[quandary] Allow several kinds for external sources/sinks

Reviewed By: ngorogiannis

Differential Revision: D13417113

fbshipit-source-id: 0838c5704
master
Mehdi Bouaziz 6 years ago committed by Facebook Github Bot
parent 00b052826a
commit 87b3907628

@ -9,8 +9,8 @@ open! IStd
module F = Format module F = Format
module L = Logging module L = Logging
let parse_clang_procedure procedure kind index = let parse_clang_procedure procedure kinds index =
try Some (QualifiedCppName.Match.of_fuzzy_qual_names [procedure], kind, index) try Some (QualifiedCppName.Match.of_fuzzy_qual_names [procedure], kinds, index)
with QualifiedCppName.ParseError _ -> with QualifiedCppName.ParseError _ ->
(* Java and Clang sources/sinks live in the same inferconfig entry. If we try to parse a Java (* Java and Clang sources/sinks live in the same inferconfig entry. If we try to parse a Java
procedure that happens to be an invalid Clang qualified name (e.g., MyClass.<init>), procedure that happens to be an invalid Clang qualified name (e.g., MyClass.<init>),
@ -49,21 +49,21 @@ module SourceKind = struct
let external_sources = let external_sources =
List.filter_map List.filter_map
~f:(fun {QuandaryConfig.Source.procedure; kind; index} -> ~f:(fun {QuandaryConfig.Source.procedure; kinds; index} ->
parse_clang_procedure procedure kind index ) parse_clang_procedure procedure kinds index )
(QuandaryConfig.Source.of_json Config.quandary_sources) (QuandaryConfig.Source.of_json Config.quandary_sources)
let endpoints = String.Set.of_list (QuandaryConfig.Endpoint.of_json Config.quandary_endpoints) let endpoints = String.Set.of_list (QuandaryConfig.Endpoint.of_json Config.quandary_endpoints)
(* return Some(source kind) if [procedure_name] is in the list of externally specified sources *) (* return a list of source kinds if [procedure_name] is in the list of externally specified sources *)
let get_external_source qualified_pname = let get_external_source qualified_pname =
let return = None in let return = None in
List.filter_map external_sources ~f:(fun (qualifiers, kind, index) -> List.concat_map external_sources ~f:(fun (qualifiers, kinds, index) ->
if QualifiedCppName.Match.match_qualifiers qualifiers qualified_pname then if QualifiedCppName.Match.match_qualifiers qualifiers qualified_pname then
let source_index = try Some (int_of_string index) with Failure _ -> return in let source_index = try Some (int_of_string index) with Failure _ -> return in
Some (of_string kind, source_index) List.rev_map kinds ~f:(fun kind -> (of_string kind, source_index))
else None ) else [] )
let get pname actuals tenv = let get pname actuals tenv =
@ -235,45 +235,50 @@ module SinkKind = struct
let external_sinks = let external_sinks =
List.filter_map List.filter_map
~f:(fun {QuandaryConfig.Sink.procedure; kind; index} -> ~f:(fun {QuandaryConfig.Sink.procedure; kinds; index} ->
parse_clang_procedure procedure kind index ) parse_clang_procedure procedure kinds index )
(QuandaryConfig.Sink.of_json Config.quandary_sinks) (QuandaryConfig.Sink.of_json Config.quandary_sinks)
(* taint the nth parameter (0-indexed) *) (* taint the nth parameter (0-indexed) *)
let taint_nth n kind actuals = let taint_nth n kinds actuals =
if n < List.length actuals then [(kind, IntSet.singleton n)] else [] if n < List.length actuals then
let indexes = IntSet.singleton n in
List.rev_map kinds ~f:(fun kind -> (kind, indexes))
else []
(* taint all parameters after the nth (exclusive) *) (* taint all parameters after the nth (exclusive) *)
let taint_after_nth n kind actuals = let taint_after_nth n kinds actuals =
match match
List.filter_mapi ~f:(fun actual_num _ -> Option.some_if (actual_num > n) actual_num) actuals List.filter_mapi ~f:(fun actual_num _ -> Option.some_if (actual_num > n) actual_num) actuals
with with
| [] -> | [] ->
[] []
| to_taint -> | to_taint ->
[(kind, IntSet.of_list to_taint)] let indexes = IntSet.of_list to_taint in
List.rev_map kinds ~f:(fun kind -> (kind, indexes))
let taint_all kind actuals = let taint_all kinds actuals =
