repotoire 0.9.0

//! Curated registry of dangerous sinks per language. Quality over coverage — ~a dozen of the
//! highest-confidence sinks per language. See spec §2 Group A. A taint finding is Blocking only
//! when the SSA path terminates at a sink classified here AND no sanitizer is on the path.

// ---- Public types ----------------------------------------------------------------

/// Language discriminant. Maps 1-to-1 from the file extension / parser language.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Lang {
    Js,
    Ts,
    Python,
    Rust,
    Go,
    Java,
    CSharp,
    C,
    Cpp,
}

/// The kind of dangerous sink.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SinkKind {
    /// OS-level command execution (CWE-78)
    Exec,
    /// Raw SQL execution (CWE-89)
    SqlExec,
    /// Code evaluation / dynamic code generation (CWE-94)
    Eval,
    /// File write where path comes from user input (CWE-22 / CWE-73)
    FsWritePath,
    /// HTML/DOM sink that can lead to XSS (CWE-79)
    HtmlSink,
    /// Outbound HTTP request with user-controlled URL (CWE-918 SSRF)
    UrlFetch,
    /// Unsafe deserialization (CWE-502)
    Deserialize,
    /// XML External Entity injection (CWE-611).
    ///
    /// Intentionally has no entries in the sink tables below — `classify_sink`
    /// never returns this variant. The `XxeDetector` emits it directly when it
    /// identifies an XML parser configured to resolve external entities; the
    /// dangerous condition is a parser-config fact, not a callee name, so it
    /// can't be expressed in this receiver/name registry.
    Xxe,
    /// NoSQL query execution — MongoDB/etc. query objects built from tainted input
    /// (operator injection, `$where`, `$regex`, etc.) (CWE-943).
    ///
    /// Not in the generic sink tables: the `NosqlInjectionDetector` recognizes
    /// the query-build terminus via its own taint config and emits this kind
    /// directly when it classifies a taint path.
    NosqlQuery,
}

impl SinkKind {
    pub fn as_str(&self) -> &'static str {
        match self {
            SinkKind::Exec => "exec",
            SinkKind::SqlExec => "sql_exec",
            SinkKind::Eval => "eval",
            SinkKind::FsWritePath => "fs_write_path",
            SinkKind::HtmlSink => "html_sink",
            SinkKind::UrlFetch => "url_fetch",
            SinkKind::Deserialize => "deserialize",
            SinkKind::Xxe => "xxe",
            SinkKind::NosqlQuery => "nosql_query",
        }
    }
}

// ---- Internal sink table type ----------------------------------------------------

/// A sink entry: (receiver-or-module, method-or-function, kind).
///
/// `receiver` is the qualifier text before the dot (module/object name), or `""` for a
/// bare call. Matching is conservative: exact name match on the call's callee text
/// (`receiver + "." + name`, or just `name` if receiver is `""`). Conditionals such as
/// `shell=True` / `mode='w'` / `SafeLoader` are handled in the individual detectors —
/// not here.
struct Sink {
    receiver: &'static str,
    name: &'static str,
    kind: SinkKind,
}

// ---- JS / TS (shared) -----------------------------------------------------------

