[quandary] don't taint dummy Thrift `_return` formals

Summary: In C++, Thrift implements return values using these dummy `_return` formals. They shouldn't be tainted.

Reviewed By: mbouaziz

Differential Revision: D7362176

fbshipit-source-id: af8e515
Sam Blackshear 7 years ago committed by Facebook Github Bot
parent 082e3f1f9e
commit 57a8c2f594

@ -145,12 +145,14 @@ module SourceKind = struct
PatternMatch.supertype_exists tenv is_thrift_service_ typename PatternMatch.supertype_exists tenv is_thrift_service_ typename
in in
(* taint all formals except for [this] *) (* taint all formals except for [this] *)
let taint_all_but_this ~make_source = let taint_all_but_this_and_return ~make_source =
List.map List.map
~f:(fun (name, typ) -> ~f:(fun (name, typ) ->
let taint = let taint =
match Mangled.to_string name with match Mangled.to_string name with
| "this" -> | "this" | "_return" ->
(* thrift methods implement returning values using dummy _return parameters that
the C++ code assigns to. these are sinks, not sources *)
None None
| _ -> | _ ->
Some (make_source name typ.Typ.desc) Some (make_source name typ.Typ.desc)
@ -166,9 +168,10 @@ module SourceKind = struct
(Typ.Procname.get_method pname) (Typ.Procname.get_method pname)
in in
if String.Set.mem endpoints qualified_pname then if String.Set.mem endpoints qualified_pname then
taint_all_but_this ~make_source:(fun name desc -> UserControlledEndpoint (name, desc)) taint_all_but_this_and_return ~make_source:(fun name desc ->
UserControlledEndpoint (name, desc) )
else if is_thrift_service cpp_pname then else if is_thrift_service cpp_pname then
taint_all_but_this ~make_source:(fun name desc -> Endpoint (name, desc)) taint_all_but_this_and_return ~make_source:(fun name desc -> Endpoint (name, desc))
else Source.all_formals_untainted pdesc else Source.all_formals_untainted pdesc
| _ -> | _ ->
Source.all_formals_untainted pdesc Source.all_formals_untainted pdesc
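Review bot: The new `"this" | "_return"` arm in `taint_all_but_this_and_return` suppresses the source purely by formal name, so a parameter that happens to be called `_return` on a method listed in the configured `endpoints` set (the first branch of the second hunk) or on a hand-written method of a Thrift service is left untainted even when it is a genuine input, which is a silent false negative rather than a false positive. Thrift-generated C++ signatures place `_return` first as a non-const reference, so limiting the exclusion to that position, or to a reference type if `typ.Typ.desc` can express that, would keep the suppression from leaking onto unrelated code; whether the formal's position is available at this point is not visible in the hunk. The header comment just above the function is now stale — suggest `(* taint all formals except for [this] and Thrift's dummy [_return] out-parameter *)`. The enclosing function bodies of both hunks start and end outside the visible lines.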

@ -137,6 +137,11 @@ class Service1 : facebook::fb303::cpp2::FacebookServiceSvIf {
system((const char*)this); system((const char*)this);
} }
void service_return_param_ok(std::string& _return) {
// dummy return object should not be treated as tainted
system(_return.c_str());
}
private: private:
void private_not_endpoint_ok(std::string formal) { system(formal.c_str()); } void private_not_endpoint_ok(std::string formal) { system(formal.c_str()); }
}; };
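Review bot: The added `service_return_param_ok` case only checks the suppression fires; nothing guards against it being too broad, since its sole formal is `_return` and real Thrift signatures carry further arguments after it. A companion case such as `void service_return_param_and_arg_bad(std::string& _return, std::string formal) { system(formal.c_str()); }` would confirm that the other formals of the same method are still reported once `_return` is excluded. The `Service1` class definition begins before the hunk.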
