cognium-dev 3.72.0 → 3.73.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/dist/cli.js +189 -3
  2. package/package.json +2 -2
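--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -11865,6 +11865,17 @@ function findSources(calls, types, patterns, sourceLines, language) {
 s.variable = m[1];
 }
 }
+if (language === "go" && sourceLines) {
+const GO_ASSIGN_LHS = /^\s*(?:var\s+)?([A-Za-z_]\w*)(?:\s*,\s*[A-Za-z_]\w*)*\s*(?::\s*[A-Za-z_][\w.]*\s*)?(?::?=)(?!=)/;
+for (const s of result) {
+if (s.variable && s.variable.length > 0)
+continue;
+const lineText = sourceLines[s.line - 1] ?? "";
+const m = GO_ASSIGN_LHS.exec(lineText);
+if (m)
+s.variable = m[1];
+}
+}
 return result;
 }
 function isInterproceduralTaintableType(typeName) {
@@ -17863,7 +17874,7 @@ class GoPlugin extends BaseLanguagePlugin {
 type: "command_injection",
 cwe: "CWE-78",
 severity: "critical",
-argPositions: [0]
+argPositions: []
 },
 {
 method: "CommandContext",
@@ -17871,7 +17882,7 @@ class GoPlugin extends BaseLanguagePlugin {
 type: "command_injection",
 cwe: "CWE-78",
 severity: "critical",
-argPositions: [1]
+argPositions: []
 },
 {
 method: "Open",
@@ -17960,6 +17971,110 @@ class GoPlugin extends BaseLanguagePlugin {
 cwe: "CWE-502",
 severity: "medium",
 argPositions: [0]
+},
+{
+method: "Print",
+class: "log",
+type: "log_injection",
+cwe: "CWE-117",
+severity: "medium",
+argPositions: []
+},
+{
+method: "Println",
+class: "log",
+type: "log_injection",
+cwe: "CWE-117",
+severity: "medium",
+argPositions: []
+},
+{
+method: "Printf",
+class: "log",
+type: "log_injection",
+cwe: "CWE-117",
+severity: "medium",
+argPositions: []
+},
+{
+method: "Fatal",
+class: "log",
+type: "log_injection",
+cwe: "CWE-117",
+severity: "medium",
+argPositions: []
+},
+{
+method: "Fatalln",
+class: "log",
+type: "log_injection",
+cwe: "CWE-117",
+severity: "medium",
+argPositions: []
+},
+{
+method: "Fatalf",
+class: "log",
+type: "log_injection",
+cwe: "CWE-117",
+severity: "medium",
+argPositions: []
+},
+{
+method: "Panic",
+class: "log",
+type: "log_injection",
+cwe: "CWE-117",
+severity: "medium",
+argPositions: []
+},
+{
+method: "Panicln",
+class: "log",
+type: "log_injection",
+cwe: "CWE-117",
+severity: "medium",
+argPositions: []
+},
+{
+method: "Panicf",
+class: "log",
+type: "log_injection",
+cwe: "CWE-117",
+severity: "medium",
+argPositions: []
+},
+{
+method: "Parse",
+class: "Template",
+type: "code_injection",
+cwe: "CWE-94",
+severity: "high",
+argPositions: [0]
+},
+{
+method: "ParseFiles",
+class: "template",
+type: "code_injection",
+cwe: "CWE-94",
+severity: "high",
+argPositions: []
+},
+{
+method: "ParseGlob",
+class: "template",
+type: "code_injection",
+cwe: "CWE-94",
+severity: "high",
+argPositions: [0]
+},
+{
+method: "ParseFS",
+class: "template",
+type: "code_injection",
+cwe: "CWE-94",
+severity: "high",
+argPositions: []
 }
 ];
 }
@@ -21124,6 +21239,7 @@ class LanguageSourcesPass {
 ctx.addFinding(finding);
 }
 additionalSanitizers.push(...findBashRegexAllowlistSanitizers(code));
+additionalSanitizers.push(...findBashRealpathPrefixGuardSanitizers(code));
 }
 attachSourceLineCode(additionalSources, additionalSinks, code);
 return { additionalSources, additionalSinks, additionalSanitizers, pyTaintedVars, pySanitizedVars, jsTaintedVars };
@@ -22093,6 +22209,76 @@ function isSafeBashAllowlistRegex(literal) {
 }
 return consumed === body2.length;
 }
+function findBashRealpathPrefixGuardSanitizers(code) {
+const sanitizers = [];
+const lines = code.split(`
+`);
+const caseOpen = /^\s*case\s+"?\$\{?\w+\}?"?\s+in\b/;
+const esacClose = /^\s*esac\b/;
+const armOpener = /^\s*([^)\s][^)]*?)\)/;
+const prefixArm = /^(?:"\$\{?\w+\}?"|"[^"]*"|\/[\w\-./]+|\$\{?\w+\}?|[\w\-./]+)(?:\/|\*)/;
+const catchAllArm = /^(?:\*|\\\*)$/;
+let i2 = 0;
+while (i2 < lines.length) {
+if (!caseOpen.test(lines[i2])) {
+i2++;
+continue;
+}
+let caseEnd = -1;
+for (let j = i2 + 1;j < lines.length; j++) {
+if (esacClose.test(lines[j])) {
+caseEnd = j;
+break;
+}
+}
+if (caseEnd === -1) {
+i2++;
+continue;
+}
+let hasPrefixArm = false;
+let hasTerminalCatchAll = false;
+for (let j = i2 + 1;j < caseEnd; j++) {
+const armMatch = armOpener.exec(lines[j]);
+if (!armMatch)
+continue;
+const pattern = armMatch[1].trim();
+if (catchAllArm.test(pattern)) {
+let bodyEnd = caseEnd;
+for (let k = j + 1;k < caseEnd; k++) {
+if (armOpener.test(lines[k])) {
+bodyEnd = k;
+break;
+}
+}
+const armBody = lines.slice(j, bodyEnd).join(" ");
+if (/\b(exit|return|die)\b/.test(armBody)) {
+hasTerminalCatchAll = true;
+}
+} else if (prefixArm.test(pattern)) {
+hasPrefixArm = true;
+}
+}
+if (hasPrefixArm && hasTerminalCatchAll) {
+for (let l = i2 + 1;l <= caseEnd + 1; l++) {
+sanitizers.push({
+type: "realpath_prefix_guard",
+method: "case",
+line: l,
+sanitizes: [
+"path_traversal",
+"command_injection",
+"code_injection",
+"ssrf",
+"open_redirect",
+"log_injection"
+]
+});
+}
+}
+i2 = caseEnd + 1;
+}
+return sanitizers;
+}
 
 // ../circle-ir/dist/analysis/passes/sink-filter-pass.js
 var JS_XSS_SANITIZERS = [
@@ -32076,7 +32262,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.72.0";
+var version = "3.73.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {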
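Review bot: findBashRealpathPrefixGuardSanitizers (the hunk at @@ -22093) marks every line of the case block as a sanitizer for command_injection, code_injection, ssrf, open_redirect and log_injection, but a prefix arm such as `/srv/app/*` only establishes that the value starts with that prefix — the glob remainder can still carry shell metacharacters, a URL host or newlines — so the list should be narrowed to `sanitizes: ["path_traversal"]`. The prefixArm regex also accepts `*` directly after the base, so an arm like `/srv/app*)` counts as a guard although it admits `/srv/app-backup`; requiring the slash before the star, `const prefixArm = /^(?:"\$\{?\w+\}?"|"[^"]*"|\/[\w\-./]*|\$\{?\w+\}?|[\w\-./]+)\/\*$/;`, closes that. Nothing in the function checks that the case subject was produced by realpath or readlink -f (caseOpen matches any `case "$var" in`), so the type name realpath_prefix_guard promises more than is verified; if the caller does not establish that, a comment such as `// NOTE: does not confirm $var is canonicalized; a prefix arm alone does not block ../ traversal` belongs above the function, and the fix should land in the circle-ir source this bundle is built from. In the findSources hunk, the GO_ASSIGN_LHS fallback misses the common `if v := r.FormValue("x"); v != "" {` form and records the blank identifier `_` as a variable name; findSources starts outside the hunk.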
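--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "cognium-dev",
-"version": "3.72.0",
+"version": "3.73.0",
 "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
 "registry": "https://registry.npmjs.org/"
 },
 "dependencies": {
-"circle-ir": "^3.72.0"
+"circle-ir": "^3.73.0"
 },
 "devDependencies": {
 "@types/node": "^25.5.0",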