
Crate fallow_security


Data-driven catalogue of syntactic security-sink candidate matchers.

The catalogue is community-maintainable: every matcher lives in crates/security/data/security_matchers.toml, embedded via include_str! and parsed once behind a OnceLock. There is NO regeneration step. Adding a category is a single [[matcher]] TOML edit plus ZERO Rust enum or discriminant churn (the tainted_sink detector matches captured category-blind SinkSites against the loaded catalogue).

Findings are CANDIDATES for downstream agent verification, NOT verified vulnerabilities: fallow is deterministic and syntactic, never taint-proof. By default a matcher fires only on non-literal arguments; a row can opt into narrowly captured literal or context predicates when the literal itself is the signal.

Structs

CalleePattern
A pre-segmented callee pattern. Matching is segment-aware (NOT substring): the pattern is split on ., a leading * segment means “any object” (*.innerHTML matches el.innerHTML and this.node.innerHTML by suffix-matching the trailing non-* segments), and a trailing * segment means “any member” (child_process.* matches child_process.exec by prefix-matching the leading non-* segments). The security catalogue uses exact and leading-wildcard rows; the trailing form serves the boundary forbidden-call detector.
Catalogue
The parsed catalogue: an ordered list of sink matchers plus untrusted-source matchers. Order is preserved from the TOML so the detector can break on the first match deterministically.
Matcher
A parsed, validated matcher with the sink shape resolved to the typed enum and callee patterns pre-segmented for O(1)-ish matching.
ObjectPropertyPredicate
SourceMatcher
A parsed, validated untrusted-source matcher (issue #859). Its path_patterns reuse the segment-aware CalleePattern engine: a leading *. matches any object prefix (*.query matches req.query and ctx.req.query); a bare path matches exactly.

Enums

LiteralPredicate

Constants

HARDCODED_SECRET_CATEGORY_ID
HARDCODED_SECRET_CATEGORY_TITLE

Functions

catalogue
Parse and cache the embedded catalogue once. Unwraps the parse Result; in a released binary the panic path is unreachable because the bytes are embedded at compile time and the parse is gated by security_catalogue_parses.
catalogue_title
The human-readable title for a category id, used by the CLI renderer.