cognium-dev 3.54.0 → 3.56.0

package/dist/cli.js

@@ -10476,8 +10476,8 @@ var DEFAULT_SINKS = [
   { method: "print", class: "ServletOutputStream", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "println", class: "ServletOutputStream", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "sendError", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
-  { method: "setHeader", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
-  { method: "addHeader", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
+  { method: "setHeader", class: "HttpServletResponse", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1] },
+  { method: "addHeader", class: "HttpServletResponse", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1] },
   { method: "setContentType", class: "HttpServletResponse", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "setAttribute", class: "PageContext", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
   { method: "addAttribute", class: "Model", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
@@ -11163,7 +11163,18 @@ var DEFAULT_SINKS = [
   { method: "Sprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
   { method: "Printf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
   { method: "Errorf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
-  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] }
+  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] },
+  { method: "setHeader", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["javascript", "typescript"] },
+  { method: "writeHead", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [2], languages: ["javascript", "typescript"] },
+  { method: "cookie", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["javascript", "typescript"] },
+  { method: "location", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "redirect", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
+  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] }
 ];
 var DEFAULT_SANITIZERS = [
   { method: "setString", class: "PreparedStatement", removes: ["sql_injection"] },
@@ -21503,7 +21514,9 @@ var KNOWN_SINK_TYPES = new Set([
   "code_injection",
   "mybatis_mapper_call",
   "redos",
-  "format_string"
+  "format_string",
+  "crlf",
+  "mass_assignment"
 ]);
 function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
   const sanitizersAtTarget = sanitizersByLine.get(toLine);
@@ -21558,19 +21571,19 @@ function buildTaintFlow(source, sink, taintInfo) {
 // ../circle-ir/dist/analysis/findings.js
 function canSourceReachSink(sourceType, sinkType) {
   const sourceToSinkMapping = {
-    http_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "mybatis_mapper_call", "code_injection"],
-    http_body: ["sql_injection", "command_injection", "deserialization", "xxe", "xss", "code_injection", "mybatis_mapper_call"],
-    http_header: ["sql_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection"],
-    http_cookie: ["sql_injection", "xss", "mybatis_mapper_call", "code_injection"],
+    http_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "mybatis_mapper_call", "code_injection", "crlf", "mass_assignment"],
+    http_body: ["sql_injection", "command_injection", "deserialization", "xxe", "xss", "code_injection", "mybatis_mapper_call", "crlf", "mass_assignment"],
+    http_header: ["sql_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection", "crlf"],
+    http_cookie: ["sql_injection", "xss", "mybatis_mapper_call", "code_injection", "crlf"],
     http_path: ["path_traversal", "sql_injection", "ssrf", "mybatis_mapper_call"],
-    http_query: ["sql_injection", "command_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection"],
+    http_query: ["sql_injection", "command_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection", "crlf", "mass_assignment"],
     io_input: ["command_injection", "path_traversal", "deserialization", "xxe", "code_injection", "xss"],
