new capacity bits

[elicpeter]

Summary

This pull request introduces several enhancements and bug fixes to the taint analysis and AST handling logic, with a focus on improving language support, AST traversal, and configuration extraction. The most significant changes include improved handling of new taint capability classes, expanded literal and kwarg extraction for multiple languages, and more robust receiver chain analysis. Below are the most important changes grouped by theme:

Taint Analysis and Rule Routing Improvements

• Added cap-specific rule routing for new taint capability classes (LDAP Injection, XPath Injection, Header Injection, Open Redirect, SSTI, XXE, Prototype Pollution). These now use the canonical rule IDs and severities from the registry, ensuring consistent handling and easier maintenance. [1] [2] [3]
• Increased the bit width for sink capability bits from u16 to u32 to support additional capability classes.

AST and Literal Extraction Enhancements

• Improved extraction of constant arguments and macro arguments: now supports boolean literals, PHP encapsed strings, Ruby constants (including scope-qualified), and numeric literals. This ensures more accurate gate matching and opt-in detection across languages. [1] [2]
• Enhanced extraction of chained inner calls to better handle Rust, Python, and JS/TS method/constructor chains, ensuring correct identification of the innermost method for gate matching. [1] [2]

Configuration and Kwarg Extraction

• JS/TS object-literal positional arguments are now lifted into the kwargs vector, making their fields accessible to downstream consumers (e.g., XML config opt-in detection). Also, boolean/numeric/string kwarg values are now captured as raw text for better cross-language support. [1] [2] [3] [4]

Language-Specific Handling

• PHP variable names now have the leading `## Summary

stripped when constructing receiver chains, ensuring that suffix matchers work correctly for idiomatic PHP method calls.

• Added a function to detect strict Object.create(null) calls in JS/TS, improving prototype pollution detection.

Miscellaneous

• Added a new field is_class to the RuleListItem interface in the frontend API types.
• Test updates and infrastructure: added produces_null_proto to test structs and improved test coverage for JS object-literal kwarg lifting. [1] [2] [3]

These changes collectively improve the accuracy, maintainability, and language coverage of the taint analysis engine and its configuration extraction mechanisms.

Checklist

• cargo test --bin nyx passes
• cargo clippy --all -- -D warnings is clean
• cargo fmt -- --check passes
• User-visible changes are noted in CHANGELOG.md under ## [Unreleased]
• Docs updated if behavior, flags, or config changed (docs/, README.md, CONTRIBUTING.md)
• New rules / language support include fixtures and integration tests

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ elicpeter
❌ pitboss

---

pitboss seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Expands the taint engine’s capability-class coverage (LDAP/XPath/Header/Open Redirect/SSTI/XXE/Prototype Pollution), widens cap-bit storage to u32, and adds new SSA sidecar analyses (XML/XPath receiver config) plus broad fixture/test coverage across languages.

Changes:

• Widen cap and sink-cap bitfields from u16 to u32 across summaries, evidence, cache keys, and tests.
• Add SSA receiver-config analyses for XML parsers and XPath resolvers, and route taint findings to canonical cap-class rule IDs/severities.
• Add extensive integration tests + multi-language fixtures for new cap classes and related rule routing/dedup.

