cognium-dev 3.69.0 → 3.71.0

package/dist/cli.js

@@ -21228,6 +21228,13 @@ function findOopFieldReadSources(types, sourceCode, language) {
       let returnedField = null;
       let returnStatementCount = 0;
       const returnRe = new RegExp(`\\breturn\\s+${SELF}\\.([A-Za-z_]\\w*)\\s*[;}]?`);
+      const guardRePy = /\bif\s+[\w.]+\s+(?:not\s+)?in\s+(?:self\.)?[A-Z_][A-Z0-9_]*\s*:/;
+      const guardThrowRePy = /^\s*(?:raise\b|abort\b|return\s+(?:None\b|''|""|\)?$))/;
+      const guardReJv = /\bif\s*\(\s*!\s*(?:this\.)?[A-Z_][A-Z0-9_]*\s*\.\s*(?:contains|includes|has|matches)\s*\(/;
+      const guardThrowReJv = /^\s*(?:throw\b|return\s+null\b)/;
+      const guardRe = isPython ? guardRePy : guardReJv;
+      const guardThrowRe = isPython ? guardThrowRePy : guardThrowReJv;
+      let hasAllowlistGuard = false;
       for (let i2 = mStart - 1;i2 < Math.min(mEnd, lines.length); i2++) {
         const raw = lines[i2] ?? "";
         const trimmed = raw.trim();
@@ -21243,8 +21250,17 @@ function findOopFieldReadSources(types, sourceCode, language) {
           returnStatementCount = 99;
           break;
         }
+        if (guardRe.test(trimmed)) {
+          for (let j = i2 + 1;j < Math.min(i2 + 4, mEnd, lines.length); j++) {
+            const next = lines[j] ?? "";
+            if (guardThrowRe.test(next)) {
+              hasAllowlistGuard = true;
+              break;
+            }
+          }
+        }
       }
-      if (returnStatementCount === 1 && returnedField && fieldTaint.has(returnedField)) {
+      if (returnStatementCount === 1 && returnedField && fieldTaint.has(returnedField) && !hasAllowlistGuard) {
         const fieldInfo = fieldTaint.get(returnedField);
         const getterVar = isPython ? `${SELF}.${m.name}` : m.name;
         sources.push({
@@ -22835,6 +22851,23 @@ class TaintPropagationPass {
         return false;
       });
     }
+    if (typeof ctx.code === "string") {
+      const sinkByLine = new Map;
+      for (const s of sinks) {
+        if (s.type === "nosql_injection")
+          sinkByLine.set(s.line, s);
+      }
+      if (sinkByLine.size > 0) {
+        finalFlows = finalFlows.filter((f) => {
+          if (f.sink_type !== "nosql_injection")
+            return true;
+          const sink = sinkByLine.get(f.sink_line);
+          if (!sink || !sink.code || !sink.method)
+            return true;
+          return !isMongoValueBoundFilter(sink.code, sink.method);
+        });
+      }
+    }
     if (finalFlows.length > 1) {
       const bestByKey = new Map;
       for (const f of finalFlows) {
@@ -22852,6 +22885,76 @@ class TaintPropagationPass {
     return { flows: finalFlows };
   }
 }
+function isMongoValueBoundFilter(sinkCode, sinkMethod) {
+  if (!sinkCode || !sinkMethod)
+    return false;
+  const callIdx = sinkCode.indexOf(`${sinkMethod}(`);
+  if (callIdx < 0)
+    return false;
+  const openIdx = callIdx + sinkMethod.length;
+  let depth = 0;
+  let braceDepth = 0;
+  let bracketDepth = 0;
+  let inString = null;
+  let firstArgEnd = -1;
+  let firstArgComma = -1;
+  const limit = Math.min(sinkCode.length, openIdx + 4096);
+  for (let i2 = openIdx;i2 < limit; i2++) {
+    const ch = sinkCode[i2];
+    if (inString) {
+      if (ch === "\\" && i2 + 1 < limit) {
+        i2++;
+        continue;
+      }
+      if (ch === inString)
+        inString = null;
+      continue;
+    }
+    if (ch === '"' || ch === "'" || ch === "`") {
+      inString = ch;
+      continue;
