apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-21 20:18:06 +02:00
Code Issues Projects Releases Packages Wiki Activity

Release/0.5.0 (#35)

Browse source 
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures

* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests

* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements

* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles

* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing

* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling

* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures

* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration

* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests

* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic

* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection

* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements

* feat: Enable auth-state analysis by default and update relevant tests in benchmark config

* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test

* docs: update CHANGELOG.md

* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers

* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers

* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse

* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation

* feat: Refactor function parameters and constants for improved clarity and maintainability

* refactor: Reorder module imports and improve formatting for consistency

* refactor: Fix formatting erorrs

* refactor: Fix clippy warnings

* refactor: Fix fmt warnings (again)

* chore: Update dependencies and improve feature configuration

* Add comprehensive tests for undertested modules (#36) (COPILOT)

* Add comprehensive tests for undertested modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

* Add comprehensive tests for ext, project, walk, and errors modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: Update dependencies and improve feature configuration

* fix: formatting errors in new tests

* chore: Update license list in about.toml

* chore: made functions input inline

* chore: updated cfg graph to take up the full page

* chore: add Prettier configuration and update code formatting

* Add frontend test suite with Vitest (111 tests) (#37)

* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7

* ci: add frontend test step to CI workflow

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: simplify array initialization in test files for consistency

* ran typecheck

* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage

* feat: update routing in AppLayout and improve empty state message in ExplorerPage

* feat: enhance scan progress tracking with additional metrics and stages

* feat: update license information and add license check script

* feat: implement cross-file symbolic execution with callee body persistence

* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering

* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions

* feat: enhance resource tracking with proxy method summaries and improve finding extraction

* feat: add terminal function exit detection for accurate resource leak analysis

* feat: add warnings for loops and functions without bodies to improve error recovery

* feat: update lambda expression handling to ensure proper function classification and control flow

* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling

* feat: add inline return taint analysis and regression tests for improved security checks

* feat: add engine version management and migration handling for database schema updates

* feat: enhance first_call_ident to skip nested function bodies and add regression tests

* feat: enhance callee name resolution with two-segment normalization and disambiguation

* feat: add cross-file context flags and debug assertions for taint analysis

* feat: refactor taint analysis structure to unify context handling and improve clarity

* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests

* docs: updated CHANGELOG.md

* fmt: formatting fixes

* fix: fixed frontend formatting and lint warnings

* fix: optimized ci

* fix: optimized ci

* Add comprehensive multi-file test coverage to Nyx (#38)

* Initial checklist for multi-file test suite expansion

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* deleted root repo

* rebuilt to test for regressions

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* feat: enhance import alias resolution and taint tracking

* feat: implement security hardening with CSRF protection and path validation

* feat: add support for import alias bindings in Python, PHP, and Rust

* feat: enhance CFG analysis modes and improve code readability

* feat: add detection for parameterized SQL queries to enhance security

* feat: add safe internal redirect handling and enhance session destroy validation

* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads

* feat: enhance taint detection by adding support for inline source member expressions in call arguments

* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments

* feat: add support for Throw statement in control flow and error handling

* feat: add debug and echo endpoints with potential information leakage

* feat: implement internal redirect suppression and enhance taint detection

* feat: implement module alias tracking for dynamic dispatch in JS/TS

* feat: add authorization analysis module with Express support

* feat: add authorization analysis module with Express support

* feat: add tests for admin guard requirements and clean checks in authorization analysis

* feat: integrate Koa and Fastify frameworks into authorization analysis

* feat: add Flask and Django support to authorization analysis module

* feat: add support for Rails and Sinatra frameworks in authorization analysis

* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis

* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis

* feat: add support for Rails and Sinatra in authorization analysis

* chore: add .DS_Store to .gitignore

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: update usage of Option methods for improved clarity and consistency

* refactor: improve code readability by simplifying conditional checks and formatting

* refactor: improve code formatting and readability by simplifying conditional checks

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: simplify conditional checks in axum.rs for improved readability

* feat: add CodeQL analysis configuration for enhanced security scanning

* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)

* chore: start test coverage improvement work

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* test: add comprehensive tests for src/output.rs SARIF builder

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* refactor: improve code formatting and readability in output.rs

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* refactor: improve code formatting and readability in output.rs

* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* refactor: enhance triage file path handling with improved error management and validation

* refactor: updated func summaries for richer detail

* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries

* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution

* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls

* refactor: implement new Flask routes for safe and unsafe shell command execution

* refactor: separate receiver handling in SSA operations and enhance taint propagation

* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments

* refactor: implement auth decorator extraction and classification for multiple languages

* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation

* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic

* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior

* refactor: standardize default struct initialization across multiple files

* feat: add scripts for formatting checks and auto-fixes with test summaries

* refactor: simplify character splitting and enhance namespace qualifier handling

* refactor: improve documentation clarity and enhance code readability in resolver logic

* refactor: replace default struct initialization with explicit field assignments for clarity

* feat: enhance anonymous function naming by deriving context-based bindings

* refactor: streamline match expressions for improved readability and performance

* refactor: streamline match expressions for improved readability and performance

* refactor: replace loop with while let for improved clarity and performance

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis

* feat: add static map analysis for command injection suppression and type safety

* refactor: simplify match statements and reduce line breaks for improved readability

* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution

Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.

Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.

Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.

Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.

Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding

Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet.  SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.

Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.

Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`.  `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters.  Dedup key extended with the primary location
so multi-site events aren't collapsed back together.

Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
  != ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
  non-empty `file_rel` — the cap-only → None translation upstream
  guarantees this.

Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved.  A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.

build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.

Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing).  All 1566 lib
tests + integration tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(output): phase 3/5 consume primary sink location in diag + SARIF

When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.

Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
  resolved back to an absolute path via a shared resolve_file_rel
  helper. Empty file_rel (single-file scans where namespace == "")
  resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
  SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
  file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
  locations[0] already reflects the primary sink position via the
  updated diag line/col.

Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.

Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
  the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
  inside the closure).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(bench): phase 4/5 validate primary sink attribution across corpus

Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.

Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
  Case. When present, score_location_level additionally requires at
  least one flow_step in the finding's evidence trace to fall within
  ±2 of the call-site range. When absent, the check is skipped —
  fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
  now-primary Diag.line post-phase-3).

Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
  transform::wrap call site (a cross-file propagator, not a sink);
  line 9 is Command::new, the real sink. The ±2 tolerance happened to
  mask this stale attribution but it was semantically wrong — phase 4
  is the right time to correct it. Also adds expected_call_site_lines
  [8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
  This fixture's sink (Command::new inside run_cmd at line 5) was the
  motivating case for phases 1-3; adding the call-site assertion
  guards against regression to caller-line attribution.

New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
  takes two tainted params and invokes two Command sinks on
  consecutive lines. Locks in that primary line lands inside the
  helper (lines 5-6), not at the caller (line 12). Notes document
  that SinkSite is currently one-per-callee so both findings today
  collapse onto the first sink; expected_sink_lines=[5,6] and
  expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
  004): sink os.system lives in helper.py (cross-file), caller in
  app.py reads env source and calls run_cmd. Verifies phase 3's
  cross-file primary attribution: Diag.path = helper.py, Diag.line =
  5, with app.py:7 recorded in flow_steps as a Call step.

Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
  pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
  TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
  F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
  264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test

Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body.  Asserts the
resulting Finding.primary_location is exactly that triple.

The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file.  This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.

Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).

Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor: clean up formatting and improve readability in multiple files

* refactor: simplify type definition for deduplication key in findings

* test(harness): add must_not_match expectation for FP regression guards

Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules

* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking

* feat: update switch statement handling to improve control flow analysis

* feat: implement promisify alias handling for JS/TS to enhance taint tracking

* feat: enhance taint tracking by refining expectation handling and adding mode filtering

* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters

* feat: update taint tracking rules to enforce full mode matching and improve flow analysis

* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis

* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding

* feat: refine framework detection and update expectation handling for Echo and Sinatra

* feat: implement max_count for taint tracking expectations and deduplicate findings

* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files

* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity

* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files

* feat: add structural invariant checks for SSA bodies

* feat: ensure deterministic phi emission order using BTreeSet

* feat: enhance handling of terminators to ensure authoritative flow through successor edges

* feat: enhance Goto terminator handling to ensure all successors are marked executable

* feat: refactor code for improved readability and organization

* feat: simplify predicate checks and enhance readability in SSA handling

* feat: implement per-file parse timeout and enhance file size handling

* feat: migrate analysis engine toggles from environment variables to configuration file

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: update dependencies and enhance documentation on language maturity

* feat: enhance security headers and improve request body limits

* feat: implement sink capability bits for deduplication and enhance evidence tagging

* feat: implement dynamic activation handling for gated sinks and enhance validation logic

* feat: enhance configuration documentation and clarify inline analysis cache behavior

* feat: implement panic recovery during analysis to continue scans past errors

* feat: add expectations configuration for taint analysis and performance metrics

* feat: enhance error handling and logging during file reading and mutex locking

* feat: add cross-file body loading tests and plumbing for CF-1 phase

* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures

* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality

* feat: enhance classification span handling in CFG and AST for improved source attribution

* feat: add new Express routes for handling user input and telemetry data

* feat: implement ternary expression handling in CFG with diamond structure for JS/TS

* feat: implement Phase CF-3 abstract-domain transfer channels in summaries

* feat: add support for string-prefix transfer in cross-file calls and update tests

* docs: reduce RESULTS.md doc size

* feat: implement Phase CF-4 per-return-path summary decomposition with tests

* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization

* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests

* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests

* refactor: update comments and documentation for clarity and consistency

* style: format code for consistency and readability

* refactor: simplify verdict handling and improve edge checking logic

* refactor: optimize path and identifier collection by avoiding unnecessary cloning

* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults

* refactor: update documentation and improve clarity in configuration files

* refactor: update documentation and improve clarity in configuration files

* feat: add JS/TS pass-2 convergence tests and expectations configuration

* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic

* feat: implement Phase 7 deduplication and alternative path linking for taint findings

* feat: implement structural DFS index for anonymous functions and update naming conventions

* feat: add Phase 8 regression tests for container-element taint in JS and Python

* feat: add engine-depth profiles and explain-engine option for CLI

* feat: update expectations and add new README fixtures for multi-file scan regression

* feat: implement Phase 11 callback-alias and factory patterns with regression tests

* feat: implement Terminator::Switch for multi-way dispatch and add regression tests

* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants

* refactor: extract cfg and ssa_transfer to submodules

* refactor: cargo fmt

* refactor: remove unnecessary blank line in cfg_tests.rs

* refactor: remove unnecessary planning file

* chore: update Rust version to 1.88 and bump dependencies in Cargo files

* feat: enhance triage UI with new layout and controls, update README for clarity

* feat: enhance triage UI with new layout and controls, update README for clarity

* chore: remove outdated section from README for version 0.5.0

* docs: improve clarity and consistency in README content

* chore: add "GPL-3.0-or-later" to license options in about.toml

* chore: update license handling in about.toml and check-licenses.mjs

* style: format code for improved readability in TriagePage component

* style: format code for improved readability in TriagePage component

* chore: enhance license handling and improve body_id scoping in seed lookup

* feat: introduce owner and parent body IDs for enhanced seed scoping

* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating

* feat: add Undef SSA operation for improved control-flow handling

* style: improve code formatting for consistency and readability in multiple files

* feat: add 16-function chain SCC across multiple files for enhanced analysis

* style: simplify code formatting for improved readability in multiple files

* fix: update CapHitReason default implementation and improve README clarity

* docs: enhance README with detailed explanations of taint analysis and limitations

* docs: refine README for clarity and consistency in taint analysis section

* style: improve code formatting for better readability in NewScanModal and scans

* fix: update cargo-about command to use --offline for deterministic license generation

* fix: update cargo-about command to use --offline for deterministic license generation

* ci: add step to prime cargo registry cache for deterministic license generation

* feat: add support for non-sink collections in authorization analysis

* feat: enhance authorization checks with row-level ownership equality and binding tracking

* feat: implement self-scoped user handling and enhance ownership checks

* refactor: simplify assertions and formatting in authorization analysis tests

* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure

* docs: update AI disclosure section for clarity and conciseness

* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure

* feat: enhance authorization analysis with SSA-derived variable type classification

* feat: implement auth_finding_to_diag function for enhanced security diagnostics

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag

* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks

* feat: enhance error message handling in cli_validation_tests for better Windows compatibility

* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration

* feat: enhance release build process with SBOM generation and SLSA provenance

* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: update benchmark data and enhance path sanitization logic with new safety checks

* feat: document AI assistance in frontend UI development and human review process

* feat: add return path facts for enhanced path safety checks and update documentation

* chore: update release date for version 0.5.0 in CHANGELOG.md

* chore: clean up ci.yml by removing outdated comments and clarifying steps

* feat: implement cross-language path sanitizers and validators for enhanced security

* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks

* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases

* refactor: simplify conditional formatting and improve code readability in executor and lower modules

* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests

* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Eli Peter 2026-04-25 17:59:11 -04:00 committed by GitHub
parent c4ce08b452
commit 41128177d2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2144 changed files with 201812 additions and 8927 deletions
Download patch file Download diff file Expand all files Collapse all files

1464
src/constraint/domain.rs Normal file
View file

File diff suppressed because it is too large Load diff

686
src/constraint/lower.rs Normal file
View file

@ -0,0 +1,686 @@
//! Condition lowering: CFG/SSA branch conditions → structured [`ConditionExpr`].
//!
//! This is the **only** module where `condition_text` is parsed. Everything
//! downstream operates on structured types with [`SsaValue`] keys.
//!
//! ## Lowering hierarchy (structured first, text fallback)
//!
//! 1. **Structural:** `condition_negated` (AST-level boolean)
//! 2. **Structural:** `condition_vars` (AST-extracted identifiers)
//! 3. **Structural:** compound decomposition (already handled by
//! `build_condition_chain` — each leaf is a separate Block/Branch)
//! 4. **Structural:** `value_defs` — resolve var names to [`SsaValue`]s
//! 5. **Structural:** `const_values` — augment with known constants
//! 6. **Text fallback:** `condition_text` — parse comparison operator and
//! literal operand. Necessary because individual comparisons are NOT
//! decomposed into separate SSA operations (condition nodes → `Nop`).
#![allow(clippy::collapsible_if)]
use crate::cfg::NodeInfo;
use crate::ssa::const_prop::ConstLattice;
use crate::ssa::ir::{BlockId, SsaBody, SsaValue};
use serde::{Deserialize, Serialize};
use smallvec::SmallVec;
use std::collections::HashMap;
use super::domain::ConstValue;
// ── Operand ─────────────────────────────────────────────────────────────
/// An operand in a condition expression.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum Operand {
/// A resolved SSA value.
Value(SsaValue),
/// A constant literal extracted from the condition.
Const(ConstValue),
/// Could not resolve.
Unknown,
}
// ── CompOp ──────────────────────────────────────────────────────────────
/// Comparison operator.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
pub enum CompOp {
Eq,
Neq,
Lt,
Gt,
Le,
Ge,
}
impl CompOp {
/// Flip the operator (swap operands): `a < b` becomes `b > a`.
pub fn flip(self) -> Self {
match self {
Self::Lt => Self::Gt,
Self::Gt => Self::Lt,
Self::Le => Self::Ge,
Self::Ge => Self::Le,
other => other, // Eq, Neq are symmetric
}
}
/// Negate the operator: `<` becomes `>=`.
pub fn negate(self) -> Self {
match self {
Self::Eq => Self::Neq,
Self::Neq => Self::Eq,
Self::Lt => Self::Ge,
Self::Ge => Self::Lt,
Self::Gt => Self::Le,
Self::Le => Self::Gt,
}
}
}
// ── ConditionExpr ───────────────────────────────────────────────────────
/// Structured condition expression with SSA-resolved operands.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum ConditionExpr {
/// `lhs op rhs` — e.g., `x > 5`, `x == y`.
Comparison {
lhs: Operand,
op: CompOp,
rhs: Operand,
},
/// Null check: `x == null` / `x != null`.
NullCheck { var: SsaValue, is_null: bool },
/// Type check: `typeof x === "string"`.
TypeCheck {
var: SsaValue,
type_name: String,
positive: bool,
},
/// Boolean truthiness test: `if (x)`.
BoolTest { var: SsaValue },
/// Could not parse or resolve — conservatively no refinement.
Unknown,
}
impl ConditionExpr {
/// Structurally negate a condition expression.
pub fn negate(&self) -> Self {
match self {
Self::Comparison { lhs, op, rhs } => Self::Comparison {
lhs: lhs.clone(),
op: op.negate(),
rhs: rhs.clone(),
},
Self::NullCheck { var, is_null } => Self::NullCheck {
var: *var,
is_null: !is_null,
},
Self::TypeCheck {
var,
type_name,
positive,
} => Self::TypeCheck {
var: *var,
type_name: type_name.clone(),
positive: !positive,
},
// BoolTest negation: handled by the solver using polarity
Self::BoolTest { .. } | Self::Unknown => self.clone(),
}
}
}
// ── Condition lowering ──────────────────────────────────────────────────
/// Lower a branch condition from CFG metadata to a structured
/// [`ConditionExpr`] with SSA-resolved operands.
///
/// Uses structured metadata first (condition_negated, condition_vars,
/// value_defs, const_values), falling back to condition_text parsing
/// for comparison operators and literals.
pub fn lower_condition(
cond_info: &NodeInfo,
ssa: &SsaBody,
branch_block: BlockId,
const_values: Option<&HashMap<SsaValue, ConstLattice>>,
) -> ConditionExpr {
let text = match cond_info.condition_text.as_deref() {
Some(t) if !t.is_empty() => t,
_ => return ConditionExpr::Unknown,
};
if cond_info.condition_vars.is_empty() {
return ConditionExpr::Unknown;
}
// Step 1: Resolve condition variable names to SsaValues
let resolved = resolve_condition_vars(&cond_info.condition_vars, ssa, branch_block);
// Step 2: Build a name→SsaValue lookup
let var_lookup: HashMap<&str, SsaValue> = resolved
.iter()
.map(|(name, val)| (name.as_str(), *val))
.collect();
// Step 3: Check if any resolved values have known constants
let const_lookup: HashMap<SsaValue, ConstValue> = if let Some(cv) = const_values {
resolved
.iter()
.filter_map(|(_, v)| {
cv.get(v)
.and_then(ConstValue::from_const_lattice)
.map(|c| (*v, c))
})
.collect()
} else {
HashMap::new()
};
// Step 4: Try structured patterns, then text fallback
let lower = text.to_ascii_lowercase();
let expr = try_lower_null_check(text, &lower, &var_lookup)
.or_else(|| try_lower_type_check(text, &lower, &var_lookup))
.or_else(|| try_lower_comparison(text, &var_lookup, &const_lookup))
.unwrap_or_else(|| {
// Fallback: if exactly one condition_var, treat as BoolTest
if resolved.len() == 1 {
ConditionExpr::BoolTest { var: resolved[0].1 }
} else {
ConditionExpr::Unknown
}
});
// Apply structural negation from condition_negated
if cond_info.condition_negated {
expr.negate()
} else {
expr
}
}
/// Lower a branch condition using var_stacks from SSA construction.
///