Reviewed changes

Copilot reviewed 260 out of 262 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
tests/ssti_tests.rs	Adds SSTI integration test harness across multiple languages.
tests/python_proto_pollution_tests.rs	Adds a dedicated Python proto-pollution opt-in gate test binary.
tests/prototype_pollution_tests.rs	Adds/expands prototype-pollution integration tests (library + full SSA).
tests/integration_tests.rs	Updates cap-bit width in an integration assertion.
tests/header_injection_tests.rs	Adds header-injection integration tests + co-fire test with open-redirect.
tests/fixtures/xxe/typescript/unsafe_xxe.ts	Adds TS XXE unsafe fixture for xml2js opt-in.
tests/fixtures/xxe/typescript/unsafe_fast_xml_parser.ts	Adds TS XXE unsafe fixture for fast-xml-parser opt-in.
tests/fixtures/xxe/typescript/safe_xxe.ts	Adds TS XXE safe fixture (default options).
tests/fixtures/xxe/typescript/irrelevant_xml_call.ts	Adds TS baseline fixture (non-parser XML string op).
tests/fixtures/xxe/ruby/unsafe_xxe_nokogiri.rb	Adds Ruby XXE unsafe fixture (Nokogiri NOENT).
tests/fixtures/xxe/ruby/unsafe_xxe.rb	Adds Ruby XXE unsafe fixture (REXML default behavior).
tests/fixtures/xxe/ruby/safe_xxe_nokogiri.rb	Adds Ruby XXE safe fixture (DEFAULT_XML).
tests/fixtures/xxe/ruby/irrelevant_xml_call.rb	Adds Ruby baseline fixture (non-parser XML op).
tests/fixtures/xxe/python/unsafe_xxe.py	Adds Python XXE unsafe fixture (xml.sax).
tests/fixtures/xxe/python/unsafe_lxml_resolve_entities.py	Adds Python XXE unsafe fixture (lxml resolve_entities opt-in).
tests/fixtures/xxe/python/safe_xxe.py	Adds Python XXE safe fixture (defusedxml sanitizer).
tests/fixtures/xxe/python/safe_lxml.py	Adds Python XXE safe fixture (lxml default-safe parse).
tests/fixtures/xxe/python/irrelevant_xml_call.py	Adds Python baseline fixture (non-parser XML op).
tests/fixtures/xxe/php/unsafe_xxe.php	Adds PHP XXE unsafe fixture (LIBXML_NOENT).
tests/fixtures/xxe/php/safe_xxe.php	Adds PHP XXE safe fixture (flags = 0).
tests/fixtures/xxe/php/irrelevant_xml_call.php	Adds PHP baseline fixture (non-parser XML op).
tests/fixtures/xxe/javascript/unsafe_xxe.js	Adds JS XXE unsafe fixture (xml2js opt-in).
tests/fixtures/xxe/javascript/unsafe_fast_xml_parser.js	Adds JS XXE unsafe fixture (fast-xml-parser opt-in).
tests/fixtures/xxe/javascript/safe_xxe.js	Adds JS XXE safe fixture (default options).
tests/fixtures/xxe/javascript/irrelevant_xml_call.js	Adds JS baseline fixture (non-parser XML op).
tests/fixtures/xxe/java/UnsafeXxe.java	Adds Java XXE unsafe fixture (unhardened JAXP builder).
tests/fixtures/xxe/java/UnsafeLog4jConfig.java	Adds Java XXE unsafe fixture modeling Log4j config parsing.
tests/fixtures/xxe/java/SafeXxePhi.java	Adds Java XXE safe fixture testing SSA phi preservation of hardening.
tests/fixtures/xxe/java/SafeXxeConfig.java	Adds Java XXE safe fixture (hardened factory features).
tests/fixtures/xxe/java/SafeXxe.java	Adds Java XXE baseline fixture (no parser sink).
tests/fixtures/xxe/java/SafeLog4jConfig.java	Adds Java XXE safe fixture counterpart to UnsafeLog4jConfig.
tests/fixtures/xxe/java/IrrelevantXmlCall.java	Adds Java baseline fixture (XML-adjacent string ops only).
tests/fixtures/xpath_injection/typescript/unsafe_xpath_query.ts	Adds TS XPath injection unsafe fixture.
tests/fixtures/xpath_injection/typescript/safe_xpath_query.ts	Adds TS XPath injection safe fixture (escape helper).
tests/fixtures/xpath_injection/typescript/baseline_constant_xpath.ts	Adds TS XPath injection baseline fixture (constant expr).
tests/fixtures/xpath_injection/ruby/unsafe_xpath_query.rb	Adds Ruby XPath injection unsafe fixture.
tests/fixtures/xpath_injection/ruby/safe_xpath_query.rb	Adds Ruby XPath injection safe fixture (escape helper).
tests/fixtures/xpath_injection/ruby/baseline_constant_xpath.rb	Adds Ruby XPath injection baseline fixture (constant expr).
tests/fixtures/xpath_injection/python/unsafe_xpath_query.py	Adds Python XPath injection unsafe fixture.
tests/fixtures/xpath_injection/python/safe_xpath_query.py	Adds Python XPath injection safe fixture (escape helper).
tests/fixtures/xpath_injection/python/baseline_constant_xpath.py	Adds Python XPath injection baseline fixture (constant expr).
tests/fixtures/xpath_injection/php/unsafe_xpath_query.php	Adds PHP XPath injection unsafe fixture.
tests/fixtures/xpath_injection/php/safe_xpath_query.php	Adds PHP XPath injection safe fixture (escape helper).
tests/fixtures/xpath_injection/php/baseline_constant_xpath.php	Adds PHP XPath injection baseline fixture (constant expr).