+    }
+    if (ch === "(")
+      depth++;
+    else if (ch === ")") {
+      depth--;
+      if (depth === 0) {
+        firstArgEnd = i2;
+        break;
+      }
+    } else if (ch === "{")
+      braceDepth++;
+    else if (ch === "}")
+      braceDepth--;
+    else if (ch === "[")
+      bracketDepth++;
+    else if (ch === "]")
+      bracketDepth--;
+    else if (ch === "," && depth === 1 && braceDepth === 0 && bracketDepth === 0) {
+      if (firstArgComma < 0)
+        firstArgComma = i2;
+    }
+  }
+  if (firstArgEnd < 0)
+    return false;
+  const argEnd = firstArgComma >= 0 ? firstArgComma : firstArgEnd;
+  const firstArg = sinkCode.slice(openIdx + 1, argEnd).trim();
+  if (!firstArg)
+    return false;
+  if (firstArg[0] !== "{" || firstArg[firstArg.length - 1] !== "}")
+    return false;
+  const body2 = firstArg.slice(1, -1).trim();
+  if (!body2)
+    return false;
+  const stripped = body2.replace(/(['"`])(?:\\.|(?!\1).)*\1/g, '""');
+  if (/\.\.\./.test(stripped))
+    return false;
+  if (/(^|[,{\s])\$[A-Za-z_]\w*\s*:/.test(stripped))
+    return false;
+  if (/(['"])\$[A-Za-z_]\w*\1\s*:/.test(body2))
+    return false;
+  return true;
+}
 function isInJavaSanitizedMethod(code, types, sinkLine, sinkType) {
   if (!types || types.length === 0)
     return false;
@@ -29814,6 +29917,293 @@ class ModuleSideEffectPass {
   }
 }
 
+// ../circle-ir/dist/analysis/passes/cache-no-vary-pass.js
+function isSharedCacheable(value) {
+  const v = value.toLowerCase();
+  if (/\b(private|no-store|no-cache)\b/.test(v))
+    return false;
+  const pub = /\bpublic\b/.test(v);
+  const maxMatch = /\b(?:s-maxage|max-age)\s*=\s*(\d+)/.exec(v);
+  const positiveMax = maxMatch ? Number(maxMatch[1]) > 0 : false;
+  return pub || positiveMax;
+}
+function isVaryCovering(value) {
+  const v = value.toLowerCase();
+  return /\b(cookie|authorization|\*)\b/.test(v);
+}
+var JS_AUTH_SIGNAL_RE = /\b(?:req|request)\s*\.\s*(?:cookies|session|user(?:Id|Name)?)\b|\b(?:req|request)\s*\.\s*headers\s*\.\s*(?:cookie|authorization)\b|\bres(?:ponse)?\s*\.\s*cookie\s*\(/i;
+var PY_AUTH_SIGNAL_RE = /\brequest\s*\.\s*cookies\b|\brequest\s*\.\s*headers\s*\.\s*get\s*\(\s*['"]Authorization['"]|\brequest\s*\.\s*authorization\b|\bsession\s*\[|\b(?:g\.user|current_user)\b|\bset_cookie\s*\(/i;
+var GO_AUTH_SIGNAL_RE = /\br\s*\.\s*Cookie\s*\(|\br\s*\.\s*Header\s*(?:\(\)|\.)\s*\.?\s*Get\s*\(\s*"(?:Cookie|Authorization)"|\br\s*\.\s*BasicAuth\s*\(|\bhttp\s*\.\s*SetCookie\s*\(|\bc\s*\.\s*(?:GetHeader|Cookie|SetCookie)\s*\(/;
+var JAVA_AUTH_SIGNAL_RE = /@CookieValue\b|@RequestHeader\s*\(\s*"(?:Cookie|Authorization)"|\brequest\s*\.\s*getCookies\s*\(|\brequest\s*\.\s*getHeader\s*\(\s*"(?:Cookie|Authorization)"|\bresponse\s*\.\s*addCookie\s*\(|\bSecurityContextHolder\b|\bPrincipal\s+\w+|\bAuthentication\s+\w+/;
+var PY_CACHE_HEADER_ASSIGN_RE = /\w+(?:\s*\.\s*\w+)*\s*\.\s*headers\s*\[\s*['"]Cache-Control['"]\s*\]\s*=\s*(['"])([^'"]*)\1/i;
+var PY_VARY_HEADER_ASSIGN_RE = /\w+(?:\s*\.\s*\w+)*\s*\.\s*headers\s*\[\s*['"]Vary['"]\s*\]\s*=\s*(['"])([^'"]*)\1/i;
+var PY_VARY_DECORATOR_RE = /^\s*@\s*(?:vary_on_cookie|vary_on_headers)\b/;
+var PY_CACHE_CONTROL_DECORATOR_RE = /^\s*@\s*cache_control\s*\(([^)]*)\)/;
+var JS_HEADER_METHODS = new Set(["setHeader", "set", "header"]);
+var GO_HEADER_METHODS = new Set(["Set", "Add"]);
+var JAVA_HEADER_METHODS = new Set(["setHeader", "addHeader"]);
+var JS_RES_RECEIVERS = new Set(["res", "response", "ctx"]);
