cognium-dev 3.65.0 → 3.67.0

package/dist/cli.js

@@ -11038,9 +11038,11 @@ var DEFAULT_SINKS = [
   { method: "rmdir", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "createReadStream", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "createWriteStream", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
-  { method: "query", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
-  { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
-  { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "query", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"], allow_unresolved_receiver: true },
+  { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"], allow_unresolved_receiver: true },
+  { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"], allow_unresolved_receiver: true },
+  { method: "execute", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"], allow_unresolved_receiver: true },
+  { method: "execute", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"], allow_unresolved_receiver: true },
   { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
   { method: "setAttribute", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
   { method: "send", class: "Response", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -11053,6 +11055,9 @@ var DEFAULT_SINKS = [
   { method: "runInContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "runInNewContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "runInThisContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "parse", class: "protobuf", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parse", class: "protobufjs", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parse", class: "Root", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
   { method: "find", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "findOne", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "updateOne", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
@@ -12249,6 +12254,9 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
       if (typeHierarchy && typeHierarchy.couldBeType(call.receiver, pattern.class)) {
         return true;
       }
+      if (pattern.allow_unresolved_receiver && !call.receiver_type && !call.receiver_type_fqn && call.receiver.includes(".")) {
+        return true;
+      }
       return false;
     } else if (!call.receiver && !call.receiver_type) {
       const target = call.resolution?.target;
@@ -15265,6 +15273,9 @@ class DefaultLanguageRegistry {
     if (language === "tsx") {
       return this.plugins.get("javascript");
     }
+    if (language === "typescript") {
+      return this.plugins.get("javascript");
+    }
     return this.plugins.get(language);
   }
   getForFile(filePath) {
@@ -19080,10 +19091,26 @@ class CrossFileResolver {
   }
   resolveWithReceiver(call, fromFile) {
     const receiver = call.receiver;
-    const receiverType = this.inferReceiverType(receiver, fromFile);
+    const receiverType = call.receiver_type_fqn ?? this.inferReceiverType(receiver, fromFile);
     if (receiverType) {
       const methodSymbol = this.symbolTable.findMethod(receiverType, call.method_name);
       if (methodSymbol) {
+        const parent = methodSymbol.parentType ? this.symbolTable.getSymbol(methodSymbol.parentType) : undefined;
+        if (parent && parent.kind === "interface") {
+          const candidates2 = this.findPolymorphicCandidates(receiverType, call.method_name);
+          if (candidates2.length > 0) {
+            const primary = candidates2[0];
+            return {
+              call,
+              sourceFile: fromFile,
+              targetFile: primary.file,
+              targetMethod: primary.fqn,
+              targetClass: primary.parentType || receiverType,
+              resolution: "polymorphic",
+              candidates: candidates2.map((c) => c.fqn)
+            };
+          }
+        }
         return {
           call,
           sourceFile: fromFile,
@@ -20096,7 +20123,8 @@ class CrossFilePass {
     });
     const ipPaths = [
       ...resolver.findInterproceduralTaintPaths(),
