cognium-dev 3.80.0 → 3.82.0

package/dist/cli.js

@@ -10660,7 +10660,6 @@ var DEFAULT_SINKS = [
   { method: "addObject", class: "ModelAndView", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
   { method: "println", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "print", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
-  { method: "write", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "append", class: "StringBuilder", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "append", class: "StringBuffer", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "handleHyperlinks", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -11479,9 +11478,15 @@ var DEFAULT_SANITIZERS = [
   { method: "sanitize", class: "DOMPurify", removes: ["xss"] },
   { method: "escape", class: "validator", removes: ["xss"] },
   { method: "parse", class: "JSON", removes: ["xss", "code_injection"] },
-  { method: "parseInt", removes: ["sql_injection", "nosql_injection", "command_injection", "xss"] },
-  { method: "parseFloat", removes: ["sql_injection", "nosql_injection", "command_injection"] },
-  { method: "Number", removes: ["sql_injection", "nosql_injection", "command_injection"] },
+  { method: "parseInt", removes: ["sql_injection", "nosql_injection", "command_injection", "xss", "external_taint_escape", "path_traversal", "code_injection"] },
+  { method: "parseFloat", removes: ["sql_injection", "nosql_injection", "command_injection", "external_taint_escape", "path_traversal", "code_injection"] },
+  { method: "Number", removes: ["sql_injection", "nosql_injection", "command_injection", "external_taint_escape", "path_traversal", "code_injection"] },
+  { method: "min", class: "Math", removes: ["external_taint_escape"] },
+  { method: "max", class: "Math", removes: ["external_taint_escape"] },
+  { method: "includes", removes: ["external_taint_escape"] },
+  { method: "has", removes: ["external_taint_escape"] },
+  { method: "contains", removes: ["external_taint_escape"] },
+  { method: "indexOf", removes: ["external_taint_escape"] },
   { method: "basename", class: "path", removes: ["path_traversal"] },
   { method: "normalize", class: "path", removes: ["path_traversal"] },
   { method: "resolve", class: "path", removes: ["path_traversal"] },
@@ -30162,6 +30167,911 @@ class WeakRandomPass {
   }
 }
 
+// ../circle-ir/dist/analysis/passes/_credential-helpers.js
+var CRED_KEYWORD_RE2 = /(?:password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key|credential)/i;
+function isCredentialIdentifier(name2) {
+  if (!name2)
+    return false;
+  if (name2.length < 3)
+    return false;
+  return CRED_KEYWORD_RE2.test(name2);
+}
+function argLooksLikeCredential(arg) {
+  if (!arg)
+    return false;
+  if (arg.variable && isCredentialIdentifier(arg.variable))
+    return true;
+  const expr = (arg.expression ?? "").trim();
+  if (!expr)
+    return false;
+  const head = expr.split(/[.\s(]/, 1)[0] ?? "";
+  return isCredentialIdentifier(head);
+}
+function stripQuotes6(s) {
+  const t = s.trim();
+  if (t.startsWith('"') && t.endsWith('"') || t.startsWith("'") && t.endsWith("'") || t.startsWith("`") && t.endsWith("`")) {
+    return t.slice(1, -1);
+  }
+  return t;
+}
+function literalAt(call, position) {
+  const arg = call.arguments.find((a) => a.position === position);
+  if (!arg)
+    return null;
+  const raw = arg.literal ?? arg.expression ?? "";
+  const trimmed = raw.trim();
+  if (trimmed.startsWith('"') || trimmed.startsWith("'") || trimmed.startsWith("`")) {
+    return stripQuotes6(trimmed);
+  }
+  if (arg.literal)
+    return stripQuotes6(arg.literal);
+  return null;
+}
+function isHashFunctionCall(call) {
+  const method = call.method_name ?? "";
+  const receiver = call.receiver ?? "";
+  const recvLower = receiver.toLowerCase();
+  if (recvLower === "bcrypt" || recvLower.endsWith(".bcrypt")) {
+    return method === "hashpw" || method === "hash" || method === "hashSync" || method === "GenerateFromPassword" || method === "generate_password_hash";
+  }
+  if (recvLower === "argon2" || recvLower.endsWith(".argon2")) {
+    return method === "hash" || method === "Hash" || method === "PasswordHash";
+  }
+  if (recvLower === "hashlib")
+    return true;
+  if (recvLower === "passlib" || recvLower.includes("passlib.hash"))
+    return true;
+  if (method === "PBKDF2HMAC" || method === "derive")
+    return true;
+  if (recvLower === "crypto") {
+    return method === "createHash" || method === "createHmac" || method === "pbkdf2" || method === "pbkdf2Sync" || method === "scrypt" || method === "scryptSync";
+  }
+  if (receiver === "MessageDigest" || receiver.endsWith(".MessageDigest")) {
+    return method === "getInstance" || method === "update" || method === "digest";
+  }
+  if (receiver === "DigestUtils" || receiver.endsWith(".DigestUtils")) {
