circle-ir 3.82.0 → 3.84.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/analysis/config-loader.d.ts.map +1 -1
- package/dist/analysis/config-loader.js +15 -7
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/passes/language-sources-pass.d.ts.map +1 -1
- package/dist/analysis/passes/language-sources-pass.js +291 -0
- package/dist/analysis/passes/language-sources-pass.js.map +1 -1
- package/dist/analysis/taint-matcher.d.ts.map +1 -1
- package/dist/analysis/taint-matcher.js +96 -0
- package/dist/analysis/taint-matcher.js.map +1 -1
- package/dist/browser/circle-ir.js +247 -7
- package/dist/core/circle-ir-core.cjs +67 -7
- package/dist/core/circle-ir-core.js +67 -7
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,
|
|
1
|
+
{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAo/CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA+QhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
|
|
@@ -576,11 +576,16 @@ export const DEFAULT_SINKS = [
|
|
|
576
576
|
{ method: 'setCommandline', class: 'DefaultExecutor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
577
577
|
{ method: 'parse', class: 'CommandLine', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
578
578
|
{ method: 'addArgument', class: 'CommandLine', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
579
|
-
// Process-related utilities
|
|
580
|
-
|
|
581
|
-
|
|
582
|
-
|
|
583
|
-
|
|
579
|
+
// Process-related utilities — removed in 3.83.0 (#124):
|
|
580
|
+
// - Process.waitFor() blocks on an already-spawned process; has no args,
|
|
581
|
+
// no command string flows into it.
|
|
582
|
+
// - ProcessBuilder.inheritIO() takes no args.
|
|
583
|
+
// - ProcessBuilder.redirectOutput/redirectInput take a File destination/source,
|
|
584
|
+
// not a command. If treated as sinks they would be path_traversal, not
|
|
585
|
+
// command_injection — and even then the threat model is marginal.
|
|
586
|
+
// The actual command-execution sinks (Runtime.exec, ProcessBuilder.start,
|
|
587
|
+
// ProcessBuilder.command, ProcessBuilder(constructor)) remain configured
|
|
588
|
+
// elsewhere in this file / in configs/sinks/command.yaml.
|
|
584
589
|
// Path Traversal (CWE-22)
|
|
585
590
|
// File: covers both File(String pathname) and File(parent, child). The 2-arg
|
|
586
591
|
// overload's child argument carries CVE-2018-8041 (Camel mail Content-Disposition
|
|
@@ -909,7 +914,9 @@ export const DEFAULT_SINKS = [
|
|
|
909
914
|
{ method: 'ok', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
910
915
|
// Code Injection (CWE-94)
|
|
911
916
|
{ method: 'eval', class: 'ScriptEngine', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
912
|
-
|
|
917
|
+
// Pattern.compile removed in 3.83.0 (#124): regex compilation does not execute
|
|
918
|
+
// code. The real risk from a tainted regex is ReDoS, covered by the
|
|
919
|
+
// `Pattern.compile` -> `redos` rule below (line ~1945).
|
|
913
920
|
// Expression Language injection (SpEL, OGNL, MVEL, EL)
|
|
914
921
|
{ method: 'parseExpression', class: 'ExpressionParser', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
915
922
|
{ method: 'parseExpression', class: 'SpelExpressionParser', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
@@ -1605,7 +1612,8 @@ export const DEFAULT_SINKS = [
|
|
|
1605
1612
|
// =========================================================================
|
|
1606
1613
|
// Collection-based command injection (ProcessBuilder with List)
|
|
1607
1614
|
{ method: 'command', class: 'ProcessBuilder', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1608
|
-
|
|
1615
|
+
// ProcessBuilder.inheritIO removed in 3.83.0 (#124): no args, no command
|
|
1616
|
+
// string flows into it. See note above next to the Process-related cluster.
|
|
1609
1617
|
// Jenkins DSL patterns
|
|
1610
1618
|
{ method: 'step', class: 'StepExecution', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1611
1619
|
{ method: 'invokeMethod', class: 'Script', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0, 1] },
|