Added Cap::DATA_EXFIL and taint fp and fn fixes on real repos (#59)

* feat: Enhance data exfiltration detection with source sensitivity gating for cookies and headers * feat: Implement cross-file data exfiltration detection with parameter-specific gate filters * feat: Add calibration tests and refine DATA_EXFIL severity scoring logic * feat: Introduce per-detector configuration for data exfiltration suppression * feat: Enhance DATA_EXFIL findings with destination field tracking in diagnostics and SARIF output * feat: Add tainted body and URL handling for data exfiltration detection * feat: Add integration tests and fixtures for DATA_EXFIL and SSRF detection in Go * feat: Add Java integration tests and fixtures for DATA_EXFIL detection across multiple HTTP clients * feat: Add synthetic externals handling for closure-captured variables in SSA * feat: Implement closure-based suppression for resource leak findings * feat: Add regression guards for shell-injection and taint propagation in for-of destructure patterns * feat: Implement constructor cap narrowing for data exfiltration detection in HTTP request builders * feat: Add gated sinks for data exfiltration detection in C and C++ using curl_easy_setopt * feat: Implement DATA_EXFIL cap parity for backwards analysis and add integration tests * feat: Add data exfiltration sinks for various languages and enhance documentation * refactor: Simplify formatting and improve readability in various files * refactor: Improve readability by simplifying conditional statements and adding clippy linting * docs: Update CHANGELOG and comments for data exfiltration features and configuration * docs: Clarify configuration instructions for data exfiltration trusted destinations * docs: Enhance comments for evidence routing logic in data exfiltration
2026-06-21 20:18:06 +02:00 · 2026-05-01 10:59:52 -04:00 · 2026-05-01 10:59:52 -04:00 · 58f1794a4e
commit 58f1794a4e
parent a438886217
189 changed files with 8421 additions and 383 deletions
--- a/tests/backwards_analysis_tests.rs
+++ b/tests/backwards_analysis_tests.rs
@ -104,7 +104,33 @@ fn demand_driven_suite() {
        "no_source: no backwards-confirmed notes on a source-free fixture"
    );

-    // ── 5. backwards OFF is a strict no-op: no confirmed notes.
+    // ── 5. data_exfil cap parity: the backwards engine must
+    //         round-trip `Cap::DATA_EXFIL` exactly like SQL/CMD/SSRF.
+    //         The forward engine fires `taint-data-exfiltration`
+    //         on a cookie → fetch-body flow; backwards must reach
+    //         the request.cookies source and confirm.
+    set_backwards(true);
+    let dir = fixture_path("demand_driven_data_exfil");
+    let diags = scan_fixture_dir(&dir, AnalysisMode::Full);
+    validate_expectations(&diags, &dir);
+    let exfil_confirmed = diags
+        .iter()
+        .filter(|d| {
+            d.id.starts_with("taint-data-exfiltration")
+                && has_backwards_note(d, "backwards-confirmed")
+        })
+        .count();
+    assert!(
+        exfil_confirmed >= 1,
+        "data_exfil: expected ≥1 backwards-confirmed taint-data-exfiltration finding; got diags: {}",
+        diags
+            .iter()
+            .map(|d| format!("{}:{}", d.id, d.line))
+            .collect::<Vec<_>>()
+            .join(", ")
+    );
+
+    // ── 6. backwards OFF is a strict no-op: no confirmed notes.
    set_backwards(false);
    let dir = fixture_path("demand_driven_reach_source");
    let diags = scan_fixture_dir(&dir, AnalysisMode::Full);