Data-driven catalogue of syntactic security-sink candidate matchers.
The catalogue is community-maintainable: every matcher lives in
crates/security/data/security_matchers.toml, embedded via include_str! and
parsed once behind a OnceLock. There is NO regeneration step. Adding a
category is a single [[matcher]] TOML edit plus ZERO Rust enum or
discriminant churn (the tainted_sink detector matches captured
category-blind SinkSites against the loaded catalogue).
Findings are CANDIDATES for downstream agent verification, NOT verified vulnerabilities: fallow is deterministic and syntactic, never taint-proof. Matchers default to non-literal arguments. A row can opt into narrowly captured literal or context predicates when the literal itself is the signal.
Structs§
- CalleePattern - A pre-segmented callee pattern. Matching is segment-aware (NOT substring): the pattern is split on ., a leading * segment means "any object" (*.innerHTML matches el.innerHTML and this.node.innerHTML by suffix-matching the trailing non-* segments), and a trailing * segment means "any member" (child_process.* matches child_process.exec by prefix-matching the leading non-* segments). The security catalogue uses exact and leading-wildcard rows; the trailing form serves the boundary forbidden-call detector.
- Catalogue - The parsed catalogue: an ordered list of sink matchers plus untrusted-source matchers. Order is preserved from the TOML so the detector can break on the first match deterministically.
- Matcher - A parsed, validated matcher with the sink shape resolved to the typed enum and callee patterns pre-segmented for O(1)-ish matching.
- ObjectPropertyPredicate
- SourceMatcher - A parsed, validated untrusted-source matcher (issue #859). Its path_patterns reuse the segment-aware CalleePattern engine: a leading *. matches any object prefix (*.query matches req.query and ctx.req.query); a bare path matches exactly.
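The segment-aware matching rules described for CalleePattern (and reused by SourceMatcher's path_patterns), as an added stand-alone example; this is not the crate's own code, and the name CalleePattern is borrowed only for readability. It assumes that a wildcard must be accompanied by at least one concrete callee segment on the wildcard side, and rejects patterns with inner or double-ended wildcards, since the page describes only exact, leading-* and trailing-* rows.

```rust
/// A callee pattern split on `.` once at construction time (hypothetical
/// re-implementation, not the crate's type).
#[derive(Debug, Clone, PartialEq)]
pub struct CalleePattern {
    segments: Vec<String>,
}

impl CalleePattern {
    /// Split `pattern` on `.`. Rejects empty segments, a wildcard-only
    /// pattern, inner wildcards and wildcards at both ends (assumption: only
    /// exact, leading-* and trailing-* rows are valid, as the docs describe).
    pub fn parse(pattern: &str) -> Option<Self> {
        let segments: Vec<String> = pattern.split('.').map(str::to_owned).collect();
        let n = segments.len();
        let is_wild = |i: usize| segments[i] == "*";
        let inner_wild = (1..n.saturating_sub(1)).any(is_wild);
        let both_ends = n > 1 && is_wild(0) && is_wild(n - 1);
        let all_wild = segments.iter().all(|s| s == "*");
        if segments.iter().any(String::is_empty) || inner_wild || both_ends || all_wild {
            return None;
        }
        Some(Self { segments })
    }

    /// Segment-aware match (NOT substring): a leading `*` suffix-matches the
    /// trailing non-`*` segments against the callee's tail, a trailing `*`
    /// prefix-matches the leading non-`*` segments against the callee's head,
    /// and a pattern without wildcards must equal the callee segment by segment.
    pub fn matches(&self, callee: &str) -> bool {
        let callee: Vec<&str> = callee.split('.').collect();
        let segs: Vec<&str> = self.segments.iter().map(String::as_str).collect();
        match (segs.first(), segs.last()) {
            (Some(&"*"), _) => {
                let tail = &segs[1..];
                // `callee.len() > tail.len()` demands at least one object segment.
                callee.len() > tail.len() && callee[callee.len() - tail.len()..] == *tail
            }
            (_, Some(&"*")) => {
                let head = &segs[..segs.len() - 1];
                // Likewise, demand at least one member segment after the head.
                callee.len() > head.len() && callee[..head.len()] == *head
            }
            _ => callee == segs,
        }
    }
}

fn main() {
    let sink = CalleePattern::parse("*.innerHTML").expect("valid pattern");
    for callee in ["el.innerHTML", "this.node.innerHTML", "el.innerHTMLx"] {
        println!("{callee}: {}", sink.matches(callee));
    }
}
```

Because matching is per segment, el.innerHTMLx is rejected even though it contains innerHTML as a substring, which is the property the catalogue relies on to avoid spurious sink candidates.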
Enums§
Constants§
Functions§
- catalogue - Parse and cache the embedded catalogue once. Unwraps the parse Result; in a released binary this is unreachable because the bytes are compile-time embedded and gated by security_catalogue_parses.
- catalogue_title - The human-readable title for a category id, used by the CLI renderer.