feat: implement module alias tracking for dynamic dispatch in JS/TS

Author: elicpeter

src/ast.rs

@@ -250,6 +250,52 @@ fn is_binary(bytes: &[u8]) -> bool {
     bytes.iter().filter(|b| **b == 0).count() * 100 / bytes.len().max(1) > 1
 }
 
+/// Check if a file path indicates a test file. Matches filename-based
+/// conventions (`.test.js`, `.spec.ts`) and the `__tests__` directory
+/// convention.  Directory-only checks (`test/`, `tests/`, `fixtures/`)
+/// are intentionally excluded because they're too broad when scanning
+/// absolute paths.
+fn is_test_file(path: &Path) -> bool {
+    static TEST_SUFFIXES: &[&str] = &[
+        ".test.js",
+        ".test.ts",
+        ".test.jsx",
+        ".test.tsx",
+        ".spec.js",
+        ".spec.ts",
+        ".spec.jsx",
+        ".spec.tsx",
+    ];
+
+    if let Some(name) = path.file_name().and_then(|n| n.to_str()) {
+        for suffix in TEST_SUFFIXES {
+            if name.ends_with(suffix) {
+                return true;
+            }
+        }
+    }
+
+    // __tests__ is specific enough (React/Jest convention) to match on directory
+    for component in path.components() {
+        if let std::path::Component::Normal(c) = component
+            && c == "__tests__"
+        {
+            return true;
+        }
+    }
+
+    false
+}
+
+/// Pattern IDs that are noise-prone in test files (fixture credentials,
+/// non-crypto randomness, plain HTTP in test harnesses).
+fn is_test_suppressible_pattern(id: &str) -> bool {
+    // Suffix-match to handle both js. and ts. prefixes
+    id.ends_with(".secrets.hardcoded_secret")
+        || id.ends_with(".crypto.math_random")
+        || id.ends_with(".transport.fetch_http")
+}
+
 /// Check if a file path belongs to a non-production context (tests, vendor,
 /// benchmarks, etc.).  Used to downgrade severity for findings in paths that
 /// are unlikely to represent attack surface.
@@ -363,11 +409,16 @@ impl<'a> ParsedSource<'a> {
         let compiled = query_cache::for_lang(self.lang_slug, self.ts_lang.clone());
         let mut cursor = QueryCursor::new();
         let mut out = Vec::new();
+        let in_test_file = is_test_file(self.path);
 
         for cq in compiled.iter() {
             if cq.meta.severity > cfg.scanner.min_severity {
                 continue;
             }
+            // Suppress noise-prone patterns in test files
+            if in_test_file && is_test_suppressible_pattern(cq.meta.id) {
+                continue;
+            }
             let mut matches = cursor.matches(&cq.query, root, self.bytes);
             while let Some(m) = matches.next() {
                 if let Some(cap) = m.captures.iter().find(|c| c.index == 0) {

