circle-ir 3.80.0 → 3.82.0

package/dist/browser/circle-ir.js

@@ -11377,7 +11377,12 @@ var DEFAULT_SINKS = [
   // Class-less XSS patterns for cases where receiver type is inferred
   { method: "println", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "print", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
-  { method: "write", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
+  // NOTE: the unscoped { method: 'write', type: 'xss' } entry was removed in
+  // Sprint 28 (#110). It mistyped every non-XSS .write() across all languages
+  // (fs.writeFile, open().write, bcrypt callbacks, credential file writes,
+  // node ClientRequest.write, etc.) as xss. Real HTML writers are covered
+  // by class-scoped entries: PrintWriter.write (line 843), ServletOutputStream.write
+  // (line 849), JspWriter.write (xss.yaml), Response.write (nodejs.json).
   { method: "append", class: "StringBuilder", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "append", class: "StringBuffer", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   // Wiki/CMS XSS sinks (JSPWiki, Confluence, etc.)
@@ -12574,9 +12579,26 @@ var DEFAULT_SANITIZERS = [
   // JSON.parse (data is validated against JSON grammar, prevents XSS/code injection)
   { method: "parse", class: "JSON", removes: ["xss", "code_injection"] },
   // Type coercion (removes string-based injections)
-  { method: "parseInt", removes: ["sql_injection", "nosql_injection", "command_injection", "xss"] },
-  { method: "parseFloat", removes: ["sql_injection", "nosql_injection", "command_injection"] },
-  { method: "Number", removes: ["sql_injection", "nosql_injection", "command_injection"] },
+  // Sprint 29 (#113): include external_taint_escape — a numeric cast cannot
+  // carry an unvalidated string payload across a function boundary.
+  { method: "parseInt", removes: ["sql_injection", "nosql_injection", "command_injection", "xss", "external_taint_escape", "path_traversal", "code_injection"] },
+  { method: "parseFloat", removes: ["sql_injection", "nosql_injection", "command_injection", "external_taint_escape", "path_traversal", "code_injection"] },
+  { method: "Number", removes: ["sql_injection", "nosql_injection", "command_injection", "external_taint_escape", "path_traversal", "code_injection"] },
+  // Sprint 29 (#113): bounds-clamp Math.min / Math.max — when used to bound
+  // a numeric/size value (e.g. `Math.min(size, MAX_BYTES)`), the result is
+  // safely bounded and cannot resource-exhaust downstream. Only suppress
+  // external_taint_escape — these helpers do NOT sanitize string injection.
+  { method: "min", class: "Math", removes: ["external_taint_escape"] },
+  { method: "max", class: "Math", removes: ["external_taint_escape"] },
+  // Sprint 29 (#113): allow-list / membership guards — when an external value
+  // is tested against an allow-list (`ALLOWED.includes(x)`, `set.has(x)`,
+  // `list.contains(x)`) before being forwarded, it cannot escape unbounded.
+  // Only suppress `external_taint_escape`; real string-injection sinks should
+  // still rely on their own escaping.
+  { method: "includes", removes: ["external_taint_escape"] },
+  { method: "has", removes: ["external_taint_escape"] },
+  { method: "contains", removes: ["external_taint_escape"] },
+  { method: "indexOf", removes: ["external_taint_escape"] },
   // Path sanitization
   { method: "basename", class: "path", removes: ["path_traversal"] },
   { method: "normalize", class: "path", removes: ["path_traversal"] },
@@ -29981,6 +30003,886 @@ var WeakRandomPass = class {
   }
 };
 
+// src/analysis/passes/_credential-helpers.ts
+var CRED_KEYWORD_RE2 = /(?:password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key|credential)/i;
+function isCredentialIdentifier(name2) {
+  if (!name2) return false;
+  if (name2.length < 3) return false;
+  return CRED_KEYWORD_RE2.test(name2);
+}
+function argLooksLikeCredential(arg) {
+  if (!arg) return false;
+  if (arg.variable && isCredentialIdentifier(arg.variable)) return true;
+  const expr = (arg.expression ?? "").trim();
+  if (!expr) return false;
+  const head = expr.split(/[.\s(]/, 1)[0] ?? "";
+  return isCredentialIdentifier(head);
+}
+function stripQuotes6(s) {
+  const t = s.trim();
+  if (t.startsWith('"') && t.endsWith('"') || t.startsWith("'") && t.endsWith("'") || t.startsWith("`") && t.endsWith("`")) {
+    return t.slice(1, -1);
+  }
+  return t;
+}
+function literalAt(call, position) {
+  const arg = call.arguments.find((a) => a.position === position);
+  if (!arg) return null;
+  const raw = arg.literal ?? arg.expression ?? "";
+  const trimmed = raw.trim();
+  if (trimmed.startsWith('"') || trimmed.startsWith("'") || trimmed.startsWith("`")) {
+    return stripQuotes6(trimmed);
+  }
+  if (arg.literal) return stripQuotes6(arg.literal);
+  return null;
+}
+function isHashFunctionCall(call) {
+  const method = call.method_name ?? "";
+  const receiver = call.receiver ?? "";
+  const recvLower = receiver.toLowerCase();
