From dfd725d46c5748639188cf98d968b1c491404785 Mon Sep 17 00:00:00 2001
From: Mehdi Bouaziz
Date: Tue, 18 Dec 2018 04:42:38 -0800
Subject: [PATCH] [quandary] Also use summary for direct sources
Reviewed By: ngorogiannis
Differential Revision: D13488414
fbshipit-source-id: fcf2947cf
---
 infer/src/quandary/TaintAnalysis.ml | 53 +++++++++----------
 .../codetoanalyze/java/quandary/issues.exp | 2 +
 2 files changed, 27 insertions(+), 28 deletions(-)
diff --git a/infer/src/quandary/TaintAnalysis.ml b/infer/src/quandary/TaintAnalysis.ml
index 189034b2e..445ee8bdd 100644
--- a/infer/src/quandary/TaintAnalysis.ml
+++ b/infer/src/quandary/TaintAnalysis.ml
@@ -644,35 +644,32 @@ module Make (TaintSpecification : TaintSpec.S) = struct
List.fold sinks ~init:astate ~f:(fun astate sink ->
add_sink sink actuals astate proc_data call_site )
in
- let astate_with_summary =
+ let astate_with_direct_sources =
let sources = TraceDomain.Source.get call_site actuals proc_data.tenv in
- match sources with
- | _ :: _ ->
- (* don't use a summary for a procedure that is a direct source *)
- List.fold sources ~init:astate_with_sink
- ~f:(fun astate {TraceDomain.Source.source; index} ->
- match index with
- | None ->
- Option.value_map dummy_ret_opt ~default:astate ~f:(fun ret_base ->
- add_return_source source ret_base astate )
- | Some index ->
- add_actual_source source index actuals astate_with_sink proc_data )
- | [] -> (
- match Payload.read proc_data.pdesc callee_pname with
- | None ->
- handle_unknown_call callee_pname astate_with_sink
- | Some summary -> (
- let ret_typ = snd ret_ap in
- let access_tree = TaintSpecification.of_summary_access_tree summary in
- match
- TaintSpecification.get_model callee_pname ret_typ actuals proc_data.tenv
- access_tree
- with
- | Some model ->
- handle_model callee_pname astate_with_sink model
- | None ->
- apply_summary dummy_ret_opt actuals access_tree astate_with_sink proc_data
- call_site ) )
+ List.fold sources ~init:astate_with_sink
+ ~f:(fun astate {TraceDomain.Source.source; index} ->
+ match index with
+ | None ->
+ Option.value_map dummy_ret_opt ~default:astate ~f:(fun ret_base ->
+ add_return_source source ret_base astate )
+ | Some index ->
+ add_actual_source source index actuals astate_with_sink proc_data )
+ in
+ let astate_with_summary =
+ match Payload.read proc_data.pdesc callee_pname with
+ | None ->
+ handle_unknown_call callee_pname astate_with_direct_sources
+ | Some summary -> (
+ let ret_typ = snd ret_ap in
+ let access_tree = TaintSpecification.of_summary_access_tree summary in
+ match
+ TaintSpecification.get_model callee_pname ret_typ actuals proc_data.tenv
access_tree
+ with
+ | Some model ->
+ handle_model callee_pname astate_with_direct_sources model
+ | None ->
+ apply_summary dummy_ret_opt actuals access_tree astate_with_direct_sources
+ proc_data call_site )
in
let astate_with_sanitizer =
match dummy_ret_opt with
diff --git a/infer/tests/codetoanalyze/java/quandary/issues.exp b/infer/tests/codetoanalyze/java/quandary/issues.exp
index 4aa4646a0..32c29ecfe 100644
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
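Review bot: In the `Some index ->` branch of the fold that builds `astate_with_direct_sources`, `add_actual_source source index actuals astate_with_sink proc_data` starts from the pre-fold state rather than the accumulator, so when a callee has several direct sources the taint recorded for earlier ones (which the `None ->` branch does thread through `astate`) is dropped; unless add_actual_source deliberately restarts from the sink state, this should read `add_actual_source source index actuals astate proc_data )`. This is carried over from the removed code rather than introduced here, but the refactor is the natural place to fix it. The removed comment explained why summaries were skipped for direct sources; now that the summary or model is applied on top of `astate_with_direct_sources`, a short comment such as `(* record direct sources first, then apply the callee's summary or model on top so flows through a source procedure are not lost *)` would preserve the reasoning, and the two new QUANDARY_TAINT_ERROR lines in issues.exp are the flows the old early return missed. The enclosing function starts before and ends after this hunk.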
@@ -99,7 +99,9 @@ codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.ca
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.callAllIntentSinks():void, 11, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setDataAndType(Uri,String) with tainted index 1]
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.callAllIntentSinks():void, 12, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setDataAndTypeAndNormalize(Uri,String) with tainted index 1]
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.callAllIntentSinks():void, 13, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setPackage(String) with tainted index 1]
+codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.extraToDataBad():void, 5, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setData(Uri) with tainted index 1]
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.extraToDataBad():void, 5, UNTRUSTED_INTENT_CREATION, no_bucket, ERROR, [Return from String Intent.getStringExtra(String),Call to Intent Intent.setData(Uri) with tainted index 1]
+codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.extraToDataBad():void, 7, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setData(Uri) with tainted index 1]
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.extraToDataBad():void, 7, UNTRUSTED_INTENT_CREATION, no_bucket, ERROR, [Return from String Intent.getStringExtra(String),Call to Intent Intent.setData(Uri) with tainted index 1]
codetoanalyze/java/quandary/Intents.java, 
codetoanalyze.java.quandary.Intents.startWithUri1Bad(android.net.Uri):void, 1, CREATE_INTENT_FROM_URI, no_bucket, ERROR, [Return from Intent.(String,Uri),Call to void Activity.startActivity(Intent) with tainted index 1]
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.startWithUri2Bad(android.net.Uri):void, 1, CREATE_INTENT_FROM_URI, no_bucket, ERROR, [Return from Intent.(String,Uri,Context,Class),Call to void Activity.startActivity(Intent) with tainted index 1]