Phase 1 (#33)

* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2026-06-24 20:28:06 +02:00 · 2026-02-25 21:16:36 -05:00 · 2026-02-25 21:16:36 -05:00 · 1bbe4b1cfb
commit 1bbe4b1cfb
parent 19b578c5c4
456 changed files with 25628 additions and 1228 deletions
--- a/tests/fixtures/real_world/python/taint/cmdi_subprocess.expect.json
+++ b/tests/fixtures/real_world/python/taint/cmdi_subprocess.expect.json
@ -0,0 +1,25 @@
+{
+  "description": "Flask handler passes user input directly to subprocess.run with shell=True",
+  "tags": [
+    "taint",
+    "cmdi",
+    "flask",
+    "subprocess"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        6,
+        12
+      ],
+      "evidence_contains": [],
+      "notes": "request.args.get('cmd') flows directly into subprocess.run with shell=True"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/python/taint/cmdi_subprocess.py
+++ b/tests/fixtures/real_world/python/taint/cmdi_subprocess.py
@ -0,0 +1,19 @@
+from flask import Flask, request
+import subprocess
+
+app = Flask(__name__)
+
+@app.route('/run')
+def run_cmd():
+    cmd = request.args.get('cmd')
+    result = subprocess.run(cmd, shell=True, capture_output=True)
+    return result.stdout.decode()
+
+@app.route('/run-safe')
+def run_cmd_safe():
+    cmd = request.args.get('cmd')
+    allowed = ['ls', 'date', 'whoami']
+    if cmd not in allowed:
+        return 'Not allowed', 403
+    result = subprocess.run([cmd], capture_output=True)
+    return result.stdout.decode()
--- a/tests/fixtures/real_world/python/taint/eval_input.expect.json
+++ b/tests/fixtures/real_world/python/taint/eval_input.expect.json
@ -0,0 +1,36 @@
+{
+  "description": "eval() called with user-controlled input from Flask request",
+  "tags": [
+    "taint",
+    "code-exec",
+    "eval",
+    "flask"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "py.code_exec.eval",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        6,
+        10
+      ],
+      "evidence_contains": [],
+      "notes": "eval() is an AST-level dangerous function pattern"
+    },
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        5,
+        11
+      ],
+      "evidence_contains": [],
+      "notes": "request.args.get('expr') flows directly into eval()"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/python/taint/eval_input.py
+++ b/tests/fixtures/real_world/python/taint/eval_input.py
@ -0,0 +1,9 @@
+from flask import Flask, request
+
+app = Flask(__name__)
+
+@app.route('/calc')
+def calculate():
+    expr = request.args.get('expr')
+    result = eval(expr)
+    return str(result)
--- a/tests/fixtures/real_world/python/taint/path_traversal.expect.json
+++ b/tests/fixtures/real_world/python/taint/path_traversal.expect.json
@ -0,0 +1,25 @@
+{
+  "description": "Path traversal via user-controlled filename passed to send_file",
+  "tags": [
+    "taint",
+    "path-traversal",
+    "flask",
+    "file-io"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        6,
+        12
+      ],
+      "evidence_contains": [],
+      "notes": "request.args.get('file') flows into os.path.join then send_file without validation"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/python/taint/path_traversal.py
+++ b/tests/fixtures/real_world/python/taint/path_traversal.py
@ -0,0 +1,19 @@
+from flask import Flask, request, send_file
+import os
+
+app = Flask(__name__)
+
+@app.route('/download')
+def download():
+    filename = request.args.get('file')
+    filepath = os.path.join('/uploads', filename)
+    return send_file(filepath)
+
+@app.route('/download-safe')
+def download_safe():
+    filename = request.args.get('file')
+    filepath = os.path.join('/uploads', filename)
+    realpath = os.path.realpath(filepath)
+    if not realpath.startswith('/uploads'):
+        return 'Forbidden', 403
+    return send_file(realpath)
--- a/tests/fixtures/real_world/python/taint/pickle_deser.expect.json
+++ b/tests/fixtures/real_world/python/taint/pickle_deser.expect.json