/// Called during SSA lowering when the full [`SsaBody`] is not yet available.
/// Resolves variables via `var_stacks[name].last()` (the current reaching
/// definition) instead of scanning `value_defs`. Does not use `const_values`
/// (unavailable at lowering time); constants are seeded into [`PathEnv`]
/// separately via `seed_from_optimization`.
pub fn lower_condition_with_stacks(
cond_info: &NodeInfo,
var_stacks: &HashMap<String, Vec<SsaValue>>,
) -> ConditionExpr {
let text = match cond_info.condition_text.as_deref() {
Some(t) if !t.is_empty() => t,
_ => return ConditionExpr::Unknown,
};
if cond_info.condition_vars.is_empty() {
return ConditionExpr::Unknown;
}
// Resolve via var_stacks: each var's current reaching definition
let resolved: Vec<(String, SsaValue)> = cond_info
.condition_vars
.iter()
.filter_map(|name| {
var_stacks
.get(name)
.and_then(|stack| stack.last().copied())
.map(|v| (name.clone(), v))
})
.collect();
if resolved.is_empty() {
return ConditionExpr::Unknown;
}
let var_lookup: HashMap<&str, SsaValue> = resolved
.iter()
.map(|(name, val)| (name.as_str(), *val))
.collect();
// No const_values at lowering time — empty lookup
let const_lookup: HashMap<SsaValue, super::domain::ConstValue> = HashMap::new();
let lower = text.to_ascii_lowercase();
let expr = try_lower_null_check(text, &lower, &var_lookup)
.or_else(|| try_lower_type_check(text, &lower, &var_lookup))
.or_else(|| try_lower_comparison(text, &var_lookup, &const_lookup))
.unwrap_or_else(|| {
if resolved.len() == 1 {
ConditionExpr::BoolTest { var: resolved[0].1 }
} else {
ConditionExpr::Unknown
}
});
if cond_info.condition_negated {
expr.negate()
} else {
expr
}
}
// ── Variable resolution ─────────────────────────────────────────────────
/// Resolve condition variable names to their reaching SSA definitions.
///
/// Uses `ssa.value_defs` (SSA structural metadata) to find definitions,
/// not instruction body scanning. For each variable name:
///
/// 1. Find all definitions with that name via `value_defs`.
/// 2. Prefer the definition in the current block (reaching def at block end).
/// 3. If no def in current block, take the highest-indexed def whose
/// block precedes the current block (approximate dominator walk).
pub fn resolve_condition_vars(
vars: &[String],
ssa: &SsaBody,
block: BlockId,
) -> SmallVec<[(String, SsaValue); 4]> {
let mut result = SmallVec::new();
for var_name in vars {
if let Some(val) = resolve_single_var(var_name, ssa, block) {
result.push((var_name.clone(), val));
}
}
result
}
fn resolve_single_var(var_name: &str, ssa: &SsaBody, block: BlockId) -> Option<SsaValue> {
let mut best_in_block: Option<SsaValue> = None;
let mut best_outside: Option<SsaValue> = None;
for (idx, vd) in ssa.value_defs.iter().enumerate() {
if vd.var_name.as_deref() != Some(var_name) {
continue;
}
let v = SsaValue(idx as u32);
if vd.block == block {
// Prefer highest index in current block (last definition)
best_in_block = Some(match best_in_block {
Some(existing) if existing.0 > v.0 => existing,
_ => v,
});
} else {
// Outside current block: take highest index (approximate)
best_outside = Some(match best_outside {
Some(existing) if existing.0 > v.0 => existing,
_ => v,
});
}
}
best_in_block.or(best_outside)
}
// ── Null check lowering ─────────────────────────────────────────────────
fn try_lower_null_check(
text: &str,
lower: &str,
var_lookup: &HashMap<&str, SsaValue>,
) -> Option<ConditionExpr> {
// Patterns: "x == null", "x === null", "x != null", "x !== null"
// "x is None", "x is not None", "x == nil", "x != nil"
let is_null;
let var_name;
// Python "is None" / "is not None"
if lower.contains(" is not none") {
is_null = false;
var_name = extract_before(text, " is not ");
} else if lower.contains(" is none") {
is_null = true;
var_name = extract_before(text, " is ");
}
// JS/TS/Java null checks
else if let Some((lhs, rhs, negated)) = try_split_equality(text) {
let lhs_t = lhs.trim();
let rhs_t = rhs.trim();
let lhs_lower = lhs_t.to_ascii_lowercase();
let rhs_lower = rhs_t.to_ascii_lowercase();
let (null_side, var_side) =
if lhs_lower == "null" || lhs_lower == "nil" || lhs_lower == "none" {
(true, rhs_t)
} else if rhs_lower == "null" || rhs_lower == "nil" || rhs_lower == "none" {
(true, lhs_t)
} else {
return None; // Not a null check
};
if !null_side {
return None;
}
var_name = Some(var_side);
is_null = !negated;
} else {
return None;
}
let var_name = var_name?;
let var_name_trimmed = var_name.trim();
let ssa_val = var_lookup.get(var_name_trimmed)?;
Some(ConditionExpr::NullCheck {
var: *ssa_val,
is_null,
})
}
// ── Type check lowering ─────────────────────────────────────────────────
fn try_lower_type_check(
text: &str,
lower: &str,
var_lookup: &HashMap<&str, SsaValue>,
) -> Option<ConditionExpr> {
// Pattern: "typeof x === 'string'"
if lower.starts_with("typeof ") {
let rest = &text[7..]; // skip "typeof "
let (lhs, rhs, negated) = try_split_equality(rest)?;
let var_part = lhs.trim();
let type_part = rhs.trim();
// Strip quotes from type
let type_name = strip_quotes(type_part)?;
let ssa_val = var_lookup.get(var_part)?;
return Some(ConditionExpr::TypeCheck {
var: *ssa_val,
type_name: type_name.to_string(),
positive: !negated,
});
}
// Pattern: "isinstance(x, int)" (Python)
if lower.starts_with("isinstance(") && lower.ends_with(')') {
let inner = &text[11..text.len() - 1]; // strip isinstance( ... )
let comma = inner.find(',')?;
let var_part = inner[..comma].trim();
let type_part = inner[comma + 1..].trim();
let ssa_val = var_lookup.get(var_part)?;
return Some(ConditionExpr::TypeCheck {
var: *ssa_val,
type_name: type_part.to_string(),
positive: true,
});
}
// Pattern: PHP "is_numeric(x)", "is_string(x)", etc.
if lower.starts_with("is_") && lower.ends_with(')') {
if let Some(paren) = text.find('(') {
let type_part = &text[3..paren]; // "numeric", "string", etc.
let var_part = text[paren + 1..text.len() - 1].trim();
let ssa_val = var_lookup.get(var_part)?;
return Some(ConditionExpr::TypeCheck {
var: *ssa_val,
type_name: type_part.to_string(),
positive: true,
});
}
}
// Pattern: "x instanceof String" (Java/TypeScript)
if let Some(pos) = lower.find(" instanceof ") {
let var_part = text[..pos].trim();
let type_part = text[pos + " instanceof ".len()..].trim();