const JS_SINKS: &[Sink] = &[
    // OS command execution
    Sink {
        receiver: "child_process",
        name: "exec",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "child_process",
        name: "execSync",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "child_process",
        name: "execFile",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "child_process",
        name: "execFileSync",
        kind: SinkKind::Exec,
    },
    // spawn with {shell:true} — detector checks args before reporting Blocking
    Sink {
        receiver: "child_process",
        name: "spawn",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "child_process",
        name: "spawnSync",
        kind: SinkKind::Exec,
    },
    // Code evaluation
    Sink {
        receiver: "",
        name: "eval",
        kind: SinkKind::Eval,
    },
    Sink {
        receiver: "",
        name: "Function",
        kind: SinkKind::Eval,
    }, // new Function(src)
    // setTimeout/setInterval are eval-equivalent ONLY when the first arg is a
    // string literal, not a callback — the EvalDetector must confirm that
    // before promoting to Blocking.
    Sink {
        receiver: "",
        name: "setInterval",
        kind: SinkKind::Eval,
    },
    Sink {
        receiver: "",
        name: "setTimeout",
        kind: SinkKind::Eval,
    },
    // Filesystem write — path taint
    Sink {
        receiver: "fs",
        name: "writeFile",
        kind: SinkKind::FsWritePath,
    },
    Sink {
        receiver: "fs",
        name: "writeFileSync",
        kind: SinkKind::FsWritePath,
    },
    Sink {
        receiver: "fs",
        name: "appendFile",
        kind: SinkKind::FsWritePath,
    },
    Sink {
        receiver: "fs",
        name: "appendFileSync",
        kind: SinkKind::FsWritePath,
    },
    Sink {
        receiver: "fs",
        name: "createWriteStream",
        kind: SinkKind::FsWritePath,
    },
    Sink {
        receiver: "fs",
        name: "unlink",
        kind: SinkKind::FsWritePath,
    },
    Sink {
        receiver: "fs",
        name: "rename",
        kind: SinkKind::FsWritePath,
    },
    Sink {
        receiver: "fs",
        name: "rmdir",
        kind: SinkKind::FsWritePath,
    },
    // Outbound HTTP / SSRF — detector checks that URL arg is tainted
    Sink {
        receiver: "",
        name: "fetch",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "axios",
        name: "get",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "axios",
        name: "post",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "axios",
        name: "put",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "axios",
        name: "request",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "http",
        name: "get",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "http",
        name: "request",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "https",
        name: "get",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "https",
        name: "request",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "got",
        name: "get",
        kind: SinkKind::UrlFetch,
    },
    // HTML / DOM sinks → XSS. Property-write sinks (innerHTML = x, dangerouslySetInnerHTML,
    // res.send / res.write) are detected per-property by the XSS detector; it reports
    // SinkKind::HtmlSink itself. The entries below cover function-call forms.
    Sink {
        receiver: "document",
        name: "write",
        kind: SinkKind::HtmlSink,
    },
    Sink {
        receiver: "document",
        name: "writeln",
        kind: SinkKind::HtmlSink,
    },
];

// ---- Python ---------------------------------------------------------------------

const PY_SINKS: &[Sink] = &[
    // OS command execution
    Sink {
        receiver: "os",
        name: "system",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "os",
        name: "popen",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "os",
        name: "execv",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "os",
        name: "execve",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "os",
        name: "execvp",
        kind: SinkKind::Exec,
    },
    // subprocess — only when shell=True; detector checks before reporting Blocking
    Sink {
        receiver: "subprocess",
        name: "call",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "subprocess",
        name: "run",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "subprocess",
        name: "Popen",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "subprocess",
        name: "check_output",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "subprocess",
        name: "check_call",
        kind: SinkKind::Exec,
    },
    // Code evaluation
    Sink {
        receiver: "",
        name: "eval",
        kind: SinkKind::Eval,
    },
    Sink {
        receiver: "",
        name: "exec",
        kind: SinkKind::Eval,
    },
    // (`compile()` alone is not a sink — it returns a code object; the danger is
    //  `eval`/`exec` of the result, which are already covered above.)
    // Filesystem write — only write/append modes; detector checks mode arg
    Sink {
        receiver: "",
        name: "open",
        kind: SinkKind::FsWritePath,
    },
    // Unsafe deserialization
    Sink {
        receiver: "pickle",
        name: "loads",
        kind: SinkKind::Deserialize,
    },
    Sink {
        receiver: "pickle",
        name: "load",
        kind: SinkKind::Deserialize,
    },
    Sink {
        receiver: "_pickle",
        name: "loads",
        kind: SinkKind::Deserialize,
    },
    Sink {
        receiver: "_pickle",
        name: "load",
        kind: SinkKind::Deserialize,
    },
    // yaml.load without SafeLoader — detector checks Loader kwarg
    Sink {
        receiver: "yaml",
        name: "load",
        kind: SinkKind::Deserialize,
    },
    // Outbound HTTP / SSRF
    Sink {
        receiver: "requests",
        name: "get",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "requests",
        name: "post",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "requests",
        name: "put",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "requests",
        name: "delete",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "requests",
        name: "request",
        kind: SinkKind::UrlFetch,
    },
    // Both `urllib` and `urllib.request` are listed because the call's
    // qualifier text depends on the import form (`import urllib` vs
    // `import urllib.request`); the dotted-path entry is a no-op if the taint
    // infra never produces that receiver string, never a false negative.
    Sink {
        receiver: "urllib",
        name: "urlopen",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "urllib.request",
        name: "urlopen",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "httpx",
        name: "get",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "httpx",
        name: "post",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "httpx",
        name: "request",
        kind: SinkKind::UrlFetch,
    },
];

