codepathfinder 1.2.0__py3-none-manylinux_2_17_aarch64.whl

codepathfinder/propagation.py

@@ -0,0 +1,250 @@
+"""
+Taint propagation primitives for dataflow analysis.
+
+These primitives define HOW taint propagates through code constructs.
+Developers specify which primitives to enable via propagates_through parameter.
+"""
+
+from typing import Dict, Any, List, Optional
+from enum import Enum
+
+
+class PropagationType(Enum):
+    """
+    Enum of all propagation primitive types.
+
+    Phase 1 (MVP - This PR):
+        ASSIGNMENT, FUNCTION_ARGS, FUNCTION_RETURNS
+
+    Phase 2 (MVP - Future PR):
+        STRING_CONCAT, STRING_FORMAT
+
+    Phase 3-6 (Post-MVP):
+        Collections, control flow, OOP, advanced
+    """
+
+    # ===== PHASE 1: BARE MINIMUM (MVP) =====
+    ASSIGNMENT = "assignment"
+    FUNCTION_ARGS = "function_args"
+    FUNCTION_RETURNS = "function_returns"
+
+    # ===== PHASE 2: STRING OPERATIONS (MVP - Future PR) =====
+    STRING_CONCAT = "string_concat"
+    STRING_FORMAT = "string_format"
+
+    # ===== PHASE 3: COLLECTIONS (POST-MVP) =====
+    LIST_APPEND = "list_append"
+    LIST_EXTEND = "list_extend"
+    DICT_VALUES = "dict_values"
+    DICT_UPDATE = "dict_update"
+    SET_ADD = "set_add"
+
+    # ===== PHASE 4: CONTROL FLOW (POST-MVP) =====
+    IF_CONDITION = "if_condition"
+    FOR_ITERATION = "for_iteration"
+    WHILE_CONDITION = "while_condition"
+    SWITCH_CASE = "switch_case"
+
+    # ===== PHASE 5: OOP (POST-MVP) =====
+    ATTRIBUTE_ASSIGNMENT = "attribute_assignment"
+    METHOD_CALL = "method_call"
+    CONSTRUCTOR = "constructor"
+
+    # ===== PHASE 6: ADVANCED (POST-MVP) =====
+    COMPREHENSION = "comprehension"
+    LAMBDA_CAPTURE = "lambda_capture"
+    YIELD_STMT = "yield_stmt"
+
+
+class PropagationPrimitive:
+    """
+    Base class for propagation primitives.
+
+    Each primitive describes ONE way taint can flow through code.
+    """
+
+    def __init__(
+        self, prim_type: PropagationType, metadata: Optional[Dict[str, Any]] = None
+    ):
+        """
+        Args:
+            prim_type: The type of propagation
+            metadata: Optional additional configuration
+        """
+        self.type = prim_type
+        self.metadata = metadata or {}
+
+    def to_ir(self) -> Dict[str, Any]:
+        """
+        Serialize to JSON IR.
+
+        Returns:
+            {
+                "type": "assignment",
+                "metadata": {}
+            }
+        """
+        return {
+            "type": self.type.value,
+            "metadata": self.metadata,
+        }
+
+    def __repr__(self) -> str:
+        return f"propagates.{self.type.value}()"
+
+
+class propagates:
+    """
+    Namespace for taint propagation primitives.
+
+    Usage:
+        propagates.assignment()
+        propagates.function_args()
+        propagates.function_returns()
+    """
+
+    # ===== PHASE 1: BARE MINIMUM (MVP - THIS PR) =====
+
+    @staticmethod
+    def assignment() -> PropagationPrimitive:
+        """
+        Taint propagates through variable assignment.
+
+        Patterns matched:
+            x = tainted           # Simple assignment
+            a = b = tainted       # Chained assignment
+            x, y = tainted, safe  # Tuple unpacking (x is tainted)
+
+        This is the MOST COMMON propagation pattern (~40% of all flows).
+
+        Examples:
+            user_input = request.GET.get("id")  # source
+            query = user_input                  # PROPAGATES via assignment
+            cursor.execute(query)               # sink
+
+        Returns:
+            PropagationPrimitive for assignment
+        """
+        return PropagationPrimitive(PropagationType.ASSIGNMENT)
+
+    @staticmethod
+    def function_args() -> PropagationPrimitive:
+        """
+        Taint propagates through function arguments.
+
+        Patterns matched:
+            func(tainted)              # Positional argument
+            func(arg=tainted)          # Keyword argument
