cognium-dev 3.58.0 → 3.62.0

package/dist/cli.js

@@ -3612,7 +3612,7 @@ function detectLanguage(tree) {
 }
 function extractTypes(tree, cache, language) {
   const effectiveLanguage = language ?? detectLanguage(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
   if (effectiveLanguage === "go") {
@@ -5041,7 +5041,7 @@ function detectLanguageFromTree(tree, cache) {
 function extractCalls(tree, cache, language) {
   const calls = [];
   const detectedLanguage = language ?? detectLanguageFromTree(tree, cache);
-  const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript";
+  const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript" || detectedLanguage === "tsx";
   const isPython = detectedLanguage === "python";
   const isRust = detectedLanguage === "rust";
   if (detectedLanguage === "go") {
@@ -5090,8 +5090,149 @@ function extractJavaScriptCalls(tree, cache) {
       calls.push(callInfo);
     }
   }
+  const jsxAttributes = getNodesFromCache(tree.rootNode, "jsx_attribute", cache);
+  for (const attr of jsxAttributes) {
+    const callInfo = extractJSXAttributeSink(attr);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
+  const assignments = getNodesFromCache(tree.rootNode, "assignment_expression", cache);
+  for (const assign of assignments) {
+    const callInfo = extractDomPropertyAssignmentSink(assign);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
   return calls;
 }
+var DOM_XSS_ASSIGNMENT_PROPERTIES = new Set([
+  "innerHTML",
+  "outerHTML"
+]);
+function extractDomPropertyAssignmentSink(node) {
+  const leftNode = node.childForFieldName("left");
+  const rightNode = node.childForFieldName("right");
+  if (!leftNode || !rightNode)
+    return null;
+  if (leftNode.type !== "member_expression")
+    return null;
+  const propertyNode = leftNode.childForFieldName("property");
+  const objectNode = leftNode.childForFieldName("object");
+  if (!propertyNode)
+    return null;
+  const propertyName = getNodeText(propertyNode);
+  if (!DOM_XSS_ASSIGNMENT_PROPERTIES.has(propertyName))
+    return null;
+  const receiver = objectNode ? getNodeText(objectNode) : null;
+  const expression = getNodeText(rightNode);
+  const { variable, literal } = analyzeJSArgument(rightNode);
+  const enclosingFunc = findJSEnclosingFunction(node);
+  return {
+    method_name: propertyName,
+    receiver,
+    arguments: [
+      {
+        position: 0,
+        expression,
+        variable,
+        literal
+      }
+    ],
+    location: {
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    },
+    in_method: enclosingFunc,
+    resolved: true,
+    resolution: {
+      status: "resolved",
+      target: `DOM.${propertyName}`
+    }
+  };
+}
+function extractJSXAttributeSink(attr) {
+  let nameNode = null;
+  for (let i2 = 0;i2 < attr.childCount; i2++) {
+    const child = attr.child(i2);
+    if (child && child.type === "property_identifier") {
+      nameNode = child;
+      break;
+    }
+  }
+  if (!nameNode)
+    return null;
+  const attrName = getNodeText(nameNode);
+  if (attrName !== "dangerouslySetInnerHTML")
+    return null;
+  let valueExpr = null;
+  for (let i2 = 0;i2 < attr.childCount; i2++) {
+    const child = attr.child(i2);
+    if (child && child.type === "jsx_expression") {
+      valueExpr = child;
+      break;
+    }
+  }
+  if (!valueExpr)
+    return null;
+  let htmlValue = null;
+  for (let i2 = 0;i2 < valueExpr.childCount; i2++) {
+    const inner = valueExpr.child(i2);
+    if (!inner || inner.type !== "object")
+      continue;
+    for (let j = 0;j < inner.childCount; j++) {
+      const pair = inner.child(j);
+      if (!pair || pair.type !== "pair")
+        continue;
+      const keyNode = pair.childForFieldName("key");
+      if (!keyNode)
+        continue;
+      const keyText = getNodeText(keyNode).replace(/^["']|["']$/g, "");
+      if (keyText === "__html") {
+        htmlValue = pair.childForFieldName("value");
+        break;
+      }
+    }
+    if (htmlValue)
+      break;
+  }
+  if (!htmlValue) {
+    for (let i2 = 0;i2 < valueExpr.childCount; i2++) {
+      const inner = valueExpr.child(i2);
+      if (inner && inner.type !== "{" && inner.type !== "}") {
+        htmlValue = inner;
+        break;
+      }
+    }
+  }
+  if (!htmlValue)
+    return null;
+  const expression = getNodeText(htmlValue);
+  const { variable, literal } = analyzeJSArgument(htmlValue);
+  const enclosingFunc = findJSEnclosingFunction(attr);
+  return {
+    method_name: "dangerouslySetInnerHTML",
+    receiver: null,
