diff --git a/infer/src/quandary/ClangTrace.ml b/infer/src/quandary/ClangTrace.ml
index 1b22fdd12..48812c96e 100644
--- a/infer/src/quandary/ClangTrace.ml
+++ b/infer/src/quandary/ClangTrace.ml
@@ -472,7 +472,8 @@ include Trace.Make (struct
 IssueType.untrusted_url_risk
 | (CommandLineFlag _ | EnvironmentVariable | ReadFile), URL ->
 None
- | (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), SQLInjection ->
+ | ( (CommandLineFlag (_, typ) | Endpoint (_, typ) | UserControlledEndpoint (_, typ))
+ , SQLInjection ) ->
 if is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers then
 (* SQL injection if the caller of the endpoint doesn't sanitize on its end *)
 Some IssueType.sql_injection_risk
@@ -482,7 +483,7 @@ include Trace.Make (struct
 | (Endpoint _ | UserControlledEndpoint _), (SQLRead | SQLWrite) ->
 (* no injection risk, but still user-controlled *)
 Some IssueType.user_controlled_sql_risk
- | (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), ShellExec ->
+ | (CommandLineFlag (_, typ) | Endpoint (_, typ) | UserControlledEndpoint (_, typ)), ShellExec ->
 (* code injection if the caller of the endpoint doesn't sanitize on its end *)
 Option.some_if
 (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
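Review bot: The comments kept as context in both hunks still read "if the caller of the endpoint doesn't sanitize on its end", but the patterns above them now also match `CommandLineFlag (_, typ)`, which is not an endpoint, so the comments no longer describe the arms they annotate. Suggest `(* SQL injection if the endpoint's caller or the flag's value is not sanitized on its end *)` in the first hunk and `(* code injection if the endpoint's caller or the flag's value is not sanitized on its end *)` in the second. Folding the flag cases into these arms also changes the issue reported for a flag reaching a shell or SQL sink from `shell_injection`/`sql_injection` to the `_risk` variants, which is what the issues.exp hunk records; if that downgrade is intended it is worth stating in the commit message, because anyone filtering findings on the non-risk issue types will stop seeing flag-sourced ones. The enclosing match arm list starts and ends outside both hunks.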
@@ -501,21 +502,11 @@ include Trace.Make (struct
 Option.some_if
 (is_injection_possible Sanitizer.EscapeShell sanitizers)
 IssueType.shell_injection
- | CommandLineFlag (_, typ), ShellExec ->
- (* untrusted flag, flowing to shell *)
- Option.some_if
- (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
- IssueType.shell_injection
 | (EnvironmentVariable | ReadFile | Other), SQLInjection ->
 (* untrusted flag, environment var, or file data flowing to SQL *)
 Option.some_if
 (is_injection_possible Sanitizer.EscapeSQL sanitizers)
 IssueType.sql_injection
- | CommandLineFlag (_, typ), SQLInjection ->
- (* untrusted flag, flowing to shell *)
- Option.some_if
- (is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers)
- IssueType.sql_injection
 | Other, URL ->
 (* untrusted flag, environment var, or file data flowing to URL *)
 Option.some_if
diff --git a/infer/tests/codetoanalyze/cpp/quandary/issues.exp b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
index 37eade9a8..ac3589752 100644
--- a/infer/tests/codetoanalyze/cpp/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
@@ -79,8 +79,8 @@ codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 29, SHELL_INJECTION, E
 codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 31, SHELL_INJECTION, ERROR, [Return from getenv,Call to execve with tainted index 1]
 codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 33, SHELL_INJECTION, ERROR, [Return from getenv,Call to system with tainted index 0]
 codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 35, SHELL_INJECTION, ERROR, [Return from getenv,Call to popen with tainted index 0]
-codetoanalyze/cpp/quandary/execs.cpp, execs::exec_string_flag_bad, 0, SHELL_INJECTION, ERROR, [Return from __global_access,Call to execl with tainted index 0]
-codetoanalyze/cpp/quandary/execs.cpp, execs::exec_string_flag_interproc_bad, 2, SHELL_INJECTION, ERROR, [Return from __global_access with tainted data return,Return from execs::return_global,Call to execl with tainted index 0]
+codetoanalyze/cpp/quandary/execs.cpp, execs::exec_string_flag_bad, 0, SHELL_INJECTION_RISK, ERROR, [Return from __global_access,Call to execl with tainted index 0]
+codetoanalyze/cpp/quandary/execs.cpp, execs::exec_string_flag_interproc_bad, 2, SHELL_INJECTION_RISK, ERROR, [Return from __global_access with tainted data return,Return from execs::return_global,Call to execl with tainted index 0]
 codetoanalyze/cpp/quandary/execs.cpp, execs::sql_on_env_var_bad, 2, SQL_INJECTION, ERROR, [Return from getenv,Call to __infer_sql_sink with tainted index 0]
 codetoanalyze/cpp/quandary/expressions.cpp, expressions::propagate_via_binop1_bad, 3, QUANDARY_TAINT_ERROR, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/expressions.cpp, expressions::propagate_via_binop2_bad, 5, QUANDARY_TAINT_ERROR, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]