cognium-dev 3.70.0 → 3.72.0

package/dist/cli.js

@@ -11116,6 +11116,29 @@ var DEFAULT_SINKS = [
   { method: "debug", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
   { method: "trace", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
   { method: "redirect", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "search", class: "ldap", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "searchSync", class: "ldap", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "search", class: "ldapjs", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "searchSync", class: "ldapjs", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "select", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "select1", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "evaluate", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parse", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseXml", class: "libxml", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseXmlString", class: "libxml", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseXml", class: "libxmljs", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseXmlString", class: "libxmljs", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseFromString", class: "DOMParser", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseFromString", class: "xmldom", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "ejs", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "compile", class: "ejs", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "handlebars", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "compile", class: "handlebars", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "pug", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "compile", class: "pug", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "mustache", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "nunjucks", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "renderString", class: "nunjucks", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
   { method: "system", class: "os", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "popen", class: "os", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "run", class: "subprocess", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -11192,6 +11215,13 @@ var DEFAULT_SINKS = [
   { method: "delete_one", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0] },
   { method: "delete_many", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0] },
   { method: "aggregate", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0] },
+  { method: "find_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "update_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0, 1], languages: ["python"] },
+  { method: "update_many", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0, 1], languages: ["python"] },
+  { method: "delete_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "delete_many", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "replace_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0, 1], languages: ["python"] },
+  { method: "count_documents", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
   { method: "from_string", class: "Template", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "Template", class: "jinja2", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "Template", class: "mako", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -11200,6 +11230,13 @@ var DEFAULT_SINKS = [
   { method: "error", class: "logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
   { method: "debug", class: "logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
   { method: "critical", class: "logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "info", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "warning", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "error", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "debug", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "critical", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "log", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [1] },
+  { method: "exception", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
   { method: "command", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "inheritIO", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [] },
   { method: "step", class: "StepExecution", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -15192,6 +15229,9 @@ function isFalsePositive(result, sinkLine, taintedVar) {
   if (varValue && varValue.type !== "unknown" && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: `variable_is_constant: ${varValue.value}` };
   }
+  if (taintedVar.startsWith("self.") || taintedVar.startsWith("this.")) {
+    return { isFalsePositive: false, reason: null };
+  }
   if (result.symbols.has(taintedVar) && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: "variable_not_tainted" };
