infer_clone/infer/tests/codetoanalyze/java/quandary/UnknownCode.java

/*
 * Copyright (c) 2016 - present Facebook, Inc.
 * All rights reserved.
 *
 * This source code is licensed under the BSD style license found in the
 * LICENSE file in the root directory of this source tree. An additional grant
 * of patent rights can be found in the PATENTS file in the same directory.
 */

package codetoanalyze.java.quandary;

import com.facebook.infer.builtins.InferTaint;

import android.content.Intent;
import android.os.Parcel;

/** testing how the analysis handles missing/unknown code */

public abstract class UnknownCode {

  native static Object nativeMethod(Object o);

  abstract Object abstractMethod(Object o);

  static interface Interface {
    Object interfaceMethod(Object o);
  }

  static void propagateViaUnknownConstructorBad() {
    String source = (String) InferTaint.inferSecretSource();
    // we don't analyze the code for the core Java libraries, so this constructor will be unknown
    String unknownConstructor = new String(source);
    InferTaint.inferSensitiveSink(unknownConstructor);
  }

  static void propagateViaUnknownConstructorOk() {
    String unknownConstructor = new String("");
    InferTaint.inferSensitiveSink(unknownConstructor);
  }

  void propagateViaUnknownCodeOk(Interface i) {
    Object notASource = new Object();
    Object launderedSource1 = nativeMethod(notASource);
    Object launderedSource2 = abstractMethod(launderedSource1);
    Object launderedSource3 = i.interfaceMethod(launderedSource2);
    InferTaint.inferSensitiveSink(launderedSource3);
  }

  void callUnknownSetterBad(Intent i) {
    Object source = InferTaint.inferSecretSource();
    // we don't analyze the source code for Android, so this will be unknown
    i.writeToParcel((Parcel) source, 0);
    InferTaint.inferSensitiveSink(i);
  }

  void propagateEmptyBad() {
    String source = (String) InferTaint.inferSecretSource();
    StringBuffer buffer = new StringBuffer();
    buffer.append(source); // buffer is now tainted
    // even though "" is not tainted, buffer and alias should still be tainted
    StringBuffer alias = buffer.append("");
    InferTaint.inferSensitiveSink(buffer); // should report
    InferTaint.inferSensitiveSink(alias); // should report
  }

  void propagateFootprint(String param) {
    StringBuffer buffer = new StringBuffer();
    buffer.append(param);
    InferTaint.inferSensitiveSink(buffer);
  }

  void callPropagateFootprintBad() {
    propagateFootprint((String) InferTaint.inferSecretSource());
  }

  static void propagateViaInterfaceCodeBad(Interface i) {
    Object source = InferTaint.inferSecretSource();
    Object launderedSource = i.interfaceMethod(source);
    InferTaint.inferSensitiveSink(launderedSource);
  }

  void propagateViaUnknownNativeCodeBad() {
    Object source = InferTaint.inferSecretSource();
    Object launderedSource = nativeMethod(source);
    InferTaint.inferSensitiveSink(launderedSource);
  }

  static void propagateViaUnknownAbstractCodeBad() {
    Object source = InferTaint.inferSecretSource();
    Object launderedSource = nativeMethod(source);
    InferTaint.inferSensitiveSink(launderedSource);
  }

}
[quandary] propagating taint from unknown procedures and constructors Summary: Right now, taint gets lost if it flows into a constructor or procedure whose implementation is missing. Since the core Java (e.g., String) and Android classes (e.g, Intent) are among these, this is bad. We could handle this by writing a bunch of models instead, but that would be a lot of work (plus we may still miss cases). Reviewed By: jvillard Differential Revision: D4051591 fbshipit-source-id: 65851c8 8 years ago			`/*`
			`* Copyright (c) 2016 - present Facebook, Inc.`
			`* All rights reserved.`
			`*`
			`* This source code is licensed under the BSD style license found in the`
			`* LICENSE file in the root directory of this source tree. An additional grant`
			`* of patent rights can be found in the PATENTS file in the same directory.`
			`*/`

			`package codetoanalyze.java.quandary;`

			`import com.facebook.infer.builtins.InferTaint;`

[quandary] for instance methods with no return value, propagate the taint to the receiver Summary: If we have code like ``` o.setF(source()) sink(o) ``` and `setF` is an unknown method, we probably want to report. Reviewed By: jeremydubreil, mburman Differential Revision: D4438896 fbshipit-source-id: 5edd204 8 years ago			`import android.content.Intent;`
			`import android.os.Parcel;`

