infer_clone/infer/src/quandary/ClangTaintAnalysis.ml

(*
 * Copyright (c) 2016 - present Facebook, Inc.
 * All rights reserved.
 *
 * This source code is licensed under the BSD style license found in the
 * LICENSE file in the root directory of this source tree. An additional grant
 * of patent rights can be found in the PATENTS file in the same directory.
 *)

open! IStd
module F = Format
module L = Logging

include TaintAnalysis.Make (struct
  module Trace = ClangTrace
  module AccessTree = AccessTree.Make (Trace)

  let to_summary_access_tree tree = QuandarySummary.AccessTree.Clang tree

  let of_summary_access_tree = function
    | QuandarySummary.AccessTree.Clang tree
     -> tree
    | _
     -> assert false

  let handle_unknown_call pname ret_typ_opt actuals _ =
    let handle_generic_unknown ret_typ_opt actuals =
      match (ret_typ_opt, List.rev actuals) with
      | Some _, _
       -> (* propagate taint from actuals to return value *)
          [TaintSpec.Propagate_to_return]
      | None, []
       -> []
      | None, _ when Typ.Procname.is_constructor pname
       -> (* "this" is always the first arg of a constructor; propagate taint there *)
          [TaintSpec.Propagate_to_receiver]
      | ( None
        , (HilExp.AccessPath ((Var.ProgramVar pvar, {desc= Typ.Tptr (_, Typ.Pk_pointer)}), []))
          :: _ )
        when Pvar.is_frontend_tmp pvar
       -> (* no return value, but the frontend has introduced a dummy return variable and will
               assign the return value to this variable. So propagate taint to the dummy return
               variable *)
          let actual_index = List.length actuals - 1 in
          [TaintSpec.Propagate_to_actual actual_index]
      | None, _
       -> (* no return value; propagate taint from actuals to receiver *)
          [TaintSpec.Propagate_to_receiver]
    in
    (* if we have a specific model for a procedure, use that. otherwise, use the generic
         heuristics for dealing with unknown code *)
    match Typ.Procname.get_method pname with
    | "operator+="
    | "operator-="
    | "operator*="
    | "operator/="
    | "operator%="
    | "operator<<="
    | "operator>>="
    | "operator&="
    | "operator^="
    | "operator|="
     -> [TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]
    | "memcpy" | "memmove" | "strcpy" | "strncpy"
     -> [TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]
    | "sprintf"
     -> [TaintSpec.Propagate_to_receiver]
    | _
     -> handle_generic_unknown ret_typ_opt actuals

  (* treat folly functions as unknown library code. we often specify folly functions as sinks,
       and we don't want to double-report if these functions eventually call other sinks (e.g.,
       when folly::Subprocess calls exec), in addition some folly functions are heavily optimized in
       a way that obscures what they're actually doing (e.g., they use assembly code). it's better
       to write models for these functions or treat them as unknown *)
  let models_matcher = QualifiedCppName.Match.of_fuzzy_qual_names ["folly"]

  let get_model pname ret_typ_opt actuals tenv summary =
    (* hack for default C++ constructors, which get translated as an empty body (and will thus
         have an empty summary). We don't want that because we want to be able to propagate taint
         from comstructor parameters to the constructed object. so we treat the empty constructor
         as a skip function instead *)
    let is_default_constructor pname =
      Typ.Procname.is_c_method pname && Typ.Procname.is_constructor pname
      && AccessTree.BaseMap.is_empty summary
    in
    match pname with
    | Typ.Procname.ObjC_Cpp _
      when is_default_constructor pname
           || QualifiedCppName.Match.match_qualifiers models_matcher
                (Typ.Procname.get_qualifiers pname)
     -> Some (handle_unknown_call pname ret_typ_opt actuals tenv)
    | _
     -> None

  let external_sanitizers =
    List.map
      ~f:(fun {QuandaryConfig.Sanitizer.procedure} ->
        QualifiedCppName.Match.of_fuzzy_qual_names [procedure])
      (QuandaryConfig.Sanitizer.of_json Config.quandary_sanitizers)

  let get_sanitizer pname =
    let qualified_pname = Typ.Procname.get_qualifiers pname in
    List.find_map
      ~f:(fun qualifiers ->
        if QualifiedCppName.Match.match_qualifiers qualifiers qualified_pname then
          Some TaintSpec.Return
        else None)
      external_sanitizers

  let is_taintable_type _ = true
end)
[quandary] skeleton for C++ analysis Differential Revision: D3998518 fbshipit-source-id: e90c46d 9 years ago			`(*`
			`* Copyright (c) 2016 - present Facebook, Inc.`
			`* All rights reserved.`
			`*`
			`* This source code is licensed under the BSD style license found in the`
			`* LICENSE file in the root directory of this source tree. An additional grant`
			`* of patent rights can be found in the PATENTS file in the same directory.`
			`*)`