+  if (recvLower === "bcrypt" || recvLower.endsWith(".bcrypt")) {
+    return method === "hashpw" || method === "hash" || method === "hashSync" || method === "GenerateFromPassword" || method === "generate_password_hash";
+  }
+  if (recvLower === "argon2" || recvLower.endsWith(".argon2")) {
+    return method === "hash" || method === "Hash" || method === "PasswordHash";
+  }
+  if (recvLower === "hashlib") return true;
+  if (recvLower === "passlib" || recvLower.includes("passlib.hash")) return true;
+  if (method === "PBKDF2HMAC" || method === "derive") return true;
+  if (recvLower === "crypto") {
+    return method === "createHash" || method === "createHmac" || method === "pbkdf2" || method === "pbkdf2Sync" || method === "scrypt" || method === "scryptSync";
+  }
+  if (receiver === "MessageDigest" || receiver.endsWith(".MessageDigest")) {
+    return method === "getInstance" || method === "update" || method === "digest";
+  }
+  if (receiver === "DigestUtils" || receiver.endsWith(".DigestUtils")) {
+    return true;
+  }
+  if (receiver === "SecretKeyFactory" || receiver.endsWith(".SecretKeyFactory")) {
+    return method === "getInstance" || method === "generateSecret";
+  }
+  if (method === "PBEKeySpec") return true;
+  if (receiver === "md5" || receiver === "sha1" || receiver === "sha256" || receiver === "sha512" || receiver === "sha3" || receiver.endsWith("/md5") || receiver.endsWith("/sha1") || receiver.endsWith("/sha256") || receiver.endsWith("/sha512")) {
+    return method === "New" || method === "Sum" || method === "New224" || method === "New384";
+  }
+  const m = method.toLowerCase();
+  if (m === "hash" || m === "hashpw" || m === "hashsync" || m === "pbkdf2" || m === "pbkdf2sync" || m === "scrypt" || m === "scryptsync") return true;
+  return false;
+}
+function priorHashOf(varName, priorCalls) {
+  for (const c of priorCalls) {
+    if (!isHashFunctionCall(c)) continue;
+    for (const a of c.arguments) {
+      if (a.variable === varName) return true;
+      const head = (a.expression ?? "").trim().split(/[.\s(]/, 1)[0];
+      if (head === varName) return true;
+    }
+  }
+  return false;
+}
+
+// src/analysis/passes/weak-password-hash-pass.ts
+var FAST_HASH_NAMES = /* @__PURE__ */ new Set([
+  "sha224",
+  "sha-224",
+  "sha256",
+  "sha-256",
+  "sha384",
+  "sha-384",
+  "sha512",
+  "sha-512",
+  "sha3",
+  "sha-3",
+  "sha3-256",
+  "sha3-512"
+  // MD/SHA1 are covered by weak-hash; not duplicating here.
+]);
+var BCRYPT_MIN_COST = 10;
+var PBKDF2_MIN_ITERATIONS = 1e5;
+function intLiteral(s) {
+  if (s == null) return null;
+  const t = s.trim();
+  if (!/^-?\d+$/.test(t)) return null;
+  const n = parseInt(t, 10);
+  return Number.isFinite(n) ? n : null;
+}
+function pyKwargInt(call, name2) {
+  for (const a of call.arguments) {
+    const expr = (a.expression ?? "").trim();
+    const m = expr.match(new RegExp(`^${name2}\\s*=\\s*(-?\\d+)$`));
+    if (m) return parseInt(m[1], 10);
+  }
+  return null;
+}
+var WeakPasswordHashPass = class {
+  name = "weak-password-hash";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detection = this.detect(call, language);
+      if (!detection) continue;
+      const { kind, api } = detection;
+      const line = call.location.line;
+      findings.push({ line, language, kind, api });
+      const message = kind === "fast-unsalted-hash" ? `Fast/unsalted hash \`${api}\` applied to a password. General-purpose hashes (SHA-256/512) are unsuitable for password storage.` : kind === "low-bcrypt-cost" ? `bcrypt called with insufficient cost factor (< ${BCRYPT_MIN_COST}).` : `PBKDF2 called with insufficient iteration count (< ${PBKDF2_MIN_ITERATIONS}).`;
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-916",
+        severity: "high",
+        level: "warning",
+        message,
+        file,
+        line,
+        fix: "Use a memory-hard password-hashing function with appropriate cost: Argon2id (recommended), bcrypt (cost \u2265 12), scrypt, or PBKDF2 with \u2265 600k iterations.",
+        evidence: { kind, api, language }
+      });
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name ?? "";
+    const receiver = call.receiver ?? "";
+    const recvLower = receiver.toLowerCase();
+    if (recvLower === "bcrypt" || recvLower.endsWith(".bcrypt")) {
+      if (method === "gensalt") {
+        const rounds = pyKwargInt(call, "rounds");
+        if (rounds !== null && rounds < BCRYPT_MIN_COST) {
+          return { kind: "low-bcrypt-cost", api: "bcrypt.gensalt" };
+        }
+      }
+      if (method === "hash" || method === "hashSync") {
+        const cost = intLiteral(literalAt(call, 1));
+        if (cost !== null && cost < BCRYPT_MIN_COST) {
+          return { kind: "low-bcrypt-cost", api: `bcrypt.${method}` };
+        }
+      }
+      if (method === "GenerateFromPassword") {
+        const arg1 = call.arguments.find((a) => a.position === 1);
+        const expr = (arg1?.expression ?? "").trim();
+        const n = intLiteral(expr);
+        if (n !== null && n < BCRYPT_MIN_COST) {
