From 4fe9110ad3f37feee878079b366db833c63ec86c Mon Sep 17 00:00:00 2001
From: Sam Blackshear
Date: Fri, 9 Jun 2017 08:49:41 -0700
Subject: [PATCH] [quandary] SQL sinks
Reviewed By: jeremydubreil
Differential Revision: D5214059
fbshipit-source-id: 101f94e
---
 infer/src/quandary/ClangTrace.ml | 11 +++++++----
 infer/tests/codetoanalyze/cpp/quandary/.inferconfig | 5 +++++
 infer/tests/codetoanalyze/cpp/quandary/execs.cpp | 9 ++++++++-
 infer/tests/codetoanalyze/cpp/quandary/issues.exp | 1 +
 4 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/infer/src/quandary/ClangTrace.ml b/infer/src/quandary/ClangTrace.ml
index 6fb0fabf1..1cb9854fd 100644
--- a/infer/src/quandary/ClangTrace.ml
+++ b/infer/src/quandary/ClangTrace.ml
@@ -116,12 +116,14 @@ module SinkKind = struct
 type t =
 | Allocation (** memory allocation *)
 | ShellExec (** shell exec function *)
+ | SQL (** SQL query *)
 | Other (** for testing or uncategorized sinks *)
 [@@deriving compare]
 let of_string = function
 | "Allocation" -> Allocation
 | "ShellExec" -> ShellExec
+ | "SQL" -> SQL
 | _ -> Other
 let external_sinks =
@@ -181,6 +183,7 @@ module SinkKind = struct
 (match kind with
 | Allocation -> "Allocation"
 | ShellExec -> "ShellExec"
+ | SQL -> "SQL"
 | Other -> "Other")
 end
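Review bot: The new `| "SQL" -> SQL` arm of `of_string` sits above the unchanged catch-all `| _ -> Other`, so a sink entry in .inferconfig whose kind is spelled differently (`"Sql"`, `"sql"`) is silently classified as Other, and as far as the visible arms of `should_report` in the later hunk show (`| _, Other -> true`), an Other sink is reported regardless of the source, so the misspelling would surface as a sink that reports every flow rather than as a missing SQL report. Consider rejecting or at least logging an unrecognised kind string in `of_string` instead of defaulting to Other, or documenting on the `Other` constructor that it is also the fallback for unknown configuration strings, e.g. `| Other (** for testing or uncategorized sinks; also the fallback for unrecognised kind strings in .inferconfig *)`. The `t` type and `of_string` are complete within the hunk; `external_sinks` starts on its last line and continues outside it.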
@@ -193,13 +196,13 @@ include
 let should_report source sink =
 match Source.kind source, Sink.kind sink with
- | (Endpoint _ | EnvironmentVariable | File), ShellExec ->
- (* untrusted data flowing to exec *)
+ | (Endpoint _ | EnvironmentVariable | File), (ShellExec | SQL) ->
+ (* untrusted data flowing to exec/sql *)
 true
 | (Endpoint _ | EnvironmentVariable | File), Allocation ->
 (* untrusted data flowing to memory allocation *)
 true
- | _, (Allocation | Other | ShellExec) when Source.is_footprint source ->
+ | _, (Allocation | Other | ShellExec | SQL) when Source.is_footprint source ->
 (* is this var a command line flag created by the popular gflags library? *)
 let is_gflag pvar = String.is_substring ~substring:"FLAGS_" (Pvar.get_simplified_name pvar) in
@@ -216,6 +219,6 @@ include
 true
 | _, Other -> true
- | Unknown, (Allocation | ShellExec) ->
+ | Unknown, (Allocation | ShellExec | SQL) ->
 false
 end)
diff --git a/infer/tests/codetoanalyze/cpp/quandary/.inferconfig b/infer/tests/codetoanalyze/cpp/quandary/.inferconfig
index 77f04f417..2f1afbb05 100644
--- a/infer/tests/codetoanalyze/cpp/quandary/.inferconfig
+++ b/infer/tests/codetoanalyze/cpp/quandary/.inferconfig
@@ -36,6 +36,11 @@
 "kind": "Other",
 "index": "0"
 },
+ {
+ "procedure": "__infer_sql_sink",
+ "kind": "SQL",
+ "index": "all"
+ },
 {
 "procedure": "basics::Obj::method_sink",
 "kind": "Other",
diff --git a/infer/tests/codetoanalyze/cpp/quandary/execs.cpp b/infer/tests/codetoanalyze/cpp/quandary/execs.cpp
index 357ecacd0..4f5cef729 100644
--- a/infer/tests/codetoanalyze/cpp/quandary/execs.cpp
+++ b/infer/tests/codetoanalyze/cpp/quandary/execs.cpp
@@ -8,14 +8,16 @@
 */
 #include
+#include
 #include
 extern int rand();
-// mocking gflags-generated field
+extern void __infer_sql_sink(std::string query);
 namespace execs {
+// mocking gflags-generated field
 extern char* FLAGS_cli_string;
 int callAllSinks(const char* stringSource, char ** arrSource) {
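Review bot: The rewritten comment `(* untrusted data flowing to exec/sql *)` names the sink kinds but not the risk, whereas the neighbouring arm says what its flow means (`untrusted data flowing to memory allocation`); `(* untrusted data flowing to a shell exec (command injection) or a SQL query (SQL injection) *)` would tell a reader why these two kinds share one arm. Per the issues.exp expectation in this patch both are still reported under the single QUANDARY_TAINT_ERROR issue type, so the sink name in the trace is the only thing distinguishing a SQL-injection report from a command-injection one; if merging them is intended, a short comment on this arm saying so would spare the next reader from wondering whether SQL should get its own issue type. `should_report` continues past the end of this hunk, so the outcome of the gflags check is not visible here.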
@@ -94,4 +96,9 @@ void customGetEnvOk() {
 }
 void exec_flag_bad() { execl(FLAGS_cli_string, NULL); }
+
+void sql_on_env_var_bad() {
+ std::string source = (std::string)std::getenv("ENV_VAR");
+ __infer_sql_sink(source);
+}
 }
diff --git a/infer/tests/codetoanalyze/cpp/quandary/issues.exp b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
index d0a48fbd5..a1b715bfa 100644
--- a/infer/tests/codetoanalyze/cpp/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
@@ -36,6 +36,7 @@ codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 29, QUANDARY_TAINT_ERR
 codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 31, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execve]
 codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 33, QUANDARY_TAINT_ERROR, [Return from getenv,Call to system]
 codetoanalyze/cpp/quandary/execs.cpp, execs::exec_flag_bad, 0, QUANDARY_TAINT_ERROR, [Return from execs::exec_flag_bad,Call to execl]
+codetoanalyze/cpp/quandary/execs.cpp, execs::sql_on_env_var_bad, 2, QUANDARY_TAINT_ERROR, [Return from getenv,Call to __infer_sql_sink]
 codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad1, 5, QUANDARY_TAINT_ERROR, [Return from std::basic_istream>_read,Call to execle]
 codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad2, 5, QUANDARY_TAINT_ERROR, [Return from std::basic_istream>_readsome,Call to execle]
 codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad3, 5, QUANDARY_TAINT_ERROR, [Return from std::basic_istream>_getline,Call to execle]
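Review bot: `std::string source = (std::string)std::getenv("ENV_VAR");` applies a C-style cast to a pointer that is null whenever `ENV_VAR` is unset, and constructing a `std::string` from a null `const char*` is undefined behaviour; the cast itself adds nothing, since `std::string` is implicitly constructible from the pointer. This fixture exists to be analysed rather than executed, so it will not crash in the test run, but these examples are the shape people copy, so `const char* env = std::getenv("ENV_VAR");` followed by `std::string source = env ? env : "";` would be the safer form, presumably still carrying the taint from getenv through `env` into `__infer_sql_sink` (worth confirming against issues.exp, whose expectation pins the report to line 2 of the function). `sql_on_env_var_bad` is complete within the hunk; the trailing context `}` appears to close the `execs` namespace opened in the earlier hunk.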