   }
@@ -21139,15 +21179,18 @@ function findGetterSources(types, instanceFieldTaint, _sourceCode) {
   return sources;
 }
 function findOopFieldReadSources(types, sourceCode, language) {
-  if (language !== "java" && language !== "python")
+  if (language !== "java" && language !== "python" && language !== "javascript" && language !== "typescript")
     return [];
   const sources = [];
   const lines = sourceCode.split(`
 `);
   const isPython = language === "python";
+  const isJs = language === "javascript" || language === "typescript";
+  const isJava = language === "java";
   const SELF = isPython ? "self" : "this";
   const javaHttpPattern = /\b(?:req|request|httpRequest|servletRequest|httpServletRequest)\.(?:getParameter|getParameterValues|getParameterMap|getHeader|getHeaders|getCookies|getQueryString|getPathInfo|getRequestURI|getRequestURL|getInputStream|getReader)\b/;
   const fieldAssignRe = new RegExp(`^\\s*${SELF}\\.([A-Za-z_]\\w*)\\s*=\\s*(.+?)(?:;\\s*)?$`);
+  const fieldAssignReG = new RegExp(`${SELF}\\.([A-Za-z_]\\w*)\\s*=\\s*([^;}\\n]+)`, "g");
   const commentPrefix = isPython ? "#" : "//";
   for (const type of types) {
     if (type.kind !== "class")
@@ -21161,7 +21204,12 @@ function findOopFieldReadSources(types, sourceCode, language) {
           ctor = m;
           break;
         }
-      } else {
+      } else if (isJs) {
+        if (m.name === "constructor") {
+          ctor = m;
+          break;
+        }
+      } else if (isJava) {
         if (m.name === type.name) {
           ctor = m;
           break;
@@ -21183,26 +21231,44 @@ function findOopFieldReadSources(types, sourceCode, language) {
       const line = lines[i2] ?? "";
       if (line.trim().startsWith(commentPrefix))
         continue;
-      const m = line.match(fieldAssignRe);
-      if (!m)
+      const pairs = [];
+      const anchored = line.match(fieldAssignRe);
+      if (anchored)
+        pairs.push({ field: anchored[1], rhs: anchored[2].trim().replace(/;\s*$/, "") });
+      if (isJs) {
+        for (const m of line.matchAll(fieldAssignReG)) {
+          const field = m[1];
+          const rhs = m[2].trim().replace(/;\s*$/, "");
+          if (!pairs.some((p) => p.field === field))
+            pairs.push({ field, rhs });
+        }
+      }
+      if (pairs.length === 0)
         continue;
-      const fieldName = m[1];
-      const rhs = m[2].trim().replace(/;\s*$/, "");
-      let sourceType = null;
-      if (paramNames.has(rhs)) {
-        sourceType = "interprocedural_param";
-      } else if (!isPython && javaHttpPattern.test(rhs)) {
-        sourceType = "http_param";
-      } else if (isPython) {
-        for (const { pattern, type: type2 } of PYTHON_TAINTED_PATTERNS2) {
-          if (pattern.test(rhs)) {
-            sourceType = type2;
-            break;
+      for (const { field: fieldName, rhs } of pairs) {
+        let sourceType = null;
+        if (paramNames.has(rhs)) {
+          sourceType = "interprocedural_param";
+        } else if (isJava && javaHttpPattern.test(rhs)) {
+          sourceType = "http_param";
+        } else if (isPython) {
+          for (const { pattern, type: type2 } of PYTHON_TAINTED_PATTERNS2) {
+            if (pattern.test(rhs)) {
+              sourceType = type2;
+              break;
+            }
+          }
+        } else if (isJs) {
+          for (const { pattern, type: type2 } of JS_TAINTED_PATTERNS) {
+            if (pattern.test(rhs)) {
+              sourceType = type2;
+              break;
+            }
           }
         }
-      }
-      if (sourceType) {
-        fieldTaint.set(fieldName, { line: i2 + 1, type: sourceType });
+        if (sourceType) {
+          fieldTaint.set(fieldName, { line: i2 + 1, type: sourceType });
+        }
       }
     }
     if (fieldTaint.size === 0)
@@ -21228,6 +21294,13 @@ function findOopFieldReadSources(types, sourceCode, language) {
       let returnedField = null;
       let returnStatementCount = 0;
       const returnRe = new RegExp(`\\breturn\\s+${SELF}\\.([A-Za-z_]\\w*)\\s*[;}]?`);
+      const guardRePy = /\bif\s+[\w.]+\s+(?:not\s+)?in\s+(?:self\.)?[A-Z_][A-Z0-9_]*\s*:/;
+      const guardThrowRePy = /^\s*(?:raise\b|abort\b|return\s+(?:None\b|''|""|\)?$))/;
+      const guardReJv = /\bif\s*\(\s*!\s*(?:this\.)?[A-Z_][A-Z0-9_]*\s*\.\s*(?:contains|includes|has|matches)\s*\(/;
+      const guardThrowReJv = /^\s*(?:throw\b|return\s+null\b)/;
+      const guardRe = isPython ? guardRePy : guardReJv;
+      const guardThrowRe = isPython ? guardThrowRePy : guardThrowReJv;
+      let hasAllowlistGuard = false;
       for (let i2 = mStart - 1;i2 < Math.min(mEnd, lines.length); i2++) {
         const raw = lines[i2] ?? "";
         const trimmed = raw.trim();
@@ -21243,8 +21316,17 @@ function findOopFieldReadSources(types, sourceCode, language) {
           returnStatementCount = 99;