+          return { kind: "low-bcrypt-cost", api: "bcrypt.GenerateFromPassword" };
+        }
+        if (expr === "bcrypt.MinCost") {
+          return { kind: "low-bcrypt-cost", api: "bcrypt.GenerateFromPassword" };
+        }
+      }
+    }
+    if (method === "PBKDF2HMAC") {
+      const iters = pyKwargInt(call, "iterations");
+      if (iters !== null && iters < PBKDF2_MIN_ITERATIONS) {
+        return { kind: "low-pbkdf2-iterations", api: "PBKDF2HMAC" };
+      }
+    }
+    if ((method === "pbkdf2" || method === "pbkdf2Sync") && (recvLower === "crypto" || recvLower.endsWith(".crypto"))) {
+      const iters = intLiteral(literalAt(call, 2));
+      if (iters !== null && iters < PBKDF2_MIN_ITERATIONS) {
+        return { kind: "low-pbkdf2-iterations", api: `crypto.${method}` };
+      }
+    }
+    if (method === "PBEKeySpec" && language === "java") {
+      const iters = intLiteral(literalAt(call, 2));
+      if (iters !== null && iters < PBKDF2_MIN_ITERATIONS) {
+        return { kind: "low-pbkdf2-iterations", api: "PBEKeySpec" };
+      }
+    }
+    if (language === "python" && (recvLower === "hashlib" || recvLower.endsWith(".hashlib"))) {
+      if (FAST_HASH_NAMES.has(method.toLowerCase())) {
+        if (argLooksLikeCredential(call.arguments.find((a) => a.position === 0))) {
+          return { kind: "fast-unsalted-hash", api: `hashlib.${method}` };
+        }
+      }
+      if (method === "new") {
+        const algo = literalAt(call, 0)?.toLowerCase() ?? "";
+        if (FAST_HASH_NAMES.has(algo) && argLooksLikeCredential(call.arguments.find((a) => a.position === 1))) {
+          return { kind: "fast-unsalted-hash", api: `hashlib.new(${algo})` };
+        }
+      }
+    }
+    if ((language === "javascript" || language === "typescript") && method === "update") {
+      const recvExpr = (receiver ?? "").toLowerCase();
+      const hashLike = recvExpr.includes("hash") || recvExpr.includes("createhash") || recvExpr.includes("sha") || recvExpr.includes("md");
+      if (hashLike && argLooksLikeCredential(call.arguments.find((a) => a.position === 0))) {
+        return { kind: "fast-unsalted-hash", api: "crypto.createHash().update" };
+      }
+    }
+    if (language === "java" && method === "update") {
+      const recvName = (receiver ?? "").toLowerCase();
+      const looksLikeDigest = recvName.includes("digest") || recvName.includes("md") || recvName.includes("hash");
+      if (looksLikeDigest && argLooksLikeCredential(call.arguments.find((a) => a.position === 0))) {
+        return { kind: "fast-unsalted-hash", api: "MessageDigest.update" };
+      }
+    }
+    if (language === "go") {
+      const isFastPkg = receiver === "sha256" || receiver === "sha512" || receiver === "sha3" || receiver === "sha224";
+      if (isFastPkg && (method === "Sum256" || method === "Sum512" || method === "Sum224" || method === "Sum384" || method === "Sum")) {
+        const expr = (call.arguments.find((a) => a.position === 0)?.expression ?? "").trim();
+        const inner = expr.replace(/^\[\]byte\s*\(\s*/, "").replace(/\s*\)\s*$/, "");
+        if (argLooksLikeCredential({ position: 0, expression: inner, variable: inner })) {
+          return { kind: "fast-unsalted-hash", api: `${receiver}.${method}` };
+        }
+      }
+    }
+    return null;
+  }
+};
+
+// src/analysis/passes/weak-password-encoding-pass.ts
+function isBasicAuthContext(call, code) {
+  const line = call.location.line;
+  if (line < 1) return false;
+  const lines = code.split("\n");
+  const start2 = Math.max(0, line - 2);
+  const end = Math.min(lines.length, line + 1);
+  const window2 = lines.slice(start2, end).join("\n");
+  return /["'`]Basic\s/i.test(window2);
+}
+var WeakPasswordEncodingPass = class {
+  name = "weak-password-encoding";
+  category = "security";
+  run(ctx) {
+    const { graph, language, code } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const api = this.detect(call, language);
+      if (!api) continue;
+      if (isBasicAuthContext(call, code)) continue;
+      const line = call.location.line;
+      findings.push({ line, language, api });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-261",
+        severity: "medium",
+        level: "warning",
+        message: `Credential encoded via \`${api}\` \u2014 encoding is NOT encryption. Base64/hex provide no confidentiality; anyone with the encoded value can decode it.`,
+        file,
+        line,
+        fix: "For storage, use a password hash (Argon2id / bcrypt). For transport, use TLS. For symmetric secrecy, use authenticated encryption (AES-GCM).",
+        evidence: { api, language }
+      });
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name ?? "";
+    const receiver = call.receiver ?? "";
+    const recvLower = receiver.toLowerCase();
+    const arg0 = call.arguments.find((a) => a.position === 0);
+    if (language === "python") {
+      if (recvLower === "base64" && (method === "b64encode" || method === "urlsafe_b64encode" || method === "standard_b64encode")) {
