[quandary] add new issue types for sql injection and shell injection

Reviewed By: mbouaziz

Differential Revision: D6153804

fbshipit-source-id: a5a97db
Sam Blackshear 7 years ago committed by Facebook Github Bot
parent fc20d8a6cb
commit 6ea6c74a5c

@ -281,6 +281,10 @@ let skip_function = from_string "SKIP_FUNCTION"
let skip_pointer_dereference = from_string "SKIP_POINTER_DEREFERENCE"
let shell_injection = from_string "SHELL_INJECTION"
let sql_injection = from_string "SQL_INJECTION"
let stack_variable_address_escape = from_string ~enabled:false "STACK_VARIABLE_ADDRESS_ESCAPE"
let static_initialization_order_fiasco = from_string "STATIC_INITIALIZATION_ORDER_FIASCO"

@ -194,6 +194,10 @@ val skip_function : t
val skip_pointer_dereference : t
val shell_injection : t
val sql_injection : t
val stack_variable_address_escape : t
val static_initialization_order_fiasco : t

@ -288,17 +288,23 @@ include Trace.Make (struct
| Endpoint _, BufferAccess ->
(* untrusted data from an endpoint flowing into a buffer *)
Some IssueType.quandary_taint_error
| Endpoint (_, typ), (ShellExec | SQL) ->
(* untrusted string data flowing to shell exec/SQL *)
Option.some_if (is_stringy typ) IssueType.quandary_taint_error
| (EnvironmentVariable | File), (BufferAccess | ShellExec | SQL) ->
(* untrusted environment var or file data flowing to buffer or code injection *)
| Endpoint (_, typ), ShellExec ->
(* untrusted string data flowing to shell ShellExec *)
Option.some_if (is_stringy typ) IssueType.shell_injection
| Endpoint (_, typ), SQL ->
(* untrusted string data flowing to SQL *)
Option.some_if (is_stringy typ) IssueType.sql_injection
| (CommandLineFlag _ | EnvironmentVariable | File | Other), BufferAccess ->
(* untrusted flag, environment var, or file data flowing to buffer *)
Some IssueType.quandary_taint_error
| (Endpoint _ | EnvironmentVariable | File), Allocation ->
(* untrusted data flowing to memory allocation *)
Some IssueType.quandary_taint_error
| CommandLineFlag _, (Allocation | BufferAccess | Other | ShellExec | SQL) ->
(* data controlled by a command line flag flowing somewhere sensitive *)
| (CommandLineFlag _ | EnvironmentVariable | File | Other), ShellExec ->
(* untrusted flag, environment var, or file data flowing to shell *)
Some IssueType.shell_injection
| (CommandLineFlag _ | EnvironmentVariable | File | Other), SQL ->
(* untrusted flag, environment var, or file data flowing to SQL *)
Some IssueType.sql_injection
| (CommandLineFlag _ | Endpoint _ | EnvironmentVariable | File), Allocation ->
(* untrusted data of any kind flowing to memory allocation *)
Some IssueType.quandary_taint_error
| Other, _ ->
(* Other matches everything *)
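Review bot: The removed arm `CommandLineFlag _, (Allocation | BufferAccess | Other | ShellExec | SQL)` also covered a sink of kind `Other`, but none of the new arms lists the pair `CommandLineFlag _, Other`, so it now falls through to whichever arm follows the hunk — worth confirming that arm still reports it (or that dropping the report is intended), since exhaustiveness checking only catches a missing case, not a changed result. The comments on the three `(CommandLineFlag _ | EnvironmentVariable | File | Other), …` arms say "untrusted flag, environment var, or file data" while the pattern also includes `Other`; extending them, e.g. `(* untrusted flag, environment var, file, or other data flowing to shell *)`, keeps the comment honest about what the arm reports. The endpoint arm's comment reads "flowing to shell ShellExec"; `(* untrusted string data flowing to shell exec *)` matches its SQL sibling. The enclosing match continues past the hunk, so how much the `Other, _` catch-all still covers cannot be seen here.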

@ -35,32 +35,32 @@ codetoanalyze/cpp/quandary/basics.cpp, basics::via_field_bad1, 3, QUANDARY_TAINT
codetoanalyze/cpp/quandary/basics.cpp, basics::via_field_bad2, 2, QUANDARY_TAINT_ERROR, [Return from basics::template_source<std::basic_string<char>_>,Call to basics::template_sink<std::basic_string<char>_>]
codetoanalyze/cpp/quandary/basics.cpp, basics::via_passthrough_bad1, 4, QUANDARY_TAINT_ERROR, [Return from basics::Obj_string_source,Call to basics::Obj_string_sink]
codetoanalyze/cpp/quandary/basics.cpp, basics::via_passthrough_bad2, 3, QUANDARY_TAINT_ERROR, [Return from basics::Obj_string_source,Call to basics::Obj_string_sink]
codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 9, QUANDARY_TAINT_ERROR, [Return from execs::Obj_endpoint,Call to __infer_sql_sink]
codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 10, QUANDARY_TAINT_ERROR, [Return from execs::Obj_endpoint,Call to __infer_sql_sink]
codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 11, QUANDARY_TAINT_ERROR, [Return from execs::Obj_endpoint,Call to __infer_sql_sink]
codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 12, QUANDARY_TAINT_ERROR, [Return from execs::Obj_endpoint,Call to __infer_sql_sink]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 6, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execl]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 8, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execl]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 11, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execl]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 13, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execlp]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 15, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execlp]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 17, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execle]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 19, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execle]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 21, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execv]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 23, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execvp]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 25, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execv]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 27, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execvp]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 29, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execve]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 31, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execve]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 33, QUANDARY_TAINT_ERROR, [Return from getenv,Call to system]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 35, QUANDARY_TAINT_ERROR, [Return from getenv,Call to popen]
codetoanalyze/cpp/quandary/execs.cpp, execs::exec_flag_bad, 0, QUANDARY_TAINT_ERROR, [Return from __global_access,Call to execl]
codetoanalyze/cpp/quandary/execs.cpp, execs::exec_flag_interproc_bad, 2, QUANDARY_TAINT_ERROR, [Return from __global_access with tainted data &return,Return from execs::return_global,Call to execl]
codetoanalyze/cpp/quandary/execs.cpp, execs::sql_on_env_var_bad, 2, QUANDARY_TAINT_ERROR, [Return from getenv,Call to __infer_sql_sink]
codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad1, 5, QUANDARY_TAINT_ERROR, [Return from std::basic_istream<char,std::char_traits<char>>_read,Call to execle]
codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad2, 5, QUANDARY_TAINT_ERROR, [Return from std::basic_istream<char,std::char_traits<char>>_readsome,Call to execle]
codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad3, 5, QUANDARY_TAINT_ERROR, [Return from std::basic_istream<char,std::char_traits<char>>_getline,Call to execle]
codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad5, 4, QUANDARY_TAINT_ERROR, [Return from std::basic_istream<char,std::char_traits<char>>_getline,Call to execle]
codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 9, SQL_INJECTION, [Return from execs::Obj_endpoint,Call to __infer_sql_sink]
codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 10, SQL_INJECTION, [Return from execs::Obj_endpoint,Call to __infer_sql_sink]
codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 11, SQL_INJECTION, [Return from execs::Obj_endpoint,Call to __infer_sql_sink]
codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 12, SQL_INJECTION, [Return from execs::Obj_endpoint,Call to __infer_sql_sink]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 6, SHELL_INJECTION, [Return from getenv,Call to execl]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 8, SHELL_INJECTION, [Return from getenv,Call to execl]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 11, SHELL_INJECTION, [Return from getenv,Call to execl]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 13, SHELL_INJECTION, [Return from getenv,Call to execlp]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 15, SHELL_INJECTION, [Return from getenv,Call to execlp]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 17, SHELL_INJECTION, [Return from getenv,Call to execle]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 19, SHELL_INJECTION, [Return from getenv,Call to execle]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 21, SHELL_INJECTION, [Return from getenv,Call to execv]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 23, SHELL_INJECTION, [Return from getenv,Call to execvp]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 25, SHELL_INJECTION, [Return from getenv,Call to execv]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 27, SHELL_INJECTION, [Return from getenv,Call to execvp]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 29, SHELL_INJECTION, [Return from getenv,Call to execve]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 31, SHELL_INJECTION, [Return from getenv,Call to execve]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 33, SHELL_INJECTION, [Return from getenv,Call to system]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 35, SHELL_INJECTION, [Return from getenv,Call to popen]
codetoanalyze/cpp/quandary/execs.cpp, execs::exec_flag_bad, 0, SHELL_INJECTION, [Return from __global_access,Call to execl]
codetoanalyze/cpp/quandary/execs.cpp, execs::exec_flag_interproc_bad, 2, SHELL_INJECTION, [Return from __global_access with tainted data &return,Return from execs::return_global,Call to execl]
codetoanalyze/cpp/quandary/execs.cpp, execs::sql_on_env_var_bad, 2, SQL_INJECTION, [Return from getenv,Call to __infer_sql_sink]
codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad1, 5, SHELL_INJECTION, [Return from std::basic_istream<char,std::char_traits<char>>_read,Call to execle]
codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad2, 5, SHELL_INJECTION, [Return from std::basic_istream<char,std::char_traits<char>>_readsome,Call to execle]
codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad3, 5, SHELL_INJECTION, [Return from std::basic_istream<char,std::char_traits<char>>_getline,Call to execle]
codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad5, 4, SHELL_INJECTION, [Return from std::basic_istream<char,std::char_traits<char>>_getline,Call to execle]
codetoanalyze/cpp/quandary/pointers.cpp, pointers::FP_reuse_pointer_as_local_ok, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0,Return from pointers::reuse_pointer_as_local,Call to __infer_taint_sink]
codetoanalyze/cpp/quandary/pointers.cpp, pointers::assign_pointer_pass_to_sink_bad1, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0,Return from pointers::assign_pointer_to_source,Call to __infer_taint_sink]
codetoanalyze/cpp/quandary/pointers.cpp, pointers::assign_pointer_pass_to_sink_bad2, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0,Return from pointers::assign_pointer_to_source,Call to __infer_taint_sink]
