[quandary] de-prioritize command line flag sources

Reviewed By: the-st0rm

Differential Revision: D7988572

fbshipit-source-id: b665f70
master
Sam Blackshear 7 years ago committed by Facebook Github Bot
parent 4e821129a4
commit 85b8087f66

@ -472,7 +472,8 @@ include Trace.Make (struct
IssueType.untrusted_url_risk
| (CommandLineFlag _ | EnvironmentVariable | ReadFile), URL ->
None
| (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), SQLInjection ->
| ( (CommandLineFlag (_, typ) | Endpoint (_, typ) | UserControlledEndpoint (_, typ))
, SQLInjection ) ->
if is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers then
(* SQL injection if the caller of the endpoint doesn't sanitize on its end *)
Some IssueType.sql_injection_risk
@ -482,7 +483,7 @@ include Trace.Make (struct
| (Endpoint _ | UserControlledEndpoint _), (SQLRead | SQLWrite) ->
(* no injection risk, but still user-controlled *)
Some IssueType.user_controlled_sql_risk
| (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), ShellExec ->
| (CommandLineFlag (_, typ) | Endpoint (_, typ) | UserControlledEndpoint (_, typ)), ShellExec ->
(* code injection if the caller of the endpoint doesn't sanitize on its end *)
Option.some_if
(is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
@ -501,21 +502,11 @@ include Trace.Make (struct
Option.some_if
(is_injection_possible Sanitizer.EscapeShell sanitizers)
IssueType.shell_injection
| CommandLineFlag (_, typ), ShellExec ->
(* untrusted flag, flowing to shell *)
Option.some_if
(is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
IssueType.shell_injection
| (EnvironmentVariable | ReadFile | Other), SQLInjection ->
(* untrusted flag, environment var, or file data flowing to SQL *)
Option.some_if
(is_injection_possible Sanitizer.EscapeSQL sanitizers)
IssueType.sql_injection
| CommandLineFlag (_, typ), SQLInjection ->
(* untrusted flag, flowing to shell *)
Option.some_if
(is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers)
IssueType.sql_injection
| Other, URL ->
(* untrusted flag, environment var, or file data flowing to URL *)
Option.some_if
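Review bot: The comments on the two widened arms still describe only endpoints — `(* SQL injection if the caller of the endpoint doesn't sanitize on its end *)` in the first hunk and `(* code injection if the caller of the endpoint doesn't sanitize on its end *)` in the second — but both arms now also match `CommandLineFlag (_, typ)`, so a reader of the new code would take the flag alternative for a copy-paste slip rather than an intended downgrade. Reword each to cover the new alternative, e.g. `(* injection if the endpoint's caller, or whoever supplies the flag value, doesn't sanitize on its end *)`. The commit title states the intent (flag sources now yield the `_risk` variants instead of `shell_injection`/`sql_injection`) but nothing in the code records why; a one-line comment above the `CommandLineFlag` alternative stating the rationale — if it is that flag values are operator- rather than end-user-controlled, say that — would keep the next maintainer from re-promoting them. The enclosing match and its function start and end outside the hunks.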

@ -79,8 +79,8 @@ codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 29, SHELL_INJECTION, E
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 31, SHELL_INJECTION, ERROR, [Return from getenv,Call to execve with tainted index 1]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 33, SHELL_INJECTION, ERROR, [Return from getenv,Call to system with tainted index 0]
codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 35, SHELL_INJECTION, ERROR, [Return from getenv,Call to popen with tainted index 0]
codetoanalyze/cpp/quandary/execs.cpp, execs::exec_string_flag_bad, 0, SHELL_INJECTION, ERROR, [Return from __global_access,Call to execl with tainted index 0]
codetoanalyze/cpp/quandary/execs.cpp, execs::exec_string_flag_interproc_bad, 2, SHELL_INJECTION, ERROR, [Return from __global_access with tainted data return,Return from execs::return_global,Call to execl with tainted index 0]
codetoanalyze/cpp/quandary/execs.cpp, execs::exec_string_flag_bad, 0, SHELL_INJECTION_RISK, ERROR, [Return from __global_access,Call to execl with tainted index 0]
codetoanalyze/cpp/quandary/execs.cpp, execs::exec_string_flag_interproc_bad, 2, SHELL_INJECTION_RISK, ERROR, [Return from __global_access with tainted data return,Return from execs::return_global,Call to execl with tainted index 0]
codetoanalyze/cpp/quandary/execs.cpp, execs::sql_on_env_var_bad, 2, SQL_INJECTION, ERROR, [Return from getenv,Call to __infer_sql_sink with tainted index 0]
codetoanalyze/cpp/quandary/expressions.cpp, expressions::propagate_via_binop1_bad, 3, QUANDARY_TAINT_ERROR, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
codetoanalyze/cpp/quandary/expressions.cpp, expressions::propagate_via_binop2_bad, 5, QUANDARY_TAINT_ERROR, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