+    return true;
+  }
+  if (receiver === "SecretKeyFactory" || receiver.endsWith(".SecretKeyFactory")) {
+    return method === "getInstance" || method === "generateSecret";
+  }
+  if (method === "PBEKeySpec")
+    return true;
+  if (receiver === "md5" || receiver === "sha1" || receiver === "sha256" || receiver === "sha512" || receiver === "sha3" || receiver.endsWith("/md5") || receiver.endsWith("/sha1") || receiver.endsWith("/sha256") || receiver.endsWith("/sha512")) {
+    return method === "New" || method === "Sum" || method === "New224" || method === "New384";
+  }
+  const m = method.toLowerCase();
+  if (m === "hash" || m === "hashpw" || m === "hashsync" || m === "pbkdf2" || m === "pbkdf2sync" || m === "scrypt" || m === "scryptsync")
+    return true;
+  return false;
+}
+function priorHashOf(varName, priorCalls) {
+  for (const c of priorCalls) {
+    if (!isHashFunctionCall(c))
+      continue;
+    for (const a of c.arguments) {
+      if (a.variable === varName)
+        return true;
+      const head = (a.expression ?? "").trim().split(/[.\s(]/, 1)[0];
+      if (head === varName)
+        return true;
+    }
+  }
+  return false;
+}
+
+// ../circle-ir/dist/analysis/passes/weak-password-hash-pass.js
+var FAST_HASH_NAMES = new Set([
+  "sha224",
+  "sha-224",
+  "sha256",
+  "sha-256",
+  "sha384",
+  "sha-384",
+  "sha512",
+  "sha-512",
+  "sha3",
+  "sha-3",
+  "sha3-256",
+  "sha3-512"
+]);
+var BCRYPT_MIN_COST = 10;
+var PBKDF2_MIN_ITERATIONS = 1e5;
+function intLiteral(s) {
+  if (s == null)
+    return null;
+  const t = s.trim();
+  if (!/^-?\d+$/.test(t))
+    return null;
+  const n = parseInt(t, 10);
+  return Number.isFinite(n) ? n : null;
+}
+function pyKwargInt(call, name2) {
+  for (const a of call.arguments) {
+    const expr = (a.expression ?? "").trim();
+    const m = expr.match(new RegExp(`^${name2}\\s*=\\s*(-?\\d+)$`));
+    if (m)
+      return parseInt(m[1], 10);
+  }
+  return null;
+}
+
+class WeakPasswordHashPass {
+  name = "weak-password-hash";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detection = this.detect(call, language);
+      if (!detection)
+        continue;
+      const { kind, api } = detection;
+      const line = call.location.line;
+      findings.push({ line, language, kind, api });
+      const message = kind === "fast-unsalted-hash" ? `Fast/unsalted hash \`${api}\` applied to a password. ` + "General-purpose hashes (SHA-256/512) are unsuitable for password storage." : kind === "low-bcrypt-cost" ? `bcrypt called with insufficient cost factor (< ${BCRYPT_MIN_COST}).` : `PBKDF2 called with insufficient iteration count (< ${PBKDF2_MIN_ITERATIONS}).`;
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-916",
+        severity: "high",
+        level: "warning",
+        message,
+        file,
+        line,
+        fix: "Use a memory-hard password-hashing function with appropriate cost: " + "Argon2id (recommended), bcrypt (cost ≥ 12), scrypt, or PBKDF2 with ≥ 600k iterations.",
+        evidence: { kind, api, language }
+      });
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name ?? "";
+    const receiver = call.receiver ?? "";
+    const recvLower = receiver.toLowerCase();
+    if (recvLower === "bcrypt" || recvLower.endsWith(".bcrypt")) {
+      if (method === "gensalt") {
+        const rounds = pyKwargInt(call, "rounds");
+        if (rounds !== null && rounds < BCRYPT_MIN_COST) {
+          return { kind: "low-bcrypt-cost", api: "bcrypt.gensalt" };
+        }
+      }
+      if (method === "hash" || method === "hashSync") {
+        const cost = intLiteral(literalAt(call, 1));
+        if (cost !== null && cost < BCRYPT_MIN_COST) {
+          return { kind: "low-bcrypt-cost", api: `bcrypt.${method}` };
+        }
+      }
+      if (method === "GenerateFromPassword") {
+        const arg1 = call.arguments.find((a) => a.position === 1);
+        const expr = (arg1?.expression ?? "").trim();
+        const n = intLiteral(expr);
+        if (n !== null && n < BCRYPT_MIN_COST) {
+          return { kind: "low-bcrypt-cost", api: "bcrypt.GenerateFromPassword" };
+        }
+        if (expr === "bcrypt.MinCost") {
+          return { kind: "low-bcrypt-cost", api: "bcrypt.GenerateFromPassword" };
+        }
+      }
+    }
+    if (method === "PBKDF2HMAC") {
+      const iters = pyKwargInt(call, "iterations");
+      if (iters !== null && iters < PBKDF2_MIN_ITERATIONS) {
+        return { kind: "low-pbkdf2-iterations", api: "PBKDF2HMAC" };
+      }
+    }
+    if ((method === "pbkdf2" || method === "pbkdf2Sync") && (recvLower === "crypto" || recvLower.endsWith(".crypto"))) {
+      const iters = intLiteral(literalAt(call, 2));
+      if (iters !== null && iters < PBKDF2_MIN_ITERATIONS) {
+        return { kind: "low-pbkdf2-iterations", api: `crypto.${method}` };
+      }