[quandary] propagating taint from unknown procedures and constructors Summary: Right now, taint gets lost if it flows into a constructor or procedure whose implementation is missing. Since the core Java (e.g., String) and Android classes (e.g, Intent) are among these, this is bad. We could handle this by writing a bunch of models instead, but that would be a lot of work (plus we may still miss cases). Reviewed By: jvillard Differential Revision: D4051591 fbshipit-source-id: 65851c8 8 years ago			`/** testing how the analysis handles missing/unknown code */`

[backend] differentiate unknown methods and methods with empty summaries Summary: Analyses should handle methods whose code is unknown and methods whose summary is a no-op differently. Previously, this was done correctly for some kinds of methods (e.g., native methods, which were recognized as unknown), but not for others (interface and abstract methods). This diff makes sure we correctly treat all three kinds as unknown. Reviewed By: jeremydubreil Differential Revision: D4142697 fbshipit-source-id: c88cff3 8 years ago			`public abstract class UnknownCode {`
[quandary] propagating taint from unknown procedures and constructors Summary: Right now, taint gets lost if it flows into a constructor or procedure whose implementation is missing. Since the core Java (e.g., String) and Android classes (e.g, Intent) are among these, this is bad. We could handle this by writing a bunch of models instead, but that would be a lot of work (plus we may still miss cases). Reviewed By: jvillard Differential Revision: D4051591 fbshipit-source-id: 65851c8 8 years ago
[backend] differentiate unknown methods and methods with empty summaries Summary: Analyses should handle methods whose code is unknown and methods whose summary is a no-op differently. Previously, this was done correctly for some kinds of methods (e.g., native methods, which were recognized as unknown), but not for others (interface and abstract methods). This diff makes sure we correctly treat all three kinds as unknown. Reviewed By: jeremydubreil Differential Revision: D4142697 fbshipit-source-id: c88cff3 8 years ago			`native static Object nativeMethod(Object o);`
[quandary] propagating taint from unknown procedures and constructors Summary: Right now, taint gets lost if it flows into a constructor or procedure whose implementation is missing. Since the core Java (e.g., String) and Android classes (e.g, Intent) are among these, this is bad. We could handle this by writing a bunch of models instead, but that would be a lot of work (plus we may still miss cases). Reviewed By: jvillard Differential Revision: D4051591 fbshipit-source-id: 65851c8 8 years ago
[backend] differentiate unknown methods and methods with empty summaries Summary: Analyses should handle methods whose code is unknown and methods whose summary is a no-op differently. Previously, this was done correctly for some kinds of methods (e.g., native methods, which were recognized as unknown), but not for others (interface and abstract methods). This diff makes sure we correctly treat all three kinds as unknown. Reviewed By: jeremydubreil Differential Revision: D4142697 fbshipit-source-id: c88cff3 8 years ago			`abstract Object abstractMethod(Object o);`
[quandary] propagating taint from unknown procedures and constructors Summary: Right now, taint gets lost if it flows into a constructor or procedure whose implementation is missing. Since the core Java (e.g., String) and Android classes (e.g, Intent) are among these, this is bad. We could handle this by writing a bunch of models instead, but that would be a lot of work (plus we may still miss cases). Reviewed By: jvillard Differential Revision: D4051591 fbshipit-source-id: 65851c8 8 years ago
[backend] differentiate unknown methods and methods with empty summaries Summary: Analyses should handle methods whose code is unknown and methods whose summary is a no-op differently. Previously, this was done correctly for some kinds of methods (e.g., native methods, which were recognized as unknown), but not for others (interface and abstract methods). This diff makes sure we correctly treat all three kinds as unknown. Reviewed By: jeremydubreil Differential Revision: D4142697 fbshipit-source-id: c88cff3 8 years ago			`static interface Interface {`
			`Object interfaceMethod(Object o);`
			`}`

[quandary] propagating taint from unknown procedures and constructors Summary: Right now, taint gets lost if it flows into a constructor or procedure whose implementation is missing. Since the core Java (e.g., String) and Android classes (e.g, Intent) are among these, this is bad. We could handle this by writing a bunch of models instead, but that would be a lot of work (plus we may still miss cases). Reviewed By: jvillard Differential Revision: D4051591 fbshipit-source-id: 65851c8 8 years ago			`static void propagateViaUnknownConstructorBad() {`
			`String source = (String) InferTaint.inferSecretSource();`
			`// we don't analyze the code for the core Java libraries, so this constructor will be unknown`
			`String unknownConstructor = new String(source);`
			`InferTaint.inferSensitiveSink(unknownConstructor);`
			`}`

