
Seed sinks for priority niche languages #95

Merged: andrew merged 2 commits into git-pkgs:main from abhinavgautam01:issue-36-seed-niche-language-sinks on Jun 28, 2026

Conversation

@abhinavgautam01 (Contributor)

Closes #36.

Summary

Adds brief sinks coverage for the priority niche languages called out in #36:

  • Groovy
  • R
  • Julia
  • Haskell
  • OCaml
  • Nim
  • Crystal
  • F#
  • D
  • Erlang
  • Clojure

The added sinks cover common command execution, dynamic evaluation, deserialization, path traversal, SSRF, XXE and denial-of-service surfaces where applicable.

Also adds a KB regression test to ensure these priority language definitions continue to include sink data.

Validation

go test ./...

@andrew (Contributor) left a comment

Thanks for this, the coverage is solid and the regression test is a good addition.

One fix needed in knowledge/fsharp/language.toml: the Assembly.Load sink pairs threat = "code_injection" with cwe = "CWE-470", which crosses two registry entries. CWE-470 is the unsafe_reflection CWE; code_injection maps to CWE-94. Please change it to threat = "unsafe_reflection" so it lines up with Activator.CreateInstance just below it.

Two optional ones while you're in there, take or leave:

unsafePerformIO in knowledge/haskell/language.toml isn't really a code-injection sink. It breaks referential transparency but doesn't evaluate caller-controlled code. Almost every Haskell project with FFI will trip on this, so it'll mostly be noise in brief sinks. I'd drop it.

YAML.parse in knowledge/crystal/language.toml returns YAML::Any rather than instantiating arbitrary types, so the deserialization risk is much weaker than the Ruby equivalent. Fine to keep if you want the coverage, but the signal is thin.

@abhinavgautam01 (Contributor, Author)


Thanks, fixed.

  • Changed Assembly.Load to unsafe_reflection so it lines up with CWE-470 and Activator.CreateInstance.
  • Dropped unsafePerformIO from Haskell sinks to avoid noisy/non-code-injection output.
  • Dropped YAML.parse from Crystal sinks since the deserialization signal is weak.

Validation: go test ./...
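The review above hinges on two invariants that a knowledge base of sink definitions has to keep: every sink's `cwe` must agree with the CWE that the threat registry assigns to its `threat`, and every priority language must actually carry sink data. The following Go program is an added illustration, not code from the git-pkgs project: it reproduces the pre-fix F# entry (`Assembly.Load` tagged `code_injection` but `CWE-470`) as constructed data, flags it, shows that re-tagging it `unsafe_reflection` clears the finding, and reports which priority languages still lack sinks. The `Sink` struct, the `threatRegistry` map beyond the two entries quoted in the review, the lowercase directory names for languages other than fsharp, haskell and crystal, and the sample sinks are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Sink is a hypothetical in-memory view of one sink entry from a
// knowledge/<lang>/language.toml file. The real schema is not shown on the
// page; only the `threat` and `cwe` keys come from the review comment.
type Sink struct {
	Language string // directory name under knowledge/, e.g. "fsharp"
	Symbol   string // the API the sink matches, e.g. "Assembly.Load"
	Threat   string // threat registry key, e.g. "unsafe_reflection"
	CWE      string // CWE the sink declares, e.g. "CWE-470"
}

// threatRegistry maps a threat name to its canonical CWE. The two entries
// are the ones quoted in the review; any further entries would be assumptions.
var threatRegistry = map[string]string{
	"unsafe_reflection": "CWE-470",
	"code_injection":    "CWE-94",
}

// priorityLanguages lists the languages the PR seeds. The directory names for
// languages other than fsharp, haskell and crystal are assumed.
var priorityLanguages = []string{
	"groovy", "r", "julia", "haskell", "ocaml", "nim",
	"crystal", "fsharp", "d", "erlang", "clojure",
}

// Finding describes one consistency violation in a sink entry.
type Finding struct {
	Language, Symbol, Problem string
}

func (f Finding) String() string {
	return fmt.Sprintf("knowledge/%s/language.toml: %s: %s", f.Language, f.Symbol, f.Problem)
}

// CheckSinkConsistency reports every sink whose threat is unknown to the
// registry or whose declared CWE differs from the registry's CWE for that
// threat. This is the mechanical check behind the Assembly.Load review note.
func CheckSinkConsistency(sinks []Sink, registry map[string]string) []Finding {
	var out []Finding
	for _, s := range sinks {
		want, ok := registry[s.Threat]
		if !ok {
			out = append(out, Finding{s.Language, s.Symbol, fmt.Sprintf("unknown threat %q", s.Threat)})
			continue
		}
		if s.CWE != want {
			out = append(out, Finding{s.Language, s.Symbol,
				fmt.Sprintf("threat %q maps to %s in the registry but the sink declares %s", s.Threat, want, s.CWE)})
		}
	}
	return out
}

// LanguagesMissingSinks returns, sorted, the priority languages that have no
// sink entries at all; this is the shape of the PR's KB regression test.
func LanguagesMissingSinks(priority []string, sinks []Sink) []string {
	have := map[string]bool{}
	for _, s := range sinks {
		have[s.Language] = true
	}
	var missing []string
	for _, l := range priority {
		if !have[l] {
			missing = append(missing, l)
		}
	}
	sort.Strings(missing)
	return missing
}

// sampleSinks is constructed data: the F# pair as it stood before the fix,
// plus the Haskell unsafePerformIO entry the reviewer asked to drop. Note that
// unsafePerformIO passes the registry check; the reviewer's objection to it
// was semantic (noise, not code injection), which no mechanical check catches.
var sampleSinks = []Sink{
	{"fsharp", "Assembly.Load", "code_injection", "CWE-470"},
	{"fsharp", "Activator.CreateInstance", "unsafe_reflection", "CWE-470"},
	{"haskell", "unsafePerformIO", "code_injection", "CWE-94"},
}

func main() {
	for _, f := range CheckSinkConsistency(sampleSinks, threatRegistry) {
		fmt.Println("registry mismatch:", f)
	}
	fmt.Println("priority languages without sinks:", LanguagesMissingSinks(priorityLanguages, sampleSinks))
}
```

Running it prints one mismatch for `Assembly.Load` and lists the nine sample languages that carry no sinks; changing that entry's threat to `unsafe_reflection` produces no findings, which is exactly the state the follow-up comment describes.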

@andrew (Contributor) left a comment

All addressed: Assembly.Load is now unsafe_reflection/CWE-470, and the optional unsafePerformIO and Crystal YAML.parse sinks are dropped. Thanks.

@andrew andrew merged commit 5523019 into git-pkgs:main Jun 28, 2026
5 checks passed
