cognium-dev 3.81.0 → 3.82.0

package/dist/cli.js

@@ -11478,9 +11478,15 @@ var DEFAULT_SANITIZERS = [
   { method: "sanitize", class: "DOMPurify", removes: ["xss"] },
   { method: "escape", class: "validator", removes: ["xss"] },
   { method: "parse", class: "JSON", removes: ["xss", "code_injection"] },
-  { method: "parseInt", removes: ["sql_injection", "nosql_injection", "command_injection", "xss"] },
-  { method: "parseFloat", removes: ["sql_injection", "nosql_injection", "command_injection"] },
-  { method: "Number", removes: ["sql_injection", "nosql_injection", "command_injection"] },
+  { method: "parseInt", removes: ["sql_injection", "nosql_injection", "command_injection", "xss", "external_taint_escape", "path_traversal", "code_injection"] },
+  { method: "parseFloat", removes: ["sql_injection", "nosql_injection", "command_injection", "external_taint_escape", "path_traversal", "code_injection"] },
+  { method: "Number", removes: ["sql_injection", "nosql_injection", "command_injection", "external_taint_escape", "path_traversal", "code_injection"] },
+  { method: "min", class: "Math", removes: ["external_taint_escape"] },
+  { method: "max", class: "Math", removes: ["external_taint_escape"] },
+  { method: "includes", removes: ["external_taint_escape"] },
+  { method: "has", removes: ["external_taint_escape"] },
+  { method: "contains", removes: ["external_taint_escape"] },
+  { method: "indexOf", removes: ["external_taint_escape"] },
   { method: "basename", class: "path", removes: ["path_traversal"] },
   { method: "normalize", class: "path", removes: ["path_traversal"] },
   { method: "resolve", class: "path", removes: ["path_traversal"] },
@@ -30522,6 +30528,311 @@ class WeakPasswordEncodingPass {
   }
 }
 
+// ../circle-ir/dist/analysis/passes/info-disclosure-stacktrace-pass.js
+var RESPONSE_RECEIVER_RE = /^(res|response|w|writer|ctx|c)$/i;
+var LOGGER_RECEIVER_RE = /^(log|logger|slog|console|pino|winston|sentry)$/i;
+var RESPONSE_SEND_METHODS = new Set([
+  "send",
+  "json",
+  "write",
+  "writeHead",
+  "end",
+  "sendFile",
+  "println",
+  "print",
+  "getWriter",
+  "Fprintln",
+  "Fprintf",
+  "Fprint"
+]);
+function isExceptionExpression(expr) {
+  if (!expr)
+    return false;
+  const e = expr.trim();
+  return /\b(err|error|exc|exception|e|t|throwable)\.(stack|message|toString\(|getMessage\(|getStackTrace\(|getLocalizedMessage\(|getCause\()/i.test(e) || /\btraceback\.(format_exc|format_exception|print_exc)\b/i.test(e) || /\bdebug\.Stack\(\)/.test(e) || /\bstr\(\s*(err|error|exc|exception|e)\s*\)/i.test(e) || /\bString\(\s*(err|error|exc|exception|e)\s*\)/i.test(e);
+}
+function argIsException(arg) {
+  if (!arg)
+    return false;
+  if (arg.variable && /^(err|error|exc|exception|e|t|throwable)$/i.test(arg.variable)) {
+    return true;
+  }
+  return isExceptionExpression(arg.expression);
+}
+function detectJavaPrintStackTrace(call) {
+  if (call.method_name !== "printStackTrace")
+    return null;
+  const rec = call.receiver ?? "";
+  if (!/^(e|ex|exc|exception|err|error|t|throwable)$/i.test(rec))
+    return null;
+  const arg0 = call.arguments.find((a) => a.position === 0);
+  if (!arg0)
+    return null;
+  const expr = (arg0.expression ?? arg0.variable ?? "").trim();
+  if (/\bresponse\.getWriter\(\)/.test(expr) || /\bresp\.getWriter\(\)/.test(expr) || /\bout\b/.test(expr) || /\bgetWriter\(\)/.test(expr)) {
+    return "e.printStackTrace(response.getWriter())";
+  }
+  return null;
+}
+function detectResponseLeakCall(call) {
+  const method = call.method_name ?? "";
+  const receiver = call.receiver ?? "";
+  if (!RESPONSE_SEND_METHODS.has(method))
+    return null;
+  if (LOGGER_RECEIVER_RE.test(receiver))
+    return null;
