[quandary] report flows originating from `UserControlledEndpoint` as `_RISK`

Reviewed By: fahndrich Differential Revision: D7420925 fbshipit-source-id: 5f40cb2
7 years ago · 33fe8879a5
parent f621dda0be
commit 33fe8879a5
4 changed files with 17 additions and 30 deletions
--- a/infer/src/base/IssueType.ml
+++ b/infer/src/base/IssueType.ml
@ -351,8 +351,6 @@ let untrusted_file_risk = from_string "UNTRUSTED_FILE_RISK"

 let untrusted_intent_creation = from_string "UNTRUSTED_INTENT_CREATION"

-let untrusted_url = from_string "UNTRUSTED_URL"
-
 let untrusted_url_risk = from_string "UNTRUSTED_URL_RISK"

 let untrusted_variable_length_array = from_string "UNTRUSTED_VARIABLE_LENGTH_ARRAY"
--- a/infer/src/base/IssueType.mli
+++ b/infer/src/base/IssueType.mli
@ -262,8 +262,6 @@ val untrusted_file_risk : t

 val untrusted_intent_creation : t

-val untrusted_url : t
-
 val untrusted_url_risk : t

 val untrusted_variable_length_array : t
--- a/infer/src/quandary/ClangTrace.ml
+++ b/infer/src/quandary/ClangTrace.ml
@ -449,43 +449,24 @@ include Trace.Make (struct
    | _ when List.mem sanitizers Sanitizer.All ~equal:Sanitizer.equal ->
        (* the All sanitizer clears any form of taint; don't report *)
        None
-    | UserControlledEndpoint (_, typ), CreateFile ->
-        Option.some_if
-          (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
-          IssueType.untrusted_file
-    | Endpoint (_, typ), CreateFile ->
+    | (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), CreateFile ->
        Option.some_if
          (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
          IssueType.untrusted_file_risk
-    | UserControlledEndpoint (_, typ), URL ->
-        Option.some_if
-          (is_injection_possible ~typ Sanitizer.EscapeURL sanitizers)
-          IssueType.untrusted_url
-    | Endpoint (_, typ), URL ->
+    | (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), URL ->
        Option.some_if
          (is_injection_possible ~typ Sanitizer.EscapeURL sanitizers)
          IssueType.untrusted_url_risk
    | (CommandLineFlag _ | EnvironmentVariable | ReadFile), URL ->
        None
-    | (UserControlledEndpoint (_, typ) | CommandLineFlag (_, typ)), SQL ->
-        if is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers then
-          Some IssueType.sql_injection
-        else
-          (* no injection risk, but still user-controlled *)
-          Some IssueType.user_controlled_sql_risk
-    | Endpoint (_, typ), SQL ->
+    | (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), SQL ->
        if is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers then
          (* SQL injection if the caller of the endpoint doesn't sanitize on its end *)
          Some IssueType.sql_injection_risk
        else
          (* no injection risk, but still user-controlled *)
          Some IssueType.user_controlled_sql_risk
-    | (UserControlledEndpoint (_, typ) | CommandLineFlag (_, typ)), ShellExec ->
-        (* we know the user controls the endpoint, so it's code injection without a sanitizer *)
-        Option.some_if
-          (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
-          IssueType.shell_injection
-    | Endpoint (_, typ), ShellExec ->
+    | (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), ShellExec ->
        (* code injection if the caller of the endpoint doesn't sanitize on its end *)
        Option.some_if
          (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
@ -500,15 +481,25 @@ include Trace.Make (struct
        (* untrusted flag, environment var, or file data flowing to buffer *)
        Some IssueType.quandary_taint_error
    | (EnvironmentVariable | ReadFile | Other), ShellExec ->
-        (* untrusted flag, environment var, or file data flowing to shell *)
+        (* environment var, or file data flowing to shell *)
        Option.some_if
          (is_injection_possible Sanitizer.EscapeShell sanitizers)
          IssueType.shell_injection
+    | CommandLineFlag (_, typ), ShellExec ->
+        (* untrusted flag, flowing to shell *)
+        Option.some_if
+          (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
+          IssueType.shell_injection
    | (EnvironmentVariable | ReadFile | Other), SQL ->
        (* untrusted flag, environment var, or file data flowing to SQL *)
        Option.some_if
          (is_injection_possible Sanitizer.EscapeSQL sanitizers)
          IssueType.sql_injection
+    | CommandLineFlag (_, typ), SQL ->
+        (* untrusted flag, flowing to shell *)
+        Option.some_if
+          (is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers)
+          IssueType.sql_injection
    | Other, URL ->
        (* untrusted flag, environment var, or file data flowing to URL *)
        Option.some_if
--- a/infer/tests/codetoanalyze/cpp/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
@ -57,8 +57,8 @@ codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_service1_endpoint_
 codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_service1_endpoint_sql_sanitized_bad, 2, USER_CONTROLLED_SQL_RISK, ERROR, [Return from endpoints::Service1_service1_endpoint_sql_sanitized_bad,Call to __infer_sql_sink with tainted index 0]
 codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_service1_endpoint_struct_string_field_bad, 1, SHELL_INJECTION_RISK, ERROR, [Return from endpoints::Service1_service1_endpoint_struct_string_field_bad,Call to system with tainted index 0]
 codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_unsanitized_sql_bad, 2, SQL_INJECTION_RISK, ERROR, [Return from endpoints::Service1_unsanitized_sql_bad,Call to __infer_sql_sink with tainted index 0]
-codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_user_controlled_endpoint_to_shell_bad, 2, SHELL_INJECTION, ERROR, [Return from endpoints::Service1_user_controlled_endpoint_to_shell_bad,Call to system with tainted index 0]
-codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_user_controlled_endpoint_to_sql_bad, 2, SQL_INJECTION, ERROR, [Return from endpoints::Service1_user_controlled_endpoint_to_sql_bad,Call to __infer_sql_sink with tainted index 0]
+codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_user_controlled_endpoint_to_shell_bad, 2, SHELL_INJECTION_RISK, ERROR, [Return from endpoints::Service1_user_controlled_endpoint_to_shell_bad,Call to system with tainted index 0]
+codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_user_controlled_endpoint_to_sql_bad, 2, SQL_INJECTION_RISK, ERROR, [Return from endpoints::Service1_user_controlled_endpoint_to_sql_bad,Call to __infer_sql_sink with tainted index 0]
 codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service2_service2_endpoint_bad, 2, SHELL_INJECTION_RISK, ERROR, [Return from endpoints::Service2_service2_endpoint_bad,Call to system with tainted index 0]
 codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service3_service3_endpoint_bad, 2, SHELL_INJECTION_RISK, ERROR, [Return from endpoints::Service3_service3_endpoint_bad,Call to system with tainted index 0]
 codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 6, SHELL_INJECTION, ERROR, [Return from getenv,Call to execl with tainted index 1]