// ---- Rust -----------------------------------------------------------------------

const RUST_SINKS: &[Sink] = &[
    // OS command execution
    Sink {
        receiver: "Command",
        name: "new",
        kind: SinkKind::Exec,
    }, // std::process::Command::new(<tainted>)
    Sink {
        receiver: "",
        name: "system",
        kind: SinkKind::Exec,
    }, // libc::system
    // Filesystem write — path taint
    Sink {
        receiver: "fs",
        name: "write",
        kind: SinkKind::FsWritePath,
    },
    Sink {
        receiver: "fs",
        name: "remove_file",
        kind: SinkKind::FsWritePath,
    },
    Sink {
        receiver: "File",
        name: "create",
        kind: SinkKind::FsWritePath,
    },
    // (`File::open` is read-only by default — not a write-path sink. A tainted
    //  path to it is a read-side path-traversal concern handled by the
    //  PathTraversalDetector, not promoted here.)
    // Outbound HTTP / SSRF
    Sink {
        receiver: "reqwest",
        name: "get",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "reqwest",
        name: "post",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "reqwest",
        name: "request",
        kind: SinkKind::UrlFetch,
    },
];

// ---- Go -------------------------------------------------------------------------

const GO_SINKS: &[Sink] = &[
    // OS command execution
    Sink {
        receiver: "exec",
        name: "Command",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "exec",
        name: "CommandContext",
        kind: SinkKind::Exec,
    },
    // Filesystem write — path taint
    Sink {
        receiver: "os",
        name: "OpenFile",
        kind: SinkKind::FsWritePath,
    },
    Sink {
        receiver: "os",
        name: "Create",
        kind: SinkKind::FsWritePath,
    },
    Sink {
        receiver: "os",
        name: "Remove",
        kind: SinkKind::FsWritePath,
    },
    Sink {
        receiver: "os",
        name: "WriteFile",
        kind: SinkKind::FsWritePath,
    },
    // `ioutil.WriteFile` is deprecated since Go 1.16 in favour of `os.WriteFile`
    // above, but retained for older codebases.
    Sink {
        receiver: "ioutil",
        name: "WriteFile",
        kind: SinkKind::FsWritePath,
    },
    // Outbound HTTP / SSRF
    Sink {
        receiver: "http",
        name: "Get",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "http",
        name: "Post",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "http",
        name: "NewRequest",
        kind: SinkKind::UrlFetch,
    },
    // HTML template sinks
    Sink {
        receiver: "template",
        name: "HTML",
        kind: SinkKind::HtmlSink,
    },
];

// ---- Java -----------------------------------------------------------------------

const JAVA_SINKS: &[Sink] = &[
    // OS command execution
    Sink {
        receiver: "Runtime",
        name: "exec",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "ProcessBuilder",
        name: "command",
        kind: SinkKind::Exec,
    },
    // Raw SQL
    Sink {
        receiver: "Statement",
        name: "execute",
        kind: SinkKind::SqlExec,
    },
    Sink {
        receiver: "Statement",
        name: "executeQuery",
        kind: SinkKind::SqlExec,
    },
    Sink {
        receiver: "Statement",
        name: "executeUpdate",
        kind: SinkKind::SqlExec,
    },
    Sink {
        receiver: "Statement",
        name: "executeLargeUpdate",
        kind: SinkKind::SqlExec,
    },
    // Outbound HTTP / SSRF
    Sink {
        receiver: "URL",
        name: "openConnection",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "HttpClient",
        name: "send",
        kind: SinkKind::UrlFetch,
    },
];

// ---- C# -------------------------------------------------------------------------

const CSHARP_SINKS: &[Sink] = &[
    // OS command execution
    Sink {
        receiver: "Process",
        name: "Start",
        kind: SinkKind::Exec,
    },
    // Raw SQL
    Sink {
        receiver: "SqlCommand",
        name: "ExecuteReader",
        kind: SinkKind::SqlExec,
    },
    Sink {
        receiver: "SqlCommand",
        name: "ExecuteNonQuery",
        kind: SinkKind::SqlExec,
    },
    Sink {
        receiver: "SqlCommand",
        name: "ExecuteScalar",
        kind: SinkKind::SqlExec,
    },
    // Outbound HTTP / SSRF
    Sink {
        receiver: "HttpClient",
        name: "GetAsync",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "HttpClient",
        name: "PostAsync",
        kind: SinkKind::UrlFetch,
    },
    Sink {
        receiver: "HttpClient",
        name: "SendAsync",
        kind: SinkKind::UrlFetch,
    },
    // Code evaluation
    Sink {
        receiver: "CSharpScript",
        name: "EvaluateAsync",
        kind: SinkKind::Eval,
    },
];