     env_input: ["command_injection", "path_traversal"],
     db_input: ["xss", "sql_injection"],
     file_input: ["deserialization", "xxe", "path_traversal", "command_injection", "code_injection"],
     network_input: ["sql_injection", "command_injection", "xss", "ssrf"],
     config_param: ["sql_injection", "command_injection", "path_traversal", "xss", "ssrf"],
-    interprocedural_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "code_injection", "mybatis_mapper_call"],
+    interprocedural_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "code_injection", "mybatis_mapper_call", "crlf", "mass_assignment"],
     plugin_param: ["sql_injection", "command_injection", "path_traversal", "xss", "code_injection"]
   };
   const validSinks = sourceToSinkMapping[sourceType];
@@ -27501,6 +27514,113 @@ function detectHardcodedKeyJava(call) {
     return `literal string`;
   return null;
 }
+function detectHardcodedKeyPython(call, constProp, literalBindings) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg)
+    return null;
+  const expr = (arg.expression ?? arg.literal ?? "").trim();
+  if (!expr)
+    return null;
+  if (/^[bB][rR]?["'][^"']*["']$/.test(expr) || /^[rR][bB]["'][^"']*["']$/.test(expr)) {
+    return `literal bytes ${expr.slice(0, 24)}${expr.length > 24 ? "…" : ""}`;
+  }
+  if (/^["'][^"']*["']$/.test(expr)) {
+    return `literal string ${expr.slice(0, 24)}${expr.length > 24 ? "…" : ""}`;
+  }
+  if (arg.variable && constProp) {
+    const sym = constProp.symbols.get(arg.variable);
+    if (sym && sym.type === "string" && typeof sym.value === "string") {
+      return `constant-propagated bytes from \`${arg.variable}\``;
+    }
+  }
+  if (arg.variable) {
+    const lit = literalBindings.get(arg.variable);
+    if (lit) {
+      return `literal-bound ${arg.variable} = ${lit.slice(0, 24)}${lit.length > 24 ? "…" : ""}`;
+    }
+  }
+  return null;
+}
+function detectHardcodedKeyGo(call, constProp, literalBindings) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg)
+    return null;
+  const expr = (arg.literal ?? arg.expression ?? "").trim();
+  if (!expr)
+    return null;
+  if (/^\[\s*\]\s*byte\s*\(\s*["'`][^"'`]*["'`]\s*\)$/.test(expr)) {
+    return `literal []byte("…")`;
+  }
+  if (/^\[\s*\]\s*byte\s*\{[^}]*\}$/.test(expr)) {
+    return `literal []byte{…} composite`;
+  }
+  if (arg.variable && constProp) {
+    const sym = constProp.symbols.get(arg.variable);
+    if (sym && sym.type === "string" && typeof sym.value === "string") {
+      return `constant-propagated key from \`${arg.variable}\``;
+    }
+  }
+  if (arg.variable) {
+    const lit = literalBindings.get(arg.variable);
+    if (lit) {
+      return `literal-bound ${arg.variable} = ${lit.slice(0, 24)}${lit.length > 24 ? "…" : ""}`;
+    }
+  }
+  return null;
+}
+function parseWeakRsaKeySizePython(call) {
+  for (const arg of call.arguments) {
+    const expr = (arg.expression ?? "").trim();
+    const lit = (arg.literal ?? "").trim();
+    const m = expr.match(/^key_size\s*=\s*(-?\d+)\s*$/);
+    if (m && m[1]) {
+      const n = parseInt(m[1], 10);
+      if (Number.isFinite(n) && n > 0 && n < 2048)
+        return n;
+      return null;
+    }
+    if (/^key_size\s*=/.test(expr) && lit) {
+      const n = parseInt(lit, 10);
+      if (Number.isFinite(n) && n > 0 && n < 2048)
+        return n;
+    }
+  }
+  return null;
+}
+function scanLiteralBindings(code, language) {
+  const out2 = new Map;
+  if (!code)
+    return out2;
+  if (language === "python") {
+    const re = /^[ \t]*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(b[rR]?["'][^"']*["']|[rR]?b["'][^"']*["']|["'][^"']*["'])\s*(?:$|#)/gm;
+    let m;
+    while ((m = re.exec(code)) !== null) {
+      if (m[1] && m[2])
+        out2.set(m[1], m[2]);
+    }
+    return out2;
+  }
+  if (language === "go") {
+    const reByte = /^[ \t]*(?:var\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*(?::=|=)\s*(\[\s*\]\s*byte\s*\(\s*["'`][^"'`]*["'`]\s*\))/gm;
