infer_clone/infer/src/quandary/JavaTaintAnalysis.ml

(*
 * Copyright (c) 2016 - present Facebook, Inc.
 * All rights reserved.
 *
 * This source code is licensed under the BSD style license found in the
 * LICENSE file in the root directory of this source tree. An additional grant
 * of patent rights can be found in the PATENTS file in the same directory.
 *)

open! IStd

module F = Format
module L = Logging

include
  TaintAnalysis.Make(struct
    module Trace = JavaTrace
    module AccessTree = AccessTree.Make(Trace)

    let to_summary_access_tree access_tree = QuandarySummary.AccessTree.Java access_tree

    let of_summary_access_tree = function
      | QuandarySummary.AccessTree.Java access_tree -> access_tree
      | _ -> assert false

    let handle_unknown_call pname ret_typ_opt actuals tenv =
      let get_receiver_typ tenv = function
        | HilExp.AccessPath access_path -> AccessPath.Raw.get_typ access_path tenv
        | _ -> None in
      let types_match typ class_string tenv =
        match typ with
        | Some ({ Typ.desc=Typ.Tptr ({desc=Tstruct original_typename}, _) }) ->
            PatternMatch.supertype_exists
              tenv
              (fun typename _ -> String.equal (Typ.Name.name typename) class_string)
              original_typename
        | _ ->
            false in
      match pname with
      | (Typ.Procname.Java java_pname) as pname ->
          let is_static = Typ.Procname.java_is_static pname in
          begin
            match Typ.Procname.java_get_class_name java_pname,
                  Typ.Procname.java_get_method java_pname,
                  ret_typ_opt with
            | "android.content.Intent", ("putExtra" | "putExtras"), _ ->
                (* don't care about tainted extras. instead. we'll check that result of getExtra is
                   always used safely *)
                []
            | _ when Typ.Procname.is_constructor pname ->
                [TaintSpec.Propagate_to_receiver]
            | _, _, (Some {Typ.desc=Tvoid} | None) when not is_static ->
                (* for instance methods with no return value, propagate the taint to the receiver *)
                [TaintSpec.Propagate_to_receiver]
            | classname, _, Some ({Typ.desc=Tptr _ | Tstruct _}) ->
                begin
                  match actuals with
                  | receiver_exp :: _
                    when not is_static &&
                         types_match (get_receiver_typ tenv receiver_exp) classname tenv ->
                      (* if the receiver and return type are the same, propagate to both. we're
                         assuming the call is one of the common "builder-style" methods that both
                         updates and returns the receiver *)
                      [TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]
                  | _ ->
                      (* receiver doesn't match return type; just propagate to the return type *)
                      [TaintSpec.Propagate_to_return]
                end
            | _ ->
                []
          end
      | pname when BuiltinDecl.is_declared pname ->
          []
      | pname ->
          failwithf "Non-Java procname %a in Java analysis@." Typ.Procname.pp pname

    let external_sanitizers =
      List.map
        ~f:(fun { QuandaryConfig.Sanitizer.procedure; } -> Str.regexp procedure)
        (QuandaryConfig.Sanitizer.of_json Config.quandary_sanitizers)

    let get_sanitizer = function
      | Typ.Procname.Java java_pname ->
          let procedure_string =
            Printf.sprintf "%s.%s"
              (Typ.Procname.java_get_class_name java_pname)
              (Typ.Procname.java_get_method java_pname) in
          List.find_map
            ~f:(fun procedure_regex ->
                if Str.string_match procedure_regex procedure_string 0
                then Some TaintSpec.Return
                else None)
            external_sanitizers
      | _ ->
          None

    let is_taintable_type typ =
      match typ.Typ.desc with
      | Typ.Tptr ({desc=Tstruct (JavaClass typename)}, _) | Tstruct (JavaClass typename) ->
          begin
            match Mangled.to_string_full typename with
            | "android.content.Intent"
            | "android.net.Uri"
            | "java.lang.String"
            | "java.net.URI" ->
                true
            | _ ->
                false
          end
      | _ ->
          false
  end)
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago			`(*`
			`* Copyright (c) 2016 - present Facebook, Inc.`
			`* All rights reserved.`
			`*`
			`* This source code is licensed under the BSD style license found in the`
			`* LICENSE file in the root directory of this source tree. An additional grant`
			`* of patent rights can be found in the PATENTS file in the same directory.`
			`*)`