+  const recTail = receiver.split(".").pop() ?? receiver;
+  const recHead = receiver.split(".")[0] ?? receiver;
+  if (!RESPONSE_RECEIVER_RE.test(recTail) && !RESPONSE_RECEIVER_RE.test(recHead)) {
+    if (!/(?:^|[.\s])(res|response)\.(?:status|set|header|cookie)\b/i.test(receiver)) {
+      return null;
+    }
+  }
+  for (const a of call.arguments) {
+    if (argIsException(a)) {
+      return `${receiver || ""}${receiver ? "." : ""}${method}(${(a.expression ?? a.variable ?? "").trim()})`;
+    }
+  }
+  return null;
+}
+function detectPythonTracebackReturn(ctx) {
+  const out2 = [];
+  const lines = ctx.code.split(`
+`);
+  for (let i2 = 0;i2 < lines.length; i2++) {
+    const ln = lines[i2] ?? "";
+    if (/\breturn\s+traceback\.format_exc\s*\(\s*\)/.test(ln) || /\breturn\s+\{[^}]*traceback\.format_exc\s*\(\s*\)[^}]*\}/.test(ln) || /\bjsonify\s*\([^)]*traceback\.format_exc\s*\(\s*\)/.test(ln)) {
+      out2.push({ line: i2 + 1, api: "return traceback.format_exc()" });
+      continue;
+    }
+    if (/\breturn\s+(?:str|repr)\s*\(\s*(?:e|err|error|exc|exception)\s*\)/.test(ln)) {
+      const start2 = Math.max(0, i2 - 8);
+      const end = Math.min(lines.length, i2 + 2);
+      const window2 = lines.slice(start2, end).join(`
+`);
+      if (/@(?:app|router|blueprint)\.(?:route|get|post|put|delete|patch)\b/.test(window2)) {
+        out2.push({ line: i2 + 1, api: "return str(e) in handler" });
+      }
+    }
+  }
+  return out2;
+}
+
+class InfoDisclosureStacktracePass {
+  name = "info-disclosure-stacktrace";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    if (language === "python") {
+      for (const f of detectPythonTracebackReturn(ctx)) {
+        findings.push({ line: f.line, api: f.api, language });
+        ctx.addFinding(this.makeFinding(file, f.line, f.api));
+      }
+    }
+    for (const call of graph.ir.calls) {
+      let api = null;
+      if (language === "java") {
+        api = detectJavaPrintStackTrace(call);
+        if (!api)
+          api = detectResponseLeakCall(call);
+      } else if (language === "javascript" || language === "typescript") {
+        api = detectResponseLeakCall(call);
+      } else if (language === "go") {
+        const method = call.method_name ?? "";
+        const rec = call.receiver ?? "";
+        if (rec === "http" && method === "Error") {
+          const arg1 = call.arguments.find((a) => a.position === 1);
+          if (argIsException(arg1))
+            api = "http.Error(w, err.Error())";
+        } else if (rec === "fmt" && (method === "Fprintln" || method === "Fprintf" || method === "Fprint")) {
+          const arg0 = call.arguments.find((a) => a.position === 0);
+          if (arg0 && /^(w|writer|resp|response)$/i.test((arg0.variable ?? arg0.expression ?? "").trim())) {
+            for (const a of call.arguments) {
+              if (a.position === 0)
+                continue;
+              if (argIsException(a)) {
+                api = `fmt.${method}(w, err)`;
+                break;
+              }
+            }
+          }
+        } else {
+          api = detectResponseLeakCall(call);
+        }
+      } else if (language === "python") {
+        api = detectResponseLeakCall(call);
+      }
+      if (!api)
+        continue;
+      const line = call.location.line;
+      findings.push({ line, api, language });
+      ctx.addFinding(this.makeFinding(file, line, api));
+    }
+    return { findings };
+  }
+  makeFinding(file, line, api) {
+    return {
+      id: `${this.name}-${file}-${line}`,
+      pass: this.name,
+      category: this.category,
+      rule_id: this.name,
+      cwe: "CWE-209",
+      severity: "medium",
+      level: "warning",
