cognium-dev 3.57.0 → 3.59.0

package/dist/cli.js

@@ -10233,10 +10233,10 @@ var DEFAULT_SOURCES = [
   { method: "cookie", class: "HttpRequest", type: "http_cookie", severity: "high", return_tainted: true },
   { method: "param", class: "Request", type: "http_param", severity: "high", return_tainted: true },
   { method: "cookies", class: "Request", type: "http_cookie", severity: "high", return_tainted: true },
-  { method: "Json", type: "http_body", severity: "high", return_tainted: true },
-  { method: "Query", type: "http_param", severity: "high", return_tainted: true },
-  { method: "Path", type: "http_path", severity: "high", return_tainted: true },
-  { method: "Form", type: "http_param", severity: "high", return_tainted: true },
+  { method: "Json", type: "http_body", severity: "high", return_tainted: true, languages: ["rust"] },
+  { method: "Query", type: "http_param", severity: "high", return_tainted: true, languages: ["rust"] },
+  { method: "Path", type: "http_path", severity: "high", return_tainted: true, languages: ["rust"] },
+  { method: "Form", type: "http_param", severity: "high", return_tainted: true, languages: ["rust"] },
   { method: "var", class: "env", type: "env_input", severity: "medium", return_tainted: true },
   { method: "var_os", class: "env", type: "env_input", severity: "medium", return_tainted: true },
   { method: "args", class: "env", type: "env_input", severity: "medium", return_tainted: true },
@@ -10389,10 +10389,10 @@ var DEFAULT_SINKS = [
   { method: "UrlResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "PathResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "forFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "resolve", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "resolve", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "resolveSibling", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "relativize", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0] },
+  { method: "resolve", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "resolve", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "resolveSibling", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "relativize", class: "Path", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0], languages: ["java"] },
   { method: "staticFiles", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "setRoot", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "setWebRoot", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -11208,6 +11208,11 @@ var DEFAULT_SANITIZERS = [
   { method: "toRealPath", class: "Path", removes: ["path_traversal"] },
   { method: "file_name", removes: ["path_traversal"] },
   { method: "canonicalize", removes: ["path_traversal"] },
+  { method: "Base", class: "filepath", removes: ["path_traversal"] },
+  { method: "Base", class: "path", removes: ["path_traversal"] },
+  { method: "Clean", class: "filepath", removes: ["path_traversal"] },
+  { method: "Clean", class: "path", removes: ["path_traversal"] },
+  { method: "EvalSymlinks", class: "filepath", removes: ["path_traversal"] },
   { method: "replace", removes: ["log_injection"] },
   { method: "encodeForLDAP", removes: ["ldap_injection"] },
   { method: "encodeForDN", removes: ["ldap_injection"] },
@@ -11268,6 +11273,7 @@ var DEFAULT_SANITIZERS = [
   { method: "abspath", class: "os.path", removes: ["path_traversal"] },
   { method: "realpath", class: "path", removes: ["path_traversal"] },
   { method: "abspath", class: "path", removes: ["path_traversal"] },
+  { method: "resolve", class: "Path", removes: ["path_traversal"] },
   { method: "int", removes: ["sql_injection", "command_injection", "xss"] },
   { method: "float", removes: ["sql_injection", "command_injection"] },
   { method: "query!", removes: ["sql_injection"] },
@@ -11287,7 +11293,25 @@ var DEFAULT_SANITIZERS = [
   { method: "encode_text", class: "html_escape", removes: ["xss"] },
   { method: "encode_attribute", class: "html_escape", removes: ["xss"] },
   { method: "escape_html", removes: ["xss"] },
-  { method: "parse", removes: ["sql_injection", "command_injection", "xss"] }
+  { method: "parse", removes: ["sql_injection", "command_injection", "xss"] },