// ---- C / C++ -------------------------------------------------------------------

// C++ shares C_SINKS. The narrow list covers only the clearest cases where tainted
// data reaches a bare libc / POSIX function that is *always* dangerous.
const C_SINKS: &[Sink] = &[
    Sink {
        receiver: "",
        name: "system",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "",
        name: "popen",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "",
        name: "execve",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "",
        name: "execvp",
        kind: SinkKind::Exec,
    },
    Sink {
        receiver: "",
        name: "execv",
        kind: SinkKind::Exec,
    },
];

// ---- Dispatch -------------------------------------------------------------------

fn sinks_for(lang: Lang) -> &'static [Sink] {
    match lang {
        Lang::Js | Lang::Ts => JS_SINKS,
        Lang::Python => PY_SINKS,
        Lang::Rust => RUST_SINKS,
        Lang::Go => GO_SINKS,
        Lang::Java => JAVA_SINKS,
        Lang::CSharp => CSHARP_SINKS,
        Lang::C | Lang::Cpp => C_SINKS,
    }
}

// ---- Public API -----------------------------------------------------------------

/// Classify a call site as a dangerous sink, if it is one.
///
/// `receiver` is the qualifier text before the dot (module / object), or `""` for a bare
/// call. `name` is the method or function name (no dot). Returns `None` if the site is
/// not in the registry — the caller must NOT promote it to Blocking.
pub fn classify_sink(lang: Lang, receiver: &str, name: &str) -> Option<SinkKind> {
    sinks_for(lang)
        .iter()
        .find(|s| s.receiver == receiver && s.name == name)
        .map(|s| s.kind)
}

// ---- Tests ----------------------------------------------------------------------

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn classifies_known_sinks() {
        assert_eq!(
            classify_sink(Lang::Js, "child_process", "exec"),
            Some(SinkKind::Exec)
        );
        assert_eq!(classify_sink(Lang::Js, "", "eval"), Some(SinkKind::Eval));
        assert_eq!(
            classify_sink(Lang::Python, "os", "system"),
            Some(SinkKind::Exec)
        );
        assert_eq!(classify_sink(Lang::Python, "", "println"), None); // not a sink
        assert_eq!(
            classify_sink(Lang::Rust, "Command", "new"),
            Some(SinkKind::Exec)
        );
        assert_eq!(SinkKind::Exec.as_str(), "exec");
    }

    #[test]
    fn classifies_js_sinks_exhaustively() {
        // Eval
        assert_eq!(
            classify_sink(Lang::Js, "", "Function"),
            Some(SinkKind::Eval)
        );
        // FS write
        assert_eq!(
            classify_sink(Lang::Js, "fs", "writeFile"),
            Some(SinkKind::FsWritePath)
        );
        assert_eq!(
            classify_sink(Lang::Js, "fs", "createWriteStream"),
            Some(SinkKind::FsWritePath)
        );
        assert_eq!(
            classify_sink(Lang::Js, "fs", "unlink"),
            Some(SinkKind::FsWritePath)
        );
        // URL fetch
        assert_eq!(
            classify_sink(Lang::Js, "", "fetch"),
            Some(SinkKind::UrlFetch)
        );
        assert_eq!(
            classify_sink(Lang::Js, "axios", "get"),
            Some(SinkKind::UrlFetch)
        );
        assert_eq!(
            classify_sink(Lang::Js, "https", "get"),
            Some(SinkKind::UrlFetch)
        );
        // HTML
        assert_eq!(
            classify_sink(Lang::Js, "document", "write"),
            Some(SinkKind::HtmlSink)
        );
    }

    #[test]
    fn classifies_python_sinks_exhaustively() {
        // exec
        assert_eq!(
            classify_sink(Lang::Python, "subprocess", "run"),
            Some(SinkKind::Exec)
        );
        assert_eq!(
            classify_sink(Lang::Python, "subprocess", "Popen"),
            Some(SinkKind::Exec)
        );
        assert_eq!(
            classify_sink(Lang::Python, "os", "popen"),
            Some(SinkKind::Exec)
        );
        // eval
        assert_eq!(
            classify_sink(Lang::Python, "", "eval"),
            Some(SinkKind::Eval)
        );
        assert_eq!(
            classify_sink(Lang::Python, "", "exec"),
            Some(SinkKind::Eval)
        );
        // fs
        assert_eq!(
            classify_sink(Lang::Python, "", "open"),
            Some(SinkKind::FsWritePath)
        );
        // deserialize
        assert_eq!(
            classify_sink(Lang::Python, "pickle", "loads"),
            Some(SinkKind::Deserialize)
        );
        assert_eq!(
            classify_sink(Lang::Python, "yaml", "load"),
            Some(SinkKind::Deserialize)
        );
        // url
        assert_eq!(
            classify_sink(Lang::Python, "requests", "get"),
            Some(SinkKind::UrlFetch)
        );
        assert_eq!(
            classify_sink(Lang::Python, "urllib", "urlopen"),
            Some(SinkKind::UrlFetch)
        );
    }