src/cfg.rs

@@ -2448,7 +2448,18 @@ fn push_node<'a>(
 fn extract_param_names<'a>(func_node: Node<'a>, lang: &str, code: &'a [u8]) -> Vec<String> {
     let cfg = param_config(lang);
     let mut names = Vec::new();
-    let Some(params) = func_node.child_by_field_name(cfg.params_field) else {
+    // Try the params_field directly on the function node first.
+    // For C/C++, the parameter list is nested inside the declarator
+    // (function_definition > declarator:function_declarator > parameters:parameter_list),
+    // so fall back to looking one level deeper via the "declarator" field.
+    let params = func_node
+        .child_by_field_name(cfg.params_field)
+        .or_else(|| {
+            func_node
+                .child_by_field_name("declarator")
+                .and_then(|d| d.child_by_field_name(cfg.params_field))
+        });
+    let Some(params) = params else {
         return names;
     };
     let mut cursor = params.walk();
@@ -6027,4 +6038,48 @@ mod cfg_tests {
         assert!(!has_sql_placeholders("SELECT * FROM t WHERE x = $0")); // $0 not valid
         assert!(!has_sql_placeholders("ratio = 50%")); // %<not s>
     }
+
+    #[test]
+    fn c_function_extracts_param_names() {
+        let src = b"void handle_command(int cmd, char *arg) { }";
+        let ts_lang = Language::from(tree_sitter_c::LANGUAGE);
+        let file_cfg = parse_to_file_cfg(src, "c", ts_lang);
+        let params: Vec<_> = file_cfg
+            .summaries
+            .values()
+            .flat_map(|s| s.param_names.iter().cloned())
+            .collect();
+        assert!(
+            params.contains(&"cmd".to_string()),
+            "expected 'cmd' in params, got: {:?}",
+            params
+        );
+        assert!(
+            params.contains(&"arg".to_string()),
+            "expected 'arg' in params, got: {:?}",
+            params
+        );
+    }
+
+    #[test]
+    fn cpp_function_extracts_param_names() {
+        let src = b"void process(int x, std::string name) { }";
+        let ts_lang = Language::from(tree_sitter_cpp::LANGUAGE);
+        let file_cfg = parse_to_file_cfg(src, "cpp", ts_lang);
+        let params: Vec<_> = file_cfg
+            .summaries
+            .values()
+            .flat_map(|s| s.param_names.iter().cloned())
+            .collect();
+        assert!(
+            params.contains(&"x".to_string()),
+            "expected 'x' in params, got: {:?}",
+            params
+        );
+        assert!(
+            params.contains(&"name".to_string()),
+            "expected 'name' in params, got: {:?}",
+            params
+        );
+    }
 }

src/cfg_analysis/guards.rs

@@ -32,26 +32,28 @@ fn is_all_args_constant(ctx: &AnalysisContext, sink: NodeIndex) -> bool {
         .split(['.', ':'])
         .map(|p| p.split('(').next().unwrap_or(p))
         .collect();
+    // When the callee was overridden by an inner call (e.g. `db.query` inside
+    // `Promise.all([db.query(...)])`), the outer callee's parts (e.g. "Promise",
+    // "all") also belong to the callee machinery, not to arguments.
+    let outer_parts: Vec<&str> = sink_info
+        .call
+        .outer_callee
+        .as_deref()
+        .map(|oc| {
+            oc.split(['.', ':'])
+                .map(|p| p.split('(').next().unwrap_or(p))
+                .collect()
+        })
+        .unwrap_or_default();
     let sink_func = sink_info.ast.enclosing_func.as_deref();
 
-    // Collect parameter names for the enclosing function — parameters are not
-    // user-controlled constants but they're not externally tainted either, so
-    // they should not block constant-arg suppression.
-    let param_names: Vec<&str> = ctx
-        .func_summaries
-        .values()
-        .filter(|s| ctx.cfg[s.entry].ast.enclosing_func.as_deref() == sink_func)
-        .flat_map(|s| s.param_names.iter().map(|p| p.as_str()))
-        .collect();
-
     sink_info.taint.uses.iter().all(|u| {
-        // Part of the callee name itself → constant
+        // Part of the callee name itself → not an argument, skip
         // Check both individual parts and the full dotted callee path
-        if callee_parts.contains(&u.as_str()) || u == callee_desc {
-            return true;
-        }
-        // Function parameter → not externally tainted
-        if param_names.contains(&u.as_str()) {
+        if callee_parts.contains(&u.as_str())
+            || u == callee_desc
+            || outer_parts.contains(&u.as_str())
+        {
             return true;
         }
         // One-hop trace: find the defining node in the same function
@@ -424,6 +426,29 @@ impl CfgAnalysis for UnguardedSink {
                 if (sink_caps & high_risk).is_empty() {
                     continue; // FILE_IO, SSRF, FMT_STRING etc. without taint → noise
                 }
+                // If the function containing the sink has no Source-labeled
+                // nodes AND no parameters (through which taint could flow
+                // from callers), taint ran and found nothing because there
+                // is nothing to find.  Suppress — the structural finding
+                // is noise.
+                let sink_func = sink_info.ast.enclosing_func.as_deref();
+                let has_sources = ctx.cfg.node_indices().any(|n| {
+                    let info = &ctx.cfg[n];
+                    info.ast.enclosing_func.as_deref() == sink_func
+                        && info
+                            .taint
+                            .labels
+                            .iter()
+                            .any(|l| matches!(l, DataLabel::Source(_)))
+                });
+                let has_params = ctx.func_summaries.values().any(|s| {
+                    s.entry.index() < ctx.cfg.node_count()
+                        && ctx.cfg[s.entry].ast.enclosing_func.as_deref() == sink_func
+                        && !s.param_names.is_empty()
+                });
+                if !has_sources && !has_params {
+                    continue; // No sources or params in scope → noise
+                }
                 (Severity::Medium, Confidence::Medium)
             };
 

