apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-27 20:29:39 +02:00
Code Issues Projects Releases Packages Wiki Activity

Release/0.5.0 (#35)

Browse source 
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures

* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests

* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements

* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles

* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing

* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling

* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures

* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration

* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests

* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic

* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection

* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements

* feat: Enable auth-state analysis by default and update relevant tests in benchmark config

* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test

* docs: update CHANGELOG.md

* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers

* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers

* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse

* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation

* feat: Refactor function parameters and constants for improved clarity and maintainability

* refactor: Reorder module imports and improve formatting for consistency

* refactor: Fix formatting erorrs

* refactor: Fix clippy warnings

* refactor: Fix fmt warnings (again)

* chore: Update dependencies and improve feature configuration

* Add comprehensive tests for undertested modules (#36) (COPILOT)

* Add comprehensive tests for undertested modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

* Add comprehensive tests for ext, project, walk, and errors modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: Update dependencies and improve feature configuration

* fix: formatting errors in new tests

* chore: Update license list in about.toml

* chore: made functions input inline

* chore: updated cfg graph to take up the full page

* chore: add Prettier configuration and update code formatting

* Add frontend test suite with Vitest (111 tests) (#37)

* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7

* ci: add frontend test step to CI workflow

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: simplify array initialization in test files for consistency

* ran typecheck

* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage

* feat: update routing in AppLayout and improve empty state message in ExplorerPage

* feat: enhance scan progress tracking with additional metrics and stages

* feat: update license information and add license check script

* feat: implement cross-file symbolic execution with callee body persistence

* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering

* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions

* feat: enhance resource tracking with proxy method summaries and improve finding extraction

* feat: add terminal function exit detection for accurate resource leak analysis

* feat: add warnings for loops and functions without bodies to improve error recovery

* feat: update lambda expression handling to ensure proper function classification and control flow

* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling

* feat: add inline return taint analysis and regression tests for improved security checks

* feat: add engine version management and migration handling for database schema updates

* feat: enhance first_call_ident to skip nested function bodies and add regression tests

* feat: enhance callee name resolution with two-segment normalization and disambiguation

* feat: add cross-file context flags and debug assertions for taint analysis

* feat: refactor taint analysis structure to unify context handling and improve clarity

* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests

* docs: updated CHANGELOG.md

* fmt: formatting fixes

* fix: fixed frontend formatting and lint warnings

* fix: optimized ci

* fix: optimized ci

* Add comprehensive multi-file test coverage to Nyx (#38)

* Initial checklist for multi-file test suite expansion

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* deleted root repo

* rebuilt to test for regressions

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* feat: enhance import alias resolution and taint tracking

* feat: implement security hardening with CSRF protection and path validation

* feat: add support for import alias bindings in Python, PHP, and Rust

* feat: enhance CFG analysis modes and improve code readability

* feat: add detection for parameterized SQL queries to enhance security

* feat: add safe internal redirect handling and enhance session destroy validation

* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads

* feat: enhance taint detection by adding support for inline source member expressions in call arguments

* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments

* feat: add support for Throw statement in control flow and error handling

* feat: add debug and echo endpoints with potential information leakage

* feat: implement internal redirect suppression and enhance taint detection

* feat: implement module alias tracking for dynamic dispatch in JS/TS

* feat: add authorization analysis module with Express support

* feat: add authorization analysis module with Express support

* feat: add tests for admin guard requirements and clean checks in authorization analysis

* feat: integrate Koa and Fastify frameworks into authorization analysis

* feat: add Flask and Django support to authorization analysis module

* feat: add support for Rails and Sinatra frameworks in authorization analysis

* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis

* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis

* feat: add support for Rails and Sinatra in authorization analysis

* chore: add .DS_Store to .gitignore

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: update usage of Option methods for improved clarity and consistency

* refactor: improve code readability by simplifying conditional checks and formatting

* refactor: improve code formatting and readability by simplifying conditional checks

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: simplify conditional checks in axum.rs for improved readability

* feat: add CodeQL analysis configuration for enhanced security scanning

* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)

* chore: start test coverage improvement work

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* test: add comprehensive tests for src/output.rs SARIF builder

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* refactor: improve code formatting and readability in output.rs

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* refactor: improve code formatting and readability in output.rs

* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* refactor: enhance triage file path handling with improved error management and validation

* refactor: updated func summaries for richer detail

* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries

* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution

* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls

* refactor: implement new Flask routes for safe and unsafe shell command execution

* refactor: separate receiver handling in SSA operations and enhance taint propagation

* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments

* refactor: implement auth decorator extraction and classification for multiple languages

* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation

* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic

* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior

* refactor: standardize default struct initialization across multiple files

* feat: add scripts for formatting checks and auto-fixes with test summaries

* refactor: simplify character splitting and enhance namespace qualifier handling

* refactor: improve documentation clarity and enhance code readability in resolver logic

* refactor: replace default struct initialization with explicit field assignments for clarity

* feat: enhance anonymous function naming by deriving context-based bindings

* refactor: streamline match expressions for improved readability and performance

* refactor: streamline match expressions for improved readability and performance

* refactor: replace loop with while let for improved clarity and performance

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis

* feat: add static map analysis for command injection suppression and type safety

* refactor: simplify match statements and reduce line breaks for improved readability

* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution

Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.

Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.

Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.

Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.

Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding

Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet.  SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.

Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.

Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`.  `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters.  Dedup key extended with the primary location
so multi-site events aren't collapsed back together.

Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
  != ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
  non-empty `file_rel` — the cap-only → None translation upstream
  guarantees this.

Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved.  A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.

build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.

Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing).  All 1566 lib
tests + integration tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(output): phase 3/5 consume primary sink location in diag + SARIF

When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.

Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
  resolved back to an absolute path via a shared resolve_file_rel
  helper. Empty file_rel (single-file scans where namespace == "")
  resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
  SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
  file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
  locations[0] already reflects the primary sink position via the
  updated diag line/col.

Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.

Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
  the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
  inside the closure).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(bench): phase 4/5 validate primary sink attribution across corpus

Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.

Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
  Case. When present, score_location_level additionally requires at
  least one flow_step in the finding's evidence trace to fall within
  ±2 of the call-site range. When absent, the check is skipped —
  fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
  now-primary Diag.line post-phase-3).

Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
  transform::wrap call site (a cross-file propagator, not a sink);
  line 9 is Command::new, the real sink. The ±2 tolerance happened to
  mask this stale attribution but it was semantically wrong — phase 4
  is the right time to correct it. Also adds expected_call_site_lines
  [8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
  This fixture's sink (Command::new inside run_cmd at line 5) was the
  motivating case for phases 1-3; adding the call-site assertion
  guards against regression to caller-line attribution.

New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
  takes two tainted params and invokes two Command sinks on
  consecutive lines. Locks in that primary line lands inside the
  helper (lines 5-6), not at the caller (line 12). Notes document
  that SinkSite is currently one-per-callee so both findings today
  collapse onto the first sink; expected_sink_lines=[5,6] and
  expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
  004): sink os.system lives in helper.py (cross-file), caller in
  app.py reads env source and calls run_cmd. Verifies phase 3's
  cross-file primary attribution: Diag.path = helper.py, Diag.line =
  5, with app.py:7 recorded in flow_steps as a Call step.

Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
  pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
  TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
  F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
  264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test

Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body.  Asserts the
resulting Finding.primary_location is exactly that triple.

The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file.  This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.

Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).

Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor: clean up formatting and improve readability in multiple files

* refactor: simplify type definition for deduplication key in findings

* test(harness): add must_not_match expectation for FP regression guards

Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules

* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking

* feat: update switch statement handling to improve control flow analysis

* feat: implement promisify alias handling for JS/TS to enhance taint tracking

* feat: enhance taint tracking by refining expectation handling and adding mode filtering

* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters

* feat: update taint tracking rules to enforce full mode matching and improve flow analysis

* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis

* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding

* feat: refine framework detection and update expectation handling for Echo and Sinatra

* feat: implement max_count for taint tracking expectations and deduplicate findings

* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files

* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity

* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files

* feat: add structural invariant checks for SSA bodies

* feat: ensure deterministic phi emission order using BTreeSet

* feat: enhance handling of terminators to ensure authoritative flow through successor edges

* feat: enhance Goto terminator handling to ensure all successors are marked executable

* feat: refactor code for improved readability and organization

* feat: simplify predicate checks and enhance readability in SSA handling

* feat: implement per-file parse timeout and enhance file size handling

* feat: migrate analysis engine toggles from environment variables to configuration file

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: update dependencies and enhance documentation on language maturity

* feat: enhance security headers and improve request body limits

* feat: implement sink capability bits for deduplication and enhance evidence tagging

* feat: implement dynamic activation handling for gated sinks and enhance validation logic

* feat: enhance configuration documentation and clarify inline analysis cache behavior

* feat: implement panic recovery during analysis to continue scans past errors

* feat: add expectations configuration for taint analysis and performance metrics

* feat: enhance error handling and logging during file reading and mutex locking

* feat: add cross-file body loading tests and plumbing for CF-1 phase

* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures

* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality

* feat: enhance classification span handling in CFG and AST for improved source attribution

* feat: add new Express routes for handling user input and telemetry data

* feat: implement ternary expression handling in CFG with diamond structure for JS/TS

* feat: implement Phase CF-3 abstract-domain transfer channels in summaries

* feat: add support for string-prefix transfer in cross-file calls and update tests

* docs: reduce RESULTS.md doc size

* feat: implement Phase CF-4 per-return-path summary decomposition with tests

* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization

* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests

* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests

* refactor: update comments and documentation for clarity and consistency

* style: format code for consistency and readability

* refactor: simplify verdict handling and improve edge checking logic

* refactor: optimize path and identifier collection by avoiding unnecessary cloning

* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults

* refactor: update documentation and improve clarity in configuration files

* refactor: update documentation and improve clarity in configuration files

* feat: add JS/TS pass-2 convergence tests and expectations configuration

* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic

* feat: implement Phase 7 deduplication and alternative path linking for taint findings

* feat: implement structural DFS index for anonymous functions and update naming conventions

* feat: add Phase 8 regression tests for container-element taint in JS and Python

* feat: add engine-depth profiles and explain-engine option for CLI

* feat: update expectations and add new README fixtures for multi-file scan regression

* feat: implement Phase 11 callback-alias and factory patterns with regression tests

* feat: implement Terminator::Switch for multi-way dispatch and add regression tests

* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants

* refactor: extract cfg and ssa_transfer to submodules

* refactor: cargo fmt

* refactor: remove unnecessary blank line in cfg_tests.rs

* refactor: remove unnecessary planning file

* chore: update Rust version to 1.88 and bump dependencies in Cargo files

* feat: enhance triage UI with new layout and controls, update README for clarity

* feat: enhance triage UI with new layout and controls, update README for clarity

* chore: remove outdated section from README for version 0.5.0

* docs: improve clarity and consistency in README content

* chore: add "GPL-3.0-or-later" to license options in about.toml

* chore: update license handling in about.toml and check-licenses.mjs

* style: format code for improved readability in TriagePage component

* style: format code for improved readability in TriagePage component

* chore: enhance license handling and improve body_id scoping in seed lookup

* feat: introduce owner and parent body IDs for enhanced seed scoping

* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating

* feat: add Undef SSA operation for improved control-flow handling

* style: improve code formatting for consistency and readability in multiple files

* feat: add 16-function chain SCC across multiple files for enhanced analysis

* style: simplify code formatting for improved readability in multiple files

* fix: update CapHitReason default implementation and improve README clarity

* docs: enhance README with detailed explanations of taint analysis and limitations

* docs: refine README for clarity and consistency in taint analysis section

* style: improve code formatting for better readability in NewScanModal and scans

* fix: update cargo-about command to use --offline for deterministic license generation

* fix: update cargo-about command to use --offline for deterministic license generation

* ci: add step to prime cargo registry cache for deterministic license generation

* feat: add support for non-sink collections in authorization analysis

* feat: enhance authorization checks with row-level ownership equality and binding tracking

* feat: implement self-scoped user handling and enhance ownership checks

* refactor: simplify assertions and formatting in authorization analysis tests

* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure

* docs: update AI disclosure section for clarity and conciseness

* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure

* feat: enhance authorization analysis with SSA-derived variable type classification

* feat: implement auth_finding_to_diag function for enhanced security diagnostics

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag

* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks

* feat: enhance error message handling in cli_validation_tests for better Windows compatibility

* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration

* feat: enhance release build process with SBOM generation and SLSA provenance

* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: update benchmark data and enhance path sanitization logic with new safety checks

* feat: document AI assistance in frontend UI development and human review process

* feat: add return path facts for enhanced path safety checks and update documentation

* chore: update release date for version 0.5.0 in CHANGELOG.md

* chore: clean up ci.yml by removing outdated comments and clarifying steps

* feat: implement cross-language path sanitizers and validators for enhanced security

* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks

* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases

* refactor: simplify conditional formatting and improve code readability in executor and lower modules

* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests

* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Eli Peter 2026-04-25 17:59:11 -04:00 committed by GitHub
parent c4ce08b452
commit 41128177d2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2144 changed files with 201812 additions and 8927 deletions
Download patch file Download diff file Expand all files Collapse all files

59
src/labels/c.rs
View file

@ -6,15 +6,38 @@ pub static RULES: &[LabelRule] = &[
LabelRule {
matchers: &["getenv"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
LabelRule {
matchers: &["fgets", "scanf", "fscanf", "gets", "read"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
// Network input sources
LabelRule {
matchers: &["recv", "recvfrom"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
// ───────── Sanitizers ──────────
// Generic `sanitize_*` prefix: clears the full cap mask. A function
// named `sanitize_*` is a developer-asserted general-purpose
// sanitizer; without a more specific signal (e.g. an explicit
// sanitizer label rule with a narrower cap), assume it covers every
// taint cap that flows through it. Narrowing to a single cap (e.g.
// HTML_ESCAPE) under-clears developer-named sanitizers and produces
// FPs whenever the downstream sink belongs to a different cap (e.g.
// FMT_STRING via printf), which is the typical case in C/C++ code.
LabelRule {
matchers: &["sanitize_"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: false,
},
// Type conversion sanitizers
LabelRule {
matchers: &["atoi", "atol", "strtol", "strtoul"],
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: false,
},
// ─────────── Sinks ─────────────
LabelRule {
@ -22,18 +45,27 @@ pub static RULES: &[LabelRule] = &[
"system", "popen", "exec", "execl", "execlp", "execle", "execve", "execvp",
],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["sprintf", "strcpy", "strcat"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["printf", "fprintf"],
label: DataLabel::Sink(Cap::FMT_STRING),
case_sensitive: false,
},
LabelRule {
matchers: &["fopen", "open"],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
LabelRule {
matchers: &["curl_easy_perform"],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
];
@ -43,7 +75,7 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"while_statement" => Kind::While,
"for_statement" => Kind::For,
"do_statement" => Kind::While,
"switch_statement" => Kind::Block,
"switch_statement" => Kind::Switch,
"case_statement" => Kind::Block,
"labeled_statement" => Kind::Block,
@ -79,3 +111,26 @@ pub static PARAM_CONFIG: ParamConfig = ParamConfig {
self_param_kinds: &[],
ident_fields: &["declarator", "name"],
};
/// Benchmark-driven output-parameter source positions for known C APIs.
/// Maps callee name → argument positions that receive Source taint.
pub static OUTPUT_PARAM_SOURCES: &[(&str, &[usize])] = &[
("fgets", &[0]), // fgets(buf, size, stream) — buf receives input
("gets", &[0]), // gets(buf) — buf receives input
("recv", &[1]), // recv(fd, buf, len, flags)
("recvfrom", &[1]), // recvfrom(fd, buf, len, flags, ...)
];
/// Arg-to-arg taint propagation for known C functions.
pub static ARG_PROPAGATIONS: &[super::ArgPropagation] = &[
super::ArgPropagation {
callee: "inet_pton",
from_args: &[1],
to_args: &[2],
},
super::ArgPropagation {
callee: "inet_aton",
from_args: &[0],
to_args: &[1],
},
];

93
src/labels/cpp.rs
View file

@ -6,32 +6,82 @@ pub static RULES: &[LabelRule] = &[
LabelRule {
matchers: &["getenv"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
LabelRule {
matchers: &["std::cin", "std::getline", "fgets", "scanf", "gets"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
// Network input sources
LabelRule {
matchers: &["recv", "recvfrom"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
// ───────── Sanitizers ──────────
// Generic `sanitize_*` prefix: clears the full cap mask. A function
// named `sanitize_*` is a developer-asserted general-purpose
// sanitizer; without a more specific signal (e.g. an explicit
// sanitizer label rule with a narrower cap), assume it covers every
// taint cap that flows through it. Narrowing to a single cap (e.g.
// HTML_ESCAPE) under-clears developer-named sanitizers and produces
// FPs whenever the downstream sink belongs to a different cap (e.g.
// FMT_STRING via printf), which is the typical case in C/C++ code.
LabelRule {
matchers: &["sanitize_"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: false,
},
// Type conversion sanitizers (C++ STL forms).
LabelRule {
matchers: &[
"std::stoi",
"std::stol",
"std::stoul",
"std::stof",
"std::stod",
],
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: false,
},
// Type conversion sanitizers (C-stdlib forms still valid in C++).
// Numeric parse → caller receives an integral / floating value, not
// the original string; downstream string-injection caps are cleared.
LabelRule {
matchers: &[
"atoi", "atol", "atoll", "atof", "strtol", "strtoul", "strtoll", "strtoull",
],
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: false,
},
// ─────────── Sinks ─────────────
LabelRule {
matchers: &["system", "popen", "execve", "execvp"],
matchers: &[
"system", "popen", "execl", "execlp", "execle", "execve", "execvp",
],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["sprintf", "strcpy", "strcat"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["printf", "fprintf"],
label: DataLabel::Sink(Cap::FMT_STRING),
case_sensitive: false,
},
LabelRule {
matchers: &["fopen", "open"],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
LabelRule {
matchers: &["curl_easy_perform", "connect"],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
];
@ -42,12 +92,12 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"for_statement" => Kind::For,
"for_range_loop" => Kind::For,
"do_statement" => Kind::While,
"switch_statement" => Kind::Block,
"switch_statement" => Kind::Switch,
"case_statement" => Kind::Block,
"labeled_statement" => Kind::Block,
"return_statement" => Kind::Return,
"throw_statement" => Kind::Return,
"throw_statement" => Kind::Throw,
"break_statement" => Kind::Break,
"continue_statement" => Kind::Continue,
@ -56,12 +106,19 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"compound_statement" => Kind::Block,
"else_clause" => Kind::Block,
"function_definition" => Kind::Function,
"try_statement" => Kind::Block,
"try_statement" => Kind::Try,
"catch_clause" => Kind::Block,
"lambda_expression" => Kind::Block,
"lambda_expression" => Kind::Function,
// Namespace bodies and C++ class bodies descend as plain Blocks so the
// CFG builder can reach the nested function_definitions/lambdas inside
// and extract them as separate bodies.
"declaration_list" => Kind::Block,
"field_declaration_list" => Kind::Block,
// data-flow
"call_expression" => Kind::CallFn,
"new_expression" => Kind::CallFn,
"delete_expression" => Kind::CallFn,
"assignment_expression" => Kind::Assignment,
"declaration" => Kind::CallWrapper,
"expression_statement" => Kind::CallWrapper,
@ -84,3 +141,27 @@ pub static PARAM_CONFIG: ParamConfig = ParamConfig {
self_param_kinds: &[],
ident_fields: &["declarator", "name"],
};
/// Benchmark-driven output-parameter source positions for known C++ APIs.
pub static OUTPUT_PARAM_SOURCES: &[(&str, &[usize])] = &[
("getline", &[1]), // std::getline(stream, str) — str receives input
("std::getline", &[1]),
("fgets", &[0]),
("gets", &[0]),
("recv", &[1]),
("recvfrom", &[1]),
];
/// Arg-to-arg taint propagation for known C++ functions.
pub static ARG_PROPAGATIONS: &[super::ArgPropagation] = &[
super::ArgPropagation {
callee: "inet_pton",
from_args: &[1],
to_args: &[2],
},
super::ArgPropagation {
callee: "inet_aton",
from_args: &[0],
to_args: &[1],
},
];

