From aabf8aec55d68e91cf724ad56fc8e49ba514fb5a Mon Sep 17 00:00:00 2001 From: Sam Blackshear Date: Fri, 23 Mar 2018 10:24:48 -0700 Subject: [PATCH] [quandary] use `_risk` warning types for endpoint sources in Java Summary: Matching what we do on the C++ side. Reviewed By: jeremydubreil Differential Revision: D7374902 fbshipit-source-id: 7b25e6d --- infer/src/quandary/JavaTrace.ml | 9 +++++++-- infer/tests/codetoanalyze/java/quandary/issues.exp | 4 ++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/infer/src/quandary/JavaTrace.ml b/infer/src/quandary/JavaTrace.ml index 191dd2df9..50908b60e 100644 --- a/infer/src/quandary/JavaTrace.ml +++ b/infer/src/quandary/JavaTrace.ml @@ -496,9 +496,12 @@ include Trace.Make (struct | (Endpoint _ | Intent | UserControlledString | UserControlledURI), CreateIntent -> (* creating Intent from user-congrolled data *) Some IssueType.untrusted_intent_creation - | (Endpoint _ | Intent | IntentFromURI | UserControlledString | UserControlledURI), CreateFile -> + | (Intent | IntentFromURI | UserControlledString | UserControlledURI), CreateFile -> (* user-controlled file creation; may be vulnerable to path traversal + more *) Some IssueType.untrusted_file + | Endpoint _, CreateFile -> + (* user-controlled file creation; may be vulnerable to path traversal + more *) + Some IssueType.untrusted_file_risk | ( (Endpoint _ | Intent | IntentFromURI | UserControlledString | UserControlledURI) , Deserialization ) -> (* shouldn't let anyone external control what we deserialize *) @@ -518,8 +521,10 @@ include Trace.Make (struct Some IssueType.create_intent_from_uri | PrivateData, Logging -> Some IssueType.logging_private_data - | (Endpoint _ | Intent | UserControlledString | UserControlledURI), ShellExec -> + | (Intent | UserControlledString | UserControlledURI), ShellExec -> Some IssueType.shell_injection + | Endpoint _, ShellExec -> + Some IssueType.shell_injection_risk | Other, _ | _, Other -> (* for testing purposes, Other matches everything *) Some IssueType.quandary_taint_error diff --git a/infer/tests/codetoanalyze/java/quandary/issues.exp b/infer/tests/codetoanalyze/java/quandary/issues.exp index c37c58351..60a7422d0 100644 --- a/infer/tests/codetoanalyze/java/quandary/issues.exp +++ b/infer/tests/codetoanalyze/java/quandary/issues.exp @@ -176,8 +176,8 @@ codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.log codetoanalyze/java/quandary/Recursion.java, void Recursion.callSinkThenDivergeBad(), 1, QUANDARY_TAINT_ERROR, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Recursion.callSinkThenDiverge(Object) with tainted index 0,Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0] codetoanalyze/java/quandary/Recursion.java, void Recursion.safeRecursionCallSinkBad(), 1, QUANDARY_TAINT_ERROR, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Recursion.safeRecursionCallSink(int,Object) with tainted index 0,Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0] codetoanalyze/java/quandary/Serialization.java, Object Serialization.taintedObjectInputStreamBad(), 2, QUANDARY_TAINT_ERROR, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to ObjectInputStream.(InputStream) with tainted index 1] -codetoanalyze/java/quandary/Services.java, void Implementer.interfaceServiceMethodBad(String), 1, SHELL_INJECTION, ERROR, [Return from void Implementer.interfaceServiceMethodBad(String),Call to Process Runtime.exec(String) with tainted index 1] -codetoanalyze/java/quandary/Services.java, void Service1.serviceMethodBad(String), 1, SHELL_INJECTION, ERROR, [Return from void Service1.serviceMethodBad(String),Call to Process Runtime.exec(String) with tainted index 1] +codetoanalyze/java/quandary/Services.java, void Implementer.interfaceServiceMethodBad(String), 1, SHELL_INJECTION_RISK, ERROR, [Return from void Implementer.interfaceServiceMethodBad(String),Call to Process Runtime.exec(String) with tainted index 1] +codetoanalyze/java/quandary/Services.java, void Service1.serviceMethodBad(String), 1, SHELL_INJECTION_RISK, ERROR, [Return from void Service1.serviceMethodBad(String),Call to Process Runtime.exec(String) with tainted index 1] codetoanalyze/java/quandary/Strings.java, void Strings.viaFormatterBad(), 3, QUANDARY_TAINT_ERROR, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0] codetoanalyze/java/quandary/Strings.java, void Strings.viaFormatterIgnoreReturnBad(), 4, QUANDARY_TAINT_ERROR, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0] codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBufferBad(), 3, QUANDARY_TAINT_ERROR, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]