+    }
+    if (method === "PBEKeySpec" && language === "java") {
+      const iters = intLiteral(literalAt(call, 2));
+      if (iters !== null && iters < PBKDF2_MIN_ITERATIONS) {
+        return { kind: "low-pbkdf2-iterations", api: "PBEKeySpec" };
+      }
+    }
+    if (language === "python" && (recvLower === "hashlib" || recvLower.endsWith(".hashlib"))) {
+      if (FAST_HASH_NAMES.has(method.toLowerCase())) {
+        if (argLooksLikeCredential(call.arguments.find((a) => a.position === 0))) {
+          return { kind: "fast-unsalted-hash", api: `hashlib.${method}` };
+        }
+      }
+      if (method === "new") {
+        const algo = literalAt(call, 0)?.toLowerCase() ?? "";
+        if (FAST_HASH_NAMES.has(algo) && argLooksLikeCredential(call.arguments.find((a) => a.position === 1))) {
+          return { kind: "fast-unsalted-hash", api: `hashlib.new(${algo})` };
+        }
+      }
+    }
+    if ((language === "javascript" || language === "typescript") && method === "update") {
+      const recvExpr = (receiver ?? "").toLowerCase();
+      const hashLike = recvExpr.includes("hash") || recvExpr.includes("createhash") || recvExpr.includes("sha") || recvExpr.includes("md");
+      if (hashLike && argLooksLikeCredential(call.arguments.find((a) => a.position === 0))) {
+        return { kind: "fast-unsalted-hash", api: "crypto.createHash().update" };
+      }
+    }
+    if (language === "java" && method === "update") {
+      const recvName = (receiver ?? "").toLowerCase();
+      const looksLikeDigest = recvName.includes("digest") || recvName.includes("md") || recvName.includes("hash");
+      if (looksLikeDigest && argLooksLikeCredential(call.arguments.find((a) => a.position === 0))) {
+        return { kind: "fast-unsalted-hash", api: "MessageDigest.update" };
+      }
+    }
+    if (language === "go") {
+      const isFastPkg = receiver === "sha256" || receiver === "sha512" || receiver === "sha3" || receiver === "sha224";
+      if (isFastPkg && (method === "Sum256" || method === "Sum512" || method === "Sum224" || method === "Sum384" || method === "Sum")) {
+        const expr = (call.arguments.find((a) => a.position === 0)?.expression ?? "").trim();
+        const inner = expr.replace(/^\[\]byte\s*\(\s*/, "").replace(/\s*\)\s*$/, "");
+        if (argLooksLikeCredential({ position: 0, expression: inner, variable: inner })) {
+          return { kind: "fast-unsalted-hash", api: `${receiver}.${method}` };
+        }
+      }
+    }
+    return null;
+  }
+}
+
+// ../circle-ir/dist/analysis/passes/weak-password-encoding-pass.js
+function isBasicAuthContext(call, code) {
+  const line = call.location.line;
+  if (line < 1)
+    return false;
+  const lines = code.split(`
+`);
+  const start2 = Math.max(0, line - 2);
+  const end = Math.min(lines.length, line + 1);
+  const window2 = lines.slice(start2, end).join(`
+`);
+  return /["'`]Basic\s/i.test(window2);
+}
+
+class WeakPasswordEncodingPass {
+  name = "weak-password-encoding";
+  category = "security";
+  run(ctx) {
+    const { graph, language, code } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const api = this.detect(call, language);
+      if (!api)
+        continue;
+      if (isBasicAuthContext(call, code))
+        continue;
+      const line = call.location.line;
+      findings.push({ line, language, api });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-261",
+        severity: "medium",
+        level: "warning",
+        message: `Credential encoded via \`${api}\` — encoding is NOT encryption. ` + "Base64/hex provide no confidentiality; anyone with the encoded value can decode it.",
+        file,
+        line,
+        fix: "For storage, use a password hash (Argon2id / bcrypt). " + "For transport, use TLS. For symmetric secrecy, use authenticated encryption (AES-GCM).",
+        evidence: { api, language }
+      });
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name ?? "";
+    const receiver = call.receiver ?? "";
+    const recvLower = receiver.toLowerCase();
+    const arg0 = call.arguments.find((a) => a.position === 0);
+    if (language === "python") {
+      if (recvLower === "base64" && (method === "b64encode" || method === "urlsafe_b64encode" || method === "standard_b64encode")) {
+        if (argLooksLikeCredential(arg0))
+          return `base64.${method}`;
+      }
+      if (recvLower === "binascii" && method === "hexlify") {
+        if (argLooksLikeCredential(arg0))
+          return "binascii.hexlify";
+      }
+    }
+    if (language === "javascript" || language === "typescript") {
+      if (method === "toString") {
+        const encoding = literalAt(call, 0);
+        if (encoding === "base64" || encoding === "hex" || encoding === "base64url") {
+          const recv = (receiver ?? "").toLowerCase();