118
src/labels/go.rs
View file

@ -1,4 +1,5 @@
use crate::labels::{Cap, DataLabel, Kind, LabelRule, ParamConfig};
use crate::labels::{Cap, DataLabel, Kind, LabelRule, ParamConfig, RuntimeLabelRule};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use phf::{Map, phf_map};
pub static RULES: &[LabelRule] = &[
@ -6,6 +7,7 @@ pub static RULES: &[LabelRule] = &[
LabelRule {
matchers: &["os.Getenv"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
LabelRule {
matchers: &[
@ -20,32 +22,57 @@ pub static RULES: &[LabelRule] = &[
"Request.URL",
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
// ───────── Sanitizers ──────────
LabelRule {
matchers: &["html.EscapeString", "template.HTMLEscapeString"],
matchers: &[
"html.EscapeString",
"template.HTMLEscapeString",
"template.HTMLEscaper",
],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["url.QueryEscape", "url.PathEscape"],
label: DataLabel::Sanitizer(Cap::URL_ENCODE),
case_sensitive: false,
},
LabelRule {
matchers: &["filepath.Clean", "filepath.Base"],
label: DataLabel::Sanitizer(Cap::FILE_IO),
case_sensitive: false,
},
// Type conversion sanitizers
LabelRule {
matchers: &[
"strconv.Atoi",
"strconv.ParseInt",
"strconv.ParseFloat",
"strconv.ParseBool",
],
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: false,
},
// ─────────── Sinks ─────────────
LabelRule {
matchers: &["exec.Command"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["db.Query", "db.Exec", "db.QueryRow", "db.Prepare"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: false,
},
// fmt.Printf/Sprintf write to stdout or build strings in memory — not
// security sinks. fmt.Fprintf writes to an io.Writer (often http.ResponseWriter)
// so it IS a security sink for XSS.
LabelRule {
matchers: &["fmt.Fprintf", "fmt.Sprintf", "fmt.Printf"],
label: DataLabel::Sink(Cap::FMT_STRING),
matchers: &["fmt.Fprintf"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &[
@ -56,10 +83,36 @@ pub static RULES: &[LabelRule] = &[
"os.ReadFile",
],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
LabelRule {
matchers: &["template.HTML"],
matchers: &["template.HTML", "template.JS", "template.CSS"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &[
"http.Get",
"http.Post",
"http.NewRequest",
"http.NewRequestWithContext",
"net.Dial",
"net.DialTimeout",
],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
LabelRule {
matchers: &[
"md5.New",
"md5.Sum",
"sha1.New",
"sha1.Sum",
"des.NewCipher",
"rc4.NewCipher",
],
label: DataLabel::Sink(Cap::CRYPTO),
case_sensitive: false,
},
];
@ -79,8 +132,8 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"function_declaration" => Kind::Function,
"method_declaration" => Kind::Function,
"func_literal" => Kind::Function,
"expression_switch_statement" => Kind::Block,
"type_switch_statement" => Kind::Block,
"expression_switch_statement" => Kind::Switch,
"type_switch_statement" => Kind::Switch,
"expression_case" => Kind::Block,
"type_case" => Kind::Block,
"default_case" => Kind::Block,
@ -95,6 +148,7 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"short_var_declaration" => Kind::CallWrapper,
"expression_statement" => Kind::CallWrapper,
"var_declaration" => Kind::CallWrapper,
"type_assertion_expression" => Kind::Seq,
// trivia
"comment" => Kind::Trivia,
@ -112,3 +166,51 @@ pub static PARAM_CONFIG: ParamConfig = ParamConfig {
self_param_kinds: &[],
ident_fields: &["name"],
};
/// Framework-conditional rules for Go.
pub fn framework_rules(ctx: &FrameworkContext) -> Vec<RuntimeLabelRule> {
let mut rules = Vec::new();
if ctx.has(DetectedFramework::Gin) {
rules.push(RuntimeLabelRule {
matchers: vec![
"c.Param".into(),
"c.Query".into(),
"c.PostForm".into(),
"c.DefaultQuery".into(),
"c.DefaultPostForm".into(),
"c.GetHeader".into(),
"c.Cookie".into(),
"c.BindJSON".into(),
"c.ShouldBindJSON".into(),
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["c.HTML".into(), "c.String".into()],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
});
}
if ctx.has(DetectedFramework::Echo) {
rules.push(RuntimeLabelRule {
matchers: vec![
"c.QueryParam".into(),
"c.FormValue".into(),
"c.Param".into(),
"c.Bind".into(),
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["c.HTML".into(), "c.String".into(), "c.JSON".into()],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
});
}
rules
}

165
src/labels/java.rs
View file

@ -1,4 +1,5 @@
use crate::labels::{Cap, DataLabel, Kind, LabelRule, ParamConfig};
use crate::labels::{Cap, DataLabel, Kind, LabelRule, ParamConfig, RuntimeLabelRule};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use phf::{Map, phf_map};
pub static RULES: &[LabelRule] = &[
@ -6,6 +7,7 @@ pub static RULES: &[LabelRule] = &[
LabelRule {
matchers: &["System.getenv"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
LabelRule {
matchers: &[
@ -16,34 +18,155 @@ pub static RULES: &[LabelRule] = &[
"getReader",
"getQueryString",
"getPathInfo",
"getRequestURI",
"getRequestURL",
"getServletPath",
"getContextPath",
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
LabelRule {
matchers: &["readObject", "readLine"],
matchers: &["readObject", "readLine", "ObjectMapper.readValue"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
// ───────── Sanitizers ──────────
LabelRule {
matchers: &["HtmlUtils.htmlEscape", "StringEscapeUtils.escapeHtml4"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// OWASP ESAPI encoders
LabelRule {
matchers: &["Encoder.encodeForHTML", "Encoder.encodeForJavaScript"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["Encoder.encodeForSQL"],
label: DataLabel::Sanitizer(Cap::SQL_QUERY),
case_sensitive: false,
},
LabelRule {
matchers: &["Encoder.encodeForURL"],
label: DataLabel::Sanitizer(Cap::URL_ENCODE),
case_sensitive: false,
},
// OWASP ESAPI input validator — validates and canonicalizes input
LabelRule {
matchers: &["Validator.getValidInput"],
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: false,
},
// Type-check sanitizers — parsing to a primitive erases taint
LabelRule {
matchers: &[
"Integer.parseInt",
"Long.parseLong",
"Short.parseShort",
"Double.parseDouble",
"Integer.valueOf",
"Boolean.parseBoolean",
],
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: false,
},
LabelRule {
matchers: &["URLEncoder.encode"],
label: DataLabel::Sanitizer(Cap::URL_ENCODE),
case_sensitive: false,
},
// Parameterized queries prevent SQL injection
LabelRule {
matchers: &["prepareStatement"],
label: DataLabel::Sanitizer(Cap::SQL_QUERY),
case_sensitive: false,
},
// ─────────── Sinks ─────────────
LabelRule {
matchers: &["Runtime.exec", "ProcessBuilder"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["executeQuery", "executeUpdate", "prepareStatement"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
matchers: &["executeQuery", "executeUpdate"],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: false,
},
LabelRule {
matchers: &["Class.forName"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
label: DataLabel::Sink(Cap::CODE_EXEC),
case_sensitive: false,
},
// HTTP response sinks — println/print are broad (also match System.out)
// but necessary to catch response.getWriter().println() via suffix matching.
LabelRule {
matchers: &["println", "print"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// openConnection() is the standard java.net.URL API for initiating a connection.
// It is the correct interception point — the URL is already set on the object.
LabelRule {
matchers: &[
"openConnection",
"HttpClient.send",
"HttpClient.sendAsync",
"getForObject",
"RestTemplate.exchange",
"postForObject",
"postForEntity",
],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
LabelRule {
matchers: &["println", "print", "write"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
matchers: &[
"readObject",
"readUnshared",
"XMLDecoder.readObject",
"ObjectMapper.readValue",
],
label: DataLabel::Sink(Cap::DESERIALIZE),
case_sensitive: false,
},
// ─── Spring / JPA / Hibernate SQL sinks ───
LabelRule {
matchers: &[
"jdbcTemplate.query",
"jdbcTemplate.update",
"jdbcTemplate.execute",
"jdbcTemplate.queryForObject",
"jdbcTemplate.queryForList",
],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: false,
},
LabelRule {
matchers: &[
"entityManager.createNativeQuery",
"entityManager.createQuery",
"session.createQuery",
"session.createSQLQuery",
],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: true,
},
// NOTE: Java logging (logger.info, log.warn, etc.) removed as sinks —
// logging format injection is not a real security vulnerability in Java.
// String.format also removed — it builds strings in memory (not a sink);
// the real sink is wherever the formatted string is used (SQL, HTTP, etc.).
// ─── JNDI injection sinks ───
LabelRule {
matchers: &[
"InitialContext.lookup",
"ctx.lookup",
"context.lookup",
"dirContext.lookup",
],
label: DataLabel::Sink(Cap::CODE_EXEC),
case_sensitive: false,
},
];
@ -56,7 +179,7 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"do_statement" => Kind::While,
"return_statement" => Kind::Return,
"throw_statement" => Kind::Return,
"throw_statement" => Kind::Throw,
"break_statement" => Kind::Break,
"continue_statement" => Kind::Continue,
@ -68,13 +191,16 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"interface_body" => Kind::Block,
"method_declaration" => Kind::Function,
"constructor_declaration" => Kind::Function,
"switch_expression" => Kind::Block,
"switch_expression" => Kind::Switch,
"switch_block" => Kind::Block,
"switch_block_statement_group" => Kind::Block,
"try_statement" => Kind::Block,
"try_statement" => Kind::Try,
"try_with_resources_statement" => Kind::Try,
"resource_specification" => Kind::Block,
"resource" => Kind::CallWrapper,
"catch_clause" => Kind::Block,
"finally_clause" => Kind::Block,
"lambda_expression" => Kind::Block,
"lambda_expression" => Kind::Function,
"constructor_body" => Kind::Block,
"static_initializer" => Kind::Block,
@ -84,6 +210,7 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"assignment_expression" => Kind::Assignment,
"local_variable_declaration" => Kind::CallWrapper,
"expression_statement" => Kind::CallWrapper,
"cast_expression" => Kind::Seq,
// trivia
"line_comment" => Kind::Trivia,
@ -102,3 +229,19 @@ pub static PARAM_CONFIG: ParamConfig = ParamConfig {
self_param_kinds: &[],
ident_fields: &["name"],
};
/// Framework-conditional rules for Java.
pub fn framework_rules(ctx: &FrameworkContext) -> Vec<RuntimeLabelRule> {
let mut rules = Vec::new();
if ctx.has(DetectedFramework::Spring) {
// When Spring is detected, bare "send" is likely HttpClient.send()
rules.push(RuntimeLabelRule {
matchers: vec!["send".into()],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
});
}
rules
}

