|
|
|
|
(*
|
|
|
|
|
* Copyright (c) 2016 - present Facebook, Inc.
|
|
|
|
|
* All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* This source code is licensed under the BSD style license found in the
|
|
|
|
|
* LICENSE file in the root directory of this source tree. An additional grant
|
|
|
|
|
* of patent rights can be found in the PATENTS file in the same directory.
|
|
|
|
|
*)
|
|
|
|
|
|
|
|
|
|
open! IStd
|
|
|
|
|
|
|
|
|
|
module F = Format
|
|
|
|
|
module L = Logging
|
|
|
|
|
|
|
|
|
|
module SourceKind = struct
|
|
|
|
|
type t =
|
|
|
|
|
| EnvironmentVariable (** source that was read from an environment variable *)
|
|
|
|
|
| Other (** for testing or uncategorized sources *)
|
|
|
|
|
| Unknown
|
|
|
|
|
[@@deriving compare]
|
|
|
|
|
|
|
|
|
|
let unknown = Unknown
|
|
|
|
|
|
|
|
|
|
let of_string = function
|
|
|
|
|
| "EnvironmentVariable" -> EnvironmentVariable
|
|
|
|
|
| _ -> Other
|
|
|
|
|
|
|
|
|
|
let external_sources =
|
|
|
|
|
List.map
|
|
|
|
|
~f:(fun { QuandaryConfig.Source.procedure; kind; } ->
|
|
|
|
|
QualifiedCppName.Match.of_fuzzy_qual_names [procedure], kind)
|
|
|
|
|
(QuandaryConfig.Source.of_json Config.quandary_sources)
|
|
|
|
|
|
|
|
|
|
(* return Some(source kind) if [procedure_name] is in the list of externally specified sources *)
|
|
|
|
|
let get_external_source pname =
|
|
|
|
|
let qualified_pname = Typ.Procname.get_qualifiers pname in
|
|
|
|
|
List.find_map
|
|
|
|
|
~f:(fun (qualifiers, kind) ->
|
|
|
|
|
if QualifiedCppName.Match.match_qualifiers qualifiers qualified_pname
|
|
|
|
|
then Some (of_string kind)
|
|
|
|
|
else None)
|
|
|
|
|
external_sources
|
|
|
|
|
|
|
|
|
|
let get pname _ = match pname with
|
|
|
|
|
| Typ.Procname.ObjC_Cpp _ ->
|
|
|
|
|
get_external_source pname
|
|
|
|
|
| Typ.Procname.C _ ->
|
|
|
|
|
begin
|
|
|
|
|
match Typ.Procname.to_string pname with
|
|
|
|
|
| "getenv" -> Some EnvironmentVariable
|
|
|
|
|
| _ -> get_external_source pname
|
|
|
|
|
end
|
|
|
|
|
| Typ.Procname.Block _ ->
|
|
|
|
|
None
|
|
|
|
|
| pname when BuiltinDecl.is_declared pname ->
|
|
|
|
|
None
|
|
|
|
|
| pname ->
|
|
|
|
|
failwithf "Non-C++ procname %a in C++ analysis@." Typ.Procname.pp pname
|
|
|
|
|
|
|
|
|
|
let get_tainted_formals pdesc _ =
|
|
|
|
|
Source.all_formals_untainted pdesc
|
|
|
|
|
|
|
|
|
|
let pp fmt = function
|
|
|
|
|
| EnvironmentVariable -> F.fprintf fmt "EnvironmentVariable"
|
|
|
|
|
| Other -> F.fprintf fmt "Other"
|
|
|
|
|
| Unknown -> F.fprintf fmt "Unknown"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
module CppSource = Source.Make(SourceKind)
|
|
|
|
|
|
|
|
|
|
module SinkKind = struct
|
|
|
|
|
|
|
|
|
|
type t =
|
|
|
|
|
| ShellExec (** shell exec function *)
|
|
|
|
|
| Other (** for testing or uncategorized sinks *)
|
|
|
|
|
[@@deriving compare]
