[quandary] deserialization as sink

Reviewed By: jeremydubreil

Differential Revision: D5810962

fbshipit-source-id: 92de23b
Sam Blackshear 7 years ago committed by Facebook Github Bot
parent 81c0fe6754
commit 6533aa65c6

@ -174,6 +174,7 @@ module SinkKind = struct
type t = type t =
| CreateFile (** sink that creates a file *) | CreateFile (** sink that creates a file *)
| CreateIntent (** sink that creates an Intent *) | CreateIntent (** sink that creates an Intent *)
| Deserialization (** sink that deserializes a Java object *)
| HTML (** sink that creates HTML *) | HTML (** sink that creates HTML *)
| JavaScript (** sink that passes its arguments to untrusted JS code *) | JavaScript (** sink that passes its arguments to untrusted JS code *)
| Logging (** sink that logs one or more of its arguments *) | Logging (** sink that logs one or more of its arguments *)
@ -186,6 +187,8 @@ module SinkKind = struct
-> CreateFile -> CreateFile
| "CreateIntent" | "CreateIntent"
-> CreateIntent -> CreateIntent
| "Deserialization"
-> Deserialization
| "HTML" | "HTML"
-> HTML -> HTML
| "JavaScript" | "JavaScript"
@ -233,6 +236,8 @@ module SinkKind = struct
| "java.nio.file.FileSystem", "getPath" | "java.nio.file.FileSystem", "getPath"
| "java.nio.file.Paths", "get" | "java.nio.file.Paths", "get"
-> taint_all CreateFile -> taint_all CreateFile
| "java.io.ObjectInputStream", "<init>"
-> taint_all Deserialization
| "com.facebook.infer.builtins.InferTaint", "inferSensitiveSink" | "com.facebook.infer.builtins.InferTaint", "inferSensitiveSink"
-> taint_nth 0 Other -> taint_nth 0 Other
| class_name, method_name | class_name, method_name
@ -295,6 +300,8 @@ module SinkKind = struct
-> "CreateFile" -> "CreateFile"
| CreateIntent | CreateIntent
-> "CreateIntent" -> "CreateIntent"
| Deserialization
-> "Deserialization"
| HTML | HTML
-> "HTML" -> "HTML"
| JavaScript | JavaScript
@ -332,6 +339,9 @@ include Trace.Make (struct
| UserControlledString, (StartComponent | CreateIntent | JavaScript | CreateFile | HTML) | UserControlledString, (StartComponent | CreateIntent | JavaScript | CreateFile | HTML)
-> (* do something sensitive with a user-controlled string *) -> (* do something sensitive with a user-controlled string *)
true true
| (Intent | UserControlledURI | UserControlledString), Deserialization
-> (* shouldn't let anyone external control what we deserialize *)
true
| Other, _ | _, Other | Other, _ | _, Other
-> (* for testing purposes, Other matches everything *) -> (* for testing purposes, Other matches everything *)
true true
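Review bot: The doc comment on the new `Deserialization` constructor, `(** sink that deserializes a Java object *)`, does not describe the sink that is actually registered in the later hunk, which is the `java.io.ObjectInputStream` constructor rather than any read call; suggest `(** sink that deserializes a Java object; currently the ObjectInputStream constructor, since a stream built from tainted input is unsafe whatever is read from it *)`. The `taint_all Deserialization` rule is keyed on the exact class name, so whether a subclass of ObjectInputStream that reaches the constructor through `super(...)` still triggers the sink depends on how the `class_name, method_name` fallback resolves supertypes, which is not visible here; a second fixture next to Serialization.java would pin that down. The `should_report` case pairs Deserialization only with Intent, UserControlledURI and UserControlledString, so any other source kinds in this module are reported only via the testing-only `Other` case; if that exclusion is deliberate, the comment on that arm should say so.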

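--- a/codetoanalyze/java/quandary/Serialization.java
+++ b/codetoanalyze/java/quandary/Serialization.java
@@ -0,0 +1,28 @@
+/*
+* Copyright (c) 2017 - present Facebook, Inc.
+* All rights reserved.
+*
+* This source code is licensed under the BSD style license found in the
+* LICENSE file in the root directory of this source tree. An additional grant
+* of patent rights can be found in the PATENTS file in the same directory.
+*/
+package codetoanalyze.java.quandary;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import com.facebook.infer.builtins.InferTaint;
+public class Serialization {
+// we could warn on only particular calls to the tainted ObjectInputStream (e.g., readObject,
+// readUnshared, but nothing good can come from creating a tainted ObjectInputStream
+Object taintedObjectInputStreamBad() throws IOException, ClassNotFoundException {
+Object source = InferTaint.inferSecretSource();
+ObjectInputStream stream = new ObjectInputStream((InputStream) source); // report here
+return stream.readObject();
+}
+}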
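Review bot: The comment above `taintedObjectInputStreamBad` is left unbalanced — the parenthesis opened at `(e.g., readObject,` is never closed, so the sentence reads as if it stops mid-thought; suggest `// we could warn on only particular calls to the tainted ObjectInputStream (e.g., readObject, readUnshared), but nothing good can come from creating a tainted ObjectInputStream`. Separately, the ObjectInputStream is never closed; since issues.exp pins the report to line 2 of this method, a try-with-resources that keeps the constructor on the second line, `try (ObjectInputStream stream = new ObjectInputStream((InputStream) source)) { return stream.readObject(); }`, would keep the expectation stable while closing the stream, though for a fixture this is optional.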

@ -190,6 +190,7 @@ codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.log
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [Return from double Location.getLongitude(),Call to int Log.wtf(String,String)] codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [Return from double Location.getLongitude(),Call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/Recursion.java, void Recursion.callSinkThenDivergeBad(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Recursion.callSinkThenDiverge(Object),Call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/Recursion.java, void Recursion.callSinkThenDivergeBad(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Recursion.callSinkThenDiverge(Object),Call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Recursion.java, void Recursion.safeRecursionCallSinkBad(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Recursion.safeRecursionCallSink(int,Object),Call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/Recursion.java, void Recursion.safeRecursionCallSinkBad(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Recursion.safeRecursionCallSink(int,Object),Call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Serialization.java, Object Serialization.taintedObjectInputStreamBad(), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to ObjectInputStream.<init>(InputStream)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaFormatterBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/Strings.java, void Strings.viaFormatterBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaFormatterIgnoreReturnBad(), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/Strings.java, void Strings.viaFormatterIgnoreReturnBad(), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBufferBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBufferBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
