cognium-dev 3.65.0 → 3.66.0

package/dist/cli.js

@@ -19080,10 +19080,26 @@ class CrossFileResolver {
   }
   resolveWithReceiver(call, fromFile) {
     const receiver = call.receiver;
-    const receiverType = this.inferReceiverType(receiver, fromFile);
+    const receiverType = call.receiver_type_fqn ?? this.inferReceiverType(receiver, fromFile);
     if (receiverType) {
       const methodSymbol = this.symbolTable.findMethod(receiverType, call.method_name);
       if (methodSymbol) {
+        const parent = methodSymbol.parentType ? this.symbolTable.getSymbol(methodSymbol.parentType) : undefined;
+        if (parent && parent.kind === "interface") {
+          const candidates2 = this.findPolymorphicCandidates(receiverType, call.method_name);
+          if (candidates2.length > 0) {
+            const primary = candidates2[0];
+            return {
+              call,
+              sourceFile: fromFile,
+              targetFile: primary.file,
+              targetMethod: primary.fqn,
+              targetClass: primary.parentType || receiverType,
+              resolution: "polymorphic",
+              candidates: candidates2.map((c) => c.fqn)
+            };
+          }
+        }
         return {
           call,
           sourceFile: fromFile,
@@ -20096,7 +20112,8 @@ class CrossFilePass {
     });
     const ipPaths = [
       ...resolver.findInterproceduralTaintPaths(),
-      ...resolver.findFieldBindingTaintPaths()
+      ...resolver.findFieldBindingTaintPaths(),
+      ...findCrossInstanceAliasingPaths(projectGraph, sourceLines)
     ];
     for (let i2 = 0;i2 < ipPaths.length; i2++) {
       const p = ipPaths[i2];
@@ -20172,6 +20189,108 @@ class CrossFilePass {
     return { crossFileCalls, taintPaths, typeHierarchy };
   }
 }
+function findCrossInstanceAliasingPaths(projectGraph, _sourceLines) {
+  const paths = [];
+  const javaHttpPattern = /\b(?:req|request|httpRequest|servletRequest|httpServletRequest)\.(?:getParameter|getParameterValues|getParameterMap|getHeader|getHeaders|getCookies|getQueryString|getPathInfo|getRequestURI|getRequestURL|getInputStream|getReader)\b/;
+  const aliasWriteRe = /^\s*this\.([A-Za-z_]\w*)\.([A-Za-z_]\w*)\s*=\s*(.+?)(?:;\s*)?$/;
+  const typeIndex = new Map;
+  for (const filePath of projectGraph.filePaths) {
+    const ir = projectGraph.getIR(filePath);
+    if (!ir)
+      continue;
+    if (ir.meta.language !== "java")
+      continue;
+    for (const t of ir.types) {
+      if (t.kind === "class")
+        typeIndex.set(t.name, { file: filePath, type: t, ir });
+    }
+  }
+  if (typeIndex.size === 0)
+    return paths;
+  for (const filePath of projectGraph.filePaths) {
+    const ir = projectGraph.getIR(filePath);
+    if (!ir)
+      continue;
+    if (ir.meta.language !== "java")
+      continue;
+    const lines = _sourceLines.get(filePath);
+    if (!lines || lines.length === 0)
+      continue;
+    for (const type of ir.types) {
+      if (type.kind !== "class")
+        continue;
+      const aliasFields = new Map;
+      for (const f of type.fields) {
+        if (!f.type)
+          continue;
+        const simple = f.type.replace(/<.*>/g, "").replace(/\[\]$/, "").trim();
+        if (typeIndex.has(simple))
+          aliasFields.set(f.name, simple);
+      }
+      if (aliasFields.size === 0)
+        continue;
+      for (const m of type.methods) {
+        if (m.name === type.name)
+          continue;
+        const mStart = m.start_line;
+        const mEnd = m.end_line;
+        for (let i2 = mStart - 1;i2 < Math.min(mEnd, lines.length); i2++) {
+          const trimmed = (lines[i2] ?? "").trim();
+          if (!trimmed || trimmed.startsWith("//"))
+            continue;
+          const wm = trimmed.match(aliasWriteRe);
+          if (!wm)
+            continue;
+          const aliasField = wm[1];
+          const innerField = wm[2];
+          const rhs = wm[3].trim().replace(/;\s*$/, "");
+          const aliasType = aliasFields.get(aliasField);
+          if (!aliasType)
+            continue;
+          const target = typeIndex.get(aliasType);
+          if (!target)
+            continue;
