Seed sinks for priority niche languages#95

Open
abhinavgautam01 wants to merge 2 commits into
git-pkgs:mainfrom
abhinavgautam01:issue-36-seed-niche-language-sinks

Conversation

@abhinavgautam01

Contributor

Closes #36.

Summary

Adds brief sinks coverage for the priority niche languages called out in #36:

  • Groovy
  • R
  • Julia
  • Haskell
  • OCaml
  • Nim
  • Crystal
  • F#
  • D
  • Erlang
  • Clojure

The added sinks cover common command execution, dynamic evaluation, deserialization, path traversal, SSRF, XXE and denial-of-service surfaces where applicable.

Also adds a KB regression test to ensure these priority language definitions continue to include sink data.

Validation

go test ./...

@andrew andrew left a comment

Contributor

Thanks for this, the coverage is solid and the regression test is a good addition.

One fix needed in knowledge/fsharp/language.toml: the Assembly.Load sink pairs threat = "code_injection" with cwe = "CWE-470", which crosses two registry entries. CWE-470 is the unsafe_reflection CWE; code_injection maps to CWE-94. Please change it to threat = "unsafe_reflection" so it lines up with Activator.CreateInstance just below it.

Two optional ones while you're in there, take or leave:

unsafePerformIO in knowledge/haskell/language.toml isn't really a code-injection sink. It breaks referential transparency but doesn't evaluate caller-controlled code. Almost every Haskell project with FFI will trip on this, so it'll mostly be noise in brief sinks. I'd drop it.

YAML.parse in knowledge/crystal/language.toml returns YAML::Any rather than instantiating arbitrary types, so the deserialization risk is much weaker than the Ruby equivalent. Fine to keep if you want the coverage, but the signal is thin.
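A registry cross-check of the kind this comment implies, as an added Go example that is not the project's own test or schema: it assumes a Sink struct with Language and Name fields and a threat-to-CWE registry (only the code_injection/CWE-94 and unsafe_reflection/CWE-470 pairs come from the thread), and it flags a sink whose cwe disagrees with the registry entry for its threat, as in the Assembly.Load case, plus any priority language with no sinks at all.

```go
package main

import "fmt"
// Sink is a hypothetical, simplified view of one sink entry in a
// knowledge/<lang>/language.toml file; threat and cwe are the field names
// from the review, Language and Name are assumed.
type Sink struct{ Language, Name, Threat, CWE string }

// threatRegistry maps a threat category to its CWE. The code_injection and
// unsafe_reflection pairs are stated in the review; the rest are constructed.
var threatRegistry = map[string]string{
	"code_injection":    "CWE-94",
	"unsafe_reflection": "CWE-470",
	"command_injection": "CWE-78",
	"deserialization":   "CWE-502",
}

// CheckSinks returns one finding per problem: an unregistered threat, a cwe
// that disagrees with the registry entry for its threat, or a priority
// language with no sinks at all.
func CheckSinks(priority []string, sinks []Sink) []string {
	var findings []string
	seen := map[string]bool{}
	for _, s := range sinks {
		seen[s.Language] = true
		want, ok := threatRegistry[s.Threat]
		switch {
		case !ok:
			findings = append(findings, fmt.Sprintf("%s/%s: unknown threat %q", s.Language, s.Name, s.Threat))
		case want != s.CWE:
			findings = append(findings, fmt.Sprintf("%s/%s: threat %q expects %s, got %s",
				s.Language, s.Name, s.Threat, want, s.CWE))
		}
	}
	for _, lang := range priority {
		if !seen[lang] {
			findings = append(findings, lang+": no sinks defined")
		}
	}
	return findings
}

func main() {
	// Constructed input reproducing the Assembly.Load mismatch from the review.
	sinks := []Sink{{"fsharp", "Assembly.Load", "code_injection", "CWE-470"},
		{"fsharp", "Activator.CreateInstance", "unsafe_reflection", "CWE-470"}}
	for _, f := range CheckSinks([]string{"fsharp", "nim"}, sinks) {
		fmt.Println(f)
	}
}
```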

@abhinavgautam01

Contributor Author

thanks, fixed.

  • Changed Assembly.Load to unsafe_reflection so it lines up with CWE-470 and Activator.CreateInstance.
  • Dropped unsafePerformIO from Haskell sinks to avoid noisy/non-code-injection output.
  • Dropped YAML.parse from Crystal sinks since the deserialization signal is weak.

Validation: go test ./...


Successfully merging this pull request may close these issues.

Seed sinks for remaining niche languages