infer_clone/infer/tests/codetoanalyze/java/quandary/ExternalSpecs.java

/*
 * Copyright (c) 2017-present, Facebook, Inc.
 *
 * This source code is licensed under the MIT license found in the
 * LICENSE file in the root directory of this source tree.
 */

package codetoanalyze.java.quandary;

import android.app.Activity;
import android.content.Intent;
import android.util.Log;
import com.facebook.infer.builtins.InferTaint;

/** Testing that sources and sinks specified in external JSON work correctly */
public class ExternalSpecs {

  // we specify this as a source with kind PrivateData in .inferconfig
  private static Object privateDataSource() {
    return new Object();
  }

  public static void logExternalSourceBad() {
    Log.e("", (String) privateDataSource());
  }

  // we specified that this is a private data source, so passing it an intent sink like
  // startActivity() is fine
  public static void externalSourceAsIntentOk(Activity activity) {
    activity.startActivity((Intent) privateDataSource());
  }

  // we specify that index 1 is an external sink with type Logging in .inferconfig
  public static void loggingSink1(Object notASink, Object sink) {}

  public static void callExternalSinkBad() {
    loggingSink1(null, privateDataSource());
  }

  // passing to non-tainted param
  public static void callExternalSinkOk1() {
    loggingSink1(privateDataSource(), null);
  }

  // passing intent source to logging sink is fine
  public static void callExternalSinkOk2(Activity activity) {
    loggingSink1(null, activity.getIntent());
  }

  // we specify that all the indices are tainted with type Logging in .inferconfig
  public static void loggingSink2(Object sink1, Object sink2) {}

  public static void callExternalSink2Bad1() {
    loggingSink2(privateDataSource(), null);
  }

  public static void callExternalSink2Bad2() {
    loggingSink2(null, privateDataSource());
  }

  // passing intent sources to logging sink is fine
  public static void callExternalSink2Ok(Activity activity) {
    loggingSink2(activity.getIntent(), activity.getIntent());
  }

  static Object sanitizer(Object o) {
    return o;
  }

  void viaSanitizerOk() {
    Object source = InferTaint.inferSecretSource();
    Object sanitized = sanitizer(source);
    InferTaint.inferSensitiveSink(sanitized);
  }

  void sanitizeFootprint(Object o) {
    Object sanitized = sanitizer(o);
    InferTaint.inferSensitiveSink(sanitized);
  }

  void callSanitizeFootprintOk() {
    sanitizeFootprint(InferTaint.inferSecretSource());
  }

  Object returnSanitizedSource() {
    Object source = InferTaint.inferSecretSource();
    return sanitizer(source);
  }

  void callSinkOnSanitizedSourceOk() {
    InferTaint.inferSensitiveSink(returnSanitizedSource());
  }

  Object missedSanitizerBad() {
    Object source = InferTaint.inferSecretSource();
    Object sanitized = sanitizer(source);
    InferTaint.inferSensitiveSink(source);
    return sanitized;
  }

  void FN_sanitizeOneBranchBad(boolean b) {
    Object source = InferTaint.inferSecretSource();
    Object o;
    if (b) {
      o = sanitizer(source);
    } else {
      o = source;
    }
    InferTaint.inferSensitiveSink(o);
  }

  Object sanitizeOneBranchInCallee(Object o, boolean b) {
    if (b) {
      return sanitizer(o);
    } else {
      return o;
    }
  }

  void FN_sanitizerWeakUpdateBad(boolean b) {
    Object source = InferTaint.inferSecretSource();
    Object o = sanitizeOneBranchInCallee(source, b);
    InferTaint.inferSensitiveSink(o);
  }

  // if theres' a procedure with the same name defined in .inferconfig as a sink on parameter 1,
  // we shouldn't crash
  public static void loggingSink1() {}

