cognium-dev 3.54.0 → 3.55.0

package/dist/cli.js

@@ -10476,8 +10476,8 @@ var DEFAULT_SINKS = [
   { method: "print", class: "ServletOutputStream", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "println", class: "ServletOutputStream", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "sendError", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
-  { method: "setHeader", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
-  { method: "addHeader", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
+  { method: "setHeader", class: "HttpServletResponse", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1] },
+  { method: "addHeader", class: "HttpServletResponse", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1] },
   { method: "setContentType", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "setAttribute", class: "PageContext", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
   { method: "addAttribute", class: "Model", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
@@ -11163,7 +11163,18 @@ var DEFAULT_SINKS = [
   { method: "Sprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
   { method: "Printf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
   { method: "Errorf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
-  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] }
+  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] },
+  { method: "setHeader", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["javascript", "typescript"] },
+  { method: "writeHead", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [2], languages: ["javascript", "typescript"] },
+  { method: "cookie", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["javascript", "typescript"] },
+  { method: "location", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "redirect", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] }
 ];
 var DEFAULT_SANITIZERS = [
   { method: "setString", class: "PreparedStatement", removes: ["sql_injection"] },
@@ -21503,7 +21514,9 @@ var KNOWN_SINK_TYPES = new Set([
   "code_injection",
   "mybatis_mapper_call",
   "redos",
-  "format_string"
+  "format_string",
+  "crlf",
+  "mass_assignment"
 ]);
 function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
   const sanitizersAtTarget = sanitizersByLine.get(toLine);
@@ -21558,19 +21571,19 @@ function buildTaintFlow(source, sink, taintInfo) {
 // ../circle-ir/dist/analysis/findings.js
 function canSourceReachSink(sourceType, sinkType) {
   const sourceToSinkMapping = {
-    http_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "mybatis_mapper_call", "code_injection"],
-    http_body: ["sql_injection", "command_injection", "deserialization", "xxe", "xss", "code_injection", "mybatis_mapper_call"],
-    http_header: ["sql_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection"],
-    http_cookie: ["sql_injection", "xss", "mybatis_mapper_call", "code_injection"],
+    http_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "mybatis_mapper_call", "code_injection", "crlf", "mass_assignment"],
+    http_body: ["sql_injection", "command_injection", "deserialization", "xxe", "xss", "code_injection", "mybatis_mapper_call", "crlf", "mass_assignment"],
+    http_header: ["sql_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection", "crlf"],
+    http_cookie: ["sql_injection", "xss", "mybatis_mapper_call", "code_injection", "crlf"],
     http_path: ["path_traversal", "sql_injection", "ssrf", "mybatis_mapper_call"],
-    http_query: ["sql_injection", "command_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection"],
+    http_query: ["sql_injection", "command_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection", "crlf", "mass_assignment"],
     io_input: ["command_injection", "path_traversal", "deserialization", "xxe", "code_injection", "xss"],
     env_input: ["command_injection", "path_traversal"],
     db_input: ["xss", "sql_injection"],
     file_input: ["deserialization", "xxe", "path_traversal", "command_injection", "code_injection"],
     network_input: ["sql_injection", "command_injection", "xss", "ssrf"],
     config_param: ["sql_injection", "command_injection", "path_traversal", "xss", "ssrf"],
-    interprocedural_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "code_injection", "mybatis_mapper_call"],
+    interprocedural_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "code_injection", "mybatis_mapper_call", "crlf", "mass_assignment"],
     plugin_param: ["sql_injection", "command_injection", "path_traversal", "xss", "code_injection"]
   };
   const validSinks = sourceToSinkMapping[sourceType];
@@ -28154,6 +28167,356 @@ class JwtVerifyDisabledPass {
   }
 }
 
+// ../circle-ir/dist/analysis/passes/csrf-protection-disabled-pass.js
+var JAVA_CSRF_DISABLE_RE = /\.csrf\s*\([^)]*\)\s*\.\s*disable\b/;
