Seed sinks for web frameworks and ORMs

detect/threat_test.go

@@ -258,26 +258,38 @@ func TestSinksRubyProject(t *testing.T) {
 	sr := engine.Sinks(r)
 
 	if len(sr.Sinks) == 0 {
-		t.Fatal("expected sinks from Ruby language def")
+		t.Fatal("expected sinks from detected tools")
 	}
 
-	// All sinks in this fixture come from Ruby (only ruby/language.toml has sinks).
-	bySymbol := make(map[string]brief.SinkEntry)
+	// Index by tool+symbol since multiple tools can have a sink with the same name.
+	type key struct{ tool, symbol string }
+	idx := make(map[key]brief.SinkEntry)
 	for _, s := range sr.Sinks {
-		if s.Tool != "Ruby" {
-			t.Errorf("unexpected sink from %q: %v", s.Tool, s)
-		}
-		bySymbol[s.Symbol] = s
+		idx[key{s.Tool, s.Symbol}] = s
 	}
 
-	if e, ok := bySymbol["eval"]; !ok {
-		t.Error("expected eval sink")
+	// Ruby stdlib sinks
+	if e, ok := idx[key{"Ruby", "eval"}]; !ok {
+		t.Error("expected Ruby eval sink")
 	} else if e.Threat != "code_injection" || e.CWE != "CWE-95" {
-		t.Errorf("eval sink = %+v", e)
+		t.Errorf("Ruby eval sink = %+v", e)
+	}
+	if _, ok := idx[key{"Ruby", "Marshal.load"}]; !ok {
+		t.Error("expected Ruby Marshal.load sink")
+	}
+
+	// Rails framework sinks
+	if e, ok := idx[key{"Rails", "html_safe"}]; !ok {
+		t.Error("expected Rails html_safe sink")
+	} else if e.Threat != "xss" {
+		t.Errorf("Rails html_safe threat = %q, want xss", e.Threat)
 	}
 
-	if _, ok := bySymbol["Marshal.load"]; !ok {
-		t.Error("expected Marshal.load sink")
+	// ActiveRecord ORM sinks
+	if e, ok := idx[key{"ActiveRecord", "find_by_sql"}]; !ok {
+		t.Error("expected ActiveRecord find_by_sql sink")
+	} else if e.Threat != "sql_injection" {
+		t.Errorf("ActiveRecord find_by_sql threat = %q, want sql_injection", e.Threat)
 	}
 }
 

knowledge/elixir/ecto.toml

@@ -20,3 +20,31 @@ run = "mix ecto.migrate"
 role = ["library"]
 function = ["data-mapping", "validation"]
 layer = ["data-layer"]
+
+[[security.sinks]]
+symbol = "Repo.query"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "With interpolation; $1 placeholders are safe"
+
+[[security.sinks]]
+symbol = "Repo.query!"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "fragment"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "With ^ pinned interpolation outside the fragment"
+
+[[security.sinks]]
+symbol = "Ecto.Adapters.SQL.query"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "cast"
+threat = "mass_assignment"
+cwe = "CWE-915"
+note = "Without explicit field allowlist as second arg"

knowledge/elixir/phoenix.toml

@@ -23,3 +23,31 @@ role = ["framework"]
 function = ["api-development", "templating"]
 layer = ["backend", "full-stack"]
 domain = ["web-development"]
+
+[[security.sinks]]
+symbol = "raw"
+threat = "xss"
+cwe = "CWE-79"
+note = "Phoenix.HTML.raw bypasses escaping"
+
+[[security.sinks]]
+symbol = "safe_to_string"
+threat = "xss"
+cwe = "CWE-79"
+
+[[security.sinks]]
+symbol = "redirect"
+threat = "open_redirect"
+cwe = "CWE-601"
+note = "With external: target"
+
+[[security.sinks]]
+symbol = "send_file"
+threat = "path_traversal"
+cwe = "CWE-22"
+note = "Plug.Conn.send_file"
+
+[[security.sinks]]
+symbol = "send_download"
+threat = "path_traversal"
+cwe = "CWE-22"

knowledge/go/echo.toml

@@ -18,3 +18,29 @@ role = ["framework"]
 function = ["api-development"]
 layer = ["backend"]
 domain = ["web-development"]
+
+[[security.sinks]]
+symbol = "c.HTML"
+threat = "xss"
+cwe = "CWE-79"
+note = "Renders raw HTML string"
+
+[[security.sinks]]
+symbol = "c.HTMLBlob"
+threat = "xss"
+cwe = "CWE-79"
+
+[[security.sinks]]
+symbol = "c.Redirect"
+threat = "open_redirect"
+cwe = "CWE-601"
+
+[[security.sinks]]
+symbol = "c.File"
+threat = "path_traversal"
+cwe = "CWE-22"
+
+[[security.sinks]]
+symbol = "c.Attachment"
+threat = "path_traversal"
+cwe = "CWE-22"

knowledge/go/ent.toml

@@ -21,3 +21,15 @@ files = ["ent/schema/"]
 
