npm - circle-ir - Versions diffs - 3.81.0 → 3.82.0 - Mend

circle-ir 3.81.0 → 3.82.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/dist/analysis/config-loader.d.ts.map +1 -1
package/dist/analysis/config-loader.js +20 -3
package/dist/analysis/config-loader.js.map +1 -1
package/dist/analysis/passes/info-disclosure-stacktrace-pass.d.ts +48 -0
package/dist/analysis/passes/info-disclosure-stacktrace-pass.d.ts.map +1 -0
package/dist/analysis/passes/info-disclosure-stacktrace-pass.js +222 -0
package/dist/analysis/passes/info-disclosure-stacktrace-pass.js.map +1 -0
package/dist/analysis/passes/unrestricted-file-upload-pass.d.ts +46 -0
package/dist/analysis/passes/unrestricted-file-upload-pass.d.ts.map +1 -0
package/dist/analysis/passes/unrestricted-file-upload-pass.js +193 -0
package/dist/analysis/passes/unrestricted-file-upload-pass.js.map +1 -0
package/dist/analyzer.d.ts.map +1 -1
package/dist/analyzer.js +6 -0
package/dist/analyzer.js.map +1 -1
package/dist/browser/circle-ir.js +348 -3
package/dist/core/circle-ir-core.cjs +20 -3
package/dist/core/circle-ir-core.js +20 -3
package/package.json +1 -1

package/dist/analysis/config-loader.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA4+CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,~~EA4PhD~~,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1	+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA4+CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA+QhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}

package/dist/analysis/config-loader.js CHANGED Viewed

@@ -1966,9 +1966,26 @@ export const DEFAULT_SANITIZERS = [
     // JSON.parse (data is validated against JSON grammar, prevents XSS/code injection)
     { method: 'parse', class: 'JSON', removes: ['xss', 'code_injection'] },
     // Type coercion (removes string-based injections)
-    { method: 'parseInt', removes: ['sql_injection', 'nosql_injection', 'command_injection', 'xss'] },
-    { method: 'parseFloat', removes: ['sql_injection', 'nosql_injection', 'command_injection'] },
-    { method: 'Number', removes: ['sql_injection', 'nosql_injection', 'command_injection'] },
+    // Sprint 29 (#113): include external_taint_escape — a numeric cast cannot
+    // carry an unvalidated string payload across a function boundary.
+    { method: 'parseInt', removes: ['sql_injection', 'nosql_injection', 'command_injection', 'xss', 'external_taint_escape', 'path_traversal', 'code_injection'] },
+    { method: 'parseFloat', removes: ['sql_injection', 'nosql_injection', 'command_injection', 'external_taint_escape', 'path_traversal', 'code_injection'] },
+    { method: 'Number', removes: ['sql_injection', 'nosql_injection', 'command_injection', 'external_taint_escape', 'path_traversal', 'code_injection'] },
+    // Sprint 29 (#113): bounds-clamp Math.min / Math.max — when used to bound
+    // a numeric/size value (e.g. `Math.min(size, MAX_BYTES)`), the result is
+    // safely bounded and cannot resource-exhaust downstream. Only suppress
+    // external_taint_escape — these helpers do NOT sanitize string injection.
+    { method: 'min', class: 'Math', removes: ['external_taint_escape'] },
+    { method: 'max', class: 'Math', removes: ['external_taint_escape'] },
+    // Sprint 29 (#113): allow-list / membership guards — when an external value
+    // is tested against an allow-list (`ALLOWED.includes(x)`, `set.has(x)`,
+    // `list.contains(x)`) before being forwarded, it cannot escape unbounded.
+    // Only suppress `external_taint_escape`; real string-injection sinks should
+    // still rely on their own escaping.
+    { method: 'includes', removes: ['external_taint_escape'] },
+    { method: 'has', removes: ['external_taint_escape'] },
+    { method: 'contains', removes: ['external_taint_escape'] },
+    { method: 'indexOf', removes: ['external_taint_escape'] },
     // Path sanitization
     { method: 'basename', class: 'path', removes: ['path_traversal'] },
     { method: 'normalize', class: 'path', removes: ['path_traversal'] },