+    let m;
+    while ((m = reByte.exec(code)) !== null) {
+      if (m[1] && m[2])
+        out2.set(m[1], m[2]);
+    }
+    const reStr = /^[ \t]*(?:var|const)\s+([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(["'`][^"'`]*["'`])/gm;
+    while ((m = reStr.exec(code)) !== null) {
+      if (m[1] && m[2])
+        out2.set(m[1], m[2]);
+    }
+    const reShort = /^[ \t]*([A-Za-z_][A-Za-z0-9_]*)\s*:=\s*(["'`][^"'`]*["'`])/gm;
+    while ((m = reShort.exec(code)) !== null) {
+      if (m[1] && m[2])
+        out2.set(m[1], m[2]);
+    }
+    return out2;
+  }
+  return out2;
+}
 var ISSUE_CWE = {
   "weak-cipher": "CWE-327",
   "ecb-mode": "CWE-327",
@@ -27514,11 +27634,13 @@ class WeakCryptoPass {
   name = "weak-crypto";
   category = "security";
   run(ctx) {
-    const { graph, language } = ctx;
+    const { graph, language, code } = ctx;
     const file = graph.ir.meta.file;
     const findings = [];
+    const constProp = ctx.hasResult("constant-propagation") ? ctx.getResult("constant-propagation") : null;
+    const literalBindings = scanLiteralBindings(code, language);
     for (const call of graph.ir.calls) {
-      const detections = this.detect(call, language);
+      const detections = this.detect(call, language, constProp, literalBindings);
       for (const det of detections) {
         const line = call.location.line;
         findings.push({ line, language, ...det });
@@ -27571,7 +27693,7 @@ class WeakCryptoPass {
         return "Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, " + "3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption " + "use RSA-OAEP with ≥2048-bit keys or modern curve-based schemes.";
     }
   }
-  detect(call, language) {
+  detect(call, language, constProp, literalBindings) {
     const method = call.method_name;
     const receiver = call.receiver ?? "";
     const out2 = [];
@@ -27631,6 +27753,12 @@ class WeakCryptoPass {
             out2.push({ issue: "ecb-mode", detail: "AES.MODE_ECB", api: `${receiver}.new` });
           }
         }
+        if (lastSeg === "aes" || lastSeg.endsWith(".aes") || WEAK_CIPHER_BASES.has(lastSeg)) {
+          const keyDetail = detectHardcodedKeyPython(call, constProp, literalBindings);
+          if (keyDetail) {
+            out2.push({ issue: "hardcoded-key", detail: keyDetail, api: `${receiver}.new` });
+          }
+        }
       }
       const isHazmatAlgos = receiver === "algorithms" || receiver.endsWith(".algorithms");
       if (isHazmatAlgos) {
@@ -27639,6 +27767,25 @@ class WeakCryptoPass {
         if (WEAK_CIPHER_BASES.has(normalized)) {
           out2.push({ issue: "weak-cipher", detail: normalized, api: `algorithms.${method}` });
         }
+        if (m === "aes") {
+          const keyDetail = detectHardcodedKeyPython(call, constProp, literalBindings);
+          if (keyDetail) {
+            out2.push({ issue: "hardcoded-key", detail: keyDetail, api: `algorithms.${method}` });
+          }
+        }
+      }
+      if (method === "ECB" && (receiver === "modes" || receiver.endsWith(".modes"))) {
+        out2.push({ issue: "ecb-mode", detail: "modes.ECB()", api: `${receiver}.ECB` });
+      }
+      if (method === "generate_private_key" && (receiver === "rsa" || receiver === "dsa" || receiver.endsWith(".rsa") || receiver.endsWith(".dsa"))) {
+        const n = parseWeakRsaKeySizePython(call);
+        if (n !== null) {
+          out2.push({
+            issue: "weak-rsa-key",
+            detail: String(n),
+            api: `${receiver}.generate_private_key`
+          });
+        }
       }
       return out2;
     }
@@ -27680,6 +27827,24 @@ class WeakCryptoPass {
       if ((method === "NewECBEncrypter" || method === "NewECBDecrypter") && receiver === "cipher") {
         out2.push({ issue: "ecb-mode", detail: method, api: `cipher.${method}` });
       }