Divide Utils into Utils, Pp, and IStd Summary: Utils contains definitions intended to be in the global namespace for all of the infer code-base, as well as pretty-printing functions, and assorted utility functions mostly for dealing with files and processes. This diff changes the module opened into the global namespace to IStd (Std conflict with extlib), and moves the pretty-printing definitions from Utils to Pp. Reviewed By: jvillard Differential Revision: D4232457 fbshipit-source-id: 1e070e0 8 years ago			`open! IStd`
[quandary] skeleton for C++ analysis Differential Revision: D3998518 fbshipit-source-id: e90c46d 9 years ago			`module F = Format`
			`module L = Logging`

Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786 8 years ago			`include TaintAnalysis.Make (struct`
			`module Trace = ClangTrace`
			`module AccessTree = AccessTree.Make (Trace)`
[quandary] skeleton for C++ analysis Differential Revision: D3998518 fbshipit-source-id: e90c46d 9 years ago
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786 8 years ago			`let to_summary_access_tree tree = QuandarySummary.AccessTree.Clang tree`
[quandary] skeleton for C++ analysis Differential Revision: D3998518 fbshipit-source-id: e90c46d 9 years ago
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786 8 years ago			`let of_summary_access_tree = function`
			`\| QuandarySummary.AccessTree.Clang tree`
			`-> tree`
			`\| _`
			`-> assert false`
[quandary] skeleton for C++ analysis Differential Revision: D3998518 fbshipit-source-id: e90c46d 9 years ago
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786 8 years ago			`let handle_unknown_call pname ret_typ_opt actuals _ =`
			`let handle_generic_unknown ret_typ_opt actuals =`
			`match (ret_typ_opt, List.rev actuals) with`
			`\| Some _, _`
			`-> (* propagate taint from actuals to return value *)`
			`[TaintSpec.Propagate_to_return]`
			`\| None, []`
			`-> []`
			`\| None, _ when Typ.Procname.is_constructor pname`
			`-> (* "this" is always the first arg of a constructor; propagate taint there *)`
			`[TaintSpec.Propagate_to_receiver]`
			`\| ( None`
			`, (HilExp.AccessPath ((Var.ProgramVar pvar, {desc= Typ.Tptr (_, Typ.Pk_pointer)}), []))`
			`:: _ )`
			`when Pvar.is_frontend_tmp pvar`
			`-> (* no return value, but the frontend has introduced a dummy return variable and will`
[quandary] tests for string functionality Summary: String are very important for taint analysis, have to make sure that we have the right models/the right behaviors for unknown code. Reviewed By: jvillard Differential Revision: D5054832 fbshipit-source-id: 7e7ee07 8 years ago			`assign the return value to this variable. So propagate taint to the dummy return`
			`variable *)`
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786 8 years ago			`let actual_index = List.length actuals - 1 in`
			`[TaintSpec.Propagate_to_actual actual_index]`
			`\| None, _`
			`-> (* no return value; propagate taint from actuals to receiver *)`
[quandary] handle return value passed by reference in sources Summary: Needed because this is how the Clang frontend translates returns of non-POD, non pointer values (I think)? Will handle the more general case of pass by reference soon. Reviewed By: jvillard Differential Revision: D5017653 fbshipit-source-id: 1fbcea5 8 years ago			`[TaintSpec.Propagate_to_receiver]`
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786 8 years ago			`in`
			`(* if we have a specific model for a procedure, use that. otherwise, use the generic`
			`heuristics for dealing with unknown code *)`
			`match Typ.Procname.get_method pname with`
			`\| "operator+="`
			`\| "operator-="`
			`\| "operator*="`
			`\| "operator/="`
			`\| "operator%="`
			`\| "operator<<="`
			`\| "operator>>="`
			`\| "operator&="`
			`\| "operator^="`
			`\| "operator\|="`
			`-> [TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]`
			`\| "memcpy" \| "memmove" \| "strcpy" \| "strncpy"`
			`-> [TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]`
			`\| "sprintf"`
			`-> [TaintSpec.Propagate_to_receiver]`
			`\| _`
			`-> handle_generic_unknown ret_typ_opt actuals`
[quandary] optimize handling of unknown code by adding notion of 'taintable types' Reviewed By: jeremydubreil Differential Revision: D4846886 fbshipit-source-id: d8364cc 8 years ago
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786 8 years ago			`(* treat folly functions as unknown library code. we often specify folly functions as sinks,`