tests/fixtures/xpath_injection/javascript/unsafe_xpath_query.js	Adds JS XPath injection unsafe fixture.
tests/fixtures/xpath_injection/javascript/safe_xpath_query.js	Adds JS XPath injection safe fixture (escape helper).
tests/fixtures/xpath_injection/javascript/baseline_constant_xpath.js	Adds JS XPath injection baseline fixture (constant expr).
tests/fixtures/xpath_injection/java/UnsafeXPathQuery.java	Adds Java XPath injection unsafe fixture.
tests/fixtures/xpath_injection/java/TaintedParameterizedXpath.java	Adds Java fixture validating resolver-binding suppression behavior.
tests/fixtures/xpath_injection/java/SafeXPathQuery.java	Adds Java XPath injection safe fixture (escape helper).
tests/fixtures/xpath_injection/java/ParameterizedXpath.java	Adds Java baseline-ish parameterized XPath fixture (constant expr).
tests/fixtures/xpath_injection/java/BaselineConstantXpath.java	Adds Java XPath injection baseline fixture (constant expr).
tests/fixtures/xpath_injection/cpp/unsafe_xpath_query.cpp	Adds C++ XPath injection unsafe fixture (libxml2).
tests/fixtures/xpath_injection/cpp/safe_xpath_query.cpp	Adds C++ XPath injection safe fixture (sanitize helper).
tests/fixtures/xpath_injection/cpp/baseline_constant_xpath.cpp	Adds C++ XPath injection baseline fixture (constant expr).
tests/fixtures/xpath_injection/c/unsafe_xpath_query.c	Adds C XPath injection unsafe fixture (libxml2).
tests/fixtures/xpath_injection/c/safe_xpath_query.c	Adds C XPath injection safe fixture (sanitize helper).
tests/fixtures/xpath_injection/c/baseline_constant_xpath.c	Adds C XPath injection baseline fixture (constant expr).
tests/fixtures/ssti/typescript/unsafe_nunjucks_render_string.ts	Adds TS SSTI unsafe fixture (tainted template source).
tests/fixtures/ssti/typescript/unsafe_handlebars_compile.ts	Adds TS SSTI unsafe fixture (Handlebars.compile).
tests/fixtures/ssti/typescript/safe_nunjucks_render_string.ts	Adds TS SSTI safe fixture (constant template source).
tests/fixtures/ssti/typescript/safe_handlebars_constant.ts	Adds TS SSTI safe fixture (constant template source).
tests/fixtures/ssti/ruby/unsafe_erb_new.rb	Adds Ruby SSTI unsafe fixture (ERB.new tainted source).
tests/fixtures/ssti/ruby/safe_erb_template_var.rb	Adds Ruby SSTI safe fixture (template name constant).
tests/fixtures/ssti/ruby/safe_erb_constant.rb	Adds Ruby SSTI safe fixture (constant template source).
tests/fixtures/ssti/python/unsafe_mako_lookup_get_template.py	Adds Python SSTI unsafe fixture (tainted get_template name).
tests/fixtures/ssti/python/unsafe_jinja_template.py	Adds Python SSTI unsafe fixture (Template tainted source).
tests/fixtures/ssti/python/unsafe_jinja_get_template.py	Adds Python SSTI unsafe fixture (Environment.get_template tainted name).
tests/fixtures/ssti/python/unsafe_jinja_compile_expression.py	Adds Python SSTI unsafe fixture (compile_expression tainted source).
tests/fixtures/ssti/python/safe_render_template_var.py	Adds Python SSTI safe fixture (render_template constant path).
tests/fixtures/ssti/python/safe_mako_lookup_constant.py	Adds Python SSTI safe fixture (constant get_template name).
tests/fixtures/ssti/python/safe_jinja_constant.py	Adds Python SSTI safe fixture (constant template source).
tests/fixtures/ssti/php/unsafe_twig_create_template.php	Adds PHP SSTI unsafe fixture (Twig createTemplate tainted source).
tests/fixtures/ssti/php/unsafe_smarty_string_fetch.php	Adds PHP SSTI unsafe fixture (Smarty string: prefix).
tests/fixtures/ssti/php/safe_twig_template_var.php	Adds PHP SSTI safe fixture (render by name, not source).
tests/fixtures/ssti/php/safe_twig_constant.php	Adds PHP SSTI safe fixture (constant createTemplate source).
tests/fixtures/ssti/php/safe_smarty_file_fetch.php	Adds PHP SSTI safe fixture (file fetch, no string: prefix).
tests/fixtures/ssti/javascript/unsafe_nunjucks_render_string.js	Adds JS SSTI unsafe fixture (tainted renderString source).
tests/fixtures/ssti/javascript/unsafe_handlebars_compile.js	Adds JS SSTI unsafe fixture (Handlebars.compile).
tests/fixtures/ssti/javascript/safe_nunjucks_render_string.js	Adds JS SSTI safe fixture (constant template source).
tests/fixtures/ssti/javascript/safe_handlebars_constant.js	Adds JS SSTI safe fixture (constant template source).
tests/fixtures/ssti/java/UnsafeFreemarkerTemplate.java	Adds Java SSTI unsafe fixture (Velocity.evaluate shape).
tests/fixtures/ssti/java/UnsafeFreemarkerProcess.java	Adds Java SSTI unsafe fixture (FreeMarker Template + process).