+            func(*tainted)             # Args unpacking
+            func(**tainted)            # Kwargs unpacking
+
+        Critical for inter-procedural analysis (~30% of flows).
+
+        Examples:
+            user_input = request.GET.get("id")  # source
+            process_data(user_input)            # PROPAGATES via function_args
+            def process_data(data):
+                execute(data)                   # sink (data is tainted)
+
+        Returns:
+            PropagationPrimitive for function arguments
+        """
+        return PropagationPrimitive(PropagationType.FUNCTION_ARGS)
+
+    @staticmethod
+    def function_returns() -> PropagationPrimitive:
+        """
+        Taint propagates through return values.
+
+        Patterns matched:
+            return tainted                # Direct return
+            return tainted if cond else safe  # Conditional return
+            return [tainted, safe]        # Return list containing tainted
+
+        Essential for functions that transform tainted data (~20% of flows).
+
+        Examples:
+            def get_user_id():
+                user_input = request.GET.get("id")  # source
+                return user_input                   # PROPAGATES via return
+
+            query = get_user_id()           # query is now tainted
+            execute(query)                  # sink
+
+        Returns:
+            PropagationPrimitive for function returns
+        """
+        return PropagationPrimitive(PropagationType.FUNCTION_RETURNS)
+
+    # ===== PHASE 2: STRING OPERATIONS (MVP - THIS PR) =====
+
+    @staticmethod
+    def string_concat() -> PropagationPrimitive:
+        """
+        Taint propagates through string concatenation.
+
+        Patterns matched:
+            result = tainted + "suffix"      # Right concat
+            result = "prefix" + tainted      # Left concat
+            result = tainted + safe + more   # Mixed concat
+
+        Critical for SQL/Command injection where queries are built via concat (~10% of flows).
+
+        Examples:
+            user_id = request.GET.get("id")           # source
+            query = "SELECT * FROM users WHERE id = " + user_id  # PROPAGATES via string_concat
+            cursor.execute(query)                     # sink
+
+        Returns:
+            PropagationPrimitive for string concatenation
+        """
+        return PropagationPrimitive(PropagationType.STRING_CONCAT)
+
+    @staticmethod
+    def string_format() -> PropagationPrimitive:
+        """
+        Taint propagates through string formatting.
+
+        Patterns matched:
+            f"{tainted}"                    # f-string
+            "{}".format(tainted)            # str.format()
+            "%s" % tainted                  # % formatting
+            "{name}".format(name=tainted)   # Named placeholders
+
+        Critical for SQL injection where ORM methods use format() (~8% of flows).
+
+        Examples:
+            user_id = request.GET.get("id")           # source
+            query = f"SELECT * FROM users WHERE id = {user_id}"  # PROPAGATES via string_format
+            cursor.execute(query)                     # sink
+
+        Returns:
+            PropagationPrimitive for string formatting
+        """
+        return PropagationPrimitive(PropagationType.STRING_FORMAT)
+
+    # ===== PHASE 3-6: POST-MVP =====
+    # Will be implemented in post-MVP PRs
+
+
+def create_propagation_list(
+    primitives: List[PropagationPrimitive],
+) -> List[Dict[str, Any]]:
+    """
+    Convert a list of propagation primitives to JSON IR.
+
+    Args:
+        primitives: List of PropagationPrimitive objects
+
+    Returns:
+        List of JSON IR dictionaries
+
+    Example:
+        >>> prims = [propagates.assignment(), propagates.function_args()]
+        >>> create_propagation_list(prims)
+        [
+            {"type": "assignment", "metadata": {}},
+            {"type": "function_args", "metadata": {}}
+        ]
+    """
+    return [prim.to_ir() for prim in primitives]