if let Some(ssa_val) = var_lookup.get(var_part) {
return Some(ConditionExpr::TypeCheck {
var: *ssa_val,
type_name: type_part.to_string(),
positive: true,
});
}
}
// Pattern: "x.is_a?(Integer)" / "x.kind_of?(Integer)" (Ruby)
for method in &[".is_a?(", ".kind_of?("] {
if let Some(dot_pos) = lower.find(method) {
let var_part = text[..dot_pos].trim();
let after = dot_pos + method.len();
if let Some(close) = text[after..].find(')') {
let type_part = text[after..after + close].trim();
if let Some(ssa_val) = var_lookup.get(var_part) {
return Some(ConditionExpr::TypeCheck {
var: *ssa_val,
type_name: type_part.to_string(),
positive: true,
});
}
}
}
}
None
}
// ── Comparison lowering ─────────────────────────────────────────────────
fn try_lower_comparison(
text: &str,
var_lookup: &HashMap<&str, SsaValue>,
const_lookup: &HashMap<SsaValue, ConstValue>,
) -> Option<ConditionExpr> {
// Find comparison operator (longest first to avoid prefix conflicts)
let operators = ["===", "!==", "==", "!=", ">=", "<=", ">", "<"];
let mut found_op = None;
let mut found_pos = 0;
let mut found_len = 0;
for op_str in &operators {
if let Some(pos) = text.find(op_str) {
// Avoid matching inside strings
if found_op.is_none() || op_str.len() > found_len {
found_op = Some(*op_str);
found_pos = pos;
found_len = op_str.len();
}
}
}
let op_str = found_op?;
let lhs = text[..found_pos].trim();
let rhs = text[found_pos + found_len..].trim();
let op = match op_str {
"===" | "==" => CompOp::Eq,
"!==" | "!=" => CompOp::Neq,
"<" => CompOp::Lt,
">" => CompOp::Gt,
"<=" => CompOp::Le,
">=" => CompOp::Ge,
_ => return None,
};
// Resolve operands
let lhs_op = resolve_operand(lhs, var_lookup, const_lookup);
let rhs_op = resolve_operand(rhs, var_lookup, const_lookup);
// Need at least one Value operand
// If both unknown, nothing useful
if matches!(&lhs_op, Operand::Unknown) && matches!(&rhs_op, Operand::Unknown) {
return None;
}
Some(ConditionExpr::Comparison {
lhs: lhs_op,
op,
rhs: rhs_op,
})
}
fn resolve_operand(
text: &str,
var_lookup: &HashMap<&str, SsaValue>,
const_lookup: &HashMap<SsaValue, ConstValue>,
) -> Operand {
// Try as variable first
if let Some(&ssa_val) = var_lookup.get(text) {
// Check if we know its constant value (structured knowledge)
if let Some(cv) = const_lookup.get(&ssa_val) {
return Operand::Const(cv.clone());
}
return Operand::Value(ssa_val);
}
// Try as literal
if let Some(cv) = ConstValue::parse_literal(text) {
return Operand::Const(cv);
}
// Try stripping quotes (for string literals inside conditions)
if let Some(s) = strip_quotes(text) {
return Operand::Const(ConstValue::Str(s.to_string()));
}
Operand::Unknown
}
// ── Text parsing helpers ────────────────────────────────────────────────
/// Try to split on an equality/inequality operator.
/// Returns (lhs, rhs, is_negated).
fn try_split_equality(text: &str) -> Option<(&str, &str, bool)> {
// Try longest operators first
for (op, negated) in &[("!==", true), ("===", false), ("!=", true), ("==", false)] {
if let Some(pos) = text.find(op) {
return Some((&text[..pos], &text[pos + op.len()..], *negated));
}
}
None
}
/// Extract the text before a case-insensitive marker.
fn extract_before<'a>(text: &'a str, marker: &str) -> Option<&'a str> {
let lower = text.to_ascii_lowercase();
let marker_lower = marker.to_ascii_lowercase();
lower.find(&marker_lower).map(|pos| &text[..pos])
}
/// Strip surrounding quotes from a string.
fn strip_quotes(text: &str) -> Option<&str> {
let t = text.trim();
if t.len() >= 2 {
if (t.starts_with('"') && t.ends_with('"'))
|| (t.starts_with('\'') && t.ends_with('\''))
|| (t.starts_with('`') && t.ends_with('`'))
{
return Some(&t[1..t.len() - 1]);
}
}
None
}
#[cfg(test)]
mod tests {
use super::*;
use crate::cfg::{NodeInfo, StmtKind};
use crate::ssa::ir::{BlockId, SsaBlock, SsaBody, SsaValue, Terminator, ValueDef};
use petgraph::graph::NodeIndex;
use smallvec::SmallVec;
/// Helper: build a minimal SsaBody with value_defs for the given variable
/// names, all assigned to block 0.
fn make_ssa_body(var_names: &[&str]) -> SsaBody {
let value_defs: Vec<ValueDef> = var_names
.iter()
.enumerate()
.map(|(i, name)| ValueDef {
var_name: Some(name.to_string()),
cfg_node: NodeIndex::new(i),
block: BlockId(0),
})
.collect();
SsaBody {
blocks: vec![SsaBlock {
id: BlockId(0),
phis: vec![],
body: vec![],
terminator: Terminator::Return(None),
preds: SmallVec::new(),
succs: SmallVec::new(),
}],
entry: BlockId(0),
value_defs,
cfg_node_map: std::collections::HashMap::new(),
exception_edges: vec![],
}
}
/// Helper: build a minimal NodeInfo for a condition.
fn make_cond_info(text: &str, vars: &[&str]) -> NodeInfo {
NodeInfo {
kind: StmtKind::If,
condition_text: Some(text.to_string()),
condition_vars: vars.iter().map(|v| v.to_string()).collect(),
..Default::default()
}
}
// ── instanceof pattern ───────────────────────────────────────────────
#[test]
fn lower_instanceof_string() {
let ssa = make_ssa_body(&["x"]);
let info = make_cond_info("x instanceof String", &["x"]);
let expr = lower_condition(&info, &ssa, BlockId(0), None);
match expr {
ConditionExpr::TypeCheck {
var,
type_name,
positive,
} => {
assert_eq!(var, SsaValue(0));
assert_eq!(type_name, "String");
assert!(positive);
}
other => panic!("expected TypeCheck, got {:?}", other),
}
}
// ── .is_a? pattern (Ruby) ────────────────────────────────────────────
#[test]
fn lower_is_a_integer() {
let ssa = make_ssa_body(&["user_id"]);
let info = make_cond_info("user_id.is_a?(Integer)", &["user_id"]);
let expr = lower_condition(&info, &ssa, BlockId(0), None);
match expr {
ConditionExpr::TypeCheck {
var,
type_name,
positive,
} => {
assert_eq!(var, SsaValue(0));
assert_eq!(type_name, "Integer");
assert!(positive);
}
other => panic!("expected TypeCheck, got {:?}", other),
}
}
// ── .kind_of? pattern (Ruby) ─────────────────────────────────────────
#[test]
fn lower_kind_of_float() {
let ssa = make_ssa_body(&["x"]);
let info = make_cond_info("x.kind_of?(Float)", &["x"]);
let expr = lower_condition(&info, &ssa, BlockId(0), None);
match expr {
ConditionExpr::TypeCheck {
var,
type_name,
positive,
} => {
assert_eq!(var, SsaValue(0));
assert_eq!(type_name, "Float");
assert!(positive);
}
other => panic!("expected TypeCheck, got {:?}", other),
}
}
}