+    arguments: [
+      {
+        position: 0,
+        expression,
+        variable,
+        literal
+      }
+    ],
+    location: {
+      line: attr.startPosition.row + 1,
+      column: attr.startPosition.column
+    },
+    in_method: enclosingFunc,
+    resolved: true,
+    resolution: {
+      status: "resolved",
+      target: "react.dangerouslySetInnerHTML"
+    }
+  };
+}
 function buildJSResolutionContext(tree, cache) {
   const context = {
     functionNames: new Set,
@@ -6632,7 +6773,7 @@ function detectLanguage2(tree) {
 }
 function extractImports(tree, language) {
   const effectiveLanguage = language ?? detectLanguage2(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
   if (effectiveLanguage === "go") {
@@ -7347,7 +7488,7 @@ function detectLanguage3(tree) {
 }
 function buildCFG(tree, language) {
   const effectiveLanguage = language ?? detectLanguage3(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const allBlocks = [];
   const allEdges = [];
   let blockIdCounter = 0;
@@ -7928,7 +8069,7 @@ function detectLanguage4(tree) {
 }
 function buildDFG(tree, cache, language) {
   const effectiveLanguage = language ?? detectLanguage4(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   if (isJavaScript) {
     return buildJavaScriptDFG(tree, cache);
   }
@@ -8749,7 +8890,18 @@ function buildBashDFG(tree) {
       if (varNameNode) {
         const varName = getNodeText(varNameNode);
         if (varName && !varName.startsWith("?") && !varName.startsWith("#")) {
-          const reachingDef = findReachingDef(varName, scopeStack);
+          let reachingDef = findReachingDef(varName, scopeStack);
+          if (reachingDef === null && !positionalParams.includes(varName)) {
+            const def = {
+              id: defIdCounter++,
+              variable: varName,
+              line: 0,
+              kind: "param"
+            };
+            defs.push(def);
+            scopeStack[0].set(varName, def.id);
+            reachingDef = def.id;
+          }
           uses.push({
             id: useIdCounter++,
             variable: varName,
@@ -8762,7 +8914,18 @@ function buildBashDFG(tree) {
       const varNameNode = node.namedChildCount > 0 ? node.namedChild(0) : null;
       if (varNameNode && varNameNode.type === "variable_name") {
         const varName = getNodeText(varNameNode);
-        const reachingDef = findReachingDef(varName, scopeStack);
+        let reachingDef = findReachingDef(varName, scopeStack);
+        if (reachingDef === null && !positionalParams.includes(varName)) {
+          const def = {
+            id: defIdCounter++,
+            variable: varName,
+            line: 0,
+            kind: "param"
+          };
+          defs.push(def);
+          scopeStack[0].set(varName, def.id);
+          reachingDef = def.id;
+        }
         uses.push({
           id: useIdCounter++,
           variable: varName,
@@ -9234,7 +9397,7 @@ var FRAMEWORK_MODULE_PATTERNS = [
   /^@nestjs\/core$/
 ];
 function extractRuntimeRegistrations(tree, cache, language, imports) {
-  if (language === "javascript" || language === "typescript") {
+  if (language === "javascript" || language === "typescript" || language === "tsx") {
     return extractJSRuntimeRegistrations(tree, cache, imports);
   }
   if (language === "python") {
@@ -10171,8 +10334,11 @@ var DEFAULT_SOURCES = [
   { method: "get", class: "cookies", type: "http_cookie", severity: "high", return_tainted: true },
   { property: "json", object: "request", type: "http_body", severity: "high", property_tainted: true },
   { property: "data", object: "request", type: "http_body", severity: "high", property_tainted: true },
+  { property: "stream", object: "request", type: "http_body", severity: "high", property_tainted: true },
   { property: "path", object: "request", type: "http_path", severity: "medium", property_tainted: true },
   { property: "query_string", object: "request", type: "http_query", severity: "high", property_tainted: true },
+  { method: "get_data", class: "request", type: "http_body", severity: "high", return_tainted: true },
+  { method: "get_json", class: "request", type: "http_body", severity: "high", return_tainted: true },
   { method: "get", class: "GET", type: "http_param", severity: "high", return_tainted: true },
   { method: "get", class: "POST", type: "http_param", severity: "high", return_tainted: true },
   { method: "get", class: "META", type: "http_header", severity: "high", return_tainted: true },
@@ -10335,13 +10501,13 @@ var DEFAULT_SINKS = [