			`static void propagateViaUnknownConstructorOk() {`
			`String unknownConstructor = new String("");`
			`InferTaint.inferSensitiveSink(unknownConstructor);`
			`}`

[backend] differentiate unknown methods and methods with empty summaries Summary: Analyses should handle methods whose code is unknown and methods whose summary is a no-op differently. Previously, this was done correctly for some kinds of methods (e.g., native methods, which were recognized as unknown), but not for others (interface and abstract methods). This diff makes sure we correctly treat all three kinds as unknown. Reviewed By: jeremydubreil Differential Revision: D4142697 fbshipit-source-id: c88cff3 8 years ago			`void propagateViaUnknownCodeOk(Interface i) {`
			`Object notASource = new Object();`
			`Object launderedSource1 = nativeMethod(notASource);`
			`Object launderedSource2 = abstractMethod(launderedSource1);`
			`Object launderedSource3 = i.interfaceMethod(launderedSource2);`
			`InferTaint.inferSensitiveSink(launderedSource3);`
[quandary] propagating taint from unknown procedures and constructors Summary: Right now, taint gets lost if it flows into a constructor or procedure whose implementation is missing. Since the core Java (e.g., String) and Android classes (e.g, Intent) are among these, this is bad. We could handle this by writing a bunch of models instead, but that would be a lot of work (plus we may still miss cases). Reviewed By: jvillard Differential Revision: D4051591 fbshipit-source-id: 65851c8 8 years ago			`}`

[quandary] for instance methods with no return value, propagate the taint to the receiver Summary: If we have code like ``` o.setF(source()) sink(o) ``` and `setF` is an unknown method, we probably want to report. Reviewed By: jeremydubreil, mburman Differential Revision: D4438896 fbshipit-source-id: 5edd204 8 years ago			`void callUnknownSetterBad(Intent i) {`
			`Object source = InferTaint.inferSecretSource();`
			`// we don't analyze the source code for Android, so this will be unknown`
			`i.writeToParcel((Parcel) source, 0);`
			`InferTaint.inferSensitiveSink(i);`
			`}`

[quandary] don't clobber existing taint on receiver when propagating taint from unknown call Reviewed By: jeremydubreil Differential Revision: D4497098 fbshipit-source-id: 83c6a62 8 years ago			`void propagateEmptyBad() {`
			`String source = (String) InferTaint.inferSecretSource();`
			`StringBuffer buffer = new StringBuffer();`
			`buffer.append(source); // buffer is now tainted`
			`// even though "" is not tainted, buffer and alias should still be tainted`
			`StringBuffer alias = buffer.append("");`
			`InferTaint.inferSensitiveSink(buffer); // should report`
			`InferTaint.inferSensitiveSink(alias); // should report`
			`}`

			`void propagateFootprint(String param) {`
			`StringBuffer buffer = new StringBuffer();`
			`buffer.append(param);`
			`InferTaint.inferSensitiveSink(buffer);`
			`}`

			`void callPropagateFootprintBad() {`
			`propagateFootprint((String) InferTaint.inferSecretSource());`
			`}`

[infer][java] make the translation and analysis of abstract methods and native methods consistent Summary: With this, we can now get now get inter-procedural issues involving native methods. Reviewed By: sblackshear Differential Revision: D5730638 fbshipit-source-id: 3bdbdbd 7 years ago			`static void propagateViaInterfaceCodeBad(Interface i) {`
[quandary] cheaper handling of unknown code Summary: Let's introduce some concepts. A "known unknown" function is one for which no Java code exists (e.g., `native`, `abstract`, and `interface methods`). An "unknown unknown" function is one for which Java code may or may not exist, but we don't have the code or we choose not to analyze it (e.g., non-modeled methods from the core Java or Android libraries). Previously, Quandary handled both known unknowns and unknown unknowns by propagating taint from the parameters of the unknown function to its return value. It turns out that it is really expensive to do this for known unknown functions. D4142697 was the diff that starting handling known unknown functions in this way, and bisecting shows that it was the start of the recent performance problems for Quandary. This diff essentially reverts D4142697 by handling known unknowns as skips instead. Pragmatically, doing the propagation trick for Java/Android library functions (e.g., `String` functions!) matters much more, so i'm not too worried about the missed behaviors from this. Ideally, we will go back to the old handling once performance has improved (have lots of ideas there). But I need this to unblock me in the meantime. Reviewed By: jeremydubreil Differential Revision: D4205507 fbshipit-source-id: 79cb9c8 8 years ago			`Object source = InferTaint.inferSecretSource();`
			`Object launderedSource = i.interfaceMethod(source);`
			`InferTaint.inferSensitiveSink(launderedSource);`
			`}`