+          if (!target.type.fields.some((f) => f.name === innerField))
+            continue;
+          if (!javaHttpPattern.test(rhs))
+            continue;
+          const innerRe = new RegExp(`\\b${innerField}\\b`);
+          for (const tm of target.type.methods) {
+            const sinksInTarget = target.ir.taint.sinks.filter((s) => s.line >= tm.start_line && s.line <= tm.end_line);
+            for (const sink of sinksInTarget) {
+              const callsAtSink = target.ir.calls.filter((c) => c.location.line === sink.line);
+              let matched = false;
+              for (const c of callsAtSink) {
+                for (const a of c.arguments ?? []) {
+                  if (innerRe.test(a.expression ?? "") || a.variable === innerField) {
+                    matched = true;
+                    break;
+                  }
+                }
+                if (matched)
+                  break;
+              }
+              if (!matched)
+                continue;
+              paths.push({
+                source: { file: filePath, line: i2 + 1, type: "http_param" },
+                sink: { file: target.file, line: sink.line, type: sink.type, cwe: sink.cwe },
+                hops: [
+                  { file: filePath, line: i2 + 1, method: m.name, kind: "source" },
+                  { file: filePath, line: i2 + 1, method: m.name, kind: "field_write" },
+                  { file: target.file, line: tm.start_line, method: tm.name, kind: "field_read" },
+                  { file: target.file, line: sink.line, method: tm.name, kind: "sink" }
+                ],
+                confidence: 0.65
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+  return paths;
+}
 
 // ../circle-ir/dist/analysis/html/html-extractor.js
 var EVENT_HANDLER_ATTRS = new Set([
@@ -20878,6 +20997,8 @@ class LanguageSourcesPass {
     const additionalSanitizers = [];
     additionalSources.push(...findGetterSources(types, constProp.instanceFieldTaint, code));
     additionalSources.push(...findOopFieldReadSources(types, code, language));
+    additionalSources.push(...findStaticFieldSources(types, code, language));
+    additionalSources.push(...findSetterChainSources(types, code, language));
     additionalSources.push(...findJavaScriptAssignmentSources(code, language));
     const jsDOMSinks = findJavaScriptDOMSinks(code, language);
     for (const s of jsDOMSinks) {
@@ -21106,6 +21227,155 @@ function findOopFieldReadSources(types, sourceCode, language) {
   }
   return sources;
 }
+function findStaticFieldSources(types, sourceCode, language) {
+  if (language !== "java")
+    return [];
+  const sources = [];
+  const lines = sourceCode.split(`
+`);
+  const javaHttpPattern = /\b(?:req|request|httpRequest|servletRequest|httpServletRequest)\.(?:getParameter|getParameterValues|getParameterMap|getHeader|getHeaders|getCookies|getQueryString|getPathInfo|getRequestURI|getRequestURL|getInputStream|getReader)\b/;
+  for (const type of types) {
+    if (type.kind !== "class")
+      continue;
+    if (type.name === "<module>")
+      continue;
+    const staticFields = new Set;
+    for (const f of type.fields) {
+      if (f.modifiers.includes("static"))
+        staticFields.add(f.name);
+    }
+    if (staticFields.size === 0)
+      continue;
+    const qualifiedAssignRe = new RegExp(`^\\s*${type.name}\\.([A-Za-z_]\\w*)\\s*=\\s*(.+?)(?:;\\s*)?$`);
+    const bareAssignRe = /^\s*([A-Za-z_]\w*)\s*=\s*(.+?)(?:;\s*)?$/;
+    for (const m of type.methods) {
+      if (!m.modifiers.includes("static"))
+        continue;
+      const mStart = m.start_line;
+      const mEnd = m.end_line;
+      for (let i2 = mStart - 1;i2 < Math.min(mEnd, lines.length); i2++) {
+        const line = lines[i2] ?? "";
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("//"))
+          continue;
+        let fieldName = null;
+        let rhs = null;
+        const qm = trimmed.match(qualifiedAssignRe);
+        if (qm) {
+          fieldName = qm[1];
+          rhs = qm[2];
+        } else {
+          const bm = trimmed.match(bareAssignRe);
+          if (bm) {
+            fieldName = bm[1];
+            rhs = bm[2];