552
src/labels/javascript.rs
View file

@ -1,4 +1,7 @@
use crate::labels::{Cap, DataLabel, Kind, LabelRule, ParamConfig};
use crate::labels::{
Cap, DataLabel, GateActivation, Kind, LabelRule, ParamConfig, RuntimeLabelRule, SinkGate,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use phf::{Map, phf_map};
pub static RULES: &[LabelRule] = &[
@ -12,31 +15,109 @@ pub static RULES: &[LabelRule] = &[
"req.params",
"req.headers",
"req.cookies",
"req.hostname",
"req.ip",
"req.path",
"req.protocol",
"req.url",
"req.get",
"req.header",
"process.env",
"location.search",
"location.hash",
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
// ───────── Sanitizers ──────────
LabelRule {
matchers: &["JSON.parse"],
label: DataLabel::Sanitizer(Cap::JSON_PARSE),
case_sensitive: false,
},
// `encodeURIComponent` percent-encodes every character outside the
// ASCII identifier alphabet, including `<`, `>`, `&`, `"`, `'` — so
// the result is safe to embed in HTML text content and HTML
// attribute values, not just URL components. Treating it as
// covering both URL_ENCODE and HTML_ESCAPE caps avoids FPs when a
// wrapper that calls it is composed into an HTML sink (e.g.
// `res.send('<p>' + cleanInput(x) + '</p>')`). `encodeURI` keeps a
// smaller reserved set (`?`, `&`, `=`, `+` are NOT encoded) so it
// stays URL-only.
LabelRule {
matchers: &["encodeURIComponent"],
label: DataLabel::Sanitizer(Cap::from_bits_truncate(
Cap::URL_ENCODE.bits() | Cap::HTML_ESCAPE.bits(),
)),
case_sensitive: false,
},
LabelRule {
matchers: &["encodeURIComponent", "encodeURI"],
matchers: &["encodeURI"],
label: DataLabel::Sanitizer(Cap::URL_ENCODE),
case_sensitive: false,
},
LabelRule {
matchers: &["DOMPurify.sanitize"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["xss"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["sanitizeHtml"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["validator.escape"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// Type coercion sanitizers
LabelRule {
matchers: &["parseInt", "parseFloat", "Number"],
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: true,
},
LabelRule {
matchers: &["sanitizeUrl"],
label: DataLabel::Sanitizer(Cap::URL_ENCODE),
case_sensitive: false,
},
LabelRule {
matchers: &["shell-escape", "shellescape"],
label: DataLabel::Sanitizer(Cap::SHELL_ESCAPE),
case_sensitive: false,
},
// he library — HTML entity encoding
LabelRule {
matchers: &["he.encode", "he.escape"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// Conventional project-local HTML escapers. Suffix word-boundary match
// fires on bare calls to locally defined helpers (`function escapeHtml(x)`
// invoked as `escapeHtml(x)`) across codebases that follow the common
// naming convention. Case-insensitive so `EscapeHtml` / `escapeHTML`
// / `safeHTML` all qualify.
LabelRule {
matchers: &["escapeHtml", "escapeHTML", "htmlEscape", "safeHtml"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// ─────────── Sinks ─────────────
LabelRule {
matchers: &["eval"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
label: DataLabel::Sink(Cap::CODE_EXEC),
case_sensitive: false,
},
LabelRule {
matchers: &["innerHTML"],
matchers: &["innerHTML", "dangerouslySetInnerHTML"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &[
@ -45,14 +126,384 @@ pub static RULES: &[LabelRule] = &[
"document.location.href",
],
label: DataLabel::Sink(Cap::URL_ENCODE),
case_sensitive: false,
},
LabelRule {
matchers: &[
"child_process.exec",
"child_process.execSync",
"child_process.spawn",
"child_process.execFile",
// Bare forms from destructured imports:
// const { exec, execSync } = require('child_process')
// Note: bare `exec` suffix-matches RegExp.prototype.exec() too,
// but in practice tainted data rarely flows to regexp.exec().
"exec",
"execSync",
"execFile",
// Common promisified wrappers around child_process.exec
"execAsync",
"execPromise",
],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: true,
},
// ── Outbound HTTP clients — modeled as destination-aware gated sinks ──
// Flat-Sink modeling of fetch/axios/got/undici/http.request was producing
// a dominant FP class where any tainted body/payload arg appeared as SSRF
// (e.g. `fetch("/api/telemetry", { body: navigator.userAgent })`). SSRF
// semantics require attacker control over the *destination*, not the
// payload. The gated entries in `GATED_SINKS` below narrow activation to
// URL / host / path / origin arguments or object fields. Taint flowing
// only to body / data / json / headers is no longer flagged as SSRF —
// cross-boundary data-exfiltration detection is a separate future
// capability (`Cap::DATA_EXFIL`, not yet introduced).
// Express response sinks
LabelRule {
matchers: &["res.send", "res.json"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["res.redirect"],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
LabelRule {
matchers: &["res.sendFile", "res.download"],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
LabelRule {
matchers: &["res.set", "res.header"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// DOM XSS sinks
LabelRule {
matchers: &[
"document.write",
"document.writeln",
"outerHTML",
"insertAdjacentHTML",
],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// Navigation / open-redirect sinks
LabelRule {
matchers: &["location.assign", "location.replace", "window.open"],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
// Node.js file-system sinks
LabelRule {
matchers: &[
"fs.writeFile",
"fs.writeFileSync",
"fs.readFile",
"fs.readFileSync",
"fs.createReadStream",
"fs.createWriteStream",
"fs.access",
"fs.stat",
"fs.statSync",
"fs.unlink",
"fs.unlinkSync",
"fs.readdir",
"fs.readdirSync",
],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
// Node.js network sinks
LabelRule {
matchers: &["net.createConnection"],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
// ─────────── SQL injection sinks ─────────────
// Database drivers: mysql, mysql2, pg, better-sqlite3
LabelRule {
matchers: &[
"connection.query",
"client.query",
"pool.query",
"db.query",
"db.execute",
],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: false,
},
// ORM / query builder raw-SQL entry points
LabelRule {
matchers: &[
"sequelize.query",
"knex.raw",
"$queryRaw",
"$queryRawUnsafe",
"$executeRaw",
"$executeRawUnsafe",
],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: true,
},
];
/// Callee patterns that must never be classified as source/sanitizer/sink.
/// Express/Koa route-registration methods look like `router.get(path, handler)`
/// and could collide with source matchers like `req.get`.
/// Also excludes non-user-controlled `req.*` properties (session, app, route).
pub static EXCLUDES: &[&str] = &[
// Express route registration
"router.get",
"router.post",
"router.put",
"router.delete",
"router.patch",
"router.use",
"router.all",
"app.get",
"app.post",
"app.put",
"app.delete",
"app.patch",
"app.use",
"app.all",
// Non-user-controlled req properties
"req.session",
"req.app",
"req.route",
"req.next",
// Session management lifecycle methods
"req.session.destroy",
"req.session.regenerate",
"req.session.save",
"req.session.reload",
];
pub static GATED_SINKS: &[SinkGate] = &[
SinkGate {
callee_matcher: "setAttribute",
arg_index: 0,
dangerous_values: &["href", "src", "action", "formaction", "srcdoc"],
dangerous_prefixes: &["on"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
payload_args: &[1],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::ValueMatch,
},
SinkGate {
callee_matcher: "parseFromString",
arg_index: 1,
dangerous_values: &["text/html", "application/xhtml+xml"],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::ValueMatch,
},
// ── Outbound HTTP clients (SSRF) ──────────────────────────────────────
//
// Policy: SSRF fires only when taint reaches the destination-bearing
// argument or object field (URL / host / path / origin). Taint flowing
// only to body / data / json / headers / payload is silenced. See the
// commentary at the top of RULES for the rationale.
//
// `fetch(input, init)` — arg 0 can be a URL string OR a Request/config
// object with `url`. Per WHATWG Fetch, when `input` is a dictionary, the
// URL field is canonically `url`. Init-object body/headers at arg 1 are
// *not* destination-bearing.
SinkGate {
callee_matcher: "fetch",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &["url"],
},
},
// `axios(config)` / `axios.request(config)` — config object exposes
// `url` and `baseURL`. Body-ish fields (`data`, `params`, `headers`)
// are excluded.
SinkGate {
callee_matcher: "axios",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &["url", "baseURL"],
},
},
SinkGate {
callee_matcher: "axios.request",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &["url", "baseURL"],
},
},
// `axios.get(url[, config])` — arg 0 is URL; arg 1 is config.
SinkGate {
callee_matcher: "axios.get",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &[],
},
},
// `axios.post(url, data[, config])` — arg 0 is URL; `data` at arg 1 is
// the request body and must NOT activate SSRF.
SinkGate {
callee_matcher: "axios.post",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &[],
},
},
// `axios.put / axios.patch / axios.delete` follow the same shape —
// (url, data?, config?). Keep the model consistent across verbs.
SinkGate {
callee_matcher: "axios.put",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &[],
},
},
SinkGate {
callee_matcher: "axios.patch",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &[],
},
},
SinkGate {
callee_matcher: "axios.delete",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &[],
},
},
// `got(url[, options])` / `got(options)` — options exposes `url` and
// `prefixUrl`. Body-ish fields (`body`, `json`, `form`, `searchParams`,
// `headers`) are excluded.
SinkGate {
callee_matcher: "got",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &["url", "prefixUrl"],
},
},
// `undici.request(url | opts[, opts])` — opts exposes `origin` and
// `path`. Body-ish fields (`body`, `headers`) are excluded.
SinkGate {
callee_matcher: "undici.request",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &["origin", "path"],
},
},
// Node `http.request(options[, cb])` / `https.request(options[, cb])` —
// options exposes `host`, `hostname`, `path`, `protocol`, `port`,
// `origin`. Body is sent via `.write()`/`.end()` on the returned
// ClientRequest, so it never appears as a positional arg here.
// Arg 0 may also be a URL string — the "whole arg is destination"
// fallback (triggered when arg 0 is not an object literal) covers that.
SinkGate {
callee_matcher: "http.request",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &["host", "hostname", "path", "protocol", "port", "origin"],
},
},
SinkGate {
callee_matcher: "https.request",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &["host", "hostname", "path", "protocol", "port", "origin"],
},
},
];
@ -65,7 +516,7 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"do_statement" => Kind::While,
"return_statement" => Kind::Return,
"throw_statement" => Kind::Return,
"throw_statement" => Kind::Throw,
"break_statement" => Kind::Break,
"continue_statement" => Kind::Continue,
@ -79,11 +530,11 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"method_definition" => Kind::Function,
"generator_function_declaration" => Kind::Function,
"generator_function" => Kind::Function,
"switch_statement" => Kind::Block,
"switch_statement" => Kind::Switch,
"switch_body" => Kind::Block,
"switch_case" => Kind::Block,
"switch_default" => Kind::Block,
"try_statement" => Kind::Block,
"try_statement" => Kind::Try,
"catch_clause" => Kind::Block,
"finally_clause" => Kind::Block,
"class_declaration" => Kind::Block,
@ -114,3 +565,90 @@ pub static PARAM_CONFIG: ParamConfig = ParamConfig {
self_param_kinds: &[],
ident_fields: &["name", "pattern"],
};
/// Framework-conditional rules for JavaScript.
pub fn framework_rules(ctx: &FrameworkContext) -> Vec<RuntimeLabelRule> {
let mut rules = Vec::new();
if ctx.has(DetectedFramework::Koa) {
rules.push(RuntimeLabelRule {
matchers: vec![
"ctx.request.body".into(),
"ctx.request.query".into(),
"ctx.request.querystring".into(),
"ctx.request.params".into(),
"ctx.request.headers".into(),
"ctx.request.header".into(),
"ctx.request.get".into(),
"ctx.query".into(),
"ctx.params".into(),
"ctx.headers".into(),
"ctx.header".into(),
"ctx.get".into(),
"ctx.cookies.get".into(),
"ctx.hostname".into(),
"ctx.ip".into(),
"ctx.path".into(),
"ctx.protocol".into(),
"ctx.url".into(),
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["ctx.body".into()],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["ctx.redirect".into()],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["ctx.set".into(), "ctx.append".into()],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
});
}
if ctx.has(DetectedFramework::Fastify) {
rules.push(RuntimeLabelRule {
matchers: vec![
"request.body".into(),
"request.query".into(),
"request.params".into(),
"request.headers".into(),
"request.cookies".into(),
"request.hostname".into(),
"request.ip".into(),
"request.url".into(),
"request.raw.headers".into(),
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["reply.send".into()],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["reply.redirect".into()],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["reply.sendFile".into(), "reply.download".into()],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["reply.header".into(), "reply.headers".into()],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
});
}
rules
}