+  { method: "parseInt", class: "Integer", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseLong", class: "Long", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseFloat", class: "Float", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseDouble", class: "Double", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseShort", class: "Short", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "parseByte", class: "Byte", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "fromString", class: "UUID", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "BigInt", removes: ["sql_injection", "nosql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "Atoi", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "ParseInt", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "ParseFloat", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "ParseUint", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "ParseBool", class: "strconv", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "Parse", class: "uuid", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "MustParse", class: "uuid", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "bool", removes: ["sql_injection", "command_injection", "xss", "code_injection"] },
+  { method: "UUID", class: "uuid", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] },
+  { method: "Decimal", class: "decimal", removes: ["sql_injection", "command_injection", "path_traversal", "code_injection"] }
 ];
 function getDefaultConfig() {
   return {
@@ -11398,7 +11422,7 @@ function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy,
 `) : undefined;
   const sources = findSources(calls, types, config.sources, sourceLines, language);
   const sinks = findSinks(calls, config.sinks, typeHierarchy, language, sourceLines);
-  const sanitizers = findSanitizers(calls, types, config.sanitizers);
+  const sanitizers = findSanitizers(calls, types, config.sanitizers, sourceLines);
   return { sources, sinks, sanitizers };
 }
 function attachSourceLineCode(sources, sinks, code) {
@@ -11419,6 +11443,9 @@ function findSources(calls, types, patterns, sourceLines, language) {
   const sources = [];
   for (const call of calls) {
     for (const pattern of patterns) {
+      if (pattern.languages && pattern.languages.length > 0 && language !== undefined && !pattern.languages.includes(language)) {
+        continue;
+      }
       if (matchesSourcePattern(call, pattern)) {
         sources.push({
           type: pattern.type,
@@ -12048,6 +12075,15 @@ function receiverMightBeClass(receiver, className) {
   if (receiver === className) {
     return true;
   }
+  if (receiver.endsWith(")")) {
+    const ctorMatch = receiver.match(/^(\w+)\(/);
+    if (ctorMatch) {
+      const ctorName = ctorMatch[1];
+      if (ctorName === className || ctorName.toLowerCase() === className.toLowerCase()) {
+        return true;
+      }
+    }
+  }
   if (receiver.includes("::")) {
     const scopePrefix = receiver.match(/^(\w+)::/);
     if (scopePrefix) {
@@ -12290,7 +12326,7 @@ function calculateSinkConfidence(call, pattern) {
   }
   return Math.min(confidence, 1);
 }
-function findSanitizers(calls, types, patterns) {
+function findSanitizers(calls, types, patterns, sourceLines) {
   const sanitizers = [];
   const sanitizerMethods = new Set;
   for (const type of types) {
@@ -12300,6 +12336,77 @@ function findSanitizers(calls, types, patterns) {
       }
     }
   }
+  const wrapperSanitizers = new Map;
+  for (const type of types) {
+    for (const method of type.methods) {
+      const bodySize = method.end_line - method.start_line;
+      if (bodySize < 0 || bodySize > 2)
+        continue;
+      const paramNames = new Set(method.parameters.map((p) => p.name));
+      if (paramNames.size === 0)
+        continue;
+      const inside = [];
+      for (const c of calls) {
+        if (c.location.line < method.start_line || c.location.line > method.end_line)
+          continue;
+        if (c.method_name === method.name)
+          continue;
+        inside.push(c);
+      }
+      if (inside.length !== 1)
+        continue;
+      const innerCall = inside[0];
+      let matched;
+      for (const pattern of patterns) {
+        if (matchesSanitizerPattern(innerCall, pattern)) {
+          matched = pattern;
+          break;
+        }
+      }
+      if (!matched || !matched.removes || matched.removes.length === 0)
+        continue;
+      let argOk = false;
+      for (const arg of innerCall.arguments) {
+        if (arg.variable && paramNames.has(arg.variable)) {
+          argOk = true;
+          break;
+        }
+      }
+      if (!argOk)
+        continue;
+      if (sourceLines) {
+        const lineText = sourceLines[innerCall.location.line - 1] ?? "";
+        const stripped = lineText.trim();
+        const returnMatch = stripped.match(/^return\s+(?:await\s+)?(.*)$/);
+        if (!returnMatch)
+          continue;
+        const after = returnMatch[1].replace(/;\s*$/, "").trimEnd();
+        const callPrefix = innerCall.receiver ? `${innerCall.receiver}.${innerCall.method_name}(` : `${innerCall.method_name}(`;
+        if (!after.startsWith(callPrefix))
+          continue;
+        if (!after.endsWith(")"))
+          continue;
+      }
+      const existing = wrapperSanitizers.get(method.name);
+      if (existing) {
+        const set = new Set([...existing, ...matched.removes]);
