[quandary] ProcessBuilder as sink

Summary: Another common API for shelling out in Java.

Reviewed By: oebeling

Differential Revision: D6814616

fbshipit-source-id: ba815b5
Sam Blackshear 7 years ago committed by Facebook Github Bot
parent ab77cfe803
commit 37ab9ec391

@ -55,8 +55,9 @@ include TaintAnalysis.Make (struct
[]
| _ when Typ.Procname.is_constructor pname ->
[TaintSpec.Propagate_to_receiver]
| _, _, (Some {Typ.desc= Tvoid} | None) when not is_static ->
(* for instance methods with no return value, propagate the taint to the receiver *)
| _, _, (Some {Typ.desc= Tvoid | Tint _ | Tfloat _} | None) when not is_static ->
(* for instance methods with a non-Object return value, propagate the taint to the
receiver *)
[TaintSpec.Propagate_to_receiver]
| classname, _, Some {Typ.desc= Tptr _ | Tstruct _} -> (
match actuals with
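Review bot: The widened pattern `Tvoid | Tint _ | Tfloat _` carries no comment explaining why primitive-returning instance methods should taint their receiver, and the commit message does not mention this change. Judging from `clipboardToProcessBuilder4Bad` in the same commit, the motivation appears to be calls like `cmds.add(tainted)`, which return a boolean (presumably modelled as `Tint`) yet store the argument in the receiver; the comment could say so, e.g. `(* e.g. boolean List.add(Object): primitive return, but the argument ends up in the receiver *)`. Because this branch yields only `Propagate_to_receiver`, it is worth confirming that nothing relied on the return value of an int- or float-returning unknown method being tainted; how that case was handled before is not visible here. The enclosing match starts and ends outside the hunk.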

@ -344,6 +344,10 @@ module SinkKind = struct
taint_all Deserialization
| "com.facebook.infer.builtins.InferTaint", "inferSensitiveSink" ->
taint_nth 0 Other
| "java.lang.ProcessBuilder", "<init>" ->
taint_all ShellExec
| "java.lang.ProcessBuilder", "command" ->
taint_all ShellExec
| class_name, method_name ->
let taint_matching_supertype typename =
match (Typ.Name.name typename, method_name) with
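Review bot: Both new entries only match values passed as arguments to the constructor or to `command(...)`, so a builder whose command list is modified afterwards is probably not covered. The zero-argument `ProcessBuilder.command()` returns the live list, and `builder.command().add(tainted)` never hands the tainted value to either sink. A test case for that pattern in UserControlledStrings.java would document whether Quandary reports it. `taint_all` presumably also marks index 0 (the receiver or `this`) as a sink; if only the command strings are intended, a comment such as `(* index 0 is the receiver; command strings start at index 1 *)` would explain the `tainted index 1` entries in the expected output. The enclosing match continues outside the hunk.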

@ -15,7 +15,10 @@ import android.text.Html;
import android.text.Spanned;
import android.widget.EditText;
import java.io.IOException;
import java.lang.ProcessBuilder;
import java.lang.Runtime;
import java.util.ArrayList;
import java.util.List;
import com.facebook.infer.builtins.InferTaint;
@ -49,5 +52,22 @@ public class UserControlledStrings {
Runtime.getRuntime().exec(cmds);
}
ProcessBuilder clipboardToProcessBuilder1Bad() {
return new ProcessBuilder(clipboard.getText().toString());
}
ProcessBuilder clipboardToProcessBuilder2Bad() {
return new ProcessBuilder("sh", clipboard.getText().toString());
}
ProcessBuilder clipboardToProcessBuilder3Bad(ProcessBuilder builder) {
return builder.command(clipboard.getText().toString());
}
ProcessBuilder clipboardToProcessBuilder4Bad(ProcessBuilder builder) {
List<String> cmds = new ArrayList();
cmds.add(clipboard.getText().toString());
return builder.command(cmds);
}
}
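Review bot: All four new cases are `...Bad` methods and none has an `...Ok` counterpart, so nothing here guards against a false positive from the broader receiver propagation introduced in the same commit. A method that fills the list with constant strings only and passes it to `builder.command(cmds)` would pin down the expected silence. In `clipboardToProcessBuilder4Bad` the raw `new ArrayList()` triggers an unchecked warning; `List<String> cmds = new ArrayList<>();` avoids it. The explicit `import java.lang.ProcessBuilder;` is redundant because `java.lang` is imported implicitly.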

@ -204,6 +204,10 @@ codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaInter
codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownAbstractCodeBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]
codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownConstructorBad(), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]
codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownNativeCodeBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]
codetoanalyze/java/quandary/UserControlledStrings.java, ProcessBuilder UserControlledStrings.clipboardToProcessBuilder1Bad(), 1, SHELL_INJECTION, [Return from CharSequence ClipboardManager.getText(),Call to ProcessBuilder.<init>(java.lang.String[]) with tainted index 1]
codetoanalyze/java/quandary/UserControlledStrings.java, ProcessBuilder UserControlledStrings.clipboardToProcessBuilder2Bad(), 1, SHELL_INJECTION, [Return from CharSequence ClipboardManager.getText(),Call to ProcessBuilder.<init>(java.lang.String[]) with tainted index 1]
codetoanalyze/java/quandary/UserControlledStrings.java, ProcessBuilder UserControlledStrings.clipboardToProcessBuilder3Bad(ProcessBuilder), 1, SHELL_INJECTION, [Return from CharSequence ClipboardManager.getText(),Call to ProcessBuilder ProcessBuilder.command(java.lang.String[]) with tainted index 1]
codetoanalyze/java/quandary/UserControlledStrings.java, ProcessBuilder UserControlledStrings.clipboardToProcessBuilder4Bad(ProcessBuilder), 3, SHELL_INJECTION, [Return from CharSequence ClipboardManager.getText(),Call to ProcessBuilder ProcessBuilder.command(List) with tainted index 1]
codetoanalyze/java/quandary/UserControlledStrings.java, Spanned UserControlledStrings.clipboardToHtmlBad(), 1, CROSS_SITE_SCRIPTING, [Return from CharSequence ClipboardManager.getText(),Call to Spanned Html.fromHtml(String) with tainted index 0]
codetoanalyze/java/quandary/UserControlledStrings.java, Spanned UserControlledStrings.editTextToHtmlBad(), 1, CROSS_SITE_SCRIPTING, [Return from Editable EditText.getText(),Call to Spanned Html.fromHtml(String) with tainted index 0]
codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.clipboardToShellArrayBad(), 2, SHELL_INJECTION, [Return from CharSequence ClipboardManager.getText(),Call to Process Runtime.exec(java.lang.String[]) with tainted index 1]