Divide Utils into Utils, Pp, and IStd Summary: Utils contains definitions intended to be in the global namespace for all of the infer code-base, as well as pretty-printing functions, and assorted utility functions mostly for dealing with files and processes. This diff changes the module opened into the global namespace to IStd (Std conflict with extlib), and moves the pretty-printing definitions from Utils to Pp. Reviewed By: jvillard Differential Revision: D4232457 fbshipit-source-id: 1e070e0 8 years ago			`open! IStd`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago
			`module F = Format`
			`module L = Logging`

			`include`
			`TaintAnalysis.Make(struct`
[quandary] adding TaintSpec module for clearer naming Reviewed By: jberdine Differential Revision: D3997622 fbshipit-source-id: 3f22c8e 9 years ago			`module Trace = JavaTrace`
[quandary] summaries are access trees too Summary: Previously, summaries worked by flattening the access tree representing the post of the procedure into (in essence) a list of functions from caller input traces to callee output traces. This is inefficient in many ways, and is also much more complex than just using the original access tree as the summary. One big inefficiency of the old way is this: calling `Trace.append` is slow, and we want to do it as few times as possible. Under the old summary system, we would do it at most once for each "function" in the summary list. Now, we'll do it at most once for each node in the access tree summary. This will be a smaller number of calls, since each node can summarize many input/output relationships. Reviewed By: jeremydubreil Differential Revision: D4271579 fbshipit-source-id: 34e407a 8 years ago			`module AccessTree = AccessTree.Make(Trace)`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago
[quandary] summaries are access trees too Summary: Previously, summaries worked by flattening the access tree representing the post of the procedure into (in essence) a list of functions from caller input traces to callee output traces. This is inefficient in many ways, and is also much more complex than just using the original access tree as the summary. One big inefficiency of the old way is this: calling `Trace.append` is slow, and we want to do it as few times as possible. Under the old summary system, we would do it at most once for each "function" in the summary list. Now, we'll do it at most once for each node in the access tree summary. This will be a smaller number of calls, since each node can summarize many input/output relationships. Reviewed By: jeremydubreil Differential Revision: D4271579 fbshipit-source-id: 34e407a 8 years ago			`let to_summary_access_tree access_tree = QuandarySummary.AccessTree.Java access_tree`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago
[quandary] summaries are access trees too Summary: Previously, summaries worked by flattening the access tree representing the post of the procedure into (in essence) a list of functions from caller input traces to callee output traces. This is inefficient in many ways, and is also much more complex than just using the original access tree as the summary. One big inefficiency of the old way is this: calling `Trace.append` is slow, and we want to do it as few times as possible. Under the old summary system, we would do it at most once for each "function" in the summary list. Now, we'll do it at most once for each node in the access tree summary. This will be a smaller number of calls, since each node can summarize many input/output relationships. Reviewed By: jeremydubreil Differential Revision: D4271579 fbshipit-source-id: 34e407a 8 years ago			`let of_summary_access_tree = function`
			`\| QuandarySummary.AccessTree.Java access_tree -> access_tree`
[quandary] skeleton for C++ analysis Differential Revision: D3998518 fbshipit-source-id: e90c46d 9 years ago			`\| _ -> assert false`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago
[quandary] better taint propagation for Intent's Reviewed By: mburman Differential Revision: D4491864 fbshipit-source-id: 059b204 8 years ago			`let handle_unknown_call pname ret_typ_opt actuals tenv =`
[quandary] delegate handling of call to HIL Reviewed By: jeremydubreil Differential Revision: D4950905 fbshipit-source-id: ea35d83 8 years ago			`let get_receiver_typ tenv = function`
			`\| HilExp.AccessPath access_path -> AccessPath.Raw.get_typ access_path tenv`
			`\| _ -> None in`
			`let types_match typ class_string tenv =`
			`match typ with`
			`\| Some ({ Typ.desc=Typ.Tptr ({desc=Tstruct original_typename}, _) }) ->`
[quandary] better taint propagation for Intent's Reviewed By: mburman Differential Revision: D4491864 fbshipit-source-id: 059b204 8 years ago			`PatternMatch.supertype_exists`
			`tenv`
[IR] Make template info part of Typename.t, rename Typename to Typ.Name Reviewed By: jberdine Differential Revision: D4722070 fbshipit-source-id: 0bf8996 8 years ago			`(fun typename _ -> String.equal (Typ.Name.name typename) class_string)`