tests/fixtures/ssti/java/SafeFreemarkerConstant.java	Adds Java SSTI safe fixture (Velocity constant template source).
tests/fixtures/ssti/go/unsafe_template_parse.go	Adds Go SSTI unsafe fixture (text/template Parse tainted src).
tests/fixtures/ssti/go/safe_template_parsefiles.go	Adds Go SSTI safe fixture (ParseFiles loads from disk).
tests/fixtures/ssti/go/safe_template_constant.go	Adds Go SSTI safe fixture (Parse constant src).
tests/fixtures/rust_framework_rules/expectations.json	Updates expected findings to include open-redirect and adjust counts.
tests/fixtures/real_world/typescript/taint/express_redirect.expect.json	Switches expected rule_id to taint-open-redirect.
tests/fixtures/real_world/ruby/taint/rails_redirect.expect.json	Switches expected rule_id to taint-open-redirect.
tests/fixtures/real_world/javascript/taint/open_redirect_unsafe.expect.json	Switches expected rule_id to taint-open-redirect.
tests/fixtures/real_world/javascript/taint/open_redirect.expect.json	Switches expected rule_id(s) to taint-open-redirect.
tests/fixtures/real_world/javascript/taint/express_redirect.expect.json	Switches expected rule_id(s) to taint-open-redirect.
tests/fixtures/prototype_pollution/typescript/unsafe_object_assign.ts	Adds TS prototype-pollution unsafe fixture (Object.assign).
tests/fixtures/prototype_pollution/typescript/unsafe_lodash_merge.ts	Adds TS prototype-pollution unsafe fixture (_.merge).
tests/fixtures/prototype_pollution/typescript/unsafe_bare_extend_deep.ts	Adds TS prototype-pollution unsafe fixture (extend(true,...)).
tests/fixtures/prototype_pollution/typescript/safe_object_assign_const.ts	Adds TS prototype-pollution safe fixture (constant source).
tests/fixtures/prototype_pollution/typescript/safe_lodash_merge_const.ts	Adds TS prototype-pollution safe fixture (constant source).
tests/fixtures/prototype_pollution/typescript/safe_bare_extend_class.ts	Adds TS fixture ensuring LiteralOnly gate suppresses class-extend.
tests/fixtures/prototype_pollution/python/unsafe_dict_update.py	Adds Python proto-pollution unsafe fixture (dict.update / dict.update).
tests/fixtures/prototype_pollution/javascript/unsafe_set_value.js	Adds JS prototype-pollution unsafe fixture (set-value).
tests/fixtures/prototype_pollution/javascript/unsafe_object_assign.js	Adds JS prototype-pollution unsafe fixture (Object.assign).
tests/fixtures/prototype_pollution/javascript/unsafe_lodash_merge.js	Adds JS prototype-pollution unsafe fixture (_.merge).
tests/fixtures/prototype_pollution/javascript/unsafe_jsonpath_set.js	Adds JS prototype-pollution unsafe fixture (jsonpath set).
tests/fixtures/prototype_pollution/javascript/unsafe_dot_prop_set.js	Adds JS prototype-pollution unsafe fixture (dot-prop set).
tests/fixtures/prototype_pollution/javascript/unsafe_bare_extend_deep.js	Adds JS prototype-pollution unsafe fixture (extend(true,...)).
tests/fixtures/prototype_pollution/javascript/safe_set_value_const.js	Adds JS prototype-pollution safe fixture (constant inputs).
tests/fixtures/prototype_pollution/javascript/safe_object_assign_const.js	Adds JS prototype-pollution safe fixture (constant source).
tests/fixtures/prototype_pollution/javascript/safe_lodash_merge_const.js	Adds JS prototype-pollution safe fixture (constant source).
tests/fixtures/prototype_pollution/javascript/safe_bare_extend_dynamic.js	Adds JS fixture ensuring LiteralOnly suppresses dynamic arg0.
tests/fixtures/prototype_pollution/javascript/safe_bare_extend_class.js	Adds JS fixture ensuring class extension is suppressed.
tests/fixtures/prototype_pollution/full/unsafe_partial_null_proto.js	Adds full-SSA regression fixture for partial null-proto.
tests/fixtures/prototype_pollution/full/unsafe_dynamic_key.js	Adds full-SSA unsafe fixture for tainted dynamic key assignment.
tests/fixtures/prototype_pollution/full/safe_reject_list.js	Adds full-SSA safe fixture using reject-list guard.
tests/fixtures/prototype_pollution/full/safe_object_create_null.js	Adds full-SSA safe fixture for Object.create(null) receiver.
tests/fixtures/prototype_pollution/full/safe_allowlist.js	Adds full-SSA safe fixture using allowlist guard.
tests/fixtures/open_redirect/typescript/unsafe_redirect.ts	Adds TS open-redirect unsafe fixture (res.redirect).
tests/fixtures/open_redirect/typescript/safe_relative_redirect.ts	Adds TS open-redirect safe fixture (relative-only check).
tests/fixtures/open_redirect/typescript/safe_redirect.ts	Adds TS open-redirect safe fixture (validateRedirectUrl allowlist).