+          if (recv.includes("buffer.from") && /(?:password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key|credential)/i.test(receiver ?? "")) {
+            return `Buffer.from().toString('${encoding}')`;
+          }
+        }
+      }
+      if (method === "btoa" && receiver === "") {
+        if (argLooksLikeCredential(arg0))
+          return "btoa";
+      }
+    }
+    if (language === "java") {
+      if (method === "encodeToString") {
+        const recv = (receiver ?? "").toLowerCase();
+        if (recv.includes("encoder") || recv.includes("base64")) {
+          const expr = (arg0?.expression ?? "").trim();
+          const head = expr.split(/[.\s(]/, 1)[0] ?? "";
+          if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+            return "Base64.encodeToString";
+          }
+        }
+      }
+      if (method === "encodeHexString" && (receiver === "Hex" || receiver.endsWith(".Hex"))) {
+        const expr = (arg0?.expression ?? "").trim();
+        const head = expr.split(/[.\s(]/, 1)[0] ?? "";
+        if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+          return "Hex.encodeHexString";
+        }
+      }
+    }
+    if (language === "go") {
+      if (method === "EncodeToString") {
+        const recv = (receiver ?? "").toLowerCase();
+        if (recv.includes("base64") || recv.includes("hex") || recv.includes("encoding")) {
+          const expr = (arg0?.expression ?? "").trim();
+          const inner = expr.replace(/^\[\]byte\s*\(\s*/, "").replace(/\s*\)\s*$/, "");
+          const head = inner.split(/[.\s(]/, 1)[0] ?? "";
+          if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+            return recv.includes("hex") ? "hex.EncodeToString" : "base64.EncodeToString";
+          }
+        }
+      }
+    }
+    return null;
+  }
+}
+
+// ../circle-ir/dist/analysis/passes/info-disclosure-stacktrace-pass.js
+var RESPONSE_RECEIVER_RE = /^(res|response|w|writer|ctx|c)$/i;
+var LOGGER_RECEIVER_RE = /^(log|logger|slog|console|pino|winston|sentry)$/i;
+var RESPONSE_SEND_METHODS = new Set([
+  "send",
+  "json",
+  "write",
+  "writeHead",
+  "end",
+  "sendFile",
+  "println",
+  "print",
+  "getWriter",
+  "Fprintln",
+  "Fprintf",
+  "Fprint"
+]);
+function isExceptionExpression(expr) {
+  if (!expr)
+    return false;
+  const e = expr.trim();
+  return /\b(err|error|exc|exception|e|t|throwable)\.(stack|message|toString\(|getMessage\(|getStackTrace\(|getLocalizedMessage\(|getCause\()/i.test(e) || /\btraceback\.(format_exc|format_exception|print_exc)\b/i.test(e) || /\bdebug\.Stack\(\)/.test(e) || /\bstr\(\s*(err|error|exc|exception|e)\s*\)/i.test(e) || /\bString\(\s*(err|error|exc|exception|e)\s*\)/i.test(e);
+}
+function argIsException(arg) {
+  if (!arg)
+    return false;
+  if (arg.variable && /^(err|error|exc|exception|e|t|throwable)$/i.test(arg.variable)) {
+    return true;
+  }
+  return isExceptionExpression(arg.expression);
+}
+function detectJavaPrintStackTrace(call) {
+  if (call.method_name !== "printStackTrace")
+    return null;
+  const rec = call.receiver ?? "";
+  if (!/^(e|ex|exc|exception|err|error|t|throwable)$/i.test(rec))
+    return null;
+  const arg0 = call.arguments.find((a) => a.position === 0);
+  if (!arg0)
+    return null;
+  const expr = (arg0.expression ?? arg0.variable ?? "").trim();
+  if (/\bresponse\.getWriter\(\)/.test(expr) || /\bresp\.getWriter\(\)/.test(expr) || /\bout\b/.test(expr) || /\bgetWriter\(\)/.test(expr)) {
+    return "e.printStackTrace(response.getWriter())";
+  }
+  return null;
+}
+function detectResponseLeakCall(call) {
+  const method = call.method_name ?? "";
+  const receiver = call.receiver ?? "";
+  if (!RESPONSE_SEND_METHODS.has(method))
+    return null;
+  if (LOGGER_RECEIVER_RE.test(receiver))
+    return null;
+  const recTail = receiver.split(".").pop() ?? receiver;
+  const recHead = receiver.split(".")[0] ?? receiver;
+  if (!RESPONSE_RECEIVER_RE.test(recTail) && !RESPONSE_RECEIVER_RE.test(recHead)) {
+    if (!/(?:^|[.\s])(res|response)\.(?:status|set|header|cookie)\b/i.test(receiver)) {
+      return null;
+    }
+  }
+  for (const a of call.arguments) {
+    if (argIsException(a)) {
+      return `${receiver || ""}${receiver ? "." : ""}${method}(${(a.expression ?? a.variable ?? "").trim()})`;
+    }
+  }
+  return null;
+}
+function detectPythonTracebackReturn(ctx) {
+  const out2 = [];
+  const lines = ctx.code.split(`
+`);
+  for (let i2 = 0;i2 < lines.length; i2++) {
+    const ln = lines[i2] ?? "";
+    if (/\breturn\s+traceback\.format_exc\s*\(\s*\)/.test(ln) || /\breturn\s+\{[^}]*traceback\.format_exc\s*\(\s*\)[^}]*\}/.test(ln) || /\bjsonify\s*\([^)]*traceback\.format_exc\s*\(\s*\)/.test(ln)) {
+      out2.push({ line: i2 + 1, api: "return traceback.format_exc()" });
+      continue;
+    }
+    if (/\breturn\s+(?:str|repr)\s*\(\s*(?:e|err|error|exc|exception)\s*\)/.test(ln)) {