+        if (argLooksLikeCredential(arg0)) return `base64.${method}`;
+      }
+      if (recvLower === "binascii" && method === "hexlify") {
+        if (argLooksLikeCredential(arg0)) return "binascii.hexlify";
+      }
+    }
+    if (language === "javascript" || language === "typescript") {
+      if (method === "toString") {
+        const encoding = literalAt(call, 0);
+        if (encoding === "base64" || encoding === "hex" || encoding === "base64url") {
+          const recv = (receiver ?? "").toLowerCase();
+          if (recv.includes("buffer.from") && /(?:password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key|credential)/i.test(receiver ?? "")) {
+            return `Buffer.from().toString('${encoding}')`;
+          }
+        }
+      }
+      if (method === "btoa" && receiver === "") {
+        if (argLooksLikeCredential(arg0)) return "btoa";
+      }
+    }
+    if (language === "java") {
+      if (method === "encodeToString") {
+        const recv = (receiver ?? "").toLowerCase();
+        if (recv.includes("encoder") || recv.includes("base64")) {
+          const expr = (arg0?.expression ?? "").trim();
+          const head = expr.split(/[.\s(]/, 1)[0] ?? "";
+          if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+            return "Base64.encodeToString";
+          }
+        }
+      }
+      if (method === "encodeHexString" && (receiver === "Hex" || receiver.endsWith(".Hex"))) {
+        const expr = (arg0?.expression ?? "").trim();
+        const head = expr.split(/[.\s(]/, 1)[0] ?? "";
+        if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+          return "Hex.encodeHexString";
+        }
+      }
+    }
+    if (language === "go") {
+      if (method === "EncodeToString") {
+        const recv = (receiver ?? "").toLowerCase();
+        if (recv.includes("base64") || recv.includes("hex") || recv.includes("encoding")) {
+          const expr = (arg0?.expression ?? "").trim();
+          const inner = expr.replace(/^\[\]byte\s*\(\s*/, "").replace(/\s*\)\s*$/, "");
+          const head = inner.split(/[.\s(]/, 1)[0] ?? "";
+          if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+            return recv.includes("hex") ? "hex.EncodeToString" : "base64.EncodeToString";
+          }
+        }
+      }
+    }
+    return null;
+  }
+};
+
+// src/analysis/passes/info-disclosure-stacktrace-pass.ts
+var RESPONSE_RECEIVER_RE = /^(res|response|w|writer|ctx|c)$/i;
+var LOGGER_RECEIVER_RE = /^(log|logger|slog|console|pino|winston|sentry)$/i;
+var RESPONSE_SEND_METHODS = /* @__PURE__ */ new Set([
+  "send",
+  "json",
+  "write",
+  "writeHead",
+  "end",
+  "sendFile",
+  "println",
+  "print",
+  "getWriter",
+  "Fprintln",
+  "Fprintf",
+  "Fprint"
+]);
+function isExceptionExpression(expr) {
+  if (!expr) return false;
+  const e = expr.trim();
+  return /\b(err|error|exc|exception|e|t|throwable)\.(stack|message|toString\(|getMessage\(|getStackTrace\(|getLocalizedMessage\(|getCause\()/i.test(e) || /\btraceback\.(format_exc|format_exception|print_exc)\b/i.test(e) || /\bdebug\.Stack\(\)/.test(e) || /\bstr\(\s*(err|error|exc|exception|e)\s*\)/i.test(e) || /\bString\(\s*(err|error|exc|exception|e)\s*\)/i.test(e);
+}
+function argIsException(arg) {
+  if (!arg) return false;
+  if (arg.variable && /^(err|error|exc|exception|e|t|throwable)$/i.test(arg.variable)) {
+    return true;
+  }
+  return isExceptionExpression(arg.expression);
+}
+function detectJavaPrintStackTrace(call) {
+  if (call.method_name !== "printStackTrace") return null;
+  const rec = call.receiver ?? "";
+  if (!/^(e|ex|exc|exception|err|error|t|throwable)$/i.test(rec)) return null;
+  const arg0 = call.arguments.find((a) => a.position === 0);
+  if (!arg0) return null;
+  const expr = (arg0.expression ?? arg0.variable ?? "").trim();
+  if (/\bresponse\.getWriter\(\)/.test(expr) || /\bresp\.getWriter\(\)/.test(expr) || /\bout\b/.test(expr) || // common name; conservative
+  /\bgetWriter\(\)/.test(expr)) {
+    return "e.printStackTrace(response.getWriter())";
+  }
+  return null;
+}
+function detectResponseLeakCall(call) {
+  const method = call.method_name ?? "";
+  const receiver = call.receiver ?? "";
+  if (!RESPONSE_SEND_METHODS.has(method)) return null;
+  if (LOGGER_RECEIVER_RE.test(receiver)) return null;
+  const recTail = receiver.split(".").pop() ?? receiver;
+  const recHead = receiver.split(".")[0] ?? receiver;
+  if (!RESPONSE_RECEIVER_RE.test(recTail) && !RESPONSE_RECEIVER_RE.test(recHead)) {
+    if (!/(?:^|[.\s])(res|response)\.(?:status|set|header|cookie)\b/i.test(receiver)) {
+      return null;
+    }
+  }
+  for (const a of call.arguments) {
+    if (argIsException(a)) {
+      return `${receiver || ""}${receiver ? "." : ""}${method}(${(a.expression ?? a.variable ?? "").trim()})`;
+    }
+  }
+  return null;
+}
+function detectPythonTracebackReturn(ctx) {
+  const out2 = [];
+  const lines = ctx.code.split("\n");
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    const ln = lines[i2] ?? "";