tests/fixtures/open_redirect/typescript/safe_host_allowlist_redirect.ts	Adds TS open-redirect safe fixture (URL host allowlist).
tests/fixtures/open_redirect/rust/unsafe_redirect.rs	Adds Rust open-redirect unsafe fixture (axum Redirect::to).
tests/fixtures/open_redirect/rust/unsafe_actix_location_chained.rs	Adds Rust open-redirect unsafe fixture (actix Location header in chain).
tests/fixtures/open_redirect/rust/unsafe_actix_location.rs	Adds Rust open-redirect unsafe fixture (actix Location header).
tests/fixtures/open_redirect/rust/safe_relative_redirect.rs	Adds Rust open-redirect safe fixture (ensure_relative_url).
tests/fixtures/open_redirect/rust/safe_redirect.rs	Adds Rust open-redirect safe fixture (validate_redirect_url).
tests/fixtures/open_redirect/rust/safe_host_allowlist_redirect.rs	Adds Rust open-redirect safe fixture (Url parse + host allowlist).
tests/fixtures/open_redirect/rust/safe_actix_content_type.rs	Adds Rust fixture ensuring non-Location header doesn’t trigger open-redirect.
tests/fixtures/open_redirect/ruby/unsafe_redirect.rb	Adds Ruby open-redirect unsafe fixture (redirect_to).
tests/fixtures/open_redirect/ruby/safe_relative_redirect.rb	Adds Ruby open-redirect safe fixture (relative-only check).
tests/fixtures/open_redirect/ruby/safe_redirect.rb	Adds Ruby open-redirect safe fixture (validate_redirect_url).
tests/fixtures/open_redirect/python/unsafe_redirect.py	Adds Python open-redirect unsafe fixture (flask.redirect).
tests/fixtures/open_redirect/python/safe_relative_redirect.py	Adds Python open-redirect safe fixture (relative-only check).
tests/fixtures/open_redirect/python/safe_redirect.py	Adds Python open-redirect safe fixture (validate_redirect_url).
tests/fixtures/open_redirect/python/safe_host_allowlist_redirect.py	Adds Python open-redirect safe fixture (urlparse host allowlist).
tests/fixtures/open_redirect/php/unsafe_redirect.php	Adds PHP open-redirect unsafe fixture (header Location).
tests/fixtures/open_redirect/php/safe_relative_redirect.php	Adds PHP open-redirect safe fixture (relative-only check).
tests/fixtures/open_redirect/php/safe_redirect.php	Adds PHP open-redirect safe fixture (validateRedirectUrl sanitizer).
tests/fixtures/open_redirect/javascript/unsafe_redirect.js	Adds JS open-redirect unsafe fixture (res.redirect).
tests/fixtures/open_redirect/javascript/safe_relative_redirect.js	Adds JS open-redirect safe fixture (relative-only check).
tests/fixtures/open_redirect/javascript/safe_redirect.js	Adds JS open-redirect safe fixture (validateRedirectUrl allowlist).
tests/fixtures/open_redirect/javascript/safe_host_allowlist_redirect.js	Adds JS open-redirect safe fixture (URL host allowlist).
tests/fixtures/open_redirect/java/UnsafeSpringRedirect.java	Adds Java open-redirect unsafe fixture (Spring redirect: view name).
tests/fixtures/open_redirect/java/UnsafeRedirect.java	Adds Java open-redirect unsafe fixture (sendRedirect).
tests/fixtures/open_redirect/java/SafeRelativeRedirect.java	Adds Java open-redirect safe fixture (relative-only helper).
tests/fixtures/open_redirect/java/SafeRedirect.java	Adds Java open-redirect safe fixture (validateRedirectUrl allowlist).
tests/fixtures/open_redirect/java/SafeInlineRelative.java	Adds Java open-redirect safe fixture (inline startsWith("/") predicate).
tests/fixtures/open_redirect/go/unsafe_redirect.go	Adds Go open-redirect unsafe fixture (http.Redirect).
tests/fixtures/open_redirect/go/safe_relative_redirect.go	Adds Go open-redirect safe fixture (ensureRelativeUrl).
tests/fixtures/open_redirect/go/safe_redirect.go	Adds Go open-redirect safe fixture (validateRedirectUrl).
tests/fixtures/open_redirect/go/safe_host_allowlist_redirect.go	Adds Go open-redirect safe fixture (url.Parse host allowlist).
tests/fixtures/ldap_injection/typescript/unsafe_ldap_search.ts	Adds TS LDAP injection unsafe fixture (ldapjs search filter).
tests/fixtures/ldap_injection/typescript/safe_ldap_search.ts	Adds TS LDAP injection safe fixture (ldap-escape).
tests/fixtures/ldap_injection/typescript/baseline_constant_ldap.ts	Adds TS LDAP injection baseline fixture (constant filter).
tests/fixtures/ldap_injection/ruby/unsafe_ldap_search.rb	Adds Ruby LDAP injection unsafe fixture (Net::LDAP#search).
tests/fixtures/ldap_injection/ruby/safe_ldap_search.rb	Adds Ruby LDAP injection safe fixture (Filter.escape).
tests/fixtures/ldap_injection/ruby/baseline_constant_ldap.rb	Adds Ruby LDAP injection baseline fixture (constant filter).