+      const start2 = Math.max(0, i2 - 8);
+      const end = Math.min(lines.length, i2 + 2);
+      const window2 = lines.slice(start2, end).join(`
+`);
+      if (/@(?:app|router|blueprint)\.(?:route|get|post|put|delete|patch)\b/.test(window2)) {
+        out2.push({ line: i2 + 1, api: "return str(e) in handler" });
+      }
+    }
+  }
+  return out2;
+}
+
+class InfoDisclosureStacktracePass {
+  name = "info-disclosure-stacktrace";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    if (language === "python") {
+      for (const f of detectPythonTracebackReturn(ctx)) {
+        findings.push({ line: f.line, api: f.api, language });
+        ctx.addFinding(this.makeFinding(file, f.line, f.api));
+      }
+    }
+    for (const call of graph.ir.calls) {
+      let api = null;
+      if (language === "java") {
+        api = detectJavaPrintStackTrace(call);
+        if (!api)
+          api = detectResponseLeakCall(call);
+      } else if (language === "javascript" || language === "typescript") {
+        api = detectResponseLeakCall(call);
+      } else if (language === "go") {
+        const method = call.method_name ?? "";
+        const rec = call.receiver ?? "";
+        if (rec === "http" && method === "Error") {
+          const arg1 = call.arguments.find((a) => a.position === 1);
+          if (argIsException(arg1))
+            api = "http.Error(w, err.Error())";
+        } else if (rec === "fmt" && (method === "Fprintln" || method === "Fprintf" || method === "Fprint")) {
+          const arg0 = call.arguments.find((a) => a.position === 0);
+          if (arg0 && /^(w|writer|resp|response)$/i.test((arg0.variable ?? arg0.expression ?? "").trim())) {
+            for (const a of call.arguments) {
+              if (a.position === 0)
+                continue;
+              if (argIsException(a)) {
+                api = `fmt.${method}(w, err)`;
+                break;
+              }
+            }
+          }
+        } else {
+          api = detectResponseLeakCall(call);
+        }
+      } else if (language === "python") {
+        api = detectResponseLeakCall(call);
+      }
+      if (!api)
+        continue;
+      const line = call.location.line;
+      findings.push({ line, api, language });
+      ctx.addFinding(this.makeFinding(file, line, api));
+    }
+    return { findings };
+  }
+  makeFinding(file, line, api) {
+    return {
+      id: `${this.name}-${file}-${line}`,
+      pass: this.name,
+      category: this.category,
+      rule_id: this.name,
+      cwe: "CWE-209",
+      severity: "medium",
+      level: "warning",
+      message: `Exception detail returned to client via \`${api}\`. ` + "Leaking stack traces / exception messages reveals framework internals, " + "file paths, and class names — useful reconnaissance for an attacker.",
+      file,
+      line,
+      fix: "Return a generic error response to the client (e.g. status 500 + a " + "request id) and log the full exception server-side via your logger " + '(e.g. `logger.error("…", e)` or `console.error(err)`).',
+      evidence: { api }
+    };
+  }
+}
+
+// ../circle-ir/dist/analysis/passes/unrestricted-file-upload-pass.js
+var UPLOAD_NAME_RE = /(?:getOriginalFilename|getSubmittedFileName|originalname|originalName|\.filename|\.Filename|FileHeader\.Filename|UploadFile)/;
+var FILE_SAFE_CALL_RE = /(?:secure_filename|FilenameUtils\.getExtension|\.lastIndexOf\(['"]\.['"]\)|ALLOWED_EXT|ALLOWED_EXTENSIONS|allowedExtensions|\bfileFilter\b|filepath\.Ext|path\.extname)/;
+function lineWindow(code, startLine, endLine) {
+  const lines = code.split(`
+`);
+  const s = Math.max(0, startLine - 1);
+  const e = Math.min(lines.length, endLine);
+  return lines.slice(s, e).join(`
+`);
+}
+function callHasUploadName(call) {
+  for (const a of call.arguments) {
+    const expr = (a.expression ?? a.variable ?? "").trim();
+    if (UPLOAD_NAME_RE.test(expr))
+      return true;
+  }
+  if (UPLOAD_NAME_RE.test(call.receiver ?? ""))
+    return true;
+  return false;
+}
+
+class UnrestrictedFileUploadPass {
+  name = "unrestricted-file-upload";
+  category = "security";
+  run(ctx) {
+    const { graph, language, code } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const safeFunctionRanges = [];
+    for (const t of graph.ir.types) {
+      for (const m of t.methods) {
+        const body2 = lineWindow(code, m.start_line, m.end_line);
+        if (FILE_SAFE_CALL_RE.test(body2)) {
+          safeFunctionRanges.push({ start: m.start_line, end: m.end_line });
+        }
+      }
+    }
+    const inSafeRange = (line) => {
+      for (const r of safeFunctionRanges) {
+        if (line >= r.start && line <= r.end)
+          return true;
+      }
+      const win = lineWindow(code, Math.max(1, line - 20), line + 5);
+      return FILE_SAFE_CALL_RE.test(win);