[quandary] better taint propagation for Intent's Reviewed By: mburman Differential Revision: D4491864 fbshipit-source-id: 059b204 8 years ago			`original_typename`
			`\| _ ->`
			`false in`
[quandary] making it easier to specify behavior for unknown functions Summary: In Java, we handle unknown code by propagating behavior from the parameters of the unknown function call to the return value (or constructed object, in the case of a constructor). But we do this in a somewhat silly way--generating a new summary with these semantics at each unknown call site. Instead, this diff introduces these two options as predefined behaviors and adds specialized code for them. As a side effect of this approach, unknown functions are no longer counted as passthroughs. This is ok; the original behavior was less of a reasoned decision and more of an unintended consequence of the way we decided to handle unknown code. This new approach ought to be more efficient than the old one, and as a virtuous side effect it will be easier to specify how to handle unknown code in other languages like C++. Reviewed By: jeremydubreil Differential Revision: D4205624 fbshipit-source-id: bf97445 8 years ago			`match pname with`
[codemod] Move `Procname` into `Typ.Procname` Summary: `Procname` needs to depend on `Typ.t` and `Typ.Struct` depends on `Procname.t`. To resolve this circular dependency issue, move `Procname` into `Typ` steps: 1. Move everything from `Procname` to `Typ.Procname`, remove `Procname.re(i)` 2. search & replace `Procname.` with `Typ.Procname.` 3. fix outstanding compilation issues manually 4. `yes \| arc lint` Reviewed By: jberdine Differential Revision: D4681509 fbshipit-source-id: b07af63 8 years ago			`\| (Typ.Procname.Java java_pname) as pname ->`
			`let is_static = Typ.Procname.java_is_static pname in`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago			`begin`
[codemod] Move `Procname` into `Typ.Procname` Summary: `Procname` needs to depend on `Typ.t` and `Typ.Struct` depends on `Procname.t`. To resolve this circular dependency issue, move `Procname` into `Typ` steps: 1. Move everything from `Procname` to `Typ.Procname`, remove `Procname.re(i)` 2. search & replace `Procname.` with `Typ.Procname.` 3. fix outstanding compilation issues manually 4. `yes \| arc lint` Reviewed By: jberdine Differential Revision: D4681509 fbshipit-source-id: b07af63 8 years ago			`match Typ.Procname.java_get_class_name java_pname,`
			`Typ.Procname.java_get_method java_pname,`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago			`ret_typ_opt with`
[quandary] don't complain about transferring extras between intents Reviewed By: AmarBhosale Differential Revision: D4806571 fbshipit-source-id: cf138e9 8 years ago			`\| "android.content.Intent", ("putExtra" \| "putExtras"), _ ->`
			`(* don't care about tainted extras. instead. we'll check that result of getExtra is`
			`always used safely *)`
			`[]`
[codemod] Move `Procname` into `Typ.Procname` Summary: `Procname` needs to depend on `Typ.t` and `Typ.Struct` depends on `Procname.t`. To resolve this circular dependency issue, move `Procname` into `Typ` steps: 1. Move everything from `Procname` to `Typ.Procname`, remove `Procname.re(i)` 2. search & replace `Procname.` with `Typ.Procname.` 3. fix outstanding compilation issues manually 4. `yes \| arc lint` Reviewed By: jberdine Differential Revision: D4681509 fbshipit-source-id: b07af63 8 years ago			`\| _ when Typ.Procname.is_constructor pname ->`
[quandary] making it easier to specify behavior for unknown functions Summary: In Java, we handle unknown code by propagating behavior from the parameters of the unknown function call to the return value (or constructed object, in the case of a constructor). But we do this in a somewhat silly way--generating a new summary with these semantics at each unknown call site. Instead, this diff introduces these two options as predefined behaviors and adds specialized code for them. As a side effect of this approach, unknown functions are no longer counted as passthroughs. This is ok; the original behavior was less of a reasoned decision and more of an unintended consequence of the way we decided to handle unknown code. This new approach ought to be more efficient than the old one, and as a virtuous side effect it will be easier to specify how to handle unknown code in other languages like C++. Reviewed By: jeremydubreil Differential Revision: D4205624 fbshipit-source-id: bf97445 8 years ago			`[TaintSpec.Propagate_to_receiver]`
[IR] add type qualifiers to Typ.t Reviewed By: jberdine, jvillard Differential Revision: D4867359 fbshipit-source-id: eef5be0 8 years ago			`\| _, _, (Some {Typ.desc=Tvoid} \| None) when not is_static ->`
[quandary] for instance methods with no return value, propagate the taint to the receiver Summary: If we have code like ``` o.setF(source()) sink(o) ``` and `setF` is an unknown method, we probably want to report. Reviewed By: jeremydubreil, mburman Differential Revision: D4438896 fbshipit-source-id: 5edd204 8 years ago			`(* for instance methods with no return value, propagate the taint to the receiver *)`
