npm - circle-ir - Versions diffs - 3.81.0 → 3.83.0 - Mend

circle-ir 3.81.0 → 3.83.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/dist/analysis/config-loader.d.ts.map +1 -1
package/dist/analysis/config-loader.js +35 -10
package/dist/analysis/config-loader.js.map +1 -1
package/dist/analysis/passes/info-disclosure-stacktrace-pass.d.ts +48 -0
package/dist/analysis/passes/info-disclosure-stacktrace-pass.d.ts.map +1 -0
package/dist/analysis/passes/info-disclosure-stacktrace-pass.js +222 -0
package/dist/analysis/passes/info-disclosure-stacktrace-pass.js.map +1 -0
package/dist/analysis/passes/unrestricted-file-upload-pass.d.ts +46 -0
package/dist/analysis/passes/unrestricted-file-upload-pass.d.ts.map +1 -0
package/dist/analysis/passes/unrestricted-file-upload-pass.js +193 -0
package/dist/analysis/passes/unrestricted-file-upload-pass.js.map +1 -0
package/dist/analyzer.d.ts.map +1 -1
package/dist/analyzer.js +6 -0
package/dist/analyzer.js.map +1 -1
package/dist/browser/circle-ir.js +363 -10
package/dist/core/circle-ir-core.cjs +35 -10
package/dist/core/circle-ir-core.js +35 -10
package/package.json +1 -1

package/dist/core/circle-ir-core.js CHANGED Viewed

@@ -10494,11 +10494,16 @@ var DEFAULT_SINKS = [
   { method: "setCommandline", class: "DefaultExecutor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "addArgument", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // Process-related utilities
-  { method: "waitFor", class: "Process", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [] },
-  { method: "inheritIO", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [] },
-  { method: "redirectOutput", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [0] },
-  { method: "redirectInput", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [0] },
+  // Process-related utilities — removed in 3.83.0 (#124):
+  // - Process.waitFor() blocks on an already-spawned process; has no args,
+  //   no command string flows into it.
+  // - ProcessBuilder.inheritIO() takes no args.
+  // - ProcessBuilder.redirectOutput/redirectInput take a File destination/source,
+  //   not a command. If treated as sinks they would be path_traversal, not
+  //   command_injection — and even then the threat model is marginal.
+  // The actual command-execution sinks (Runtime.exec, ProcessBuilder.start,
+  // ProcessBuilder.command, ProcessBuilder(constructor)) remain configured
+  // elsewhere in this file / in configs/sinks/command.yaml.
   // Path Traversal (CWE-22)
   // File: covers both File(String pathname) and File(parent, child). The 2-arg
   // overload's child argument carries CVE-2018-8041 (Camel mail Content-Disposition
@@ -10827,7 +10832,9 @@ var DEFAULT_SINKS = [
   { method: "ok", class: "Response", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   // Code Injection (CWE-94)
   { method: "eval", class: "ScriptEngine", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
-  { method: "compile", class: "Pattern", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  // Pattern.compile removed in 3.83.0 (#124): regex compilation does not execute
+  // code. The real risk from a tainted regex is ReDoS, covered by the
+  // `Pattern.compile` -> `redos` rule below (line ~1945).
   // Expression Language injection (SpEL, OGNL, MVEL, EL)
   { method: "parseExpression", class: "ExpressionParser", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "parseExpression", class: "SpelExpressionParser", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -11524,7 +11531,8 @@ var DEFAULT_SINKS = [
   // =========================================================================
   // Collection-based command injection (ProcessBuilder with List)
   { method: "command", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "inheritIO", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [] },
+  // ProcessBuilder.inheritIO removed in 3.83.0 (#124): no args, no command
+  // string flows into it. See note above next to the Process-related cluster.
   // Jenkins DSL patterns
   { method: "step", class: "StepExecution", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "invokeMethod", class: "Script", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0, 1] },
@@ -11895,9 +11903,26 @@ var DEFAULT_SANITIZERS = [
   // JSON.parse (data is validated against JSON grammar, prevents XSS/code injection)
   { method: "parse", class: "JSON", removes: ["xss", "code_injection"] },
   // Type coercion (removes string-based injections)
-  { method: "parseInt", removes: ["sql_injection", "nosql_injection", "command_injection", "xss"] },
-  { method: "parseFloat", removes: ["sql_injection", "nosql_injection", "command_injection"] },
-  { method: "Number", removes: ["sql_injection", "nosql_injection", "command_injection"] },
+  // Sprint 29 (#113): include external_taint_escape — a numeric cast cannot
+  // carry an unvalidated string payload across a function boundary.
+  { method: "parseInt", removes: ["sql_injection", "nosql_injection", "command_injection", "xss", "external_taint_escape", "path_traversal", "code_injection"] },
+  { method: "parseFloat", removes: ["sql_injection", "nosql_injection", "command_injection", "external_taint_escape", "path_traversal", "code_injection"] },
+  { method: "Number", removes: ["sql_injection", "nosql_injection", "command_injection", "external_taint_escape", "path_traversal", "code_injection"] },
+  // Sprint 29 (#113): bounds-clamp Math.min / Math.max — when used to bound
+  // a numeric/size value (e.g. `Math.min(size, MAX_BYTES)`), the result is
+  // safely bounded and cannot resource-exhaust downstream. Only suppress
+  // external_taint_escape — these helpers do NOT sanitize string injection.
+  { method: "min", class: "Math", removes: ["external_taint_escape"] },
+  { method: "max", class: "Math", removes: ["external_taint_escape"] },
+  // Sprint 29 (#113): allow-list / membership guards — when an external value
+  // is tested against an allow-list (`ALLOWED.includes(x)`, `set.has(x)`,
+  // `list.contains(x)`) before being forwarded, it cannot escape unbounded.
+  // Only suppress `external_taint_escape`; real string-injection sinks should
+  // still rely on their own escaping.
+  { method: "includes", removes: ["external_taint_escape"] },
+  { method: "has", removes: ["external_taint_escape"] },
+  { method: "contains", removes: ["external_taint_escape"] },
+  { method: "indexOf", removes: ["external_taint_escape"] },
   // Path sanitization
   { method: "basename", class: "path", removes: ["path_traversal"] },
   { method: "normalize", class: "path", removes: ["path_traversal"] },

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.81.0",
+  "version": "3.83.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",