+    };
+    if (language === "java") {
+      for (const call of graph.ir.calls) {
+        const m = call.method_name ?? "";
+        if (m === "transferTo" && callHasUploadName(call)) {
+          if (inSafeRange(call.location.line))
+            continue;
+          this.emit(ctx, findings, file, call.location.line, language, "MultipartFile.transferTo(<original filename>)");
+          continue;
+        }
+        if (m === "copy" && (call.receiver === "Files" || (call.receiver ?? "").endsWith(".Files"))) {
+          if (callHasUploadName(call)) {
+            if (inSafeRange(call.location.line))
+              continue;
+            this.emit(ctx, findings, file, call.location.line, language, "Files.copy(input, Path.of(dir, <original filename>))");
+          }
+        }
+      }
+    }
+    if (language === "javascript" || language === "typescript") {
+      for (const call of graph.ir.calls) {
+        const m = call.method_name ?? "";
+        const rec = call.receiver ?? "";
+        if (m === "multer" || rec === "" && m === "multer") {
+          const arg0 = call.arguments.find((a) => a.position === 0);
+          const expr = (arg0?.expression ?? "").trim();
+          if (/\bdest\s*:/.test(expr) && !/\bfileFilter\s*:/.test(expr)) {
+            if (inSafeRange(call.location.line))
+              continue;
+            this.emit(ctx, findings, file, call.location.line, language, "multer({ dest }) without fileFilter");
+            continue;
+          }
+        }
+        if (rec === "fs" && (m === "writeFile" || m === "writeFileSync" || m === "appendFile")) {
+          if (callHasUploadName(call) || call.arguments.some((a) => /\breq\.file(?:s)?\b/.test(a.expression ?? a.variable ?? ""))) {
+            if (inSafeRange(call.location.line))
+              continue;
+            this.emit(ctx, findings, file, call.location.line, language, `fs.${m}(<path>, req.file.buffer)`);
+          }
+        }
+      }
+    }
+    if (language === "python") {
+      for (const call of graph.ir.calls) {
+        const m = call.method_name ?? "";
+        if (m === "save") {
+          const rec = call.receiver ?? "";
+          if (!/^(f|file|upload|attachment)$/i.test(rec) && rec !== "")
+            continue;
+          if (!callHasUploadName(call))
+            continue;
+          if (inSafeRange(call.location.line))
+            continue;
+          this.emit(ctx, findings, file, call.location.line, language, "f.save(<dir>, f.filename) without secure_filename");
+        }
+      }
+    }
+    if (language === "go") {
+      for (const call of graph.ir.calls) {
+        const m = call.method_name ?? "";
+        const rec = call.receiver ?? "";
+        if (rec === "os" && (m === "Create" || m === "OpenFile")) {
+          if (callHasUploadName(call)) {
+            if (inSafeRange(call.location.line))
+              continue;
+            this.emit(ctx, findings, file, call.location.line, language, `os.${m}(<uploaded filename>)`);
+          }
+        }
+        if ((rec === "os" || rec === "ioutil") && m === "WriteFile") {
+          if (callHasUploadName(call)) {
+            if (inSafeRange(call.location.line))
+              continue;
+            this.emit(ctx, findings, file, call.location.line, language, `${rec}.WriteFile(<uploaded filename>, …)`);
+          }
+        }
+      }
+    }
+    return { findings };
+  }
+  emit(ctx, findings, file, line, language, api) {
+    findings.push({ line, api, language });
+    ctx.addFinding({
+      id: `${this.name}-${file}-${line}`,
+      pass: this.name,
+      category: this.category,
+      rule_id: this.name,
+      cwe: "CWE-434",
+      severity: "high",
+      level: "error",
+      message: `File upload saved using untrusted name (${api}) — no extension allow-list or ` + "filename canonicalization detected. An attacker can upload a `.jsp`/`.php`/`.html` " + "file and request it back, achieving RCE or stored XSS.",
+      file,
+      line,
+      fix: "Validate the uploaded extension against an allow-list (e.g. " + '`Set.of("png","jpg")`), then save with a sanitized filename. In Python use ' + "`werkzeug.utils.secure_filename`. In multer pass a `fileFilter`. Never " + "concatenate the upload's original filename into a save path without " + "validation.",
+      evidence: { api, language }
+    });
+  }
+}
+
+// ../circle-ir/dist/analysis/passes/plaintext-password-storage-pass.js
+function isWriteStorageCall(call, language) {
+  const method = call.method_name ?? "";
+  const receiver = call.receiver ?? "";
+  const recvLower = receiver.toLowerCase();
+  if (language === "python") {
+    if (method === "write" || method === "writelines") {
+      return { credPos: 0, api: `<file>.${method}` };
+    }