+    if (/\breturn\s+traceback\.format_exc\s*\(\s*\)/.test(ln) || /\breturn\s+\{[^}]*traceback\.format_exc\s*\(\s*\)[^}]*\}/.test(ln) || /\bjsonify\s*\([^)]*traceback\.format_exc\s*\(\s*\)/.test(ln)) {
+      out2.push({ line: i2 + 1, api: "return traceback.format_exc()" });
+      continue;
+    }
+    if (/\breturn\s+(?:str|repr)\s*\(\s*(?:e|err|error|exc|exception)\s*\)/.test(ln)) {
+      const start2 = Math.max(0, i2 - 8);
+      const end = Math.min(lines.length, i2 + 2);
+      const window2 = lines.slice(start2, end).join("\n");
+      if (/@(?:app|router|blueprint)\.(?:route|get|post|put|delete|patch)\b/.test(window2)) {
+        out2.push({ line: i2 + 1, api: "return str(e) in handler" });
+      }
+    }
+  }
+  return out2;
+}
+var InfoDisclosureStacktracePass = class {
+  name = "info-disclosure-stacktrace";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    if (language === "python") {
+      for (const f of detectPythonTracebackReturn(ctx)) {
+        findings.push({ line: f.line, api: f.api, language });
+        ctx.addFinding(this.makeFinding(file, f.line, f.api));
+      }
+    }
+    for (const call of graph.ir.calls) {
+      let api = null;
+      if (language === "java") {
+        api = detectJavaPrintStackTrace(call);
+        if (!api) api = detectResponseLeakCall(call);
+      } else if (language === "javascript" || language === "typescript") {
+        api = detectResponseLeakCall(call);
+      } else if (language === "go") {
+        const method = call.method_name ?? "";
+        const rec = call.receiver ?? "";
+        if (rec === "http" && method === "Error") {
+          const arg1 = call.arguments.find((a) => a.position === 1);
+          if (argIsException(arg1)) api = "http.Error(w, err.Error())";
+        } else if (rec === "fmt" && (method === "Fprintln" || method === "Fprintf" || method === "Fprint")) {
+          const arg0 = call.arguments.find((a) => a.position === 0);
+          if (arg0 && /^(w|writer|resp|response)$/i.test((arg0.variable ?? arg0.expression ?? "").trim())) {
+            for (const a of call.arguments) {
+              if (a.position === 0) continue;
+              if (argIsException(a)) {
+                api = `fmt.${method}(w, err)`;
+                break;
+              }
+            }
+          }
+        } else {
+          api = detectResponseLeakCall(call);
+        }
+      } else if (language === "python") {
+        api = detectResponseLeakCall(call);
+      }
+      if (!api) continue;
+      const line = call.location.line;
+      findings.push({ line, api, language });
+      ctx.addFinding(this.makeFinding(file, line, api));
+    }
+    return { findings };
+  }
+  makeFinding(file, line, api) {
+    return {
+      id: `${this.name}-${file}-${line}`,
+      pass: this.name,
+      category: this.category,
+      rule_id: this.name,
+      cwe: "CWE-209",
+      severity: "medium",
+      level: "warning",
+      message: `Exception detail returned to client via \`${api}\`. Leaking stack traces / exception messages reveals framework internals, file paths, and class names \u2014 useful reconnaissance for an attacker.`,
+      file,
+      line,
+      fix: 'Return a generic error response to the client (e.g. status 500 + a request id) and log the full exception server-side via your logger (e.g. `logger.error("\u2026", e)` or `console.error(err)`).',
+      evidence: { api }
+    };
+  }
+};
+
+// src/analysis/passes/unrestricted-file-upload-pass.ts
+var UPLOAD_NAME_RE = /(?:getOriginalFilename|getSubmittedFileName|originalname|originalName|\.filename|\.Filename|FileHeader\.Filename|UploadFile)/;
+var FILE_SAFE_CALL_RE = /(?:secure_filename|FilenameUtils\.getExtension|\.lastIndexOf\(['"]\.['"]\)|ALLOWED_EXT|ALLOWED_EXTENSIONS|allowedExtensions|\bfileFilter\b|filepath\.Ext|path\.extname)/;
+function lineWindow(code, startLine, endLine) {
+  const lines = code.split("\n");
+  const s = Math.max(0, startLine - 1);
+  const e = Math.min(lines.length, endLine);
+  return lines.slice(s, e).join("\n");
+}
+function callHasUploadName(call) {
+  for (const a of call.arguments) {
+    const expr = (a.expression ?? a.variable ?? "").trim();
+    if (UPLOAD_NAME_RE.test(expr)) return true;
+  }
+  if (UPLOAD_NAME_RE.test(call.receiver ?? "")) return true;
+  return false;
+}
+var UnrestrictedFileUploadPass = class {
+  name = "unrestricted-file-upload";
+  category = "security";
+  run(ctx) {
+    const { graph, language, code } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const safeFunctionRanges = [];
+    for (const t of graph.ir.types) {
+      for (const m of t.methods) {
+        const body2 = lineWindow(code, m.start_line, m.end_line);
+        if (FILE_SAFE_CALL_RE.test(body2)) {
+          safeFunctionRanges.push({ start: m.start_line, end: m.end_line });
+        }
+      }
+    }
+    const inSafeRange = (line) => {
+      for (const r of safeFunctionRanges) {
+        if (line >= r.start && line <= r.end) return true;