+      message: `Exception detail returned to client via \`${api}\`. ` + "Leaking stack traces / exception messages reveals framework internals, " + "file paths, and class names — useful reconnaissance for an attacker.",
+      file,
+      line,
+      fix: "Return a generic error response to the client (e.g. status 500 + a " + "request id) and log the full exception server-side via your logger " + '(e.g. `logger.error("…", e)` or `console.error(err)`).',
+      evidence: { api }
+    };
+  }
+}
+
+// ../circle-ir/dist/analysis/passes/unrestricted-file-upload-pass.js
+var UPLOAD_NAME_RE = /(?:getOriginalFilename|getSubmittedFileName|originalname|originalName|\.filename|\.Filename|FileHeader\.Filename|UploadFile)/;
+var FILE_SAFE_CALL_RE = /(?:secure_filename|FilenameUtils\.getExtension|\.lastIndexOf\(['"]\.['"]\)|ALLOWED_EXT|ALLOWED_EXTENSIONS|allowedExtensions|\bfileFilter\b|filepath\.Ext|path\.extname)/;
+function lineWindow(code, startLine, endLine) {
+  const lines = code.split(`
+`);
+  const s = Math.max(0, startLine - 1);
+  const e = Math.min(lines.length, endLine);
+  return lines.slice(s, e).join(`
+`);
+}
+function callHasUploadName(call) {
+  for (const a of call.arguments) {
+    const expr = (a.expression ?? a.variable ?? "").trim();
+    if (UPLOAD_NAME_RE.test(expr))
+      return true;
+  }
+  if (UPLOAD_NAME_RE.test(call.receiver ?? ""))
+    return true;
+  return false;
+}
+
+class UnrestrictedFileUploadPass {
+  name = "unrestricted-file-upload";
+  category = "security";
+  run(ctx) {
+    const { graph, language, code } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const safeFunctionRanges = [];
+    for (const t of graph.ir.types) {
+      for (const m of t.methods) {
+        const body2 = lineWindow(code, m.start_line, m.end_line);
+        if (FILE_SAFE_CALL_RE.test(body2)) {
+          safeFunctionRanges.push({ start: m.start_line, end: m.end_line });
+        }
+      }
+    }
+    const inSafeRange = (line) => {
+      for (const r of safeFunctionRanges) {
+        if (line >= r.start && line <= r.end)
+          return true;
+      }
+      const win = lineWindow(code, Math.max(1, line - 20), line + 5);
+      return FILE_SAFE_CALL_RE.test(win);
+    };
+    if (language === "java") {
+      for (const call of graph.ir.calls) {
+        const m = call.method_name ?? "";
+        if (m === "transferTo" && callHasUploadName(call)) {
+          if (inSafeRange(call.location.line))
+            continue;
+          this.emit(ctx, findings, file, call.location.line, language, "MultipartFile.transferTo(<original filename>)");
+          continue;
+        }
+        if (m === "copy" && (call.receiver === "Files" || (call.receiver ?? "").endsWith(".Files"))) {
+          if (callHasUploadName(call)) {
+            if (inSafeRange(call.location.line))
+              continue;
+            this.emit(ctx, findings, file, call.location.line, language, "Files.copy(input, Path.of(dir, <original filename>))");
+          }
+        }
+      }
+    }
+    if (language === "javascript" || language === "typescript") {
+      for (const call of graph.ir.calls) {
+        const m = call.method_name ?? "";
+        const rec = call.receiver ?? "";
+        if (m === "multer" || rec === "" && m === "multer") {
+          const arg0 = call.arguments.find((a) => a.position === 0);
+          const expr = (arg0?.expression ?? "").trim();
+          if (/\bdest\s*:/.test(expr) && !/\bfileFilter\s*:/.test(expr)) {
+            if (inSafeRange(call.location.line))
+              continue;
+            this.emit(ctx, findings, file, call.location.line, language, "multer({ dest }) without fileFilter");
+            continue;
+          }
+        }
+        if (rec === "fs" && (m === "writeFile" || m === "writeFileSync" || m === "appendFile")) {