   { method: "setExecutable", class: "ExecTask", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "setCommand", class: "ExecTask", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "execute", class: "Java", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "bash", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "shell", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "sh", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "spawn", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "fork", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "popen", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "system", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "bash", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "shell", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "sh", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "spawn", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "fork", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "popen", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "system", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "setCommandline", class: "DefaultExecutor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "addArgument", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -10404,6 +10570,9 @@ var DEFAULT_SINKS = [
   { method: "unzip", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "extract", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "extractAll", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
+  { method: "extractall", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "send_from_directory", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [1], languages: ["python"] },
   { method: "unjar", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "PrintWriter", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "Scanner", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -11171,10 +11340,22 @@ var DEFAULT_SINKS = [
   { method: "redirect", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
   { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
   { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
-  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
-  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
-  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
-  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] }
+  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defineProperty", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "defineProperties", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1], languages: ["javascript", "typescript"] },
+  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "merge", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defaultsDeep", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defaultsDeep", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "jQuery", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "innerHTML", type: "xss", cwe: "CWE-79", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "outerHTML", type: "xss", cwe: "CWE-79", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "unserialize", class: "serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "unserialize", class: "node-serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "unserialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] }
 ];
 var DEFAULT_SANITIZERS = [
   { method: "setString", class: "PreparedStatement", removes: ["sql_injection"] },
@@ -11787,7 +11968,11 @@ function matchesSourcePattern(call, pattern) {
     }
     if (pattern.class && pattern.class !== "constructor") {
       if (call.receiver_type && call.receiver_type === pattern.class) {} else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {} else if (!call.receiver) {
-        return false;
+        const target = call.resolution?.target;
+        const expectedTail = `${pattern.class}.${pattern.method}`;
+        if (target && (target === expectedTail || target.endsWith("." + expectedTail))) {} else {
+          return false;
+        }
       } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
@@ -12044,7 +12229,11 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
       }
       return false;
     } else if (!call.receiver && !call.receiver_type) {
-      return false;
+      const target = call.resolution?.target;
+      const expectedTail = `${pattern.class}.${pattern.method}`;
+      if (target && (target === expectedTail || target.endsWith("." + expectedTail))) {} else {
+        return false;