+        wrapperSanitizers.set(method.name, Array.from(set));
+      } else {
+        wrapperSanitizers.set(method.name, [...matched.removes]);
+      }
+    }
+  }
+  for (const call of calls) {
+    const removes = wrapperSanitizers.get(call.method_name);
+    if (!removes)
+      continue;
+    sanitizers.push({
+      type: "derived_wrapper",
+      method: formatSanitizerMethod(call),
+      line: call.location.line,
+      sanitizes: removes
+    });
+  }
   for (const call of calls) {
     if (sanitizerMethods.has(call.method_name)) {
       sanitizers.push({
@@ -12957,7 +13064,24 @@ var SANITIZER_METHODS = new Set([
   "validatePath",
   "validateCityName",
   "validateInput",
-  "sanitizeInput"
+  "sanitizeInput",
+  "parseInt",
+  "parseLong",
+  "parseFloat",
+  "parseDouble",
+  "parseShort",
+  "parseByte",
+  "fromString",
+  "Number",
+  "BigInt",
+  "Atoi",
+  "ParseInt",
+  "ParseFloat",
+  "ParseUint",
+  "ParseBool",
+  "int",
+  "float",
+  "bool"
 ]);
 var ANTI_SANITIZER_METHODS = new Set([
   "decode",
@@ -13030,6 +13154,7 @@ class ConstantPropagator {
   currentClassName = null;
   inConstructor = false;
   constructorParamPositions = new Map;
+  safePatternFieldsCache = null;
   analyze(tree, sourceCode, additionalTaintPatterns = [], sanitizerMethods = [], taintedParameters = []) {
     this.source = sourceCode;
     this.additionalTaintPatterns = additionalTaintPatterns;
@@ -13060,12 +13185,14 @@ class ConstantPropagator {
     this.currentClassName = null;
     this.inConstructor = false;
     this.constructorParamPositions.clear();
+    this.safePatternFieldsCache = null;
     this.collectClassFields(tree.rootNode);
     for (const methodName of sanitizerMethods) {
       this.methodReturnsSanitized.add(methodName);
     }
     this.evaluator = new ExpressionEvaluator(this.source, (name2) => this.lookupSymbol(name2));
     this.analyzeMethodReturns(tree.rootNode);
+    this.seedPythonModuleConstants(tree.rootNode);
     this.visit(tree.rootNode);
     this.refineTaintFromConstants();
     const resultTainted = new Set(this.tainted);
@@ -13410,6 +13537,141 @@ class ConstantPropagator {
       }
     }
   }
+  fieldDeclHasPrimitiveLiteralValue(node) {
+    const primitive = new Set([
+      "true",
+      "false",
+      "null_literal",
+      "decimal_integer_literal",
+      "hex_integer_literal",
+      "octal_integer_literal",
+      "binary_integer_literal",
+      "decimal_floating_point_literal",
+      "hex_floating_point_literal",
+      "character_literal",
+      "string_literal",
+      "number",
+      "string"
+    ]);
+    for (const child of node.children) {
+      if (child.type !== "variable_declarator")
+        continue;
+      const value = child.childForFieldName("value");
+      if (!value)
+        continue;
+      if (!primitive.has(value.type))
+        return false;
+    }
+    return true;
+  }
+  getSafePatternFields() {
+    if (this.safePatternFieldsCache !== null)
+      return this.safePatternFieldsCache;
+    const set = new Set;
+    const re = /\b(?:public\s+|private\s+|protected\s+)?(?:static\s+final|final\s+static)\s+(?:java\.util\.regex\.)?Pattern\s+(\w+)\s*=\s*(?:java\.util\.regex\.)?Pattern\s*\.\s*compile\s*\(\s*"((?:[^"\\]|\\.)*)"/g;
+    let m;
+    while ((m = re.exec(this.source)) !== null) {
+      const name2 = m[1];
+      const regex = m[2];
+      if (this.isStrictAnchoredRegex(regex))
+        set.add(name2);
+    }
+    this.safePatternFieldsCache = set;
+    return set;
+  }
+  isStrictAnchoredRegex(re) {
+    if (!re.startsWith("^") || !re.endsWith("$"))
+      return false;
+    const stripped = re.replace(/\[(?:[^\]\\]|\\.)*\]/g, "");
+    const cleaned = stripped.replace(/\\./g, "");
+    if (cleaned.includes("."))
+      return false;
+    if (cleaned.includes("|"))
+      return false;
+    return true;
+  }
+  detectRegexAllowlistGuard(condition, consequence) {
+    if (!consequence)
+      return null;
+    let condText = getNodeText2(condition, this.source).replace(/\s+/g, "");
+    while (condText.startsWith("(") && condText.endsWith(")")) {
+      const inner = condText.slice(1, -1);
+      let depth = 0;
+      let balanced = true;
+      for (let i2 = 0;i2 < inner.length; i2++) {
+        if (inner[i2] === "(")
+          depth++;
+        else if (inner[i2] === ")")
+          depth--;
+        if (depth < 0) {
+          balanced = false;
+          break;
+        }
+      }
+      if (!balanced || depth !== 0)
+        break;
+      condText = inner;
+    }
+    const m = condText.match(/^!(\w+)\.matcher\((\w+)\)\.matches\(\)$/);
+    if (!m)
+      return null;
+    const patternName = m[1];
+    const varName = m[2];
+    if (!this.getSafePatternFields().has(patternName))
+      return null;
+    if (!this.consequenceContainsThrow(consequence))
+      return null;
