diff --git a/infer/src/base/IssueType.ml b/infer/src/base/IssueType.ml
index 34cd62833..ad9aa43a9 100644
--- a/infer/src/base/IssueType.ml
+++ b/infer/src/base/IssueType.ml
@@ -281,6 +281,10 @@ let skip_function = from_string "SKIP_FUNCTION"
 let skip_pointer_dereference = from_string "SKIP_POINTER_DEREFERENCE"
+let shell_injection = from_string "SHELL_INJECTION"
+
+let sql_injection = from_string "SQL_INJECTION"
+
 let stack_variable_address_escape = from_string ~enabled:false "STACK_VARIABLE_ADDRESS_ESCAPE"
 let static_initialization_order_fiasco = from_string "STATIC_INITIALIZATION_ORDER_FIASCO"
diff --git a/infer/src/base/IssueType.mli b/infer/src/base/IssueType.mli
index 87acb5c0a..cd98d7529 100644
--- a/infer/src/base/IssueType.mli
+++ b/infer/src/base/IssueType.mli
@@ -194,6 +194,10 @@ val skip_function : t
 val skip_pointer_dereference : t
+val shell_injection : t
+
+val sql_injection : t
+
 val stack_variable_address_escape : t
 val static_initialization_order_fiasco : t
diff --git a/infer/src/quandary/ClangTrace.ml b/infer/src/quandary/ClangTrace.ml
index 4a85ac505..aab2ddb51 100644
--- a/infer/src/quandary/ClangTrace.ml
+++ b/infer/src/quandary/ClangTrace.ml
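Review bot: Splitting exec and SQL sinks out of `QUANDARY_TAINT_ERROR` into `SHELL_INJECTION` and `SQL_INJECTION` changes the issue-type strings that the C++ expectation file in this same commit already shows moving, so any report filtering, suppression or baseline keyed on the old name will silently stop matching those findings. That rename is worth stating in the release notes, and the .mli could carry a one-line doc comment per new value, e.g. `(** untrusted data reaching a shell-exec sink; formerly reported as QUANDARY_TAINT_ERROR *)`. Both are registered via `from_string` without `~enabled:false`, so presumably they are on by default like the bucket they replace, which looks intended.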
@@ -288,17 +288,23 @@ include Trace.Make (struct
 | Endpoint _, BufferAccess ->
 (* untrusted data from an endpoint flowing into a buffer *)
 Some IssueType.quandary_taint_error
- | Endpoint (_, typ), (ShellExec | SQL) ->
- (* untrusted string data flowing to shell exec/SQL *)
- Option.some_if (is_stringy typ) IssueType.quandary_taint_error
- | (EnvironmentVariable | File), (BufferAccess | ShellExec | SQL) ->
- (* untrusted environment var or file data flowing to buffer or code injection *)
+ | Endpoint (_, typ), ShellExec ->
+ (* untrusted string data flowing to shell ShellExec *)
+ Option.some_if (is_stringy typ) IssueType.shell_injection
+ | Endpoint (_, typ), SQL ->
+ (* untrusted string data flowing to SQL *)
+ Option.some_if (is_stringy typ) IssueType.sql_injection
+ | (CommandLineFlag _ | EnvironmentVariable | File | Other), BufferAccess ->
+ (* untrusted flag, environment var, or file data flowing to buffer *)
 Some IssueType.quandary_taint_error
- | (Endpoint _ | EnvironmentVariable | File), Allocation ->
- (* untrusted data flowing to memory allocation *)
- Some IssueType.quandary_taint_error
- | CommandLineFlag _, (Allocation | BufferAccess | Other | ShellExec | SQL) ->
- (* data controlled by a command line flag flowing somewhere sensitive *)
+ | (CommandLineFlag _ | EnvironmentVariable | File | Other), ShellExec ->
+ (* untrusted flag, environment var, or file data flowing to shell *)
+ Some IssueType.shell_injection
+ | (CommandLineFlag _ | EnvironmentVariable | File | Other), SQL ->
+ (* untrusted flag, environment var, or file data flowing to SQL *)
+ Some IssueType.sql_injection
+ | (CommandLineFlag _ | Endpoint _ | EnvironmentVariable | File), Allocation ->
+ (* untrusted data of any kind flowing to memory allocation *)
 Some IssueType.quandary_taint_error
 | Other, _ ->
 (* Other matches everything *)
diff --git a/infer/tests/codetoanalyze/cpp/quandary/issues.exp b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
index 4c75b5250..622177c7b 100644
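Review bot: The `CommandLineFlag _, Other` pairing was reported as `quandary_taint_error` by the removed `CommandLineFlag _, (Allocation | BufferAccess | Other | ShellExec | SQL)` arm, but none of the new arms covers an `Other` sink for that source, so unless an arm after the hunk handles `_, Other` this flow is now silently dropped; the match continues past the hunk, so I cannot confirm either way from here. If no such arm exists, restore it with `| CommandLineFlag _, Other -> Some IssueType.quandary_taint_error` ahead of the final catch-all. Separately, the comment on the first new arm reads `(* untrusted string data flowing to shell ShellExec *)`; `(* untrusted string data flowing to shell exec *)` matches its SQL sibling, and the three `untrusted flag, environment var, or file data` comments omit the `Other` source the patterns now include. The enclosing match starts and ends outside this hunk.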
--- a/infer/tests/codetoanalyze/cpp/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
@@ -35,32 +35,32 @@ codetoanalyze/cpp/quandary/basics.cpp, basics::via_field_bad1, 3, QUANDARY_TAINT codetoanalyze/cpp/quandary/basics.cpp, basics::via_field_bad2, 2, QUANDARY_TAINT_ERROR, [Return from basics::template_source_>,Call to basics::template_sink_>] codetoanalyze/cpp/quandary/basics.cpp, basics::via_passthrough_bad1, 4, QUANDARY_TAINT_ERROR, [Return from basics::Obj_string_source,Call to basics::Obj_string_sink] codetoanalyze/cpp/quandary/basics.cpp, basics::via_passthrough_bad2, 3, QUANDARY_TAINT_ERROR, [Return from basics::Obj_string_source,Call to basics::Obj_string_sink] -codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 9, QUANDARY_TAINT_ERROR, [Return from execs::Obj_endpoint,Call to __infer_sql_sink] -codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 10, QUANDARY_TAINT_ERROR, [Return from execs::Obj_endpoint,Call to __infer_sql_sink] -codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 11, QUANDARY_TAINT_ERROR, [Return from execs::Obj_endpoint,Call to __infer_sql_sink] -codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 12, QUANDARY_TAINT_ERROR, [Return from execs::Obj_endpoint,Call to __infer_sql_sink] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 6, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execl] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 8, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execl] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 11, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execl] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 13, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execlp] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 15, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execlp] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 17, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execle] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 19, QUANDARY_TAINT_ERROR, [Return from 
getenv,Call to execle] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 21, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execv] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 23, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execvp] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 25, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execv] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 27, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execvp] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 29, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execve] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 31, QUANDARY_TAINT_ERROR, [Return from getenv,Call to execve] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 33, QUANDARY_TAINT_ERROR, [Return from getenv,Call to system] -codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 35, QUANDARY_TAINT_ERROR, [Return from getenv,Call to popen] -codetoanalyze/cpp/quandary/execs.cpp, execs::exec_flag_bad, 0, QUANDARY_TAINT_ERROR, [Return from __global_access,Call to execl] -codetoanalyze/cpp/quandary/execs.cpp, execs::exec_flag_interproc_bad, 2, QUANDARY_TAINT_ERROR, [Return from __global_access with tainted data &return,Return from execs::return_global,Call to execl] -codetoanalyze/cpp/quandary/execs.cpp, execs::sql_on_env_var_bad, 2, QUANDARY_TAINT_ERROR, [Return from getenv,Call to __infer_sql_sink] -codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad1, 5, QUANDARY_TAINT_ERROR, [Return from std::basic_istream>_read,Call to execle] -codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad2, 5, QUANDARY_TAINT_ERROR, [Return from std::basic_istream>_readsome,Call to execle] -codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad3, 5, QUANDARY_TAINT_ERROR, [Return from std::basic_istream>_getline,Call to execle] -codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad5, 4, 
QUANDARY_TAINT_ERROR, [Return from std::basic_istream>_getline,Call to execle] +codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 9, SQL_INJECTION, [Return from execs::Obj_endpoint,Call to __infer_sql_sink] +codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 10, SQL_INJECTION, [Return from execs::Obj_endpoint,Call to __infer_sql_sink] +codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 11, SQL_INJECTION, [Return from execs::Obj_endpoint,Call to __infer_sql_sink] +codetoanalyze/cpp/quandary/execs.cpp, execs::Obj_endpoint, 12, SQL_INJECTION, [Return from execs::Obj_endpoint,Call to __infer_sql_sink] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 6, SHELL_INJECTION, [Return from getenv,Call to execl] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 8, SHELL_INJECTION, [Return from getenv,Call to execl] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 11, SHELL_INJECTION, [Return from getenv,Call to execl] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 13, SHELL_INJECTION, [Return from getenv,Call to execlp] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 15, SHELL_INJECTION, [Return from getenv,Call to execlp] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 17, SHELL_INJECTION, [Return from getenv,Call to execle] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 19, SHELL_INJECTION, [Return from getenv,Call to execle] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 21, SHELL_INJECTION, [Return from getenv,Call to execv] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 23, SHELL_INJECTION, [Return from getenv,Call to execvp] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 25, SHELL_INJECTION, [Return from getenv,Call to execv] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 27, SHELL_INJECTION, [Return from getenv,Call to execvp] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 29, SHELL_INJECTION, [Return from 
getenv,Call to execve] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 31, SHELL_INJECTION, [Return from getenv,Call to execve] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 33, SHELL_INJECTION, [Return from getenv,Call to system] +codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 35, SHELL_INJECTION, [Return from getenv,Call to popen] +codetoanalyze/cpp/quandary/execs.cpp, execs::exec_flag_bad, 0, SHELL_INJECTION, [Return from __global_access,Call to execl] +codetoanalyze/cpp/quandary/execs.cpp, execs::exec_flag_interproc_bad, 2, SHELL_INJECTION, [Return from __global_access with tainted data &return,Return from execs::return_global,Call to execl] +codetoanalyze/cpp/quandary/execs.cpp, execs::sql_on_env_var_bad, 2, SQL_INJECTION, [Return from getenv,Call to __infer_sql_sink] +codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad1, 5, SHELL_INJECTION, [Return from std::basic_istream>_read,Call to execle] +codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad2, 5, SHELL_INJECTION, [Return from std::basic_istream>_readsome,Call to execle] +codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad3, 5, SHELL_INJECTION, [Return from std::basic_istream>_getline,Call to execle] +codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad5, 4, SHELL_INJECTION, [Return from std::basic_istream>_getline,Call to execle] codetoanalyze/cpp/quandary/pointers.cpp, pointers::FP_reuse_pointer_as_local_ok, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0,Return from pointers::reuse_pointer_as_local,Call to __infer_taint_sink] codetoanalyze/cpp/quandary/pointers.cpp, pointers::assign_pointer_pass_to_sink_bad1, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0,Return from pointers::assign_pointer_to_source,Call to __infer_taint_sink] codetoanalyze/cpp/quandary/pointers.cpp, pointers::assign_pointer_pass_to_sink_bad2, 3, 
QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0,Return from pointers::assign_pointer_to_source,Call to __infer_taint_sink]