From 6338997cf532c6b766c59e3abf374fc7c1673103 Mon Sep 17 00:00:00 2001
From: Sam Blackshear
Date: Thu, 2 Feb 2017 10:12:29 -0800
Subject: [PATCH] [quandary] don't clobber existing taint on receiver when propagating taint from unknown call
Reviewed By: jeremydubreil
Differential Revision: D4497098
fbshipit-source-id: 83c6a62
---
 infer/src/quandary/TaintAnalysis.ml | 4 +++-
 .../java/quandary/UnknownCode.java | 20 +++++++++++++++++++
 .../codetoanalyze/java/quandary/issues.exp | 3 +++
 3 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/infer/src/quandary/TaintAnalysis.ml b/infer/src/quandary/TaintAnalysis.ml
index b0fb5c72f..dfc514f52 100644
--- a/infer/src/quandary/TaintAnalysis.ml
+++ b/infer/src/quandary/TaintAnalysis.ml
@@ -384,8 +384,10 @@ module Make (TaintSpecification : TaintSpec.S) = struct
       | Some (trace, _) -> TraceDomain.join trace trace_acc
       | None -> trace_acc in
     let propagate_to_access_path access_path actuals (astate : Domain.astate) =
+      let initial_trace =
+        access_path_get_trace access_path astate.access_tree proc_data callee_loc in
       let trace_with_propagation =
-        IList.fold_left exp_join_traces TraceDomain.empty actuals in
+        IList.fold_left exp_join_traces initial_trace actuals in
       let access_tree =
         TaintDomain.add_trace access_path trace_with_propagation astate.access_tree in
       { astate with access_tree; } in
diff --git a/infer/tests/codetoanalyze/java/quandary/UnknownCode.java b/infer/tests/codetoanalyze/java/quandary/UnknownCode.java
index 6e8ac0695..4e4edb409 100644
--- a/infer/tests/codetoanalyze/java/quandary/UnknownCode.java
+++ b/infer/tests/codetoanalyze/java/quandary/UnknownCode.java
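Review bot: The new `initial_trace` binding carries the reason for the change only in the commit title; a one-line comment on the binding would keep the intent readable in the source, e.g. `(* start from the trace already on [access_path] so propagation from an unknown call widens rather than replaces the receiver's taint *)`. Because the fold is now seeded from the existing access tree, `trace_with_propagation` can only grow the trace on `access_path`; that is the sound direction for a taint analysis, but it also means an unknown call on an already-tainted receiver never clears that taint, which is worth stating if sanitizer modelling lives elsewhere. Whether `access_path_get_trace` also yields a footprint trace for a formal (as `callPropagateFootprintBad` in the Java test expects) cannot be confirmed from this hunk. The enclosing `propagate_to_access_path` and the function that defines `exp_join_traces` start and end outside the hunk.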
@@ -53,6 +53,26 @@ public abstract class UnknownCode {
     InferTaint.inferSensitiveSink(i);
   }
 
+  void propagateEmptyBad() {
+    String source = (String) InferTaint.inferSecretSource();
+    StringBuffer buffer = new StringBuffer();
+    buffer.append(source); // buffer is now tainted
+    // even though "" is not tainted, buffer and alias should still be tainted
+    StringBuffer alias = buffer.append("");
+    InferTaint.inferSensitiveSink(buffer); // should report
+    InferTaint.inferSensitiveSink(alias); // should report
+  }
+
+  void propagateFootprint(String param) {
+    StringBuffer buffer = new StringBuffer();
+    buffer.append(param);
+    InferTaint.inferSensitiveSink(buffer);
+  }
+
+  void callPropagateFootprintBad() {
+    propagateFootprint((String) InferTaint.inferSecretSource());
+  }
+
   static void FN_propagateViaInterfaceCodeBad(Interface i) {
     Object source = InferTaint.inferSecretSource();
     Object launderedSource = i.interfaceMethod(source);
diff --git a/infer/tests/codetoanalyze/java/quandary/issues.exp b/infer/tests/codetoanalyze/java/quandary/issues.exp
index f08890207..069110127 100644
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
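Review bot: `propagateFootprint` is the only new method without the `Bad`/`Ok`/`FN_` suffix the surrounding test cases use, so it reads like an incomplete test case rather than the helper that `callPropagateFootprintBad` drives; a comment would make that explicit, e.g. `// helper: the sink below only sees taint when reached via callPropagateFootprintBad`. The expected-output change reports the issue at `callPropagateFootprintBad` line 1 rather than inside the helper, which is consistent with that reading. The enclosing class `UnknownCode` starts and ends outside the hunk.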
@@ -179,7 +179,10 @@ codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedCont
 codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedContextBad(String,Boolean,Integer), 2, QUANDARY_TAINT_ERROR, [return from void TaintedFormals.taintedContextBad(String,Boolean,Integer),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedContextBad(String,Boolean,Integer), 3, QUANDARY_TAINT_ERROR, [return from void TaintedFormals.taintedContextBad(String,Boolean,Integer),call to void TaintedFormals.callSink(Object),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedContextBad(String,Boolean,Integer), 4, QUANDARY_TAINT_ERROR, [return from void TaintedFormals.taintedContextBad(String,Boolean,Integer),call to void TaintedFormals.callSink(Object),call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.callPropagateFootprintBad(), 1, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void UnknownCode.propagateFootprint(String),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.callUnknownSetterBad(Intent), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateEmptyBad(), 6, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateEmptyBad(), 7, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownConstructorBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/WebViews.java, void WebViews.callWebviewChromeClientSinks(WebView,WebChromeClient), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean WebChromeClient.onJsAlert(WebView,String,String,JsResult)]
 codetoanalyze/java/quandary/WebViews.java, void WebViews.callWebviewChromeClientSinks(WebView,WebChromeClient), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean WebChromeClient.onJsBeforeUnload(WebView,String,String,JsResult)]