+      }
     }
   }
   if (!pattern.class && call.receiver) {
@@ -15051,6 +15240,9 @@ class DefaultLanguageRegistry {
     }
   }
   get(language) {
+    if (language === "tsx") {
+      return this.plugins.get("javascript");
+    }
     return this.plugins.get(language);
   }
   getForFile(filePath) {
@@ -17244,6 +17436,20 @@ class BashPlugin extends BaseLanguagePlugin {
         cwe: "CWE-918",
         severity: "high",
         argPositions: [0]
+      },
+      {
+        method: "source",
+        type: "path_traversal",
+        cwe: "CWE-98",
+        severity: "critical",
+        argPositions: [0]
+      },
+      {
+        method: ".",
+        type: "path_traversal",
+        cwe: "CWE-98",
+        severity: "critical",
+        argPositions: [0]
       }
     ];
   }
@@ -20337,6 +20543,7 @@ function mergeHtmlResults(htmlMeta, scriptResults, attributeFindings) {
   const allSources = [];
   const allSinks = [];
   const allSanitizers = [];
+  const allFlows = [];
   const allImports = [];
   const allExports = [];
   const allFindings = [];
@@ -20422,6 +20629,14 @@ function mergeHtmlResults(htmlMeta, scriptResults, attributeFindings) {
         line: sanitizer.line + lineShift
       });
     }
+    for (const flow of ir.taint.flows ?? []) {
+      allFlows.push({
+        ...flow,
+        source_line: flow.source_line + lineShift,
+        sink_line: flow.sink_line + lineShift,
+        path: flow.path.map((step) => ({ ...step, line: step.line + lineShift }))
+      });
+    }
     for (const imp of ir.imports) {
       allImports.push({
         ...imp,
@@ -20441,7 +20656,8 @@ function mergeHtmlResults(htmlMeta, scriptResults, attributeFindings) {
   const taint = {
     sources: allSources,
     sinks: allSinks,
-    sanitizers: allSanitizers.length > 0 ? allSanitizers : undefined
+    sanitizers: allSanitizers.length > 0 ? allSanitizers : undefined,
+    flows: allFlows.length > 0 ? allFlows : undefined
   };
   const cfg = {
     blocks: allCfgBlocks,
@@ -20637,7 +20853,9 @@ class LanguageSourcesPass {
     const constProp = ctx.getResult("constant-propagation");
     const additionalSources = [];
     const additionalSinks = [];
+    const additionalSanitizers = [];
     additionalSources.push(...findGetterSources(types, constProp.instanceFieldTaint, code));
+    additionalSources.push(...findOopFieldReadSources(types, code, language));
     additionalSources.push(...findJavaScriptAssignmentSources(code, language));
     const jsDOMSinks = findJavaScriptDOMSinks(code, language);
     for (const s of jsDOMSinks) {
@@ -20689,9 +20907,10 @@ class LanguageSourcesPass {
       for (const finding of bashFindings) {
         ctx.addFinding(finding);
       }
+      additionalSanitizers.push(...findBashRegexAllowlistSanitizers(code));
     }
     attachSourceLineCode(additionalSources, additionalSinks, code);
-    return { additionalSources, additionalSinks, pyTaintedVars, pySanitizedVars, jsTaintedVars };
+    return { additionalSources, additionalSinks, additionalSanitizers, pyTaintedVars, pySanitizedVars, jsTaintedVars };
   }
 }
 function findGetterSources(types, instanceFieldTaint, _sourceCode) {
@@ -20743,6 +20962,128 @@ function findGetterSources(types, instanceFieldTaint, _sourceCode) {
   }
   return sources;
 }
+function findOopFieldReadSources(types, sourceCode, language) {
+  if (language !== "java" && language !== "python")
+    return [];
+  const sources = [];
+  const lines = sourceCode.split(`
+`);
+  const isPython = language === "python";
+  const SELF = isPython ? "self" : "this";
+  const javaHttpPattern = /\b(?:req|request|httpRequest|servletRequest|httpServletRequest)\.(?:getParameter|getParameterValues|getParameterMap|getHeader|getHeaders|getCookies|getQueryString|getPathInfo|getRequestURI|getRequestURL|getInputStream|getReader)\b/;
+  const fieldAssignRe = new RegExp(`^\\s*${SELF}\\.([A-Za-z_]\\w*)\\s*=\\s*(.+?)(?:;\\s*)?$`);
+  const commentPrefix = isPython ? "#" : "//";
+  for (const type of types) {
+    if (type.kind !== "class")
+      continue;
+    if (type.name === "<module>")
+      continue;
+    let ctor;
+    for (const m of type.methods) {
+      if (isPython) {
+        if (m.name === "__init__") {
+          ctor = m;
+          break;
+        }
+      } else {
+        if (m.name === type.name) {
+          ctor = m;
+          break;
+        }
+      }
+    }
+    if (!ctor)
+      continue;
+    const paramNames = new Set;
+    for (const p of ctor.parameters) {
+      if (p.name === "self" || p.name === "this")
