npm - circle-ir - Versions diffs - 3.81.0 → 3.82.0 - Mend

circle-ir 3.81.0 → 3.82.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/dist/analysis/config-loader.d.ts.map +1 -1
package/dist/analysis/config-loader.js +20 -3
package/dist/analysis/config-loader.js.map +1 -1
package/dist/analysis/passes/info-disclosure-stacktrace-pass.d.ts +48 -0
package/dist/analysis/passes/info-disclosure-stacktrace-pass.d.ts.map +1 -0
package/dist/analysis/passes/info-disclosure-stacktrace-pass.js +222 -0
package/dist/analysis/passes/info-disclosure-stacktrace-pass.js.map +1 -0
package/dist/analysis/passes/unrestricted-file-upload-pass.d.ts +46 -0
package/dist/analysis/passes/unrestricted-file-upload-pass.d.ts.map +1 -0
package/dist/analysis/passes/unrestricted-file-upload-pass.js +193 -0
package/dist/analysis/passes/unrestricted-file-upload-pass.js.map +1 -0
package/dist/analyzer.d.ts.map +1 -1
package/dist/analyzer.js +6 -0
package/dist/analyzer.js.map +1 -1
package/dist/browser/circle-ir.js +348 -3
package/dist/core/circle-ir-core.cjs +20 -3
package/dist/core/circle-ir-core.js +20 -3
package/package.json +1 -1

package/dist/analysis/passes/info-disclosure-stacktrace-pass.d.ts ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * Pass: info-disclosure-stacktrace (CWE-209, category: security)
+ *
+ * Detects exception stack traces / messages being returned to remote clients
+ * via an HTTP response handler. This leaks framework internals, file paths,
+ * SQL fragments, and class names — useful reconnaissance for an attacker.
+ *
+ * Detection per language:
+ *   Java:
+ *     - `e.printStackTrace(response.getWriter())` / `.printStackTrace(out)`
+ *       where `out` is a response writer.
+ *     - `response.getWriter().write(e.toString())`
+ *     - `response.getWriter().println(e.getMessage())`
+ *     - `new ResponseEntity<>(e.getStackTrace(), …)`
+ *
+ *   Python:
+ *     - `return traceback.format_exc()` from a handler-like function
+ *     - `flask.jsonify(error=traceback.format_exc())`
+ *     - Bare `return str(e)` / `return {"error": str(e)}` in handler
+ *
+ *   JS/TS:
+ *     - `res.send(err.stack)` / `res.json({error: err.stack})`
+ *     - `res.json(err)` (whole error object)
+ *     - `res.status(N).send(err.message + err.stack)` / similar
+ *
+ *   Go:
+ *     - `http.Error(w, err.Error()+debug.Stack(), 500)` — narrow
+ *     - `fmt.Fprintln(w, err)` in an HTTP handler
+ *
+ * Negative guard: if the consumer is a logger (`console.error`,
+ * `logger.error`, `log.Error`), do NOT fire — logging stack traces
+ * server-side is not a leak.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface InfoDisclosureStacktraceResult {
+    findings: Array<{
+        line: number;
+        api: string;
+        language: string;
+    }>;
+}
+export declare class InfoDisclosureStacktracePass implements AnalysisPass<InfoDisclosureStacktraceResult> {
+    readonly name = "info-disclosure-stacktrace";
+    readonly category: "security";
+    run(ctx: PassContext): InfoDisclosureStacktraceResult;
+    private makeFinding;
+}
+//# sourceMappingURL=info-disclosure-stacktrace-pass.d.ts.map

package/dist/analysis/passes/info-disclosure-stacktrace-pass.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"info-disclosure-stacktrace-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/info-disclosure-stacktrace-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAG9E,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAClE;AAoHD,qBAAa,4BAA6B,YAAW,YAAY,CAAC,8BAA8B,CAAC;IAC/F,QAAQ,CAAC,IAAI,gCAAgC;IAC7C,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,8BAA8B;IAqDrD,OAAO,CAAC,WAAW;CAsBpB"}

package/dist/analysis/passes/info-disclosure-stacktrace-pass.js ADDED Viewed

@@ -0,0 +1,222 @@
+/**
+ * Pass: info-disclosure-stacktrace (CWE-209, category: security)
+ *
+ * Detects exception stack traces / messages being returned to remote clients
+ * via an HTTP response handler. This leaks framework internals, file paths,
+ * SQL fragments, and class names — useful reconnaissance for an attacker.
+ *
+ * Detection per language:
+ *   Java:
+ *     - `e.printStackTrace(response.getWriter())` / `.printStackTrace(out)`
+ *       where `out` is a response writer.
+ *     - `response.getWriter().write(e.toString())`
+ *     - `response.getWriter().println(e.getMessage())`
+ *     - `new ResponseEntity<>(e.getStackTrace(), …)`
+ *
+ *   Python:
+ *     - `return traceback.format_exc()` from a handler-like function
+ *     - `flask.jsonify(error=traceback.format_exc())`
+ *     - Bare `return str(e)` / `return {"error": str(e)}` in handler
+ *
+ *   JS/TS:
+ *     - `res.send(err.stack)` / `res.json({error: err.stack})`
+ *     - `res.json(err)` (whole error object)
+ *     - `res.status(N).send(err.message + err.stack)` / similar
+ *
+ *   Go:
+ *     - `http.Error(w, err.Error()+debug.Stack(), 500)` — narrow
+ *     - `fmt.Fprintln(w, err)` in an HTTP handler
+ *
+ * Negative guard: if the consumer is a logger (`console.error`,
+ * `logger.error`, `log.Error`), do NOT fire — logging stack traces
+ * server-side is not a leak.
