cognium-dev 3.67.0 → 3.69.0

package/dist/cli.js

@@ -6279,6 +6279,12 @@ function extractPythonLiteral(node) {
   if (literalTypes.includes(node.type)) {
     const text = getNodeText(node);
     if (node.type === "string") {
+      for (let i2 = 0;i2 < node.childCount; i2++) {
+        const child = node.child(i2);
+        if (child && child.type === "interpolation") {
+          return null;
+        }
+      }
       return text.replace(/^['"]|['"]$/g, "").replace(/^f['"]|['"]$/g, "");
     }
     return text;
@@ -16864,6 +16870,22 @@ class PythonPlugin extends BaseLanguagePlugin {
         severity: "high",
         argPositions: [0]
       },
+      {
+        method: "urlretrieve",
+        class: "urllib.request",
+        type: "ssrf",
+        cwe: "CWE-918",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "urlretrieve",
+        class: "urllib.request",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [1]
+      },
       {
         method: "loads",
         class: "pickle",
@@ -29561,6 +29583,237 @@ class TlsVerifyDisabledPass {
   }
 }
 
+// ../circle-ir/dist/analysis/passes/module-side-effect-pass.js
+var JS_EXEC_METHODS = new Set([
+  "exec",
+  "spawn",
+  "execSync",
+  "spawnSync",
+  "execFile",
+  "execFileSync"
+]);
+var JS_EXEC_RECEIVERS = new Set([
+  "child_process",
+  "cp"
+]);
+var JS_NETWORK_RECEIVER_METHOD = new Set([
+  "https:request",
+  "http:request",
+  "https:get",
+  "http:get"
+]);
+var JS_NETWORK_MAYBE = new Set([
+  "fetch"
+]);
+var JS_ENV_SIGNAL_RE = /\bprocess\.env\b|\bos\.homedir\b|\/etc\/(passwd|shadow)\b|\.ssh\/id_(rsa|dsa|ed25519)\b|\bhomedir\b/;
+var PKG_JSON_BENIGN_INSTALL = new Set([
+  "node-gyp rebuild",
+  "prebuild-install",
+  "prebuild-install || node-gyp rebuild",
+  "husky install",
+  "patch-package",
+  "npm run build"
+]);
+var PKG_JSON_INSTALL_SHELL_RE = /\b(curl|wget|nc|ncat|node\s+-e|node\s+-r|sh\s+-c|bash\s+-c|eval|base64\s+-d)\b/;
+var PY_NETWORK_RECEIVER_METHODS = [
+  { receiver: "requests", method: "post" },
+  { receiver: "requests", method: "put" },
+  { receiver: "urllib.request", method: "urlopen" },
+  { receiver: "socket", method: "create_connection" },
+  { receiver: "socket", method: "connect" },
+  { receiver: "subprocess", method: "run" },
+  { receiver: "subprocess", method: "Popen" },
+  { receiver: "os", method: "system" }
+];
+var PY_ENV_SIGNAL_RE = /\bos\.environ\b|\bpwd\.getpw\b|\bid_(rsa|dsa|ed25519)\b|\bhome\b|\b\/etc\/(passwd|shadow)\b|\bPath\.home\b|\bglob\.glob\b/;
+var GO_INIT_DANGEROUS = [
+  { receiver: "exec", method: "Command" },
+  { receiver: "http", method: "Post" },
+  { receiver: "http", method: "Get" },
+  { receiver: "net", method: "LookupTXT" },
+  { receiver: "os", method: "Setenv" }
+];
+var RUST_DANGEROUS_METHODS = new Set([
+  "Command::new",
+  "process::Command::new",
+  "std::process::Command::new",
+  "new"
+]);
+var RUST_DANGEROUS_RECEIVERS = new Set([
+  "Command",
+  "process::Command",
+  "std::process::Command",
+  "reqwest",
+  "reqwest::blocking"
+]);
+
+class ModuleSideEffectPass {
+  name = "module-side-effect";
+  category = "security";
+  run(ctx) {
+    const { graph, language, code } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const emit = (line, pattern, api) => {
+      if (findings.some((f) => f.line === line && f.pattern === pattern))
+        return;
+      findings.push({ line, language, pattern, api });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}-${pattern.replace(/\W+/g, "-")}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-829",
+        severity: "high",
+        level: "error",