+    if ((recvLower === "pickle" || recvLower === "json" || recvLower === "yaml") && (method === "dump" || method === "dumps")) {
+      return { credPos: 0, api: `${receiver}.${method}` };
+    }
+    if (recvLower === "redis" && (method === "set" || method === "setex" || method === "hset")) {
+      return { credPos: 1, api: `redis.${method}` };
+    }
+  }
+  if (language === "javascript" || language === "typescript") {
+    if ((recvLower === "fs" || recvLower.endsWith(".fs")) && (method === "writeFile" || method === "writeFileSync" || method === "appendFile" || method === "appendFileSync")) {
+      return { credPos: 1, api: `fs.${method}` };
+    }
+    if ((recvLower === "localstorage" || recvLower === "sessionstorage") && method === "setItem") {
+      return { credPos: 1, api: `${receiver}.setItem` };
+    }
+    if (recvLower === "redis" && (method === "set" || method === "setex" || method === "hset")) {
+      return { credPos: 1, api: `redis.${method}` };
+    }
+  }
+  if (language === "java") {
+    if ((receiver === "Files" || receiver.endsWith(".Files")) && (method === "write" || method === "writeString")) {
+      return { credPos: 1, api: `Files.${method}` };
+    }
+    if (method === "write") {
+      const lc = (receiver ?? "").toLowerCase();
+      if (lc.includes("writer") || lc.includes("file") || lc.includes("stream")) {
+        return { credPos: 0, api: `${receiver}.write` };
+      }
+    }
+  }
+  if (language === "go") {
+    if (receiver === "os" || receiver.endsWith("/os")) {
+      if (method === "WriteFile")
+        return { credPos: 1, api: "os.WriteFile" };
+    }
+    if (receiver === "ioutil" || receiver.endsWith("/ioutil")) {
+      if (method === "WriteFile")
+        return { credPos: 1, api: "ioutil.WriteFile" };
+    }
+    if (method === "WriteString" || method === "Write") {
+      return { credPos: 0, api: `<file>.${method}` };
+    }
+  }
+  return null;
+}
+
+class PlaintextPasswordStoragePass {
+  name = "plaintext-password-storage";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const callsByScope = new Map;
+    for (const call of graph.ir.calls) {
+      const scope = call.in_method ?? "<top>";
+      const arr = callsByScope.get(scope) ?? [];
+      arr.push(call);
+      callsByScope.set(scope, arr);
+    }
+    for (const call of graph.ir.calls) {
+      const spec = isWriteStorageCall(call, language);
+      if (!spec)
+        continue;
+      const credArg = call.arguments.find((a) => a.position === spec.credPos);
+      if (!credArg)
+        continue;
+      if (!argLooksLikeCredential(credArg))
+        continue;
+      const identExpr = (credArg.expression ?? "").trim();
+      const head = identExpr.split(/[.\s(]/, 1)[0] ?? "";
+      const identifier = credArg.variable ?? head;
+      if (!identifier)
+        continue;
+      const scope = call.in_method ?? "<top>";
+      const scopeCalls = callsByScope.get(scope) ?? [];
+      const prior = scopeCalls.filter((c) => c.location.line < call.location.line);
+      if (priorHashOf(identifier, prior))
+        continue;
+      if (/\b(?:hashpw|hash|sha\d+|md5|bcrypt|argon2|pbkdf2|digest)\b/i.test(credArg.expression ?? "")) {
+        continue;
+      }
+      const line = call.location.line;
+      findings.push({ line, language, api: spec.api, identifier });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-256",
+        severity: "high",
+        level: "warning",
+        message: `Credential \`${identifier}\` written in plaintext via \`${spec.api}\`. ` + "Passwords / secrets must be hashed (Argon2id, bcrypt) before storage.",
+        file,
+        line,
+        fix: "Hash the credential with Argon2id / bcrypt before writing it to " + "disk, cookie, KV store, or database.",
+        evidence: { identifier, api: spec.api, language }
+      });
+    }
+    return { findings };
+  }
+}
+
+// ../circle-ir/dist/analysis/passes/cleartext-credential-transport-pass.js
+var LOCALHOST_RE = /^(?:localhost|127\.0\.0\.1|0\.0\.0\.0)(?::\d+)?$/i;
+function isInsecureHttpUrl(urlLiteral) {
+  if (!urlLiteral)
+    return false;
+  if (!/^http:\/\//i.test(urlLiteral))
+    return false;
+  const rest = urlLiteral.slice("http://".length);
+  const host = rest.split("/", 1)[0] ?? "";
+  if (LOCALHOST_RE.test(host))
+    return false;
+  return true;
+}
+function anyArgCarriesCredential(call, startPos) {
+  for (const a of call.arguments) {
+    if (a.position < startPos)
+      continue;
+    if (argLooksLikeCredential(a))
+      return true;
+    const expr = (a.expression ?? "").trim();
+    if (!expr)
+      continue;
+    if (/(?:["'`]?(?:password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|credential)["'`]?\s*[:=])/i.test(expr)) {
+      return true;
+    }
+    if (/\b(?:password|passwd|pwd|secret|api_key|api-key|apiKey|auth_token|authToken|credential)\w*\b/i.test(expr)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+class CleartextCredentialTransportPass {