+var JAVA_CSRF_LAMBDA_DISABLE_RE = /\bcsrf\s*\(\s*\w+\s*->\s*\w+\s*\.\s*disable\s*\(/;
+var JAVA_CSRF_METHODREF_RE = /\bcsrf\s*\(\s*[\w.]+::disable\s*\)/;
+var JAVA_CSRF_NULL_REPO_RE = /\.csrfTokenRepository\s*\(\s*null\s*\)/;
+
+class CsrfProtectionDisabledPass {
+  name = "csrf-protection-disabled";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detections = this.detectCall(call, language);
+      for (const det of detections) {
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.pattern}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-352",
+          severity: "critical",
+          level: "error",
+          message: `CSRF protection explicitly disabled via \`${det.pattern}\` ` + `(${det.api}). Any browser session can be silently used to ` + "perform state-changing requests from a malicious origin.",
+          file,
+          line,
+          fix: this.fixFor(language),
+          evidence: { ...det, language }
+        });
+      }
+    }
+    if (language === "java") {
+      const src = ctx.code ?? "";
+      if (src) {
+        const lines = src.split(`
+`);
+        for (let i2 = 0;i2 < lines.length; i2++) {
+          const line = i2 + 1;
+          const text = lines[i2] ?? "";
+          let det = null;
+          if (JAVA_CSRF_LAMBDA_DISABLE_RE.test(text)) {
+            det = { pattern: "csrf(c -> c.disable())", api: "HttpSecurity.csrf" };
+          } else if (JAVA_CSRF_METHODREF_RE.test(text)) {
+            det = { pattern: "csrf(::disable)", api: "HttpSecurity.csrf" };
+          } else if (JAVA_CSRF_NULL_REPO_RE.test(text)) {
+            det = { pattern: "csrfTokenRepository(null)", api: "HttpSecurity.csrfTokenRepository" };
+          } else if (JAVA_CSRF_DISABLE_RE.test(text)) {
+            det = { pattern: "csrf().disable()", api: "HttpSecurity.csrf" };
+          }
+          if (det && !findings.some((f) => f.line === line && f.pattern === det.pattern)) {
+            findings.push({ line, language, ...det });
+            ctx.addFinding({
+              id: `${this.name}-${file}-${line}-${det.pattern}`,
+              pass: this.name,
+              category: this.category,
+              rule_id: this.name,
+              cwe: "CWE-352",
+              severity: "critical",
+              level: "error",
+              message: `CSRF protection explicitly disabled via \`${det.pattern}\` ` + `(${det.api}). Any browser session can be silently used to ` + "perform state-changing requests from a malicious origin.",
+              file,
+              line,
+              fix: this.fixFor(language),
+              evidence: { ...det, language }
+            });
+          }
+        }
+      }
+    }
+    if (language === "python") {
+      const src = ctx.code ?? "";
+      if (src) {
+        const lines = src.split(`
+`);
+        for (let i2 = 0;i2 < lines.length; i2++) {
+          const text = lines[i2] ?? "";
+          if (/^\s*@csrf_exempt\b/.test(text)) {
+            const line = i2 + 1;
+            const det = { pattern: "@csrf_exempt", api: "django.views.decorators.csrf" };
+            findings.push({ line, language, ...det });
+            ctx.addFinding({
+              id: `${this.name}-${file}-${line}-${det.pattern}`,
+              pass: this.name,
+              category: this.category,
+              rule_id: this.name,
+              cwe: "CWE-352",
+              severity: "critical",
+              level: "error",
+              message: "Django view is decorated with `@csrf_exempt`, bypassing the " + "framework CSRF middleware for this endpoint. Any browser " + "session can be silently used to invoke this handler from " + "a malicious origin.",
+              file,
+              line,
+              fix: this.fixFor(language),
+              evidence: { ...det, language }
+            });
+          }
+        }
+      }
+    }
+    return { findings };
+  }
+  detectCall(call, language) {
+    const out2 = [];
+    if (language !== "java")
+      return out2;
+    if (call.method_name === "disable") {
+      const recv = call.receiver ?? "";
+      if (/\bcsrf\s*\(\s*\)\s*$/.test(recv) || recv.endsWith(".csrf()")) {
+        out2.push({ pattern: "csrf().disable()", api: "HttpSecurity.csrf" });
+      }
+    }
+    if (call.method_name === "csrfTokenRepository") {
+      const arg = call.arguments.find((a) => a.position === 0);
+      const expr = (arg?.expression ?? arg?.literal ?? "").trim();
+      if (expr === "null") {
+        out2.push({
+          pattern: "csrfTokenRepository(null)",
+          api: "HttpSecurity.csrfTokenRepository"
+        });
+      }
+    }
+    return out2;
+  }
+  fixFor(language) {
+    if (language === "java") {
+      return "Leave Spring Security CSRF protection enabled. If you need to " + "exempt a specific endpoint (e.g. webhook), use " + '`.csrf(c -> c.ignoringRequestMatchers("/webhook"))` rather than ' + "`.disable()`. For stateless APIs, prefer a per-request token over " + "disabling CSRF entirely.";