-      ...resolver.findFieldBindingTaintPaths()
+      ...resolver.findFieldBindingTaintPaths(),
+      ...findCrossInstanceAliasingPaths(projectGraph, sourceLines)
     ];
     for (let i2 = 0;i2 < ipPaths.length; i2++) {
       const p = ipPaths[i2];
@@ -20172,6 +20200,108 @@ class CrossFilePass {
     return { crossFileCalls, taintPaths, typeHierarchy };
   }
 }
+function findCrossInstanceAliasingPaths(projectGraph, _sourceLines) {
+  const paths = [];
+  const javaHttpPattern = /\b(?:req|request|httpRequest|servletRequest|httpServletRequest)\.(?:getParameter|getParameterValues|getParameterMap|getHeader|getHeaders|getCookies|getQueryString|getPathInfo|getRequestURI|getRequestURL|getInputStream|getReader)\b/;
+  const aliasWriteRe = /^\s*this\.([A-Za-z_]\w*)\.([A-Za-z_]\w*)\s*=\s*(.+?)(?:;\s*)?$/;
+  const typeIndex = new Map;
+  for (const filePath of projectGraph.filePaths) {
+    const ir = projectGraph.getIR(filePath);
+    if (!ir)
+      continue;
+    if (ir.meta.language !== "java")
+      continue;
+    for (const t of ir.types) {
+      if (t.kind === "class")
+        typeIndex.set(t.name, { file: filePath, type: t, ir });
+    }
+  }
+  if (typeIndex.size === 0)
+    return paths;
+  for (const filePath of projectGraph.filePaths) {
+    const ir = projectGraph.getIR(filePath);
+    if (!ir)
+      continue;
+    if (ir.meta.language !== "java")
+      continue;
+    const lines = _sourceLines.get(filePath);
+    if (!lines || lines.length === 0)
+      continue;
+    for (const type of ir.types) {
+      if (type.kind !== "class")
+        continue;
+      const aliasFields = new Map;
+      for (const f of type.fields) {
+        if (!f.type)
+          continue;
+        const simple = f.type.replace(/<.*>/g, "").replace(/\[\]$/, "").trim();
+        if (typeIndex.has(simple))
+          aliasFields.set(f.name, simple);
+      }
+      if (aliasFields.size === 0)
+        continue;
+      for (const m of type.methods) {
+        if (m.name === type.name)
+          continue;
+        const mStart = m.start_line;
+        const mEnd = m.end_line;
+        for (let i2 = mStart - 1;i2 < Math.min(mEnd, lines.length); i2++) {
+          const trimmed = (lines[i2] ?? "").trim();
+          if (!trimmed || trimmed.startsWith("//"))
+            continue;
+          const wm = trimmed.match(aliasWriteRe);
+          if (!wm)
+            continue;
+          const aliasField = wm[1];
+          const innerField = wm[2];
+          const rhs = wm[3].trim().replace(/;\s*$/, "");
+          const aliasType = aliasFields.get(aliasField);
+          if (!aliasType)
+            continue;
+          const target = typeIndex.get(aliasType);
+          if (!target)
+            continue;
+          if (!target.type.fields.some((f) => f.name === innerField))
+            continue;
+          if (!javaHttpPattern.test(rhs))
+            continue;
+          const innerRe = new RegExp(`\\b${innerField}\\b`);
+          for (const tm of target.type.methods) {
+            const sinksInTarget = target.ir.taint.sinks.filter((s) => s.line >= tm.start_line && s.line <= tm.end_line);
+            for (const sink of sinksInTarget) {
+              const callsAtSink = target.ir.calls.filter((c) => c.location.line === sink.line);
+              let matched = false;
+              for (const c of callsAtSink) {
+                for (const a of c.arguments ?? []) {
+                  if (innerRe.test(a.expression ?? "") || a.variable === innerField) {
+                    matched = true;
+                    break;
+                  }
+                }
+                if (matched)
+                  break;
+              }
+              if (!matched)
+                continue;
+              paths.push({
+                source: { file: filePath, line: i2 + 1, type: "http_param" },
+                sink: { file: target.file, line: sink.line, type: sink.type, cwe: sink.cwe },
+                hops: [
+                  { file: filePath, line: i2 + 1, method: m.name, kind: "source" },