[(kind, IntSet.of_list (List.mapi ~f:(fun actual_num _ -> actual_num) actuals))] let indexes = IntSet.of_list (List.mapi ~f:(fun actual_num _ -> actual_num) actuals) in
List.rev_map kinds ~f:(fun kind -> (kind, indexes))
(* return Some(sink kind) if [procedure_name] is in the list of externally specified sinks *) (* return Some(sink kinds) if [procedure_name] is in the list of externally specified sinks *)
let get_external_sink pname actuals = let get_external_sink pname actuals =
let qualified_pname = Typ.Procname.get_qualifiers pname in let qualified_pname = Typ.Procname.get_qualifiers pname in
List.find_map List.find_map
~f:(fun (qualifiers, kind, index) -> ~f:(fun (qualifiers, kinds, index) ->
if QualifiedCppName.Match.match_qualifiers qualifiers qualified_pname then if QualifiedCppName.Match.match_qualifiers qualifiers qualified_pname then
let kind = of_string kind in let kinds = List.rev_map ~f:of_string kinds in
try try
let n = int_of_string index in let n = int_of_string index in
let taint = taint_nth n kind actuals in let taint = taint_nth n kinds actuals in
Option.some_if (not (List.is_empty taint)) taint Option.some_if (not (List.is_empty taint)) taint
with Failure _ -> with Failure _ ->
(* couldn't parse the index, just taint everything *) (* couldn't parse the index, just taint everything *)
Some (taint_all kind actuals) Some (taint_all kinds actuals)
else None ) else None )
external_sinks external_sinks
|> Option.value ~default:[] |> Option.value ~default:[]
@ -301,24 +306,24 @@ module SinkKind = struct
with with
| ( ["std"; ("basic_fstream" | "basic_ifstream" | "basic_ofstream")] | ( ["std"; ("basic_fstream" | "basic_ifstream" | "basic_ofstream")]
, ("basic_fstream" | "basic_ifstream" | "basic_ofstream" | "open") ) -> , ("basic_fstream" | "basic_ifstream" | "basic_ofstream" | "open") ) ->
taint_nth 1 CreateFile actuals taint_nth 1 [CreateFile] actuals
| _, "operator[]" when Config.developer_mode && is_buffer_like pname -> | _, "operator[]" when Config.developer_mode && is_buffer_like pname ->
taint_nth 1 BufferAccess actuals taint_nth 1 [BufferAccess] actuals
| _ -> | _ ->
get_external_sink pname actuals ) get_external_sink pname actuals )
| Typ.Procname.C _ | Typ.Procname.C _
when String.is_substring ~substring:"SetCommandLineOption" (Typ.Procname.to_string pname) -> when String.is_substring ~substring:"SetCommandLineOption" (Typ.Procname.to_string pname) ->
taint_nth 1 EnvironmentChange actuals taint_nth 1 [EnvironmentChange] actuals
| Typ.Procname.C _ | Typ.Procname.C _
when Config.developer_mode && Typ.Procname.equal pname BuiltinDecl.__array_access -> when Config.developer_mode && Typ.Procname.equal pname BuiltinDecl.__array_access ->
taint_all BufferAccess actuals taint_all [BufferAccess] actuals
| Typ.Procname.C _ when Typ.Procname.equal pname BuiltinDecl.__set_array_length -> | Typ.Procname.C _ when Typ.Procname.equal pname BuiltinDecl.__set_array_length ->
(* called when creating a stack-allocated array *) (* called when creating a stack-allocated array *)
taint_nth 1 StackAllocation actuals taint_nth 1 [StackAllocation] actuals
| Typ.Procname.C _ -> ( | Typ.Procname.C _ -> (
match Typ.Procname.to_string pname with match Typ.Procname.to_string pname with
| "creat" | "fopen" | "freopen" | "open" -> | "creat" | "fopen" | "freopen" | "open" ->
taint_nth 0 CreateFile actuals taint_nth 0 [CreateFile] actuals
| "curl_easy_setopt" -> ( | "curl_easy_setopt" -> (
(* magic constant for setting request URL *) (* magic constant for setting request URL *)
let controls_request = function let controls_request = function
@ -335,31 +340,31 @@ module SinkKind = struct
(* check if the data kind might be CURLOPT_URL *) (* check if the data kind might be CURLOPT_URL *)
IntLit.to_int i IntLit.to_int i
|> Option.value_map ~default:[] ~f:(fun n -> |> Option.value_map ~default:[] ~f:(fun n ->
if controls_request n then taint_after_nth 1 URL actuals else [] ) if controls_request n then taint_after_nth 1 [URL] actuals else [] )
| _ -> | _ ->