+ */
+/** Receiver names that almost always indicate an HTTP response handle. */
+const RESPONSE_RECEIVER_RE = /^(res|response|w|writer|ctx|c)$/i;
+/** Logger receivers (negative guard). */
+const LOGGER_RECEIVER_RE = /^(log|logger|slog|console|pino|winston|sentry)$/i;
+/** Method names on a response that send data to the client. */
+const RESPONSE_SEND_METHODS = new Set([
+    'send', 'json', 'write', 'writeHead', 'end', 'sendFile',
+    'println', 'print', 'getWriter',
+    'Fprintln', 'Fprintf', 'Fprint',
+]);
+/** Expression heuristics for "this is an exception value". */
+function isExceptionExpression(expr) {
+    if (!expr)
+        return false;
+    const e = expr.trim();
+    // err.stack | err.message | e.toString() | e.getMessage() | e.getStackTrace()
+    // exc.format_exc() | traceback.format_exc() | str(e)
+    return (/\b(err|error|exc|exception|e|t|throwable)\.(stack|message|toString\(|getMessage\(|getStackTrace\(|getLocalizedMessage\(|getCause\()/i.test(e) ||
+        /\btraceback\.(format_exc|format_exception|print_exc)\b/i.test(e) ||
+        /\bdebug\.Stack\(\)/.test(e) ||
+        /\bstr\(\s*(err|error|exc|exception|e)\s*\)/i.test(e) ||
+        /\bString\(\s*(err|error|exc|exception|e)\s*\)/i.test(e));
+}
+/** True if an argument carries an exception-like value. */
+function argIsException(arg) {
+    if (!arg)
+        return false;
+    if (arg.variable && /^(err|error|exc|exception|e|t|throwable)$/i.test(arg.variable)) {
+        return true;
+    }
+    return isExceptionExpression(arg.expression);
+}
+/** Detect Java: e.printStackTrace(out) where out is a response writer. */
+function detectJavaPrintStackTrace(call) {
+    if (call.method_name !== 'printStackTrace')
+        return null;
+    // Receiver should look like an exception variable name.
+    const rec = call.receiver ?? '';
+    if (!/^(e|ex|exc|exception|err|error|t|throwable)$/i.test(rec))
+        return null;
+    // Arg 0 should be a response writer expression.
+    const arg0 = call.arguments.find((a) => a.position === 0);
+    if (!arg0)
+        return null;
+    const expr = (arg0.expression ?? arg0.variable ?? '').trim();
+    if (/\bresponse\.getWriter\(\)/.test(expr) ||
+        /\bresp\.getWriter\(\)/.test(expr) ||
+        /\bout\b/.test(expr) || // common name; conservative
+        /\bgetWriter\(\)/.test(expr)) {
+        return 'e.printStackTrace(response.getWriter())';
+    }
+    return null;
+}
+/** Detect calls of the shape `response.send(err.stack)` / `.json(err)`. */
+function detectResponseLeakCall(call) {
+    const method = call.method_name ?? '';
+    const receiver = call.receiver ?? '';
+    if (!RESPONSE_SEND_METHODS.has(method))
+        return null;
+    if (LOGGER_RECEIVER_RE.test(receiver))
+        return null;
+    // Accept either a bare known receiver name, or one whose tail is a known name
+    // (e.g. `ctx.response`, `event.res`, `response.status(500)` chained returns).
+    const recTail = receiver.split('.').pop() ?? receiver;
+    const recHead = receiver.split('.')[0] ?? receiver;
+    if (!RESPONSE_RECEIVER_RE.test(recTail) && !RESPONSE_RECEIVER_RE.test(recHead)) {
+        // Allow chained: res.status(500).send(...) — receiver text often contains
+        // `.status(` substring.
+        if (!/(?:^|[.\s])(res|response)\.(?:status|set|header|cookie)\b/i.test(receiver)) {
+            return null;
+        }
+    }
+    // Any argument contains an exception expression?
+    for (const a of call.arguments) {
+        if (argIsException(a)) {
+            return `${receiver || ''}${receiver ? '.' : ''}${method}(${(a.expression ?? a.variable ?? '').trim()})`;
+        }
+    }
+    return null;
+}
+/** Detect Python: `return traceback.format_exc()` inside any function. */
+function detectPythonTracebackReturn(ctx) {
+    const out = [];
+    const lines = ctx.code.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const ln = lines[i] ?? '';
+        if (/\breturn\s+traceback\.format_exc\s*\(\s*\)/.test(ln) ||
+            /\breturn\s+\{[^}]*traceback\.format_exc\s*\(\s*\)[^}]*\}/.test(ln) ||
+            /\bjsonify\s*\([^)]*traceback\.format_exc\s*\(\s*\)/.test(ln)) {
+            out.push({ line: i + 1, api: 'return traceback.format_exc()' });
+            continue;
+        }
+        // `return str(e)` in a handler context — conservative: require the
+        // surrounding 5-line window to contain a Flask/FastAPI/Django marker.