+function classifyCall(call, language) {
+  const method = call.method_name;
+  const receiver = (call.receiver ?? "").trim();
+  const arg0 = call.arguments[0]?.literal ?? null;
+  const arg1 = call.arguments[1]?.literal ?? null;
+  if (language === "javascript" || language === "typescript") {
+    if (JS_RES_RECEIVERS.has(receiver) && JS_HEADER_METHODS.has(method)) {
+      const header = (arg0 ?? "").toLowerCase();
+      if (header === "cache-control" && arg1 && isSharedCacheable(arg1)) {
+        return { kind: "cache-public", value: arg1 };
+      }
+      if (header === "vary" && arg1 && isVaryCovering(arg1)) {
+        return { kind: "vary" };
+      }
+    }
+    if (JS_RES_RECEIVERS.has(receiver) && method === "vary") {
+      const v = arg0 ?? "";
+      if (isVaryCovering(v) || v === "")
+        return { kind: "vary" };
+    }
+    if (JS_RES_RECEIVERS.has(receiver) && method === "cookie") {
+      return { kind: "auth" };
+    }
+    return null;
+  }
+  if (language === "python") {
+    if (receiver === "request.cookies" || receiver === "request.session") {
+      return { kind: "auth" };
+    }
+    if (receiver === "request.headers" && method === "get") {
+      const v = (arg0 ?? "").toLowerCase();
+      if (v === "authorization" || v === "cookie")
+        return { kind: "auth" };
+    }
+    if ((receiver === "response" || receiver === "resp") && method === "set_cookie") {
+      return { kind: "auth" };
+    }
+    if (method === "patch_vary_headers")
+      return { kind: "vary" };
+    if (method === "patch_cache_control") {
+      const argTxt = call.arguments.map((a) => a.expression ?? "").join(",");
+      if (/\bpublic\s*=\s*True\b/.test(argTxt)) {
+        return { kind: "cache-public", value: argTxt };
+      }
+    }
+    return null;
+  }
+  if (language === "go") {
+    if ((receiver === "w.Header()" || receiver === "rw.Header()") && GO_HEADER_METHODS.has(method)) {
+      const header = (arg0 ?? "").toLowerCase();
+      if (header === "cache-control" && arg1 && isSharedCacheable(arg1)) {
+        return { kind: "cache-public", value: arg1 };
+      }
+      if (header === "vary" && arg1 && isVaryCovering(arg1)) {
+        return { kind: "vary" };
+      }
+    }
+    if (receiver === "c" && method === "Header") {
+      const header = (arg0 ?? "").toLowerCase();
+      if (header === "cache-control" && arg1 && isSharedCacheable(arg1)) {
+        return { kind: "cache-public", value: arg1 };
+      }
+      if (header === "vary" && arg1 && isVaryCovering(arg1)) {
+        return { kind: "vary" };
+      }
+    }
+    if (receiver === "r" && (method === "Cookie" || method === "BasicAuth")) {
+      return { kind: "auth" };
+    }
+    if ((receiver === "r.Header" || receiver === "r.Header()") && method === "Get") {
+      const v = (arg0 ?? "").toLowerCase();
+      if (v === "cookie" || v === "authorization")
+        return { kind: "auth" };
+    }
+    if (receiver === "http" && method === "SetCookie")
+      return { kind: "auth" };
+    if (receiver === "c" && (method === "Cookie" || method === "GetHeader" || method === "SetCookie")) {
+      return { kind: "auth" };
+    }
+    return null;
+  }
+  if (language === "java") {
+    if ((receiver === "response" || receiver === "resp") && JAVA_HEADER_METHODS.has(method)) {
+      const header = (arg0 ?? "").toLowerCase();
+      if (header === "cache-control" && arg1 && isSharedCacheable(arg1)) {
+        return { kind: "cache-public", value: arg1 };