+        message: `Module-level / install-time side effect (${pattern}) in \`${api}\`. ` + `Code that runs at import / build / install time is invisible to ` + `runtime defenses and is the standard delivery vector for supply-` + `chain droppers (shai-hulud-style harvesters, malicious typosquats, ` + `build.rs exfil). If this side effect is intentional, move it into ` + `an explicit function invoked at runtime; if it is install-time ` + `configuration, restrict it to documented APIs (e.g. \`cargo:\` ` + `directives, \`node-gyp rebuild\`).`,
+        file,
+        line,
+        fix: this.fixFor(language, pattern),
+        evidence: { language, api, pattern }
+      });
+    };
+    const isRustBuildScript = language === "rust" && /\bbuild\.rs$/.test(file);
+    for (const call of graph.ir.calls) {
+      if (language === "rust" && !isRustBuildScript)
+        continue;
+      const det = this.detectCall(call, language);
+      if (!det)
+        continue;
+      emit(call.location.line, det.pattern, det.api);
+    }
+    if (language === "javascript" || language === "typescript") {
+      if (/\bpackage\.json$/.test(file)) {
+        for (const extra of this.scanPackageJson(code)) {
+          emit(extra.line, extra.pattern, extra.api);
+        }
+      }
+    }
+    return { findings };
+  }
+  detectCall(call, language) {
+    const method = call.method_name;
+    const receiver = call.receiver ?? "";
+    if (language === "javascript" || language === "typescript") {
+      if (call.in_method != null)
+        return null;
+      if (JS_EXEC_RECEIVERS.has(receiver) && JS_EXEC_METHODS.has(method)) {
+        return {
+          pattern: "module-level child_process call",
+          api: `${receiver}.${method}`
+        };
+      }
+      const recvMethod = `${receiver}:${method}`;
+      if (JS_NETWORK_RECEIVER_METHOD.has(recvMethod)) {
+        return {
+          pattern: "module-level network request",
+          api: `${receiver}.${method}`
+        };
+      }
+      if (JS_NETWORK_MAYBE.has(method) && receiver === "") {
+        for (const arg of call.arguments) {
+          if (JS_ENV_SIGNAL_RE.test(arg.expression ?? "")) {
+            return {
+              pattern: "module-level fetch of process.env",
+              api: method
+            };
+          }
+        }
+      }
+      return null;
+    }
+    if (language === "python") {
+      if (call.in_method != null)
+        return null;
+      for (const tuple of PY_NETWORK_RECEIVER_METHODS) {
+        if (receiver === tuple.receiver && method === tuple.method) {
+          for (const arg of call.arguments) {
+            if (PY_ENV_SIGNAL_RE.test(arg.expression ?? "")) {
+              return {
+                pattern: "import-time network call with env signal",
+                api: `${receiver}.${method}`
+              };
+            }
+          }
+        }
+      }
+      return null;
+    }
+    if (language === "go") {
+      if (call.in_method !== "init")
+        return null;
+      for (const tuple of GO_INIT_DANGEROUS) {
+        if (receiver === tuple.receiver && method === tuple.method) {
+          return {
+            pattern: "init() install-time side effect",
+            api: `${receiver}.${method}`
+          };
+        }
+      }
+      return null;
+    }
+    if (language === "rust") {
+      const recv = receiver.trim();
+      if (RUST_DANGEROUS_RECEIVERS.has(recv) || recv.startsWith("Command::")) {
+        if (method === "new" || RUST_DANGEROUS_METHODS.has(method) || method === "get" || method === "post") {
+          return {
+            pattern: "build.rs side effect",
+            api: `${recv || method}.${method}`