+    return varName;
+  }
+  consequenceContainsThrow(node) {
+    if (node.type === "throw_statement")
+      return true;
+    const stack = [node];
+    while (stack.length > 0) {
+      const n = stack.pop();
+      if (!n)
+        continue;
+      if (n.type === "throw_statement")
+        return true;
+      if (n.type === "if_statement" || n.type === "switch_statement")
+        continue;
+      for (const c of n.children)
+        stack.push(c);
+    }
+    return false;
+  }
+  seedPythonModuleConstants(root) {
+    if (root.type !== "module")
+      return;
+    for (const child of root.children) {
+      const target = child.type === "assignment" ? child : child.type === "expression_statement" && child.children.length > 0 ? child.children[0] : null;
+      if (!target || target.type !== "assignment")
+        continue;
+      const left = target.childForFieldName("left");
+      const right = target.childForFieldName("right");
+      if (!left || !right)
+        continue;
+      if (left.type !== "identifier")
+        continue;
+      const allowed = new Set([
+        "true",
+        "false",
+        "none",
+        "integer",
+        "float",
+        "string"
+      ]);
+      if (!allowed.has(right.type))
+        continue;
+      const name2 = getNodeText2(left, this.source);
+      if (!name2)
+        continue;
+      const value = this.evaluateExpression(right);
+      if (!isKnown(value))
+        continue;
+      this.symbols.set(name2, value);
+    }
+  }
   findAllMethods(node) {
     const methods = [];
     const stack = [node];
@@ -13495,6 +13757,11 @@ class ConstantPropagator {
       case "local_variable_declaration":
         this.handleVariableDeclaration(node);
         return false;
+      case "field_declaration":
+        if (this.fieldDeclHasPrimitiveLiteralValue(node)) {
+          this.handleVariableDeclaration(node);
+        }
+        return false;
       case "assignment_expression":
         this.handleAssignment(node);
         return false;
@@ -13964,6 +14231,16 @@ class ConstantPropagator {
       }
       this.inConditionalBranch = wasInConditional;
       this.tainted = new Set([...taintedBefore, ...taintedAfterThen, ...taintedAfterElse]);
+      const guardedVar = this.detectRegexAllowlistGuard(condition, consequence);
+      if (guardedVar) {
+        this.tainted.delete(guardedVar);
+        this.sanitizedVars.add(guardedVar);
+        const scoped = this.getScopedName(guardedVar);
+        if (scoped !== guardedVar) {
+          this.tainted.delete(scoped);
+          this.sanitizedVars.add(scoped);
+        }
+      }
     }
   }
   normalizeCondition(cond) {
@@ -14135,15 +14412,26 @@ class ConstantPropagator {
     return null;
   }
   isSanitizerMethodCall(node) {
-    if (node.type !== "method_invocation") {
+    const methodName = this.extractCallName(node);
+    if (!methodName)
       return false;
+    return SANITIZER_METHODS.has(methodName) || this.methodReturnsSanitized.has(methodName);
+  }
+  extractCallName(node) {
+    let fnNode = null;
+    if (node.type === "method_invocation") {
+      fnNode = node.childForFieldName("name");
+    } else if (node.type === "call_expression" || node.type === "call") {
+      fnNode = node.childForFieldName("function");
     }
-    const nameNode = node.childForFieldName("name");
-    if (!nameNode) {
-      return false;
+    if (!fnNode)
+      return null;
+    if (fnNode.type === "selector_expression" || fnNode.type === "member_expression" || fnNode.type === "attribute") {
+      const tail = fnNode.childForFieldName("field") || fnNode.childForFieldName("property") || fnNode.childForFieldName("attribute");
+      if (tail)
+        return getNodeText2(tail, this.source);
     }
-    const methodName = getNodeText2(nameNode, this.source);
-    return SANITIZER_METHODS.has(methodName) || this.methodReturnsSanitized.has(methodName);
+    return getNodeText2(fnNode, this.source);
   }
   isAntiSanitizerCall(node) {
     if (node.type !== "method_invocation") {
@@ -20350,6 +20638,7 @@ class LanguageSourcesPass {
     const additionalSources = [];
     const additionalSinks = [];
     additionalSources.push(...findGetterSources(types, constProp.instanceFieldTaint, code));
+    additionalSources.push(...findOopFieldReadSources(types, code, language));
     additionalSources.push(...findJavaScriptAssignmentSources(code, language));
     const jsDOMSinks = findJavaScriptDOMSinks(code, language);
     for (const s of jsDOMSinks) {
@@ -20455,6 +20744,128 @@ function findGetterSources(types, instanceFieldTaint, _sourceCode) {
   }
   return sources;
 }
+function findOopFieldReadSources(types, sourceCode, language) {
+  if (language !== "java" && language !== "python")
+    return [];
+  const sources = [];