+      }
+      if (header === "vary" && arg1 && isVaryCovering(arg1)) {
+        return { kind: "vary" };
+      }
+    }
+    if ((receiver === "headers" || receiver === "httpHeaders") && method === "setCacheControl") {
+      return { kind: "cache-public", value: "HttpHeaders.setCacheControl(...)" };
+    }
+    if ((receiver === "headers" || receiver === "httpHeaders") && method === "setVary") {
+      return { kind: "vary" };
+    }
+    if (receiver === "request" && method === "getCookies") {
+      return { kind: "auth" };
+    }
+    if (receiver === "request" && method === "getHeader") {
+      const v = (arg0 ?? "").toLowerCase();
+      if (v === "cookie" || v === "authorization")
+        return { kind: "auth" };
+    }
+    if ((receiver === "response" || receiver === "resp") && method === "addCookie") {
+      return { kind: "auth" };
+    }
+    return null;
+  }
+  return null;
+}
+function authSignalRegex(language) {
+  switch (language) {
+    case "javascript":
+    case "typescript":
+      return JS_AUTH_SIGNAL_RE;
+    case "python":
+      return PY_AUTH_SIGNAL_RE;
+    case "go":
+      return GO_AUTH_SIGNAL_RE;
+    case "java":
+      return JAVA_AUTH_SIGNAL_RE;
+    default:
+      return null;
+  }
+}
+function scanWindow(code, language, startLine, endLine) {
+  const lines = code.split(`
+`);
+  const lo = Math.max(0, startLine - 1);
+  const hi = Math.min(lines.length, endLine);
+  const out2 = { vary: false, auth: false };
+  const authRe = authSignalRegex(language);
+  for (let i2 = lo;i2 < hi; i2++) {
+    const ln = lines[i2];
+    if (authRe && authRe.test(ln))
+      out2.auth = true;
+    if (language === "python") {
+      if (!out2.cachePublic) {
+        const mc = PY_CACHE_HEADER_ASSIGN_RE.exec(ln);
+        if (mc && isSharedCacheable(mc[2])) {
+          out2.cachePublic = { line: i2 + 1, value: mc[2] };
+        }
+      }
+      if (!out2.cachePublic) {
+        const md = PY_CACHE_CONTROL_DECORATOR_RE.exec(ln);
+        if (md) {
+          const argTxt = md[1];
+          if (/\bpublic\s*=\s*True\b/.test(argTxt) && (/\bmax_age\s*=\s*[1-9]\d*\b/.test(argTxt) || !/max_age/.test(argTxt))) {
+            out2.cachePublic = { line: i2 + 1, value: argTxt };
+          }
+        }
+      }
+      if (!out2.vary) {
+        const mv = PY_VARY_HEADER_ASSIGN_RE.exec(ln);
+        if (mv && isVaryCovering(mv[2]))
+          out2.vary = true;
+        if (PY_VARY_DECORATOR_RE.test(ln))
+          out2.vary = true;
+      }
+    }
+  }
+  return out2;
+}
+
+class CacheNoVaryPass {
+  name = "cache-no-vary";
+  category = "security";
+  run(ctx) {
+    const { graph, language, code } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const isSupported = language === "javascript" || language === "typescript" || language === "python" || language === "go" || language === "java";
+    if (!isSupported)
+      return { findings };
+    if (/(?:\.test|\.spec)\.[jt]sx?$/i.test(file) || /__tests__\/|\/tests?\//i.test(file)) {
+      return { findings };
+    }
+    const callsByHandler = new Map;
+    for (const call of graph.ir.calls) {
+      const key = call.in_method ?? "<top>";
+      let arr = callsByHandler.get(key);
+      if (!arr) {
+        arr = [];
+        callsByHandler.set(key, arr);
+      }
+      arr.push(call);
+    }
+    const emit = (line, handler, cacheValue) => {
+      if (findings.some((f) => f.line === line && f.handler === handler))
+        return;
