[quandary] curl function for setting URL as sink

Reviewed By: the-st0rm

Differential Revision: D6485858

fbshipit-source-id: fd38654

infer/src/base/IssueType.ml

@@ -329,6 +329,8 @@ let unsafe_guarded_by_access = from_string "UNSAFE_GUARDED_BY_ACCESS"
 
 let use_after_free = from_string "USE_AFTER_FREE"
 
+let user_controlled_sql_risk = from_string "USER_CONTROLLED_SQL_RISK"
+
 let untrusted_deserialization = from_string "UNTRUSTED_DESERIALIZATION"
 
 let untrusted_file = from_string "UNTRUSTED_FILE"
@@ -337,8 +339,10 @@ let untrusted_file_risk = from_string "UNTRUSTED_FILE_RISK"
 
 let untrusted_intent_creation = from_string "UNTRUSTED_INTENT_CREATION"
 
-let untrusted_variable_length_array = from_string "UNTRUSTED_VARIABLE_LENGTH_ARRAY"
+let untrusted_url = from_string "UNTRUSTED_URL"
 
-let user_controlled_sql_risk = from_string "USER_CONTROLLED_SQL_RISK"
+let untrusted_url_risk = from_string "UNTRUSTED_URL_RISK"
+
+let untrusted_variable_length_array = from_string "UNTRUSTED_VARIABLE_LENGTH_ARRAY"
 
 let wrong_argument_number = from_string "Wrong_argument_number" ~hum:"Wrong Argument Number"

infer/src/base/IssueType.mli

@@ -238,8 +238,6 @@ val unsafe_guarded_by_access : t
 
 val use_after_free : t
 
-val user_controlled_sql_risk : t
-
 val untrusted_deserialization : t
 
 val untrusted_file : t
@@ -248,6 +246,12 @@ val untrusted_file_risk : t
 
 val untrusted_intent_creation : t
 
+val untrusted_url : t
+
+val untrusted_url_risk : t
+
 val untrusted_variable_length_array : t
 
+val user_controlled_sql_risk : t
+
 val wrong_argument_number : t

infer/src/quandary/ClangTrace.ml

@@ -177,6 +177,7 @@ module SinkKind = struct
     | BufferAccess  (** read/write an array *)
     | CreateFile  (** create/open a file *)
     | HeapAllocation  (** heap memory allocation *)
+    | Network  (** network access *)
     | ShellExec  (** shell exec function *)
     | SQL  (** SQL query *)
     | StackAllocation  (** stack memory allocation *)
@@ -192,6 +193,8 @@ module SinkKind = struct
         CreateFile
     | "HeapAllocation" ->
         HeapAllocation
+    | "Network" ->
+        Network
     | "ShellExec" ->
         ShellExec
     | "SQL" ->
@@ -214,6 +217,17 @@ module SinkKind = struct
     if n < List.length actuals then Some (kind, IntSet.singleton n) else None
 
 
+  (* taint all parameters after the nth (exclusive) *)
+  let taint_after_nth n kind actuals =
+    match
+      List.filter_mapi ~f:(fun actual_num _ -> Option.some_if (actual_num > n) actual_num) actuals
+    with
+    | [] ->
+        None
+    | to_taint ->
+        Some (kind, IntSet.of_list to_taint)
+
+
   let taint_all kind actuals =
     Some (kind, IntSet.of_list (List.mapi ~f:(fun actual_num _ -> actual_num) actuals))
 