			`[TaintSpec.Propagate_to_receiver]`
[IR] add type qualifiers to Typ.t Reviewed By: jberdine, jvillard Differential Revision: D4867359 fbshipit-source-id: eef5be0 8 years ago			`\| classname, _, Some ({Typ.desc=Tptr _ \| Tstruct _}) ->`
[quandary] improve taint propagation for unknown calls Summary: When the receiver type and return type of an unknown call are the same, propagate taint to both the receiver and the return type. This does the right thing for common "builder-style" methods that both update and return the receiver. We already had custom models for a few such methods (e.g., `StringBuilder.append`), but we can remove them now. Reviewed By: jeremydubreil Differential Revision: D4490071 fbshipit-source-id: 325ea88 8 years ago			`begin`
			`match actuals with`
[quandary] delegate handling of call to HIL Reviewed By: jeremydubreil Differential Revision: D4950905 fbshipit-source-id: ea35d83 8 years ago			`\| receiver_exp :: _`
			`when not is_static &&`
			`types_match (get_receiver_typ tenv receiver_exp) classname tenv ->`
[quandary] improve taint propagation for unknown calls Summary: When the receiver type and return type of an unknown call are the same, propagate taint to both the receiver and the return type. This does the right thing for common "builder-style" methods that both update and return the receiver. We already had custom models for a few such methods (e.g., `StringBuilder.append`), but we can remove them now. Reviewed By: jeremydubreil Differential Revision: D4490071 fbshipit-source-id: 325ea88 8 years ago			`(* if the receiver and return type are the same, propagate to both. we're`
			`assuming the call is one of the common "builder-style" methods that both`
			`updates and returns the receiver *)`
			`[TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]`
			`\| _ ->`
			`(* receiver doesn't match return type; just propagate to the return type *)`
			`[TaintSpec.Propagate_to_return]`
			`end`
			`\| _ ->`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago			`[]`
			`end`
[backend] Split construction of builtin pnames and builtin registration Summary: this makes frontends no longer depend on SymExec.ml. `ModelBuiltins` was split into two modules: - `BuiltinDecl` with procnames for builtins (used to determine whether some function is a builtin) - `BuiltinDefn` with implementations used by `SymExec` - they both have similar type defined in `BUILTINS.S` which makes sure that new builtin gets added into both modules. During the refactor I ran some scripts: `BuiltinDecl.ml`: let X = create_procname "X" cat BuiltinDecl.ml \| grep "create_procname" \| tail -70 \| awk ' { print $1,$2,$3,$4,"\42"$2"\42"} ' then manually confirm string match. Exceptions: "__exit" -> "_exit" "objc_cpp_throw" -> "__infer_objc_cpp_throw" __objc_dictionary_literal nsArray_arrayWithObjects nsArray_arrayWithObjectsCount `BuiltinDefn.ml`: let X = Builtin.register BuiltinDecl.X execute_X cat BuiltinDecl.ml \| grep "create_procname" \| tail -70 \| awk ' { print $1,$2,$3,"Builtin.register BuiltinDecl."$2,"execute_"$2} ' then, fix all compilation problems Reviewed By: jberdine Differential Revision: D3951035 fbshipit-source-id: f059602 8 years ago			`\| pname when BuiltinDecl.is_declared pname ->`
[quandary] fix missing check for builtin in Quandary models Reviewed By: jeremydubreil Differential Revision: D3972830 fbshipit-source-id: d431dfe 9 years ago			`[]`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago			`\| pname ->`
[codemod] Move `Procname` into `Typ.Procname` Summary: `Procname` needs to depend on `Typ.t` and `Typ.Struct` depends on `Procname.t`. To resolve this circular dependency issue, move `Procname` into `Typ` steps: 1. Move everything from `Procname` to `Typ.Procname`, remove `Procname.re(i)` 2. search & replace `Procname.` with `Typ.Procname.` 3. fix outstanding compilation issues manually 4. `yes \| arc lint` Reviewed By: jberdine Differential Revision: D4681509 fbshipit-source-id: b07af63 8 years ago			`failwithf "Non-Java procname %a in Java analysis@." Typ.Procname.pp pname`
[quandary] optimize handling of unknown code by adding notion of 'taintable types' Reviewed By: jeremydubreil Differential Revision: D4846886 fbshipit-source-id: d8364cc 8 years ago
[quandary] support for basic return value sanitizers Summary: For now, we just support clearing the taint on a return value. Ideally, we would associate a kind with the sanitizer and only clear taint that matches that kind. However, it's fairly complicated to make that work properly with footprint sources. I have some ideas about how to do it with passthroughs instead, but let's just do the simple thing for now. Reviewed By: jeremydubreil Differential Revision: D5141906 fbshipit-source-id: a5b8b5e 8 years ago			`let external_sanitizers =`
			`List.map`
			`~f:(fun { QuandaryConfig.Sanitizer.procedure; } -> Str.regexp procedure)`
			`(QuandaryConfig.Sanitizer.of_json Config.quandary_sanitizers)`