59
src/constraint/mod.rs Normal file
View file

@ -0,0 +1,59 @@
//! Path constraint solving for infeasible path pruning.
//!
//! This module implements a per-value abstract domain ([`ValueFact`]) with
//! canonical lattice operations (meet/join/widen), SSA-aware condition
//! lowering, and incremental unsatisfiability detection via a [`PathEnv`]
//! constraint environment.
//!
//! ## Architecture
//!
//! - [`domain`]: Abstract domain types (ValueFact, PathEnv, UnionFind)
//! - [`lower`]: Condition lowering from CFG/SSA to structured ConditionExpr
//! - [`solver`]: Constraint refinement and satisfiability checking
//!
//! ## Known limitations (V1)
//!
//! - **No full disjunctive reasoning.** OR-heavy true branches lose
//! constraints at join. Disjunctive PathState deferred to V2.
//! - **Comparison operators parsed from condition_text.** The CFG/SSA IR
//! does not decompose individual comparisons into structured operations;
//! condition_text parsing is the only way to extract operator and literal.
//! This is isolated in [`lower`].
//! - **Bounded transitive cycle detection.** Relational constraint cycle
//! detection walks at most 4 hops. Longer chains are missed (conservative).
//! - **No cast/conversion modeling.** `parseInt`, `int()`, `parseFloat`
//! etc. yield Top for the result's ValueFact.
//! - **BoolTest is conservative.** Does not infer NonNull from truthiness
//! unless value is known boolean-typed.
//! - **Variable resolution approximation.** Reaching definitions resolved
//! via value_defs scan; may be imprecise in complex CFG shapes without
//! full dominator tree walk.
//! - **No language-specific truthiness model.** All languages share the
//! same conservative BoolTest behavior.
//! - **Floats not modeled in ConstValue.** Float literals fall through
//! to Unknown.
pub mod domain;
pub mod lower;
pub mod solver;
#[cfg(test)]
mod tests;
pub use domain::{
BoolState, ConstValue, MAX_DISEQUALITY_EDGES, MAX_EQUALITY_EDGES, MAX_PATH_ENV_ENTRIES,
MAX_REFINE_PER_BLOCK, MAX_RELATIONAL, Nullability, PathEnv, RelOp, TypeSet, ValueFact,
WIDEN_THRESHOLD,
};
pub use lower::{CompOp, ConditionExpr, Operand, lower_condition};
pub use solver::{is_satisfiable, refine_env};
/// Feature gate: check if constraint solving is enabled.
///
/// Controlled by `analysis.engine.constraint_solving` in `nyx.conf` (default
/// `true`) or the `--constraint-solving / --no-constraint-solving` CLI flag.
/// The legacy `NYX_CONSTRAINT` env var is consulted only when no runtime has
/// been installed (library use / legacy tests).
pub fn is_enabled() -> bool {
crate::utils::analysis_options::current().constraint_solving
}