+      if (receiver === "aes" && method === "NewCipher" || receiver === "des" && (method === "NewCipher" || method === "NewTripleDESCipher") || receiver === "rc4" && method === "NewCipher") {
+        const keyDetail = detectHardcodedKeyGo(call, constProp, literalBindings);
+        if (keyDetail) {
+          out2.push({ issue: "hardcoded-key", detail: keyDetail, api: `${receiver}.${method}` });
+        }
+      }
+      if (receiver === "rsa" && method === "GenerateKey") {
+        const bitsArg = call.arguments.find((a) => a.position === 1);
+        const expr = (bitsArg?.literal ?? bitsArg?.expression ?? "").trim();
+        const n = parseInt(expr, 10);
+        if (Number.isFinite(n) && n > 0 && n < 2048) {
+          out2.push({
+            issue: "weak-rsa-key",
+            detail: String(n),
+            api: "rsa.GenerateKey"
+          });
+        }
+      }
       return out2;
     }
     return out2;
@@ -28154,6 +28319,356 @@ class JwtVerifyDisabledPass {
   }
 }
 
+// ../circle-ir/dist/analysis/passes/csrf-protection-disabled-pass.js
+var JAVA_CSRF_DISABLE_RE = /\.csrf\s*\([^)]*\)\s*\.\s*disable\b/;
+var JAVA_CSRF_LAMBDA_DISABLE_RE = /\bcsrf\s*\(\s*\w+\s*->\s*\w+\s*\.\s*disable\s*\(/;
+var JAVA_CSRF_METHODREF_RE = /\bcsrf\s*\(\s*[\w.]+::disable\s*\)/;
+var JAVA_CSRF_NULL_REPO_RE = /\.csrfTokenRepository\s*\(\s*null\s*\)/;
+
+class CsrfProtectionDisabledPass {
+  name = "csrf-protection-disabled";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detections = this.detectCall(call, language);
+      for (const det of detections) {
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.pattern}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-352",
+          severity: "critical",
+          level: "error",
+          message: `CSRF protection explicitly disabled via \`${det.pattern}\` ` + `(${det.api}). Any browser session can be silently used to ` + "perform state-changing requests from a malicious origin.",
+          file,
+          line,
+          fix: this.fixFor(language),
+          evidence: { ...det, language }
+        });
+      }
+    }
+    if (language === "java") {
+      const src = ctx.code ?? "";
+      if (src) {
+        const lines = src.split(`
+`);
+        for (let i2 = 0;i2 < lines.length; i2++) {
+          const line = i2 + 1;
+          const text = lines[i2] ?? "";
+          let det = null;
+          if (JAVA_CSRF_LAMBDA_DISABLE_RE.test(text)) {
+            det = { pattern: "csrf(c -> c.disable())", api: "HttpSecurity.csrf" };
+          } else if (JAVA_CSRF_METHODREF_RE.test(text)) {
+            det = { pattern: "csrf(::disable)", api: "HttpSecurity.csrf" };
+          } else if (JAVA_CSRF_NULL_REPO_RE.test(text)) {
+            det = { pattern: "csrfTokenRepository(null)", api: "HttpSecurity.csrfTokenRepository" };
+          } else if (JAVA_CSRF_DISABLE_RE.test(text)) {
+            det = { pattern: "csrf().disable()", api: "HttpSecurity.csrf" };
+          }
+          if (det && !findings.some((f) => f.line === line && f.pattern === det.pattern)) {
+            findings.push({ line, language, ...det });
+            ctx.addFinding({
+              id: `${this.name}-${file}-${line}-${det.pattern}`,
+              pass: this.name,
+              category: this.category,
+              rule_id: this.name,
+              cwe: "CWE-352",
+              severity: "critical",
+              level: "error",
+              message: `CSRF protection explicitly disabled via \`${det.pattern}\` ` + `(${det.api}). Any browser session can be silently used to ` + "perform state-changing requests from a malicious origin.",
+              file,
+              line,
+              fix: this.fixFor(language),
+              evidence: { ...det, language }
+            });
+          }
+        }
+      }
+    }
+    if (language === "python") {
+      const src = ctx.code ?? "";
+      if (src) {
+        const lines = src.split(`
+`);
+        for (let i2 = 0;i2 < lines.length; i2++) {