    #[test]
    fn classifies_rust_sinks_exhaustively() {
        assert_eq!(
            classify_sink(Lang::Rust, "Command", "new"),
            Some(SinkKind::Exec)
        );
        assert_eq!(
            classify_sink(Lang::Rust, "fs", "write"),
            Some(SinkKind::FsWritePath)
        );
        assert_eq!(
            classify_sink(Lang::Rust, "File", "create"),
            Some(SinkKind::FsWritePath)
        );
        assert_eq!(
            classify_sink(Lang::Rust, "reqwest", "get"),
            Some(SinkKind::UrlFetch)
        );
    }

    #[test]
    fn classifies_go_sinks_exhaustively() {
        assert_eq!(
            classify_sink(Lang::Go, "exec", "Command"),
            Some(SinkKind::Exec)
        );
        assert_eq!(
            classify_sink(Lang::Go, "os", "Create"),
            Some(SinkKind::FsWritePath)
        );
        assert_eq!(
            classify_sink(Lang::Go, "http", "Get"),
            Some(SinkKind::UrlFetch)
        );
        assert_eq!(
            classify_sink(Lang::Go, "template", "HTML"),
            Some(SinkKind::HtmlSink)
        );
    }

    #[test]
    fn classifies_java_sinks_exhaustively() {
        assert_eq!(
            classify_sink(Lang::Java, "Runtime", "exec"),
            Some(SinkKind::Exec)
        );
        assert_eq!(
            classify_sink(Lang::Java, "Statement", "executeQuery"),
            Some(SinkKind::SqlExec)
        );
        assert_eq!(
            classify_sink(Lang::Java, "URL", "openConnection"),
            Some(SinkKind::UrlFetch)
        );
    }

    #[test]
    fn classifies_csharp_sinks_exhaustively() {
        assert_eq!(
            classify_sink(Lang::CSharp, "Process", "Start"),
            Some(SinkKind::Exec)
        );
        assert_eq!(
            classify_sink(Lang::CSharp, "SqlCommand", "ExecuteReader"),
            Some(SinkKind::SqlExec)
        );
        assert_eq!(
            classify_sink(Lang::CSharp, "HttpClient", "GetAsync"),
            Some(SinkKind::UrlFetch)
        );
    }

    #[test]
    fn classifies_c_and_cpp_sinks() {
        assert_eq!(classify_sink(Lang::C, "", "system"), Some(SinkKind::Exec));
        assert_eq!(classify_sink(Lang::C, "", "popen"), Some(SinkKind::Exec));
        assert_eq!(classify_sink(Lang::Cpp, "", "system"), Some(SinkKind::Exec));
        assert_eq!(classify_sink(Lang::Cpp, "", "execve"), Some(SinkKind::Exec));
    }

    #[test]
    fn ts_shares_js_sinks() {
        // TypeScript reuses the JS table
        assert_eq!(
            classify_sink(Lang::Ts, "child_process", "exec"),
            Some(SinkKind::Exec)
        );
        assert_eq!(classify_sink(Lang::Ts, "", "eval"), Some(SinkKind::Eval));
        assert_eq!(
            classify_sink(Lang::Ts, "axios", "request"),
            Some(SinkKind::UrlFetch)
        );
    }

    #[test]
    fn unknown_callees_return_none() {
        assert_eq!(classify_sink(Lang::Js, "", "console.log"), None);
        assert_eq!(classify_sink(Lang::Python, "", "print"), None);
        assert_eq!(classify_sink(Lang::Rust, "", "println"), None);
        assert_eq!(classify_sink(Lang::Go, "", "fmt.Println"), None);
    }

    #[test]
    fn sink_kind_as_str_round_trips() {
        assert_eq!(SinkKind::Exec.as_str(), "exec");
        assert_eq!(SinkKind::SqlExec.as_str(), "sql_exec");
        assert_eq!(SinkKind::Eval.as_str(), "eval");
        assert_eq!(SinkKind::FsWritePath.as_str(), "fs_write_path");
        assert_eq!(SinkKind::HtmlSink.as_str(), "html_sink");
        assert_eq!(SinkKind::UrlFetch.as_str(), "url_fetch");
        assert_eq!(SinkKind::Deserialize.as_str(), "deserialize");
        assert_eq!(SinkKind::Xxe.as_str(), "xxe");
        assert_eq!(SinkKind::NosqlQuery.as_str(), "nosql_query");
    }
}