circle-ir 3.80.0 → 3.82.0

package/dist/core/circle-ir-core.cjs

@@ -10759,7 +10759,12 @@ var DEFAULT_SINKS = [
   // Class-less XSS patterns for cases where receiver type is inferred
   { method: "println", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "print", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
-  { method: "write", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
+  // NOTE: the unscoped { method: 'write', type: 'xss' } entry was removed in
+  // Sprint 28 (#110). It mistyped every non-XSS .write() across all languages
+  // (fs.writeFile, open().write, bcrypt callbacks, credential file writes,
+  // node ClientRequest.write, etc.) as xss. Real HTML writers are covered
+  // by class-scoped entries: PrintWriter.write (line 843), ServletOutputStream.write
+  // (line 849), JspWriter.write (xss.yaml), Response.write (nodejs.json).
   { method: "append", class: "StringBuilder", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "append", class: "StringBuffer", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   // Wiki/CMS XSS sinks (JSPWiki, Confluence, etc.)
@@ -11956,9 +11961,26 @@ var DEFAULT_SANITIZERS = [
   // JSON.parse (data is validated against JSON grammar, prevents XSS/code injection)
   { method: "parse", class: "JSON", removes: ["xss", "code_injection"] },
   // Type coercion (removes string-based injections)
-  { method: "parseInt", removes: ["sql_injection", "nosql_injection", "command_injection", "xss"] },
-  { method: "parseFloat", removes: ["sql_injection", "nosql_injection", "command_injection"] },
-  { method: "Number", removes: ["sql_injection", "nosql_injection", "command_injection"] },
+  // Sprint 29 (#113): include external_taint_escape — a numeric cast cannot
+  // carry an unvalidated string payload across a function boundary.
+  { method: "parseInt", removes: ["sql_injection", "nosql_injection", "command_injection", "xss", "external_taint_escape", "path_traversal", "code_injection"] },
+  { method: "parseFloat", removes: ["sql_injection", "nosql_injection", "command_injection", "external_taint_escape", "path_traversal", "code_injection"] },
+  { method: "Number", removes: ["sql_injection", "nosql_injection", "command_injection", "external_taint_escape", "path_traversal", "code_injection"] },
+  // Sprint 29 (#113): bounds-clamp Math.min / Math.max — when used to bound
+  // a numeric/size value (e.g. `Math.min(size, MAX_BYTES)`), the result is
+  // safely bounded and cannot resource-exhaust downstream. Only suppress
+  // external_taint_escape — these helpers do NOT sanitize string injection.
+  { method: "min", class: "Math", removes: ["external_taint_escape"] },
+  { method: "max", class: "Math", removes: ["external_taint_escape"] },
+  // Sprint 29 (#113): allow-list / membership guards — when an external value
+  // is tested against an allow-list (`ALLOWED.includes(x)`, `set.has(x)`,
+  // `list.contains(x)`) before being forwarded, it cannot escape unbounded.
+  // Only suppress `external_taint_escape`; real string-injection sinks should
+  // still rely on their own escaping.
+  { method: "includes", removes: ["external_taint_escape"] },
+  { method: "has", removes: ["external_taint_escape"] },
+  { method: "contains", removes: ["external_taint_escape"] },
+  { method: "indexOf", removes: ["external_taint_escape"] },
   // Path sanitization
   { method: "basename", class: "path", removes: ["path_traversal"] },
   { method: "normalize", class: "path", removes: ["path_traversal"] },

package/dist/core/circle-ir-core.js

@@ -10693,7 +10693,12 @@ var DEFAULT_SINKS = [
   // Class-less XSS patterns for cases where receiver type is inferred
   { method: "println", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "print", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
-  { method: "write", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
+  // NOTE: the unscoped { method: 'write', type: 'xss' } entry was removed in
+  // Sprint 28 (#110). It mistyped every non-XSS .write() across all languages
+  // (fs.writeFile, open().write, bcrypt callbacks, credential file writes,
+  // node ClientRequest.write, etc.) as xss. Real HTML writers are covered
+  // by class-scoped entries: PrintWriter.write (line 843), ServletOutputStream.write
+  // (line 849), JspWriter.write (xss.yaml), Response.write (nodejs.json).
   { method: "append", class: "StringBuilder", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "append", class: "StringBuffer", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   // Wiki/CMS XSS sinks (JSPWiki, Confluence, etc.)
@@ -11890,9 +11895,26 @@ var DEFAULT_SANITIZERS = [
   // JSON.parse (data is validated against JSON grammar, prevents XSS/code injection)
   { method: "parse", class: "JSON", removes: ["xss", "code_injection"] },
   // Type coercion (removes string-based injections)
-  { method: "parseInt", removes: ["sql_injection", "nosql_injection", "command_injection", "xss"] },
-  { method: "parseFloat", removes: ["sql_injection", "nosql_injection", "command_injection"] },
-  { method: "Number", removes: ["sql_injection", "nosql_injection", "command_injection"] },
+  // Sprint 29 (#113): include external_taint_escape — a numeric cast cannot
+  // carry an unvalidated string payload across a function boundary.
+  { method: "parseInt", removes: ["sql_injection", "nosql_injection", "command_injection", "xss", "external_taint_escape", "path_traversal", "code_injection"] },
+  { method: "parseFloat", removes: ["sql_injection", "nosql_injection", "command_injection", "external_taint_escape", "path_traversal", "code_injection"] },
+  { method: "Number", removes: ["sql_injection", "nosql_injection", "command_injection", "external_taint_escape", "path_traversal", "code_injection"] },
+  // Sprint 29 (#113): bounds-clamp Math.min / Math.max — when used to bound
+  // a numeric/size value (e.g. `Math.min(size, MAX_BYTES)`), the result is
+  // safely bounded and cannot resource-exhaust downstream. Only suppress
+  // external_taint_escape — these helpers do NOT sanitize string injection.
+  { method: "min", class: "Math", removes: ["external_taint_escape"] },
+  { method: "max", class: "Math", removes: ["external_taint_escape"] },
+  // Sprint 29 (#113): allow-list / membership guards — when an external value
+  // is tested against an allow-list (`ALLOWED.includes(x)`, `set.has(x)`,
+  // `list.contains(x)`) before being forwarded, it cannot escape unbounded.
+  // Only suppress `external_taint_escape`; real string-injection sinks should
+  // still rely on their own escaping.
+  { method: "includes", removes: ["external_taint_escape"] },
+  { method: "has", removes: ["external_taint_escape"] },
+  { method: "contains", removes: ["external_taint_escape"] },
+  { method: "indexOf", removes: ["external_taint_escape"] },
   // Path sanitization
   { method: "basename", class: "path", removes: ["path_traversal"] },
   { method: "normalize", class: "path", removes: ["path_traversal"] },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.80.0",
+  "version": "3.82.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",