cognium-dev 3.46.0 → 3.48.0

package/dist/cli.js

@@ -3391,11 +3391,14 @@ function disposeTree(tree) {
   } catch {}
 }
 function walkTree(node, visitor) {
-  visitor(node);
-  for (let i2 = 0;i2 < node.childCount; i2++) {
-    const child = node.child(i2);
-    if (child) {
-      walkTree(child, visitor);
+  const stack = [node];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    visitor(current);
+    for (let i2 = current.childCount - 1;i2 >= 0; i2--) {
+      const child = current.child(i2);
+      if (child)
+        stack.push(child);
     }
   }
 }
@@ -13202,9 +13205,11 @@ class ConstantPropagator {
     return findAssignments(methodBody);
   }
   collectClassFields(root) {
-    const traverse = (n, inClass, inMethod) => {
+    const stack = [root];
+    while (stack.length > 0) {
+      const n = stack.pop();
       if (!n)
-        return;
+        continue;
       if (n.type === "class_body") {
         for (const child of n.children) {
           if (child.type === "field_declaration") {
@@ -13218,34 +13223,30 @@ class ConstantPropagator {
               }
             }
           }
-          if (child.type === "method_declaration" || child.type === "constructor_declaration") {
-            traverse(child, true, true);
-          } else {
-            traverse(child, true, false);
-          }
+          stack.push(child);
         }
-        return;
+        continue;
       }
       for (const child of n.children) {
-        traverse(child, inClass, inMethod);
+        stack.push(child);
       }
-    };
-    traverse(root, false, false);
+    }
   }
   findAllMethods(node) {
     const methods = [];
-    const traverse = (n) => {
+    const stack = [node];
+    while (stack.length > 0) {
+      const n = stack.pop();
       if (!n)
-        return;
+        continue;
       if (n.type === "method_declaration" || n.type === "function_declaration") {
         methods.push(n);
       }
       for (const child of n.children) {
         if (child)
-          traverse(child);
+          stack.push(child);
       }
-    };
-    traverse(node);
+    }
     return methods;
   }
   getMethodName(method) {
@@ -13290,9 +13291,20 @@ class ConstantPropagator {
     }
   }
   visit(node) {
+    const stack = [node];
+    while (stack.length > 0) {
+      const current = stack.pop();
+      if (this.visitOne(current))
+        continue;
+      for (let i2 = current.children.length - 1;i2 >= 0; i2--) {
+        stack.push(current.children[i2]);
+      }
+    }
+  }
+  visitOne(node) {
     const line = getNodeLine(node);
     if (this.unreachableLines.has(line)) {
-      return;
+      return true;
     }
     if (this.conditionStack.length > 0 && !this.lineConditions.has(line)) {
       this.lineConditions.set(line, this.conditionStack[this.conditionStack.length - 1]);
@@ -13301,42 +13313,40 @@ class ConstantPropagator {
       case "method_declaration":
       case "constructor_declaration":
         this.handleMethodDeclaration(node);
-        return;
+        return true;
       case "local_variable_declaration":
         this.handleVariableDeclaration(node);
-        break;
+        return false;
       case "assignment_expression":
         this.handleAssignment(node);
-        break;
+        return false;
       case "update_expression":
         this.handleUpdateExpression(node);
-        break;
+        return false;
       case "if_statement":
         this.handleIfStatement(node);
-        return;
+        return true;
       case "switch_expression":
       case "switch_statement":
         this.handleSwitch(node);
-        return;
+        return true;
       case "ternary_expression":
         this.handleTernary(node);
-        break;
+        return false;