1498
src/labels/mod.rs
View file

File diff suppressed because it is too large Load diff

106
src/labels/php.rs
View file

@ -1,4 +1,5 @@
use crate::labels::{Cap, DataLabel, Kind, LabelRule, ParamConfig};
use crate::labels::{Cap, DataLabel, Kind, LabelRule, ParamConfig, RuntimeLabelRule};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use phf::{Map, phf_map};
pub static RULES: &[LabelRule] = &[
@ -22,23 +23,51 @@ pub static RULES: &[LabelRule] = &[
"_ENV",
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
LabelRule {
matchers: &["file_get_contents", "fread"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
// ───────── Sanitizers ──────────
LabelRule {
matchers: &["htmlspecialchars", "htmlentities"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["escapeshellarg", "escapeshellcmd"],
label: DataLabel::Sanitizer(Cap::SHELL_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["basename"],
matchers: &["basename", "realpath"],
label: DataLabel::Sanitizer(Cap::FILE_IO),
case_sensitive: false,
},
// PDO parameterized queries
LabelRule {
matchers: &["prepare", "bindParam", "bindValue"],
label: DataLabel::Sanitizer(Cap::SQL_QUERY),
case_sensitive: false,
},
// Type-check sanitizers
LabelRule {
matchers: &["intval", "floatval", "ctype_digit", "ctype_alpha"],
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: false,
},
// PHP input filtering
LabelRule {
matchers: &["filter_input", "filter_var"],
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: false,
},
LabelRule {
matchers: &["urlencode", "rawurlencode"],
label: DataLabel::Sanitizer(Cap::URL_ENCODE),
case_sensitive: false,
},
// ─────────── Sinks ─────────────
LabelRule {
@ -51,30 +80,63 @@ pub static RULES: &[LabelRule] = &[
"popen",
],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["eval", "assert"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
label: DataLabel::Sink(Cap::CODE_EXEC),
case_sensitive: false,
},
LabelRule {
matchers: &["include", "include_once", "require", "require_once"],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
LabelRule {
matchers: &["unserialize"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
label: DataLabel::Sink(Cap::DESERIALIZE),
case_sensitive: false,
},
LabelRule {
matchers: &["move_uploaded_file", "copy", "file_put_contents", "fwrite"],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
LabelRule {
matchers: &["echo", "print"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["mysqli_query", "pg_query", "query"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
matchers: &["mysqli_query", "pg_query", "pg_execute", "query"],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: false,
},
// PDO and MySQLi OOP: exec/prepare+execute patterns.
LabelRule {
matchers: &[
"pdo.exec",
"pdo.query",
"mysqli.real_query",
"mysqli_real_query",
],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: false,
},
// Laravel Eloquent: raw SQL methods.
// DB::raw() → scoped_call_expression, callee text "DB.raw".
// whereRaw/selectRaw/orderByRaw/havingRaw → member_call_expression on query builder.
LabelRule {
matchers: &["DB.raw", "whereRaw", "selectRaw", "orderByRaw", "havingRaw"],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: false,
},
// NOTE: `file_get_contents` can fetch URLs (SSRF vector) and local files (LFI vector).
// As a Sink(SSRF) it only fires when the argument is tainted.
LabelRule {
matchers: &["file_get_contents", "curl_exec"],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
];
@ -87,7 +149,7 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"do_statement" => Kind::While,
"return_statement" => Kind::Return,
"throw_expression" => Kind::Return,
"throw_expression" => Kind::Throw,
"break_statement" => Kind::Break,
"continue_statement" => Kind::Continue,
@ -98,21 +160,26 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"else_if_clause" => Kind::Block,
"function_definition" => Kind::Function,
"method_declaration" => Kind::Function,
"switch_statement" => Kind::Block,
"switch_statement" => Kind::Switch,
"switch_block" => Kind::Block,
"case_statement" => Kind::Block,
"default_statement" => Kind::Block,
"try_statement" => Kind::Block,
"try_statement" => Kind::Try,
"catch_clause" => Kind::Block,
"finally_clause" => Kind::Block,
"colon_block" => Kind::Block,
"anonymous_function_creation_expression" => Kind::Function,
"arrow_function" => Kind::Function,
"class_declaration" => Kind::Block,
// data-flow
"function_call_expression" => Kind::CallFn,
"object_creation_expression" => Kind::CallFn,
"member_call_expression" => Kind::CallMethod,
"scoped_call_expression" => Kind::CallMethod,
"assignment_expression" => Kind::Assignment,
"expression_statement" => Kind::CallWrapper,
"echo_statement" => Kind::CallWrapper,
// trivia
"comment" => Kind::Trivia,
@ -131,3 +198,24 @@ pub static PARAM_CONFIG: ParamConfig = ParamConfig {
self_param_kinds: &[],
ident_fields: &["name"],
};
/// Framework-conditional rules for PHP.
pub fn framework_rules(ctx: &FrameworkContext) -> Vec<RuntimeLabelRule> {
let mut rules = Vec::new();
if ctx.has(DetectedFramework::Laravel) {
rules.push(RuntimeLabelRule {
matchers: vec![
"Request::input".into(),
"Request::get".into(),
"Request::query".into(),
"Request::post".into(),
"Request::all".into(),
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
});
}
rules
}