codepathfinder-1.2.0.dist-info/METADATA

@@ -0,0 +1,111 @@
+Metadata-Version: 2.4
+Name: codepathfinder
+Version: 1.2.0
+Summary: Python SDK for code-pathfinder static analysis for modern security teams
+Home-page: https://github.com/shivasurya/code-pathfinder
+Author: code-pathfinder contributors
+License: AGPL-3.0
+Project-URL: Homepage, https://codepathfinder.dev
+Project-URL: Repository, https://github.com/shivasurya/code-pathfinder
+Project-URL: Documentation, https://codepathfinder.dev
+Keywords: sast,security,static-analysis,codeql-alternative
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: GNU Affero General Public License v3
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Testing
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0.0; extra == "dev"
+Requires-Dist: pytest-cov>=4.0.0; extra == "dev"
+Requires-Dist: black>=23.0.0; extra == "dev"
+Requires-Dist: mypy>=1.0.0; extra == "dev"
+Requires-Dist: ruff>=0.1.0; extra == "dev"
+Dynamic: home-page
+Dynamic: license-file
+Dynamic: requires-python
+
+# Code-Pathfinder Python DSL
+
+Python DSL for defining security patterns in Code Pathfinder - an open-source security suite combining structural code analysis with AI-powered vulnerability detection.
+
+**Project Goals:**
+- Real-time IDE integration bringing security insights directly into your editor
+- AI-assisted analysis leveraging LLMs to understand context and identify vulnerabilities
+- Unified workflow coverage from local development to CI/CD pipelines
+- Flexible reporting supporting DefectDojo, GitHub Advanced Security, SARIF, and other platforms
+
+**Documentation**: https://codepathfinder.dev/
+
+## Installation
+
+```bash
+pip install codepathfinder
+```
+
+This installs **both** the Python DSL and the `pathfinder` CLI binary for your platform.
+
+### Verify Installation
+
+```bash
+# Test CLI binary
+pathfinder --version
+
+# Test Python DSL
+python -c "from codepathfinder import rule, calls; print('DSL OK')"
+```
+
+### Supported Platforms
+
+- Linux (glibc): x86_64, aarch64
+- macOS: arm64 (Apple Silicon), x86_64 (Intel)
+- Windows: x86_64
+
+Source distributions are available for other platforms - the binary will be downloaded automatically on first use.
+
+## Quick Example
+
+```python
+from codepathfinder import rule, flows, calls
+from codepathfinder.presets import PropagationPresets
+
+@rule(id="sql-injection", severity="critical", cwe="CWE-89")
+def detect_sql_injection():
+    """Detects SQL injection vulnerabilities"""
+    return flows(
+        from_sources=calls("request.GET", "request.POST"),
+        to_sinks=calls("execute", "executemany"),
+        sanitized_by=calls("quote_sql"),
+        propagates_through=PropagationPresets.standard(),
+        scope="global"
+    )
+```
+
+## Features
+
+- **Matchers**: `calls()`, `variable()` for pattern matching
+- **Dataflow Analysis**: `flows()` for source-to-sink taint tracking
+- **Propagation**: Explicit propagation primitives (assignment, function args, returns)
+- **Logic Operators**: `And()`, `Or()`, `Not()` for complex rules
+- **JSON IR**: Serializes to JSON for Go executor integration
+
+## Documentation
+
+For detailed documentation, visit https://codepathfinder.dev/
+
+## Requirements
+
+- Python 3.8+
+- No external dependencies (stdlib only!)
+
+## License
+
+AGPL-3.0 - GNU Affero General Public License v3