  // we shouldn't fail when calling this either
  public static void loggingSink1(Object notASink) {}

  void callLoggingSink1sOk(Object o) {
    loggingSink1();
    loggingSink1(o);
  }

  public static Object sinkThatPropagates(Object o) {
    return o;
  }

  void callSinkThatPropagatesBad() {
    Object source = InferTaint.inferSecretSource();
    Object sourceAgain = sinkThatPropagates(source); // should report
    loggingSink1(null, sourceAgain); // should report here too
  }
}

interface InterfaceSpec {

  // marked as source in .inferconfig
  public Object source();

  // marked as sink in .inferconfig
  public void sink(Object o);
}

class InterfaceSpecImpl implements InterfaceSpec {

  @Override
  public Object source() {
    return null;
  }

  @Override
  public void sink(Object o) {}

  public void externalSpecBad() {
    sink(source());
  }
}

class ConstructorSink {

  // specified as a source in .inferconfig
  public ConstructorSink(Object o) {}

  public static ConstructorSink constructorSinkBad() {
    Object source = InferTaint.inferSecretSource();
    return new ConstructorSink(source);
  }
}
[quandary] allow sources to be specified in inferconfig Reviewed By: jberdine Differential Revision: D4448458 fbshipit-source-id: 5aa30c5 8 years ago			`/*`
Change license to MIT Summary: Change the license of the source code from BSD + PATENTS to MIT. Change `checkCopyright` to reflect the new license and learn some new file types. Generated with: ``` git grep BSD \| xargs -n 1 ./scripts/checkCopyright -i ``` Reviewed By: jeremydubreil, mbouaziz, jberdine Differential Revision: D8071249 fbshipit-source-id: 97ca23a 7 years ago			`* Copyright (c) 2017-present, Facebook, Inc.`
[quandary] allow sources to be specified in inferconfig Reviewed By: jberdine Differential Revision: D4448458 fbshipit-source-id: 5aa30c5 8 years ago			`*`
Change license to MIT Summary: Change the license of the source code from BSD + PATENTS to MIT. Change `checkCopyright` to reflect the new license and learn some new file types. Generated with: ``` git grep BSD \| xargs -n 1 ./scripts/checkCopyright -i ``` Reviewed By: jeremydubreil, mbouaziz, jberdine Differential Revision: D8071249 fbshipit-source-id: 97ca23a 7 years ago			`* This source code is licensed under the MIT license found in the`
			`* LICENSE file in the root directory of this source tree.`
[quandary] allow sources to be specified in inferconfig Reviewed By: jberdine Differential Revision: D4448458 fbshipit-source-id: 5aa30c5 8 years ago			`*/`

			`package codetoanalyze.java.quandary;`

			`import android.app.Activity;`
			`import android.content.Intent;`
			`import android.util.Log;`
			`import com.facebook.infer.builtins.InferTaint;`

			`/** Testing that sources and sinks specified in external JSON work correctly */`
			`public class ExternalSpecs {`

			`// we specify this as a source with kind PrivateData in .inferconfig`
			`private static Object privateDataSource() {`
			`return new Object();`
			`}`

			`public static void logExternalSourceBad() {`
			`Log.e("", (String) privateDataSource());`
			`}`

			`// we specified that this is a private data source, so passing it an intent sink like`
			`// startActivity() is fine`
			`public static void externalSourceAsIntentOk(Activity activity) {`
			`activity.startActivity((Intent) privateDataSource());`
			`}`

[quandary] allow sinks to be specified in inferconfig Reviewed By: jberdine Differential Revision: D4464461 fbshipit-source-id: 1b0359d 8 years ago			`// we specify that index 1 is an external sink with type Logging in .inferconfig`
			`public static void loggingSink1(Object notASink, Object sink) {}`

			`public static void callExternalSinkBad() {`
			`loggingSink1(null, privateDataSource());`
			`}`

			`// passing to non-tainted param`
			`public static void callExternalSinkOk1() {`
			`loggingSink1(privateDataSource(), null);`
			`}`

			`// passing intent source to logging sink is fine`
			`public static void callExternalSinkOk2(Activity activity) {`
			`loggingSink1(null, activity.getIntent());`
			`}`