297
src/labels/python.rs
View file

@ -1,4 +1,7 @@
use crate::labels::{Cap, DataLabel, Kind, LabelRule, ParamConfig};
use crate::labels::{
Cap, DataLabel, GateActivation, Kind, LabelRule, ParamConfig, RuntimeLabelRule, SinkGate,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use phf::{Map, phf_map};
pub static RULES: &[LabelRule] = &[
@ -6,6 +9,7 @@ pub static RULES: &[LabelRule] = &[
LabelRule {
matchers: &["os.getenv", "os.environ"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
LabelRule {
matchers: &[
@ -14,17 +18,52 @@ pub static RULES: &[LabelRule] = &[
"request.json",
"request.headers",
"request.cookies",
"request.files",
"request.data",
"request.values",
"request.environ",
"request.url",
"request.base_url",
"request.host",
// Common alias: from flask import request as flask_request
"flask_request.args",
"flask_request.form",
"flask_request.json",
"flask_request.headers",
"flask_request.cookies",
"flask_request.files",
"flask_request.data",
"flask_request.values",
// Flask request methods (method-call form of the attributes above)
"request.get_data",
"request.get_json",
"flask_request.get_data",
"flask_request.get_json",
"input",
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
// Django-specific sources (case-sensitive to avoid request.get() dict method FP)
LabelRule {
matchers: &[
"request.GET",
"request.POST",
"request.META",
"request.body",
],
label: DataLabel::Source(Cap::all()),
case_sensitive: true,
},
LabelRule {
matchers: &["sys.argv"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
LabelRule {
matchers: &["open"],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
LabelRule {
matchers: &[
@ -34,44 +73,227 @@ pub static RULES: &[LabelRule] = &[
"requests.post",
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
// ───────── Sanitizers ──────────
LabelRule {
matchers: &["html.escape"],
matchers: &["html.escape", "cgi.escape"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["shlex.quote"],
label: DataLabel::Sanitizer(Cap::SHELL_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &[
"bleach.clean",
"markupsafe.escape",
"django.utils.html.escape",
],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// Type coercion sanitizers
LabelRule {
matchers: &["int", "float", "bool"],
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: true,
},
LabelRule {
matchers: &["urllib.parse.quote", "urllib.parse.quote_plus"],
label: DataLabel::Sanitizer(Cap::URL_ENCODE),
case_sensitive: false,
},
// Path canonicalization
LabelRule {
matchers: &["os.path.abspath", "os.path.normpath"],
label: DataLabel::Sanitizer(Cap::FILE_IO),
case_sensitive: false,
},
// ─────────── Sinks ─────────────
// Flask sinks
LabelRule {
matchers: &["render_template_string"],
label: DataLabel::Sink(Cap::CODE_EXEC),
case_sensitive: false,
},
// Jinja2 / string.Template — tainted template string enables SSTI
LabelRule {
matchers: &["Template"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: true,
},
LabelRule {
matchers: &["make_response"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["redirect"],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
// Django sinks
LabelRule {
matchers: &["HttpResponse", "mark_safe"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// Flask Markup — bypasses auto-escaping
LabelRule {
matchers: &["Markup"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: true,
},
LabelRule {
matchers: &["eval", "exec"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
label: DataLabel::Sink(Cap::CODE_EXEC),
case_sensitive: false,
},
LabelRule {
matchers: &[
"os.system",
"os.popen",
"subprocess.call",
"subprocess.run",
"subprocess.Popen",
"subprocess.check_output",
"subprocess.check_call",
],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["cursor.execute", "cursor.executemany"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
matchers: &["cursor.execute", "cursor.executemany", "sqlalchemy.text"],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: false,
},
// Django ORM raw SQL execution
LabelRule {
matchers: &["objects.raw"],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: false,
},
// SQL injection: sqlite3 / SQLAlchemy / generic DB connection execute.
LabelRule {
matchers: &[
"conn.execute",
"connection.execute",
"session.execute",
"engine.execute",
"db.execute",
],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: false,
},
LabelRule {
matchers: &["send_file", "send_from_directory"],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
LabelRule {
matchers: &["os.path.realpath"],
label: DataLabel::Sanitizer(Cap::FILE_IO),
case_sensitive: false,
},
LabelRule {
matchers: &[
"urllib.request.urlopen",
"requests.get",
"requests.post",
"requests.put",
"requests.delete",
"requests.patch",
"requests.head",
"requests.request",
"httpx.get",
"httpx.post",
"httpx.put",
"httpx.delete",
"httpx.patch",
"httpx.head",
"httpx.request",
],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
// aiohttp HTTP client — SSRF sinks
LabelRule {
matchers: &[
"aiohttp.get",
"aiohttp.post",
"aiohttp.put",
"aiohttp.delete",
"aiohttp.request",
],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
LabelRule {
matchers: &[
"pickle.loads",
"pickle.load",
"yaml.load", // unsafe unless SafeLoader
"yaml.unsafe_load",
"yaml.full_load",
"shelve.open",
],
label: DataLabel::Sink(Cap::DESERIALIZE),
case_sensitive: false,
},
];
pub static GATED_SINKS: &[SinkGate] = &[
// Legacy single-kwarg gate retained for back-compat: Popen(cmd, shell=True).
SinkGate {
callee_matcher: "Popen",
arg_index: 0,
dangerous_values: &["True", "true"],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: true,
payload_args: &[0],
keyword_name: Some("shell"),
dangerous_kwargs: &[],
activation: GateActivation::ValueMatch,
},
// subprocess.run(cmd, shell=True) — multi-kwarg gate using the new
// presence-aware mechanism. Payload is arg 1 (after receiver offset
// applied by the CFG layer when the call is modelled method-style).
SinkGate {
callee_matcher: "subprocess.run",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[("shell", &["True", "true"])],
activation: GateActivation::ValueMatch,
},
SinkGate {
callee_matcher: "subprocess.call",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[("shell", &["True", "true"])],
activation: GateActivation::ValueMatch,
},
SinkGate {
callee_matcher: "subprocess.Popen",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[("shell", &["True", "true"])],
activation: GateActivation::ValueMatch,
},
];
@ -82,7 +304,7 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"for_statement" => Kind::For,
"return_statement" => Kind::Return,
"raise_statement" => Kind::Return,
"raise_statement" => Kind::Throw,
"break_statement" => Kind::Break,
"continue_statement" => Kind::Continue,
@ -92,8 +314,11 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"else_clause" => Kind::Block,
"elif_clause" => Kind::Block,
"with_statement" => Kind::Block,
"with_clause" => Kind::Block,
"with_item" => Kind::CallWrapper,
"function_definition" => Kind::Function,
"try_statement" => Kind::Block,
"lambda" => Kind::Function,
"try_statement" => Kind::Try,
"except_clause" => Kind::Block,
"finally_clause" => Kind::Block,
"class_definition" => Kind::Block,
@ -117,7 +342,57 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
pub static PARAM_CONFIG: ParamConfig = ParamConfig {
params_field: "parameters",
param_node_kinds: &["identifier"],
// Python parameters: bare identifiers, typed (`x: T`), defaulted
// (`x=42`), and typed-with-default (`x: T = ...`). Without the
// typed forms, type-annotated handlers register zero arity and
// their parameter taint never participates in summaries.
param_node_kinds: &[
"identifier",
"typed_parameter",
"default_parameter",
"typed_default_parameter",
],
self_param_kinds: &[],
ident_fields: &["name"],
};
/// Framework-conditional rules for Python.
pub fn framework_rules(ctx: &FrameworkContext) -> Vec<RuntimeLabelRule> {
let mut rules = Vec::new();
if ctx.has(DetectedFramework::Django) {
// QuerySet.extra() — raw SQL injection risk.
// Framework-conditional because `extra` is too generic as a static matcher.
rules.push(RuntimeLabelRule {
matchers: vec!["extra".into()],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: false,
});
}
rules
}
#[cfg(test)]
mod tests {
use super::KINDS;
use crate::labels::Kind;
#[test]
fn lambda_classified_as_function() {
assert_eq!(KINDS.get("lambda"), Some(&Kind::Function));
}
#[test]
fn function_definition_classified_as_function() {
assert_eq!(KINDS.get("function_definition"), Some(&Kind::Function));
}
#[test]
fn lambda_distinct_from_other_kinds() {
// Ensure lambda doesn't accidentally map to Block or Other
let kind = KINDS.get("lambda").unwrap();
assert_ne!(*kind, Kind::Block);
assert_ne!(*kind, Kind::Other);
}
}

173
src/labels/ruby.rs
View file

@ -1,4 +1,5 @@
use crate::labels::{Cap, DataLabel, Kind, LabelRule, ParamConfig};
use crate::labels::{Cap, DataLabel, Kind, LabelRule, ParamConfig, RuntimeLabelRule};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use phf::{Map, phf_map};
pub static RULES: &[LabelRule] = &[
@ -6,32 +7,166 @@ pub static RULES: &[LabelRule] = &[
LabelRule {
matchers: &["ENV", "gets"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
LabelRule {
matchers: &["params"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
// Rails request object — user-controlled HTTP request data.
// Dotted matchers work via push_node receiver.method text construction
// (confirmed by existing Net::HTTP.get matcher in ssrf_net_http fixture).
LabelRule {
matchers: &[
"request.headers",
"request.body",
"request.url",
"request.referrer",
"request.path",
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
// ───────── Sanitizers ──────────
LabelRule {
matchers: &["CGI.escapeHTML", "ERB::Util.html_escape"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// Rails HTML escaping / sanitization helpers.
LabelRule {
matchers: &[
"CGI.escape",
"Rack::Utils.escape_html",
"sanitize",
"strip_tags",
],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["Shellwords.escape", "Shellwords.shellescape"],
label: DataLabel::Sanitizer(Cap::SHELL_ESCAPE),
case_sensitive: false,
},
// Type coercion sanitizers
LabelRule {
matchers: &["to_i", "to_f"],
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: false,
},
// ActiveRecord SQL sanitizers
LabelRule {
matchers: &["sanitize_sql", "sanitize_sql_array"],
label: DataLabel::Sanitizer(Cap::SQL_QUERY),
case_sensitive: false,
},
LabelRule {
matchers: &["URI.encode_www_form_component"],
label: DataLabel::Sanitizer(Cap::URL_ENCODE),
case_sensitive: false,
},
// ─────────── Sinks ─────────────
LabelRule {
matchers: &["system", "exec"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: false,
},
// Backtick shell execution: tree-sitter-ruby represents `` `cmd` `` as a
// `subshell` node with no callee field. push_node normalises the synthetic
// callee name to "subshell" and extract_arg_uses lifts interpolation
// identifiers into positional args, so any tainted `#{var}` participates
// in sink detection.
LabelRule {
matchers: &["subshell"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: true,
},
// File I/O sinks: user-controlled paths flowing into File.open/File.new
// are a path-traversal / arbitrary-read vector. File.open also participates
// in the resource-lifecycle acquire/release pair (cfg_analysis::RUBY_RESOURCES),
// so this entry is additive — it does not disturb resource-leak detection.
LabelRule {
matchers: &["File.open", "File.new", "File.read", "IO.read"],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
LabelRule {
matchers: &["eval"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
label: DataLabel::Sink(Cap::CODE_EXEC),
case_sensitive: false,
},
LabelRule {
matchers: &["puts", "print"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// URI.open is the network-capable Kernel#open wrapper — more specific than
// plain `open` (excluded to avoid file I/O false positives).
LabelRule {
matchers: &[
"Net::HTTP.get",
"Net::HTTP.post",
"URI.open",
"HTTParty.get",
"HTTParty.post",
],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
// Type-qualified sinks: resolves when receiver is typed as HttpClient via constructor_type().
// Handles instance-level calls (client.request) that direct matchers above don't cover.
LabelRule {
matchers: &["HttpClient.request", "HttpClient.get", "HttpClient.post"],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
LabelRule {
matchers: &["Marshal.load", "Marshal.restore", "YAML.load"],
label: DataLabel::Sink(Cap::DESERIALIZE),
case_sensitive: false,
},
// Reflection / dynamic class resolution — arbitrary class instantiation from
// user-controlled names enables gadget chains (similar risk profile to
// deserialization). Rails adds `constantize`/`safe_constantize` to String.
LabelRule {
matchers: &["constantize", "safe_constantize"],
label: DataLabel::Sink(Cap::DESERIALIZE),
case_sensitive: false,
},
// SQL injection: ActiveRecord unsafe raw-query execution APIs.
LabelRule {
matchers: &["find_by_sql", "connection.execute", "select_all"],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: false,
},
// SQL injection: ActiveRecord query methods that accept raw SQL strings.
// `where` and `order` are the most common Rails SQLi vectors when called
// with string interpolation (e.g., User.where("name = '#{params[:name]}'")).
// Broad matchers — verified against fixture fallout.
LabelRule {
matchers: &["where", "order", "group", "having", "joins", "pluck"],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: true,
},
// Open redirect: redirect_to with user-controlled destination.
LabelRule {
matchers: &["redirect_to"],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
// Path traversal: file serving with user-controlled path.
LabelRule {
matchers: &["send_file"],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
// XSS escape-bypass footguns: html_safe and raw disable auto-escaping.
LabelRule {
matchers: &["html_safe", "raw"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
];
@ -55,7 +190,8 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"else" => Kind::Block,
"elsif" => Kind::If,
"begin" => Kind::Block,
// begin/rescue/ensure: handled by build_begin_rescue() in cfg.rs
"begin" => Kind::Try,
"rescue" => Kind::Block,
"ensure" => Kind::Block,
"case" => Kind::Block,
@ -66,10 +202,14 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"block" => Kind::Function,
// data-flow
"call" => Kind::CallFn,
"call" => Kind::CallMethod,
"assignment" => Kind::Assignment,
"method" => Kind::Function,
"singleton_method" => Kind::Function,
// Backtick shell execution: treat as a synthetic call so push_node
// classifies it as a sink and extract_arg_uses lifts interpolation
// identifiers into positional args.
"subshell" => Kind::CallFn,
// trivia
"comment" => Kind::Trivia,
@ -84,3 +224,28 @@ pub static PARAM_CONFIG: ParamConfig = ParamConfig {
self_param_kinds: &[],
ident_fields: &["name"],
};
/// Framework-conditional rules for Ruby.
pub fn framework_rules(ctx: &FrameworkContext) -> Vec<RuntimeLabelRule> {
let mut rules = Vec::new();
if ctx.has(DetectedFramework::Rails) {
// Strong parameters — permit/require sanitize user input
rules.push(RuntimeLabelRule {
matchers: vec!["permit".into(), "require".into()],
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: false,
});
}
if ctx.has(DetectedFramework::Sinatra) {
// Sinatra template rendering — user content flows to rendered output
rules.push(RuntimeLabelRule {
matchers: vec!["erb".into(), "haml".into()],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
});
}
rules
}