+      }
+      const win = lineWindow(code, Math.max(1, line - 20), line + 5);
+      return FILE_SAFE_CALL_RE.test(win);
+    };
+    if (language === "java") {
+      for (const call of graph.ir.calls) {
+        const m = call.method_name ?? "";
+        if (m === "transferTo" && callHasUploadName(call)) {
+          if (inSafeRange(call.location.line)) continue;
+          this.emit(
+            ctx,
+            findings,
+            file,
+            call.location.line,
+            language,
+            "MultipartFile.transferTo(<original filename>)"
+          );
+          continue;
+        }
+        if (m === "copy" && (call.receiver === "Files" || (call.receiver ?? "").endsWith(".Files"))) {
+          if (callHasUploadName(call)) {
+            if (inSafeRange(call.location.line)) continue;
+            this.emit(
+              ctx,
+              findings,
+              file,
+              call.location.line,
+              language,
+              "Files.copy(input, Path.of(dir, <original filename>))"
+            );
+          }
+        }
+      }
+    }
+    if (language === "javascript" || language === "typescript") {
+      for (const call of graph.ir.calls) {
+        const m = call.method_name ?? "";
+        const rec = call.receiver ?? "";
+        if (m === "multer" || rec === "" && m === "multer") {
+          const arg0 = call.arguments.find((a) => a.position === 0);
+          const expr = (arg0?.expression ?? "").trim();
+          if (/\bdest\s*:/.test(expr) && !/\bfileFilter\s*:/.test(expr)) {
+            if (inSafeRange(call.location.line)) continue;
+            this.emit(
+              ctx,
+              findings,
+              file,
+              call.location.line,
+              language,
+              "multer({ dest }) without fileFilter"
+            );
+            continue;
+          }
+        }
+        if (rec === "fs" && (m === "writeFile" || m === "writeFileSync" || m === "appendFile")) {
+          if (callHasUploadName(call) || call.arguments.some((a) => /\breq\.file(?:s)?\b/.test(a.expression ?? a.variable ?? ""))) {
+            if (inSafeRange(call.location.line)) continue;
+            this.emit(
+              ctx,
+              findings,
+              file,
+              call.location.line,
+              language,
+              `fs.${m}(<path>, req.file.buffer)`
+            );
+          }
+        }
+      }
+    }
+    if (language === "python") {
+      for (const call of graph.ir.calls) {
+        const m = call.method_name ?? "";
+        if (m === "save") {
+          const rec = call.receiver ?? "";
+          if (!/^(f|file|upload|attachment)$/i.test(rec) && rec !== "") continue;
+          if (!callHasUploadName(call)) continue;
+          if (inSafeRange(call.location.line)) continue;
+          this.emit(
+            ctx,
+            findings,
+            file,
+            call.location.line,
+            language,
+            "f.save(<dir>, f.filename) without secure_filename"
+          );
+        }
+      }
+    }
+    if (language === "go") {
+      for (const call of graph.ir.calls) {
+        const m = call.method_name ?? "";
+        const rec = call.receiver ?? "";
+        if (rec === "os" && (m === "Create" || m === "OpenFile")) {
+          if (callHasUploadName(call)) {
+            if (inSafeRange(call.location.line)) continue;
+            this.emit(
+              ctx,
+              findings,
+              file,
+              call.location.line,
+              language,
+              `os.${m}(<uploaded filename>)`
+            );
+          }
+        }
+        if ((rec === "os" || rec === "ioutil") && m === "WriteFile") {
+          if (callHasUploadName(call)) {
+            if (inSafeRange(call.location.line)) continue;
+            this.emit(
+              ctx,
+              findings,
+              file,
+              call.location.line,
+              language,
+              `${rec}.WriteFile(<uploaded filename>, \u2026)`
+            );
+          }
+        }
+      }
+    }
+    return { findings };
+  }
+  emit(ctx, findings, file, line, language, api) {
+    findings.push({ line, api, language });
+    ctx.addFinding({
+      id: `${this.name}-${file}-${line}`,
+      pass: this.name,
+      category: this.category,
+      rule_id: this.name,
+      cwe: "CWE-434",
+      severity: "high",
+      level: "error",
+      message: `File upload saved using untrusted name (${api}) \u2014 no extension allow-list or filename canonicalization detected. An attacker can upload a \`.jsp\`/\`.php\`/\`.html\` file and request it back, achieving RCE or stored XSS.`,
+      file,
+      line,
+      fix: 'Validate the uploaded extension against an allow-list (e.g. `Set.of("png","jpg")`), then save with a sanitized filename. In Python use `werkzeug.utils.secure_filename`. In multer pass a `fileFilter`. Never concatenate the upload\'s original filename into a save path without validation.',
+      evidence: { api, language }