+        continue;
+      paramNames.add(p.name);
+    }
+    const fieldTaint = new Map;
+    const ctorStart = ctor.start_line;
+    const ctorEnd = ctor.end_line;
+    for (let i2 = ctorStart - 1;i2 < Math.min(ctorEnd, lines.length); i2++) {
+      const line = lines[i2] ?? "";
+      if (line.trim().startsWith(commentPrefix))
+        continue;
+      const m = line.match(fieldAssignRe);
+      if (!m)
+        continue;
+      const fieldName = m[1];
+      const rhs = m[2].trim().replace(/;\s*$/, "");
+      let sourceType = null;
+      if (paramNames.has(rhs)) {
+        sourceType = "interprocedural_param";
+      } else if (!isPython && javaHttpPattern.test(rhs)) {
+        sourceType = "http_param";
+      } else if (isPython) {
+        for (const { pattern, type: type2 } of PYTHON_TAINTED_PATTERNS2) {
+          if (pattern.test(rhs)) {
+            sourceType = type2;
+            break;
+          }
+        }
+      }
+      if (sourceType) {
+        fieldTaint.set(fieldName, { line: i2 + 1, type: sourceType });
+      }
+    }
+    if (fieldTaint.size === 0)
+      continue;
+    for (const [fieldName, info2] of fieldTaint) {
+      sources.push({
+        type: info2.type,
+        location: `${type.name}.${SELF}.${fieldName} (constructor-injected field, #78)`,
+        severity: "high",
+        line: info2.line,
+        confidence: 0.85,
+        variable: `${SELF}.${fieldName}`
+      });
+    }
+    for (const m of type.methods) {
+      if (m === ctor)
+        continue;
+      const nonSelfParams = m.parameters.filter((p) => p.name !== "self" && p.name !== "this");
+      if (nonSelfParams.length !== 0)
+        continue;
+      const mStart = m.start_line;
+      const mEnd = m.end_line;
+      let returnedField = null;
+      let returnStatementCount = 0;
+      const returnRe = new RegExp(`\\breturn\\s+${SELF}\\.([A-Za-z_]\\w*)\\s*[;}]?`);
+      for (let i2 = mStart - 1;i2 < Math.min(mEnd, lines.length); i2++) {
+        const raw = lines[i2] ?? "";
+        const trimmed = raw.trim();
+        if (!trimmed)
+          continue;
+        if (trimmed.startsWith(commentPrefix))
+          continue;
+        const rm = trimmed.match(returnRe);
+        if (rm) {
+          returnedField = rm[1];
+          returnStatementCount++;
+        } else if (/\breturn\b/.test(trimmed)) {
+          returnStatementCount = 99;
+          break;
+        }
+      }
+      if (returnStatementCount === 1 && returnedField && fieldTaint.has(returnedField)) {
+        const fieldInfo = fieldTaint.get(returnedField);
+        const getterVar = isPython ? `${SELF}.${m.name}` : m.name;
+        sources.push({
+          type: fieldInfo.type,
+          location: `${type.name}.${m.name} returns tainted field '${returnedField}' (#78)`,
+          severity: "high",
+          line: m.start_line,
+          confidence: 0.85,
+          variable: getterVar
+        });
+      }
+    }
+  }
+  return sources;
+}
 function findJavaScriptAssignmentSources(sourceCode, language) {
   if (!["javascript", "typescript"].includes(language))
     return [];
@@ -20820,62 +21161,62 @@ function buildPythonTaintedVars(sourceCode) {
     const line = lines[i2];
     if (line.trimStart().startsWith("#"))
       continue;
-    const subscriptAssign = line.match(/^\s*(\w+)\[(['"])([^'"]+)\2\]\s*=\s*(.+)$/);
+    const subscriptAssign = line.match(/^\s*([\p{L}\p{N}_]+)\[(['"])([^'"]+)\2\]\s*=\s*(.+)$/u);
     if (subscriptAssign) {
       const [, container, , key, rhs2] = subscriptAssign;
-      const isTaintedRhs = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(rhs2));
+      const isTaintedRhs = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(rhs2));
       if (isTaintedRhs)
         containerTainted.set(`${container}['${key}']`, i2 + 1);
       continue;
     }
-    const setCallMatch = line.match(/^\s*(\w+)\.set\s*\(\s*(['"])([^'"]+)\2\s*,\s*(['"])([^'"]+)\4\s*,\s*(.+?)\s*\)$/);
+    const setCallMatch = line.match(/^\s*([\p{L}\p{N}_]+)\.set\s*\(\s*(['"])([^'"]+)\2\s*,\s*(['"])([^'"]+)\4\s*,\s*(.+?)\s*\)$/u);
     if (setCallMatch) {
       const [, obj, , section, , key, rhs2] = setCallMatch;
-      const isTaintedRhs = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(rhs2));
+      const isTaintedRhs = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(rhs2));
       if (isTaintedRhs)
         containerTainted.set(`${obj}['${section}']['${key}']`, i2 + 1);
       continue;
     }