273
src/labels/rust.rs
View file

@ -1,4 +1,5 @@
use crate::labels::{Cap, DataLabel, Kind, LabelRule, ParamConfig};
use crate::labels::{Cap, DataLabel, Kind, LabelRule, ParamConfig, RuntimeLabelRule};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use phf::{Map, phf_map};
pub static RULES: &[LabelRule] = &[
@ -6,19 +7,28 @@ pub static RULES: &[LabelRule] = &[
LabelRule {
matchers: &["std::env::var", "env::var", "source_env"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
LabelRule {
matchers: &["source_file"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
LabelRule {
matchers: &["fs::read_to_string", "fs::read"],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
// ───────── Sanitizers ──────────
LabelRule {
matchers: &["html_escape::encode_safe", "sanitize_", "sanitize_html"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["shell_escape::unix::escape", "sanitize_shell"],
label: DataLabel::Sanitizer(Cap::SHELL_ESCAPE),
case_sensitive: false,
},
// ─────────── Sinks ─────────────
LabelRule {
@ -31,20 +41,91 @@ pub static RULES: &[LabelRule] = &[
"command::output",
],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["sink_html"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &[
"fs::read_to_string",
"fs::write",
"fs::read",
"fs::remove_file",
"fs::remove_dir",
"fs::remove_dir_all",
"fs::rename",
"fs::copy",
"File::open",
"File::create",
],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
LabelRule {
matchers: &[
"reqwest::get",
"reqwest::Client.execute",
"reqwest::Client.get",
"reqwest::Client.post",
"reqwest::Client.put",
"reqwest::Client.delete",
"reqwest::Client.head",
"reqwest::Client.patch",
"reqwest::Client.request",
// Type-qualified (receiver typed as HttpClient)
"HttpClient.get",
"HttpClient.post",
"HttpClient.put",
"HttpClient.delete",
"HttpClient.head",
"HttpClient.patch",
"HttpClient.request",
"HttpClient.execute",
"HttpClient.send",
],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
LabelRule {
matchers: &[
"rusqlite::Connection.execute",
"rusqlite::Connection.query",
"rusqlite::Connection.query_row",
"rusqlite::Connection.prepare",
"sqlx::query",
"sqlx::query_as",
"sqlx::query_scalar",
"diesel::sql_query",
"postgres::Client.execute",
"postgres::Client.query",
"postgres::Client.prepare",
// Type-qualified (receiver typed as DatabaseConnection)
"DatabaseConnection.execute",
"DatabaseConnection.query",
"DatabaseConnection.query_row",
"DatabaseConnection.prepare",
],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: false,
},
LabelRule {
matchers: &[
"serde_yaml::from_str",
"serde_yaml::from_slice",
"serde_yaml::from_reader",
"bincode::deserialize",
"bincode::deserialize_from",
"rmp_serde::from_slice",
"rmp_serde::from_read",
"ciborium::from_reader",
"ron::from_str",
"toml::from_str",
],
label: DataLabel::Sink(Cap::DESERIALIZE),
case_sensitive: false,
},
];
@ -73,7 +154,7 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"match_arm" => Kind::Block,
"unsafe_block" => Kind::Block,
"function_item" => Kind::Function,
"closure_expression" => Kind::Block,
"closure_expression" => Kind::Function,
"async_block" => Kind::Block,
"impl_item" => Kind::Block,
"trait_item" => Kind::Block,
@ -87,6 +168,12 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"expression_statement" => Kind::CallWrapper,
"assignment_expression" => Kind::Assignment,
// struct expressions — recurse so env::var() calls inside field
// initialisers produce Source-labelled CFG nodes (needed for summaries).
"struct_expression" => Kind::Block,
"field_initializer_list" => Kind::Block,
"field_initializer" => Kind::CallWrapper,
// trivia
"line_comment" => Kind::Trivia,
"block_comment" => Kind::Trivia,
@ -105,3 +192,185 @@ pub static PARAM_CONFIG: ParamConfig = ParamConfig {
self_param_kinds: &["self_parameter"],
ident_fields: &["pattern"],
};
/// Framework-conditional rules for Rust.
pub fn framework_rules(ctx: &FrameworkContext) -> Vec<RuntimeLabelRule> {
let mut rules = Vec::new();
if ctx.has(DetectedFramework::Axum) {
rules.push(RuntimeLabelRule {
matchers: vec![
"Path".into(),
"Query".into(),
"Json".into(),
"Form".into(),
"Multipart".into(),
"HeaderMap".into(),
"HeaderMap.get".into(),
"Request.headers".into(),
"Request.uri".into(),
"headers.get".into(),
],
label: DataLabel::Source(Cap::all()),
case_sensitive: true,
});
rules.push(RuntimeLabelRule {
matchers: vec!["Html".into(), "IntoResponse".into()],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: true,
});
rules.push(RuntimeLabelRule {
matchers: vec!["Redirect::to".into()],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: true,
});
}
if ctx.has(DetectedFramework::ActixWeb) {
rules.push(RuntimeLabelRule {
matchers: vec![
"web::Path".into(),
"web::Query".into(),
"web::Json".into(),
"web::Form".into(),
"web::Bytes".into(),
"HttpRequest".into(),
"HttpRequest.headers".into(),
"HttpRequest.cookie".into(),
"HttpRequest.match_info".into(),
"HttpRequest.query_string".into(),
],
label: DataLabel::Source(Cap::all()),
case_sensitive: true,
});
rules.push(RuntimeLabelRule {
matchers: vec![
"HttpResponse.body".into(),
"HttpResponse.json".into(),
"HttpResponse.content_type".into(),
"body".into(),
"json".into(),
],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: true,
});
}
if ctx.has(DetectedFramework::Rocket) {
rules.push(RuntimeLabelRule {
matchers: vec![
"Json".into(),
"Form".into(),
"LenientForm".into(),
"TempFile".into(),
"CookieJar".into(),
"CookieJar.get".into(),
"CookieJar.get_private".into(),
"Request.headers".into(),
"Request.cookies".into(),
],
label: DataLabel::Source(Cap::all()),
case_sensitive: true,
});
rules.push(RuntimeLabelRule {
matchers: vec!["RawHtml".into(), "content::RawHtml".into(), "Html".into()],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: true,
});
rules.push(RuntimeLabelRule {
matchers: vec!["Redirect::to".into()],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: true,
});
}
rules
}
/// Phase C: auth-as-taint label rules for Rust. Gated by
/// `config.scanner.enable_auth_as_taint`; appended to the runtime rule set
/// when the flag is enabled. These declare **sinks** (state-changing or
/// outbound operations that should not be reached by an un-checked
/// request-bound id) and **sanitizers** (ownership/membership guards that
/// validate a caller-supplied id).
pub fn phase_c_auth_rules() -> Vec<RuntimeLabelRule> {
vec![
// ── Sinks requiring Cap::UNAUTHORIZED_ID ──
// Realtime / pub-sub: broadcasting on a caller-supplied group/channel
// id without first verifying membership is the canonical cross-tenant
// leak.
RuntimeLabelRule {
matchers: vec![
"realtime::publish".into(),
"realtime::publish_to_group".into(),
"realtime::publish_to_channel".into(),
"realtime::broadcast".into(),
"broadcaster::send".into(),
"broadcaster::publish".into(),
"pubsub::publish".into(),
],
label: DataLabel::Sink(Cap::UNAUTHORIZED_ID),
case_sensitive: false,
},
// Database mutations keyed by caller-supplied id. These overlay the
// existing SQL_QUERY sink declarations (multi-label composition) so
// a bare id carrying only UNAUTHORIZED_ID still fires.
RuntimeLabelRule {
matchers: vec![
"rusqlite::Connection.execute".into(),
"postgres::Client.execute".into(),
"sqlx::query".into(),
"sqlx::query_as".into(),
"diesel::insert_into".into(),
"diesel::update".into(),
"diesel::delete".into(),
// Type-qualified (receiver typed as DatabaseConnection)
"DatabaseConnection.execute".into(),
"DatabaseConnection.query".into(),
],
label: DataLabel::Sink(Cap::UNAUTHORIZED_ID),
case_sensitive: false,
},
// Outbound cache writes.
RuntimeLabelRule {
matchers: vec![
"redis::cmd".into(),
"cache::set".into(),
"cache::set_ex".into(),
"cache::insert".into(),
],
label: DataLabel::Sink(Cap::UNAUTHORIZED_ID),
case_sensitive: false,
},
// ── Sanitizers clearing Cap::UNAUTHORIZED_ID ──
// Ownership and membership guards from the auth_analysis default
// `authorization_check_names` list. Phase C consumes these via
// call-site argument sanitization (see
// `is_auth_as_taint_arg_sanitizer` in ssa_transfer).
RuntimeLabelRule {
matchers: vec![
"check_ownership".into(),
"has_ownership".into(),
"require_ownership".into(),
"ensure_ownership".into(),
"is_owner".into(),
"authorize".into(),
"verify_access".into(),
"has_permission".into(),
"can_access".into(),
"can_manage".into(),
"require_group_member".into(),
"require_org_member".into(),
"require_workspace_member".into(),
"require_tenant_member".into(),
"require_team_member".into(),
"require_membership".into(),
"check_membership".into(),
"authz::require".into(),
"authz::check".into(),
],
label: DataLabel::Sanitizer(Cap::UNAUTHORIZED_ID),
case_sensitive: false,
},
]
}

