cognium-dev 3.82.0 → 3.84.0

package/dist/cli.js

@@ -10517,10 +10517,6 @@ var DEFAULT_SINKS = [
   { method: "setCommandline", class: "DefaultExecutor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "addArgument", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "waitFor", class: "Process", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [] },
-  { method: "inheritIO", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [] },
-  { method: "redirectOutput", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [0] },
-  { method: "redirectInput", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [0] },
   { method: "File", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1] },
   { method: "FileInputStream", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileOutputStream", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -10764,7 +10760,6 @@ var DEFAULT_SINKS = [
   { method: "entity", class: "ResponseBuilder", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "ok", class: "Response", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "eval", class: "ScriptEngine", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
-  { method: "compile", class: "Pattern", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
   { method: "parseExpression", class: "ExpressionParser", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "parseExpression", class: "SpelExpressionParser", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "getValue", class: "Expression", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
@@ -11239,7 +11234,6 @@ var DEFAULT_SINKS = [
   { method: "log", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [1] },
   { method: "exception", class: "logging", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0] },
   { method: "command", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "inheritIO", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [] },
   { method: "step", class: "StepExecution", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "invokeMethod", class: "Script", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0, 1] },
   { method: "evaluate", class: "Script", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -12053,6 +12047,61 @@ function isSafeGoExecCommandCall(call, pattern, language) {
     return false;
   return true;
 }
+function isSafeRustCommandCall(call, pattern, language) {
+  if (language !== "rust")
+    return false;
+  if (pattern.type !== "command_injection")
+    return false;
+  if (pattern.class !== undefined && pattern.class !== "Command")
+    return false;
+  const SHELL_PROGRAMS = new Set([
+    "sh",
+    "bash",
+    "zsh",
+    "dash",
+    "ash",
+    "ksh",
+    "cmd",
+    "cmd.exe",
+    "powershell",
+    "pwsh",
+    "powershell.exe",
+    "pwsh.exe"
+  ]);
+  const PROGRAM_RE = /\bCommand\s*::\s*new\s*\(\s*(?:r?"([^"]*)"|'([^']*)')/;
+  const extractProgram = (text) => {
+    const m = PROGRAM_RE.exec(text);
+    if (!m)
+      return null;
+    const lit = m[1] ?? m[2] ?? "";
+    return lit.split("/").pop() ?? lit;
+  };
+  if (pattern.method === "new") {
+    const programArg = call.arguments.find((a) => a.position === 0);
+    if (!programArg)
+      return false;
+    let program;
+    if (programArg.literal !== null && programArg.literal !== undefined) {
+      program = String(programArg.literal).split("/").pop() ?? String(programArg.literal);
+    } else {
+      const expr = (programArg.expression ?? "").trim();
+      if (!(expr.startsWith('"') || expr.startsWith("'"))) {
+        return false;
+      }
+      const stripped = expr.slice(1, -1);
+      program = stripped.split("/").pop() ?? stripped;
+    }
+    return !SHELL_PROGRAMS.has(program);
+  }
+  if (pattern.method === "arg" || pattern.method === "args" || pattern.method === "spawn" || pattern.method === "output") {
+    const receiverText = call.receiver ?? "";
+    const program = extractProgram(receiverText);
+    if (program === null)