+    });
+  }
+};
+
+// src/analysis/passes/plaintext-password-storage-pass.ts
+function isWriteStorageCall(call, language) {
+  const method = call.method_name ?? "";
+  const receiver = call.receiver ?? "";
+  const recvLower = receiver.toLowerCase();
+  if (language === "python") {
+    if (method === "write" || method === "writelines") {
+      return { credPos: 0, api: `<file>.${method}` };
+    }
+    if ((recvLower === "pickle" || recvLower === "json" || recvLower === "yaml") && (method === "dump" || method === "dumps")) {
+      return { credPos: 0, api: `${receiver}.${method}` };
+    }
+    if (recvLower === "redis" && (method === "set" || method === "setex" || method === "hset")) {
+      return { credPos: 1, api: `redis.${method}` };
+    }
+  }
+  if (language === "javascript" || language === "typescript") {
+    if ((recvLower === "fs" || recvLower.endsWith(".fs")) && (method === "writeFile" || method === "writeFileSync" || method === "appendFile" || method === "appendFileSync")) {
+      return { credPos: 1, api: `fs.${method}` };
+    }
+    if ((recvLower === "localstorage" || recvLower === "sessionstorage") && method === "setItem") {
+      return { credPos: 1, api: `${receiver}.setItem` };
+    }
+    if (recvLower === "redis" && (method === "set" || method === "setex" || method === "hset")) {
+      return { credPos: 1, api: `redis.${method}` };
+    }
+  }
+  if (language === "java") {
+    if ((receiver === "Files" || receiver.endsWith(".Files")) && (method === "write" || method === "writeString")) {
+      return { credPos: 1, api: `Files.${method}` };
+    }
+    if (method === "write") {
+      const lc = (receiver ?? "").toLowerCase();
+      if (lc.includes("writer") || lc.includes("file") || lc.includes("stream")) {
+        return { credPos: 0, api: `${receiver}.write` };
+      }
+    }
+  }
+  if (language === "go") {
+    if (receiver === "os" || receiver.endsWith("/os")) {
+      if (method === "WriteFile") return { credPos: 1, api: "os.WriteFile" };
+    }
+    if (receiver === "ioutil" || receiver.endsWith("/ioutil")) {
+      if (method === "WriteFile") return { credPos: 1, api: "ioutil.WriteFile" };
+    }
+    if (method === "WriteString" || method === "Write") {
+      return { credPos: 0, api: `<file>.${method}` };
+    }
+  }
+  return null;
+}
+var PlaintextPasswordStoragePass = class {
+  name = "plaintext-password-storage";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const callsByScope = /* @__PURE__ */ new Map();
+    for (const call of graph.ir.calls) {
+      const scope = call.in_method ?? "<top>";
+      const arr = callsByScope.get(scope) ?? [];
+      arr.push(call);
+      callsByScope.set(scope, arr);
+    }
+    for (const call of graph.ir.calls) {
+      const spec = isWriteStorageCall(call, language);
+      if (!spec) continue;
+      const credArg = call.arguments.find((a) => a.position === spec.credPos);
+      if (!credArg) continue;
+      if (!argLooksLikeCredential(credArg)) continue;
+      const identExpr = (credArg.expression ?? "").trim();
+      const head = identExpr.split(/[.\s(]/, 1)[0] ?? "";
+      const identifier = credArg.variable ?? head;
+      if (!identifier) continue;
+      const scope = call.in_method ?? "<top>";
+      const scopeCalls = callsByScope.get(scope) ?? [];
+      const prior = scopeCalls.filter((c) => c.location.line < call.location.line);
+      if (priorHashOf(identifier, prior)) continue;
+      if (/\b(?:hashpw|hash|sha\d+|md5|bcrypt|argon2|pbkdf2|digest)\b/i.test(credArg.expression ?? "")) {
+        continue;
+      }
+      const line = call.location.line;
+      findings.push({ line, language, api: spec.api, identifier });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-256",
+        severity: "high",
+        level: "warning",
+        message: `Credential \`${identifier}\` written in plaintext via \`${spec.api}\`. Passwords / secrets must be hashed (Argon2id, bcrypt) before storage.`,
+        file,
+        line,
+        fix: "Hash the credential with Argon2id / bcrypt before writing it to disk, cookie, KV store, or database.",
+        evidence: { identifier, api: spec.api, language }
+      });
+    }
+    return { findings };
+  }
+};
+
+// src/analysis/passes/cleartext-credential-transport-pass.ts
+var LOCALHOST_RE = /^(?:localhost|127\.0\.0\.1|0\.0\.0\.0)(?::\d+)?$/i;
+function isInsecureHttpUrl(urlLiteral) {
+  if (!urlLiteral) return false;
+  if (!/^http:\/\//i.test(urlLiteral)) return false;
+  const rest = urlLiteral.slice("http://".length);
+  const host = rest.split("/", 1)[0] ?? "";
+  if (LOCALHOST_RE.test(host)) return false;
+  return true;
+}
+function anyArgCarriesCredential(call, startPos) {
+  for (const a of call.arguments) {
+    if (a.position < startPos) continue;
+    if (argLooksLikeCredential(a)) return true;
+    const expr = (a.expression ?? "").trim();
+    if (!expr) continue;
+    if (/(?:["'`]?(?:password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|credential)["'`]?\s*[:=])/i.test(expr)) {