			`// we specify that all the indices are tainted with type Logging in .inferconfig`
			`public static void loggingSink2(Object sink1, Object sink2) {}`

			`public static void callExternalSink2Bad1() {`
			`loggingSink2(privateDataSource(), null);`
			`}`

			`public static void callExternalSink2Bad2() {`
			`loggingSink2(null, privateDataSource());`
			`}`

			`// passing intent sources to logging sink is fine`
			`public static void callExternalSink2Ok(Activity activity) {`
			`loggingSink2(activity.getIntent(), activity.getIntent());`
			`}`

[quandary] support for basic return value sanitizers Summary: For now, we just support clearing the taint on a return value. Ideally, we would associate a kind with the sanitizer and only clear taint that matches that kind. However, it's fairly complicated to make that work properly with footprint sources. I have some ideas about how to do it with passthroughs instead, but let's just do the simple thing for now. Reviewed By: jeremydubreil Differential Revision: D5141906 fbshipit-source-id: a5b8b5e 8 years ago			`static Object sanitizer(Object o) {`
			`return o;`
			`}`

			`void viaSanitizerOk() {`
			`Object source = InferTaint.inferSecretSource();`
			`Object sanitized = sanitizer(source);`
			`InferTaint.inferSensitiveSink(sanitized);`
			`}`

			`void sanitizeFootprint(Object o) {`
			`Object sanitized = sanitizer(o);`
			`InferTaint.inferSensitiveSink(sanitized);`
			`}`

			`void callSanitizeFootprintOk() {`
			`sanitizeFootprint(InferTaint.inferSecretSource());`
			`}`

			`Object returnSanitizedSource() {`
			`Object source = InferTaint.inferSecretSource();`
			`return sanitizer(source);`
			`}`

			`void callSinkOnSanitizedSourceOk() {`
			`InferTaint.inferSensitiveSink(returnSanitizedSource());`
			`}`

			`Object missedSanitizerBad() {`
			`Object source = InferTaint.inferSecretSource();`
			`Object sanitized = sanitizer(source);`
			`InferTaint.inferSensitiveSink(source);`
			`return sanitized;`
			`}`

[quandary] tests documenting limitations of sanitizers Reviewed By: mbouaziz Differential Revision: D7257570 fbshipit-source-id: 5f97e31 7 years ago			`void FN_sanitizeOneBranchBad(boolean b) {`
			`Object source = InferTaint.inferSecretSource();`
			`Object o;`
			`if (b) {`
			`o = sanitizer(source);`
			`} else {`
			`o = source;`
			`}`
			`InferTaint.inferSensitiveSink(o);`
			`}`

			`Object sanitizeOneBranchInCallee(Object o, boolean b) {`
			`if (b) {`
			`return sanitizer(o);`
			`} else {`
			`return o;`
			`}`
			`}`

			`void FN_sanitizerWeakUpdateBad(boolean b) {`
			`Object source = InferTaint.inferSecretSource();`
			`Object o = sanitizeOneBranchInCallee(source, b);`
			`InferTaint.inferSensitiveSink(o);`
			`}`

[quandary] handle procedures that have name conflict with sinks, but different number of args Summary: When a sink name is specified in `.inferconfig` or in OCaml, it might conflict with a function of the same name that has a different number of args. We shouldn't try to create a sink in this case, and we definitely shouldn't crash. Reviewed By: jeremydubreil Differential Revision: D5561216 fbshipit-source-id: fa1859b 7 years ago			`// if theres' a procedure with the same name defined in .inferconfig as a sink on parameter 1,`
			`// we shouldn't crash`
			`public static void loggingSink1() {}`