|
|
|
|
|
|
|
|
|
|
let of_string = function
|
|
|
|
|
| "ShellExec" -> ShellExec
|
|
|
|
|
| _ -> Other
|
|
|
|
|
|
|
|
|
|
let external_sinks =
|
|
|
|
|
List.map
|
|
|
|
|
~f:(fun { QuandaryConfig.Sink.procedure; kind; index; } ->
|
|
|
|
|
QualifiedCppName.Match.of_fuzzy_qual_names [procedure], kind, index)
|
|
|
|
|
(QuandaryConfig.Sink.of_json Config.quandary_sinks)
|
|
|
|
|
|
|
|
|
|
(* taint the nth parameter (0-indexed) *)
|
|
|
|
|
let taint_nth n kind ~report_reachable =
|
|
|
|
|
[kind, n, report_reachable]
|
|
|
|
|
|
|
|
|
|
let taint_all actuals kind ~report_reachable =
|
|
|
|
|
List.mapi
|
|
|
|
|
~f:(fun actual_num _ -> kind, actual_num, report_reachable)
|
|
|
|
|
actuals
|
|
|
|
|
|
|
|
|
|
(* return Some(sink kind) if [procedure_name] is in the list of externally specified sinks *)
|
|
|
|
|
let get_external_sink pname actuals =
|
|
|
|
|
let qualified_pname = Typ.Procname.get_qualifiers pname in
|
|
|
|
|
List.find_map
|
|
|
|
|
~f:(fun (qualifiers, kind, index) ->
|
|
|
|
|
if QualifiedCppName.Match.match_qualifiers qualifiers qualified_pname
|
|
|
|
|
then
|
|
|
|
|
let kind = of_string kind in
|
|
|
|
|
try
|
|
|
|
|
let n = int_of_string index in
|
|
|
|
|
Some (taint_nth n kind ~report_reachable:true)
|
|
|
|
|
with Failure _ ->
|
|
|
|
|
(* couldn't parse the index, just taint everything *)
|
|
|
|
|
Some (taint_all actuals kind ~report_reachable:true)
|
|
|
|
|
else
|
|
|
|
|
None)
|
|
|
|
|
external_sinks
|
|
|
|
|
|
|
|
|
|
let get pname actuals _ =
|
|
|
|
|
match pname with
|
|
|
|
|
| Typ.Procname.ObjC_Cpp _ ->
|
|
|
|
|
Option.value (get_external_sink pname actuals) ~default:[]
|
|
|
|
|
| Typ.Procname.C _ ->
|
|
|
|
|
begin
|
|
|
|
|
match Typ.Procname.to_string pname with
|
|
|
|
|
| "execl" | "execlp" | "execle" | "execv" | "execvp" ->
|
|
|
|
|
taint_all actuals ShellExec ~report_reachable:false
|
|
|
|
|
| _ ->
|
|
|
|
|
Option.value (get_external_sink pname actuals) ~default:[]
|
|
|
|
|
end
|
|
|
|
|
| Typ.Procname.Block _ ->
|
|
|
|
|
[]
|
|
|
|
|
| pname when BuiltinDecl.is_declared pname ->
|
|
|
|
|
[]
|
|
|
|
|
| pname ->
|
|
|
|
|
failwithf "Non-C++ procname %a in C++ analysis@." Typ.Procname.pp pname
|
|
|
|
|
|
|
|
|
|
let pp fmt = function
|
|
|
|
|
| ShellExec -> F.fprintf fmt "ShellExec"
|
|
|
|
|
| Other -> F.fprintf fmt "Other"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
module CppSink = Sink.Make(SinkKind)
|
|
|
|
|
|
|
|
|
|
include
|
|
|
|
|
Trace.Make(struct
|
|
|
|
|
module Source = CppSource
|
|
|
|
|
module Sink = CppSink
|
|
|
|
|
|
|
|
|
|
let should_report source sink =
|
|
|
|
|
match Source.kind source, Sink.kind sink with
|
|
|
|
|
| EnvironmentVariable, ShellExec ->
|
|
|
|
|
true
|
|
|
|
|
| Other, Other ->
|
|
|
|
|
true
|
|
|
|
|
| _ ->
|
|
|
|
|
false
|
|
|
|
|
end)
|