src/database.rs

@@ -1978,6 +1978,7 @@ fn make_test_callee_body(
             },
             alias_result: crate::ssa::alias::BaseAliasResult::empty(),
             points_to: crate::ssa::heap::PointsToResult::empty(),
+            module_aliases: std::collections::HashMap::new(),
             branches_pruned: 0,
             copies_eliminated: 0,
             dead_defs_removed: 0,

src/patterns/javascript.rs

@@ -241,4 +241,71 @@ pub const PATTERNS: &[Pattern] = &[
         category: PatternCategory::InsecureConfig,
         confidence: Confidence::High,
     },
+    // ── Tier A: TLS verification disabled ─────────────────────────────
+    Pattern {
+        id: "js.config.reject_unauthorized",
+        description: "TLS certificate verification disabled via rejectUnauthorized: false",
+        query: r#"(pair
+                     key: (property_identifier) @key (#eq? @key "rejectUnauthorized")
+                     value: (false) @val)
+                   @vuln"#,
+        severity: Severity::Medium,
+        tier: PatternTier::A,
+        category: PatternCategory::InsecureConfig,
+        confidence: Confidence::High,
+    },
+    // ── Tier A: Hardcoded fallback secret ──────────────────────────────
+    Pattern {
+        id: "js.secrets.fallback_secret",
+        description: "Environment variable with secret-like name has hardcoded fallback value",
+        query: r#"(binary_expression
+                     left: (member_expression
+                       object: (member_expression
+                         object: (identifier) @proc (#eq? @proc "process")
+                         property: (property_identifier) @env (#eq? @env "env"))
+                       property: (property_identifier) @key
+                         (#match? @key "(?i)(secret|password|key|token)"))
+                     operator: "||"
+                     right: (string) @fallback)
+                   @vuln"#,
+        severity: Severity::Medium,
+        tier: PatternTier::A,
+        category: PatternCategory::Secrets,
+        confidence: Confidence::Medium,
+    },
+    // ── Tier A: Verbose error response ────────────────────────────────
+    Pattern {
+        id: "js.config.verbose_error_response",
+        description: "Error object passed to response renderer — may leak stack traces to users",
+        query: r#"(call_expression
+                     function: (member_expression
+                       property: (property_identifier) @method
+                         (#match? @method "^(render|send|json)$"))
+                     arguments: (arguments
+                       (_)
+                       (object
+                         (shorthand_property_identifier) @prop
+                           (#eq? @prop "error"))))
+                   @vuln"#,
+        severity: Severity::Medium,
+        tier: PatternTier::A,
+        category: PatternCategory::InsecureConfig,
+        confidence: Confidence::Medium,
+    },
+    // ── Tier B: CORS dynamic origin reflection ────────────────────────
+    Pattern {
+        id: "js.config.cors_dynamic_origin",
+        description: "CORS Access-Control-Allow-Origin set to dynamic value — may reflect arbitrary origins",
+        query: r#"(call_expression
+                     function: (member_expression
+                       property: (property_identifier) @method (#eq? @method "setHeader"))
+                     arguments: (arguments
+                       (string) @header_name (#match? @header_name "Access-Control-Allow-Origin")
+                       . (identifier) @value))
+                   @vuln"#,
+        severity: Severity::High,
+        tier: PatternTier::A,
+        category: PatternCategory::InsecureConfig,
+        confidence: Confidence::Medium,
+    },
 ];

