npm - cognium-dev - Versions diffs - 3.71.0 → 3.73.0 - Mend

cognium-dev 3.71.0 → 3.73.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/cli.js +283 -22
package/package.json +2 -2

package/dist/cli.js CHANGED Viewed

@@ -11116,6 +11116,29 @@ var DEFAULT_SINKS = [
   { method: "debug", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
   { method: "trace", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
   { method: "redirect", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "search", class: "ldap", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "searchSync", class: "ldap", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "search", class: "ldapjs", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "searchSync", class: "ldapjs", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "select", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "select1", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "evaluate", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parse", class: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseXml", class: "libxml", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseXmlString", class: "libxml", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseXml", class: "libxmljs", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseXmlString", class: "libxmljs", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseFromString", class: "DOMParser", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "parseFromString", class: "xmldom", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "ejs", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "compile", class: "ejs", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "handlebars", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "compile", class: "handlebars", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "pug", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "compile", class: "pug", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "mustache", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "render", class: "nunjucks", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "renderString", class: "nunjucks", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
   { method: "system", class: "os", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "popen", class: "os", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "run", class: "subprocess", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -11192,6 +11215,13 @@ var DEFAULT_SINKS = [
   { method: "delete_one", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0] },
   { method: "delete_many", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0] },
   { method: "aggregate", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0] },
+  { method: "find_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "update_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0, 1], languages: ["python"] },
+  { method: "update_many", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0, 1], languages: ["python"] },
+  { method: "delete_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "delete_many", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "replace_one", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0, 1], languages: ["python"] },
+  { method: "count_documents", type: "nosql_injection", cwe: "CWE-943", severity: "critical", arg_positions: [0], languages: ["python"] },
   { method: "from_string", class: "Template", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "Template", class: "jinja2", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "Template", class: "mako", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -11200,6 +11230,13 @@ var DEFAULT_SINKS = [
   { method: "error", class: "logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
   { method: "debug", class: "logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
   { method: "critical", class: "logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "info", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "warning", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "error", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "debug", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "critical", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
+  { method: "log", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [1] },
+  { method: "exception", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
   { method: "command", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "inheritIO", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [] },
   { method: "step", class: "StepExecution", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -11828,6 +11865,17 @@ function findSources(calls, types, patterns, sourceLines, language) {
       s.variable = m[1];
     }
   }
+  if (language === "go" && sourceLines) {
+    const GO_ASSIGN_LHS = /^\s*(?:var\s+)?([A-Za-z_]\w*)(?:\s*,\s*[A-Za-z_]\w*)*\s*(?::\s*[A-Za-z_][\w.]*\s*)?(?::?=)(?!=)/;
+    for (const s of result) {
+      if (s.variable && s.variable.length > 0)
+        continue;
+      const lineText = sourceLines[s.line - 1] ?? "";