+        if (/\breturn\s+(?:str|repr)\s*\(\s*(?:e|err|error|exc|exception)\s*\)/.test(ln)) {
+            const start = Math.max(0, i - 8);
+            const end = Math.min(lines.length, i + 2);
+            const window = lines.slice(start, end).join('\n');
+            if (/@(?:app|router|blueprint)\.(?:route|get|post|put|delete|patch)\b/.test(window)) {
+                out.push({ line: i + 1, api: 'return str(e) in handler' });
+            }
+        }
+    }
+    return out;
+}
+export class InfoDisclosureStacktracePass {
+    name = 'info-disclosure-stacktrace';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        if (language === 'python') {
+            for (const f of detectPythonTracebackReturn(ctx)) {
+                findings.push({ line: f.line, api: f.api, language });
+                ctx.addFinding(this.makeFinding(file, f.line, f.api));
+            }
+        }
+        for (const call of graph.ir.calls) {
+            let api = null;
+            if (language === 'java') {
+                api = detectJavaPrintStackTrace(call);
+                if (!api)
+                    api = detectResponseLeakCall(call);
+            }
+            else if (language === 'javascript' || language === 'typescript') {
+                api = detectResponseLeakCall(call);
+            }
+            else if (language === 'go') {
+                // http.Error(w, err.Error()+debug.Stack(), 500)
+                // fmt.Fprintln(w, err)
+                const method = call.method_name ?? '';
+                const rec = call.receiver ?? '';
+                if (rec === 'http' && method === 'Error') {
+                    const arg1 = call.arguments.find((a) => a.position === 1);
+                    if (argIsException(arg1))
+                        api = 'http.Error(w, err.Error())';
+                }
+                else if (rec === 'fmt' && (method === 'Fprintln' || method === 'Fprintf' || method === 'Fprint')) {
+                    const arg0 = call.arguments.find((a) => a.position === 0);
+                    if (arg0 && /^(w|writer|resp|response)$/i.test((arg0.variable ?? arg0.expression ?? '').trim())) {
+                        for (const a of call.arguments) {
+                            if (a.position === 0)
+                                continue;
+                            if (argIsException(a)) {
+                                api = `fmt.${method}(w, err)`;
+                                break;
+                            }
+                        }
+                    }
+                }
+                else {
+                    api = detectResponseLeakCall(call);
+                }
+            }
+            else if (language === 'python') {
+                // Handle response leak shape too: e.g. `return jsonify(stack=...)`
+                api = detectResponseLeakCall(call);
+            }
+            if (!api)
+                continue;
+            const line = call.location.line;
+            findings.push({ line, api, language });
+            ctx.addFinding(this.makeFinding(file, line, api));
+        }
+        return { findings };
+    }
+    makeFinding(file, line, api) {
+        return {
+            id: `${this.name}-${file}-${line}`,
+            pass: this.name,
+            category: this.category,
+            rule_id: this.name,
+            cwe: 'CWE-209',
+            severity: 'medium',
+            level: 'warning',
+            message: `Exception detail returned to client via \`${api}\`. ` +
+                'Leaking stack traces / exception messages reveals framework internals, ' +
+                'file paths, and class names — useful reconnaissance for an attacker.',
+            file,
+            line,
+            fix: 'Return a generic error response to the client (e.g. status 500 + a ' +
+                'request id) and log the full exception server-side via your logger ' +
+                '(e.g. `logger.error("…", e)` or `console.error(err)`).',
+            evidence: { api },
+        };
+    }
+}
+//# sourceMappingURL=info-disclosure-stacktrace-pass.js.map

package/dist/analysis/passes/info-disclosure-stacktrace-pass.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"info-disclosure-stacktrace-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/info-disclosure-stacktrace-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AASH,0EAA0E;AAC1E,MAAM,oBAAoB,GAAG,kCAAkC,CAAC;AAEhE,yCAAyC;AACzC,MAAM,kBAAkB,GAAG,kDAAkD,CAAC;AAE9E,+DAA+D;AAC/D,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU;IACvD,SAAS,EAAE,OAAO,EAAE,WAAW;IAC/B,UAAU,EAAE,SAAS,EAAE,QAAQ;CAChC,CAAC,CAAC;AAEH,8DAA8D;AAC9D,SAAS,qBAAqB,CAAC,IAA+B;IAC5D,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IACtB,8EAA8E;IAC9E,qDAAqD;IACrD,OAAO,CACL,sIAAsI,CAAC,IAAI,CAAC,CAAC,CAAC;QAC9I,yDAAyD,CAAC,IAAI,CAAC,CAAC,CAAC;QACjE,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC;QAC5B,6CAA6C,CAAC,IAAI,CAAC,CAAC,CAAC;QACrD,gDAAgD,CAAC,IAAI,CAAC,CAAC,CAAC,CACzD,CAAC;AACJ,CAAC;AAED,2DAA2D;AAC3D,SAAS,cAAc,CAAC,GAA6B;IACnD,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IACvB,IAAI,GAAG,CAAC,QAAQ,IAAI,4CAA4C,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpF,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,qBAAqB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;AAC/C,CAAC;AAED,0EAA0E;AAC1E,SAAS,yBAAyB,CAAC,IAAc;IAC/C,IAAI,IAAI,CAAC,WAAW,KAAK,iBAAiB;QAAE,OAAO,IAAI,CAAC;IACxD,wDAAwD;IACxD,