src/patterns/typescript.rs

@@ -230,4 +230,71 @@ pub const PATTERNS: &[Pattern] = &[
         category: PatternCategory::InsecureConfig,
         confidence: Confidence::High,
     },
+    // ── Tier A: TLS verification disabled ─────────────────────────────
+    Pattern {
+        id: "ts.config.reject_unauthorized",
+        description: "TLS certificate verification disabled via rejectUnauthorized: false",
+        query: r#"(pair
+                     key: (property_identifier) @key (#eq? @key "rejectUnauthorized")
+                     value: (false) @val)
+                   @vuln"#,
+        severity: Severity::Medium,
+        tier: PatternTier::A,
+        category: PatternCategory::InsecureConfig,
+        confidence: Confidence::High,
+    },
+    // ── Tier A: Hardcoded fallback secret ──────────────────────────────
+    Pattern {
+        id: "ts.secrets.fallback_secret",
+        description: "Environment variable with secret-like name has hardcoded fallback value",
+        query: r#"(binary_expression
+                     left: (member_expression
+                       object: (member_expression
+                         object: (identifier) @proc (#eq? @proc "process")
+                         property: (property_identifier) @env (#eq? @env "env"))
+                       property: (property_identifier) @key
+                         (#match? @key "(?i)(secret|password|key|token)"))
+                     operator: "||"
+                     right: (string) @fallback)
+                   @vuln"#,
+        severity: Severity::Medium,
+        tier: PatternTier::A,
+        category: PatternCategory::Secrets,
+        confidence: Confidence::Medium,
+    },
+    // ── Tier A: Verbose error response ────────────────────────────────
+    Pattern {
+        id: "ts.config.verbose_error_response",
+        description: "Error object passed to response renderer — may leak stack traces to users",
+        query: r#"(call_expression
+                     function: (member_expression
+                       property: (property_identifier) @method
+                         (#match? @method "^(render|send|json)$"))
+                     arguments: (arguments
+                       (_)
+                       (object
+                         (shorthand_property_identifier) @prop
+                           (#eq? @prop "error"))))
+                   @vuln"#,
+        severity: Severity::Medium,
+        tier: PatternTier::A,
+        category: PatternCategory::InsecureConfig,
+        confidence: Confidence::Medium,
+    },
+    // ── Tier B: CORS dynamic origin reflection ────────────────────────
+    Pattern {
+        id: "ts.config.cors_dynamic_origin",
+        description: "CORS Access-Control-Allow-Origin set to dynamic value — may reflect arbitrary origins",
+        query: r#"(call_expression
+                     function: (member_expression
+                       property: (property_identifier) @method (#eq? @method "setHeader"))
+                     arguments: (arguments
+                       (string) @header_name (#match? @header_name "Access-Control-Allow-Origin")
+                       . (identifier) @value))
+                   @vuln"#,
+        severity: Severity::High,
+        tier: PatternTier::A,
+        category: PatternCategory::InsecureConfig,
+        confidence: Confidence::Medium,
+    },
 ];

src/server/debug.rs

@@ -943,6 +943,11 @@ pub fn analyse_function_taint(
         points_to: Some(&opt.points_to),
         dynamic_pts: None,
         import_bindings: None,
+        module_aliases: if opt.module_aliases.is_empty() {
+            None
+        } else {
+            Some(&opt.module_aliases)
+        },
     };
 
     crate::taint::ssa_transfer::run_ssa_taint_full_with_exits(ssa, cfg, &transfer)