422
src/constraint/solver.rs Normal file
View file

@ -0,0 +1,422 @@
//! Constraint solver: apply conditions to [`PathEnv`] and check satisfiability.
//!
//! The solver operates on structured [`ConditionExpr`] values — never on raw
//! text. Negation is always structural (via [`ConditionExpr::negate`] /
//! [`CompOp::negate`]), not via a generic "negate ValueFact" operation.
use crate::ssa::type_facts::TypeKind;
use super::domain::{BoolState, ConstValue, Nullability, PathEnv, RelOp, TypeSet, ValueFact};
use super::lower::{CompOp, ConditionExpr, Operand};
/// Apply a condition to a [`PathEnv`], producing the refined environment
/// for the branch where the condition has the given polarity.
///
/// `polarity = true`: condition holds (true branch).
/// `polarity = false`: condition does NOT hold (false branch) — negate
/// the condition structurally, then apply.
pub fn refine_env(env: &PathEnv, cond: &ConditionExpr, polarity: bool) -> PathEnv {
if env.is_unsat() {
return env.clone();
}
let effective = if polarity {
cond.clone()
} else {
cond.negate()
};
let mut result = env.clone();
apply_condition(&mut result, &effective);
result
}
/// Check if a [`PathEnv`] is satisfiable.
///
/// Unsatisfiability is detected incrementally during [`PathEnv::refine`],
/// so this is just a flag check.
pub fn is_satisfiable(env: &PathEnv) -> bool {
!env.is_unsat()
}
// ── Internal dispatch ───────────────────────────────────────────────────
fn apply_condition(env: &mut PathEnv, cond: &ConditionExpr) {
match cond {
ConditionExpr::NullCheck { var, is_null } => {
let mut fact = ValueFact::top();
if *is_null {
fact.null = Nullability::Null;
fact.types = TypeSet::singleton(&TypeKind::Null);
} else {
fact.null = Nullability::NonNull;
}
env.refine(*var, &fact);
}
ConditionExpr::TypeCheck {
var,
type_name,
positive,
} => {
if let Some(kind) = parse_type_name(type_name) {
let ts = TypeSet::singleton(&kind);
let mut fact = ValueFact::top();
if *positive {
fact.types = ts;
if kind != TypeKind::Null {
fact.null = Nullability::NonNull;
}
} else {
fact.types = ts.complement();
}
env.refine(*var, &fact);
}
// Unknown type name → no refinement (conservative)
}
ConditionExpr::BoolTest { var } => {
// Conservative: only refine NonNull for known boolean-typed values.
// Truthiness is language-specific (0, "", empty containers are
// falsy in some languages). Over-constraining would be unsound.
//
// We check the existing fact: if the value is already known
// boolean-typed, we can safely refine to True.
let existing = env.get(*var);
if existing.types == TypeSet::singleton(&TypeKind::Bool) {
let mut fact = ValueFact::top();
fact.bool_state = BoolState::True;
fact.null = Nullability::NonNull;
env.refine(*var, &fact);
}
// Otherwise: no refinement (conservative)
}
ConditionExpr::Comparison { lhs, op, rhs } => {
apply_comparison(env, lhs, *op, rhs);
}
ConditionExpr::Unknown => {
// No information — no refinement
}
}
}
fn apply_comparison(env: &mut PathEnv, lhs: &Operand, op: CompOp, rhs: &Operand) {
match (lhs, rhs) {
(Operand::Value(v), Operand::Const(c)) => {
apply_value_const(env, *v, op, c);
}
(Operand::Const(c), Operand::Value(v)) => {
// Flip: const op var → var (flipped_op) const
apply_value_const(env, *v, op.flip(), c);
}
(Operand::Value(a), Operand::Value(b)) => match op {
CompOp::Eq => env.assert_equal(*a, *b),
CompOp::Neq => env.assert_not_equal(*a, *b),
CompOp::Lt => env.assert_relational(*a, RelOp::Lt, *b),
CompOp::Gt => env.assert_relational(*b, RelOp::Lt, *a),
CompOp::Le => env.assert_relational(*a, RelOp::Le, *b),
CompOp::Ge => env.assert_relational(*b, RelOp::Le, *a),
},
// At least one Unknown operand: no refinement
_ => {}
}
}
/// Apply a value-vs-constant comparison to the environment.
fn apply_value_const(env: &mut PathEnv, v: crate::ssa::ir::SsaValue, op: CompOp, c: &ConstValue) {
let mut fact = ValueFact::top();
match op {
CompOp::Eq => {
fact.exact = Some(c.clone());
match c {
ConstValue::Int(i) => {
fact.lo = Some(*i);
fact.hi = Some(*i);
fact.types = TypeSet::singleton(&TypeKind::Int);
fact.null = Nullability::NonNull;
}
ConstValue::Null => {
fact.null = Nullability::Null;
fact.types = TypeSet::singleton(&TypeKind::Null);
}
ConstValue::Bool(b) => {
fact.bool_state = if *b {
BoolState::True
} else {
BoolState::False
};
fact.types = TypeSet::singleton(&TypeKind::Bool);
fact.null = Nullability::NonNull;
}
ConstValue::Str(_) => {
fact.types = TypeSet::singleton(&TypeKind::String);
fact.null = Nullability::NonNull;
}
}
}
CompOp::Neq => {
if c == &ConstValue::Null {
fact.null = Nullability::NonNull;
}
fact.excluded.push(c.clone());
}
CompOp::Lt => {
if let ConstValue::Int(i) = c {
fact.hi = Some(*i);
fact.hi_strict = true;
fact.null = Nullability::NonNull;
}
// Non-Int Lt: no refinement (V1)
}
CompOp::Le => {
if let ConstValue::Int(i) = c {
fact.hi = Some(*i);
fact.null = Nullability::NonNull;
}
}
CompOp::Gt => {
if let ConstValue::Int(i) = c {
fact.lo = Some(*i);
fact.lo_strict = true;
fact.null = Nullability::NonNull;
}
}
CompOp::Ge => {
if let ConstValue::Int(i) = c {
fact.lo = Some(*i);
fact.null = Nullability::NonNull;
}
}
}
env.refine(v, &fact);
}
/// Map typeof / type-name strings to [`TypeKind`].
///
/// Resolution order:
/// 1. Cross-language primitive aliases (case-insensitive)
/// 2. Java/Ruby/Go class and framework names (case-sensitive)
/// 3. Java type hierarchy fallback (case-sensitive, via [`TypeHierarchy`])
pub fn parse_type_name(name: &str) -> Option<TypeKind> {
use crate::ssa::type_facts::TypeHierarchy;
primitive_type_alias(name)
.or_else(|| class_name_to_type_kind(name))
.or_else(|| TypeHierarchy::resolve_kind(name))
}
/// Tier 1: Cross-language primitive type aliases (case-insensitive).
fn primitive_type_alias(name: &str) -> Option<TypeKind> {
match name.to_ascii_lowercase().as_str() {
"string" | "str" => Some(TypeKind::String),
"number" | "int" | "integer" | "i32" | "i64" | "u32" | "u64" | "float" | "double"
| "numeric" => Some(TypeKind::Int),
"boolean" | "bool" => Some(TypeKind::Bool),
"object" => Some(TypeKind::Object),
"array" | "list" => Some(TypeKind::Array),
"null" | "nil" | "none" | "undefined" => Some(TypeKind::Null),
_ => None,
}