@ -0,0 +1,37 @@
+{
+  "description": "Pickle deserialization of user-supplied base64 data",
+  "tags": [
+    "taint",
+    "deser",
+    "pickle",
+    "flask"
+  ],
+  "modes": [
+    "full",
+    "ast"
+  ],
+  "expected": [
+    {
+      "rule_id": "py.deser.pickle_loads",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        9,
+        13
+      ],
+      "evidence_contains": [],
+      "notes": "pickle.loads on user-controlled data enables arbitrary code execution"
+    },
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        7,
+        14
+      ],
+      "evidence_contains": [],
+      "notes": "User data flows through base64 decode into pickle.loads - aspirational taint finding"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/python/taint/pickle_deser.py
+++ b/tests/fixtures/real_world/python/taint/pickle_deser.py
@ -0,0 +1,12 @@
+from flask import Flask, request
+import pickle
+import base64
+
+app = Flask(__name__)
+
+@app.route('/load', methods=['POST'])
+def load_object():
+    data = request.get_data()
+    decoded = base64.b64decode(data)
+    obj = pickle.loads(decoded)
+    return str(obj)
--- a/tests/fixtures/real_world/python/taint/sqli_concat.expect.json
+++ b/tests/fixtures/real_world/python/taint/sqli_concat.expect.json
@ -0,0 +1,36 @@
+{
+  "description": "SQL injection via string concatenation with user input in cursor.execute",
+  "tags": [
+    "taint",
+    "sqli",
+    "flask",
+    "sqlite"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        6,
+        14
+      ],
+      "evidence_contains": [],
+      "notes": "request.args.get('id') concatenated directly into SQL query string"
+    },
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        14,
+        22
+      ],
+      "evidence_contains": [],
+      "notes": "Safe version uses parameterized query - should not trigger"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/python/taint/sqli_concat.py
+++ b/tests/fixtures/real_world/python/taint/sqli_concat.py
@ -0,0 +1,20 @@
+from flask import Flask, request
+import sqlite3
+
+app = Flask(__name__)
+
+@app.route('/user')
+def get_user():
+    user_id = request.args.get('id')
+    conn = sqlite3.connect('app.db')
+    cursor = conn.cursor()
+    cursor.execute("SELECT * FROM users WHERE id = " + user_id)
+    return str(cursor.fetchall())
+
+@app.route('/user-safe')
+def get_user_safe():
+    user_id = request.args.get('id')
+    conn = sqlite3.connect('app.db')
+    cursor = conn.cursor()
+    cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
+    return str(cursor.fetchall())
--- a/tests/fixtures/real_world/python/taint/yaml_deser.expect.json
+++ b/tests/fixtures/real_world/python/taint/yaml_deser.expect.json
@ -0,0 +1,37 @@
+{
+  "description": "Unsafe YAML deserialization with yaml.load vs safe yaml.safe_load",
+  "tags": [
+    "taint",
+    "deser",
+    "yaml",
+    "flask"
+  ],
+  "modes": [
+    "full",
+    "ast"
+  ],
+  "expected": [
+    {
+      "rule_id": "py.deser.yaml_load",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        7,
+        11
+      ],
+      "evidence_contains": [],
+      "notes": "yaml.load with FullLoader is unsafe with user-controlled data"
+    },
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        6,
+        12
+      ],
+      "evidence_contains": [],
+      "notes": "User data flows into yaml.load - aspirational taint finding"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/python/taint/yaml_deser.py
+++ b/tests/fixtures/real_world/python/taint/yaml_deser.py
@ -0,0 +1,16 @@
+from flask import Flask, request
+import yaml
+
+app = Flask(__name__)
+
+@app.route('/parse', methods=['POST'])
+def parse_config():
+    data = request.get_data()
+    config = yaml.load(data, Loader=yaml.FullLoader)
+    return str(config)
+
+@app.route('/parse-safe', methods=['POST'])
+def parse_config_safe():
+    data = request.get_data()
+    config = yaml.safe_load(data)
+    return str(config)