+          const text = lines[i2] ?? "";
+          if (/^\s*@csrf_exempt\b/.test(text)) {
+            const line = i2 + 1;
+            const det = { pattern: "@csrf_exempt", api: "django.views.decorators.csrf" };
+            findings.push({ line, language, ...det });
+            ctx.addFinding({
+              id: `${this.name}-${file}-${line}-${det.pattern}`,
+              pass: this.name,
+              category: this.category,
+              rule_id: this.name,
+              cwe: "CWE-352",
+              severity: "critical",
+              level: "error",
+              message: "Django view is decorated with `@csrf_exempt`, bypassing the " + "framework CSRF middleware for this endpoint. Any browser " + "session can be silently used to invoke this handler from " + "a malicious origin.",
+              file,
+              line,
+              fix: this.fixFor(language),
+              evidence: { ...det, language }
+            });
+          }
+        }
+      }
+    }
+    return { findings };
+  }
+  detectCall(call, language) {
+    const out2 = [];
+    if (language !== "java")
+      return out2;
+    if (call.method_name === "disable") {
+      const recv = call.receiver ?? "";
+      if (/\bcsrf\s*\(\s*\)\s*$/.test(recv) || recv.endsWith(".csrf()")) {
+        out2.push({ pattern: "csrf().disable()", api: "HttpSecurity.csrf" });
+      }
+    }
+    if (call.method_name === "csrfTokenRepository") {
+      const arg = call.arguments.find((a) => a.position === 0);
+      const expr = (arg?.expression ?? arg?.literal ?? "").trim();
+      if (expr === "null") {
+        out2.push({
+          pattern: "csrfTokenRepository(null)",
+          api: "HttpSecurity.csrfTokenRepository"
+        });
+      }
+    }
+    return out2;
+  }
+  fixFor(language) {
+    if (language === "java") {
+      return "Leave Spring Security CSRF protection enabled. If you need to " + "exempt a specific endpoint (e.g. webhook), use " + '`.csrf(c -> c.ignoringRequestMatchers("/webhook"))` rather than ' + "`.disable()`. For stateless APIs, prefer a per-request token over " + "disabling CSRF entirely.";
+    }
+    if (language === "python") {
+      return "Remove `@csrf_exempt`. For stateless API endpoints, use Django REST " + "Framework with a token / session auth backend that does not rely on " + "cookies. For webhook receivers, verify a shared-secret signature " + "instead of disabling CSRF.";
+    }
+    return "Re-enable framework CSRF protection or replace with origin / token validation.";
+  }
+}
+
+// ../circle-ir/dist/analysis/passes/xml-entity-expansion-pass.js
+var JAVA_FACTORIES = new Set([
+  "SAXParserFactory",
+  "DocumentBuilderFactory",
+  "XMLInputFactory",
+  "SchemaFactory",
+  "TransformerFactory"
+]);
+var JAVA_SAFE_EVIDENCE_RE = /(disallow-doctype-decl|external-general-entities|external-parameter-entities|SUPPORT_DTD|ACCESS_EXTERNAL_DTD|ACCESS_EXTERNAL_SCHEMA|setXIncludeAware\s*\(\s*false\s*\)|setExpandEntityReferences\s*\(\s*false\s*\))/;
+var PY_LXML_PARSER_INSECURE_DEFAULT_RE = /\bresolve_entities\s*=\s*False\b/;
+
+class XmlEntityExpansionPass {
+  name = "xml-entity-expansion";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const code = ctx.code ?? "";
+    if (language === "java") {
+      const safeInFile = JAVA_SAFE_EVIDENCE_RE.test(code);
+      if (safeInFile)
+        return { findings };
+      for (const call of graph.ir.calls) {
+        const det = this.detectJavaCall(call);
+        if (!det)
+          continue;
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.api}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: det.cwe,
+          severity: "high",
+          level: "error",
+          message: `${det.api} created without disabling DTD / external-entity ` + "processing. Vulnerable to billion-laughs / quadratic " + "blow-up DoS (CWE-776) and external-entity disclosure " + '(CWE-611). Add `setFeature("http://apache.org/xml/features/' + 'disallow-doctype-decl", true)` (or the equivalent) before ' + "parsing.",