}
/// Tier 2: Java/Ruby/Go class and framework type names (case-sensitive).
pub fn class_name_to_type_kind(name: &str) -> Option<TypeKind> {
match name {
"String" | "CharSequence" | "StringBuilder" | "StringBuffer" => Some(TypeKind::String),
"Integer" | "Long" | "Short" | "Byte" | "Number" | "BigInteger" | "BigDecimal"
| "Double" | "Float" => Some(TypeKind::Int),
"Boolean" => Some(TypeKind::Bool),
"List" | "ArrayList" | "Collection" | "Set" | "HashSet" => Some(TypeKind::Array),
"URL" | "URI" => Some(TypeKind::Url),
// Framework HTTP clients — also listed in JAVA_HIERARCHY (type_facts.rs)
// for subtype resolution. Both locations needed: this function is called
// directly by the constraint solver, while the hierarchy provides
// is_subtype_of() for instanceof checks.
"HttpClient" | "CloseableHttpClient" | "OkHttpClient" | "WebClient"
| "RestTemplate" => Some(TypeKind::HttpClient),
"HttpServletResponse" | "HttpResponse" | "ServletResponse"
// Spring HTTP response
| "ResponseEntity" => {
Some(TypeKind::HttpResponse)
}
"Connection" | "DataSource" | "MongoClient"
// JDBC statement types (execute SQL, same suppression semantics)
| "Statement" | "PreparedStatement" => Some(TypeKind::DatabaseConnection),
"File" | "Path"
// Java I/O supertypes (enables hierarchy fallback for subtypes)
| "InputStream" | "OutputStream" | "Reader" | "Writer" | "PrintWriter"
| "BufferedInputStream" | "BufferedOutputStream" => Some(TypeKind::FileHandle),
// Python qualified type names.
// Only covers raw lowered names from isinstance(). The lowering in lower.rs
// extracts the literal type text: isinstance(x, requests.Session) produces
// type_name = "requests.Session". Does NOT handle import aliasing
// (e.g., `from requests import Session as S` → "S" is not resolved).
"requests.Response" | "http.client.HTTPResponse" | "urllib3.response.HTTPResponse"
| "httpx.Response" | "aiohttp.ClientResponse" => Some(TypeKind::HttpResponse),
"requests.Session" | "urllib3.PoolManager" | "aiohttp.ClientSession"
| "httpx.Client" | "httpx.AsyncClient" => Some(TypeKind::HttpClient),
"sqlite3.Connection" | "psycopg2.connection" | "mysql.connector.connection"
| "pymongo.MongoClient" | "redis.Redis" => Some(TypeKind::DatabaseConnection),
"io.TextIOWrapper" | "io.BufferedReader" | "io.BufferedWriter" | "io.FileIO"
| "io.BytesIO" | "io.StringIO" => Some(TypeKind::FileHandle),
_ => None,
}
}
#[cfg(test)]
mod tests {
use super::*;
// ── parse_type_name tier 1 (primitive aliases) ───────────────────────
#[test]
fn parse_numeric_to_int() {
// PHP-style "numeric" → Int via tier 1 primitive alias
assert_eq!(parse_type_name("numeric"), Some(TypeKind::Int));
}
#[test]
fn parse_string_case_insensitive() {
// Tier 1 lowercase "string" matches "String" via case-insensitive
assert_eq!(parse_type_name("String"), Some(TypeKind::String));
}
// ── parse_type_name tier 2 (class names) ────────────────────────────
#[test]
fn parse_integer_class_name() {
// Java boxed class "Integer" → Int via tier 2
assert_eq!(parse_type_name("Integer"), Some(TypeKind::Int));
}
#[test]
fn parse_http_servlet_response() {
// Java framework class → HttpResponse via tier 2
assert_eq!(
parse_type_name("HttpServletResponse"),
Some(TypeKind::HttpResponse)
);
}
// ── parse_type_name tier 3 (hierarchy fallback) ─────────────────────
#[test]
fn parse_closeable_http_client_via_hierarchy() {
// CloseableHttpClient is in tier 2 class_name_to_type_kind directly
assert_eq!(
parse_type_name("CloseableHttpClient"),
Some(TypeKind::HttpClient)
);
}
#[test]
fn parse_file_input_stream_via_hierarchy() {
// FileInputStream: not in tier 1 or tier 2 directly.
// Tier 3 hierarchy: FileInputStream → supertypes ["InputStream"].
// "InputStream" IS in tier 2 → FileHandle.
assert_eq!(
parse_type_name("FileInputStream"),
Some(TypeKind::FileHandle)
);
}
// ── Java I/O and JDBC types ─────────────────────────────────────────
#[test]
fn parse_java_statement_to_db() {
assert_eq!(
parse_type_name("Statement"),
Some(TypeKind::DatabaseConnection)
);
assert_eq!(
parse_type_name("PreparedStatement"),
Some(TypeKind::DatabaseConnection)
);
}
#[test]
fn parse_java_io_stream_to_file_handle() {
assert_eq!(parse_type_name("InputStream"), Some(TypeKind::FileHandle));
assert_eq!(parse_type_name("OutputStream"), Some(TypeKind::FileHandle));
assert_eq!(parse_type_name("Reader"), Some(TypeKind::FileHandle));
assert_eq!(parse_type_name("Writer"), Some(TypeKind::FileHandle));
assert_eq!(parse_type_name("PrintWriter"), Some(TypeKind::FileHandle));
}
#[test]
fn parse_java_response_entity() {
assert_eq!(
parse_type_name("ResponseEntity"),
Some(TypeKind::HttpResponse)
);
}
// ── Python qualified type names ─────────────────────────────────────
#[test]
fn parse_python_qualified_http_client() {
assert_eq!(
parse_type_name("requests.Session"),
Some(TypeKind::HttpClient)
);
assert_eq!(
parse_type_name("aiohttp.ClientSession"),
Some(TypeKind::HttpClient)
);
assert_eq!(parse_type_name("httpx.Client"), Some(TypeKind::HttpClient));
assert_eq!(
parse_type_name("httpx.AsyncClient"),
Some(TypeKind::HttpClient)
);
assert_eq!(
parse_type_name("urllib3.PoolManager"),
Some(TypeKind::HttpClient)
);
}
#[test]
fn parse_python_qualified_db_connection() {
assert_eq!(
parse_type_name("sqlite3.Connection"),
Some(TypeKind::DatabaseConnection)
);
assert_eq!(
parse_type_name("psycopg2.connection"),
Some(TypeKind::DatabaseConnection)
);
assert_eq!(
parse_type_name("mysql.connector.connection"),
Some(TypeKind::DatabaseConnection)
);
}
#[test]
fn parse_python_qualified_http_response() {
assert_eq!(
parse_type_name("requests.Response"),
Some(TypeKind::HttpResponse)
);
assert_eq!(
parse_type_name("httpx.Response"),
Some(TypeKind::HttpResponse)
);
assert_eq!(
parse_type_name("aiohttp.ClientResponse"),
Some(TypeKind::HttpResponse)
);
}
#[test]
fn parse_python_qualified_file_handle() {
assert_eq!(
parse_type_name("io.TextIOWrapper"),
Some(TypeKind::FileHandle)
);
assert_eq!(parse_type_name("io.BytesIO"), Some(TypeKind::FileHandle));
assert_eq!(parse_type_name("io.StringIO"), Some(TypeKind::FileHandle));
}
}

1086
src/constraint/tests.rs Normal file
View file

File diff suppressed because it is too large Load diff