@@ -272,6 +286,9 @@ module SinkKind = struct
       match Typ.Procname.to_string pname with
       | "creat" | "fopen" | "freopen" | "open" ->
           taint_nth 0 CreateFile actuals
+      | "curl_easy_setopt" ->
+          (* first two actuals are curl object + a constant *)
+          taint_after_nth 1 Network actuals
       | "execl" | "execlp" | "execle" | "execv" | "execve" | "execvp" | "system" ->
           taint_all ShellExec actuals
       | "openat" ->
@@ -311,6 +328,8 @@ module SinkKind = struct
           "CreateFile"
       | HeapAllocation ->
           "HeapAllocation"
+      | Network ->
+          "Network"
       | ShellExec ->
           "ShellExec"
       | SQL ->
@@ -380,6 +399,12 @@ include Trace.Make (struct
         Option.some_if (is_injection_possible ~typ sanitizers) IssueType.untrusted_file
     | Endpoint (_, typ), CreateFile ->
         Option.some_if (is_injection_possible ~typ sanitizers) IssueType.untrusted_file_risk
+    | UserControlledEndpoint (_, typ), Network ->
+        Option.some_if (is_injection_possible ~typ sanitizers) IssueType.untrusted_url
+    | Endpoint (_, typ), Network ->
+        Option.some_if (is_injection_possible ~typ sanitizers) IssueType.untrusted_url_risk
+    | (CommandLineFlag _ | EnvironmentVariable | ReadFile), Network ->
+        None
     | UserControlledEndpoint (_, typ), SQL ->
         if is_injection_possible ~typ sanitizers then Some IssueType.sql_injection
         else

infer/tests/codetoanalyze/cpp/quandary/endpoints.cpp

@@ -15,6 +15,8 @@ extern void __infer_sql_sink(std::string);
 extern std::string __infer_all_sanitizer(std::string);
 extern std::string __infer_string_sanitizer(std::string);
 
+extern void curl_easy_setopt(void*, int, ...);
+
 namespace facebook {
 namespace fb303 {
 namespace cpp2 {
@@ -102,6 +104,12 @@ class Service1 : facebook::fb303::cpp2::FacebookServiceSvIf {
     file2.open(filename);
   }
 
+  const int CURLOPT_URL = 10002;
+
+  void endpoint_to_curl_url_bad(request formal) {
+    curl_easy_setopt(nullptr, CURLOPT_URL, formal.s.c_str());
+  }
+
   void FP_service1_endpoint_struct_int_field_ok(request formal) {
     system(std::to_string(formal.i).c_str());
   }

infer/tests/codetoanalyze/cpp/quandary/issues.exp

@@ -37,6 +37,7 @@ codetoanalyze/cpp/quandary/basics.cpp, basics::via_field_bad2, 2, QUANDARY_TAINT
 codetoanalyze/cpp/quandary/basics.cpp, basics::via_passthrough_bad1, 4, QUANDARY_TAINT_ERROR, [Return from basics::Obj_string_source,Call to basics::Obj_string_sink]
 codetoanalyze/cpp/quandary/basics.cpp, basics::via_passthrough_bad2, 3, QUANDARY_TAINT_ERROR, [Return from basics::Obj_string_source,Call to basics::Obj_string_sink]
 codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_FP_service1_endpoint_struct_int_field_ok, 1, REMOTE_CODE_EXECUTION_RISK, [Return from endpoints::Service1_FP_service1_endpoint_struct_int_field_ok,Call to system]
+codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_endpoint_to_curl_url_bad, 1, UNTRUSTED_URL_RISK, [Return from endpoints::Service1_endpoint_to_curl_url_bad,Call to curl_easy_setopt]
 codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_fstream_open_file_bad, 1, UNTRUSTED_FILE_RISK, [Return from endpoints::Service1_fstream_open_file_bad,Call to std::basic_fstream<char,std::char_traits<char>>_basic_fstream]
 codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_fstream_open_file_bad, 3, UNTRUSTED_FILE_RISK, [Return from endpoints::Service1_fstream_open_file_bad,Call to std::basic_fstream<char,std::char_traits<char>>_open]
 codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_ifstream_open_file_bad, 1, UNTRUSTED_FILE_RISK, [Return from endpoints::Service1_ifstream_open_file_bad,Call to std::basic_ifstream<char,std::char_traits<char>>_basic_ifstream]