[quandary] don't clobber existing taint on receiver when propagating taint from unknown call

Reviewed By: jeremydubreil Differential Revision: D4497098 fbshipit-source-id: 83c6a62
8 years ago · 6338997cf5
parent d41b500659
commit 6338997cf5
3 changed files with 26 additions and 1 deletions
--- a/infer/src/quandary/TaintAnalysis.ml
+++ b/infer/src/quandary/TaintAnalysis.ml
@ -384,8 +384,10 @@ module Make (TaintSpecification : TaintSpec.S) = struct
              | Some (trace, _) -> TraceDomain.join trace trace_acc
              | None -> trace_acc in
            let propagate_to_access_path access_path actuals (astate : Domain.astate) =
+              let initial_trace =
+                access_path_get_trace access_path astate.access_tree proc_data callee_loc in
              let trace_with_propagation =
-                IList.fold_left exp_join_traces TraceDomain.empty actuals in
+                IList.fold_left exp_join_traces initial_trace actuals in
              let access_tree =
                TaintDomain.add_trace access_path trace_with_propagation astate.access_tree in
              { astate with access_tree; } in
--- a/infer/tests/codetoanalyze/java/quandary/UnknownCode.java
+++ b/infer/tests/codetoanalyze/java/quandary/UnknownCode.java
@ -53,6 +53,26 @@ public abstract class UnknownCode {
    InferTaint.inferSensitiveSink(i);
  }

+  void propagateEmptyBad() {
+    String source = (String) InferTaint.inferSecretSource();
+    StringBuffer buffer = new StringBuffer();
+    buffer.append(source); // buffer is now tainted
+    // even though "" is not tainted, buffer and alias should still be tainted
+    StringBuffer alias = buffer.append("");
+    InferTaint.inferSensitiveSink(buffer); // should report
+    InferTaint.inferSensitiveSink(alias); // should report
+  }
+
+  void propagateFootprint(String param) {
+    StringBuffer buffer = new StringBuffer();
+    buffer.append(param);
+    InferTaint.inferSensitiveSink(buffer);
+  }
+
+  void callPropagateFootprintBad() {
+    propagateFootprint((String) InferTaint.inferSecretSource());
+  }
+
  static void FN_propagateViaInterfaceCodeBad(Interface i) {
    Object source = InferTaint.inferSecretSource();
    Object launderedSource = i.interfaceMethod(source);
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
@ -179,7 +179,10 @@ codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedCont
 codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedContextBad(String,Boolean,Integer), 2, QUANDARY_TAINT_ERROR, [return from void TaintedFormals.taintedContextBad(String,Boolean,Integer),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedContextBad(String,Boolean,Integer), 3, QUANDARY_TAINT_ERROR, [return from void TaintedFormals.taintedContextBad(String,Boolean,Integer),call to void TaintedFormals.callSink(Object),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedContextBad(String,Boolean,Integer), 4, QUANDARY_TAINT_ERROR, [return from void TaintedFormals.taintedContextBad(String,Boolean,Integer),call to void TaintedFormals.callSink(Object),call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.callPropagateFootprintBad(), 1, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void UnknownCode.propagateFootprint(String),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.callUnknownSetterBad(Intent), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateEmptyBad(), 6, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateEmptyBad(), 7, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownConstructorBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/WebViews.java, void WebViews.callWebviewChromeClientSinks(WebView,WebChromeClient), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean WebChromeClient.onJsAlert(WebView,String,String,JsResult)]
 codetoanalyze/java/quandary/WebViews.java, void WebViews.callWebviewChromeClientSinks(WebView,WebChromeClient), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean WebChromeClient.onJsBeforeUnload(WebView,String,String,JsResult)]