+      const m = GO_ASSIGN_LHS.exec(lineText);
+      if (m)
+        s.variable = m[1];
+    }
+  }
   return result;
 }
 function isInterproceduralTaintableType(typeName) {
@@ -15192,6 +15240,9 @@ function isFalsePositive(result, sinkLine, taintedVar) {
   if (varValue && varValue.type !== "unknown" && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: `variable_is_constant: ${varValue.value}` };
   }
+  if (taintedVar.startsWith("self.") || taintedVar.startsWith("this.")) {
+    return { isFalsePositive: false, reason: null };
+  }
   if (result.symbols.has(taintedVar) && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: "variable_not_tainted" };
   }
@@ -17823,7 +17874,7 @@ class GoPlugin extends BaseLanguagePlugin {
         type: "command_injection",
         cwe: "CWE-78",
         severity: "critical",
-        argPositions: [0]
+        argPositions: []
       },
       {
         method: "CommandContext",
@@ -17831,7 +17882,7 @@ class GoPlugin extends BaseLanguagePlugin {
         type: "command_injection",
         cwe: "CWE-78",
         severity: "critical",
-        argPositions: [1]
+        argPositions: []
       },
       {
         method: "Open",
@@ -17920,6 +17971,110 @@ class GoPlugin extends BaseLanguagePlugin {
         cwe: "CWE-502",
         severity: "medium",
         argPositions: [0]
+      },
+      {
+        method: "Print",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Println",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Printf",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Fatal",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Fatalln",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Fatalf",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Panic",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Panicln",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Panicf",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Parse",
+        class: "Template",
+        type: "code_injection",
+        cwe: "CWE-94",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "ParseFiles",
+        class: "template",
+        type: "code_injection",
+        cwe: "CWE-94",
+        severity: "high",
+        argPositions: []
+      },
+      {
+        method: "ParseGlob",
+        class: "template",
+        type: "code_injection",
+        cwe: "CWE-94",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "ParseFS",
+        class: "template",
+        type: "code_injection",
+        cwe: "CWE-94",
+        severity: "high",
+        argPositions: []
       }
     ];
   }
@@ -21084,6 +21239,7 @@ class LanguageSourcesPass {
         ctx.addFinding(finding);
       }
       additionalSanitizers.push(...findBashRegexAllowlistSanitizers(code));
+      additionalSanitizers.push(...findBashRealpathPrefixGuardSanitizers(code));
     }
     attachSourceLineCode(additionalSources, additionalSinks, code);
     return { additionalSources, additionalSinks, additionalSanitizers, pyTaintedVars, pySanitizedVars, jsTaintedVars };
@@ -21139,15 +21295,18 @@ function findGetterSources(types, instanceFieldTaint, _sourceCode) {
   return sources;
 }
 function findOopFieldReadSources(types, sourceCode, language) {
-  if (language !== "java" && language !== "python")
+  if (language !== "java" && language !== "python" && language !== "javascript" && language !== "typescript")
     return [];
   const sources = [];
   const lines = sourceCode.split(`
 `);
   const isPython = language === "python";
+  const isJs = language === "javascript" || language === "typescript";
+  const isJava = language === "java";
   const SELF = isPython ? "self" : "this";
   const javaHttpPattern = /\b(?:req|request|httpRequest|servletRequest|httpServletRequest)\.(?:getParameter|getParameterValues|getParameterMap|getHeader|getHeaders|getCookies|getQueryString|getPathInfo|getRequestURI|getRequestURL|getInputStream|getReader)\b/;
   const fieldAssignRe = new RegExp(`^\\s*${SELF}\\.([A-Za-z_]\\w*)\\s*=\\s*(.+?)(?:;\\s*)?$`);
+  const fieldAssignReG = new RegExp(`${SELF}\\.([A-Za-z_]\\w*)\\s*=\\s*([^;}\\n]+)`, "g");
   const commentPrefix = isPython ? "#" : "//";
   for (const type of types) {
     if (type.kind !== "class")
@@ -21161,7 +21320,12 @@ function findOopFieldReadSources(types, sourceCode, language) {
           ctor = m;
           break;
         }
-      } else {
+      } else if (isJs) {
+        if (m.name === "constructor") {
+          ctor = m;
+          break;
+        }
+      } else if (isJava) {
         if (m.name === type.name) {
           ctor = m;
           break;
@@ -21183,26 +21347,44 @@ function findOopFieldReadSources(types, sourceCode, language) {
       const line = lines[i2] ?? "";
       if (line.trim().startsWith(commentPrefix))
         continue;
-      const m = line.match(fieldAssignRe);
-      if (!m)
+      const pairs = [];
+      const anchored = line.match(fieldAssignRe);
+      if (anchored)
+        pairs.push({ field: anchored[1], rhs: anchored[2].trim().replace(/;\s*$/, "") });
+      if (isJs) {
+        for (const m of line.matchAll(fieldAssignReG)) {
+          const field = m[1];