			`let get_sanitizer = function`
			`\| Typ.Procname.Java java_pname ->`
			`let procedure_string =`
			`Printf.sprintf "%s.%s"`
			`(Typ.Procname.java_get_class_name java_pname)`
			`(Typ.Procname.java_get_method java_pname) in`
			`List.find_map`
			`~f:(fun procedure_regex ->`
			`if Str.string_match procedure_regex procedure_string 0`
			`then Some TaintSpec.Return`
			`else None)`
			`external_sanitizers`
			`\| _ ->`
			`None`

			`let is_taintable_type typ =`
[IR] add type qualifiers to Typ.t Reviewed By: jberdine, jvillard Differential Revision: D4867359 fbshipit-source-id: eef5be0 8 years ago			`match typ.Typ.desc with`
			`\| Typ.Tptr ({desc=Tstruct (JavaClass typename)}, _) \| Tstruct (JavaClass typename) ->`
[quandary] optimize handling of unknown code by adding notion of 'taintable types' Reviewed By: jeremydubreil Differential Revision: D4846886 fbshipit-source-id: d8364cc 8 years ago			`begin`
			`match Mangled.to_string_full typename with`
			`\| "android.content.Intent"`
			`\| "android.net.Uri"`
			`\| "java.lang.String"`
			`\| "java.net.URI" ->`
			`true`
			`\| _ ->`
			`false`
			`end`
			`\| _ ->`
			`false`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago			`end)`