circle-ir v3.36.0

@openmason openmason released this 12 Jun 01:25

Fixed

Python taint flows emit for every sink category — systematic fix (#18).

result.taint.flows was empty for every Python case (sqli, command_injection, path_traversal, code_injection, deserialization, xxe, ldap_injection, open_redirect) — including the XSS case the reporter believed was working.

Root causes

Two structural defects, not category-specific:

  1. No per-language DFG builder for Python. core/extractors/dfg.ts:buildDFG() dispatches on language with explicit branches for JS, Rust, Bash and Go. Python falls through to buildJavaDFG(), which scans for method_declaration AST nodes, but Python emits function_definition, so nothing is found. Result: every Python file produced an empty DFG.
  2. Python compound-expression args lose arg.variable. extractPythonArguments only sets arg.variable for bare identifier nodes. For cur.execute("SELECT … " + uid) the argument is a concatenation, so arg.variable stays undefined, and the DFG propagator's exact arg.variable === use.variable comparison can never match it.

Fix

A language-agnostic detectExpressionScanFlows() supplement in TaintPropagationPass. For each sink call it word-boundary-matches each source's explicit .variable field against the text of the sink's argument expressions, so a compound argument such as "SELECT … " + uid is still recognized. It reuses the existing FP filters and respects sink.argPositions. ~40 LOC versus ~990 LOC for a full Python DFG. Because it is a textual match on the argument expression rather than a dataflow walk, it keys on the variable name alone: reassignment or sanitization between source and sink is not tracked by the scan itself and is left to the existing FP filters.

Why systematic

Python's findPythonAssignmentSources already sets source.variable for assignment-style sources — a single variable-tracking primitive covers every sink category at once. Not a per-category patch.
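As an added example (not circle-ir's own code) of the expression-scan supplement described under Fix, and of why the propagator's exact arg.variable comparison misses compound arguments (root cause 2), here is a standalone TypeScript sketch. The TaintSource / SinkCall / TaintFlow shapes, their field names, bareIdentifier(), mentionsVariable() and the sample Python sources and sinks are assumptions for illustration, not the project's actual types or data.

```typescript
// Added example (not circle-ir code): a minimal expression-scan taint-flow
// detector in the spirit of the detectExpressionScanFlows() supplement.
// Type and field names and the sample data below are assumptions.

interface TaintSource {
  variable: string; // name the source binds, e.g. "uid" for uid = request.args.get("id")
  line: number;
  kind: string;     // e.g. "http.param"
}

interface SinkCall {
  category: string;        // e.g. "sqli", "command_injection"
  line: number;
  args: string[];          // raw text of each argument expression
  argPositions?: number[]; // injection-sensitive positions; omitted = all
}

interface TaintFlow {
  source: TaintSource;
  sink: SinkCall;
  argIndex: number;
}

// Models the root-cause-2 limitation: only a bare identifier yields a variable
// name; any compound expression yields undefined, so an exact
// arg.variable === use.variable comparison can never match it.
function bareIdentifier(expr: string): string | undefined {
  const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*$/.exec(expr);
  return m ? m[1] : undefined;
}

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Word-boundary match: "uid" hits `"SELECT " + uid` and `f"{uid}"` but not
// `uid2` or `user_uid` (JS \b treats digits and _ as word characters).
function mentionsVariable(expr: string, variable: string): boolean {
  return new RegExp(`\\b${escapeRegExp(variable)}\\b`).test(expr);
}

function detectExpressionScanFlows(sources: TaintSource[], sinks: SinkCall[]): TaintFlow[] {
  const flows: TaintFlow[] = [];
  const seen = new Set<string>(); // one flow per (source, sink line, category)
  for (const sink of sinks) {
    const positions = sink.argPositions ?? sink.args.map((_, i) => i);
    for (const argIndex of positions) {
      const expr = sink.args[argIndex];
      if (expr === undefined) continue;
      for (const source of sources) {
        if (!source.variable) continue;
        if (source.line > sink.line) continue; // source defined after the sink cannot reach it
        if (!mentionsVariable(expr, source.variable)) continue;
        const key = `${source.line}:${source.variable}->${sink.line}:${sink.category}`;
        if (seen.has(key)) continue;
        seen.add(key);
        flows.push({ source, sink, argIndex });
      }
    }
  }
  return flows;
}

// Constructed Python snippet that the sample data below models (not from the report):
//   1  uid = request.args.get("id")
//   3  cur.execute("SELECT * FROM users WHERE id = " + uid)
//   4  os.system("ls " + uid2)
//   5  open(path, uid)
//   6  redirect(late)
//   7  eval(f"print({uid})")
//   9  late = request.args.get("next")
const sampleSources: TaintSource[] = [
  { variable: "uid", line: 1, kind: "http.param" },
  { variable: "late", line: 9, kind: "http.param" },
];

const sampleSinks: SinkCall[] = [
  { category: "sqli", line: 3, args: ['"SELECT * FROM users WHERE id = " + uid'] },
  { category: "command_injection", line: 4, args: ['"ls " + uid2'] },
  { category: "path_traversal", line: 5, args: ["path", "uid"], argPositions: [0] },
  { category: "open_redirect", line: 6, args: ["late"] },
  { category: "code_injection", line: 7, args: ['f"print({uid})"'] },
];

function runSample(): TaintFlow[] {
  return detectExpressionScanFlows(sampleSources, sampleSinks);
}

// Expected: [ 'sqli@3 <- uid', 'code_injection@7 <- uid' ]
console.log(runSample().map((f) => `${f.sink.category}@${f.sink.line} <- ${f.source.variable}`));
```

Only the sqli and code_injection sinks flow: uid2 fails the word boundary, the path_traversal sink's uid sits outside argPositions, and late is bound after the redirect call. Swap mentionsVariable for an exact comparison against bareIdentifier(expr) and the sqli case on line 3 disappears, which is the gap the supplement closes.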

Tests

  • 10 unit tests (taint-propagation-pass.test.ts) — positive cases, multi-sink-same-line dedup, argPositions filter, word-boundary, dead-code, Java non-emission, source-after-sink, propagator dedup.
  • 11 end-to-end tests (taint-propagation.test.ts) — every previously-broken Python category + XSS positive control + Java sqli non-regression.

Total suite: 1925 passing tests (1904 baseline + 21 new).

Notes

  • Reporter's premise that "XSS works, others don't" was falsified by a direct probe: no Python category emitted flows.
  • The Python DFG fall-through is a latent bug that also affects other consumers of the DFG (DFGVerifier, PathFinder), which still see an empty DFG for Python files. A proper buildPythonDFG remains future work.