+      return true;
+    }
+    if (/\b(?:password|passwd|pwd|secret|api_key|api-key|apiKey|auth_token|authToken|credential)\w*\b/i.test(expr)) {
+      return true;
+    }
+  }
+  return false;
+}
+var CleartextCredentialTransportPass = class {
+  name = "cleartext-credential-transport";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detection = this.detect(call, language);
+      if (!detection) continue;
+      const { api, url } = detection;
+      const line = call.location.line;
+      findings.push({ line, language, api, url });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-523",
+        severity: "high",
+        level: "error",
+        message: `Credentials transmitted to \`${url}\` over HTTP via \`${api}\`. Cleartext transport exposes credentials to network observers.`,
+        file,
+        line,
+        fix: "Use HTTPS (https://) for all endpoints that receive credentials. For internal traffic, terminate TLS at the service boundary.",
+        evidence: { api, url, language }
+      });
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name ?? "";
+    const receiver = call.receiver ?? "";
+    const recvLower = receiver.toLowerCase();
+    if (language === "python") {
+      if ((recvLower === "requests" || recvLower === "httpx" || recvLower.endsWith(".requests") || recvLower.endsWith(".httpx")) && (method === "post" || method === "put" || method === "patch" || method === "request")) {
+        const url = literalAt(call, method === "request" ? 1 : 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: `${receiver}.${method}`, url };
+        }
+      }
+      if (method === "urlopen" && recvLower.includes("urllib")) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "urllib.request.urlopen", url };
+        }
+      }
+    }
+    if (language === "javascript" || language === "typescript") {
+      if ((recvLower === "axios" || recvLower.endsWith(".axios")) && (method === "post" || method === "put" || method === "patch" || method === "request")) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: `axios.${method}`, url };
+        }
+      }
+      if (method === "fetch" && receiver === "") {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "fetch", url };
+        }
+      }
+      if (method === "request" && (recvLower === "http" || recvLower.endsWith(".http"))) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "http.request", url };
+        }
+      }
+    }
+    if (language === "java" && method === "URL" && receiver === "") {
+      const url = literalAt(call, 0);
+      if (!isInsecureHttpUrl(url)) return null;
+      const scope = call.in_method ?? null;
+      if (!scope) return null;
+      return null;
+    }
+    if (language === "go") {
+      if (method === "Post" && (receiver === "http" || receiver.endsWith("/http"))) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "http.Post", url };
+        }
+      }
+      if (method === "NewRequest" && (receiver === "http" || receiver.endsWith("/http"))) {
+        const url = literalAt(call, 1);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 2)) {
+          return { api: "http.NewRequest", url };
+        }
+      }
+    }
+    return null;
+  }
+};
+
 // src/analysis/passes/tls-verify-disabled-pass.ts
 var PY_HTTP_METHODS = /* @__PURE__ */ new Set([
   "get",
@@ -32019,6 +32921,10 @@ async function analyze(code, filePath, language, options = {}) {
     if (!disabledPasses.has("weak-hash")) pipeline.add(new WeakHashPass());
     if (!disabledPasses.has("weak-crypto")) pipeline.add(new WeakCryptoPass());
     if (!disabledPasses.has("weak-random")) pipeline.add(new WeakRandomPass());
+    if (!disabledPasses.has("weak-password-hash")) pipeline.add(new WeakPasswordHashPass());
+    if (!disabledPasses.has("weak-password-encoding")) pipeline.add(new WeakPasswordEncodingPass());
+    if (!disabledPasses.has("plaintext-password-storage")) pipeline.add(new PlaintextPasswordStoragePass());
+    if (!disabledPasses.has("cleartext-credential-transport")) pipeline.add(new CleartextCredentialTransportPass());
     if (!disabledPasses.has("tls-verify-disabled")) pipeline.add(new TlsVerifyDisabledPass());
     if (!disabledPasses.has("module-side-effect")) pipeline.add(new ModuleSideEffectPass());
     if (!disabledPasses.has("cache-no-vary")) pipeline.add(new CacheNoVaryPass());
@@ -32026,6 +32932,8 @@ async function analyze(code, filePath, language, options = {}) {
     if (!disabledPasses.has("csrf-protection-disabled")) pipeline.add(new CsrfProtectionDisabledPass());
     if (!disabledPasses.has("xml-entity-expansion")) pipeline.add(new XmlEntityExpansionPass());
     if (!disabledPasses.has("mass-assignment")) pipeline.add(new MassAssignmentPass());
+    if (!disabledPasses.has("info-disclosure-stacktrace")) pipeline.add(new InfoDisclosureStacktracePass());
+    if (!disabledPasses.has("unrestricted-file-upload")) pipeline.add(new UnrestrictedFileUploadPass());
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");