[quandary] for instance methods with no return value, propagate the taint to the receiver

Summary:
If we have code like
```
o.setF(source())
sink(o)
```

and `setF` is an unknown method, we probably want to report.

Reviewed By: jeremydubreil, mburman

Differential Revision: D4438896

fbshipit-source-id: 5edd204
Sam Blackshear 8 years ago committed by Facebook Github Bot
parent b9694ef086
commit c19bee7772

@ -36,9 +36,12 @@ include
Some _
when not (Procname.java_is_static pname) ->
[TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]
| _, _, (Some Typ.Tvoid | None) when not (Procname.java_is_static pname) ->
(* for instance methods with no return value, propagate the taint to the receiver *)
[TaintSpec.Propagate_to_receiver]
| _, _, Some _ ->
[TaintSpec.Propagate_to_return]
| _ ->
| _, _, None ->
[]
end
| pname when BuiltinDecl.is_declared pname ->
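Review bot: The new void arm keeps its `when not (Procname.java_is_static pname)` guard, so a static method whose return type is `Some Typ.Tvoid` still falls through to the `| _, _, Some _ -> [TaintSpec.Propagate_to_return]` arm below it, propagating taint to a return value that does not exist. That is the same outcome as before the commit, so nothing regresses, but now that void is matched explicitly it would read more honestly as one arm for all void methods, e.g. `| _, _, Some Typ.Tvoid -> if Procname.java_is_static pname then [] else [TaintSpec.Propagate_to_receiver]`, leaving `Some _` for methods that actually return something. The match scrutinee and the first two tuple components of the arm at the top of the hunk are outside the hunk, so whether an earlier arm already intercepts static void calls cannot be confirmed from here.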

@ -11,6 +11,9 @@ package codetoanalyze.java.quandary;
import com.facebook.infer.builtins.InferTaint;
import android.content.Intent;
import android.os.Parcel;
/** testing how the analysis handles missing/unknown code */
public abstract class UnknownCode {
@ -43,6 +46,13 @@ public abstract class UnknownCode {
InferTaint.inferSensitiveSink(launderedSource3);
}
void callUnknownSetterBad(Intent i) {
Object source = InferTaint.inferSecretSource();
// we don't analyze the source code for Android, so this will be unknown
i.writeToParcel((Parcel) source, 0);
InferTaint.inferSensitiveSink(i);
}
static void FN_propagateViaInterfaceCodeBad(Interface i) {
Object source = InferTaint.inferSecretSource();
Object launderedSource = i.interfaceMethod(source);
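Review bot: The comment in `callUnknownSetterBad` explains why `writeToParcel` is unknown but not what the test expects the analysis to do with that, which is the point of the test; extending it to `// unknown void instance call: taint should flow from the argument to the receiver i, so the sink below must report` would make the expected report self-explanatory. The method name also says "Setter" while the call is `writeToParcel`; if the name is meant to describe the propagation pattern rather than the callee, a name such as `callUnknownVoidInstanceMethodBad` would match the semantics in the commit title. The `(Parcel) source` cast would fail at runtime, but since this file is only analyzed and never executed that is presumably acceptable here.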

@ -175,6 +175,7 @@ codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedCont
codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedContextBad(String,Boolean,Integer), 2, QUANDARY_TAINT_ERROR, [return from void TaintedFormals.taintedContextBad(String,Boolean,Integer),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedContextBad(String,Boolean,Integer), 3, QUANDARY_TAINT_ERROR, [return from void TaintedFormals.taintedContextBad(String,Boolean,Integer),call to void TaintedFormals.callSink(Object),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedContextBad(String,Boolean,Integer), 4, QUANDARY_TAINT_ERROR, [return from void TaintedFormals.taintedContextBad(String,Boolean,Integer),call to void TaintedFormals.callSink(Object),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.callUnknownSetterBad(Intent), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownConstructorBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/WebViews.java, void WebViews.callWebviewChromeClientSinks(WebView,WebChromeClient), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean WebChromeClient.onJsAlert(WebView,String,String,JsResult)]
codetoanalyze/java/quandary/WebViews.java, void WebViews.callWebviewChromeClientSinks(WebView,WebChromeClient), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean WebChromeClient.onJsBeforeUnload(WebView,String,String,JsResult)]