513
src/labels/typescript.rs
View file

@ -1,4 +1,7 @@
use crate::labels::{Cap, DataLabel, Kind, LabelRule, ParamConfig};
use crate::labels::{
Cap, DataLabel, GateActivation, Kind, LabelRule, ParamConfig, RuntimeLabelRule, SinkGate,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use phf::{Map, phf_map};
pub static RULES: &[LabelRule] = &[
@ -12,35 +15,442 @@ pub static RULES: &[LabelRule] = &[
"req.params",
"req.headers",
"req.cookies",
"req.hostname",
"req.ip",
"req.path",
"req.protocol",
"req.url",
"req.get",
"req.header",
"process.env",
"location.search",
"location.hash",
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
},
// ───────── Sanitizers ──────────
LabelRule {
matchers: &["encodeURIComponent", "encodeURI"],
matchers: &["JSON.parse"],
label: DataLabel::Sanitizer(Cap::JSON_PARSE),
case_sensitive: false,
},
// See javascript.rs for rationale: encodeURIComponent is safe for
// HTML text and attribute contexts because it percent-encodes <, >,
// &, ", '.
LabelRule {
matchers: &["encodeURIComponent"],
label: DataLabel::Sanitizer(Cap::from_bits_truncate(
Cap::URL_ENCODE.bits() | Cap::HTML_ESCAPE.bits(),
)),
case_sensitive: false,
},
LabelRule {
matchers: &["encodeURI"],
label: DataLabel::Sanitizer(Cap::URL_ENCODE),
case_sensitive: false,
},
LabelRule {
matchers: &["DOMPurify.sanitize"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["xss"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["sanitizeHtml"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["validator.escape"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// Type coercion sanitizers
LabelRule {
matchers: &["parseInt", "parseFloat", "Number"],
label: DataLabel::Sanitizer(Cap::all()),
case_sensitive: true,
},
LabelRule {
matchers: &["sanitizeUrl"],
label: DataLabel::Sanitizer(Cap::URL_ENCODE),
case_sensitive: false,
},
LabelRule {
matchers: &["shell-escape", "shellescape"],
label: DataLabel::Sanitizer(Cap::SHELL_ESCAPE),
case_sensitive: false,
},
// he library — HTML entity encoding
LabelRule {
matchers: &["he.encode", "he.escape"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// Conventional project-local HTML escapers. Suffix word-boundary match
// fires on bare calls to locally defined helpers (`function escapeHtml(x)`
// invoked as `escapeHtml(x)`) across codebases that follow the common
// naming convention. Case-insensitive so `EscapeHtml` / `escapeHTML`
// / `safeHTML` all qualify.
LabelRule {
matchers: &["escapeHtml", "escapeHTML", "htmlEscape", "safeHtml"],
label: DataLabel::Sanitizer(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// ─────────── Sinks ─────────────
LabelRule {
matchers: &["eval"],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
label: DataLabel::Sink(Cap::CODE_EXEC),
case_sensitive: false,
},
LabelRule {
matchers: &["innerHTML"],
matchers: &["innerHTML", "dangerouslySetInnerHTML"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &[
"child_process.exec",
"child_process.execSync",
"child_process.spawn",
"child_process.execFile",
// Bare forms from destructured imports:
// const { exec, execSync } = require('child_process')
"exec",
"execSync",
"execFile",
// Common promisified wrappers around child_process.exec
"execAsync",
"execPromise",
],
label: DataLabel::Sink(Cap::SHELL_ESCAPE),
case_sensitive: true,
},
// ── Outbound HTTP clients — modeled as destination-aware gated sinks ──
// See GATED_SINKS below; rationale mirrors javascript.rs.
LabelRule {
matchers: &[
"location.href",
"window.location.href",
"document.location.href",
],
label: DataLabel::Sink(Cap::URL_ENCODE),
case_sensitive: false,
},
// Express response sinks
LabelRule {
matchers: &["res.send", "res.json"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
LabelRule {
matchers: &["res.redirect"],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
LabelRule {
matchers: &["res.sendFile", "res.download"],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
LabelRule {
matchers: &["res.set", "res.header"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// DOM XSS sinks
LabelRule {
matchers: &[
"document.write",
"document.writeln",
"outerHTML",
"insertAdjacentHTML",
],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
},
// Navigation / open-redirect sinks
LabelRule {
matchers: &["location.assign", "location.replace", "window.open"],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
// Node.js file-system sinks
LabelRule {
matchers: &[
"fs.writeFile",
"fs.writeFileSync",
"fs.readFile",
"fs.readFileSync",
"fs.createReadStream",
"fs.createWriteStream",
"fs.access",
"fs.stat",
"fs.statSync",
"fs.unlink",
"fs.unlinkSync",
"fs.readdir",
"fs.readdirSync",
],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
// Node.js network sinks
LabelRule {
matchers: &["net.createConnection"],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
},
// ─────────── SQL injection sinks ─────────────
// Database drivers: mysql, mysql2, pg, better-sqlite3
LabelRule {
matchers: &[
"connection.query",
"client.query",
"pool.query",
"db.query",
"db.execute",
],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: false,
},
// ORM / query builder raw-SQL entry points
LabelRule {
matchers: &[
"sequelize.query",
"knex.raw",
"$queryRaw",
"$queryRawUnsafe",
"$executeRaw",
"$executeRawUnsafe",
],
label: DataLabel::Sink(Cap::SQL_QUERY),
case_sensitive: true,
},
];
/// Callee patterns that must never be classified as source/sanitizer/sink.
pub static EXCLUDES: &[&str] = &[
// Express route registration
"router.get",
"router.post",
"router.put",
"router.delete",
"router.patch",
"router.use",
"router.all",
"app.get",
"app.post",
"app.put",
"app.delete",
"app.patch",
"app.use",
"app.all",
// Non-user-controlled req properties
"req.session",
"req.app",
"req.route",
"req.next",
];
pub static GATED_SINKS: &[SinkGate] = &[
SinkGate {
callee_matcher: "setAttribute",
arg_index: 0,
dangerous_values: &["href", "src", "action", "formaction", "srcdoc"],
dangerous_prefixes: &["on"],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
payload_args: &[1],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::ValueMatch,
},
SinkGate {
callee_matcher: "parseFromString",
arg_index: 1,
dangerous_values: &["text/html", "application/xhtml+xml"],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::ValueMatch,
},
// ── Outbound HTTP clients (SSRF) — see javascript.rs for rationale ────
SinkGate {
callee_matcher: "fetch",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &["url"],
},
},
SinkGate {
callee_matcher: "axios",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &["url", "baseURL"],
},
},
SinkGate {
callee_matcher: "axios.request",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &["url", "baseURL"],
},
},
SinkGate {
callee_matcher: "axios.get",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &[],
},
},
SinkGate {
callee_matcher: "axios.post",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &[],
},
},
SinkGate {
callee_matcher: "axios.put",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &[],
},
},
SinkGate {
callee_matcher: "axios.patch",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &[],
},
},
SinkGate {
callee_matcher: "axios.delete",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &[],
},
},
SinkGate {
callee_matcher: "got",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &["url", "prefixUrl"],
},
},
SinkGate {
callee_matcher: "undici.request",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &["origin", "path"],
},
},
SinkGate {
callee_matcher: "http.request",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &["host", "hostname", "path", "protocol", "port", "origin"],
},
},
SinkGate {
callee_matcher: "https.request",
arg_index: 0,
dangerous_values: &[],
dangerous_prefixes: &[],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
payload_args: &[0],
keyword_name: None,
dangerous_kwargs: &[],
activation: GateActivation::Destination {
object_destination_fields: &["host", "hostname", "path", "protocol", "port", "origin"],
},
},
];
@ -53,7 +463,7 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"do_statement" => Kind::While,
"return_statement" => Kind::Return,
"throw_statement" => Kind::Return,
"throw_statement" => Kind::Throw,
"break_statement" => Kind::Break,
"continue_statement" => Kind::Continue,
@ -67,11 +477,11 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"method_definition" => Kind::Function,
"generator_function_declaration" => Kind::Function,
"generator_function" => Kind::Function,
"switch_statement" => Kind::Block,
"switch_statement" => Kind::Switch,
"switch_body" => Kind::Block,
"switch_case" => Kind::Block,
"switch_default" => Kind::Block,
"try_statement" => Kind::Block,
"try_statement" => Kind::Try,
"catch_clause" => Kind::Block,
"finally_clause" => Kind::Block,
"class_declaration" => Kind::Block,
@ -88,6 +498,8 @@ pub static KINDS: Map<&'static str, Kind> = phf_map! {
"variable_declaration" => Kind::CallWrapper,
"lexical_declaration" => Kind::CallWrapper,
"expression_statement" => Kind::CallWrapper,
"as_expression" => Kind::Seq,
"type_assertion" => Kind::Seq,
// trivia
"comment" => Kind::Trivia,
@ -106,3 +518,90 @@ pub static PARAM_CONFIG: ParamConfig = ParamConfig {
self_param_kinds: &[],
ident_fields: &["name", "pattern"],
};
/// Framework-conditional rules for TypeScript.
pub fn framework_rules(ctx: &FrameworkContext) -> Vec<RuntimeLabelRule> {
let mut rules = Vec::new();
if ctx.has(DetectedFramework::Koa) {
rules.push(RuntimeLabelRule {
matchers: vec![
"ctx.request.body".into(),
"ctx.request.query".into(),
"ctx.request.querystring".into(),
"ctx.request.params".into(),
"ctx.request.headers".into(),
"ctx.request.header".into(),
"ctx.request.get".into(),
"ctx.query".into(),
"ctx.params".into(),
"ctx.headers".into(),
"ctx.header".into(),
"ctx.get".into(),
"ctx.cookies.get".into(),
"ctx.hostname".into(),
"ctx.ip".into(),
"ctx.path".into(),
"ctx.protocol".into(),
"ctx.url".into(),
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["ctx.body".into()],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["ctx.redirect".into()],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["ctx.set".into(), "ctx.append".into()],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
});
}
if ctx.has(DetectedFramework::Fastify) {
rules.push(RuntimeLabelRule {
matchers: vec![
"request.body".into(),
"request.query".into(),
"request.params".into(),
"request.headers".into(),
"request.cookies".into(),
"request.hostname".into(),
"request.ip".into(),
"request.url".into(),
"request.raw.headers".into(),
],
label: DataLabel::Source(Cap::all()),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["reply.send".into()],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["reply.redirect".into()],
label: DataLabel::Sink(Cap::SSRF),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["reply.sendFile".into(), "reply.download".into()],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
});
rules.push(RuntimeLabelRule {
matchers: vec!["reply.header".into(), "reply.headers".into()],
label: DataLabel::Sink(Cap::HTML_ESCAPE),
case_sensitive: false,
});
}
rules
}