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;IAChC,IAAI,CAAC,+CAA+C,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5E,gDAAgD;IAChD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;IAC1D,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,MAAM,IAAI,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC7D,IACE,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC;QACtC,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC;QAClC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,4BAA4B;QACpD,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAC5B,CAAC;QACD,OAAO,yCAAyC,CAAC;IACnD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,2EAA2E;AAC3E,SAAS,sBAAsB,CAAC,IAAc;IAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;IAErC,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,IAAI,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,8EAA8E;IAC9E,8EAA8E;IAC9E,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;IACtD,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC;IACnD,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/E,0EAA0E;QAC1E,wBAAwB;QACxB,IAAI,CAAC,4DAA4D,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QAC/B,IAAI,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC;YACtB,OAAO,GAAG,QAAQ,IAAI,EAAE,GAAG,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC;QAC1G,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,0EAA0E;AAC1E,SAAS,2BAA2B,CAAC,GAAgB;IACnD,MAAM,GAAG,GAAyC,EAAE,CAAC;IACrD,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC1B,IACE,4CAA4C,CAAC,IAAI,CAAC,EAAE,CAAC;YACrD,0DAA0D,CAAC,IAAI,CAAC,EAAE,CAAC;YACnE,oDAAoD,CAAC,IAAI,CAAC,EAAE,CAAC,EAC7D,CAAC;YACD,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,+BAA+B,EAAE,CAAC,CAAC;YAChE,SAAS;QACX,CAAC;QACD,mEAAmE;QACnE,sEAAsE;QACtE,IAAI,mEAAmE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YACjF,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;YACjC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;YAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClD,IAAI,kEAAkE,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBACpF,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,0BAA0B,EAAE,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,OAAO,4BAA4B;IAC9B,IAAI,GAAG,4BAA4B,CAAC;IACpC,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAA+C,EAAE,CAAC;QAEhE,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,KAAK,MAAM,CAAC,IAAI,2BAA2B,CAAC,GAAG,CAAC,EAAE,CAAC;gBACjD,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC;gBACtD,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,IAAI,GAAG,GAAkB,IAAI,CAAC;YAE9B,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACxB,GAAG,GAAG,yBAAyB,CAAC,IAAI,CAAC,CAAC;gBACtC,IAAI,CAAC,GAAG;oBAAE,GAAG,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;YAC/C,CAAC;iBAAM,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;gBAClE,GAAG,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;YACrC,CAAC;iBAAM,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;gBAC7B,gDAAgD;gBAChD,uBAAuB;gBACvB,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;gBACtC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;gBAChC,IAAI,GAAG,KAAK,MAAM,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;oBACzC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;oBAC1D,IAAI,cAAc,CAAC,IAAI,CAAC;wBAAE,GAAG,GAAG,4BAA4B,CAAC;gBAC/D,CAAC;qBAAM,IAAI,GAAG,KAAK,KAAK,IAAI,CAAC,MAAM,KAAK,UAAU,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,QAAQ,CAAC,EAAE,CAAC;oBACnG,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;oBAC1D,IAAI,IAAI,IAAI,6BAA6B,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;wBAChG,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;4BAC/B,IAAI,CAAC,CAAC,QAAQ,KAAK,CAAC;gCAAE,SAAS;4BAC/B,IAAI,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC;gCAAC,GAAG,GAAG,OAAO,MAAM,UAAU,CAAC;gCAAC,MAAM;4BAAC,CAAC;wBAClE,CAAC;oBACH,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,GAAG,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;gBACrC,CAAC;YACH,CAAC;iBAAM,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACjC,mEAAmE;gBACnE,GAAG,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;YACrC,CAAC;YAED,IAAI,CAAC,GAAG;gBAAE,SAAS;YACnB,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC;YACvC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;QACpD,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,WAAW,CAAC,IAAY,EAAE,IAAY,EAAE,GAAW;QACzD,OAAO;YACL,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;YAClC,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,IAAI;YAClB,GAAG,EAAE,SAAS;YACd,QAAQ,EAAE,QAAiB;YAC3B,KAAK,EAAE,SAAkB;YACzB,OAAO,EACL,6CAA6C,GAAG,MAAM;gBACtD,yEAAyE;gBACzE,sEAAsE;YACxE,IAAI;YACJ,IAAI;YACJ,GAAG,EACD,qEAAqE;gBACrE,qEAAqE;gBACrE,wDAAwD;YAC1D,QAAQ,EAAE,EAAE,GAAG,EAAE;SAClB,CAAC;IACJ,CAAC;CACF"}

package/dist/analysis/passes/unrestricted-file-upload-pass.d.ts ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * Pass: unrestricted-file-upload (CWE-434, category: security)
+ *
+ * Detects when an HTTP-uploaded file is saved to disk WITHOUT a filename
+ * allow-list (extension check) or `secure_filename` normalization.
+ *
+ * Detection (per language):
+ *
+ *   Java (Spring MultipartFile / Servlet Part):
+ *     - `file.transferTo(new File(dir, file.getOriginalFilename()))`
+ *     - `Files.copy(part.getInputStream(), Path.of(dir, part.getSubmittedFileName()))`
+ *     - Without preceding `ALLOWED_*.contains(ext)` or
+ *       `FilenameUtils.getExtension(name)` + check.
