From 34b0a6165ca14281ee26b91addc2b7be45fe088c Mon Sep 17 00:00:00 2001
From: Julian Sutherland
Date: Wed, 5 Sep 2018 12:13:24 -0700
Subject: [PATCH] Added new issues to differentiate tainted buffer accesses and heap allocations
Reviewed By: mbouaziz
Differential Revision: D9654758
fbshipit-source-id: 1c3c240f8
---
 infer/src/base/IssueType.ml | 4 ++
 infer/src/base/IssueType.mli | 4 ++
 infer/src/quandary/ClangTrace.ml | 34 ++++++++-----
 .../codetoanalyze/cpp/quandary/issues.exp | 48 +++++++++----------
 4 files changed, 54 insertions(+), 36 deletions(-)
diff --git a/infer/src/base/IssueType.ml b/infer/src/base/IssueType.ml
index 97b497a7e..66a8ad9f3 100644
--- a/infer/src/base/IssueType.ml
+++ b/infer/src/base/IssueType.ml
@@ -344,12 +344,16 @@ let use_after_lifetime = from_string "USE_AFTER_LIFETIME"
 let user_controlled_sql_risk = from_string "USER_CONTROLLED_SQL_RISK"
+let untrusted_buffer_access = from_string "UNTRUSTED_BUFFER_ACCESS"
+
 let untrusted_deserialization = from_string "UNTRUSTED_DESERIALIZATION"
 let untrusted_file = from_string "UNTRUSTED_FILE"
 let untrusted_file_risk = from_string "UNTRUSTED_FILE_RISK"
+let untrusted_heap_allocation = from_string "UNTRUSTED_HEAP_ALLOCATION"
+
 let untrusted_intent_creation = from_string "UNTRUSTED_INTENT_CREATION"
 let untrusted_url_risk = from_string "UNTRUSTED_URL_RISK"
diff --git a/infer/src/base/IssueType.mli b/infer/src/base/IssueType.mli
index d212b49ff..028b7ca93 100644
--- a/infer/src/base/IssueType.mli
+++ b/infer/src/base/IssueType.mli
@@ -255,12 +255,16 @@ val use_after_free : t
 val use_after_lifetime : t
+val untrusted_buffer_access : t
+
 val untrusted_deserialization : t
 val untrusted_file : t
 val untrusted_file_risk : t
+val untrusted_heap_allocation : t
+
 val untrusted_intent_creation : t
 val untrusted_url_risk : t
diff --git a/infer/src/quandary/ClangTrace.ml b/infer/src/quandary/ClangTrace.ml
index 1dd8f9293..d8b8a6710 100644
--- a/infer/src/quandary/ClangTrace.ml
+++ b/infer/src/quandary/ClangTrace.ml
@@ -486,15 +486,15 @@ include Trace.Make (struct
 Option.some_if
 (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
 IssueType.shell_injection_risk
- | UserControlledEndpoint _, BufferAccess ->
- (* untrusted data from an endpoint flowing into a buffer *)
- Some IssueType.quandary_taint_error
- | Endpoint _, (BufferAccess | HeapAllocation | StackAllocation) ->
- (* may want to report this in the future, but don't care for now *)
- None
- | (CommandLineFlag _ | EnvironmentVariable | ReadFile | Other), BufferAccess ->
- (* untrusted flag, environment var, or file data flowing to buffer *)
- Some IssueType.quandary_taint_error
+ | ( ( UserControlledEndpoint _
+ | Endpoint _
+ | CommandLineFlag _
+ | EnvironmentVariable
+ | ReadFile
+ | Other )
+ , BufferAccess ) ->
+ (* untrusted data of any kind flowing to buffer *)
+ Some IssueType.untrusted_buffer_access
 | (EnvironmentVariable | ReadFile | Other), ShellExec ->
 (* environment var, or file data flowing to shell *)
 Option.some_if
@@ -510,11 +510,21 @@ include Trace.Make (struct
 Option.some_if
 (is_injection_possible Sanitizer.EscapeURL sanitizers)
 IssueType.untrusted_url_risk
- | ( (CommandLineFlag _ | UserControlledEndpoint _ | EnvironmentVariable | ReadFile | Other)
+ | ( ( CommandLineFlag _
+ | Endpoint _
+ | UserControlledEndpoint _
+ | EnvironmentVariable
+ | ReadFile
+ | Other )
 , HeapAllocation ) ->
 (* untrusted data of any kind flowing to heap allocation. this can cause crashes or DOS. *)
- Some IssueType.quandary_taint_error
+ Some IssueType.untrusted_heap_allocation
- | ( (CommandLineFlag _ | UserControlledEndpoint _ | EnvironmentVariable | ReadFile | Other)
+ | ( ( CommandLineFlag _
+ | Endpoint _
+ | UserControlledEndpoint _
+ | EnvironmentVariable
+ | ReadFile
+ | Other )
 , StackAllocation ) ->
 (* untrusted data of any kind flowing to stack buffer allocation. trying to allocate a stack buffer that's too large will cause a stack overflow. *)
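Review bot: The first hunk widens what gets reported beyond what the title describes: the removed arm `| Endpoint _, (BufferAccess | HeapAllocation | StackAllocation) -> None` (with its comment "may want to report this in the future, but don't care for now") deliberately suppressed plain `Endpoint _` sources, while the new combined arm, and the `| Endpoint _` alternatives added to the HeapAllocation and StackAllocation arms in the hunk at -510, now report them as UNTRUSTED_BUFFER_ACCESS / UNTRUSTED_HEAP_ALLOCATION. The issues.exp hunks in this patch are all 25→25, 9→9 and 5→5 line pairs that change only the issue-type column, so no test pins down a report from an `Endpoint _` source, and readers of the history will not see this precision change in the description. If the widening is intended, say so in the description and add a case to the cpp/quandary suite whose expected line carries one of the new issue types from an `Endpoint _` source; otherwise keep a `| Endpoint _, (BufferAccess | HeapAllocation | StackAllocation) -> None` arm ahead of the combined ones. The enclosing match inside `include Trace.Make (struct` starts before and ends after both hunks.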
diff --git a/infer/tests/codetoanalyze/cpp/quandary/issues.exp b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
index e1039bb5b..b744b1b77 100644
--- a/infer/tests/codetoanalyze/cpp/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
@@ -1,25 +1,25 @@
-codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_brk_bad, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from allocs::allocation_source,Call to brk with tainted index 0]
-codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_calloc_bad1, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from allocs::allocation_source,Call to calloc with tainted index 0]
-codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_calloc_bad2, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from allocs::allocation_source,Call to calloc with tainted index 1]
-codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_malloc_bad, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from allocs::allocation_source,Call to malloc with tainted index 0]
-codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_reaalloc_bad1, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from allocs::allocation_source,Call to realloc with tainted index 0]
-codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_reaalloc_bad2, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from allocs::allocation_source,Call to realloc with tainted index 1]
-codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_sbrk_bad, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from allocs::allocation_source,Call to sbrk with tainted index 0]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink1_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink2_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink3_bad, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink4_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_brk_bad, 0, UNTRUSTED_HEAP_ALLOCATION, no_bucket, ERROR, [Return from allocs::allocation_source,Call to brk with tainted index 0]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_calloc_bad1, 0, UNTRUSTED_HEAP_ALLOCATION, no_bucket, ERROR, [Return from allocs::allocation_source,Call to calloc with tainted index 0]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_calloc_bad2, 0, UNTRUSTED_HEAP_ALLOCATION, no_bucket, ERROR, [Return from allocs::allocation_source,Call to calloc with tainted index 1]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_malloc_bad, 0, UNTRUSTED_HEAP_ALLOCATION, no_bucket, ERROR, [Return from allocs::allocation_source,Call to malloc with tainted index 0]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_reaalloc_bad1, 0, UNTRUSTED_HEAP_ALLOCATION, no_bucket, ERROR, [Return from allocs::allocation_source,Call to realloc with tainted index 0]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_reaalloc_bad2, 0, UNTRUSTED_HEAP_ALLOCATION, no_bucket, ERROR, [Return from allocs::allocation_source,Call to realloc with tainted index 1]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_sbrk_bad, 0, UNTRUSTED_HEAP_ALLOCATION, no_bucket, ERROR, [Return from allocs::allocation_source,Call to sbrk with tainted index 0]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink1_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink2_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink3_bad, 0, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink4_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
 codetoanalyze/cpp/quandary/arrays.cpp, arrays::gflag_to_stack_allocated_array_bad, 0, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __global_access,Call to __set_array_length with tainted index 1]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::memcpy_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to memcpy with tainted index 2]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::memmove_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to memmove with tainted index 2]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::memset_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to memset with tainted index 2]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::memcpy_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to memcpy with tainted index 2]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::memmove_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to memmove with tainted index 2]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::memset_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to memset with tainted index 2]
 codetoanalyze/cpp/quandary/arrays.cpp, arrays::stack_smash_bad, 2, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::std_array_sink_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::array_operator[] with tainted index 1]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::std_string_sink_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::basic_string,std::allocator>_operator[] with tainted index 1]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::strcpy_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from getenv,Call to strcpy with tainted index 1]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::strncpy_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to strncpy with tainted index 2]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::wmemcpy_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to wmemcpy with tainted index 2]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::wmemmove_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to wmemmove with tainted index 2]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::std_array_sink_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::array_operator[] with tainted index 1]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::std_string_sink_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::basic_string,std::allocator>_operator[] with tainted index 1]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::strcpy_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from getenv,Call to strcpy with tainted index 1]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::strncpy_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to strncpy with tainted index 2]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::wmemcpy_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to wmemcpy with tainted index 2]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::wmemmove_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to wmemmove with tainted index 2]
 codetoanalyze/cpp/quandary/basics.cpp, basics::Obj_endpoint, 1, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from basics::Obj_endpoint,Call to basics::Obj_string_sink with tainted index 1]
 codetoanalyze/cpp/quandary/basics.cpp, basics::Obj_endpoint, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from basics::Obj_endpoint,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/basics.cpp, basics::funCall_bad1, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to basics::funCall_bad2 with tainted index 1,Call to __infer_taint_sink with tainted index 0]
@@ -131,9 +131,9 @@ codetoanalyze/cpp/quandary/strings.cpp, strings::replace1_bad, 2, QUANDARY_TAINT
 codetoanalyze/cpp/quandary/strings.cpp, strings::replace2_bad, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/strings.cpp, strings::sprintf1_bad, 4, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/strings.cpp, strings::sprintf2_bad, 4, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
-codetoanalyze/cpp/quandary/strings.cpp, strings::strcpy1_bad, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to strcpy with tainted index 1]
+codetoanalyze/cpp/quandary/strings.cpp, strings::strcpy1_bad, 3, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to strcpy with tainted index 1]
 codetoanalyze/cpp/quandary/strings.cpp, strings::strcpy1_bad, 4, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
-codetoanalyze/cpp/quandary/strings.cpp, strings::strcpy2_bad, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to strcpy with tainted index 1]
+codetoanalyze/cpp/quandary/strings.cpp, strings::strcpy2_bad, 3, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to strcpy with tainted index 1]
 codetoanalyze/cpp/quandary/strings.cpp, strings::strcpy2_bad, 4, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/strings.cpp, strings::strncpy_bad, 4, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/strings.cpp, strings::swap_bad, 4, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
@@ -145,5 +145,5 @@ codetoanalyze/cpp/quandary/unknown_code.cpp, unknown_code::direct_bad, 2, QUANDA
 codetoanalyze/cpp/quandary/unknown_code.cpp, unknown_code::skip_indirect_bad, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/unknown_code.cpp, unknown_code::skip_pointer_bad, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/unknown_code.cpp, unknown_code::skip_value_bad, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
-codetoanalyze/cpp/quandary/vectors.cpp, vectors::read_vector_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::vector>_operator[] with tainted index 1]
-codetoanalyze/cpp/quandary/vectors.cpp, vectors::write_vector_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::vector>_operator[] with tainted index 1]
+codetoanalyze/cpp/quandary/vectors.cpp, vectors::read_vector_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::vector>_operator[] with tainted index 1]
+codetoanalyze/cpp/quandary/vectors.cpp, vectors::write_vector_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::vector>_operator[] with tainted index 1]