+      return false;
+    return !SHELL_PROGRAMS.has(program);
+  }
+  return false;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -12077,6 +12126,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isSafeGoExecCommandCall(call, pattern, language)) {
           continue;
         }
+        if (isSafeRustCommandCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== undefined && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }
@@ -21313,6 +21365,14 @@ class LanguageSourcesPass {
       additionalSanitizers.push(...findGoMapAllowlistGuardSanitizers(code));
       additionalSanitizers.push(...findGoHtmlTemplateImportSanitizers(code));
     }
+    if (language === "python") {
+      additionalSanitizers.push(...findPythonNetlocAllowlistGuardSanitizers(code));
+      additionalSanitizers.push(...findPythonRangeCheckGuardSanitizers(code));
+    }
+    if (language === "rust") {
+      additionalSanitizers.push(...findRustSetAllowlistGuardSanitizers(code));
+      additionalSanitizers.push(...findRustCanonicalizeGuardSanitizers(code));
+    }
     attachSourceLineCode(additionalSources, additionalSinks, code);
     return { additionalSources, additionalSinks, additionalSanitizers, pyTaintedVars, pySanitizedVars, jsTaintedVars };
   }
@@ -22427,6 +22487,210 @@ function findGoHtmlTemplateImportSanitizers(code) {
   }
   return sanitizers;
 }
+function findPythonNetlocAllowlistGuardSanitizers(code) {
+  const sanitizers = [];
+  const lines = code.split(`
+`);
+  const guardOpen = /^(\s*)if\s+.+?\s+not\s+in\s+([A-Za-z_][A-Za-z0-9_]*)\s*:\s*$/;
+  const allowlistName = /^(?:[A-Z][A-Z0-9_]+|.*?(allowed|accepted|whitelist|permitted|valid|approved).*)$/i;
+  const terminator = /\b(return|raise|abort\s*\(|sys\.exit\s*\()/;
+  for (let i2 = 0;i2 < lines.length; i2++) {
+    const m = guardOpen.exec(lines[i2]);
+    if (!m)
+      continue;
+    const guardIndent = m[1].length;
+    const allowName = m[2];
+    if (!allowlistName.test(allowName))
+      continue;
+    let bodyHasTerminator = false;
+    let blockEnd = -1;
+    const maxScan = Math.min(lines.length, i2 + 26);
+    for (let j = i2 + 1;j < maxScan; j++) {
+      const line = lines[j];
+      if (line.trim() === "")
+        continue;
+      const indent = line.length - line.trimStart().length;
+      if (indent <= guardIndent) {
+        blockEnd = j - 1;
+        break;
+      }
+      if (terminator.test(line))
+        bodyHasTerminator = true;
+    }
+    if (blockEnd === -1)
+      blockEnd = Math.min(lines.length - 1, i2 + 25);
+    if (!bodyHasTerminator)
+      continue;
+    for (let l = blockEnd + 2;l <= lines.length; l++) {
+      sanitizers.push({
+        type: "python_netloc_allowlist_guard",
+        method: "if",
+        line: l,
+        sanitizes: [
+          "open_redirect",
+          "ssrf",
+          "path_traversal",
+          "external_taint_escape"
+        ]
+      });
+    }
+  }
+  return sanitizers;
+}
+function findPythonRangeCheckGuardSanitizers(code) {
+  const sanitizers = [];
+  const lines = code.split(`
+`);
+  const rangeGuard = /^(\s*)if\s+([A-Za-z_][A-Za-z0-9_]*)\s*[<>]=?\s*(?:\d+|-?\d+\.?\d*|[A-Z][A-Z0-9_]+)\s*(?:(?:or|and)\s+\2\s*[<>]=?\s*(?:\d+|-?\d+\.?\d*|[A-Z][A-Z0-9_]+)\s*)?:\s*$/;
+  const terminator = /\b(return|raise|abort\s*\(|sys\.exit\s*\()/;
+  for (let i2 = 0;i2 < lines.length; i2++) {
+    const m = rangeGuard.exec(lines[i2]);
+    if (!m)
+      continue;
+    const guardIndent = m[1].length;
+    let bodyHasTerminator = false;
+    let blockEnd = -1;
+    const maxScan = Math.min(lines.length, i2 + 26);
+    for (let j = i2 + 1;j < maxScan; j++) {
+      const line = lines[j];
+      if (line.trim() === "")
+        continue;
+      const indent = line.length - line.trimStart().length;
+      if (indent <= guardIndent) {
+        blockEnd = j - 1;
+        break;
+      }
+      if (terminator.test(line))
+        bodyHasTerminator = true;
+    }
+    if (blockEnd === -1)