+ *
+ *   JS/TS (multer / express-fileupload):
+ *     - `multer({ dest: '…' })` with NO `fileFilter` option.
+ *     - `fs.writeFile(path, req.file.buffer)` / `req.files.x.mv(path)`
+ *       without prior `path.extname` allow-list check.
+ *
+ *   Python (Flask / Django / FastAPI):
+ *     - `f.save(os.path.join(UPLOAD_DIR, f.filename))` without prior
+ *       `secure_filename(f.filename)` wrapping.
+ *
+ *   Go:
+ *     - `io.Copy(dst, file)` where `dst = os.Create(fileHeader.Filename)`
+ *       without an extension allow-list.
+ *
+ * The pass is intentionally conservative — it only fires when an upload-name
+ * expression flows directly into a save sink in the same function and no
+ * known allow-list / canonicalizer call appears earlier in the function.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface UnrestrictedFileUploadResult {
+    findings: Array<{
+        line: number;
+        api: string;
+        language: string;
+    }>;
+}
+export declare class UnrestrictedFileUploadPass implements AnalysisPass<UnrestrictedFileUploadResult> {
+    readonly name = "unrestricted-file-upload";
+    readonly category: "security";
+    run(ctx: PassContext): UnrestrictedFileUploadResult;
+    private emit;
+}
+//# sourceMappingURL=unrestricted-file-upload-pass.d.ts.map

package/dist/analysis/passes/unrestricted-file-upload-pass.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"unrestricted-file-upload-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/unrestricted-file-upload-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAG9E,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAClE;AA2BD,qBAAa,0BAA2B,YAAW,YAAY,CAAC,4BAA4B,CAAC;IAC3F,QAAQ,CAAC,IAAI,8BAA8B;IAC3C,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,4BAA4B;IAyHnD,OAAO,CAAC,IAAI;CAgCb"}

package/dist/analysis/passes/unrestricted-file-upload-pass.js ADDED Viewed

@@ -0,0 +1,193 @@
+/**
+ * Pass: unrestricted-file-upload (CWE-434, category: security)
+ *
+ * Detects when an HTTP-uploaded file is saved to disk WITHOUT a filename
+ * allow-list (extension check) or `secure_filename` normalization.
+ *
+ * Detection (per language):
+ *
+ *   Java (Spring MultipartFile / Servlet Part):
+ *     - `file.transferTo(new File(dir, file.getOriginalFilename()))`
+ *     - `Files.copy(part.getInputStream(), Path.of(dir, part.getSubmittedFileName()))`
+ *     - Without preceding `ALLOWED_*.contains(ext)` or
+ *       `FilenameUtils.getExtension(name)` + check.
+ *
+ *   JS/TS (multer / express-fileupload):
+ *     - `multer({ dest: '…' })` with NO `fileFilter` option.
+ *     - `fs.writeFile(path, req.file.buffer)` / `req.files.x.mv(path)`
+ *       without prior `path.extname` allow-list check.
+ *
+ *   Python (Flask / Django / FastAPI):
+ *     - `f.save(os.path.join(UPLOAD_DIR, f.filename))` without prior
+ *       `secure_filename(f.filename)` wrapping.
+ *
+ *   Go:
+ *     - `io.Copy(dst, file)` where `dst = os.Create(fileHeader.Filename)`
+ *       without an extension allow-list.
+ *
+ * The pass is intentionally conservative — it only fires when an upload-name
+ * expression flows directly into a save sink in the same function and no
+ * known allow-list / canonicalizer call appears earlier in the function.
+ */
+/** Receivers / expressions that look like an uploaded file value. */
+const UPLOAD_NAME_RE = /(?:getOriginalFilename|getSubmittedFileName|originalname|originalName|\.filename|\.Filename|FileHeader\.Filename|UploadFile)/;
+/** Identifier-level allow-list / canonicalization calls that defang upload paths. */
+const FILE_SAFE_CALL_RE = /(?:secure_filename|FilenameUtils\.getExtension|\.lastIndexOf\(['"]\.['"]\)|ALLOWED_EXT|ALLOWED_EXTENSIONS|allowedExtensions|\bfileFilter\b|filepath\.Ext|path\.extname)/;
+function lineWindow(code, startLine, endLine) {
+    const lines = code.split('\n');
+    const s = Math.max(0, startLine - 1);
+    const e = Math.min(lines.length, endLine);
+    return lines.slice(s, e).join('\n');
+}
+function callHasUploadName(call) {
+    for (const a of call.arguments) {
+        const expr = (a.expression ?? a.variable ?? '').trim();
+        if (UPLOAD_NAME_RE.test(expr))
+            return true;
+    }
+    // Receiver too (e.g. multipart `file.transferTo(...)`).
+    if (UPLOAD_NAME_RE.test(call.receiver ?? ''))
+        return true;
+    return false;
+}
+export class UnrestrictedFileUploadPass {
+    name = 'unrestricted-file-upload';
+    category = 'security';
+    run(ctx) {
+        const { graph, language, code } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        // Build per-function safety windows: a function is "safe" if its body
+        // contains any FILE_SAFE_CALL_RE marker. Used to suppress findings inside
+        // that scope.