+          if (callHasUploadName(call) || call.arguments.some((a) => /\breq\.file(?:s)?\b/.test(a.expression ?? a.variable ?? ""))) {
+            if (inSafeRange(call.location.line))
+              continue;
+            this.emit(ctx, findings, file, call.location.line, language, `fs.${m}(<path>, req.file.buffer)`);
+          }
+        }
+      }
+    }
+    if (language === "python") {
+      for (const call of graph.ir.calls) {
+        const m = call.method_name ?? "";
+        if (m === "save") {
+          const rec = call.receiver ?? "";
+          if (!/^(f|file|upload|attachment)$/i.test(rec) && rec !== "")
+            continue;
+          if (!callHasUploadName(call))
+            continue;
+          if (inSafeRange(call.location.line))
+            continue;
+          this.emit(ctx, findings, file, call.location.line, language, "f.save(<dir>, f.filename) without secure_filename");
+        }
+      }
+    }
+    if (language === "go") {
+      for (const call of graph.ir.calls) {
+        const m = call.method_name ?? "";
+        const rec = call.receiver ?? "";
+        if (rec === "os" && (m === "Create" || m === "OpenFile")) {
+          if (callHasUploadName(call)) {
+            if (inSafeRange(call.location.line))
+              continue;
+            this.emit(ctx, findings, file, call.location.line, language, `os.${m}(<uploaded filename>)`);
+          }
+        }
+        if ((rec === "os" || rec === "ioutil") && m === "WriteFile") {
+          if (callHasUploadName(call)) {
+            if (inSafeRange(call.location.line))
+              continue;
+            this.emit(ctx, findings, file, call.location.line, language, `${rec}.WriteFile(<uploaded filename>, …)`);
+          }
+        }
+      }
+    }
+    return { findings };
+  }
+  emit(ctx, findings, file, line, language, api) {
+    findings.push({ line, api, language });
+    ctx.addFinding({
+      id: `${this.name}-${file}-${line}`,
+      pass: this.name,
+      category: this.category,
+      rule_id: this.name,
+      cwe: "CWE-434",
+      severity: "high",
+      level: "error",
+      message: `File upload saved using untrusted name (${api}) — no extension allow-list or ` + "filename canonicalization detected. An attacker can upload a `.jsp`/`.php`/`.html` " + "file and request it back, achieving RCE or stored XSS.",
+      file,
+      line,
+      fix: "Validate the uploaded extension against an allow-list (e.g. " + '`Set.of("png","jpg")`), then save with a sanitized filename. In Python use ' + "`werkzeug.utils.secure_filename`. In multer pass a `fileFilter`. Never " + "concatenate the upload's original filename into a save path without " + "validation.",
+      evidence: { api, language }
+    });
+  }
+}
+
 // ../circle-ir/dist/analysis/passes/plaintext-password-storage-pass.js
 function isWriteStorageCall(call, language) {
   const method = call.method_name ?? "";
@@ -33084,6 +33395,10 @@ async function analyze(code, filePath, language, options = {}) {
       pipeline.add(new XmlEntityExpansionPass);
     if (!disabledPasses.has("mass-assignment"))
       pipeline.add(new MassAssignmentPass);
+    if (!disabledPasses.has("info-disclosure-stacktrace"))
+      pipeline.add(new InfoDisclosureStacktracePass);
+    if (!disabledPasses.has("unrestricted-file-upload"))
+      pipeline.add(new UnrestrictedFileUploadPass);
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");
@@ -33277,7 +33592,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.81.0";
+var version = "3.82.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.81.0",
+  "version": "3.82.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.81.0"
+    "circle-ir": "^3.82.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",