+      blockEnd = Math.min(lines.length - 1, i2 + 25);
+    if (!bodyHasTerminator)
+      continue;
+    for (let l = blockEnd + 2;l <= lines.length; l++) {
+      sanitizers.push({
+        type: "python_range_check_guard",
+        method: "if",
+        line: l,
+        sanitizes: ["xss", "external_taint_escape"]
+      });
+    }
+  }
+  return sanitizers;
+}
+function findRustSetAllowlistGuardSanitizers(code) {
+  const sanitizers = [];
+  const lines = code.split(`
+`);
+  const guardOpen = /^\s*if\s+!\s*([A-Za-z_][A-Za-z0-9_]*)\s*\.\s*(?:contains|contains_key)\s*\(/;
+  const allowlistName = /^(?:[A-Z][A-Z0-9_]+|.*?(allowed|accepted|whitelist|permitted|valid|approved).*)$/i;
+  const terminator = /\b(return|Err\s*\(|panic!\s*\(|HttpResponse::(?:Forbidden|BadRequest|Unauthorized))/;
+  for (let i2 = 0;i2 < lines.length; i2++) {
+    const m = guardOpen.exec(lines[i2]);
+    if (!m)
+      continue;
+    const setName = m[1];
+    if (!allowlistName.test(setName))
+      continue;
+    let depth = 0;
+    for (const ch of lines[i2]) {
+      if (ch === "{")
+        depth++;
+      else if (ch === "}")
+        depth--;
+    }
+    if (depth <= 0)
+      continue;
+    let closeLine = -1;
+    let bodyHasTerminator = false;
+    const maxScan = Math.min(lines.length, i2 + 26);
+    for (let j = i2 + 1;j < maxScan; j++) {
+      const line = lines[j];
+      if (terminator.test(line))
+        bodyHasTerminator = true;
+      for (const ch of line) {
+        if (ch === "{")
+          depth++;
+        else if (ch === "}")
+          depth--;
+      }
+      if (depth === 0) {
+        closeLine = j;
+        break;
+      }
+    }
+    if (closeLine === -1 || !bodyHasTerminator)
+      continue;
+    for (let l = closeLine + 2;l <= lines.length; l++) {
+      sanitizers.push({
+        type: "rust_set_allowlist_guard",
+        method: "if",
+        line: l,
+        sanitizes: [
+          "ssrf",
+          "open_redirect",
+          "command_injection",
+          "external_taint_escape"
+        ]
+      });
+    }
+  }
+  return sanitizers;
+}
+function findRustCanonicalizeGuardSanitizers(code) {
+  const sanitizers = [];
+  const lines = code.split(`
+`);
+  const guardOpen = /^\s*if\s+!\s*[A-Za-z_][\w?.()&]*\.starts_with\s*\(/;
+  const terminator = /\b(return|Err\s*\(|panic!\s*\(|HttpResponse::(?:Forbidden|BadRequest|Unauthorized|NotFound))/;
+  for (let i2 = 0;i2 < lines.length; i2++) {
+    if (!guardOpen.test(lines[i2]))
+      continue;
+    let depth = 0;
+    for (const ch of lines[i2]) {
+      if (ch === "{")
+        depth++;
+      else if (ch === "}")
+        depth--;
+    }
+    if (depth <= 0)
+      continue;
+    let closeLine = -1;
+    let bodyHasTerminator = false;
+    const maxScan = Math.min(lines.length, i2 + 26);
+    for (let j = i2 + 1;j < maxScan; j++) {
+      const line = lines[j];
+      if (terminator.test(line))
+        bodyHasTerminator = true;
+      for (const ch of line) {
+        if (ch === "{")
+          depth++;
+        else if (ch === "}")
+          depth--;
+      }
+      if (depth === 0) {
+        closeLine = j;
+        break;
+      }
+    }
+    if (closeLine === -1 || !bodyHasTerminator)
+      continue;
+    for (let l = closeLine + 2;l <= lines.length; l++) {
+      sanitizers.push({
+        type: "rust_canonicalize_guard",
+        method: "if",
+        line: l,
+        sanitizes: [
+          "path_traversal",
+          "xss",
+          "ssrf",
+          "external_taint_escape"
+        ]
+      });
+    }
+  }
+  return sanitizers;
+}
 
 // ../circle-ir/dist/analysis/passes/sink-filter-pass.js
 var JS_XSS_SANITIZERS = [
@@ -33592,7 +33856,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.82.0";
+var version = "3.84.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.82.0",
+  "version": "3.84.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.82.0"
+    "circle-ir": "^3.84.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",