+          };
+        }
+      }
+      return null;
+    }
+    return null;
+  }
+  scanPackageJson(code) {
+    const out2 = [];
+    const lines = code.split(`
+`);
+    const installRe = /"(pre|post)?install"\s*:\s*"([^"]+)"/i;
+    for (let i2 = 0;i2 < lines.length; i2++) {
+      const m = lines[i2].match(installRe);
+      if (!m)
+        continue;
+      const value = m[2].trim();
+      if (PKG_JSON_BENIGN_INSTALL.has(value))
+        continue;
+      if (!PKG_JSON_INSTALL_SHELL_RE.test(value))
+        continue;
+      out2.push({
+        line: i2 + 1,
+        pattern: "npm lifecycle hook executes shell",
+        api: `scripts.${m[1] ?? ""}install`
+      });
+    }
+    return out2;
+  }
+  fixFor(language, pattern) {
+    if (pattern.includes("child_process")) {
+      return "Remove the module-level child_process call. If an install-time " + "step is genuinely required, move it into an explicit function and " + "document why it must run at install time.";
+    }
+    if (pattern.includes("module-level network")) {
+      return "Network requests should not run at module load. Move the call " + "inside an exported function called explicitly by the caller.";
+    }
+    if (pattern.includes("module-level fetch of process.env")) {
+      return "Exfiltrating `process.env` at module load is the canonical " + "supply-chain dropper shape. Remove this code or, if intentional, " + "gate it behind an explicit opt-in.";
+    }
+    if (pattern.includes("npm lifecycle hook")) {
+      return "Replace the install-script shell payload with a build tool " + "(e.g. `node-gyp rebuild`, `prebuild-install`). Lifecycle scripts " + "that invoke curl/wget/node -e/sh -c are how supply-chain droppers " + "are delivered.";
+    }
+    if (pattern.includes("import-time network call")) {
+      return "Move the network call inside an explicit function. Sending " + "`os.environ` or filesystem secrets at module import is the canonical " + "credential-harvester shape.";
+    }
+    if (pattern.includes("init()")) {
+      return "Move the side effect out of `init()`. Go `init` functions " + "run automatically on package import; network/exec calls there are " + "invisible to the caller and are how supply-chain droppers operate.";
+    }
+    if (pattern.includes("build.rs")) {
+      return "`build.rs` should only emit `cargo:` directives. " + "Spawning subprocesses or making network requests at build time is " + "a documented supply-chain attack vector (see RUSTSEC).";
+    }
+    return "Remove the module-level side effect or move it inside an " + "explicit, runtime-invoked function.";
+  }
+}
+
 // ../circle-ir/dist/analysis/passes/jwt-verify-disabled-pass.js
 var PY_VERIFY_SIGNATURE_FALSE_RE = /["']verify_signature["']\s*:\s*False\b/;
 var PY_VERIFY_KW_FALSE_RE = /\bverify\s*=\s*False\b/;
@@ -31153,6 +31406,8 @@ async function analyze(code, filePath, language, options = {}) {
       pipeline.add(new WeakRandomPass);
     if (!disabledPasses.has("tls-verify-disabled"))
       pipeline.add(new TlsVerifyDisabledPass);
+    if (!disabledPasses.has("module-side-effect"))
+      pipeline.add(new ModuleSideEffectPass);
     if (!disabledPasses.has("jwt-verify-disabled"))
       pipeline.add(new JwtVerifyDisabledPass);
     if (!disabledPasses.has("csrf-protection-disabled"))
@@ -31354,7 +31609,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.67.0";
+var version = "3.69.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.67.0",
+  "version": "3.69.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.67.0"
+    "circle-ir": "^3.69.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",