+  const lines = sourceCode.split(`
+`);
+  const isPython = language === "python";
+  const SELF = isPython ? "self" : "this";
+  const javaHttpPattern = /\b(?:req|request|httpRequest|servletRequest|httpServletRequest)\.(?:getParameter|getParameterValues|getParameterMap|getHeader|getHeaders|getCookies|getQueryString|getPathInfo|getRequestURI|getRequestURL|getInputStream|getReader)\b/;
+  const fieldAssignRe = new RegExp(`^\\s*${SELF}\\.([A-Za-z_]\\w*)\\s*=\\s*(.+?)(?:;\\s*)?$`);
+  const commentPrefix = isPython ? "#" : "//";
+  for (const type of types) {
+    if (type.kind !== "class")
+      continue;
+    if (type.name === "<module>")
+      continue;
+    let ctor;
+    for (const m of type.methods) {
+      if (isPython) {
+        if (m.name === "__init__") {
+          ctor = m;
+          break;
+        }
+      } else {
+        if (m.name === type.name) {
+          ctor = m;
+          break;
+        }
+      }
+    }
+    if (!ctor)
+      continue;
+    const paramNames = new Set;
+    for (const p of ctor.parameters) {
+      if (p.name === "self" || p.name === "this")
+        continue;
+      paramNames.add(p.name);
+    }
+    const fieldTaint = new Map;
+    const ctorStart = ctor.start_line;
+    const ctorEnd = ctor.end_line;
+    for (let i2 = ctorStart - 1;i2 < Math.min(ctorEnd, lines.length); i2++) {
+      const line = lines[i2] ?? "";
+      if (line.trim().startsWith(commentPrefix))
+        continue;
+      const m = line.match(fieldAssignRe);
+      if (!m)
+        continue;
+      const fieldName = m[1];
+      const rhs = m[2].trim().replace(/;\s*$/, "");
+      let sourceType = null;
+      if (paramNames.has(rhs)) {
+        sourceType = "interprocedural_param";
+      } else if (!isPython && javaHttpPattern.test(rhs)) {
+        sourceType = "http_param";
+      } else if (isPython) {
+        for (const { pattern, type: type2 } of PYTHON_TAINTED_PATTERNS2) {
+          if (pattern.test(rhs)) {
+            sourceType = type2;
+            break;
+          }
+        }
+      }
+      if (sourceType) {
+        fieldTaint.set(fieldName, { line: i2 + 1, type: sourceType });
+      }
+    }
+    if (fieldTaint.size === 0)
+      continue;
+    for (const [fieldName, info2] of fieldTaint) {
+      sources.push({
+        type: info2.type,
+        location: `${type.name}.${SELF}.${fieldName} (constructor-injected field, #78)`,
+        severity: "high",
+        line: info2.line,
+        confidence: 0.85,
+        variable: `${SELF}.${fieldName}`
+      });
+    }
+    for (const m of type.methods) {
+      if (m === ctor)
+        continue;
+      const nonSelfParams = m.parameters.filter((p) => p.name !== "self" && p.name !== "this");
+      if (nonSelfParams.length !== 0)
+        continue;
+      const mStart = m.start_line;
+      const mEnd = m.end_line;
+      let returnedField = null;
+      let returnStatementCount = 0;
+      const returnRe = new RegExp(`\\breturn\\s+${SELF}\\.([A-Za-z_]\\w*)\\s*[;}]?`);
+      for (let i2 = mStart - 1;i2 < Math.min(mEnd, lines.length); i2++) {
+        const raw = lines[i2] ?? "";
+        const trimmed = raw.trim();
+        if (!trimmed)
+          continue;
+        if (trimmed.startsWith(commentPrefix))
+          continue;
+        const rm = trimmed.match(returnRe);
+        if (rm) {
+          returnedField = rm[1];
+          returnStatementCount++;
+        } else if (/\breturn\b/.test(trimmed)) {
+          returnStatementCount = 99;
+          break;
+        }
+      }
+      if (returnStatementCount === 1 && returnedField && fieldTaint.has(returnedField)) {
+        const fieldInfo = fieldTaint.get(returnedField);
+        const getterVar = isPython ? `${SELF}.${m.name}` : m.name;
+        sources.push({
+          type: fieldInfo.type,
+          location: `${type.name}.${m.name} returns tainted field '${returnedField}' (#78)`,
+          severity: "high",
+          line: m.start_line,
+          confidence: 0.85,
+          variable: getterVar
+        });
+      }
+    }
+  }
+  return sources;
+}
 function findJavaScriptAssignmentSources(sourceCode, language) {
   if (!["javascript", "typescript"].includes(language))
     return [];
@@ -20821,26 +21232,44 @@ function findBashTaintSources(sourceCode, dfg) {
   const lines = sourceCode.split(`
 `);
   const definedVars = new Set(dfg.defs.filter((d) => d.kind === "local").map((d) => d.variable));
+  const fnHeaderRe = /^\s*(?:function\s+)?[A-Za-z_][\w-]*\s*\(\s*\)\s*\{?\s*$|^\s*function\s+[A-Za-z_][\w-]*\s*\{?\s*$/;
+  let braceDepth = 0;
   for (let i2 = 0;i2 < lines.length; i2++) {
     const line = lines[i2];
     const trimmed = line.trim();
     const lineNumber = i2 + 1;
     if (trimmed.startsWith("#"))
       continue;
-    const positionalRe = /\$([1-9@*])|\$\{([1-9@*])\}/g;
-    let m;