+        const safeFunctionRanges = [];
+        for (const t of graph.ir.types) {
+            for (const m of t.methods) {
+                const body = lineWindow(code, m.start_line, m.end_line);
+                if (FILE_SAFE_CALL_RE.test(body)) {
+                    safeFunctionRanges.push({ start: m.start_line, end: m.end_line });
+                }
+            }
+        }
+        const inSafeRange = (line) => {
+            for (const r of safeFunctionRanges) {
+                if (line >= r.start && line <= r.end)
+                    return true;
+            }
+            // No method information — fall back to a ±20-line window around the call.
+            const win = lineWindow(code, Math.max(1, line - 20), line + 5);
+            return FILE_SAFE_CALL_RE.test(win);
+        };
+        // --- Per-language detection -----------------------------------------------
+        if (language === 'java') {
+            for (const call of graph.ir.calls) {
+                const m = call.method_name ?? '';
+                // file.transferTo(...)
+                if (m === 'transferTo' && callHasUploadName(call)) {
+                    if (inSafeRange(call.location.line))
+                        continue;
+                    this.emit(ctx, findings, file, call.location.line, language, 'MultipartFile.transferTo(<original filename>)');
+                    continue;
+                }
+                // Files.copy(getInputStream, Path.of(dir, getOriginalFilename))
+                if (m === 'copy' && (call.receiver === 'Files' || (call.receiver ?? '').endsWith('.Files'))) {
+                    if (callHasUploadName(call)) {
+                        if (inSafeRange(call.location.line))
+                            continue;
+                        this.emit(ctx, findings, file, call.location.line, language, 'Files.copy(input, Path.of(dir, <original filename>))');
+                    }
+                }
+            }
+        }
+        if (language === 'javascript' || language === 'typescript') {
+            for (const call of graph.ir.calls) {
+                const m = call.method_name ?? '';
+                const rec = call.receiver ?? '';
+                // multer({ dest: '...' }) — flag if same call object lacks fileFilter.
+                if (m === 'multer' || (rec === '' && m === 'multer')) {
+                    const arg0 = call.arguments.find((a) => a.position === 0);
+                    const expr = (arg0?.expression ?? '').trim();
+                    if (/\bdest\s*:/.test(expr) && !/\bfileFilter\s*:/.test(expr)) {
+                        if (inSafeRange(call.location.line))
+                            continue;
+                        this.emit(ctx, findings, file, call.location.line, language, 'multer({ dest }) without fileFilter');
+                        continue;
+                    }
+                }
+                // fs.writeFile(<path>, req.file.buffer) / req.files.x.mv(<path>)
+                if (rec === 'fs' && (m === 'writeFile' || m === 'writeFileSync' || m === 'appendFile')) {
+                    if (callHasUploadName(call) ||
+                        call.arguments.some((a) => /\breq\.file(?:s)?\b/.test((a.expression ?? a.variable ?? '')))) {
+                        if (inSafeRange(call.location.line))
+                            continue;
+                        this.emit(ctx, findings, file, call.location.line, language, `fs.${m}(<path>, req.file.buffer)`);
+                    }
+                }
+            }
+        }
+        if (language === 'python') {
+            for (const call of graph.ir.calls) {
+                const m = call.method_name ?? '';
+                // f.save(os.path.join(UPLOAD_DIR, f.filename))
+                if (m === 'save') {
+                    const rec = call.receiver ?? '';
+                    // Accept any receiver that looks file-ish or empty (`f.save`, `file.save`).
+                    if (!/^(f|file|upload|attachment)$/i.test(rec) && rec !== '')
+                        continue;
+                    if (!callHasUploadName(call))
+                        continue;
+                    if (inSafeRange(call.location.line))
+                        continue;
+                    this.emit(ctx, findings, file, call.location.line, language, 'f.save(<dir>, f.filename) without secure_filename');
+                }
+            }
+        }
+        if (language === 'go') {
+            for (const call of graph.ir.calls) {
+                const m = call.method_name ?? '';
+                const rec = call.receiver ?? '';
+                // os.Create(header.Filename)
+                if (rec === 'os' && (m === 'Create' || m === 'OpenFile')) {
+                    if (callHasUploadName(call)) {
+                        if (inSafeRange(call.location.line))
+                            continue;
+                        this.emit(ctx, findings, file, call.location.line, language, `os.${m}(<uploaded filename>)`);
+                    }
+                }
+                // ioutil.WriteFile(header.Filename, …)
+                if ((rec === 'os' || rec === 'ioutil') && m === 'WriteFile') {
+                    if (callHasUploadName(call)) {
+                        if (inSafeRange(call.location.line))
+                            continue;
+                        this.emit(ctx, findings, file, call.location.line, language, `${rec}.WriteFile(<uploaded filename>, …)`);
+                    }
+                }
+            }
+        }
+        return { findings };
+    }
+    emit(ctx, findings, file, line, language, api) {
+        findings.push({ line, api, language });
+        ctx.addFinding({
+            id: `${this.name}-${file}-${line}`,
+            pass: this.name,
+            category: this.category,
