circle-ir 3.82.0 → 3.84.0

package/dist/core/circle-ir-core.cjs

@@ -10560,11 +10560,16 @@ var DEFAULT_SINKS = [
   { method: "setCommandline", class: "DefaultExecutor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "addArgument", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // Process-related utilities
-  { method: "waitFor", class: "Process", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [] },
-  { method: "inheritIO", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [] },
-  { method: "redirectOutput", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [0] },
-  { method: "redirectInput", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [0] },
+  // Process-related utilities — removed in 3.83.0 (#124):
+  // - Process.waitFor() blocks on an already-spawned process; has no args,
+  //   no command string flows into it.
+  // - ProcessBuilder.inheritIO() takes no args.
+  // - ProcessBuilder.redirectOutput/redirectInput take a File destination/source,
+  //   not a command. If treated as sinks they would be path_traversal, not
+  //   command_injection — and even then the threat model is marginal.
+  // The actual command-execution sinks (Runtime.exec, ProcessBuilder.start,
+  // ProcessBuilder.command, ProcessBuilder(constructor)) remain configured
+  // elsewhere in this file / in configs/sinks/command.yaml.
   // Path Traversal (CWE-22)
   // File: covers both File(String pathname) and File(parent, child). The 2-arg
   // overload's child argument carries CVE-2018-8041 (Camel mail Content-Disposition
@@ -10893,7 +10898,9 @@ var DEFAULT_SINKS = [
   { method: "ok", class: "Response", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   // Code Injection (CWE-94)
   { method: "eval", class: "ScriptEngine", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
-  { method: "compile", class: "Pattern", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  // Pattern.compile removed in 3.83.0 (#124): regex compilation does not execute
+  // code. The real risk from a tainted regex is ReDoS, covered by the
+  // `Pattern.compile` -> `redos` rule below (line ~1945).
   // Expression Language injection (SpEL, OGNL, MVEL, EL)
   { method: "parseExpression", class: "ExpressionParser", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "parseExpression", class: "SpelExpressionParser", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -11590,7 +11597,8 @@ var DEFAULT_SINKS = [
   // =========================================================================
   // Collection-based command injection (ProcessBuilder with List)
   { method: "command", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "inheritIO", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [] },
+  // ProcessBuilder.inheritIO removed in 3.83.0 (#124): no args, no command
+  // string flows into it. See note above next to the Process-related cluster.
   // Jenkins DSL patterns
   { method: "step", class: "StepExecution", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "invokeMethod", class: "Script", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0, 1] },
@@ -12495,6 +12503,55 @@ function isSafeGoExecCommandCall(call, pattern, language) {
   if (SHELL_PROGRAMS.has(program)) return false;
   return true;
 }
+function isSafeRustCommandCall(call, pattern, language) {
+  if (language !== "rust") return false;
+  if (pattern.type !== "command_injection") return false;
+  if (pattern.class !== void 0 && pattern.class !== "Command") return false;
+  const SHELL_PROGRAMS = /* @__PURE__ */ new Set([
+    "sh",
+    "bash",
+    "zsh",
+    "dash",
+    "ash",
+    "ksh",
+    "cmd",
+    "cmd.exe",
+    "powershell",
+    "pwsh",
+    "powershell.exe",
+    "pwsh.exe"
+  ]);
+  const PROGRAM_RE = /\bCommand\s*::\s*new\s*\(\s*(?:r?"([^"]*)"|'([^']*)')/;
+  const extractProgram = (text) => {
+    const m = PROGRAM_RE.exec(text);
+    if (!m) return null;
+    const lit = m[1] ?? m[2] ?? "";
+    return lit.split("/").pop() ?? lit;
+  };
+  if (pattern.method === "new") {
+    const programArg = call.arguments.find((a) => a.position === 0);
+    if (!programArg) return false;
+    let program;
+    if (programArg.literal !== null && programArg.literal !== void 0) {
+      program = String(programArg.literal).split("/").pop() ?? String(programArg.literal);
+    } else {
+      const expr = (programArg.expression ?? "").trim();
+      if (!(expr.startsWith('"') || expr.startsWith("'"))) {
+        return false;
+      }
+      const stripped = expr.slice(1, -1);
+      program = stripped.split("/").pop() ?? stripped;
+    }
+    return !SHELL_PROGRAMS.has(program);
+  }
+  if (pattern.method === "arg" || pattern.method === "args" || pattern.method === "spawn" || pattern.method === "output") {
+    const receiverText = call.receiver ?? "";
+    const program = extractProgram(receiverText);
+    if (program === null) return false;
+    return !SHELL_PROGRAMS.has(program);
+  }
+  return false;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -12517,6 +12574,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isSafeGoExecCommandCall(call, pattern, language)) {
           continue;
         }
+        if (isSafeRustCommandCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== void 0 && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }

package/dist/core/circle-ir-core.js

@@ -10494,11 +10494,16 @@ var DEFAULT_SINKS = [
   { method: "setCommandline", class: "DefaultExecutor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "addArgument", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // Process-related utilities
-  { method: "waitFor", class: "Process", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [] },
-  { method: "inheritIO", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [] },
-  { method: "redirectOutput", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [0] },
-  { method: "redirectInput", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [0] },
+  // Process-related utilities — removed in 3.83.0 (#124):
+  // - Process.waitFor() blocks on an already-spawned process; has no args,
+  //   no command string flows into it.
+  // - ProcessBuilder.inheritIO() takes no args.
+  // - ProcessBuilder.redirectOutput/redirectInput take a File destination/source,
+  //   not a command. If treated as sinks they would be path_traversal, not
+  //   command_injection — and even then the threat model is marginal.
+  // The actual command-execution sinks (Runtime.exec, ProcessBuilder.start,
+  // ProcessBuilder.command, ProcessBuilder(constructor)) remain configured
+  // elsewhere in this file / in configs/sinks/command.yaml.
   // Path Traversal (CWE-22)
   // File: covers both File(String pathname) and File(parent, child). The 2-arg
   // overload's child argument carries CVE-2018-8041 (Camel mail Content-Disposition
@@ -10827,7 +10832,9 @@ var DEFAULT_SINKS = [
   { method: "ok", class: "Response", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   // Code Injection (CWE-94)
   { method: "eval", class: "ScriptEngine", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
-  { method: "compile", class: "Pattern", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  // Pattern.compile removed in 3.83.0 (#124): regex compilation does not execute
+  // code. The real risk from a tainted regex is ReDoS, covered by the
+  // `Pattern.compile` -> `redos` rule below (line ~1945).
   // Expression Language injection (SpEL, OGNL, MVEL, EL)
   { method: "parseExpression", class: "ExpressionParser", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "parseExpression", class: "SpelExpressionParser", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -11524,7 +11531,8 @@ var DEFAULT_SINKS = [
   // =========================================================================
   // Collection-based command injection (ProcessBuilder with List)
   { method: "command", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "inheritIO", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [] },
+  // ProcessBuilder.inheritIO removed in 3.83.0 (#124): no args, no command
+  // string flows into it. See note above next to the Process-related cluster.
   // Jenkins DSL patterns
   { method: "step", class: "StepExecution", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "invokeMethod", class: "Script", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0, 1] },
@@ -12429,6 +12437,55 @@ function isSafeGoExecCommandCall(call, pattern, language) {
   if (SHELL_PROGRAMS.has(program)) return false;
   return true;
 }
+function isSafeRustCommandCall(call, pattern, language) {
+  if (language !== "rust") return false;
+  if (pattern.type !== "command_injection") return false;
+  if (pattern.class !== void 0 && pattern.class !== "Command") return false;
+  const SHELL_PROGRAMS = /* @__PURE__ */ new Set([
+    "sh",
+    "bash",
+    "zsh",
+    "dash",
+    "ash",
+    "ksh",
+    "cmd",
+    "cmd.exe",
+    "powershell",
+    "pwsh",
+    "powershell.exe",
+    "pwsh.exe"
+  ]);
+  const PROGRAM_RE = /\bCommand\s*::\s*new\s*\(\s*(?:r?"([^"]*)"|'([^']*)')/;
+  const extractProgram = (text) => {
+    const m = PROGRAM_RE.exec(text);
+    if (!m) return null;
+    const lit = m[1] ?? m[2] ?? "";
+    return lit.split("/").pop() ?? lit;
+  };
+  if (pattern.method === "new") {
+    const programArg = call.arguments.find((a) => a.position === 0);
+    if (!programArg) return false;
+    let program;
+    if (programArg.literal !== null && programArg.literal !== void 0) {
+      program = String(programArg.literal).split("/").pop() ?? String(programArg.literal);
+    } else {
+      const expr = (programArg.expression ?? "").trim();
+      if (!(expr.startsWith('"') || expr.startsWith("'"))) {
+        return false;
+      }
+      const stripped = expr.slice(1, -1);
+      program = stripped.split("/").pop() ?? stripped;
+    }
+    return !SHELL_PROGRAMS.has(program);
+  }
+  if (pattern.method === "arg" || pattern.method === "args" || pattern.method === "spawn" || pattern.method === "output") {
+    const receiverText = call.receiver ?? "";
+    const program = extractProgram(receiverText);
+    if (program === null) return false;
+    return !SHELL_PROGRAMS.has(program);
+  }
+  return false;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -12451,6 +12508,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isSafeGoExecCommandCall(call, pattern, language)) {
           continue;
         }
+        if (isSafeRustCommandCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== void 0 && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.82.0",
+  "version": "3.84.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",