npm - circle-ir - Versions diffs - 3.83.0 → 3.84.0 - Mend

circle-ir 3.83.0 → 3.84.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/analysis/passes/language-sources-pass.d.ts.map +1 -1
package/dist/analysis/passes/language-sources-pass.js +291 -0
package/dist/analysis/passes/language-sources-pass.js.map +1 -1
package/dist/analysis/taint-matcher.d.ts.map +1 -1
package/dist/analysis/taint-matcher.js +96 -0
package/dist/analysis/taint-matcher.js.map +1 -1
package/dist/browser/circle-ir.js +232 -0
package/dist/core/circle-ir-core.cjs +52 -0
package/dist/core/circle-ir-core.js +52 -0
package/package.json +1 -1

package/dist/core/circle-ir-core.js CHANGED Viewed

@@ -12437,6 +12437,55 @@ function isSafeGoExecCommandCall(call, pattern, language) {
   if (SHELL_PROGRAMS.has(program)) return false;
   return true;
 }
+function isSafeRustCommandCall(call, pattern, language) {
+  if (language !== "rust") return false;
+  if (pattern.type !== "command_injection") return false;
+  if (pattern.class !== void 0 && pattern.class !== "Command") return false;
+  const SHELL_PROGRAMS = /* @__PURE__ */ new Set([
+    "sh",
+    "bash",
+    "zsh",
+    "dash",
+    "ash",
+    "ksh",
+    "cmd",
+    "cmd.exe",
+    "powershell",
+    "pwsh",
+    "powershell.exe",
+    "pwsh.exe"
+  ]);
+  const PROGRAM_RE = /\bCommand\s*::\s*new\s*\(\s*(?:r?"([^"]*)"|'([^']*)')/;
+  const extractProgram = (text) => {
+    const m = PROGRAM_RE.exec(text);
+    if (!m) return null;
+    const lit = m[1] ?? m[2] ?? "";
+    return lit.split("/").pop() ?? lit;
+  };
+  if (pattern.method === "new") {
+    const programArg = call.arguments.find((a) => a.position === 0);
+    if (!programArg) return false;
+    let program;
+    if (programArg.literal !== null && programArg.literal !== void 0) {
+      program = String(programArg.literal).split("/").pop() ?? String(programArg.literal);
+    } else {
+      const expr = (programArg.expression ?? "").trim();
+      if (!(expr.startsWith('"') || expr.startsWith("'"))) {
+        return false;
+      }
+      const stripped = expr.slice(1, -1);
+      program = stripped.split("/").pop() ?? stripped;
+    }
+    return !SHELL_PROGRAMS.has(program);
+  }
+  if (pattern.method === "arg" || pattern.method === "args" || pattern.method === "spawn" || pattern.method === "output") {
+    const receiverText = call.receiver ?? "";
+    const program = extractProgram(receiverText);
+    if (program === null) return false;
+    return !SHELL_PROGRAMS.has(program);
+  }
+  return false;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -12459,6 +12508,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isSafeGoExecCommandCall(call, pattern, language)) {
           continue;
         }
+        if (isSafeRustCommandCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== void 0 && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.83.0",
+  "version": "3.84.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",