+            rule_id: this.name,
+            cwe: 'CWE-434',
+            severity: 'high',
+            level: 'error',
+            message: `File upload saved using untrusted name (${api}) — no extension allow-list or ` +
+                'filename canonicalization detected. An attacker can upload a `.jsp`/`.php`/`.html` ' +
+                'file and request it back, achieving RCE or stored XSS.',
+            file,
+            line,
+            fix: 'Validate the uploaded extension against an allow-list (e.g. ' +
+                '`Set.of("png","jpg")`), then save with a sanitized filename. In Python use ' +
+                '`werkzeug.utils.secure_filename`. In multer pass a `fileFilter`. Never ' +
+                'concatenate the upload\'s original filename into a save path without ' +
+                'validation.',
+            evidence: { api, language },
+        });
+    }
+}
+//# sourceMappingURL=unrestricted-file-upload-pass.js.map

package/dist/analysis/passes/unrestricted-file-upload-pass.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"unrestricted-file-upload-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/unrestricted-file-upload-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AASH,qEAAqE;AACrE,MAAM,cAAc,GAClB,8HAA8H,CAAC;AAEjI,qFAAqF;AACrF,MAAM,iBAAiB,GACrB,yKAAyK,CAAC;AAE5K,SAAS,UAAU,CAAC,IAAY,EAAE,SAAiB,EAAE,OAAe;IAClE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,CAAC;IACrC,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1C,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAc;IACvC,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACvD,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7C,CAAC;IACD,wDAAwD;IACxD,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1D,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,OAAO,0BAA0B;IAC5B,IAAI,GAAG,0BAA0B,CAAC;IAClC,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAA6C,EAAE,CAAC;QAE9D,sEAAsE;QACtE,0EAA0E;QAC1E,cAAc;QACd,MAAM,kBAAkB,GAA0C,EAAE,CAAC;QACrE,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAC/B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;gBAC1B,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC;gBACxD,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACjC,kBAAkB,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;gBACpE,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG,CAAC,IAAY,EAAW,EAAE;YAC5C,KAAK,MAAM,CAAC,IAAI,kBAAkB,EAAE,CAAC;gBACnC,IAAI,IAAI,IAAI,CAAC,CAAC,KAAK,IAAI,IAAI,IAAI,CAAC,CAAC,GAAG;oBAAE,OAAO,IAAI,CAAC;YACpD,CAAC;YACD,0EAA0E;YAC1E,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,GAAG,EAAE,CAAC,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrC,CAAC,CAAC;QAEF,6EAA6E;QAE7E,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,CAAC,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;gBACjC,uBAAuB;gBACvB,IAAI,CAAC,KAAK,YAAY,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;oBAClD,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;wBAAE,SAAS;oBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EACjD,+CAA+C,CAAC,CAAC;oBAC3D,SAAS;gBACX,CAAC;gBACD,gEAAgE;gBAChE,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,IAAI,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;oBAC5F,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC5B,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;4BAAE,SAAS;wBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EACjD,sDAAsD,CAAC,CAAC;oBACpE,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,CAAC,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;gBACjC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;gBAEhC,uEAAuE;gBACvE,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,GAAG,KAAK,EAAE,IAAI,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;oBACrD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;oBAC1D,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC7C,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC9D,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;4BAAE,SAAS;wBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EACjD,qCAAqC,CAAC,CAAC;wBACjD,SAAS;oBACX,CAAC;gBACH,CAAC;gBAED,iEAAiE;gBACjE,IAAI,GAAG,KAAK,IAAI,IAAI,CAAC,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,eAAe,IAAI,CAAC,KAAK,YAAY,CAAC,EAAE,CAAC;oBACvF,IAAI,iBAAiB,CAAC,IAAI,CAAC;wBACvB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBAC/F,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;4BAAE,SAAS;wBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EACjD,MAAM,CAAC,2BAA2B,CAAC,CAAC;oBAChD,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,CAAC,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;gBACjC,+CAA+C;gBAC/C,IAAI,CAAC,KAAK,MAAM,EAAE,CAAC;oBACjB,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;oBAChC,4EAA4E;oBAC5E,IAAI,CAAC,+BAA+B,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,KAAK,EAAE;wBAAE,SAAS;oBACvE,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC;wBAAE,SAAS;oBACvC,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;wBAAE,SAAS;oBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EACjD,mDAAmD,CAAC,CAAC;gBACjE,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,CAAC,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;gBACjC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;gBAChC,6BAA6B;gBAC7B,IAAI,GAAG,KAAK,IAAI,IAAI,CAAC,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,UAAU,CAAC,EAAE,CAAC;oBACzD,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC5B,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;4BAAE,SAAS;wBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EACjD,MAAM,CAAC,uBAAuB,CAAC,CAAC;oBAC5C,CAAC;gBACH,CAAC;gBACD,uCAAuC;gBACvC,IAAI,CAAC,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,QAAQ,CAAC,IAAI,CAAC,KAAK,WAAW,EAAE,CAAC;oBAC5D,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC5B,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;4BAAE,SAAS;wBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EACjD,GAAG,GAAG,oCAAoC,CAAC,CAAC;oBACxD,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,IAAI,CACV,GAAgB,EAChB,QAAkD,EAClD,IAAY,EACZ,IAAY,EACZ,QAAgB,EAChB,GAAW;QAEX,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC;QACvC,GAAG,CAAC,UAAU,CAAC;YACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;YAClC,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,IAAI;YAClB,GAAG,EAAE,SAAS;YACd,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,OAAO;YACd,OAAO,EACL,2CAA2C,GAAG,iCAAiC;gBAC/E,qFAAqF;gBACrF,wDAAwD;YAC1D,IAAI;YACJ,IAAI;YACJ,GAAG,EACD,8DAA8D;gBAC9D,6EAA6E;gBAC7E,yEAAyE;gBACzE,uEAAuE;gBACvE,aAAa;YACf,QAAQ,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE;SAC5B,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/analyzer.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../src/analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAA2B,eAAe,EAAe,MAAM,kBAAkB,CAAC;AAC1H,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAcL,KAAK,iBAAiB,EACvB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAKL,eAAe,EAChB,MAAM,qBAAqB,CAAC;AAgC7B,OAAO,EAAwB,KAAK,uBAAuB,EAAE,MAAM,8CAA8C,CAAC;AAKlH,OAAO,EAA2B,KAAK,0BAA0B,EAAE,MAAM,gDAAgD,CAAC;AAe1H,OAAO,EAAwB,KAAK,uBAAuB,EAAE,MAAM,6CAA6C,CAAC;AACjH,OAAO,EAAuB,KAAK,sBAAsB,EAA6B,MAAM,4CAA4C,CAAC;~~AAsCzI~~,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,UAAU,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC;IAEhC;;OAEG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC,CAAC;IAE3D;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,iBAAiB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;IAEzE;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,uBAAuB,CAAC;IAC3C,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,uBAAuB,CAAC;IAC3C,iDAAiD;IACjD,mBAAmB,CAAC,EAAE,0BAA0B,CAAC;IACjD,6CAA6C;IAC7C,eAAe,CAAC,EAAE,sBAAsB,CAAC;CAC1C;AAID;;GAEG;AACH,wBAAsB,YAAY,CAAC,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAc/E;AAkID;;GAEG;AACH,wBAAsB,OAAO,CAC3B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,QAAQ,CAAC,~~CAyLnB~~;AA4GD;;GAEG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,gBAAgB,CAAC,CAwG3B;AAkID;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAE/C;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,IAAI,CAEpC;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,iBAAiB,CAAA;CAAE,CAAC,EAC7E,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAmE1B;AAsBD,OAAO,EAAE,eAAe,EAAE,CAAC"}
1	+ {"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../src/analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAA2B,eAAe,EAAe,MAAM,kBAAkB,CAAC;AAC1H,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAcL,KAAK,iBAAiB,EACvB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAKL,eAAe,EAChB,MAAM,qBAAqB,CAAC;AAgC7B,OAAO,EAAwB,KAAK,uBAAuB,EAAE,MAAM,8CAA8C,CAAC;AAKlH,OAAO,EAA2B,KAAK,0BAA0B,EAAE,MAAM,gDAAgD,CAAC;AAe1H,OAAO,EAAwB,KAAK,uBAAuB,EAAE,MAAM,6CAA6C,CAAC;AACjH,OAAO,EAAuB,KAAK,sBAAsB,EAA6B,MAAM,4CAA4C,CAAC;AAwCzI,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,UAAU,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC;IAEhC;;OAEG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC,CAAC;IAE3D;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,iBAAiB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;IAEzE;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,uBAAuB,CAAC;IAC3C,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,uBAAuB,CAAC;IAC3C,iDAAiD;IACjD,mBAAmB,CAAC,EAAE,0BAA0B,CAAC;IACjD,6CAA6C;IAC7C,eAAe,CAAC,EAAE,sBAAsB,CAAC;CAC1C;AAID;;GAEG;AACH,wBAAsB,YAAY,CAAC,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAc/E;AAkID;;GAEG;AACH,wBAAsB,OAAO,CAC3B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,QAAQ,CAAC,CA2LnB;AA4GD;;GAEG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,gBAAgB,CAAC,CAwG3B;AAkID;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAE/C;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,IAAI,CAEpC;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,iBAAiB,CAAA;CAAE,CAAC,EAC7E,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAmE1B;AAsBD,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/analyzer.js CHANGED Viewed

@@ -112,6 +112,8 @@ import { WeakCryptoPass } from './analysis/passes/weak-crypto-pass.js';
 import { WeakRandomPass } from './analysis/passes/weak-random-pass.js';
 import { WeakPasswordHashPass } from './analysis/passes/weak-password-hash-pass.js';
 import { WeakPasswordEncodingPass } from './analysis/passes/weak-password-encoding-pass.js';
+import { InfoDisclosureStacktracePass } from './analysis/passes/info-disclosure-stacktrace-pass.js';
+import { UnrestrictedFileUploadPass } from './analysis/passes/unrestricted-file-upload-pass.js';
 import { PlaintextPasswordStoragePass } from './analysis/passes/plaintext-password-storage-pass.js';
 import { CleartextCredentialTransportPass } from './analysis/passes/cleartext-credential-transport-pass.js';
 import { TlsVerifyDisabledPass } from './analysis/passes/tls-verify-disabled-pass.js';
@@ -443,6 +445,10 @@ export async function analyze(code, filePath, language, options = {}) {
             pipeline.add(new XmlEntityExpansionPass());
         if (!disabledPasses.has('mass-assignment'))
             pipeline.add(new MassAssignmentPass());
+        if (!disabledPasses.has('info-disclosure-stacktrace'))
+            pipeline.add(new InfoDisclosureStacktracePass());
+        if (!disabledPasses.has('unrestricted-file-upload'))
+            pipeline.add(new UnrestrictedFileUploadPass());
         // Run the pipeline
         const { results, findings } = pipeline.run(graph, code, language, config);
         const sinkFilter = results.get('sink-filter');