(* can't statically resolve data kind; taint it just in case *) (* can't statically resolve data kind; taint it just in case *)
taint_after_nth 1 URL actuals ) taint_after_nth 1 [URL] actuals )
| None -> | None ->
[] ) [] )
| "execl" | "execlp" | "execle" | "execv" | "execve" | "execvp" | "system" -> | "execl" | "execlp" | "execle" | "execv" | "execve" | "execvp" | "system" ->
taint_all ShellExec actuals taint_all [ShellExec] actuals
| "openat" -> | "openat" ->
taint_nth 1 CreateFile actuals taint_nth 1 [CreateFile] actuals
| "popen" -> | "popen" ->
taint_nth 0 ShellExec actuals taint_nth 0 [ShellExec] actuals
| "putenv" -> | "putenv" ->
taint_nth 0 EnvironmentChange actuals taint_nth 0 [EnvironmentChange] actuals
| ("brk" | "calloc" | "malloc" | "realloc" | "sbrk") when Config.developer_mode -> | ("brk" | "calloc" | "malloc" | "realloc" | "sbrk") when Config.developer_mode ->
taint_all HeapAllocation actuals taint_all [HeapAllocation] actuals
| "rename" -> | "rename" ->
taint_all CreateFile actuals taint_all [CreateFile] actuals
| "strcpy" when Config.developer_mode -> | "strcpy" when Config.developer_mode ->
(* warn if source array is tainted *) (* warn if source array is tainted *)
taint_nth 1 BufferAccess actuals taint_nth 1 [BufferAccess] actuals
| ("memcpy" | "memmove" | "memset" | "strncpy" | "wmemcpy" | "wmemmove") | ("memcpy" | "memmove" | "memset" | "strncpy" | "wmemcpy" | "wmemmove")
when Config.developer_mode -> when Config.developer_mode ->
(* warn if count argument is tainted *) (* warn if count argument is tainted *)
taint_nth 2 BufferAccess actuals taint_nth 2 [BufferAccess] actuals
| _ -> | _ ->
get_external_sink pname actuals ) get_external_sink pname actuals )
| Typ.Procname.Block _ -> | Typ.Procname.Block _ ->

@ -42,7 +42,7 @@ module SourceKind = struct
let external_sources = let external_sources =
List.map List.map
~f:(fun {QuandaryConfig.Source.procedure; kind} -> (Str.regexp procedure, kind)) ~f:(fun {QuandaryConfig.Source.procedure; kinds} -> (Str.regexp procedure, kinds))
(QuandaryConfig.Source.of_json Config.quandary_sources) (QuandaryConfig.Source.of_json Config.quandary_sources)
@ -65,9 +65,10 @@ module SourceKind = struct
(* check the list of externally specified sources *) (* check the list of externally specified sources *)
let procedure = class_name ^ "." ^ method_name in let procedure = class_name ^ "." ^ method_name in
let sources = let sources =
List.filter_map external_sources ~f:(fun (procedure_regex, kind) -> List.concat_map external_sources ~f:(fun (procedure_regex, kinds) ->
if Str.string_match procedure_regex procedure 0 then Some (of_string kind, return) if Str.string_match procedure_regex procedure 0 then
else None ) List.rev_map kinds ~f:(fun kind -> (of_string kind, return))
else [] )
in in
Option.some_if (not (List.is_empty sources)) sources Option.some_if (not (List.is_empty sources)) sources
in in
@ -314,7 +315,7 @@ module SinkKind = struct
let external_sinks = let external_sinks =
List.map List.map
~f:(fun {QuandaryConfig.Sink.procedure; kind; index} -> (Str.regexp procedure, kind, index)) ~f:(fun {QuandaryConfig.Sink.procedure; kinds; index} -> (Str.regexp procedure, kinds, index))
(QuandaryConfig.Sink.of_json Config.quandary_sinks) (QuandaryConfig.Sink.of_json Config.quandary_sinks)
@ -323,7 +324,7 @@ module SinkKind = struct
| Typ.Procname.Java java_pname -> | Typ.Procname.Java java_pname ->
(* taint all the inputs of [pname]. for non-static procedures, taints the "this" parameter (* taint all the inputs of [pname]. for non-static procedures, taints the "this" parameter
only if [taint_this] is true. *) only if [taint_this] is true. *)
let taint_all ?(taint_this = false) kind = let taint_all ?(taint_this = false) kinds =
let actuals_to_taint, offset = let actuals_to_taint, offset =
if Typ.Procname.Java.is_static java_pname || taint_this then (actuals, 0) if Typ.Procname.Java.is_static java_pname || taint_this then (actuals, 0)
else (List.tl_exn actuals, 1) else (List.tl_exn actuals, 1)
@ -331,42 +332,48 @@ module SinkKind = struct
let indexes = let indexes =