-    while ((m = positionalRe.exec(line)) !== null) {
-      const param = m[1] ?? m[2];
-      const alreadyExists = sources.some((s) => s.line === lineNumber && s.variable === param);
-      if (!alreadyExists) {
-        sources.push({
-          type: "io_input",
-          location: `positional parameter $${param}`,
-          severity: "high",
-          line: lineNumber,
-          confidence: 1,
-          variable: param
-        });
+    const insideFunction = braceDepth > 0;
+    if (!insideFunction) {
+      const positionalRe = /\$([1-9@*])|\$\{([1-9@*])\}/g;
+      let m;
+      while ((m = positionalRe.exec(line)) !== null) {
+        const param = m[1] ?? m[2];
+        const alreadyExists = sources.some((s) => s.line === lineNumber && s.variable === param);
+        if (!alreadyExists) {
+          sources.push({
+            type: "io_input",
+            location: `positional parameter $${param}`,
+            severity: "high",
+            line: lineNumber,
+            confidence: 1,
+            variable: param
+          });
+        }
+      }
+    }
+    if (fnHeaderRe.test(line) || /^\s*[A-Za-z_][\w-]*\s*\(\s*\)\s*\{/.test(line)) {
+      const openBracesOnLine = (line.match(/\{/g) ?? []).length;
+      const closeBracesOnLine = (line.match(/\}/g) ?? []).length;
+      braceDepth += openBracesOnLine - closeBracesOnLine;
+    } else {
+      if (braceDepth > 0) {
+        const openBracesOnLine = (line.match(/\{/g) ?? []).length;
+        const closeBracesOnLine = (line.match(/\}/g) ?? []).length;
+        braceDepth += openBracesOnLine - closeBracesOnLine;
+        if (braceDepth < 0)
+          braceDepth = 0;
       }
     }
     const cmdSubAssign = trimmed.match(/^(\w+)=\$\((\w+)\s/);
@@ -21287,10 +21716,15 @@ function filterCleanVariableSinks(sinks, calls, taintedVars, symbols, dfg, sanit
     const callsAtSink = callsByLine.get(sink.line) ?? [];
     const isInSynchronizedBlock = synchronizedLines?.has(sink.line) ?? false;
     const relevantCalls = sink.method ? callsAtSink.filter((c) => c.method_name === sink.method) : callsAtSink;
+    const trustArgPositions = language !== "bash" && language !== "shell";
     for (const call of relevantCalls) {
       let allArgsAreClean = true;
+      let dangerousArgCount = 0;
       const methodName = call.in_method;
       for (const arg of call.arguments) {
+        if (trustArgPositions && sink.argPositions && sink.argPositions.length > 0 && !sink.argPositions.includes(arg.position))
+          continue;
+        dangerousArgCount++;
         if (language === "bash" && arg.expression === call.method_name && !arg.variable && arg.literal == null)
           continue;
         if (arg.variable && !arg.expression?.includes("[")) {
@@ -21318,7 +21752,7 @@ function filterCleanVariableSinks(sinks, calls, taintedVars, symbols, dfg, sanit
           allArgsAreClean = false;
         }
       }
-      if (allArgsAreClean && call.arguments.length > 0)
+      if (allArgsAreClean && dangerousArgCount > 0)
         return false;
     }
     return true;
@@ -21369,6 +21803,17 @@ function filterSanitizedSinks(sinks, sanitizers, calls) {
 }
 
 // ../circle-ir/dist/analysis/taint-propagation.js
+function buildSanitizersByLine(sanitizers) {
+  const out2 = new Map;
+  for (const san of sanitizers) {
+    const existing = out2.get(san.line);
+    if (existing)
+      existing.push(san);
+    else
+      out2.set(san.line, [san]);
+  }
+  return out2;
+}
 function propagateTaint2(graphOrDfg, callsOrSources, sourcesOrSinks, sinksOrSanitizers, sanitizersArg) {
   let graph;
   let sources;
@@ -21404,7 +21849,7 @@ function propagateTaint2(graphOrDfg, callsOrSources, sourcesOrSinks, sinksOrSani
   const defsByLine = graph.defsByLine;
   const usesByLine = graph.usesByLine;
   const callsByLine = graph.callsByLine;
-  const sanitizersByLine = graph.sanitizersByLine;
+  const sanitizersByLine = sanitizers.length > 0 ? buildSanitizersByLine(sanitizers) : graph.sanitizersByLine;
   const defById = graph.defById;
   const rawInitialTaint = findInitialTaint(sources, callsByLine, defsByLine);
   const initialTaint = rawInitialTaint.filter((tv) => {
@@ -21672,7 +22117,7 @@ class TaintPropagationPass {
         flows.push(f);
       }
     }
-    const collectionFlows = detectCollectionFlows(calls, sources, sinks, constProp.tainted, constProp.unreachableLines) ?? [];
+    const collectionFlows = detectCollectionFlows(calls, sources, sinks, constProp.tainted, constProp.unreachableLines, ctx.code) ?? [];
     for (const f of collectionFlows) {
       if (flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line))
         continue;
@@ -21694,13 +22139,13 @@ class TaintPropagationPass {
         continue;
       flows.push(f);
     }
-    const paramFlows = detectParameterSinkFlows(types, calls, sources, sinks, constProp.unreachableLines) ?? [];