tests/fixtures/ldap_injection/python/unsafe_ldap_search.py	Adds Python LDAP injection unsafe fixture (python-ldap search_s).
tests/fixtures/ldap_injection/python/safe_ldap_search.py	Adds Python LDAP injection safe fixture (escape_filter_chars).
tests/fixtures/ldap_injection/python/baseline_constant_ldap.py	Adds Python LDAP injection baseline fixture (constant filter).
tests/fixtures/ldap_injection/php/unsafe_ldap_search.php	Adds PHP LDAP injection unsafe fixture (ldap_search).
tests/fixtures/ldap_injection/php/safe_ldap_search.php	Adds PHP LDAP injection safe fixture (ldap_escape).
tests/fixtures/ldap_injection/php/baseline_constant_ldap.php	Adds PHP LDAP injection baseline fixture (constant filter).
tests/fixtures/ldap_injection/javascript/unsafe_ldap_search.js	Adds JS LDAP injection unsafe fixture (ldapjs search filter).
tests/fixtures/ldap_injection/javascript/safe_ldap_search.js	Adds JS LDAP injection safe fixture (ldap-escape).
tests/fixtures/ldap_injection/javascript/baseline_constant_ldap.js	Adds JS LDAP injection baseline fixture (constant filter).
tests/fixtures/ldap_injection/java/UnsafeLdapSearch.java	Adds Java LDAP injection unsafe fixture (DirContext.search).
tests/fixtures/ldap_injection/java/SafeLdapSearch.java	Adds Java LDAP injection safe fixture (Spring LdapEncoder).
tests/fixtures/ldap_injection/java/BaselineConstantLdap.java	Adds Java LDAP injection baseline fixture (constant filter).
tests/fixtures/ldap_injection/go/unsafe_ldap_search.go	Adds Go LDAP injection unsafe fixture (NewSearchRequest tainted filter).
tests/fixtures/ldap_injection/go/safe_ldap_search.go	Adds Go LDAP injection safe fixture (ldap.EscapeFilter).
tests/fixtures/ldap_injection/go/baseline_constant_ldap.go	Adds Go LDAP injection baseline fixture (constant filter).
tests/fixtures/ldap_injection/cpp/unsafe_ldap_search.cpp	Adds C++ LDAP injection unsafe fixture (ldap_search_ext_s).
tests/fixtures/ldap_injection/cpp/safe_ldap_search.cpp	Adds C++ LDAP injection safe fixture (sanitize helper).
tests/fixtures/ldap_injection/cpp/baseline_constant_ldap.cpp	Adds C++ LDAP injection baseline fixture (constant filter).
tests/fixtures/ldap_injection/c/unsafe_ldap_search.c	Adds C LDAP injection unsafe fixture (ldap_search_ext_s).
tests/fixtures/ldap_injection/c/safe_ldap_search.c	Adds C LDAP injection safe fixture (sanitize helper).
tests/fixtures/ldap_injection/c/baseline_constant_ldap.c	Adds C LDAP injection baseline fixture (constant filter).
tests/fixtures/internal_redirect_taint/expectations.json	Updates expected rule prefix to taint-open-redirect.
tests/fixtures/header_injection/typescript/unsafe_subscript_set.ts	Adds TS header injection unsafe fixture (headers[...] = tainted).
tests/fixtures/header_injection/typescript/unsafe_set_header.ts	Adds TS header injection unsafe fixture (setHeader).
tests/fixtures/header_injection/typescript/safe_subscript_set.ts	Adds TS header injection safe fixture (stripCRLF sanitizer).
tests/fixtures/header_injection/typescript/safe_set_header.ts	Adds TS header injection safe fixture (stripCRLF sanitizer).
tests/fixtures/header_injection/rust/unsafe_set_header.rs	Adds Rust header injection unsafe fixture (HeaderMap insert).
tests/fixtures/header_injection/rust/safe_set_header.rs	Adds Rust header injection safe fixture (strip_crlf sanitizer).
tests/fixtures/header_injection/ruby/unsafe_subscript_set.rb	Adds Ruby header injection unsafe fixture (headers[...] = tainted).
tests/fixtures/header_injection/ruby/safe_subscript_set.rb	Adds Ruby header injection safe fixture (strip_crlf sanitizer).
tests/fixtures/header_injection/python/unsafe_subscript_set.py	Adds Python header injection unsafe fixture (headers[...] = tainted).
tests/fixtures/header_injection/python/unsafe_set_header.py	Adds Python header injection unsafe fixture (headers.add).
tests/fixtures/header_injection/python/safe_subscript_set.py	Adds Python header injection safe fixture (strip_crlf sanitizer).
tests/fixtures/header_injection/python/safe_set_header.py	Adds Python header injection safe fixture (strip_crlf sanitizer).
tests/fixtures/header_injection/php/unsafe_set_header.php	Adds PHP header injection unsafe fixture (header()).
tests/fixtures/header_injection/php/safe_set_header.php	Adds PHP header injection safe fixture (strip_crlf sanitizer).
tests/fixtures/header_injection/javascript/unsafe_subscript_set.js	Adds JS header injection unsafe fixture (headers[...] = tainted).
tests/fixtures/header_injection/javascript/unsafe_set_header.js	Adds JS header injection unsafe fixture (setHeader).