+    }
+    if (language === "python") {
+      return "Remove `@csrf_exempt`. For stateless API endpoints, use Django REST " + "Framework with a token / session auth backend that does not rely on " + "cookies. For webhook receivers, verify a shared-secret signature " + "instead of disabling CSRF.";
+    }
+    return "Re-enable framework CSRF protection or replace with origin / token validation.";
+  }
+}
+
+// ../circle-ir/dist/analysis/passes/xml-entity-expansion-pass.js
+var JAVA_FACTORIES = new Set([
+  "SAXParserFactory",
+  "DocumentBuilderFactory",
+  "XMLInputFactory",
+  "SchemaFactory",
+  "TransformerFactory"
+]);
+var JAVA_SAFE_EVIDENCE_RE = /(disallow-doctype-decl|external-general-entities|external-parameter-entities|SUPPORT_DTD|ACCESS_EXTERNAL_DTD|ACCESS_EXTERNAL_SCHEMA|setXIncludeAware\s*\(\s*false\s*\)|setExpandEntityReferences\s*\(\s*false\s*\))/;
+var PY_LXML_PARSER_INSECURE_DEFAULT_RE = /\bresolve_entities\s*=\s*False\b/;
+
+class XmlEntityExpansionPass {
+  name = "xml-entity-expansion";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const code = ctx.code ?? "";
+    if (language === "java") {
+      const safeInFile = JAVA_SAFE_EVIDENCE_RE.test(code);
+      if (safeInFile)
+        return { findings };
+      for (const call of graph.ir.calls) {
+        const det = this.detectJavaCall(call);
+        if (!det)
+          continue;
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.api}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: det.cwe,
+          severity: "high",
+          level: "error",
+          message: `${det.api} created without disabling DTD / external-entity ` + "processing. Vulnerable to billion-laughs / quadratic " + "blow-up DoS (CWE-776) and external-entity disclosure " + '(CWE-611). Add `setFeature("http://apache.org/xml/features/' + 'disallow-doctype-decl", true)` (or the equivalent) before ' + "parsing.",
+          file,
+          line,
+          fix: this.fixForJava(det.api),
+          evidence: { ...det, language, safeFeatureInFile: false }
+        });
+      }
+      return { findings };
+    }
+    if (language === "python") {
+      const safeInFile = PY_LXML_PARSER_INSECURE_DEFAULT_RE.test(code) || /\bdefusedxml\b/.test(code);
+      if (safeInFile)
+        return { findings };
+      for (const call of graph.ir.calls) {
+        const det = this.detectPythonCall(call);
+        if (!det)
+          continue;
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.api}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: det.cwe,
+          severity: "high",
+          level: "error",
+          message: `${det.api} called without an entity-safe parser. Vulnerable ` + "to billion-laughs / quadratic blow-up DoS (CWE-776) and " + "external-entity disclosure (CWE-611). Use `defusedxml` or pass " + "an `XMLParser(resolve_entities=False)` to lxml.",
+          file,
+          line,
+          fix: this.fixForPython(det.api),
+          evidence: { ...det, language, safeFeatureInFile: false }
+        });
+      }
+      return { findings };
+    }
+    return { findings };
+  }
+  detectJavaCall(call) {
+    if (call.method_name !== "newInstance")
+      return null;
+    const recv = call.receiver ?? "";
+    const recvType = call.receiver_type ?? "";
+    for (const factory of JAVA_FACTORIES) {
+      if (recv === factory || recvType === factory || recv.endsWith("." + factory) || recvType.endsWith("." + factory)) {
+        return {
+          pattern: `${factory}.newInstance()`,
+          api: factory,
+          cwe: "CWE-776"
+        };
+      }
+    }
+    return null;
+  }
+  detectPythonCall(call) {
+    const recv = call.receiver ?? "";
+    const method = call.method_name;
+    if ((method === "parse" || method === "fromstring" || method === "XML") && (recv === "etree" || recv.endsWith(".etree"))) {
+      return {
+        pattern: `etree.${method}`,
+        api: `lxml.etree.${method}`,
+        cwe: "CWE-776"
+      };
+    }
+    if ((method === "parse" || method === "fromstring") && (recv === "ET" || recv === "ElementTree" || recv.endsWith(".ElementTree"))) {
+      return {
+        pattern: `ElementTree.${method}`,
+        api: `xml.etree.ElementTree.${method}`,
+        cwe: "CWE-776"
+      };
+    }
+    return null;
+  }
+  fixForJava(api) {
+    if (api === "SAXParserFactory") {
+      return 'Call `factory.setFeature("http://apache.org/xml/features/' + 'disallow-doctype-decl", true)` and ' + "`factory.setXIncludeAware(false)` before `newSAXParser()`.";
+    }
+    if (api === "DocumentBuilderFactory") {
+      return 'Call `factory.setFeature("http://apache.org/xml/features/' + 'disallow-doctype-decl", true)` and ' + "`factory.setExpandEntityReferences(false)` before " + "`newDocumentBuilder()`.";
+    }