-    const containerAppendMatch = line.match(/^\s*(\w+)\.(append|extend|insert|add|push|put|appendleft)\s*\(\s*(.+?)\s*\)\s*$/);
+    const containerAppendMatch = line.match(/^\s*([\p{L}\p{N}_]+)\.(append|extend|insert|add|push|put|appendleft)\s*\(\s*(.+?)\s*\)\s*$/u);
     if (containerAppendMatch) {
       const [, receiver, , argExpr] = containerAppendMatch;
-      const argIsTainted = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(argExpr));
+      const argIsTainted = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(argExpr));
       const argIsDirectSource = PYTHON_TAINTED_PATTERNS2.some((p) => p.pattern.test(argExpr));
       if (argIsTainted || argIsDirectSource)
         tainted.set(receiver, tainted.get(receiver) ?? i2 + 1);
       continue;
     }
-    const augAssign = line.match(/^\s*(\w+)\s*\+=\s*(.+)$/);
+    const augAssign = line.match(/^\s*([\p{L}\p{N}_]+)\s*\+=\s*(.+)$/u);
     if (augAssign) {
       const [, augLhs, augRhs] = augAssign;
-      const rhsTainted = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(augRhs));
+      const rhsTainted = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(augRhs));
       if (rhsTainted || tainted.has(augLhs))
         tainted.set(augLhs, tainted.get(augLhs) ?? i2 + 1);
       continue;
     }
-    const forLoopMatch = line.match(/^\s*for\s+(\w+)\s+in\s+(.+?)(?:\s*:\s*)?$/);
+    const forLoopMatch = line.match(/^\s*for\s+([\p{L}\p{N}_]+)\s+in\s+(.+?)(?:\s*:\s*)?$/u);
     if (forLoopMatch) {
       const [, iterVar, iterExpr] = forLoopMatch;
       const isDirectSource2 = PYTHON_TAINTED_PATTERNS2.some((p) => p.pattern.test(iterExpr));
-      const isPropagated = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(iterExpr));
+      const isPropagated = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(iterExpr));
       if (isDirectSource2 || isPropagated)
         tainted.set(iterVar, i2 + 1);
       continue;
     }
-    const assignMatch = line.match(/^\s*(\w+)\s*=\s*(.+)$/);
+    const assignMatch = line.match(/^\s*([\p{L}\p{N}_]+)\s*=\s*(.+)$/u);
     if (!assignMatch)
       continue;
     const [, lhs, rhs] = assignMatch;
     const isDirectSource = PYTHON_TAINTED_PATTERNS2.some((p) => p.pattern.test(rhs));
     let propagatedFrom;
-    const dictAccessMatch = rhs.trim().match(/^(\w+)\[(['"])([^'"]+)\2\]$/);
+    const dictAccessMatch = rhs.trim().match(/^([\p{L}\p{N}_]+)\[(['"])([^'"]+)\2\]$/u);
     if (dictAccessMatch) {
       const [, container, , key] = dictAccessMatch;
       if (containerTainted.has(`${container}['${key}']`))
         propagatedFrom = `${container}['${key}']`;
     }
     if (!propagatedFrom) {
-      const confGetMatch = rhs.trim().match(/^(\w+)\.get\s*\(\s*(['"])([^'"]+)\2\s*,\s*(['"])([^'"]+)\4\s*\)$/);
+      const confGetMatch = rhs.trim().match(/^([\p{L}\p{N}_]+)\.get\s*\(\s*(['"])([^'"]+)\2\s*,\s*(['"])([^'"]+)\4\s*\)$/u);
       if (confGetMatch) {
         const [, obj, , section, , key] = confGetMatch;
         if (containerTainted.has(`${obj}['${section}']['${key}']`))
@@ -20885,7 +21226,7 @@ function buildPythonTaintedVars(sourceCode) {
     if (!propagatedFrom) {
       const isSafeEnvRead = /\bos\.environ\.get\s*\(/.test(rhs) || /\bos\.getenv\s*\(/.test(rhs);
       if (!isSafeEnvRead)
-        propagatedFrom = [...tainted.keys()].find((v) => new RegExp(`\\b${v}\\b`).test(rhs));
+        propagatedFrom = [...tainted.keys()].find((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(rhs));
     }
     if (isDirectSource) {
       tainted.set(lhs, i2 + 1);
@@ -21290,6 +21631,61 @@ function findBashPatternFindings(sourceCode, file) {
   }
   return findings;
 }
+function findBashRegexAllowlistSanitizers(code) {
+  const sanitizers = [];
+  const lines = code.split(`
+`);
+  const guardRe = /^\s*if\s+\[\[\s*!\s*"?\$\{?(\w+)\}?"?\s*=~\s*(\S+)\s*\]\]\s*;\s*then\s+(exit|return|die)\b/;
+  for (let i2 = 0;i2 < lines.length; i2++) {
+    const m = guardRe.exec(lines[i2]);
+    if (!m)
+      continue;
+    const regexLiteral = m[2];
+    if (!isSafeBashAllowlistRegex(regexLiteral))
+      continue;
+    const ifLine1Indexed = i2 + 1;
+    for (let l = ifLine1Indexed + 1;l <= lines.length; l++) {
+      sanitizers.push({
+        type: "regex_allowlist",
+        method: "=~",
+        line: l,
+        sanitizes: [
+          "command_injection",
+          "path_traversal",
+          "sql_injection",
+          "code_injection",
+          "ssrf",
+          "xss",
+          "open_redirect",
+          "log_injection"
+        ]
+      });
+    }
+  }
+  return sanitizers;
+}