tests/fixtures/header_injection/javascript/safe_subscript_set.js	Adds JS header injection safe fixture (stripCRLF sanitizer).
tests/fixtures/header_injection/javascript/safe_set_header.js	Adds JS header injection safe fixture (stripCRLF sanitizer).
tests/fixtures/header_injection/java/UnsafeSetHeader.java	Adds Java header injection unsafe fixture (setHeader).
tests/fixtures/header_injection/java/SafeSetHeader.java	Adds Java header injection safe fixture (stripCRLF sanitizer).
tests/fixtures/header_injection/go/unsafe_set_header.go	Adds Go header injection unsafe fixture (Header().Set).
tests/fixtures/header_injection/go/safe_set_header.go	Adds Go header injection safe fixture (stripCRLF sanitizer).
tests/fixtures/cross_file_js_redirect/expectations.json	Updates expected rule prefix to taint-open-redirect.
src/utils/config.rs	Adds new CapName variants + string parsing aliases + display mapping; updates error message.
src/taint/tests.rs	Extends test optimize context with xml/xpath config slots; minor doc wording.
src/taint/ssa_transfer/tests.rs	Updates cap-bit widths + adds xml/xpath config fields to test contexts; doc tweaks.
src/taint/ssa_transfer/summary_extract.rs	Plumbs xml/xpath config placeholders into summary extraction context.
src/taint/ssa_transfer/inline.rs	Widens inline-cache keying/fingerprints to u32 cap bits.
src/taint/ssa_transfer/events.rs	Extends finding dedup key to include effective sink cap bits for multi-cap emission.
src/summary/tests.rs	Updates summary tests for u32 caps; adds serde round-trip test for new cap classes.
src/summary/ssa_summary.rs	Updates doc to clarify legacy summary deserialization behavior.
src/summary/mod.rs	Widens stored cap bitfields; updates sink-site dedup + snapshot types.
src/ssa/xpath_config.rs	Adds new XPath receiver-config sidecar analysis module + tests.
src/ssa/mod.rs	Plumbs xml/xpath config analyses into SSA optimization result.
src/server/routes/rules.rs	Extends rule API responses with is_class field.
src/server/owasp.rs	Improves OWASP bucketing via cap-registry matching + adds labels for new cap classes.
src/server/models.rs	Adds is_class to rule list/detail view models.
src/server/debug.rs	Extends type-kind display + plumbs xml/xpath config to debug taint analysis.
src/labels/rust.rs	Adds Rust rule coverage for header injection + open redirect; adds gated actix Location sink.
src/labels/go.rs	Adds Go rule coverage for LDAP, header injection, open redirect, SSTI.
src/labels/cpp.rs	Adds C++ rule coverage for LDAP and XPath injection sinks.
src/labels/c.rs	Adds C rule coverage for LDAP and XPath injection sinks.
src/evidence.rs	Widens Evidence.sink_caps to u32 and updates serialization skip logic.
src/database.rs	Bumps schema version to force rescan after cap-bit widening; updates tests/fixtures.
src/constraint/solver.rs	Maps additional Java class names to new TypeKind variants.
src/constraint/domain.rs	Widens TypeSet + refine counters for added TypeKind variants.
src/commands/scan.rs	Widens sink-cap grouping key + updates snapshot types; minor comment wording.
src/commands/rules.rs	Adds new nyx rules CLI implementation and smoke test.
src/commands/mod.rs	Wires nyx rules into command dispatcher.
src/cli.rs	Adds CLI subcommand surface for nyx rules list.
src/cfg/params.rs	Tweaks docs around DTO fallback semantics.
src/cfg/helpers.rs	Fixes PHP receiver chain text by stripping $ from variable names.
src/cfg/dto.rs	Tweaks docs around DTO fallback semantics.
src/cfg/cfg_tests.rs	Updates kwargs extraction test to assert JS object-literal ⇒ kwargs lifting.
src/auth_analysis/mod.rs	Updates comments to remove phase-specific labeling.
src/ast.rs	Widens sink cap bits; adds cap-class rule routing + severity from registry for new classes.
frontend/src/api/types.ts	Adds is_class to RuleListItem API type.
docs/rules.md	Documents cap-class rule IDs + new caps and aliases; points to CAP_RULE_REGISTRY and CLI.
docs/detectors/taint.md	Documents new caps in taint capability table and typical sinks/sanitizers.
docs/detectors.md	Documents cap-class taint rule IDs + semantics; adds CLI hints.
docs/configuration.md	Adds new cap names + aliases in configuration docs.
docs/cli.md	Documents new nyx rules subcommand and flags.
README.md	Documents cap-specific taint classes and adds nyx rules list mention.
.gitignore	Adds Python bytecode cache ignores.
.claude/scheduled_tasks.lock	Adds a lock file (appears tool-generated / machine-specific).