       case "expression_statement":
         this.handleExpressionStatement(node);
-        break;
+        return false;
       case "for_statement":
       case "enhanced_for_statement":
       case "while_statement":
       case "do_statement":
         this.handleLoopStatement(node);
-        return;
+        return true;
       case "synchronized_statement":
         this.handleSynchronizedStatement(node);
-        return;
+        return true;
       default:
-        for (const child of node.children) {
-          this.visit(child);
-        }
+        return false;
     }
   }
   handleMethodDeclaration(node) {
@@ -14038,6 +14048,21 @@ class ConstantPropagator {
     return null;
   }
   isTaintedExpression(node) {
+    const stack = [node];
+    while (stack.length > 0) {
+      const current = stack.pop();
+      const result = this.isTaintedExpressionStep(current);
+      if (result === true)
+        return true;
+      if (result === false)
+        continue;
+      for (let i2 = current.children.length - 1;i2 >= 0; i2--) {
+        stack.push(current.children[i2]);
+      }
+    }
+    return false;
+  }
+  isTaintedExpressionStep(node) {
     const text = getNodeText2(node, this.source);
     if (node.type === "method_invocation") {
       const nameNode = node.childForFieldName("name");
@@ -14290,12 +14315,7 @@ class ConstantPropagator {
       }
       return isTainted;
     }
-    for (const child of node.children) {
-      if (this.isTaintedExpression(child)) {
-        return true;
-      }
-    }
-    return false;
+    return;
   }
   checkCollectionTaint(node) {
     const objectNode = node.childForFieldName("object");
@@ -14597,19 +14617,18 @@ class BaseLanguagePlugin {
   }
   findNodes(root, type) {
     const nodes = [];
-    const cursor = root.walk();
-    const visit = () => {
-      if (cursor.nodeType === type) {
-        nodes.push(cursor.currentNode);
+    const stack = [root];
+    while (stack.length > 0) {
+      const node = stack.pop();
+      if (node.type === type) {
+        nodes.push(node);
       }
-      if (cursor.gotoFirstChild()) {
-        do {
-          visit();
-        } while (cursor.gotoNextSibling());
-        cursor.gotoParent();
+      for (let i2 = node.childCount - 1;i2 >= 0; i2--) {
+        const child = node.child(i2);
+        if (child)
+          stack.push(child);
       }
-    };
-    visit();
+    }
     return nodes;
   }
   findChildByType(node, type) {
@@ -14930,17 +14949,18 @@ class JavaPlugin extends BaseLanguagePlugin {
         }
       }
     };
-    const walk = (node) => {
+    const stack = [tree.rootNode];
+    while (stack.length > 0) {
+      const node = stack.pop();
       if (node.type === "field_declaration" || node.type === "local_variable_declaration") {
         collectDecl(node);
       }
       for (let i2 = 0;i2 < node.childCount; i2++) {
         const child = node.child(i2);
         if (child)
-          walk(child);
+          stack.push(child);
       }
-    };
-    walk(tree.rootNode);
+    }
     this._typeMapCache.set(tree, map);
     return map;
   }
@@ -19455,16 +19475,19 @@ function extractHtmlContent(rootNode) {
   return { scriptBlocks, eventHandlers };
 }
 function walkNode(node, scriptBlocks, eventHandlers) {
-  if (node.type === "script_element") {
-    extractScriptBlock(node, scriptBlocks);
-  }
-  if (node.type === "element" || node.type === "self_closing_tag") {
-    extractEventHandlers(node, eventHandlers);
-  }
-  for (let i2 = 0;i2 < node.childCount; i2++) {
-    const child = node.child(i2);
-    if (child) {
-      walkNode(child, scriptBlocks, eventHandlers);
+  const stack = [node];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    if (current.type === "script_element") {