+          }
+        }
+        if (!fieldName || !rhs)
+          continue;
+        if (!staticFields.has(fieldName))
+          continue;
+        rhs = rhs.trim().replace(/;\s*$/, "");
+        if (!javaHttpPattern.test(rhs))
+          continue;
+        sources.push({
+          type: "http_param",
+          location: `${type.name}.${fieldName} static field set in ${m.name}() — #78 round 2`,
+          severity: "high",
+          line: i2 + 1,
+          confidence: 0.85,
+          variable: fieldName
+        });
+        sources.push({
+          type: "http_param",
+          location: `${type.name}.${fieldName} static field (qualified read alias) — #78 round 2`,
+          severity: "high",
+          line: i2 + 1,
+          confidence: 0.85,
+          variable: `${type.name}.${fieldName}`
+        });
+      }
+    }
+  }
+  return sources;
+}
+function findSetterChainSources(types, sourceCode, language) {
+  if (language !== "java")
+    return [];
+  const sources = [];
+  const lines = sourceCode.split(`
+`);
+  const javaHttpPattern = /\b(?:req|request|httpRequest|servletRequest|httpServletRequest)\.(?:getParameter|getParameterValues|getParameterMap|getHeader|getHeaders|getCookies|getQueryString|getPathInfo|getRequestURI|getRequestURL|getInputStream|getReader)\b/;
+  for (const type of types) {
+    if (type.kind !== "class")
+      continue;
+    if (type.name === "<module>")
+      continue;
+    const pairs = new Map;
+    const setterRe = /this\.([A-Za-z_]\w*)\s*=\s*([A-Za-z_]\w*)\s*;?/;
+    const getterRe = /return\s+this\.([A-Za-z_]\w*)\s*;?/;
+    for (const m of type.methods) {
+      if (m.name === type.name)
+        continue;
+      const mStart = m.start_line;
+      const mEnd = m.end_line;
+      const fullBody = lines.slice(mStart - 1, Math.min(mEnd, lines.length)).join(`
+`);
+      const open = fullBody.indexOf("{");
+      const close = fullBody.lastIndexOf("}");
+      if (open < 0 || close < 0 || close <= open)
+        continue;
+      const inner = fullBody.slice(open + 1, close).replace(/\/\/[^\n]*/g, "").trim();
+      if (!inner)
+        continue;
+      const sm = inner.match(setterRe);
+      if (sm && m.parameters.length === 1 && sm[2] === m.parameters[0].name) {
+        const remainder = inner.replace(sm[0], "").trim();
+        if (!remainder) {
+          const entry = pairs.get(sm[1]) ?? {};
+          entry.setter = m.name;
+          pairs.set(sm[1], entry);
+          continue;
+        }
+      }
+      const gm = inner.match(getterRe);
+      if (gm && m.parameters.length === 0) {
+        const remainder = inner.replace(gm[0], "").trim();
+        if (!remainder) {
+          const entry = pairs.get(gm[1]) ?? {};
+          entry.getter = m.name;
+          pairs.set(gm[1], entry);
+        }
+      }
+    }
+    for (const [, { setter, getter }] of pairs) {
+      if (!setter || !getter)
+        continue;
+      const setterCallRe = new RegExp(`\\b([A-Za-z_]\\w*)\\.${setter}\\s*\\(\\s*([^)]+?)\\s*\\)\\s*;?`);
+      for (let i2 = 0;i2 < lines.length; i2++) {
+        const line = lines[i2] ?? "";
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("//"))
+          continue;
+        const cm = trimmed.match(setterCallRe);
+        if (!cm)
+          continue;
+        const arg = cm[2];
+        if (!javaHttpPattern.test(arg))
+          continue;
+        sources.push({
+          type: "http_param",
+          location: `${type.name}.${setter}(tainted) → ${type.name}.${getter}() chain — #78 round 2`,
+          severity: "high",
+          line: i2 + 1,
+          confidence: 0.75,
+          variable: getter
+        });
+      }
+    }
+  }
+  return sources;
+}
 function findJavaScriptAssignmentSources(sourceCode, language) {
   if (!["javascript", "typescript"].includes(language))
     return [];
@@ -31047,7 +31317,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.65.0";
+var version = "3.66.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.65.0",
+  "version": "3.66.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.65.0"
+    "circle-ir": "^3.66.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",