richer sink specifications

Reviewed By: jeremydubreil

Differential Revision: D3831688

fbshipit-source-id: 199f1a5
master
Sam Blackshear 8 years ago committed by Facebook Github Bot 2
parent 0817ab0ec2
commit 27cfb141da

@ -130,18 +130,18 @@ module JavaSink = struct
let get site = let get site =
(* taint all the inputs of [pname] *) (* taint all the inputs of [pname] *)
let taint_all pname kind site = let taint_all pname kind site ~report_reachable =
IList.mapi IList.mapi
(fun param_num _ -> param_num,make kind site) (fun param_num _ -> Sink.make_sink_param (make kind site) param_num ~report_reachable)
(Procname.java_get_parameters pname) in (Procname.java_get_parameters pname) in
match CallSite.pname site with match CallSite.pname site with
| Procname.Java pname -> | Procname.Java pname ->
begin begin
match Procname.java_get_class_name pname, Procname.java_get_method pname with match Procname.java_get_class_name pname, Procname.java_get_method pname with
| "android.util.Log", ("d" | "e" | "i" | "println" | "v" | "w" | "wtf") -> | "android.util.Log", ("d" | "e" | "i" | "println" | "v" | "w" | "wtf") ->
taint_all pname Logging site taint_all pname Logging site ~report_reachable:true
| "com.facebook.infer.models.InferTaint", "inferSensitiveSink" -> | "com.facebook.infer.models.InferTaint", "inferSensitiveSink" ->
[0, make Other site] [Sink.make_sink_param (make Other site) 0 ~report_reachable:false]
| _ -> | _ ->
[] []
end end
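Review bot: The two `~report_reachable` values in the match arms are not explained where they are chosen: the `android.util.Log` arm passes `true` and the `inferSensitiveSink` arm passes `false`, so a secret held in a field of the object handed to the model sink would presumably go unreported. A short comment on the second arm would show that this is intended, for example `(* report only if the argument itself is a source, not values heap-reachable from it *)`. The comment above `taint_all` could also say that the same flag is applied to every parameter of [pname]. The enclosing `JavaSink` module continues outside the hunk.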

@ -7,11 +7,23 @@
* of patent rights can be found in the PATENTS file in the same directory. * of patent rights can be found in the PATENTS file in the same directory.
*) *)
type 'a parameter =
{ sink : 'a;
(** sink type of the parameter *)
index : int;
(** index of the parameter *)
report_reachable : bool;
(** if true, report if *any* value heap-reachable from the sink parameter is a source.
if false, report only if the value passed to the sink is itself a source *)
}
let make_sink_param sink index ~report_reachable =
{ sink; index; report_reachable; }
module type S = sig module type S = sig
include TraceElem.S include TraceElem.S
val to_callee : t -> CallSite.t -> t val to_callee : t -> CallSite.t -> t
(** ith param * ith source kind *) val get : CallSite.t -> t parameter list
val get : CallSite.t -> (int * t) list
end end
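Review bot: `val get` in the module type appears to lose its only doc comment (`(** ith param * ith source kind *)`) with no replacement, and the new `make_sink_param` has none either. Suggested wording: `(** sink parameters for the call at the given site; empty if the callee is not a sink *)` on `get`, and `(** [make_sink_param sink index ~report_reachable] builds the spec for the [index]th parameter *)` on the constructor. Nothing constrains `index`, so the field comment should say whether it is 0-based over the call's actuals, since the consumer uses it directly as a list position.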

@ -124,16 +124,19 @@ module Make (TraceDomain : Trace.S) = struct
let add_sinks sinks actuals ({ Domain.access_tree; id_map; } as astate) proc_data loc = let add_sinks sinks actuals ({ Domain.access_tree; id_map; } as astate) proc_data loc =
let f_resolve_id = resolve_id id_map in let f_resolve_id = resolve_id id_map in
(* add [sink] to the trace associated with the [formal_num]th actual *) (* add [sink] to the trace associated with the [formal_num]th actual *)
let add_sink_to_actual access_tree_acc (formal_num, sink) = let add_sink_to_actual access_tree_acc (sink_param : TraceDomain.Sink.t Sink.parameter) =
let actual_exp, actual_typ = IList.nth actuals formal_num in let actual_exp, actual_typ = IList.nth actuals sink_param.index in
match AccessPath.of_exp actual_exp actual_typ ~f_resolve_id with match AccessPath.of_exp actual_exp actual_typ ~f_resolve_id with
| Some actual_ap -> | Some actual_ap ->
let actual_ap = AccessPath.Exact actual_ap in let actual_ap =
if sink_param.report_reachable
then AccessPath.Abstracted actual_ap
else AccessPath.Exact actual_ap in
begin begin
match access_path_get_node actual_ap access_tree_acc proc_data loc with match access_path_get_node actual_ap access_tree_acc proc_data loc with
| Some (actual_trace, _) -> | Some (actual_trace, _) ->
(* add callee_pname to actual trace as a sink *) (* add callee_pname to actual trace as a sink *)
let actual_trace' = TraceDomain.add_sink sink actual_trace in let actual_trace' = TraceDomain.add_sink sink_param.sink actual_trace in
TraceDomain.log_reports TraceDomain.log_reports
actual_trace' actual_trace'
(Cfg.Procdesc.get_proc_name proc_data.ProcData.pdesc) (Cfg.Procdesc.get_proc_name proc_data.ProcData.pdesc)
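Review bot: `IList.nth actuals sink_param.index` trusts the index carried by the sink spec. The same lookup existed with `formal_num`, but specs are now free-form records built by each `get` implementation. An index that does not match the call's actuals would presumably make the lookup fail mid-analysis rather than skip the sink. A guard before the lookup, something like `if sink_param.index >= IList.length actuals then access_tree_acc else ...`, or a failure message naming the sink and call site, would make a bad spec easy to diagnose. The body of `add_sink_to_actual` continues past the end of the hunk.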

@ -52,7 +52,7 @@ module MockTrace = Trace.Make(struct
let get site = let get site =
if string_is_prefix "SINK" (Procname.to_string (CallSite.pname site)) if string_is_prefix "SINK" (Procname.to_string (CallSite.pname site))
then [(0, site)] then [Sink.make_sink_param site 0 ~report_reachable:false]
else [] else []
end end

@ -22,6 +22,21 @@ public class LoggingPrivateData {
Log.d(prefs.getString("some", "data"), "value"); Log.d(prefs.getString("some", "data"), "value");
} }
static class StringWrapper extends Throwable {
private String mStr;
@Override
public String toString() {
return mStr;
}
}
public void logSharedPreferencesDataIndirectBad(SharedPreferences prefs) {
StringWrapper wrapper = new StringWrapper();
wrapper.mStr = prefs.getString("some", "data");
Log.w("tag", wrapper);
}
public void logDataOk(SharedPreferences prefs) { public void logDataOk(SharedPreferences prefs) {
Log.d("tag", "value"); Log.d("tag", "value");
} }
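Review bot: The new test exercises only the reporting direction of `report_reachable`. `logSharedPreferencesDataIndirectBad` checks that a tainted field reachable from the `Throwable` is flagged, but nothing checks that a wrapper holding untainted data stays silent. Because the abstracted access path widens what a Logging sink matches, a companion `Ok` case next to it would guard against false positives, and it should add no line to the expected-issues file. A one-line comment on `mStr` saying it is written directly so that the taint flows through a heap field would also help.

```java
// … unchanged: StringWrapper and logSharedPreferencesDataIndirectBad …
public void logWrapperOk() {
  StringWrapper wrapper = new StringWrapper();
  wrapper.mStr = "value";
  Log.w("tag", wrapper);
}
```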

@ -31,3 +31,4 @@ Fields.java:56: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.infer
Fields.java:63: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 62]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 63]) via { } Fields.java:63: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 62]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 63]) via { }
LoggingPrivateData.java:18: ERROR: QUANDARY_TAINT_ERROR Error: SharedPreferences(String SharedPreferences.getString(String,String) at [line 18]) -> Logging(int Log.d(String,String) at [line 18]) via { } LoggingPrivateData.java:18: ERROR: QUANDARY_TAINT_ERROR Error: SharedPreferences(String SharedPreferences.getString(String,String) at [line 18]) -> Logging(int Log.d(String,String) at [line 18]) via { }
LoggingPrivateData.java:22: ERROR: QUANDARY_TAINT_ERROR Error: SharedPreferences(String SharedPreferences.getString(String,String) at [line 22]) -> Logging(int Log.d(String,String) at [line 22]) via { } LoggingPrivateData.java:22: ERROR: QUANDARY_TAINT_ERROR Error: SharedPreferences(String SharedPreferences.getString(String,String) at [line 22]) -> Logging(int Log.d(String,String) at [line 22]) via { }
LoggingPrivateData.java:37: ERROR: QUANDARY_TAINT_ERROR Error: SharedPreferences(String SharedPreferences.getString(String,String) at [line 36]) -> Logging(int Log.w(String,Throwable) at [line 37]) via { }
