cognium-dev 3.58.0 → 3.59.0

package/dist/cli.js

@@ -20638,6 +20638,7 @@ class LanguageSourcesPass {
     const additionalSources = [];
     const additionalSinks = [];
     additionalSources.push(...findGetterSources(types, constProp.instanceFieldTaint, code));
+    additionalSources.push(...findOopFieldReadSources(types, code, language));
     additionalSources.push(...findJavaScriptAssignmentSources(code, language));
     const jsDOMSinks = findJavaScriptDOMSinks(code, language);
     for (const s of jsDOMSinks) {
@@ -20743,6 +20744,128 @@ function findGetterSources(types, instanceFieldTaint, _sourceCode) {
   }
   return sources;
 }
+function findOopFieldReadSources(types, sourceCode, language) {
+  if (language !== "java" && language !== "python")
+    return [];
+  const sources = [];
+  const lines = sourceCode.split(`
+`);
+  const isPython = language === "python";
+  const SELF = isPython ? "self" : "this";
+  const javaHttpPattern = /\b(?:req|request|httpRequest|servletRequest|httpServletRequest)\.(?:getParameter|getParameterValues|getParameterMap|getHeader|getHeaders|getCookies|getQueryString|getPathInfo|getRequestURI|getRequestURL|getInputStream|getReader)\b/;
+  const fieldAssignRe = new RegExp(`^\\s*${SELF}\\.([A-Za-z_]\\w*)\\s*=\\s*(.+?)(?:;\\s*)?$`);
+  const commentPrefix = isPython ? "#" : "//";
+  for (const type of types) {
+    if (type.kind !== "class")
+      continue;
+    if (type.name === "<module>")
+      continue;
+    let ctor;
+    for (const m of type.methods) {
+      if (isPython) {
+        if (m.name === "__init__") {
+          ctor = m;
+          break;
+        }
+      } else {
+        if (m.name === type.name) {
+          ctor = m;
+          break;
+        }
+      }
+    }
+    if (!ctor)
+      continue;
+    const paramNames = new Set;
+    for (const p of ctor.parameters) {
+      if (p.name === "self" || p.name === "this")
+        continue;
+      paramNames.add(p.name);
+    }
+    const fieldTaint = new Map;
+    const ctorStart = ctor.start_line;
+    const ctorEnd = ctor.end_line;
+    for (let i2 = ctorStart - 1;i2 < Math.min(ctorEnd, lines.length); i2++) {
+      const line = lines[i2] ?? "";
+      if (line.trim().startsWith(commentPrefix))
+        continue;
+      const m = line.match(fieldAssignRe);
+      if (!m)
+        continue;
+      const fieldName = m[1];
+      const rhs = m[2].trim().replace(/;\s*$/, "");
+      let sourceType = null;
+      if (paramNames.has(rhs)) {
+        sourceType = "interprocedural_param";
+      } else if (!isPython && javaHttpPattern.test(rhs)) {
+        sourceType = "http_param";
+      } else if (isPython) {
+        for (const { pattern, type: type2 } of PYTHON_TAINTED_PATTERNS2) {
+          if (pattern.test(rhs)) {
+            sourceType = type2;
+            break;
+          }
+        }
+      }
+      if (sourceType) {
+        fieldTaint.set(fieldName, { line: i2 + 1, type: sourceType });
+      }
+    }
+    if (fieldTaint.size === 0)
+      continue;
+    for (const [fieldName, info2] of fieldTaint) {
+      sources.push({
+        type: info2.type,
+        location: `${type.name}.${SELF}.${fieldName} (constructor-injected field, #78)`,
+        severity: "high",
+        line: info2.line,
+        confidence: 0.85,
+        variable: `${SELF}.${fieldName}`
+      });
+    }
+    for (const m of type.methods) {
+      if (m === ctor)
+        continue;
+      const nonSelfParams = m.parameters.filter((p) => p.name !== "self" && p.name !== "this");
+      if (nonSelfParams.length !== 0)
+        continue;
+      const mStart = m.start_line;
+      const mEnd = m.end_line;
+      let returnedField = null;
+      let returnStatementCount = 0;
+      const returnRe = new RegExp(`\\breturn\\s+${SELF}\\.([A-Za-z_]\\w*)\\s*[;}]?`);
+      for (let i2 = mStart - 1;i2 < Math.min(mEnd, lines.length); i2++) {
+        const raw = lines[i2] ?? "";
+        const trimmed = raw.trim();
+        if (!trimmed)
+          continue;
+        if (trimmed.startsWith(commentPrefix))
+          continue;
+        const rm = trimmed.match(returnRe);
+        if (rm) {
+          returnedField = rm[1];
+          returnStatementCount++;
+        } else if (/\breturn\b/.test(trimmed)) {
+          returnStatementCount = 99;
+          break;
+        }
+      }
+      if (returnStatementCount === 1 && returnedField && fieldTaint.has(returnedField)) {
+        const fieldInfo = fieldTaint.get(returnedField);
+        const getterVar = isPython ? `${SELF}.${m.name}` : m.name;
+        sources.push({
+          type: fieldInfo.type,
+          location: `${type.name}.${m.name} returns tainted field '${returnedField}' (#78)`,
+          severity: "high",
+          line: m.start_line,
+          confidence: 0.85,
+          variable: getterVar
+        });
+      }
+    }
+  }
+  return sources;
+}
 function findJavaScriptAssignmentSources(sourceCode, language) {
   if (!["javascript", "typescript"].includes(language))
     return [];
@@ -30440,7 +30563,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.58.0";
+var version = "3.59.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.58.0",
+  "version": "3.59.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.58.0"
+    "circle-ir": "^3.59.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",