+    const paramFlows = detectParameterSinkFlows(types, calls, sources, sinks, constProp.unreachableLines, constProp.tainted, ctx.code) ?? [];
     for (const f of paramFlows) {
       if (!flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line)) {
         flows.push(f);
       }
     }
-    const exprScanFlows = detectExpressionScanFlows(calls, sources, sinks, sanitizers, constProp.unreachableLines, ctx.code, ctx.language) ?? [];
+    const exprScanFlows = detectExpressionScanFlows(calls, sources, sinks, sanitizers, constProp.unreachableLines, constProp.tainted, ctx.code, ctx.language) ?? [];
     for (const f of exprScanFlows) {
       if (flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line && x.sink_type === f.sink_type))
         continue;
@@ -21722,10 +22167,25 @@ class TaintPropagationPass {
         continue;
       flows.push(f);
     }
-    return { flows };
+    const sanitizedNames = constProp.sanitizedVars;
+    const finalFlows = sanitizedNames.size === 0 ? flows : flows.filter((f) => {
+      if (f.path.length === 0)
+        return true;
+      const sourceVar = f.path[0].variable;
+      if (!sourceVar)
+        return true;
+      if (sanitizedNames.has(sourceVar))
+        return false;
+      for (const s of sanitizedNames) {
+        if (s.endsWith(`:${sourceVar}`))
+          return false;
+      }
+      return true;
+    });
+    return { flows: finalFlows };
   }
 }
-function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLines) {
+function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLines, code) {
   const flows = [];
   const callsByLine = new Map;
   for (const call of calls) {
@@ -21748,6 +22208,9 @@ function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLi
           if (taintedVars.has(varName) || taintedVars.has(scopedName)) {
             const source = sources[0];
             if (source) {
+              if (typeof code === "string" && isReassignedToLiteralBetween(code, varName, source.line, sink.line)) {
+                continue;
+              }
               flows.push({
                 source_line: source.line,
                 sink_line: sink.line,
@@ -21782,6 +22245,9 @@ function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLi
               if (taintedVars.has(collectionVar) || taintedVars.has(scopedCollection)) {
                 const source = sources[0];
                 if (source) {
+                  if (typeof code === "string" && isReassignedToLiteralBetween(code, collectionVar, source.line, sink.line)) {
+                    continue;
+                  }
                   flows.push({
                     source_line: source.line,
                     sink_line: sink.line,
@@ -21852,7 +22318,7 @@ function detectArrayElementFlows(calls, sources, sinks, taintedArrayElements, un
   }
   return flows;
 }
-function detectParameterSinkFlows(types, calls, sources, sinks, unreachableLines) {
+function detectParameterSinkFlows(types, calls, sources, sinks, unreachableLines, tainted, code) {
   const flows = [];
   const paramSourcesByMethod = new Map;
   for (const source of sources) {
@@ -21898,6 +22364,9 @@ function detectParameterSinkFlows(types, calls, sources, sinks, unreachableLines
           if (paramSource) {
             const exists = flows.some((f) => f.source_line === paramSource.line && f.sink_line === sink.line);
             if (!exists) {
+              if (typeof code === "string" && isReassignedToLiteralBetween(code, arg.variable, paramSource.line, sink.line)) {
+                continue;
+              }
               flows.push({
                 source_line: paramSource.line,
                 sink_line: sink.line,
@@ -21918,7 +22387,28 @@ function detectParameterSinkFlows(types, calls, sources, sinks, unreachableLines
   }
   return flows;
 }
-function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachableLines, code, language) {
+function isReassignedToLiteralBetween(code, variable, srcLine, sinkLine) {
+  if (!variable || sinkLine - srcLine < 2)
+    return false;
+  if (!/^[A-Za-z_][\w]*$/.test(variable))
+    return false;
+  const lines = code.split(`
+`);
+  const lo = Math.max(0, srcLine);
+  const hi = Math.min(lines.length, sinkLine - 1);
+  const strLit = `(?:"[^"\\\\]*(?:\\\\.[^"\\\\]*)*"|'[^'\\\\]*(?:\\\\.[^'\\\\]*)*'|\`[^\`\\\\]*(?:\\\\.[^\`\\\\]*)*\`)`;
+  const reNaked = new RegExp(`^\\s*${variable}\\s*(?::?=)\\s*${strLit}\\s*;?\\s*$`);
+  const reGuarded = new RegExp(`^\\s*if\\b.*\\b${variable}\\s*=\\s*${strLit}\\s*;?\\s*$`);
+  for (let i2 = lo;i2 < hi; i2++) {
+    const line = lines[i2];
+    if (!line)
+      continue;
+    if (reNaked.test(line) || reGuarded.test(line))
+      return true;
+  }
+  return false;
+}