IntSet.of_list (List.mapi ~f:(fun param_num _ -> param_num + offset) actuals_to_taint) IntSet.of_list (List.mapi ~f:(fun param_num _ -> param_num + offset) actuals_to_taint)
in in
Some [(kind, indexes)] Some (List.rev_map kinds ~f:(fun kind -> (kind, indexes)))
in in
(* taint the nth non-"this" parameter (0-indexed) *) (* taint the nth non-"this" parameter (0-indexed) *)
let taint_nth n kind = let taint_nth n kinds =
let first_index = if Typ.Procname.Java.is_static java_pname then n else n + 1 in let first_index = if Typ.Procname.Java.is_static java_pname then n else n + 1 in
if first_index < List.length actuals then Some [(kind, IntSet.singleton first_index)] if first_index < List.length actuals then
let first_index = IntSet.singleton first_index in
Some (List.rev_map kinds ~f:(fun kind -> (kind, first_index)))
else None else None
in in
let get_external_sink class_name method_name = let get_external_sink class_name method_name =
(* check the list of externally specified sinks *) (* check the list of externally specified sinks *)
let procedure = class_name ^ "." ^ method_name in let procedure = class_name ^ "." ^ method_name in
List.find_map let sinks =
~f:(fun (procedure_regex, kind, index) -> List.concat_map external_sinks ~f:(fun (procedure_regex, kinds, index) ->
if Str.string_match procedure_regex procedure 0 then if Str.string_match procedure_regex procedure 0 then
let kind = of_string kind in let kinds = List.rev_map ~f:of_string kinds in
try let taints =
let n = int_of_string index in try
taint_nth n kind let n = int_of_string index in
with Failure _ -> taint_nth n kinds
(* couldn't parse the index, just taint everything *) with Failure _ ->
taint_all kind (* couldn't parse the index, just taint everything *)
else None ) taint_all kinds
external_sinks in
Option.value taints ~default:[]
else [] )
in
Option.some_if (not (List.is_empty sinks)) sinks
in in
let method_name = Typ.Procname.Java.get_method java_pname in let method_name = Typ.Procname.Java.get_method java_pname in
let taint_matching_supertype typename = let taint_matching_supertype typename =
match (Typ.Name.name typename, method_name) with match (Typ.Name.name typename, method_name) with
| "android.app.Activity", ("startActivityFromChild" | "startActivityFromFragment") -> | "android.app.Activity", ("startActivityFromChild" | "startActivityFromFragment") ->
taint_nth 1 StartComponent taint_nth 1 [StartComponent]
| ( ( "android.app.Activity" | ( ( "android.app.Activity"
| "android.content.Context" | "android.content.Context"
| "android.support.v4.app.Fragment" ) | "android.support.v4.app.Fragment" )
, "startIntentSenderForResult" ) -> , "startIntentSenderForResult" ) ->
taint_nth 2 StartComponent taint_nth 2 [StartComponent]
| "android.app.Activity", "startIntentSenderFromChild" -> | "android.app.Activity", "startIntentSenderFromChild" ->
taint_nth 3 StartComponent taint_nth 3 [StartComponent]
| ( ( "android.app.Fragment" | ( ( "android.app.Fragment"
| "android.content.Context" | "android.content.Context"
| "android.support.v4.app.Fragment" ) | "android.support.v4.app.Fragment" )
@ -386,9 +393,9 @@ module SinkKind = struct
| "startNextMatchingActivity" | "startNextMatchingActivity"
| "startService" | "startService"
| "stopService" ) ) -> | "stopService" ) ) ->
taint_nth 0 StartComponent taint_nth 0 [StartComponent]
| "android.content.Context", "startIntentSender" -> | "android.content.Context", "startIntentSender" ->
taint_nth 1 StartComponent taint_nth 1 [StartComponent]
| ( "android.content.Intent" | ( "android.content.Intent"
, ( "parseUri" , ( "parseUri"
| "getIntent" | "getIntent"
@ -399,13 +406,13 @@ module SinkKind = struct
| "setDataAndType" | "setDataAndType"
| "setDataAndTypeAndNormalize" | "setDataAndTypeAndNormalize"
| "setPackage" ) ) -> | "setPackage" ) ) ->
taint_nth 0 CreateIntent taint_nth 0 [CreateIntent]
| "android.content.Intent", "setClassName" -> | "android.content.Intent", "setClassName" ->
taint_all CreateIntent taint_all [CreateIntent]
| "android.text.Html", "fromHtml" -> | "android.text.Html", "fromHtml" ->