+          file,
+          line,
+          fix: this.fixForJava(det.api),
+          evidence: { ...det, language, safeFeatureInFile: false }
+        });
+      }
+      return { findings };
+    }
+    if (language === "python") {
+      const safeInFile = PY_LXML_PARSER_INSECURE_DEFAULT_RE.test(code) || /\bdefusedxml\b/.test(code);
+      if (safeInFile)
+        return { findings };
+      for (const call of graph.ir.calls) {
+        const det = this.detectPythonCall(call);
+        if (!det)
+          continue;
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.api}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: det.cwe,
+          severity: "high",
+          level: "error",
+          message: `${det.api} called without an entity-safe parser. Vulnerable ` + "to billion-laughs / quadratic blow-up DoS (CWE-776) and " + "external-entity disclosure (CWE-611). Use `defusedxml` or pass " + "an `XMLParser(resolve_entities=False)` to lxml.",
+          file,
+          line,
+          fix: this.fixForPython(det.api),
+          evidence: { ...det, language, safeFeatureInFile: false }
+        });
+      }
+      return { findings };
+    }
+    return { findings };
+  }
+  detectJavaCall(call) {
+    if (call.method_name !== "newInstance")
+      return null;
+    const recv = call.receiver ?? "";
+    const recvType = call.receiver_type ?? "";
+    for (const factory of JAVA_FACTORIES) {
+      if (recv === factory || recvType === factory || recv.endsWith("." + factory) || recvType.endsWith("." + factory)) {
+        return {
+          pattern: `${factory}.newInstance()`,
+          api: factory,
+          cwe: "CWE-776"
+        };
+      }
+    }
+    return null;
+  }
+  detectPythonCall(call) {
+    const recv = call.receiver ?? "";
+    const method = call.method_name;
+    if ((method === "parse" || method === "fromstring" || method === "XML") && (recv === "etree" || recv.endsWith(".etree"))) {
+      return {
+        pattern: `etree.${method}`,
+        api: `lxml.etree.${method}`,
+        cwe: "CWE-776"
+      };
+    }
+    if ((method === "parse" || method === "fromstring") && (recv === "ET" || recv === "ElementTree" || recv.endsWith(".ElementTree"))) {
+      return {
+        pattern: `ElementTree.${method}`,
+        api: `xml.etree.ElementTree.${method}`,
+        cwe: "CWE-776"
+      };
+    }
+    return null;
+  }
+  fixForJava(api) {
+    if (api === "SAXParserFactory") {
+      return 'Call `factory.setFeature("http://apache.org/xml/features/' + 'disallow-doctype-decl", true)` and ' + "`factory.setXIncludeAware(false)` before `newSAXParser()`.";
+    }
+    if (api === "DocumentBuilderFactory") {
+      return 'Call `factory.setFeature("http://apache.org/xml/features/' + 'disallow-doctype-decl", true)` and ' + "`factory.setExpandEntityReferences(false)` before " + "`newDocumentBuilder()`.";
+    }
+    if (api === "XMLInputFactory") {
+      return "Call `factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)` " + "and `factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_" + "ENTITIES, false)` before `createXMLStreamReader`.";
+    }
+    return "Use `XMLConstants.FEATURE_SECURE_PROCESSING` and explicitly disable " + "DTD / external-entity loading on the factory before parsing.";
+  }
+  fixForPython(api) {
+    if (api.startsWith("lxml.etree")) {
+      return "Pass an explicit parser: " + "`etree.parse(src, parser=etree.XMLParser(resolve_entities=False, " + "no_network=True))`. Even better, use the `defusedxml.lxml` wrapper.";
+    }
+    return "Replace `xml.etree.ElementTree` with `defusedxml.ElementTree`, which " + "disables DTD / entity processing by default.";
+  }
+}
+
+// ../circle-ir/dist/analysis/passes/mass-assignment-pass.js
+var PY_KWARGS_SPLAT_RE = /\*\*\s*(?:request|self\.request|flask\.request|ctx|self)\s*\.\s*(?:form|args|values|json|get_json\s*\(\s*\)|files|data)/;