+function isSafeBashAllowlistRegex(literal) {
+  if (!literal.startsWith("^") || !literal.endsWith("$"))
+    return false;
+  const body2 = literal.slice(1, -1);
+  if (body2.length === 0)
+    return false;
+  if (body2.includes(".*") || body2.includes(".+"))
+    return false;
+  if (body2.includes("|"))
+    return false;
+  if (/\\\d/.test(body2))
+    return false;
+  const safeToken = /\[[^\]]+\][+*?]?|\\.|[A-Za-z0-9_\-./]|[+*?]/g;
+  let consumed = 0;
+  let match;
+  while ((match = safeToken.exec(body2)) !== null) {
+    if (match.index !== consumed)
+      return false;
+    consumed += match[0].length;
+  }
+  return consumed === body2.length;
+}
 
 // ../circle-ir/dist/analysis/passes/sink-filter-pass.js
 var JS_XSS_SANITIZERS = [
@@ -21326,7 +21722,10 @@ class SinkFilterPass {
         sinks.push(s);
       }
     }
-    const sanitizers = taintMatcher.sanitizers;
+    const sanitizers = [
+      ...taintMatcher.sanitizers,
+      ...langSources.additionalSanitizers ?? []
+    ];
     let filtered = sinks.filter((sink) => !constProp.unreachableLines.has(sink.line));
     filtered = filterCleanArraySinks(filtered, calls, constProp.taintedArrayElements, constProp.symbols);
     filtered = filterCleanVariableSinks(filtered, calls, constProp.tainted, constProp.symbols, dfg, constProp.sanitizedVars, constProp.synchronizedLines, language);
@@ -21811,6 +22210,21 @@ function findInitialTaint(sources, callsByLine, defsByLine) {
         });
       }
     }
+    if (source.variable) {
+      const paramDefs = defsByLine.get(0) ?? [];
+      for (const def of paramDefs) {
+        if (def.kind === "param" && def.variable === source.variable) {
+          tainted.push({
+            variable: def.variable,
+            defId: def.id,
+            line: def.line,
+            sourceType: source.type,
+            sourceLine: source.line,
+            confidence: source.confidence
+          });
+        }
+      }
+    }
   }
   return tainted;
 }
@@ -22384,7 +22798,7 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
     if (reCache.has(s.variable))
       continue;
     const escaped = s.variable.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    reCache.set(s.variable, new RegExp(`\\b${escaped}\\b`));
+    reCache.set(s.variable, new RegExp(`(?<![\\p{L}\\p{N}_])${escaped}(?![\\p{L}\\p{N}_])`, "u"));
   }
   const callsByLine = new Map;
   for (const call of calls) {
@@ -22526,6 +22940,13 @@ function analyzeInterprocedural2(graphOrTypes, callsOrSources, dfgOrSinks, sourc
     for (const def of graph.defsAtLine(source.line)) {
       seedIds.add(def.id);
     }
+    if (source.variable) {
+      for (const def of graph.defsAtLine(0)) {
+        if (def.kind === "param" && def.variable === source.variable) {
+          seedIds.add(def.id);
+        }
+      }
+    }
   }
   const taintedDefIds = graph.propagateTaintedDefIds(seedIds);
   const taintedVarsFromCP = options.taintedVariables ?? new Set;
@@ -22666,7 +23087,34 @@ function analyzeInterprocedural2(graphOrTypes, callsOrSources, dfgOrSinks, sourc
     const targetMethod = getMethodNode(methodNodes, call.method_name);
     if (!targetMethod) {
       if (taintedArgPositions.length > 0 && !collectionMethods.has(call.method_name) && !sanitizerMethods.has(call.method_name) && !safeUtilityMethods.has(call.method_name)) {
-        const sink = {
+        const isBash = graph.ir.meta.language === "bash";
+        const bashSafeBuiltins = new Set([
+          "echo",
+          "printf",
+          "test",
+          "[",
+          "[[",
+          "true",
+          "false",
+          ":",
+          "declare",
+          "local",
+          "export",
+          "readonly",
+          "typeset"
+        ]);
+        if (isBash && bashSafeBuiltins.has(call.method_name)) {
+          continue;
+        }
+        const sink = isBash ? {
+          type: "command_injection",
+          cwe: "CWE-78",
+          location: `Tainted data (${taintedArgVars.join(", ")}) passed unquoted to shell utility ${call.method_name}`,
+          line: call.location.line,
+          confidence: 0.6,
+          method: call.method_name,
+          argPositions: taintedArgPositions
+        } : {
           type: "external_taint_escape",
           cwe: "CWE-668",
           location: `Tainted data (${taintedArgVars.join(", ")}) passed to external method ${call.receiver ? call.receiver + "." : ""}${call.method_name}()`,
@@ -23346,6 +23794,7 @@ function isPublicMethod(method, language) {
       return method.modifiers.includes("public");