           break;
         }
+        if (guardRe.test(trimmed)) {
+          for (let j = i2 + 1;j < Math.min(i2 + 4, mEnd, lines.length); j++) {
+            const next = lines[j] ?? "";
+            if (guardThrowRe.test(next)) {
+              hasAllowlistGuard = true;
+              break;
+            }
+          }
+        }
       }
-      if (returnStatementCount === 1 && returnedField && fieldTaint.has(returnedField)) {
+      if (returnStatementCount === 1 && returnedField && fieldTaint.has(returnedField) && !hasAllowlistGuard) {
         const fieldInfo = fieldTaint.get(returnedField);
         const getterVar = isPython ? `${SELF}.${m.name}` : m.name;
         sources.push({
@@ -22059,11 +22141,20 @@ class SinkFilterPass {
       const { pyTaintedVars, pySanitizedVars } = langSources;
       const sourceLines = ctx.code.split(`
 `);
+      const oopFieldVars = new Set;
+      for (const s of sources) {
+        if (s.variable && s.variable.startsWith("self.")) {
+          oopFieldVars.add(s.variable);
+        }
+      }
       filtered = filtered.filter((sink) => {
         if (sink.type !== "xpath_injection")
           return true;
         const sinkLineText = sourceLines[sink.line - 1] ?? "";
         const taintedVarOnLine = [...pyTaintedVars.keys()].find((v) => new RegExp(`\\b${v}\\b`).test(sinkLineText));
+        const oopVarOnLine = [...oopFieldVars].find((v) => sinkLineText.includes(v));
+        if (oopVarOnLine)
+          return true;
         if (!taintedVarOnLine)
           return false;
         if (pySanitizedVars.has(taintedVarOnLine))
@@ -22835,6 +22926,23 @@ class TaintPropagationPass {
         return false;
       });
     }
+    if (typeof ctx.code === "string") {
+      const sinkByLine = new Map;
+      for (const s of sinks) {
+        if (s.type === "nosql_injection")
+          sinkByLine.set(s.line, s);
+      }
+      if (sinkByLine.size > 0) {
+        finalFlows = finalFlows.filter((f) => {
+          if (f.sink_type !== "nosql_injection")
+            return true;
+          const sink = sinkByLine.get(f.sink_line);
+          if (!sink || !sink.code || !sink.method)
+            return true;
+          return !isMongoValueBoundFilter(sink.code, sink.method);
+        });
+      }
+    }
     if (finalFlows.length > 1) {
       const bestByKey = new Map;
       for (const f of finalFlows) {
@@ -22852,6 +22960,76 @@ class TaintPropagationPass {
     return { flows: finalFlows };
   }
 }
+function isMongoValueBoundFilter(sinkCode, sinkMethod) {
+  if (!sinkCode || !sinkMethod)
+    return false;
+  const callIdx = sinkCode.indexOf(`${sinkMethod}(`);
+  if (callIdx < 0)
+    return false;
+  const openIdx = callIdx + sinkMethod.length;
+  let depth = 0;
+  let braceDepth = 0;
+  let bracketDepth = 0;
+  let inString = null;
+  let firstArgEnd = -1;
+  let firstArgComma = -1;
+  const limit = Math.min(sinkCode.length, openIdx + 4096);
+  for (let i2 = openIdx;i2 < limit; i2++) {
+    const ch = sinkCode[i2];
+    if (inString) {
+      if (ch === "\\" && i2 + 1 < limit) {
+        i2++;
+        continue;
+      }
+      if (ch === inString)
+        inString = null;
+      continue;
+    }
+    if (ch === '"' || ch === "'" || ch === "`") {
+      inString = ch;
+      continue;
+    }
+    if (ch === "(")
+      depth++;
+    else if (ch === ")") {
+      depth--;
+      if (depth === 0) {
+        firstArgEnd = i2;
+        break;
+      }
+    } else if (ch === "{")
+      braceDepth++;
+    else if (ch === "}")
+      braceDepth--;
+    else if (ch === "[")
+      bracketDepth++;
+    else if (ch === "]")
+      bracketDepth--;
+    else if (ch === "," && depth === 1 && braceDepth === 0 && bracketDepth === 0) {
+      if (firstArgComma < 0)
+        firstArgComma = i2;
+    }
+  }
+  if (firstArgEnd < 0)
+    return false;
+  const argEnd = firstArgComma >= 0 ? firstArgComma : firstArgEnd;
+  const firstArg = sinkCode.slice(openIdx + 1, argEnd).trim();
+  if (!firstArg)
+    return false;
+  if (firstArg[0] !== "{" || firstArg[firstArg.length - 1] !== "}")
+    return false;
+  const body2 = firstArg.slice(1, -1).trim();
+  if (!body2)
+    return false;
+  const stripped = body2.replace(/(['"`])(?:\\.|(?!\1).)*\1/g, '""');
+  if (/\.\.\./.test(stripped))
+    return false;
+  if (/(^|[,{\s])\$[A-Za-z_]\w*\s*:/.test(stripped))
+    return false;
+  if (/(['"])\$[A-Za-z_]\w*\1\s*:/.test(body2))
+    return false;
+  return true;
+}
 function isInJavaSanitizedMethod(code, types, sinkLine, sinkType) {
   if (!types || types.length === 0)
     return false;
@@ -31898,7 +32076,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.70.0";
+var version = "3.72.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.70.0",
+  "version": "3.72.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.70.0"
+    "circle-ir": "^3.72.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",