 [taxonomy]
 function = ["code-generation"]
+
+[[security.sinks]]
+symbol = "sql.Raw"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "Generated code is safe; raw escape hatch is not"
+
+[[security.sinks]]
+symbol = "ExecContext"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "Direct driver access"

knowledge/go/fiber.toml

@@ -18,3 +18,24 @@ role = ["framework"]
 function = ["api-development"]
 layer = ["backend"]
 domain = ["web-development"]
+
+[[security.sinks]]
+symbol = "c.SendString"
+threat = "xss"
+cwe = "CWE-79"
+note = "When Content-Type is text/html"
+
+[[security.sinks]]
+symbol = "c.Redirect"
+threat = "open_redirect"
+cwe = "CWE-601"
+
+[[security.sinks]]
+symbol = "c.SendFile"
+threat = "path_traversal"
+cwe = "CWE-22"
+
+[[security.sinks]]
+symbol = "c.Download"
+threat = "path_traversal"
+cwe = "CWE-22"

knowledge/go/gin.toml

@@ -17,3 +17,30 @@ role = ["framework"]
 function = ["api-development"]
 layer = ["backend"]
 domain = ["web-development"]
+
+[[security.sinks]]
+symbol = "c.String"
+threat = "xss"
+cwe = "CWE-79"
+note = "No HTML escaping; use c.HTML for templated output"
+
+[[security.sinks]]
+symbol = "c.Data"
+threat = "xss"
+cwe = "CWE-79"
+note = "When Content-Type is text/html"
+
+[[security.sinks]]
+symbol = "c.Redirect"
+threat = "open_redirect"
+cwe = "CWE-601"
+
+[[security.sinks]]
+symbol = "c.File"
+threat = "path_traversal"
+cwe = "CWE-22"
+
+[[security.sinks]]
+symbol = "c.FileAttachment"
+threat = "path_traversal"
+cwe = "CWE-22"

knowledge/go/gorm.toml

@@ -16,3 +16,42 @@ ecosystems = ["go"]
 role = ["library"]
 function = ["data-mapping"]
 layer = ["data-layer"]
+
+[[security.sinks]]
+symbol = "Raw"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "db.Raw with Sprintf; placeholders are safe"
+
+[[security.sinks]]
+symbol = "Exec"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "Where"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "With Sprintf string; struct/map forms are safe"
+
+[[security.sinks]]
+symbol = "Order"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "Column name not parameterizable"
+
+[[security.sinks]]
+symbol = "Select"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "With string from user input"
+
+[[security.sinks]]
+symbol = "Group"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "Having"
+threat = "sql_injection"
+cwe = "CWE-89"

knowledge/go/pgx.toml

@@ -14,3 +14,19 @@ ecosystems = ["go"]
 role = ["library"]
 function = ["data-mapping"]
 layer = ["data-layer"]
+
+[[security.sinks]]
+symbol = "Query"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "When query built via Sprintf; use $1 placeholders"
+
+[[security.sinks]]
+symbol = "QueryRow"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "Exec"
+threat = "sql_injection"
+cwe = "CWE-89"

knowledge/go/sqlx.toml

@@ -14,3 +14,29 @@ ecosystems = ["go"]
 role = ["library"]
 function = ["data-mapping"]
 layer = ["data-layer"]
+
+[[security.sinks]]
+symbol = "Query"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "When query built via Sprintf; use bindvars"
+
+[[security.sinks]]
+symbol = "Queryx"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "Exec"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "Get"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "Select"
+threat = "sql_injection"
+cwe = "CWE-89"

knowledge/java/spring-boot.toml

@@ -18,3 +18,50 @@ role = ["framework"]
 function = ["api-development", "dependency-injection", "data-mapping"]
 layer = ["backend", "full-stack"]
 domain = ["web-development"]
+
+[[security.sinks]]
+symbol = "@ResponseBody"
+threat = "xss"
+cwe = "CWE-79"
+note = "When returning HTML string without escaping"
+
+[[security.sinks]]
+symbol = "th:utext"
+threat = "xss"
+cwe = "CWE-79"
+note = "Thymeleaf unescaped text"
+
+[[security.sinks]]
+symbol = "RedirectView"
+threat = "open_redirect"
+cwe = "CWE-601"
+
+[[security.sinks]]
+symbol = "redirect:"
+threat = "open_redirect"
+cwe = "CWE-601"
+note = "View name prefix with caller-controlled suffix"
+
+[[security.sinks]]
+symbol = "@Query"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "Spring Data with nativeQuery=true and concat"
+
+[[security.sinks]]
+symbol = "createNativeQuery"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "JPA EntityManager"
+
+[[security.sinks]]
+symbol = "JdbcTemplate.query"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "With concat; PreparedStatement form is safe"
+
+[[security.sinks]]
+symbol = "SpEL"
+threat = "code_injection"
+cwe = "CWE-95"
+note = "SpelExpressionParser.parseExpression with user input; CVE-2022-22965 class"

knowledge/node/angular.toml

@@ -23,3 +23,25 @@ role = ["framework"]
 function = ["templating"]
 layer = ["frontend"]
 domain = ["web-development"]
+
+[[security.sinks]]
+symbol = "bypassSecurityTrustHtml"
+threat = "xss"
+cwe = "CWE-79"
+note = "DomSanitizer"
+
+[[security.sinks]]
+symbol = "bypassSecurityTrustUrl"
+threat = "open_redirect"
+cwe = "CWE-601"
+
+[[security.sinks]]
+symbol = "bypassSecurityTrustScript"
+threat = "xss"
+cwe = "CWE-79"
+
+[[security.sinks]]
+symbol = "innerHTML"
+threat = "xss"
+cwe = "CWE-79"
+note = "[innerHTML] binding; sanitizes by default but bypasses exist"

knowledge/node/drizzle.toml

@@ -23,3 +23,9 @@ files = ["drizzle.config.ts", "drizzle.config.js"]
 role = ["library"]
 function = ["data-mapping"]
 layer = ["data-layer"]
+
+[[security.sinks]]
+symbol = "sql.raw"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "sql template tag is safe; sql.raw bypasses"