[quandary] make it possible to specify code that should be modeled even if we have a summary Summary: Have found this useful in Quandary for fbcode, where we want to do this for folly due to its use of assembly (details in comments). Reviewed By: mbouaziz Differential Revision: D5167564 fbshipit-source-id: bf6d7e0 8 years ago			`and we don't want to double-report if these functions eventually call other sinks (e.g.,`
			`when folly::Subprocess calls exec), in addition some folly functions are heavily optimized in`
			`a way that obscures what they're actually doing (e.g., they use assembly code). it's better`
			`to write models for these functions or treat them as unknown *)`
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786 8 years ago			`let models_matcher = QualifiedCppName.Match.of_fuzzy_qual_names ["folly"]`
[quandary] make it possible to specify code that should be modeled even if we have a summary Summary: Have found this useful in Quandary for fbcode, where we want to do this for folly due to its use of assembly (details in comments). Reviewed By: mbouaziz Differential Revision: D5167564 fbshipit-source-id: bf6d7e0 8 years ago
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786 8 years ago			`let get_model pname ret_typ_opt actuals tenv summary =`
			`(* hack for default C++ constructors, which get translated as an empty body (and will thus`
[quandary] make it possible to specify code that should be modeled even if we have a summary Summary: Have found this useful in Quandary for fbcode, where we want to do this for folly due to its use of assembly (details in comments). Reviewed By: mbouaziz Differential Revision: D5167564 fbshipit-source-id: bf6d7e0 8 years ago			`have an empty summary). We don't want that because we want to be able to propagate taint`
			`from comstructor parameters to the constructed object. so we treat the empty constructor`
			`as a skip function instead *)`
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786 8 years ago			`let is_default_constructor pname =`
			`Typ.Procname.is_c_method pname && Typ.Procname.is_constructor pname`
			`&& AccessTree.BaseMap.is_empty summary`
			`in`
			`match pname with`
			`\| Typ.Procname.ObjC_Cpp _`
			`when is_default_constructor pname`
			`\|\| QualifiedCppName.Match.match_qualifiers models_matcher`
			`(Typ.Procname.get_qualifiers pname)`
			`-> Some (handle_unknown_call pname ret_typ_opt actuals tenv)`
			`\| _`
			`-> None`
[quandary] make it possible to specify code that should be modeled even if we have a summary Summary: Have found this useful in Quandary for fbcode, where we want to do this for folly due to its use of assembly (details in comments). Reviewed By: mbouaziz Differential Revision: D5167564 fbshipit-source-id: bf6d7e0 8 years ago
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786 8 years ago			`let external_sanitizers =`
			`List.map`
			`~f:(fun {QuandaryConfig.Sanitizer.procedure} ->`
			`QualifiedCppName.Match.of_fuzzy_qual_names [procedure])`
			`(QuandaryConfig.Sanitizer.of_json Config.quandary_sanitizers)`
[quandary] support for basic return value sanitizers Summary: For now, we just support clearing the taint on a return value. Ideally, we would associate a kind with the sanitizer and only clear taint that matches that kind. However, it's fairly complicated to make that work properly with footprint sources. I have some ideas about how to do it with passthroughs instead, but let's just do the simple thing for now. Reviewed By: jeremydubreil Differential Revision: D5141906 fbshipit-source-id: a5b8b5e 8 years ago
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786 8 years ago			`let get_sanitizer pname =`
			`let qualified_pname = Typ.Procname.get_qualifiers pname in`
			`List.find_map`
			`~f:(fun qualifiers ->`
			`if QualifiedCppName.Match.match_qualifiers qualifiers qualified_pname then`
			`Some TaintSpec.Return`
			`else None)`
			`external_sanitizers`
[quandary] support for basic return value sanitizers Summary: For now, we just support clearing the taint on a return value. Ideally, we would associate a kind with the sanitizer and only clear taint that matches that kind. However, it's fairly complicated to make that work properly with footprint sources. I have some ideas about how to do it with passthroughs instead, but let's just do the simple thing for now. Reviewed By: jeremydubreil Differential Revision: D5141906 fbshipit-source-id: a5b8b5e 8 years ago
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786 8 years ago			`let is_taintable_type _ = true`
			`end)`