Comments suppressed due to low confidence (1)

tests/fixtures/ssti/java/UnsafeFreemarkerTemplate.java:1

• The fixture/class name suggests FreeMarker (UnsafeFreemarkerTemplate), but the code and comments exercise Apache Velocity (Velocity.evaluate). This mismatch makes fixture intent harder to understand and can confuse future maintenance. Rename the file/class to reflect Velocity (or switch the code to a FreeMarker example) so test/fixture naming matches the exercised sink.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 260 out of 261 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (5)

tests/fixtures/ssti/java/UnsafeFreemarkerTemplate.java:1

• The fixture filename/class name references FreeMarker, but the code/comment is describing and using Apache Velocity. This mismatch makes the fixture set harder to understand and maintain. Consider renaming the file/class to match Velocity, or switching the implementation/comment to FreeMarker so naming, comments, and exercised sink align.
  tests/fixtures/ssti/java/SafeFreemarkerConstant.java:1
• Same naming mismatch as the unsafe counterpart: the file/class name references FreeMarker while the fixture is for Velocity. Align the filename/class name with the library under test (or vice versa) so the fixture set is self-describing.
  tests/fixtures/xxe/python/safe_lxml.py:1
• lxml.etree.parse(...) expects a filename/URL/file-like object; passing a query parameter string named xml reads oddly and can look like an accidental misuse of the API (even though fixtures aren't executed). To keep fixtures realistic and clearer as examples, consider using etree.fromstring(body) for XML content, or wrap bytes in io.BytesIO(body.encode()) if you specifically want to exercise parse.
  tests/fixtures/open_redirect/java/UnsafeSpringRedirect.java:1
• The handler takes @RequestParam(\"next\") String next but then ignores it and re-reads next from HttpServletRequest. For fixture clarity, prefer using the injected next parameter directly (or remove it and keep req.getParameter). This reduces confusion about the intended taint source.
  src/utils/config.rs:1
• The parser accepts multiple aliases (e.g. ldapi, xpathi, crlf, redirect, template_injection, proto_pollution), but the error message only lists canonical names. Consider including a short 'aliases also accepted: ...' clause (or referencing the docs) to make CLI/config errors easier to resolve.