+    if (api === "XMLInputFactory") {
+      return "Call `factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)` " + "and `factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_" + "ENTITIES, false)` before `createXMLStreamReader`.";
+    }
+    return "Use `XMLConstants.FEATURE_SECURE_PROCESSING` and explicitly disable " + "DTD / external-entity loading on the factory before parsing.";
+  }
+  fixForPython(api) {
+    if (api.startsWith("lxml.etree")) {
+      return "Pass an explicit parser: " + "`etree.parse(src, parser=etree.XMLParser(resolve_entities=False, " + "no_network=True))`. Even better, use the `defusedxml.lxml` wrapper.";
+    }
+    return "Replace `xml.etree.ElementTree` with `defusedxml.ElementTree`, which " + "disables DTD / entity processing by default.";
+  }
+}
+
+// ../circle-ir/dist/analysis/passes/mass-assignment-pass.js
+var PY_KWARGS_SPLAT_RE = /\*\*\s*(?:request|self\.request|flask\.request|ctx|self)\s*\.\s*(?:form|args|values|json|get_json\s*\(\s*\)|files|data)/;
+var JS_OBJECT_SPREAD_RE = /\{\s*\.\.\.\s*(?:req|request|ctx|context)(?:\.request)?\s*\.\s*(?:body|query|params|form)\b/;
+
+class MassAssignmentPass {
+  name = "mass-assignment";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const code = ctx.code ?? "";
+    if (!code)
+      return { findings };
+    const lines = code.split(`
+`);
+    if (language === "python") {
+      for (let i2 = 0;i2 < lines.length; i2++) {
+        const text = lines[i2] ?? "";
+        const m = PY_KWARGS_SPLAT_RE.exec(text);
+        if (!m)
+          continue;
+        const line = i2 + 1;
+        const det = {
+          pattern: "**request.<bag>",
+          match: m[0]
+        };
+        findings.push({
+          line,
+          language,
+          pattern: det.pattern,
+          snippet: text.trim().slice(0, 200)
+        });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-915",
+          severity: "high",
+          level: "error",
+          message: `HTTP request bag splatted into constructor / ORM helper via ` + `\`${det.match}\`. Every form field becomes a settable attribute ` + "on the domain object, including ones the endpoint did not " + "intend to expose (e.g. `is_admin`, `role`, `owner_id`).",
+          file,
+          line,
+          fix: "Replace the `**` splat with an explicit allow-list: " + "`Model(name=request.form['name'], email=request.form['email'])`. " + "For Django, use a `ModelForm` / serializer with `fields = [...]`.",
+          evidence: { pattern: det.pattern, match: det.match, language }
+        });
+      }
+      return { findings };
+    }
+    if (language === "javascript" || language === "typescript") {
+      for (let i2 = 0;i2 < lines.length; i2++) {
+        const text = lines[i2] ?? "";
+        const m = JS_OBJECT_SPREAD_RE.exec(text);
+        if (!m)
+          continue;
+        const line = i2 + 1;
+        findings.push({
+          line,
+          language,
+          pattern: "{...req.<bag>}",
+          snippet: text.trim().slice(0, 200)
+        });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-915",
+          severity: "high",
+          level: "error",
+          message: `HTTP request bag spread into object literal via \`${m[0]}\`. ` + "Every body field becomes a settable property on the resulting " + "object, including ones the endpoint did not intend to expose " + "(e.g. `isAdmin`, `role`, `ownerId`).",
+          file,
+          line,
+          fix: "Replace the spread with an explicit pick: " + "`const { name, email } = req.body; const user = { name, email };`. " + "For ORMs, use a DTO / Zod schema with `.pick(...)` or " + "allow-list serializers.",
+          evidence: { pattern: "{...req.<bag>}", match: m[0], language }
+        });
+      }
+      return { findings };
+    }
+    return { findings };
+  }
+}
+
 // ../circle-ir/dist/graph/import-graph.js
 function dirname(filePath) {
   const idx = filePath.lastIndexOf("/");
@@ -29276,6 +29639,12 @@ async function analyze(code, filePath, language, options = {}) {
       pipeline.add(new TlsVerifyDisabledPass);
     if (!disabledPasses.has("jwt-verify-disabled"))
       pipeline.add(new JwtVerifyDisabledPass);
+    if (!disabledPasses.has("csrf-protection-disabled"))
+      pipeline.add(new CsrfProtectionDisabledPass);
+    if (!disabledPasses.has("xml-entity-expansion"))
+      pipeline.add(new XmlEntityExpansionPass);
+    if (!disabledPasses.has("mass-assignment"))
+      pipeline.add(new MassAssignmentPass);
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");
@@ -29469,7 +29838,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.54.0";
+var version = "3.55.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.54.0",
+  "version": "3.55.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.54.0"
+    "circle-ir": "^3.55.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",