From 33fe8879a5c450f02f1e98151dc0105a441b45bd Mon Sep 17 00:00:00 2001 From: Sam Blackshear Date: Wed, 28 Mar 2018 20:04:48 -0700 Subject: [PATCH] [quandary] report flows originating from `UserControlledEndpoint` as `_RISK` Reviewed By: fahndrich Differential Revision: D7420925 fbshipit-source-id: 5f40cb2 --- infer/src/base/IssueType.ml | 2 - infer/src/base/IssueType.mli | 2 - infer/src/quandary/ClangTrace.ml | 39 +++++++------------ .../codetoanalyze/cpp/quandary/issues.exp | 4 +- 4 files changed, 17 insertions(+), 30 deletions(-) diff --git a/infer/src/base/IssueType.ml b/infer/src/base/IssueType.ml index 4d18ac827..f193a1907 100644 --- a/infer/src/base/IssueType.ml +++ b/infer/src/base/IssueType.ml @@ -351,8 +351,6 @@ let untrusted_file_risk = from_string "UNTRUSTED_FILE_RISK" let untrusted_intent_creation = from_string "UNTRUSTED_INTENT_CREATION" -let untrusted_url = from_string "UNTRUSTED_URL" - let untrusted_url_risk = from_string "UNTRUSTED_URL_RISK" let untrusted_variable_length_array = from_string "UNTRUSTED_VARIABLE_LENGTH_ARRAY" diff --git a/infer/src/base/IssueType.mli b/infer/src/base/IssueType.mli index 736332333..6efbb3134 100644 --- a/infer/src/base/IssueType.mli +++ b/infer/src/base/IssueType.mli @@ -262,8 +262,6 @@ val untrusted_file_risk : t val untrusted_intent_creation : t -val untrusted_url : t - val untrusted_url_risk : t val untrusted_variable_length_array : t diff --git a/infer/src/quandary/ClangTrace.ml b/infer/src/quandary/ClangTrace.ml index bd5ae06ff..9bd8cb682 100644 --- a/infer/src/quandary/ClangTrace.ml +++ b/infer/src/quandary/ClangTrace.ml @@ -449,43 +449,24 @@ include Trace.Make (struct | _ when List.mem sanitizers Sanitizer.All ~equal:Sanitizer.equal -> (* the All sanitizer clears any form of taint; don't report *) None - | UserControlledEndpoint (_, typ), CreateFile -> - Option.some_if - (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers) - IssueType.untrusted_file - | Endpoint (_, typ), CreateFile -> + | (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), CreateFile -> Option.some_if (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers) IssueType.untrusted_file_risk - | UserControlledEndpoint (_, typ), URL -> - Option.some_if - (is_injection_possible ~typ Sanitizer.EscapeURL sanitizers) - IssueType.untrusted_url - | Endpoint (_, typ), URL -> + | (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), URL -> Option.some_if (is_injection_possible ~typ Sanitizer.EscapeURL sanitizers) IssueType.untrusted_url_risk | (CommandLineFlag _ | EnvironmentVariable | ReadFile), URL -> None - | (UserControlledEndpoint (_, typ) | CommandLineFlag (_, typ)), SQL -> - if is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers then - Some IssueType.sql_injection - else - (* no injection risk, but still user-controlled *) - Some IssueType.user_controlled_sql_risk - | Endpoint (_, typ), SQL -> + | (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), SQL -> if is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers then (* SQL injection if the caller of the endpoint doesn't sanitize on its end *) Some IssueType.sql_injection_risk else (* no injection risk, but still user-controlled *) Some IssueType.user_controlled_sql_risk - | (UserControlledEndpoint (_, typ) | CommandLineFlag (_, typ)), ShellExec -> - (* we know the user controls the endpoint, so it's code injection without a sanitizer *) - Option.some_if - (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers) - IssueType.shell_injection - | Endpoint (_, typ), ShellExec -> + | (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), ShellExec -> (* code injection if the caller of the endpoint doesn't sanitize on its end *) Option.some_if (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers) @@ -500,15 +481,25 @@ include Trace.Make (struct (* untrusted flag, environment var, or file data flowing to buffer *) Some IssueType.quandary_taint_error | (EnvironmentVariable | ReadFile | Other), ShellExec -> - (* untrusted flag, environment var, or file data flowing to shell *) + (* environment var, or file data flowing to shell *) Option.some_if (is_injection_possible Sanitizer.EscapeShell sanitizers) IssueType.shell_injection + | CommandLineFlag (_, typ), ShellExec -> + (* untrusted flag, flowing to shell *) + Option.some_if + (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers) + IssueType.shell_injection | (EnvironmentVariable | ReadFile | Other), SQL -> (* untrusted flag, environment var, or file data flowing to SQL *) Option.some_if (is_injection_possible Sanitizer.EscapeSQL sanitizers) IssueType.sql_injection + | CommandLineFlag (_, typ), SQL -> + (* untrusted flag, flowing to shell *) + Option.some_if + (is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers) + IssueType.sql_injection | Other, URL -> (* untrusted flag, environment var, or file data flowing to URL *) Option.some_if diff --git a/infer/tests/codetoanalyze/cpp/quandary/issues.exp b/infer/tests/codetoanalyze/cpp/quandary/issues.exp index ca28a69ac..5fbf3669e 100644 --- a/infer/tests/codetoanalyze/cpp/quandary/issues.exp +++ b/infer/tests/codetoanalyze/cpp/quandary/issues.exp @@ -57,8 +57,8 @@ codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_service1_endpoint_ codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_service1_endpoint_sql_sanitized_bad, 2, USER_CONTROLLED_SQL_RISK, ERROR, [Return from endpoints::Service1_service1_endpoint_sql_sanitized_bad,Call to __infer_sql_sink with tainted index 0] codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_service1_endpoint_struct_string_field_bad, 1, SHELL_INJECTION_RISK, ERROR, [Return from endpoints::Service1_service1_endpoint_struct_string_field_bad,Call to system with tainted index 0] codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_unsanitized_sql_bad, 2, SQL_INJECTION_RISK, ERROR, [Return from endpoints::Service1_unsanitized_sql_bad,Call to __infer_sql_sink with tainted index 0] -codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_user_controlled_endpoint_to_shell_bad, 2, SHELL_INJECTION, ERROR, [Return from endpoints::Service1_user_controlled_endpoint_to_shell_bad,Call to system with tainted index 0] -codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_user_controlled_endpoint_to_sql_bad, 2, SQL_INJECTION, ERROR, [Return from endpoints::Service1_user_controlled_endpoint_to_sql_bad,Call to __infer_sql_sink with tainted index 0] +codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_user_controlled_endpoint_to_shell_bad, 2, SHELL_INJECTION_RISK, ERROR, [Return from endpoints::Service1_user_controlled_endpoint_to_shell_bad,Call to system with tainted index 0] +codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_user_controlled_endpoint_to_sql_bad, 2, SQL_INJECTION_RISK, ERROR, [Return from endpoints::Service1_user_controlled_endpoint_to_sql_bad,Call to __infer_sql_sink with tainted index 0] codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service2_service2_endpoint_bad, 2, SHELL_INJECTION_RISK, ERROR, [Return from endpoints::Service2_service2_endpoint_bad,Call to system with tainted index 0] codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service3_service3_endpoint_bad, 2, SHELL_INJECTION_RISK, ERROR, [Return from endpoints::Service3_service3_endpoint_bad,Call to system with tainted index 0] codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 6, SHELL_INJECTION, ERROR, [Return from getenv,Call to execl with tainted index 1]