+                  { file: filePath, line: i2 + 1, method: m.name, kind: "field_write" },
+                  { file: target.file, line: tm.start_line, method: tm.name, kind: "field_read" },
+                  { file: target.file, line: sink.line, method: tm.name, kind: "sink" }
+                ],
+                confidence: 0.65
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+  return paths;
+}
 
 // ../circle-ir/dist/analysis/html/html-extractor.js
 var EVENT_HANDLER_ATTRS = new Set([
@@ -20878,6 +21008,8 @@ class LanguageSourcesPass {
     const additionalSanitizers = [];
     additionalSources.push(...findGetterSources(types, constProp.instanceFieldTaint, code));
     additionalSources.push(...findOopFieldReadSources(types, code, language));
+    additionalSources.push(...findStaticFieldSources(types, code, language));
+    additionalSources.push(...findSetterChainSources(types, code, language));
     additionalSources.push(...findJavaScriptAssignmentSources(code, language));
     const jsDOMSinks = findJavaScriptDOMSinks(code, language);
     for (const s of jsDOMSinks) {
@@ -21106,6 +21238,155 @@ function findOopFieldReadSources(types, sourceCode, language) {
   }
   return sources;
 }
+function findStaticFieldSources(types, sourceCode, language) {
+  if (language !== "java")
+    return [];
+  const sources = [];
+  const lines = sourceCode.split(`
+`);
+  const javaHttpPattern = /\b(?:req|request|httpRequest|servletRequest|httpServletRequest)\.(?:getParameter|getParameterValues|getParameterMap|getHeader|getHeaders|getCookies|getQueryString|getPathInfo|getRequestURI|getRequestURL|getInputStream|getReader)\b/;
+  for (const type of types) {
+    if (type.kind !== "class")
+      continue;
+    if (type.name === "<module>")
+      continue;
+    const staticFields = new Set;
+    for (const f of type.fields) {
+      if (f.modifiers.includes("static"))
+        staticFields.add(f.name);
+    }
+    if (staticFields.size === 0)
+      continue;
+    const qualifiedAssignRe = new RegExp(`^\\s*${type.name}\\.([A-Za-z_]\\w*)\\s*=\\s*(.+?)(?:;\\s*)?$`);
+    const bareAssignRe = /^\s*([A-Za-z_]\w*)\s*=\s*(.+?)(?:;\s*)?$/;
+    for (const m of type.methods) {
+      if (!m.modifiers.includes("static"))
+        continue;
+      const mStart = m.start_line;
+      const mEnd = m.end_line;
+      for (let i2 = mStart - 1;i2 < Math.min(mEnd, lines.length); i2++) {
+        const line = lines[i2] ?? "";
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("//"))
+          continue;
+        let fieldName = null;
+        let rhs = null;
+        const qm = trimmed.match(qualifiedAssignRe);
+        if (qm) {
+          fieldName = qm[1];
+          rhs = qm[2];
+        } else {
+          const bm = trimmed.match(bareAssignRe);
+          if (bm) {
+            fieldName = bm[1];
+            rhs = bm[2];
+          }
+        }
+        if (!fieldName || !rhs)
+          continue;
+        if (!staticFields.has(fieldName))
+          continue;
+        rhs = rhs.trim().replace(/;\s*$/, "");
+        if (!javaHttpPattern.test(rhs))
+          continue;
+        sources.push({
+          type: "http_param",
+          location: `${type.name}.${fieldName} static field set in ${m.name}() — #78 round 2`,
+          severity: "high",
+          line: i2 + 1,
+          confidence: 0.85,
+          variable: fieldName
+        });
+        sources.push({
+          type: "http_param",
+          location: `${type.name}.${fieldName} static field (qualified read alias) — #78 round 2`,
+          severity: "high",
+          line: i2 + 1,
+          confidence: 0.85,
+          variable: `${type.name}.${fieldName}`
+        });
+      }
+    }
+  }
+  return sources;
+}
+function findSetterChainSources(types, sourceCode, language) {
+  if (language !== "java")
+    return [];
+  const sources = [];
+  const lines = sourceCode.split(`
+`);
+  const javaHttpPattern = /\b(?:req|request|httpRequest|servletRequest|httpServletRequest)\.(?:getParameter|getParameterValues|getParameterMap|getHeader|getHeaders|getCookies|getQueryString|getPathInfo|getRequestURI|getRequestURL|getInputStream|getReader)\b/;