[infer][checkers] Prevent the race conditions between the summaries passed as parameter to the checkers and the summaries from the specs table Summary: This is step further simplify the code to avoid cases where the summary of the procedure being analyzed can exist in two different versions: # one version is the summary passed as parameter to every checker # the other is a copy of the summary in the in-memory specs table This diff implements: # the analysis always run through the `Ondemand` module (was already the case before) # the summary of the procedure being analyzed is created at the beginning of the on-demand analysis call # all the checkers run in sequence, update their respective part of the payload and log errors to the error table # the summary is store at the end of the on-demand analysis call Reviewed By: sblackshear Differential Revision: D4787414 fbshipit-source-id: 2d115c9 8 years ago			`void propagateViaUnknownNativeCodeBad() {`
[quandary] cheaper handling of unknown code Summary: Let's introduce some concepts. A "known unknown" function is one for which no Java code exists (e.g., `native`, `abstract`, and `interface methods`). An "unknown unknown" function is one for which Java code may or may not exist, but we don't have the code or we choose not to analyze it (e.g., non-modeled methods from the core Java or Android libraries). Previously, Quandary handled both known unknowns and unknown unknowns by propagating taint from the parameters of the unknown function to its return value. It turns out that it is really expensive to do this for known unknown functions. D4142697 was the diff that starting handling known unknown functions in this way, and bisecting shows that it was the start of the recent performance problems for Quandary. This diff essentially reverts D4142697 by handling known unknowns as skips instead. Pragmatically, doing the propagation trick for Java/Android library functions (e.g., `String` functions!) matters much more, so i'm not too worried about the missed behaviors from this. Ideally, we will go back to the old handling once performance has improved (have lots of ideas there). But I need this to unblock me in the meantime. Reviewed By: jeremydubreil Differential Revision: D4205507 fbshipit-source-id: 79cb9c8 8 years ago			`Object source = InferTaint.inferSecretSource();`
			`Object launderedSource = nativeMethod(source);`
			`InferTaint.inferSensitiveSink(launderedSource);`
			`}`

[infer][checkers] Prevent the race conditions between the summaries passed as parameter to the checkers and the summaries from the specs table Summary: This is step further simplify the code to avoid cases where the summary of the procedure being analyzed can exist in two different versions: # one version is the summary passed as parameter to every checker # the other is a copy of the summary in the in-memory specs table This diff implements: # the analysis always run through the `Ondemand` module (was already the case before) # the summary of the procedure being analyzed is created at the beginning of the on-demand analysis call # all the checkers run in sequence, update their respective part of the payload and log errors to the error table # the summary is store at the end of the on-demand analysis call Reviewed By: sblackshear Differential Revision: D4787414 fbshipit-source-id: 2d115c9 8 years ago			`static void propagateViaUnknownAbstractCodeBad() {`
[quandary] cheaper handling of unknown code Summary: Let's introduce some concepts. A "known unknown" function is one for which no Java code exists (e.g., `native`, `abstract`, and `interface methods`). An "unknown unknown" function is one for which Java code may or may not exist, but we don't have the code or we choose not to analyze it (e.g., non-modeled methods from the core Java or Android libraries). Previously, Quandary handled both known unknowns and unknown unknowns by propagating taint from the parameters of the unknown function to its return value. It turns out that it is really expensive to do this for known unknown functions. D4142697 was the diff that starting handling known unknown functions in this way, and bisecting shows that it was the start of the recent performance problems for Quandary. This diff essentially reverts D4142697 by handling known unknowns as skips instead. Pragmatically, doing the propagation trick for Java/Android library functions (e.g., `String` functions!) matters much more, so i'm not too worried about the missed behaviors from this. Ideally, we will go back to the old handling once performance has improved (have lots of ideas there). But I need this to unblock me in the meantime. Reviewed By: jeremydubreil Differential Revision: D4205507 fbshipit-source-id: 79cb9c8 8 years ago			`Object source = InferTaint.inferSecretSource();`
			`Object launderedSource = nativeMethod(source);`
			`InferTaint.inferSensitiveSink(launderedSource);`
			`}`

[quandary] propagating taint from unknown procedures and constructors Summary: Right now, taint gets lost if it flows into a constructor or procedure whose implementation is missing. Since the core Java (e.g., String) and Android classes (e.g, Intent) are among these, this is bad. We could handle this by writing a bunch of models instead, but that would be a lot of work (plus we may still miss cases). Reviewed By: jvillard Differential Revision: D4051591 fbshipit-source-id: 65851c8 8 years ago			`}`