codepathfinder-1.2.0.dist-info/RECORD

@@ -0,0 +1,33 @@
+codepathfinder/__init__.py,sha256=bezgVTNZB2NM-v5NBjrM2g8S1DKPDg9YQqHtqcd58i8,1194
+codepathfinder/config.py,sha256=jx1Q5QnX2zJKKhai6ISwFIWh7h9M4o06bgZpyieGx98,2473
+codepathfinder/dataflow.py,sha256=H2X3uCc4Srl5WzmjmAeICJggUFSZnNhn1WbrWP7g8Cc,6815
+codepathfinder/decorators.py,sha256=KK-peMcpWdS9uxqjxYCO2xaALjZEDOJ2iVv6w1PzobU,4336
+codepathfinder/ir.py,sha256=K0YfGSFZyysDRd8B-o9gnyou5R3EbwApPsK3qSjmDSE,2837
+codepathfinder/logic.py,sha256=cA76-mhE_A7WmWQtZtufZWxMKSrI4Bt7avJRWi20ud4,2418
+codepathfinder/matchers.py,sha256=mCWG_FWw_CizCsKsnV9IOMaWDdrdETb_bbEeS7uF-LA,7978
+codepathfinder/presets.py,sha256=_EU2WNtMY5PfY1iRcoZuiLkzKRddvtdn6H8tSy1dzGw,3914
+codepathfinder/propagation.py,sha256=yz1ODauUD0hnzDjPWfTIdQojWcvkYbwrnvou4C9Fy6U,7695
+codepathfinder/bin/pathfinder,sha256=J9XWeFdgxbQfOlGb2_kTYyq9FXk_myW5ObwIoyC4qeo,9317592
+codepathfinder/cli/__init__.py,sha256=ymnNkbFV4_HTbQR3nznrMxYWygFdptbtIpowWfQUOwk,6001
+codepathfinder-1.2.0.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
+rules/__init__.py,sha256=5f-EuZwvtJDUHXeZgMgbF8knpDgvKcCQRiLhXS1kehE,893
+rules/container_combinators.py,sha256=nTW5ofz74_07b9_u3RnxYf5NW6ksqYhiAQNkH8-xJHs,6108
+rules/container_decorators.py,sha256=UG_QwzbTNPnhyOEcYPQV1oj3cCDIrETooBT4tGbYbXk,5937
+rules/container_ir.py,sha256=vq6i7OLLBSRZIVod7hcnQRu8dlB4WATI4fUz4ngKzrY,2609
+rules/container_matchers.py,sha256=YcJQEdU8Pd7clTqjilykxqjajk-cineKli4uD3gsGQ0,7563
+rules/container_programmatic.py,sha256=J5E65PC9DTZCgjBKYZzuXUXNECU0xSa8CBOqui6mlBE,3582
+rules/python_decorators.py,sha256=s8mE1i5BEpdhaWo6EiRMUO1or-7aCC21zvhX6ai5cRo,4792
+rules/python_ir.py,sha256=Rb_kcB6mhZz5l6089snpqQ00dRFFLanFSJVohl7iacc,2091
+rules/python/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+rules/python/deserialization/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+rules/python/deserialization/pickle_loads.py,sha256=wGJkzbIZmf7Ph4MG9isbasU_a8nj6WCUulAaVmCgxCs,12621
+rules/python/django/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+rules/python/django/sql_injection.py,sha256=eTWF2QbeJVcWxYenB9D0henvkd58-YY-U2qJ0bX_SPc,10868
+rules/python/flask/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+rules/python/flask/debug_mode.py,sha256=iJhFbIRt1IgDscV4f6rMiKmLur3mbSpZwHPI4pOsrvw,9913
+rules/python/injection/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+codepathfinder-1.2.0.dist-info/METADATA,sha256=kHz2QnrpksZ-3NUnpytQrOjW34jIZbovlTq63IiyZx0,3689
+codepathfinder-1.2.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+codepathfinder-1.2.0.dist-info/entry_points.txt,sha256=WOhPEAAVEokrKiLCyYAfnLeJaZdDmSj-sf55yGjXdQo,55
+codepathfinder-1.2.0.dist-info/top_level.txt,sha256=bh9z1--S2iWytMW5LQcsHYCynEMN0_7pdFCWEeeNqAU,21
+codepathfinder-1.2.0.dist-info/RECORD,,

codepathfinder-1.2.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.9.0)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

codepathfinder-1.2.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+pathfinder = codepathfinder.cli:main