+          const rhs = m[2].trim().replace(/;\s*$/, "");
+          if (!pairs.some((p) => p.field === field))
+            pairs.push({ field, rhs });
+        }
+      }
+      if (pairs.length === 0)
         continue;
-      const fieldName = m[1];
-      const rhs = m[2].trim().replace(/;\s*$/, "");
-      let sourceType = null;
-      if (paramNames.has(rhs)) {
-        sourceType = "interprocedural_param";
-      } else if (!isPython && javaHttpPattern.test(rhs)) {
-        sourceType = "http_param";
-      } else if (isPython) {
-        for (const { pattern, type: type2 } of PYTHON_TAINTED_PATTERNS2) {
-          if (pattern.test(rhs)) {
-            sourceType = type2;
-            break;
+      for (const { field: fieldName, rhs } of pairs) {
+        let sourceType = null;
+        if (paramNames.has(rhs)) {
+          sourceType = "interprocedural_param";
+        } else if (isJava && javaHttpPattern.test(rhs)) {
+          sourceType = "http_param";
+        } else if (isPython) {
+          for (const { pattern, type: type2 } of PYTHON_TAINTED_PATTERNS2) {
+            if (pattern.test(rhs)) {
+              sourceType = type2;
+              break;
+            }
+          }
+        } else if (isJs) {
+          for (const { pattern, type: type2 } of JS_TAINTED_PATTERNS) {
+            if (pattern.test(rhs)) {
+              sourceType = type2;
+              break;
+            }
           }
         }
-      }
-      if (sourceType) {
-        fieldTaint.set(fieldName, { line: i2 + 1, type: sourceType });
+        if (sourceType) {
+          fieldTaint.set(fieldName, { line: i2 + 1, type: sourceType });
+        }
       }
     }
     if (fieldTaint.size === 0)
@@ -22027,6 +22209,76 @@ function isSafeBashAllowlistRegex(literal) {
   }
   return consumed === body2.length;
 }
+function findBashRealpathPrefixGuardSanitizers(code) {
+  const sanitizers = [];
+  const lines = code.split(`
+`);
+  const caseOpen = /^\s*case\s+"?\$\{?\w+\}?"?\s+in\b/;
+  const esacClose = /^\s*esac\b/;
+  const armOpener = /^\s*([^)\s][^)]*?)\)/;
+  const prefixArm = /^(?:"\$\{?\w+\}?"|"[^"]*"|\/[\w\-./]+|\$\{?\w+\}?|[\w\-./]+)(?:\/|\*)/;
+  const catchAllArm = /^(?:\*|\\\*)$/;
+  let i2 = 0;
+  while (i2 < lines.length) {
+    if (!caseOpen.test(lines[i2])) {
+      i2++;
+      continue;
+    }
+    let caseEnd = -1;
+    for (let j = i2 + 1;j < lines.length; j++) {
+      if (esacClose.test(lines[j])) {
+        caseEnd = j;
+        break;
+      }
+    }
+    if (caseEnd === -1) {
+      i2++;
+      continue;
+    }
+    let hasPrefixArm = false;
+    let hasTerminalCatchAll = false;
+    for (let j = i2 + 1;j < caseEnd; j++) {
+      const armMatch = armOpener.exec(lines[j]);
+      if (!armMatch)
+        continue;
+      const pattern = armMatch[1].trim();
+      if (catchAllArm.test(pattern)) {
+        let bodyEnd = caseEnd;
+        for (let k = j + 1;k < caseEnd; k++) {
+          if (armOpener.test(lines[k])) {
+            bodyEnd = k;
+            break;
+          }
+        }
+        const armBody = lines.slice(j, bodyEnd).join(" ");
+        if (/\b(exit|return|die)\b/.test(armBody)) {
+          hasTerminalCatchAll = true;
+        }
+      } else if (prefixArm.test(pattern)) {
+        hasPrefixArm = true;
+      }
+    }
+    if (hasPrefixArm && hasTerminalCatchAll) {
+      for (let l = i2 + 1;l <= caseEnd + 1; l++) {
+        sanitizers.push({
+          type: "realpath_prefix_guard",
+          method: "case",
+          line: l,
+          sanitizes: [
+            "path_traversal",
+            "command_injection",
+            "code_injection",
+            "ssrf",
+            "open_redirect",
+            "log_injection"
+          ]
+        });
+      }
+    }
+    i2 = caseEnd + 1;
+  }
+  return sanitizers;
+}
 // ../circle-ir/dist/analysis/passes/sink-filter-pass.js
 var JS_XSS_SANITIZERS = [
@@ -22075,11 +22327,20 @@ class SinkFilterPass {
       const { pyTaintedVars, pySanitizedVars } = langSources;
       const sourceLines = ctx.code.split(`
 `);
+      const oopFieldVars = new Set;
+      for (const s of sources) {
+        if (s.variable && s.variable.startsWith("self.")) {
+          oopFieldVars.add(s.variable);
+        }
+      }
       filtered = filtered.filter((sink) => {
         if (sink.type !== "xpath_injection")
           return true;
         const sinkLineText = sourceLines[sink.line - 1] ?? "";
         const taintedVarOnLine = [...pyTaintedVars.keys()].find((v) => new RegExp(`\\b${v}\\b`).test(sinkLineText));
+        const oopVarOnLine = [...oopFieldVars].find((v) => sinkLineText.includes(v));
+        if (oopVarOnLine)
+          return true;
         if (!taintedVarOnLine)
           return false;
         if (pySanitizedVars.has(taintedVarOnLine))
@@ -32001,7 +32262,7 @@ var colors = {
 };
 // src/version.ts
-var version = "3.71.0";
+var version = "3.73.0";
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.71.0",
+  "version": "3.73.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.71.0"
+    "circle-ir": "^3.73.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",