.
+ *
+ *   JS/TS (multer / express-fileupload):
+ *     - `multer({ dest: '…' })` with NO `fileFilter` option.
+ *     - `fs.writeFile(path, req.file.buffer)` / `req.files.x.mv(path)`
+ *       without prior `path.extname` allow-list check.
+ *
+ *   Python (Flask / Django / FastAPI):
+ *     - `f.save(os.path.join(UPLOAD_DIR, f.filename))` without prior
+ *       `secure_filename(f.filename)` wrapping.
+ *
+ *   Go:
+ *     - `io.Copy(dst, file)` where `dst = os.Create(fileHeader.Filename)`
+ *       without an extension allow-list.
+ *
+ * The pass is intentionally conservative — it only fires when an upload-name
+ * expression flows directly into a save sink in the same function and no
+ * known allow-list / canonicalizer call appears earlier in the function.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface UnrestrictedFileUploadResult {
+    findings: Array<{
+        line: number;
+        api: string;
+        language: string;
+    }>;
+}
+export declare class UnrestrictedFileUploadPass implements AnalysisPass<UnrestrictedFileUploadResult> {
+    readonly name = "unrestricted-file-upload";
+    readonly category: "security";
+    run(ctx: PassContext): UnrestrictedFileUploadResult;
+    private emit;
+}
+//# sourceMappingURL=unrestricted-file-upload-pass.d.ts.map

package/dist/analysis/passes/unrestricted-file-upload-pass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unrestricted-file-upload-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/unrestricted-file-upload-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAG9E,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAClE;AA2BD,qBAAa,0BAA2B,YAAW,YAAY,CAAC,4BAA4B,CAAC;IAC3F,QAAQ,CAAC,IAAI,8BAA8B;IAC3C,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,4BAA4B;IAyHnD,OAAO,CAAC,IAAI;CAgCb"}