Critical bug fixes #68

Merged
elicpeter merged 101 commits into master from pitboss/grind/20260510T081145Z-36c8 on May 11, 2026

Conversation

@elicpeter (Owner)

Summary

This pull request includes a variety of important improvements and bug fixes across several languages and analysis features. The changes focus on enhancing taint analysis accuracy, reducing false positives in security findings, improving resource management detection, and expanding language and framework support. The most significant updates are grouped below by theme.

Taint Analysis and Validation Improvements:

  • Cross-function helper-validation propagation: Now tracks parameters validated by helper functions and propagates this information at call sites, closing gaps like the one behind PayloadCMS CVE-2026-25544.
  • Validation err-check narrowing for Go: The common idiom _, err := strconv.Atoi(input); if err != nil { return } now marks input as validated on the correct branch.
  • Regex-allowlist branch narrowing: Improved recognition of validation using regex checks, especially for cases like if (!SAFE_STRING_REGEX.test(value)) throw ….

False Positive Reductions and Sink Modeling:

  • Project-level web-framework signal in Rust: Auth analysis now considers whether a Rust project is actually a web service, reducing false positives in non-web Rust codebases.
  • Auth value-ref walker improvement: No longer treats keyword argument keys as user input subjects in ORM filter calls, reducing false positives in frameworks like Django.
  • PHP fopen modeled as SSRF sink: Now only fires on tainted arguments, addressing CVE-2026-33486 and aligning with the behavior of file_get_contents.

Resource Management Enhancements (Go):

  • Field-LHS resource acquires: Assignments like b.cpuprof = os.Create(...) are no longer counted as leaks, as responsibility is transferred to the struct.
  • Inner-call release in argument position: Calls like require.NoError(t, f.Close()) now correctly mark resources as closed, improving resource leak detection accuracy.

Other Notable Updates:

  • JS/TS ternary-branch source classification: Improved taint tracking through ternary branches, fixing missed flows in certain patterns.
  • Minor documentation: Added a link to the Simplified Chinese README for broader accessibility.

Checklist

  • cargo test --bin nyx passes
  • cargo clippy --all -- -D warnings is clean
  • cargo fmt -- --check passes
  • User-visible changes are noted in CHANGELOG.md under ## [Unreleased]
  • Docs updated if behavior, flags, or config changed (docs/, README.md, CONTRIBUTING.md)
  • New rules / language support include fixtures and integration tests
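The Go idioms the summary describes (err-check narrowing after strconv.Atoi, a parameter validated inside a helper, a resource assigned to a struct field, and a release call sitting in argument position) collected into one constructed fixture. This is an added example, not code from the nyx repository or this PR; the names validateName, LookupPort, BuildPath, profiler and mustNoError are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"os"
	"regexp"
	"strconv"
)

// Constructed fixture: the shapes an analyzer must recognise to avoid the
// false positives listed in the PR summary. Not the project's own test data.
var safeName = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// validateName is the helper validator: a caller that passes a value through
// it should have that parameter treated as validated at the call site.
func validateName(name string) error {
	if !safeName.MatchString(name) {
		return errors.New("invalid name")
	}
	return nil
}

// LookupPort uses strconv.Atoi as the check. The err != nil branch rejects the
// input; only the fall-through branch may treat it as validated.
func LookupPort(input string) (int, error) {
	n, err := strconv.Atoi(input)
	if err != nil {
		return 0, err
	}
	if n < 1 || n > 65535 {
		return 0, errors.New("port out of range")
	}
	return n, nil
}

// BuildPath feeds a user-controlled name into a path; the helper check above
// is what makes the concatenation safe.
func BuildPath(dir, name string) (string, error) {
	if err := validateName(name); err != nil {
		return "", err
	}
	return dir + "/" + name + ".log", nil
}

type profiler struct{ cpuprof *os.File }

// Start stores the acquired file in a struct field: ownership moves to the
// struct, so the assignment itself is not a leak.
func (p *profiler) Start(path string) (err error) {
	p.cpuprof, err = os.Create(path)
	return err
}

// mustNoError stands in for require.NoError; the Close() call nested in its
// argument list is the release the summary says is now detected.
func mustNoError(err error) {
	if err != nil {
		panic(err)
	}
}

func (p *profiler) Stop() { mustNoError(p.cpuprof.Close()) }
```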

pitboss and others added 30 commits May 7, 2026 03:10
@elicpeter elicpeter requested a review from Copilot May 11, 2026 15:41
@elicpeter elicpeter self-assigned this May 11, 2026
@elicpeter elicpeter added this to the 0.7.0 milestone May 11, 2026
Copilot AI (Contributor) left a comment

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

@CLAassistant commented May 11, 2026

CLA assistant check
All committers have signed the CLA.

@elicpeter elicpeter changed the title Pitboss/grind/20260510 t081145 z 36c8 Critical bug fixes May 11, 2026
@elicpeter elicpeter marked this pull request as ready for review May 11, 2026 15:59
@elicpeter elicpeter merged commit 55247b7 into master May 11, 2026
25 checks passed
@elicpeter elicpeter deleted the pitboss/grind/20260510T081145Z-36c8 branch May 11, 2026 16:42