[quandary] SQL sinks

Reviewed By: jeremydubreil

Differential Revision: D5214059

fbshipit-source-id: 101f94e

infer/src/quandary/ClangTrace.ml

@@ -116,12 +116,14 @@ module SinkKind = struct
   type t =
     | Allocation (** memory allocation *)
     | ShellExec (** shell exec function *)
+    | SQL (** SQL query *)
     | Other (** for testing or uncategorized sinks *)
   [@@deriving compare]
 
   let of_string = function
     | "Allocation" -> Allocation
     | "ShellExec" -> ShellExec
+    | "SQL" -> SQL
     | _ -> Other
 
   let external_sinks =
@@ -181,6 +183,7 @@ module SinkKind = struct
       (match kind with
        | Allocation -> "Allocation"
        | ShellExec -> "ShellExec"
+       | SQL -> "SQL"
        | Other -> "Other")
 end
 
@@ -193,13 +196,13 @@ include
 
     let should_report source sink =
       match Source.kind source, Sink.kind sink with
-      | (Endpoint _ | EnvironmentVariable | File), ShellExec ->
-          (* untrusted data flowing to exec *)
+      | (Endpoint _ | EnvironmentVariable | File), (ShellExec | SQL) ->
+          (* untrusted data flowing to exec/sql *)
           true
       | (Endpoint _ | EnvironmentVariable | File), Allocation ->
           (* untrusted data flowing to memory allocation *)
           true
-      | _, (Allocation | Other | ShellExec) when Source.is_footprint source ->
+      | _, (Allocation | Other | ShellExec | SQL) when Source.is_footprint source ->
           (* is this var a command line flag created by the popular gflags library? *)
           let is_gflag pvar =
             String.is_substring ~substring:"FLAGS_" (Pvar.get_simplified_name pvar) in
@@ -216,6 +219,6 @@ include
           true
       | _, Other ->
           true
-      | Unknown, (Allocation | ShellExec) ->
+      | Unknown, (Allocation | ShellExec | SQL) ->
           false
   end)

infer/tests/codetoanalyze/cpp/quandary/.inferconfig

@@ -36,6 +36,11 @@
       "kind": "Other",
       "index": "0"
     },
+    {
+      "procedure": "__infer_sql_sink",
+      "kind": "SQL",
+      "index": "all"
+    },
     {
       "procedure": "basics::Obj::method_sink",
       "kind": "Other",

infer/tests/codetoanalyze/cpp/quandary/execs.cpp

@@ -8,14 +8,16 @@
  */
 
 #include <cstdlib>
+#include <string>
 #include <unistd.h>
 
 extern int rand();
 
-// mocking gflags-generated field
+extern void __infer_sql_sink(std::string query);
 
 namespace execs {
 
+// mocking gflags-generated field
 extern char* FLAGS_cli_string;
 
 int callAllSinks(const char* stringSource, char ** arrSource) {
@@ -94,4 +96,9 @@ void customGetEnvOk() {
 }
 
 void exec_flag_bad() { execl(FLAGS_cli_string, NULL); }
+
+void sql_on_env_var_bad() {
+  std::string source = (std::string)std::getenv("ENV_VAR");
+  __infer_sql_sink(source);
+}
 }

infer/tests/codetoanalyze/cpp/quandary/issues.exp

@@ -36,6 +36,7 @@ codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 29, QUANDARY_TAINT_ERR
 codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 31, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execve]
 codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 33, QUANDARY_TAINT_ERROR, [Return from getenv,Call to system]
 codetoanalyze/cpp/quandary/execs.cpp, execs::exec_flag_bad, 0, QUANDARY_TAINT_ERROR, [Return from execs::exec_flag_bad,Call to execl]
+codetoanalyze/cpp/quandary/execs.cpp, execs::sql_on_env_var_bad, 2, QUANDARY_TAINT_ERROR, [Return from getenv,Call to __infer_sql_sink]
 codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad1, 5, QUANDARY_TAINT_ERROR, [Return from std::basic_istream<char,std::char_traits<char>>_read,Call to execle]
 codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad2, 5, QUANDARY_TAINT_ERROR, [Return from std::basic_istream<char,std::char_traits<char>>_readsome,Call to execle]
 codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad3, 5, QUANDARY_TAINT_ERROR, [Return from std::basic_istream<char,std::char_traits<char>>_getline,Call to execle]