+      extractScriptBlock(current, scriptBlocks);
+    }
+    if (current.type === "element" || current.type === "self_closing_tag") {
+      extractEventHandlers(current, eventHandlers);
+    }
+    for (let i2 = current.childCount - 1;i2 >= 0; i2--) {
+      const child = current.child(i2);
+      if (child)
+        stack.push(child);
     }
   }
 }
@@ -19569,13 +19592,16 @@ function runHtmlAttributeSecurityChecks(rootNode, filePath) {
   return findings;
 }
 function walkForSecurityChecks(node, filePath, findings) {
-  if (node.type === "element" || node.type === "self_closing_tag" || node.type === "script_element" || node.type === "style_element") {
-    checkElement(node, filePath, findings);
-  }
-  for (let i2 = 0;i2 < node.childCount; i2++) {
-    const child = node.child(i2);
-    if (child) {
-      walkForSecurityChecks(child, filePath, findings);
+  const stack = [node];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    if (current.type === "element" || current.type === "self_closing_tag" || current.type === "script_element" || current.type === "style_element") {
+      checkElement(current, filePath, findings);
+    }
+    for (let i2 = current.childCount - 1;i2 >= 0; i2--) {
+      const child = current.child(i2);
+      if (child)
+        stack.push(child);
     }
   }
 }
@@ -26547,6 +26573,214 @@ class ScanSecretsPass {
   }
 }
 
+// ../circle-ir/dist/analysis/passes/spring4shell-pass.js
+var CONTROLLER_ANNOTATIONS = new Set([
+  "Controller",
+  "RestController",
+  "ControllerAdvice",
+  "RestControllerAdvice"
+]);
+var ROUTE_ANNOTATIONS = new Set([
+  "RequestMapping",
+  "GetMapping",
+  "PostMapping",
+  "PutMapping",
+  "DeleteMapping",
+  "PatchMapping"
+]);
+var BINDING_ANNOTATIONS = new Set([
+  "RequestBody",
+  "RequestParam",
+  "PathVariable",
+  "RequestHeader",
+  "CookieValue",
+  "MatrixVariable",
+  "ModelAttribute",
+  "Valid",
+  "Validated",
+  "RequestPart",
+  "SessionAttribute",
+  "RequestAttribute"
+]);
+var FRAMEWORK_PARAM_TYPES = new Set([
+  "HttpServletRequest",
+  "HttpServletResponse",
+  "ServletRequest",
+  "ServletResponse",
+  "HttpSession",
+  "ServletContext",
+  "Cookie",
+  "Model",
+  "ModelMap",
+  "ModelAndView",
+  "Map",
+  "BindingResult",
+  "Errors",
+  "RedirectAttributes",
+  "SessionStatus",
+  "WebRequest",
+  "NativeWebRequest",
+  "ServletWebRequest",
+  "UriComponentsBuilder",
+  "UriBuilder",
+  "HttpEntity",
+  "RequestEntity",
+  "ResponseEntity",
+  "HttpHeaders",
+  "InputStream",
+  "OutputStream",
+  "Reader",
+  "Writer",
+  "ServerHttpRequest",
+  "ServerHttpResponse",
+  "ServerWebExchange",
+  "Principal",
+  "Authentication",
+  "Locale",
+  "TimeZone",
+  "ZoneId",
+  "MultipartFile",
+  "Part",
+  "TimeZone"
+]);
+var SIMPLE_JAVA_TYPES = new Set([
+  "boolean",
+  "byte",
+  "char",
+  "short",
+  "int",
+  "long",
+  "float",
+  "double",
+  "void",
+  "Boolean",
+  "Byte",
+  "Character",
+  "Short",
+  "Integer",
+  "Long",
+  "Float",
+  "Double",
+  "String",
+  "CharSequence",
+  "BigInteger",
+  "BigDecimal",
+  "UUID",
+  "Date",
+  "Calendar",
+  "Instant",
+  "LocalDate",
+  "LocalTime",
+  "LocalDateTime",
+  "OffsetDateTime",
+  "OffsetTime",
+  "ZonedDateTime",
+  "Duration",
+  "Period",
+  "List",
+  "Set",
+  "Collection",
+  "Iterable",
+  "Optional"
+]);
+
+class Spring4ShellPass {
+  name = "spring4shell";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language !== "java") {
+      return { controllerMethodsScanned: 0, findingsEmitted: 0 };
+    }
+    const file = graph.ir.meta.file;
+    let scanned = 0;
+    let emitted = 0;
+    for (const type of graph.ir.types) {
+      if (!isController(type))
+        continue;
+      for (const method of type.methods) {
+        if (!isRouteHandler(method))