+  name = "cleartext-credential-transport";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detection = this.detect(call, language);
+      if (!detection)
+        continue;
+      const { api, url } = detection;
+      const line = call.location.line;
+      findings.push({ line, language, api, url });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-523",
+        severity: "high",
+        level: "error",
+        message: `Credentials transmitted to \`${url}\` over HTTP via \`${api}\`. ` + "Cleartext transport exposes credentials to network observers.",
+        file,
+        line,
+        fix: "Use HTTPS (https://) for all endpoints that receive credentials. " + "For internal traffic, terminate TLS at the service boundary.",
+        evidence: { api, url, language }
+      });
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name ?? "";
+    const receiver = call.receiver ?? "";
+    const recvLower = receiver.toLowerCase();
+    if (language === "python") {
+      if ((recvLower === "requests" || recvLower === "httpx" || recvLower.endsWith(".requests") || recvLower.endsWith(".httpx")) && (method === "post" || method === "put" || method === "patch" || method === "request")) {
+        const url = literalAt(call, method === "request" ? 1 : 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: `${receiver}.${method}`, url };
+        }
+      }
+      if (method === "urlopen" && recvLower.includes("urllib")) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "urllib.request.urlopen", url };
+        }
+      }
+    }
+    if (language === "javascript" || language === "typescript") {
+      if ((recvLower === "axios" || recvLower.endsWith(".axios")) && (method === "post" || method === "put" || method === "patch" || method === "request")) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: `axios.${method}`, url };
+        }
+      }
+      if (method === "fetch" && receiver === "") {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "fetch", url };
+        }
+      }
+      if (method === "request" && (recvLower === "http" || recvLower.endsWith(".http"))) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "http.request", url };
+        }
+      }
+    }
+    if (language === "java" && method === "URL" && receiver === "") {
+      const url = literalAt(call, 0);
+      if (!isInsecureHttpUrl(url))
+        return null;
+      const scope = call.in_method ?? null;
+      if (!scope)
+        return null;
+      return null;
+    }
+    if (language === "go") {
+      if (method === "Post" && (receiver === "http" || receiver.endsWith("/http"))) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "http.Post", url };
+        }
+      }
+      if (method === "NewRequest" && (receiver === "http" || receiver.endsWith("/http"))) {
+        const url = literalAt(call, 1);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 2)) {
+          return { api: "http.NewRequest", url };
+        }
+      }
+    }
+    return null;
+  }
+}
+
 // ../circle-ir/dist/analysis/passes/tls-verify-disabled-pass.js
 var PY_HTTP_METHODS = new Set([
   "get",
@@ -32463,6 +33373,14 @@ async function analyze(code, filePath, language, options = {}) {
       pipeline.add(new WeakCryptoPass);
     if (!disabledPasses.has("weak-random"))
       pipeline.add(new WeakRandomPass);
+    if (!disabledPasses.has("weak-password-hash"))
+      pipeline.add(new WeakPasswordHashPass);
+    if (!disabledPasses.has("weak-password-encoding"))
+      pipeline.add(new WeakPasswordEncodingPass);
+    if (!disabledPasses.has("plaintext-password-storage"))
+      pipeline.add(new PlaintextPasswordStoragePass);
+    if (!disabledPasses.has("cleartext-credential-transport"))
+      pipeline.add(new CleartextCredentialTransportPass);
     if (!disabledPasses.has("tls-verify-disabled"))
       pipeline.add(new TlsVerifyDisabledPass);
     if (!disabledPasses.has("module-side-effect"))
@@ -32477,6 +33395,10 @@ async function analyze(code, filePath, language, options = {}) {
       pipeline.add(new XmlEntityExpansionPass);
     if (!disabledPasses.has("mass-assignment"))
       pipeline.add(new MassAssignmentPass);
+    if (!disabledPasses.has("info-disclosure-stacktrace"))
+      pipeline.add(new InfoDisclosureStacktracePass);
+    if (!disabledPasses.has("unrestricted-file-upload"))
+      pipeline.add(new UnrestrictedFileUploadPass);
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");
@@ -32670,7 +33592,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.80.0";
+var version = "3.82.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.80.0",
+  "version": "3.82.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.80.0"
+    "circle-ir": "^3.82.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",