taint_nth 0 HTML taint_nth 0 [HTML]
| "android.util.Log", ("e" | "println" | "w" | "wtf") -> | "android.util.Log", ("e" | "println" | "w" | "wtf") ->
taint_all Logging taint_all [Logging]
| ( "android.webkit.WebView" | ( "android.webkit.WebView"
, ( "evaluateJavascript" , ( "evaluateJavascript"
| "loadData" | "loadData"
@ -413,32 +420,32 @@ module SinkKind = struct
| "loadUrl" | "loadUrl"
| "postUrl" | "postUrl"
| "postWebMessage" ) ) -> | "postWebMessage" ) ) ->
taint_all JavaScript taint_all [JavaScript]
| "com.facebook.infer.builtins.InferTaint", "inferSensitiveSink" -> | "com.facebook.infer.builtins.InferTaint", "inferSensitiveSink" ->
taint_nth 0 Other taint_nth 0 [Other]
| "java.io.File", "<init>" | "java.io.File", "<init>"
| "java.nio.file.FileSystem", "getPath" | "java.nio.file.FileSystem", "getPath"
| "java.nio.file.Paths", "get" -> | "java.nio.file.Paths", "get" ->
taint_all CreateFile taint_all [CreateFile]
| "java.io.ObjectInputStream", "<init>" -> | "java.io.ObjectInputStream", "<init>" ->
taint_all Deserialization taint_all [Deserialization]
| "java.lang.Class", "forName" | "java.lang.ClassLoader", "loadClass" -> | "java.lang.Class", "forName" | "java.lang.ClassLoader", "loadClass" ->
taint_nth 0 ClassLoading taint_nth 0 [ClassLoading]
| "java.lang.ClassLoader", "defineClass" -> | "java.lang.ClassLoader", "defineClass" ->
taint_nth 1 ClassLoading taint_nth 1 [ClassLoading]
| "java.lang.ProcessBuilder", "<init>" -> | "java.lang.ProcessBuilder", "<init>" ->
taint_all ShellExec taint_all [ShellExec]
| "java.lang.ProcessBuilder", "command" -> | "java.lang.ProcessBuilder", "command" ->
taint_all ShellExec taint_all [ShellExec]
| "java.lang.Runtime", "exec" -> | "java.lang.Runtime", "exec" ->
taint_nth 0 ShellExec taint_nth 0 [ShellExec]
(* TODO: separate non-injection sinks for PreparedStatement's *) (* TODO: separate non-injection sinks for PreparedStatement's *)
| "java.sql.Statement", ("addBatch" | "execute") -> | "java.sql.Statement", ("addBatch" | "execute") ->
taint_nth 0 SQLInjection taint_nth 0 [SQLInjection]
| "java.sql.Statement", "executeQuery" -> | "java.sql.Statement", "executeQuery" ->
taint_nth 0 SQLRead taint_nth 0 [SQLRead]
| "java.sql.Statement", ("executeUpdate" | "executeLargeUpdate") -> | "java.sql.Statement", ("executeUpdate" | "executeLargeUpdate") ->
taint_nth 0 SQLWrite taint_nth 0 [SQLWrite]
| class_name, method_name -> | class_name, method_name ->
get_external_sink class_name method_name get_external_sink class_name method_name
in in

@ -9,19 +9,28 @@ open! IStd
(** utilities for importing JSON specifications of sources/sinks into Quandary *) (** utilities for importing JSON specifications of sources/sinks into Quandary *)
let get_kinds json =
let open Yojson.Basic in
match (Util.member "kinds" json, Util.member "kind" json) with
| `Null, kind ->
[Util.to_string kind]
| kinds, kind ->
(Util.to_string_option kind |> Option.to_list) @ Util.convert_each Util.to_string kinds
module Source = struct module Source = struct
type t = {procedure: string; kind: string; index: string} type t = {procedure: string; kinds: string list; index: string}
let of_json = function let of_json = function
| `List sources -> | `List sources ->
let parse_source json = let parse_source json =
let open Yojson.Basic in let open Yojson.Basic in
let procedure = Util.member "procedure" json |> Util.to_string in let procedure = Util.member "procedure" json |> Util.to_string in
let kind = Util.member "kind" json |> Util.to_string in let kinds = get_kinds json in
let index = let index =
Util.member "index" json |> Util.to_string_option |> Option.value ~default:"return" Util.member "index" json |> Util.to_string_option |> Option.value ~default:"return"
in in
{procedure; kind; index} {procedure; kinds; index}
in in
List.map ~f:parse_source sources List.map ~f:parse_source sources
| _ -> | _ ->
@ -29,18 +38,18 @@ module Source = struct
end end
module Sink = struct module Sink = struct
