cognium-dev 3.46.0 → 3.47.0

package/dist/cli.js

@@ -26547,6 +26547,214 @@ class ScanSecretsPass {
   }
 }
 
+// ../circle-ir/dist/analysis/passes/spring4shell-pass.js
+var CONTROLLER_ANNOTATIONS = new Set([
+  "Controller",
+  "RestController",
+  "ControllerAdvice",
+  "RestControllerAdvice"
+]);
+var ROUTE_ANNOTATIONS = new Set([
+  "RequestMapping",
+  "GetMapping",
+  "PostMapping",
+  "PutMapping",
+  "DeleteMapping",
+  "PatchMapping"
+]);
+var BINDING_ANNOTATIONS = new Set([
+  "RequestBody",
+  "RequestParam",
+  "PathVariable",
+  "RequestHeader",
+  "CookieValue",
+  "MatrixVariable",
+  "ModelAttribute",
+  "Valid",
+  "Validated",
+  "RequestPart",
+  "SessionAttribute",
+  "RequestAttribute"
+]);
+var FRAMEWORK_PARAM_TYPES = new Set([
+  "HttpServletRequest",
+  "HttpServletResponse",
+  "ServletRequest",
+  "ServletResponse",
+  "HttpSession",
+  "ServletContext",
+  "Cookie",
+  "Model",
+  "ModelMap",
+  "ModelAndView",
+  "Map",
+  "BindingResult",
+  "Errors",
+  "RedirectAttributes",
+  "SessionStatus",
+  "WebRequest",
+  "NativeWebRequest",
+  "ServletWebRequest",
+  "UriComponentsBuilder",
+  "UriBuilder",
+  "HttpEntity",
+  "RequestEntity",
+  "ResponseEntity",
+  "HttpHeaders",
+  "InputStream",
+  "OutputStream",
+  "Reader",
+  "Writer",
+  "ServerHttpRequest",
+  "ServerHttpResponse",
+  "ServerWebExchange",
+  "Principal",
+  "Authentication",
+  "Locale",
+  "TimeZone",
+  "ZoneId",
+  "MultipartFile",
+  "Part",
+  "TimeZone"
+]);
+var SIMPLE_JAVA_TYPES = new Set([
+  "boolean",
+  "byte",
+  "char",
+  "short",
+  "int",
+  "long",
+  "float",
+  "double",
+  "void",
+  "Boolean",
+  "Byte",
+  "Character",
+  "Short",
+  "Integer",
+  "Long",
+  "Float",
+  "Double",
+  "String",
+  "CharSequence",
+  "BigInteger",
+  "BigDecimal",
+  "UUID",
+  "Date",
+  "Calendar",
+  "Instant",
+  "LocalDate",
+  "LocalTime",
+  "LocalDateTime",
+  "OffsetDateTime",
+  "OffsetTime",
+  "ZonedDateTime",
+  "Duration",
+  "Period",
+  "List",
+  "Set",
+  "Collection",
+  "Iterable",
+  "Optional"
+]);
+
+class Spring4ShellPass {
+  name = "spring4shell";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language !== "java") {
+      return { controllerMethodsScanned: 0, findingsEmitted: 0 };
+    }
+    const file = graph.ir.meta.file;
+    let scanned = 0;
+    let emitted = 0;
+    for (const type of graph.ir.types) {
+      if (!isController(type))
+        continue;
+      for (const method of type.methods) {
+        if (!isRouteHandler(method))
+          continue;
+        scanned++;
+        for (const param of method.parameters) {
+          if (!isVulnerableParameter(param))
+            continue;
+          ctx.addFinding({
+            id: `${this.name}-${file}-${method.start_line}-${param.name}`,
+            pass: this.name,
+            category: this.category,
+            rule_id: this.name,
+            cwe: "CWE-94",
+            severity: "high",
+            level: "error",
+            message: `Spring MVC controller method '${type.name}.${method.name}' binds parameter '${param.name}' of type '${param.type ?? "?"}' via implicit form-data binding (no @RequestBody / @RequestParam / @ModelAttribute) — vulnerable to Spring4Shell (CVE-2022-22965) class-graph RCE on Spring < 5.3.18 / 5.2.20`,
+            file,
+            line: param.line ?? method.start_line,
+            fix: "Annotate the parameter with @RequestBody (JSON) or @ModelAttribute + @InitBinder/setAllowedFields whitelisting, upgrade Spring to ≥ 5.3.18 / 5.2.20, and ensure JDK is patched.",
+            evidence: {
+              controller_class: type.name,
+              controller_annotations: type.annotations,
+              method: method.name,
+              method_annotations: method.annotations,
+              parameter_name: param.name,
+              parameter_type: param.type
+            }
+          });
+          emitted++;
+        }
+      }
+    }
+    return { controllerMethodsScanned: scanned, findingsEmitted: emitted };
+  }
+}
+function annotationHead(annotation) {
+  const parenIdx = annotation.indexOf("(");
+  return parenIdx >= 0 ? annotation.slice(0, parenIdx) : annotation;
+}
+function hasAnnotation(annotations, names) {
+  for (const a of annotations) {
+    if (names.has(annotationHead(a)))
+      return true;
+  }
+  return false;
+}
+function isController(type) {
+  return hasAnnotation(type.annotations, CONTROLLER_ANNOTATIONS);
+}
+function isRouteHandler(method) {
+  return hasAnnotation(method.annotations, ROUTE_ANNOTATIONS);
+}
+function isVulnerableParameter(param) {
+  if (hasAnnotation(param.annotations, BINDING_ANNOTATIONS))
+    return false;
+  if (!param.type)
+    return false;
+  const type = stripGenerics2(param.type).trim();
+  if (!type)
+    return false;
+  if (type.endsWith("[]")) {
+    const elem = type.slice(0, -2).trim();
+    return !SIMPLE_JAVA_TYPES.has(elem) && isPotentialPojo(elem);
+  }
+  if (SIMPLE_JAVA_TYPES.has(type))
+    return false;
+  if (FRAMEWORK_PARAM_TYPES.has(type))
+    return false;
+  if (!isPotentialPojo(type))
+    return false;
+  return true;
+}
+function stripGenerics2(type) {
+  const ltIdx = type.indexOf("<");
+  return ltIdx >= 0 ? type.slice(0, ltIdx) : type;
+}
+function isPotentialPojo(type) {
+  if (type.length === 0)
+    return false;
+  const first = type.charCodeAt(0);
+  return first >= 65 && first <= 90;
+}
+
 // ../circle-ir/dist/graph/import-graph.js
 function dirname(filePath) {
   const idx = filePath.lastIndexOf("/");
@@ -27655,6 +27863,8 @@ async function analyze(code, filePath, language, options = {}) {
       pipeline.add(new NamingConventionPass(passOpts.namingConvention));
     if (!disabledPasses.has("security-headers"))
       pipeline.add(new SecurityHeadersPass(passOpts.securityHeaders));
+    if (!disabledPasses.has("spring4shell"))
+      pipeline.add(new Spring4ShellPass);
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");
@@ -27848,7 +28058,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.46.0";
+var version = "3.47.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.46.0",
+  "version": "3.47.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.46.0"
+    "circle-ir": "^3.47.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",