+var JS_OBJECT_SPREAD_RE = /\{\s*\.\.\.\s*(?:req|request|ctx|context)(?:\.request)?\s*\.\s*(?:body|query|params|form)\b/;
+
+class MassAssignmentPass {
+  name = "mass-assignment";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const code = ctx.code ?? "";
+    if (!code)
+      return { findings };
+    const lines = code.split(`
+`);
+    if (language === "python") {
+      for (let i2 = 0;i2 < lines.length; i2++) {
+        const text = lines[i2] ?? "";
+        const m = PY_KWARGS_SPLAT_RE.exec(text);
+        if (!m)
+          continue;
+        const line = i2 + 1;
+        const det = {
+          pattern: "**request.<bag>",
+          match: m[0]
+        };
+        findings.push({
+          line,
+          language,
+          pattern: det.pattern,
+          snippet: text.trim().slice(0, 200)
+        });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-915",
+          severity: "high",
+          level: "error",
+          message: `HTTP request bag splatted into constructor / ORM helper via ` + `\`${det.match}\`. Every form field becomes a settable attribute ` + "on the domain object, including ones the endpoint did not " + "intend to expose (e.g. `is_admin`, `role`, `owner_id`).",
+          file,
+          line,
+          fix: "Replace the `**` splat with an explicit allow-list: " + "`Model(name=request.form['name'], email=request.form['email'])`. " + "For Django, use a `ModelForm` / serializer with `fields = [...]`.",
+          evidence: { pattern: det.pattern, match: det.match, language }
+        });
+      }
+      return { findings };
+    }
+    if (language === "javascript" || language === "typescript") {
+      for (let i2 = 0;i2 < lines.length; i2++) {
+        const text = lines[i2] ?? "";
+        const m = JS_OBJECT_SPREAD_RE.exec(text);
+        if (!m)
+          continue;
+        const line = i2 + 1;
+        findings.push({
+          line,
+          language,
+          pattern: "{...req.<bag>}",
+          snippet: text.trim().slice(0, 200)
+        });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-915",
+          severity: "high",
+          level: "error",
+          message: `HTTP request bag spread into object literal via \`${m[0]}\`. ` + "Every body field becomes a settable property on the resulting " + "object, including ones the endpoint did not intend to expose " + "(e.g. `isAdmin`, `role`, `ownerId`).",
+          file,
+          line,
+          fix: "Replace the spread with an explicit pick: " + "`const { name, email } = req.body; const user = { name, email };`. " + "For ORMs, use a DTO / Zod schema with `.pick(...)` or " + "allow-list serializers.",
+          evidence: { pattern: "{...req.<bag>}", match: m[0], language }
+        });
+      }
+      return { findings };
+    }
+    return { findings };
+  }
+}
+
 // ../circle-ir/dist/graph/import-graph.js
 function dirname(filePath) {
   const idx = filePath.lastIndexOf("/");
@@ -29276,6 +29791,12 @@ async function analyze(code, filePath, language, options = {}) {
       pipeline.add(new TlsVerifyDisabledPass);
     if (!disabledPasses.has("jwt-verify-disabled"))
       pipeline.add(new JwtVerifyDisabledPass);
+    if (!disabledPasses.has("csrf-protection-disabled"))
+      pipeline.add(new CsrfProtectionDisabledPass);
+    if (!disabledPasses.has("xml-entity-expansion"))
+      pipeline.add(new XmlEntityExpansionPass);
+    if (!disabledPasses.has("mass-assignment"))
+      pipeline.add(new MassAssignmentPass);
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");
@@ -29469,7 +29990,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.54.0";
+var version = "3.56.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.54.0",
+  "version": "3.56.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.54.0"
+    "circle-ir": "^3.56.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",