+          continue;
+        scanned++;
+        for (const param of method.parameters) {
+          if (!isVulnerableParameter(param))
+            continue;
+          ctx.addFinding({
+            id: `${this.name}-${file}-${method.start_line}-${param.name}`,
+            pass: this.name,
+            category: this.category,
+            rule_id: this.name,
+            cwe: "CWE-94",
+            severity: "high",
+            level: "error",
+            message: `Spring MVC controller method '${type.name}.${method.name}' binds parameter '${param.name}' of type '${param.type ?? "?"}' via implicit form-data binding (no @RequestBody / @RequestParam / @ModelAttribute) — vulnerable to Spring4Shell (CVE-2022-22965) class-graph RCE on Spring < 5.3.18 / 5.2.20`,
+            file,
+            line: param.line ?? method.start_line,
+            fix: "Annotate the parameter with @RequestBody (JSON) or @ModelAttribute + @InitBinder/setAllowedFields whitelisting, upgrade Spring to ≥ 5.3.18 / 5.2.20, and ensure JDK is patched.",
+            evidence: {
+              controller_class: type.name,
+              controller_annotations: type.annotations,
+              method: method.name,
+              method_annotations: method.annotations,
+              parameter_name: param.name,
+              parameter_type: param.type
+            }
+          });
+          emitted++;
+        }
+      }
+    }
+    return { controllerMethodsScanned: scanned, findingsEmitted: emitted };
+  }
+}
+function annotationHead(annotation) {
+  const parenIdx = annotation.indexOf("(");
+  return parenIdx >= 0 ? annotation.slice(0, parenIdx) : annotation;
+}
+function hasAnnotation(annotations, names) {
+  for (const a of annotations) {
+    if (names.has(annotationHead(a)))
+      return true;
+  }
+  return false;
+}
+function isController(type) {
+  return hasAnnotation(type.annotations, CONTROLLER_ANNOTATIONS);
+}
+function isRouteHandler(method) {
+  return hasAnnotation(method.annotations, ROUTE_ANNOTATIONS);
+}
+function isVulnerableParameter(param) {
+  if (hasAnnotation(param.annotations, BINDING_ANNOTATIONS))
+    return false;
+  if (!param.type)
+    return false;
+  const type = stripGenerics2(param.type).trim();
+  if (!type)
+    return false;
+  if (type.endsWith("[]")) {
+    const elem = type.slice(0, -2).trim();
+    return !SIMPLE_JAVA_TYPES.has(elem) && isPotentialPojo(elem);
+  }
+  if (SIMPLE_JAVA_TYPES.has(type))
+    return false;
+  if (FRAMEWORK_PARAM_TYPES.has(type))
+    return false;
+  if (!isPotentialPojo(type))
+    return false;
+  return true;
+}
+function stripGenerics2(type) {
+  const ltIdx = type.indexOf("<");
+  return ltIdx >= 0 ? type.slice(0, ltIdx) : type;
+}
+function isPotentialPojo(type) {
+  if (type.length === 0)
+    return false;
+  const first = type.charCodeAt(0);
+  return first >= 65 && first <= 90;
+}
+
 // ../circle-ir/dist/graph/import-graph.js
 function dirname(filePath) {
   const idx = filePath.lastIndexOf("/");
@@ -27655,6 +27889,8 @@ async function analyze(code, filePath, language, options = {}) {
       pipeline.add(new NamingConventionPass(passOpts.namingConvention));
     if (!disabledPasses.has("security-headers"))
       pipeline.add(new SecurityHeadersPass(passOpts.securityHeaders));
+    if (!disabledPasses.has("spring4shell"))
+      pipeline.add(new Spring4ShellPass);
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");
@@ -27848,7 +28084,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.46.0";
+var version = "3.48.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.46.0",
+  "version": "3.48.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.46.0"
+    "circle-ir": "^3.48.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",