npm - cognium-dev - Versions diffs - 3.53.0 → 3.54.0 - Mend

cognium-dev 3.53.0 → 3.54.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/cli.js +145 -3
package/package.json +2 -2

package/dist/cli.js CHANGED Viewed

@@ -11134,7 +11134,36 @@ var DEFAULT_SINKS = [
   { method: "from_str", class: "serde_yaml", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
   { method: "from_reader", class: "serde_yaml", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
   { method: "from_str", class: "serde_json", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] },
-  { method: "from_slice", class: "serde_json", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] }
+  { method: "from_slice", class: "serde_json", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] },
+  { method: "match", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "search", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "fullmatch", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "compile", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "findall", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "finditer", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "sub", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "subn", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "split", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "compile", class: "Pattern", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "matches", class: "Pattern", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "matches", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "replaceAll", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "replaceFirst", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "split", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "RegExp", class: "constructor", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "Compile", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "MustCompile", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Match", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "MatchString", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "format", class: "String", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "format", class: "Formatter", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "printf", class: "System.out", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "printf", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "fprintf", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [1], languages: ["python"] },
+  { method: "Sprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Printf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Errorf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] }
 ];
 var DEFAULT_SANITIZERS = [
   { method: "setString", class: "PreparedStatement", removes: ["sql_injection"] },
@@ -21472,7 +21501,9 @@ var KNOWN_SINK_TYPES = new Set([
   "xxe",
   "deserialization",
   "code_injection",
-  "mybatis_mapper_call"
+  "mybatis_mapper_call",
+  "redos",
+  "format_string"
 ]);
 function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
   const sanitizersAtTarget = sanitizersByLine.get(toLine);
@@ -28014,6 +28045,115 @@ class TlsVerifyDisabledPass {
   }
 }
+// ../circle-ir/dist/analysis/passes/jwt-verify-disabled-pass.js
+var PY_VERIFY_SIGNATURE_FALSE_RE = /["']verify_signature["']\s*:\s*False\b/;
+var PY_VERIFY_KW_FALSE_RE = /\bverify\s*=\s*False\b/;
+var PY_ALG_NONE_RE = /\balgorithms\s*=\s*[\[\(]\s*["']none["']/i;
+var JS_ALG_NONE_RE = /\balgorithms\s*:\s*\[\s*["']none["']/i;
+class JwtVerifyDisabledPass {
+  name = "jwt-verify-disabled";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detections = this.detect(call, language);
+      for (const det of detections) {
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.pattern}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-347",
+          severity: "critical",
+          level: "error",
+          message: `JWT signature verification disabled via \`${det.pattern}\` in ` + `\`${det.api}\`. Any attacker can forge a token with arbitrary ` + "claims (user id, roles, expiry) since the signature is not " + "checked.",
+          file,
+          line,
+          fix: this.fixFor(language),
+          evidence: { ...det, language }
+        });
+      }
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name;
+    const receiver = call.receiver ?? "";
+    const out2 = [];
+    if (language === "python") {
+      if (receiver === "jwt" && method === "decode") {
+        for (const arg of call.arguments) {
+          const expr = (arg.expression ?? "").trim();
+          if (!expr)
+            continue;
+          if (PY_VERIFY_SIGNATURE_FALSE_RE.test(expr)) {
+            out2.push({ pattern: "verify_signature: False", api: "jwt.decode" });
+          }
+          if (PY_VERIFY_KW_FALSE_RE.test(expr)) {
+            out2.push({ pattern: "verify=False", api: "jwt.decode" });
+          }
+          if (PY_ALG_NONE_RE.test(expr)) {
+            out2.push({ pattern: "algorithms=['none']", api: "jwt.decode" });
+          }
+        }
+      }
+      return out2;
+    }
+    if (language === "javascript" || language === "typescript") {
+      if (receiver === "jwt" && method === "verify") {
+        for (const arg of call.arguments) {
+          const expr = (arg.expression ?? "").trim();
+          if (!expr)
+            continue;
+          if (JS_ALG_NONE_RE.test(expr)) {
+            out2.push({ pattern: "algorithms: ['none']", api: "jwt.verify" });
+          }
+          if (/\bverify\s*:\s*false\b/i.test(expr)) {
+            out2.push({ pattern: "verify: false", api: "jwt.verify" });
+          }
+        }
+        const keyArg = call.arguments.find((a) => a.position === 1);
+        const keyExpr = (keyArg?.expression ?? keyArg?.literal ?? "").trim();
+        if (keyExpr === "null" || keyExpr === "undefined" || keyExpr === '""' || keyExpr === "''" || keyExpr === "``") {
+          out2.push({ pattern: `empty key (${keyExpr || "missing"})`, api: "jwt.verify" });
+        }
+      }
+      return out2;
+    }
+    if (language === "java") {
+      if (method === "require" && (receiver === "JWT" || receiver.endsWith(".JWT"))) {
+        const arg = call.arguments.find((a) => a.position === 0);
+        const expr = (arg?.expression ?? "").trim();
+        if (/\bAlgorithm\s*\.\s*none\s*\(/.test(expr)) {
+          out2.push({ pattern: "Algorithm.none()", api: "JWT.require" });
+        }
+      }
+      if (method === "parse" && receiver.includes("parser")) {
+        out2.push({ pattern: "parse() instead of parseClaimsJws()", api: "Jwts.parser().parse" });
+      }
+      return out2;
+    }
+    return out2;
+  }
+  fixFor(language) {
+    if (language === "python") {
+      return 'Always pass `options={"verify_signature": True}` (the default in ' + 'PyJWT 2.0+) and a concrete `algorithms=["HS256"|"RS256"]` list. ' + "Never accept `none`.";
+    }
+    if (language === "javascript" || language === "typescript") {
+      return 'Call `jwt.verify(token, secret, { algorithms: ["HS256" | "RS256"] })` ' + 'with a non-empty key. Never use `algorithms: ["none"]` or pass ' + "null/empty as the secret.";
+    }
+    if (language === "java") {
+      return "For auth0/java-jwt: use `JWT.require(Algorithm.HMAC256(secret))` or " + "an RSA algorithm. For jjwt: call `parseClaimsJws(token)` (signature " + "enforced) rather than `parse(token)` (signature ignored).";
+    }
+    return "Enforce JWT signature verification with a concrete algorithm " + "(HS256/RS256/ES256). Never accept `alg: none`.";
+  }
+}
 // ../circle-ir/dist/graph/import-graph.js
 function dirname(filePath) {
   const idx = filePath.lastIndexOf("/");
@@ -29134,6 +29274,8 @@ async function analyze(code, filePath, language, options = {}) {
       pipeline.add(new WeakRandomPass);
     if (!disabledPasses.has("tls-verify-disabled"))
       pipeline.add(new TlsVerifyDisabledPass);
+    if (!disabledPasses.has("jwt-verify-disabled"))
+      pipeline.add(new JwtVerifyDisabledPass);
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");
@@ -29327,7 +29469,7 @@ var colors = {
 };
 // src/version.ts
-var version = "3.53.0";
+var version = "3.54.0";
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.53.0",
+  "version": "3.54.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.53.0"
+    "circle-ir": "^3.54.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",