			`// we shouldn't fail when calling this either`
[RFC] Format all java files Reviewed By: jeremydubreil Differential Revision: D10067033 fbshipit-source-id: 73975664e 6 years ago			`public static void loggingSink1(Object notASink) {}`
[quandary] handle procedures that have name conflict with sinks, but different number of args Summary: When a sink name is specified in `.inferconfig` or in OCaml, it might conflict with a function of the same name that has a different number of args. We shouldn't try to create a sink in this case, and we definitely shouldn't crash. Reviewed By: jeremydubreil Differential Revision: D5561216 fbshipit-source-id: fa1859b 7 years ago
			`void callLoggingSink1sOk(Object o) {`
			`loggingSink1();`
			`loggingSink1(o);`
			`}`
[quandary] support for basic return value sanitizers Summary: For now, we just support clearing the taint on a return value. Ideally, we would associate a kind with the sanitizer and only clear taint that matches that kind. However, it's fairly complicated to make that work properly with footprint sources. I have some ideas about how to do it with passthroughs instead, but let's just do the simple thing for now. Reviewed By: jeremydubreil Differential Revision: D5141906 fbshipit-source-id: a5b8b5e 8 years ago
[quandary] apply summary for sinks Summary: A function can both be a sink and propagate source info, but we currently ignore the summary for any function that is also a sink. This will cause us to under-report for (e.g.) `src1 = source(); src2 = strcpy(dest, src1); exec(src2)`. This is both a potential buffer overflow and a potential shell injection, but we won't report the second issue. Reviewed By: jberdine Differential Revision: D5676167 fbshipit-source-id: 232ab2f 7 years ago			`public static Object sinkThatPropagates(Object o) {`
			`return o;`
			`}`

			`void callSinkThatPropagatesBad() {`
			`Object source = InferTaint.inferSecretSource();`
			`Object sourceAgain = sinkThatPropagates(source); // should report`
			`loggingSink1(null, sourceAgain); // should report here too`
			`}`
[quandary] allow sources to be specified in inferconfig Reviewed By: jberdine Differential Revision: D4448458 fbshipit-source-id: 5aa30c5 8 years ago			`}`
[quandary] check for subclassing in externally specified sources/sinks Reviewed By: jeremydubreil Differential Revision: D7221876 fbshipit-source-id: 682900e 7 years ago
			`interface InterfaceSpec {`

			`// marked as source in .inferconfig`
			`public Object source();`

			`// marked as sink in .inferconfig`
			`public void sink(Object o);`
			`}`

			`class InterfaceSpecImpl implements InterfaceSpec {`

			`@Override`
			`public Object source() {`
			`return null;`
			`}`

			`@Override`
			`public void sink(Object o) {}`

			`public void externalSpecBad() {`
			`sink(source());`
			`}`
			`}`
[quandary] don't crash if JSON source/sink is invalid procedure name Summary: At the moment, Java and Clang sources/sinks live in the same inferconfig entry. If we try to parse a Java procedure that happens to be an invalid Clang qualified name (e.g., `MyClass.<init>`), parsing will crash. As a temporary fix, throw an exception and catch it instead. In the future, we can avoid this by requiring that JSON source/sink specifications to indicate the language. Reviewed By: mbouaziz Differential Revision: D7291880 fbshipit-source-id: f8f4502 7 years ago
			`class ConstructorSink {`

			`// specified as a source in .inferconfig`
[RFC] Format all java files Reviewed By: jeremydubreil Differential Revision: D10067033 fbshipit-source-id: 73975664e 6 years ago			`public ConstructorSink(Object o) {}`
[quandary] don't crash if JSON source/sink is invalid procedure name Summary: At the moment, Java and Clang sources/sinks live in the same inferconfig entry. If we try to parse a Java procedure that happens to be an invalid Clang qualified name (e.g., `MyClass.<init>`), parsing will crash. As a temporary fix, throw an exception and catch it instead. In the future, we can avoid this by requiring that JSON source/sink specifications to indicate the language. Reviewed By: mbouaziz Differential Revision: D7291880 fbshipit-source-id: f8f4502 7 years ago
			`public static ConstructorSink constructorSinkBad() {`
			`Object source = InferTaint.inferSecretSource();`
			`return new ConstructorSink(source);`
			`}`
			`}`