     case "javascript":
     case "typescript":
+    case "tsx":
       return !method.modifiers.includes("private") && !method.modifiers.includes("protected");
     case "python":
       return !method.name.startsWith("_");
@@ -23365,7 +23814,7 @@ class MissingPublicDocPass {
     if (UTIL_DIR_RE.test(graph.ir.meta.file)) {
       return { missingDocMethods: [], missingDocTypes: [] };
     }
-    if (!["java", "javascript", "typescript", "python"].includes(language)) {
+    if (!["java", "javascript", "typescript", "tsx", "python"].includes(language)) {
       return { missingDocMethods: [], missingDocTypes: [] };
     }
     const lines = code.split(`
@@ -23889,6 +24338,7 @@ function hasDeclKeyword(lineText, language) {
       return /\b(?:int|long|float|double|boolean|byte|char|short|var|final)\b/.test(lineText) || /\b[A-Z]\w*(?:<[^>]*>)?\s+\w/.test(lineText);
     case "javascript":
     case "typescript":
+    case "tsx":
       return /\b(?:let|const|var)\s+[\w{[]/.test(lineText);
     case "rust":
       return /\blet\s+(?:mut\s+)?\w/.test(lineText);
@@ -28395,6 +28845,7 @@ class WeakRandomPass {
         return "Use the `secrets` module (`secrets.token_bytes`, " + "`secrets.token_hex`, `secrets.choice`, `secrets.randbelow`).";
       case "javascript":
       case "typescript":
+      case "tsx":
         return "Use `crypto.randomBytes(n)` (Node.js) or " + "`crypto.getRandomValues(typedArray)` (browser).";
       case "go":
         return "Use `crypto/rand` instead of `math/rand`. Example: " + "`b := make([]byte, 32); _, _ = rand.Read(b)` (where `rand` is `crypto/rand`).";
@@ -28433,7 +28884,7 @@ class WeakRandomPass {
       }
       return null;
     }
-    if (language === "javascript" || language === "typescript") {
+    if (language === "javascript" || language === "typescript" || language === "tsx") {
       if (method === "random" && (receiver === "Math" || receiver.endsWith(".Math"))) {
         return "Math.random";
       }
@@ -30035,6 +30486,7 @@ function getNodeTypesForLanguage(language) {
       ]);
     case "javascript":
     case "typescript":
+    case "tsx":
       return new Set([
         "call_expression",
         "new_expression",
@@ -30047,7 +30499,12 @@ function getNodeTypesForLanguage(language) {
         "import_statement",
         "export_statement",
         "member_expression",
-        "assignment_expression"
+        "assignment_expression",
+        "jsx_element",
+        "jsx_self_closing_element",
+        "jsx_opening_element",
+        "jsx_attribute",
+        "jsx_expression"
       ]);
     case "bash":
       return new Set([
@@ -30111,8 +30568,15 @@ async function analyze(code, filePath, language, options = {}) {
   if (language === "html") {
     return analyzeHtmlFile(code, filePath, options);
   }
-  logger.debug("Analyzing file", { filePath, language, codeLength: code.length });
-  const tree = await parse(code, language);
+  let parseGrammar = language;
+  if (language === "javascript" || language === "typescript") {
+    const lower = filePath.toLowerCase();
+    if (lower.endsWith(".tsx") || lower.endsWith(".jsx")) {
+      parseGrammar = "tsx";
+    }
+  }
+  logger.debug("Analyzing file", { filePath, language, parseGrammar, codeLength: code.length });
+  const tree = await parse(code, parseGrammar);
   try {
     logger.trace("Parsed AST", { rootNodeType: tree.rootNode.type });
     const parseStatus = extractParseStatus(tree);
@@ -30440,7 +30904,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.58.0";
+var version = "3.62.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {
@@ -30463,7 +30927,11 @@ var SINK_SEVERITY = {
   insecure_cookie: "low",
   trust_boundary: "medium",
   external_taint_escape: "medium",
-  mybatis_mapper_call: "medium"
+  mybatis_mapper_call: "medium",
+  redos: "medium",
+  format_string: "high",
+  crlf: "medium",
+  mass_assignment: "high"
 };
 var SINK_CWE = {
   sql_injection: "CWE-89",
@@ -30485,7 +30953,11 @@ var SINK_CWE = {
   insecure_cookie: "CWE-614",
   trust_boundary: "CWE-501",
   external_taint_escape: "CWE-20",
-  mybatis_mapper_call: "CWE-89"
+  mybatis_mapper_call: "CWE-89",
+  redos: "CWE-1333",
+  format_string: "CWE-134",
+  crlf: "CWE-113",
+  mass_assignment: "CWE-915"
 };
 var VULNERABILITY_HELP = {
   sql_injection: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.58.0",
+  "version": "3.62.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.58.0"
+    "circle-ir": "^3.62.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",