type t = {procedure: string; kind: string; index: string} type t = {procedure: string; kinds: string list; index: string}
let of_json = function let of_json = function
| `List sinks -> | `List sinks ->
let parse_sink json = let parse_sink json =
let open Yojson.Basic in let open Yojson.Basic in
let procedure = Util.member "procedure" json |> Util.to_string in let procedure = Util.member "procedure" json |> Util.to_string in
let kind = Util.member "kind" json |> Util.to_string in let kinds = get_kinds json in
let index = let index =
Util.member "index" json |> Util.to_string_option |> Option.value ~default:"all" Util.member "index" json |> Util.to_string_option |> Option.value ~default:"all"
in in
{procedure; kind; index} {procedure; kinds; index}
in in
List.map ~f:parse_sink sinks List.map ~f:parse_sink sinks
| _ -> | _ ->

@ -10,13 +10,13 @@ open! IStd
(** utilities for importing JSON specifications of sources/sinks into Quandary*) (** utilities for importing JSON specifications of sources/sinks into Quandary*)
module Source : sig module Source : sig
type t = {procedure: string; kind: string; index: string} type t = {procedure: string; kinds: string list; index: string}
val of_json : [> `List of Yojson.Basic.json list] -> t list val of_json : [> `List of Yojson.Basic.json list] -> t list
end end
module Sink : sig module Sink : sig
type t = {procedure: string; kind: string; index: string} type t = {procedure: string; kinds: string list; index: string}
val of_json : [> `List of Yojson.Basic.json list] -> t list val of_json : [> `List of Yojson.Basic.json list] -> t list
end end

@ -7,7 +7,7 @@
}, },
{ {
"procedure": "codetoanalyze.java.quandary.InterfaceSpec.source", "procedure": "codetoanalyze.java.quandary.InterfaceSpec.source",
"kind": "PrivateData" "kinds": ["PrivateData", "Other"]
} }
], ],
"quandary-sinks": [ "quandary-sinks": [

@ -47,11 +47,16 @@ codetoanalyze/java/quandary/Exceptions.java, codetoanalyze.java.quandary.Excepti
codetoanalyze/java/quandary/Exceptions.java, codetoanalyze.java.quandary.Exceptions.sinkInFinallyBad3():void, 7, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0] codetoanalyze/java/quandary/Exceptions.java, codetoanalyze.java.quandary.Exceptions.sinkInFinallyBad3():void, 7, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]
codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ConstructorSink.constructorSinkBad():codetoanalyze.java.quandary.ConstructorSink, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to ConstructorSink.<init>(Object) with tainted index 1] codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ConstructorSink.constructorSinkBad():codetoanalyze.java.quandary.ConstructorSink, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to ConstructorSink.<init>(Object) with tainted index 1]
codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.callExternalSink2Bad1():void, 1, LOGGING_PRIVATE_DATA, no_bucket, ERROR, [Return from Object ExternalSpecs.privateDataSource(),Call to void ExternalSpecs.loggingSink2(Object,Object) with tainted index 0] codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.callExternalSink2Bad1():void, 1, LOGGING_PRIVATE_DATA, no_bucket, ERROR, [Return from Object ExternalSpecs.privateDataSource(),Call to void ExternalSpecs.loggingSink2(Object,Object) with tainted index 0]
codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.callExternalSink2Bad1():void, 1, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object ExternalSpecs.privateDataSource(),Call to void ExternalSpecs.loggingSink2(Object,Object) with tainted index 0]
codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.callExternalSink2Bad2():void, 1, LOGGING_PRIVATE_DATA, no_bucket, ERROR, [Return from Object ExternalSpecs.privateDataSource(),Call to void ExternalSpecs.loggingSink2(Object,Object) with tainted index 1] codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.callExternalSink2Bad2():void, 1, LOGGING_PRIVATE_DATA, no_bucket, ERROR, [Return from Object ExternalSpecs.privateDataSource(),Call to void ExternalSpecs.loggingSink2(Object,Object) with tainted index 1]
codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.callExternalSink2Bad2():void, 1, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object ExternalSpecs.privateDataSource(),Call to void ExternalSpecs.loggingSink2(Object,Object) with tainted index 1]
codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.callExternalSinkBad():void, 1, LOGGING_PRIVATE_DATA, no_bucket, ERROR, [Return from Object ExternalSpecs.privateDataSource(),Call to void ExternalSpecs.loggingSink1(Object,Object) with tainted index 1] codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.callExternalSinkBad():void, 1, LOGGING_PRIVATE_DATA, no_bucket, ERROR, [Return from Object ExternalSpecs.privateDataSource(),Call to void ExternalSpecs.loggingSink1(Object,Object) with tainted index 1]
codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.callExternalSinkBad():void, 1, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object ExternalSpecs.privateDataSource(),Call to void ExternalSpecs.loggingSink1(Object,Object) with tainted index 1]
codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.callSinkThatPropagatesBad():void, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Object ExternalSpecs.sinkThatPropagates(Object) with tainted index 0] codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.callSinkThatPropagatesBad():void, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Object ExternalSpecs.sinkThatPropagates(Object) with tainted index 0]
codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.callSinkThatPropagatesBad():void, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void ExternalSpecs.loggingSink1(Object,Object) with tainted index 1] codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.callSinkThatPropagatesBad():void, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void ExternalSpecs.loggingSink1(Object,Object) with tainted index 1]
codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.externalSourceAsIntentOk(android.app.Activity):void, 1, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object ExternalSpecs.privateDataSource(),Call to void Activity.startActivity(Intent) with tainted index 1]
codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.logExternalSourceBad():void, 1, LOGGING_PRIVATE_DATA, no_bucket, ERROR, [Return from Object ExternalSpecs.privateDataSource(),Call to int Log.e(String,String) with tainted index 1] codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.logExternalSourceBad():void, 1, LOGGING_PRIVATE_DATA, no_bucket, ERROR, [Return from Object ExternalSpecs.privateDataSource(),Call to int Log.e(String,String) with tainted index 1]
codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.logExternalSourceBad():void, 1, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object ExternalSpecs.privateDataSource(),Call to int Log.e(String,String) with tainted index 1]
codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.missedSanitizerBad():java.lang.Object, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0] codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.ExternalSpecs.missedSanitizerBad():java.lang.Object, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]
codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.InterfaceSpecImpl.externalSpecBad():void, 1, LOGGING_PRIVATE_DATA, no_bucket, ERROR, [Return from Object InterfaceSpecImpl.source(),Call to void InterfaceSpecImpl.sink(Object) with tainted index 1] codetoanalyze/java/quandary/ExternalSpecs.java, codetoanalyze.java.quandary.InterfaceSpecImpl.externalSpecBad():void, 1, LOGGING_PRIVATE_DATA, no_bucket, ERROR, [Return from Object InterfaceSpecImpl.source(),Call to void InterfaceSpecImpl.sink(Object) with tainted index 1]
codetoanalyze/java/quandary/Fields.java, codetoanalyze.java.quandary.Fields.instanceFieldBad():void, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0] codetoanalyze/java/quandary/Fields.java, codetoanalyze.java.quandary.Fields.instanceFieldBad():void, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]

Loading…
Cancel
Save