+      findings.push({ line, language, handler, cacheValue });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-524",
+        severity: "medium",
+        level: "warning",
+        message: `Response sets a shared-cacheable Cache-Control ('${cacheValue}') in ` + `a handler that reads authenticated or user-scoped state, but does ` + `not set 'Vary: Cookie' or 'Vary: Authorization'. A shared cache ` + `(CDN, reverse proxy, ISP cache) keys the response by URL only and ` + `may serve one user's body to another. (CWE-524)`,
+        file,
+        line,
+        fix: `Either add 'Vary: Cookie' (or 'Vary: Authorization') so caches key ` + `on the user identity, or change the directive to 'private' / ` + `'no-store' so the response is never shared-cached.`,
+        evidence: {
+          language,
+          handler: handler ?? "<top>",
+          cacheValue
+        }
+      });
+    };
+    for (const [handlerKey, calls] of callsByHandler) {
+      const handler = handlerKey === "<top>" ? null : handlerKey;
+      const cachePublicHits = [];
+      let varyFromCalls = false;
+      let authFromCalls = false;
+      for (const call of calls) {
+        const cls = classifyCall(call, language);
+        if (!cls)
+          continue;
+        if (cls.kind === "cache-public") {
+          cachePublicHits.push({
+            line: call.location.line,
+            value: cls.value ?? ""
+          });
+        } else if (cls.kind === "vary") {
+          varyFromCalls = true;
+        } else if (cls.kind === "auth") {
+          authFromCalls = true;
+        }
+      }
+      let minLine = Infinity;
+      let maxLine = -Infinity;
+      for (const c of calls) {
+        if (c.location?.line) {
+          minLine = Math.min(minLine, c.location.line);
+          maxLine = Math.max(maxLine, c.location.line);
+        }
+      }
+      if (minLine === Infinity)
+        continue;
+      const winStart = Math.max(1, minLine - 5);
+      const winEnd = maxLine + 5;
+      const winScan = scanWindow(code, language, winStart, winEnd);
+      if (winScan.cachePublic)
+        cachePublicHits.push(winScan.cachePublic);
+      const vary = varyFromCalls || winScan.vary;
+      const auth = authFromCalls || winScan.auth;
+      if (cachePublicHits.length === 0)
+        continue;
+      if (vary)
+        continue;
+      if (!auth)
+        continue;
+      emit(cachePublicHits[0].line, handler, cachePublicHits[0].value);
+    }
+    return { findings };
+  }
+}
+
 // ../circle-ir/dist/analysis/passes/jwt-verify-disabled-pass.js
 var PY_VERIFY_SIGNATURE_FALSE_RE = /["']verify_signature["']\s*:\s*False\b/;
 var PY_VERIFY_KW_FALSE_RE = /\bverify\s*=\s*False\b/;
@@ -31408,6 +31798,8 @@ async function analyze(code, filePath, language, options = {}) {
       pipeline.add(new TlsVerifyDisabledPass);
     if (!disabledPasses.has("module-side-effect"))
       pipeline.add(new ModuleSideEffectPass);
+    if (!disabledPasses.has("cache-no-vary"))
+      pipeline.add(new CacheNoVaryPass);
     if (!disabledPasses.has("jwt-verify-disabled"))
       pipeline.add(new JwtVerifyDisabledPass);
     if (!disabledPasses.has("csrf-protection-disabled"))
@@ -31609,7 +32001,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.69.0";
+var version = "3.71.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.69.0",
+  "version": "3.71.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.69.0"
+    "circle-ir": "^3.71.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",