+function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachableLines, tainted, code, language) {
   const flows = [];
   const sourcesWithVar = sources.filter((s) => typeof s.variable === "string" && s.variable.length > 0);
   const aliasSanitizedFor = new Map;
@@ -21973,10 +22463,10 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
             continue;
           const rhs = rhsMatch[1];
           for (const san of lineSans) {
-            const sanMatch = san.method.match(/^(?:(\w+)\.)?(\w+)\(\)$/);
+            const sanMatch = san.method.match(/(\w+)\(\)$/);
             if (!sanMatch)
               continue;
-            const sanName = sanMatch[1] ? `${sanMatch[1]}.${sanMatch[2]}` : sanMatch[2];
+            const sanName = sanMatch[1];
             if (!rhs.includes(`${sanName}(`))
               continue;
             let set = aliasSanitizedFor.get(varName);
@@ -22048,6 +22538,9 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
           if (aliasSanitizedFor.get(source.variable)?.has(sink.type)) {
             break;
           }
+          if (typeof code === "string" && isReassignedToLiteralBetween(code, source.variable, source.line, sink.line)) {
+            break;
+          }
           flows.push({
             source_line: source.line,
             sink_line: sink.line,
@@ -22082,6 +22575,9 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
     for (const source of colocSources) {
       if (!canSourceReachSink(source.type, sink.type))
         continue;
+      if (source.type === "file_input" && sink.type === "path_traversal" && sink.method && source.location.includes(`${sink.method}(`)) {
+        continue;
+      }
       if (flows.some((f) => f.source_line === source.line && f.sink_line === sink.line && f.sink_type === sink.type))
         continue;
       flows.push({
@@ -26325,6 +26821,25 @@ var JS_ROUTE_METHODS = new Set([
   "head",
   "options"
 ]);
+var SECURITY_MIDDLEWARE_METHODS = new Set([
+  "helmet",
+  "frameguard",
+  "contentSecurityPolicy",
+  "hsts",
+  "noSniff",
+  "xssFilter",
+  "referrerPolicy",
+  "permittedCrossDomainPolicies",
+  "dnsPrefetchControl",
+  "frameOptions",
+  "headers",
+  "httpStrictTransportSecurity",
+  "contentTypeOptions",
+  "xssProtection",
+  "Talisman",
+  "Secure"
+]);
+var SECURITY_MIDDLEWARE_ANNOTATIONS_RE = /\b(EnableWebSecurity|SecurityFilterChain|after_request|before_request)\b/;
 
 class SecurityHeadersPass {
   name = "security-headers";
@@ -26355,6 +26870,7 @@ class SecurityHeadersPass {
       list.push(call);
     }
     const hasHandler = detectHandler(graph, calls);
+    const hasGlobalMiddleware = detectGlobalSecurityMiddleware(graph, calls);
     for (const rule of this.rules) {
       const headerKey = rule.header.toLowerCase();
       const writes = writtenHeaders.get(headerKey) ?? [];
@@ -26363,6 +26879,8 @@ class SecurityHeadersPass {
           continue;
         if (rule.requiresHandler !== false && !hasHandler)
           continue;
+        if (hasGlobalMiddleware)
+          continue;
         ctx.addFinding({
           id: `${rule.rule_id}-${file}`,
           pass: this.name,
@@ -26537,6 +27055,28 @@ function detectHandler(graph, calls) {
   }
   return false;
 }
+function detectGlobalSecurityMiddleware(graph, calls) {
+  for (const call of calls) {
+    if (SECURITY_MIDDLEWARE_METHODS.has(call.method_name))
+      return true;
+    if (call.method_name === "use" && call.arguments.length > 0) {
+      const firstArg = call.arguments[0].expression ?? "";
+      if (/\b(helmet|Talisman|secure)\b/.test(firstArg))
+        return true;
+    }
+  }
+  for (const type of graph.ir.types) {
+    if (type.annotations.some((a) => SECURITY_MIDDLEWARE_ANNOTATIONS_RE.test(a)))
+      return true;
+    for (const method of type.methods) {
+      if (method.annotations.some((a) => SECURITY_MIDDLEWARE_ANNOTATIONS_RE.test(a)))
+        return true;
+      if (/^security[A-Za-z]*FilterChain$/i.test(method.name))
+        return true;
+    }
+  }
+  return false;
+}
 function checkInheritedCorsHeaders(fileAnalyses, typeHierarchy, sourceLines) {
   const findings = [];
   for (const { file: parentFile, analysis: parentIR } of fileAnalyses) {
@@ -30023,7 +30563,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.57.0";
+var version = "3.59.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {
@@ -30797,7 +31337,8 @@ var TEST_PATTERNS = [
   /_test\.py$/,
   /_tests\.py$/,
   /test_.*\.py$/,
-  /_test\.rs$/
+  /_test\.rs$/,
+  /_test\.go$/
 ];
 function isTestFile2(filePath) {
   return TEST_PATTERNS.some((pattern) => pattern.test(filePath));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.57.0",
+  "version": "3.59.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.57.0"
+    "circle-ir": "^3.59.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",