+  for (const type of types) {
+    if (type.kind !== "class")
+      continue;
+    if (type.name === "<module>")
+      continue;
+    const pairs = new Map;
+    const setterRe = /this\.([A-Za-z_]\w*)\s*=\s*([A-Za-z_]\w*)\s*;?/;
+    const getterRe = /return\s+this\.([A-Za-z_]\w*)\s*;?/;
+    for (const m of type.methods) {
+      if (m.name === type.name)
+        continue;
+      const mStart = m.start_line;
+      const mEnd = m.end_line;
+      const fullBody = lines.slice(mStart - 1, Math.min(mEnd, lines.length)).join(`
+`);
+      const open = fullBody.indexOf("{");
+      const close = fullBody.lastIndexOf("}");
+      if (open < 0 || close < 0 || close <= open)
+        continue;
+      const inner = fullBody.slice(open + 1, close).replace(/\/\/[^\n]*/g, "").trim();
+      if (!inner)
+        continue;
+      const sm = inner.match(setterRe);
+      if (sm && m.parameters.length === 1 && sm[2] === m.parameters[0].name) {
+        const remainder = inner.replace(sm[0], "").trim();
+        if (!remainder) {
+          const entry = pairs.get(sm[1]) ?? {};
+          entry.setter = m.name;
+          pairs.set(sm[1], entry);
+          continue;
+        }
+      }
+      const gm = inner.match(getterRe);
+      if (gm && m.parameters.length === 0) {
+        const remainder = inner.replace(gm[0], "").trim();
+        if (!remainder) {
+          const entry = pairs.get(gm[1]) ?? {};
+          entry.getter = m.name;
+          pairs.set(gm[1], entry);
+        }
+      }
+    }
+    for (const [, { setter, getter }] of pairs) {
+      if (!setter || !getter)
+        continue;
+      const setterCallRe = new RegExp(`\\b([A-Za-z_]\\w*)\\.${setter}\\s*\\(\\s*([^)]+?)\\s*\\)\\s*;?`);
+      for (let i2 = 0;i2 < lines.length; i2++) {
+        const line = lines[i2] ?? "";
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("//"))
+          continue;
+        const cm = trimmed.match(setterCallRe);
+        if (!cm)
+          continue;
+        const arg = cm[2];
+        if (!javaHttpPattern.test(arg))
+          continue;
+        sources.push({
+          type: "http_param",
+          location: `${type.name}.${setter}(tainted) → ${type.name}.${getter}() chain — #78 round 2`,
+          severity: "high",
+          line: i2 + 1,
+          confidence: 0.75,
+          variable: getter
+        });
+      }
+    }
+  }
+  return sources;
+}
 function findJavaScriptAssignmentSources(sourceCode, language) {
   if (!["javascript", "typescript"].includes(language))
     return [];
@@ -21852,6 +22133,32 @@ class SinkFilterPass {
         return true;
       });
     }
+    if (["javascript", "typescript"].includes(language)) {
+      const sourceLines = ctx.code.split(`
+`);
+      const guardPatterns = /\b(?:includes|startsWith|endsWith|indexOf|test|match)\s*\(/;
+      filtered = filtered.filter((sink) => {
+        if (sink.type !== "open_redirect" && sink.type !== "crlf") {
+          return true;
+        }
+        const sinkLineText = sourceLines[sink.line - 1] ?? "";
+        const startLine = Math.max(0, sink.line - 7);
+        for (let i2 = startLine;i2 < sink.line - 1; i2++) {
+          const line = sourceLines[i2] ?? "";
+          if (/\bif\s*\(/.test(line) && guardPatterns.test(line)) {
+            return false;
+          }
+        }
+        if (/\bencodeURIComponent\s*\(|\bencodeURI\s*\(/.test(sinkLineText)) {
+          return false;
+        }
+        const setHeaderMatch = sinkLineText.match(/setHeader\s*\(\s*[^,]+,\s*(['"`])([^'"`]*)\1\s*\)/);
+        if (setHeaderMatch) {
+          return false;
+        }
+        return true;
+      });
+    }
     return { sources, sinks: filtered, sanitizers };
   }
 }
@@ -31047,7 +31354,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.65.0";
+var version = "3.67.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.65.0",
+  "version": "3.67.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.65.0"
+    "circle-ir": "^3.67.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",