cognium-dev 3.70.0 → 3.71.0

package/dist/cli.js

@@ -21228,6 +21228,13 @@ function findOopFieldReadSources(types, sourceCode, language) {
       let returnedField = null;
       let returnStatementCount = 0;
       const returnRe = new RegExp(`\\breturn\\s+${SELF}\\.([A-Za-z_]\\w*)\\s*[;}]?`);
+      const guardRePy = /\bif\s+[\w.]+\s+(?:not\s+)?in\s+(?:self\.)?[A-Z_][A-Z0-9_]*\s*:/;
+      const guardThrowRePy = /^\s*(?:raise\b|abort\b|return\s+(?:None\b|''|""|\)?$))/;
+      const guardReJv = /\bif\s*\(\s*!\s*(?:this\.)?[A-Z_][A-Z0-9_]*\s*\.\s*(?:contains|includes|has|matches)\s*\(/;
+      const guardThrowReJv = /^\s*(?:throw\b|return\s+null\b)/;
+      const guardRe = isPython ? guardRePy : guardReJv;
+      const guardThrowRe = isPython ? guardThrowRePy : guardThrowReJv;
+      let hasAllowlistGuard = false;
       for (let i2 = mStart - 1;i2 < Math.min(mEnd, lines.length); i2++) {
         const raw = lines[i2] ?? "";
         const trimmed = raw.trim();
@@ -21243,8 +21250,17 @@ function findOopFieldReadSources(types, sourceCode, language) {
           returnStatementCount = 99;
           break;
         }
+        if (guardRe.test(trimmed)) {
+          for (let j = i2 + 1;j < Math.min(i2 + 4, mEnd, lines.length); j++) {
+            const next = lines[j] ?? "";
+            if (guardThrowRe.test(next)) {
+              hasAllowlistGuard = true;
+              break;
+            }
+          }
+        }
       }
-      if (returnStatementCount === 1 && returnedField && fieldTaint.has(returnedField)) {
+      if (returnStatementCount === 1 && returnedField && fieldTaint.has(returnedField) && !hasAllowlistGuard) {
         const fieldInfo = fieldTaint.get(returnedField);
         const getterVar = isPython ? `${SELF}.${m.name}` : m.name;
         sources.push({
@@ -22835,6 +22851,23 @@ class TaintPropagationPass {
         return false;
       });
     }
+    if (typeof ctx.code === "string") {
+      const sinkByLine = new Map;
+      for (const s of sinks) {
+        if (s.type === "nosql_injection")
+          sinkByLine.set(s.line, s);
+      }
+      if (sinkByLine.size > 0) {
+        finalFlows = finalFlows.filter((f) => {
+          if (f.sink_type !== "nosql_injection")
+            return true;
+          const sink = sinkByLine.get(f.sink_line);
+          if (!sink || !sink.code || !sink.method)
+            return true;
+          return !isMongoValueBoundFilter(sink.code, sink.method);
+        });
+      }
+    }
     if (finalFlows.length > 1) {
       const bestByKey = new Map;
       for (const f of finalFlows) {
@@ -22852,6 +22885,76 @@ class TaintPropagationPass {
     return { flows: finalFlows };
   }
 }
+function isMongoValueBoundFilter(sinkCode, sinkMethod) {
+  if (!sinkCode || !sinkMethod)
+    return false;
+  const callIdx = sinkCode.indexOf(`${sinkMethod}(`);
+  if (callIdx < 0)
+    return false;
+  const openIdx = callIdx + sinkMethod.length;
+  let depth = 0;
+  let braceDepth = 0;
+  let bracketDepth = 0;
+  let inString = null;
+  let firstArgEnd = -1;
+  let firstArgComma = -1;
+  const limit = Math.min(sinkCode.length, openIdx + 4096);
+  for (let i2 = openIdx;i2 < limit; i2++) {
+    const ch = sinkCode[i2];
+    if (inString) {
+      if (ch === "\\" && i2 + 1 < limit) {
+        i2++;
+        continue;
+      }
+      if (ch === inString)
+        inString = null;
+      continue;
+    }
+    if (ch === '"' || ch === "'" || ch === "`") {
+      inString = ch;
+      continue;
+    }
+    if (ch === "(")
+      depth++;
+    else if (ch === ")") {
+      depth--;
+      if (depth === 0) {
+        firstArgEnd = i2;
+        break;
+      }
+    } else if (ch === "{")
+      braceDepth++;
+    else if (ch === "}")
+      braceDepth--;
+    else if (ch === "[")
+      bracketDepth++;
+    else if (ch === "]")
+      bracketDepth--;
+    else if (ch === "," && depth === 1 && braceDepth === 0 && bracketDepth === 0) {
+      if (firstArgComma < 0)
+        firstArgComma = i2;
+    }
+  }
+  if (firstArgEnd < 0)
+    return false;
+  const argEnd = firstArgComma >= 0 ? firstArgComma : firstArgEnd;
+  const firstArg = sinkCode.slice(openIdx + 1, argEnd).trim();
+  if (!firstArg)
+    return false;
+  if (firstArg[0] !== "{" || firstArg[firstArg.length - 1] !== "}")
+    return false;
+  const body2 = firstArg.slice(1, -1).trim();
+  if (!body2)
+    return false;
+  const stripped = body2.replace(/(['"`])(?:\\.|(?!\1).)*\1/g, '""');
+  if (/\.\.\./.test(stripped))
+    return false;
+  if (/(^|[,{\s])\$[A-Za-z_]\w*\s*:/.test(stripped))
+    return false;
+  if (/(['"])\$[A-Za-z_]\w*\1\s*:/.test(body2))
+    return false;
+  return true;
+}
 function isInJavaSanitizedMethod(code, types, sinkLine, sinkType) {
   if (!types || types.length === 0)
     return false;
@@ -31898,7 +32001,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.70.0";
+var version = "3.71.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.70.0",
+  "version": "3.71.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.70.0"
+    "circle-ir": "^3.71.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",