[quandary] Also use summary for direct sources

Reviewed By: ngorogiannis Differential Revision: D13488414 fbshipit-source-id: fcf2947cf
6 years ago · dfd725d46c
parent 9868f7f763
commit dfd725d46c
2 changed files with 27 additions and 28 deletions
--- a/infer/src/quandary/TaintAnalysis.ml
+++ b/infer/src/quandary/TaintAnalysis.ml
@ -644,35 +644,32 @@ module Make (TaintSpecification : TaintSpec.S) = struct
          List.fold sinks ~init:astate ~f:(fun astate sink ->
              add_sink sink actuals astate proc_data call_site )
      in
-      let astate_with_summary =
+      let astate_with_direct_sources =
        let sources = TraceDomain.Source.get call_site actuals proc_data.tenv in
-        match sources with
+        List.fold sources ~init:astate_with_sink
-        | _ :: _ ->
+          ~f:(fun astate {TraceDomain.Source.source; index} ->
-            (* don't use a summary for a procedure that is a direct source *)
+            match index with
-            List.fold sources ~init:astate_with_sink
+            | None ->
-              ~f:(fun astate {TraceDomain.Source.source; index} ->
+                Option.value_map dummy_ret_opt ~default:astate ~f:(fun ret_base ->
-                match index with
+                    add_return_source source ret_base astate )
-                | None ->
+            | Some index ->
-                    Option.value_map dummy_ret_opt ~default:astate ~f:(fun ret_base ->
+                add_actual_source source index actuals astate_with_sink proc_data )
-                        add_return_source source ret_base astate )
+      in
-                | Some index ->
+      let astate_with_summary =
-                    add_actual_source source index actuals astate_with_sink proc_data )
+        match Payload.read proc_data.pdesc callee_pname with
-        | [] -> (
+        | None ->
-          match Payload.read proc_data.pdesc callee_pname with
+            handle_unknown_call callee_pname astate_with_direct_sources
-          | None ->
+        | Some summary -> (
-              handle_unknown_call callee_pname astate_with_sink
+            let ret_typ = snd ret_ap in
-          | Some summary -> (
+            let access_tree = TaintSpecification.of_summary_access_tree summary in
-              let ret_typ = snd ret_ap in
+            match
-              let access_tree = TaintSpecification.of_summary_access_tree summary in
+              TaintSpecification.get_model callee_pname ret_typ actuals proc_data.tenv access_tree
-              match
+            with
-                TaintSpecification.get_model callee_pname ret_typ actuals proc_data.tenv
+            | Some model ->
-                  access_tree
+                handle_model callee_pname astate_with_direct_sources model
-              with
+            | None ->
-              | Some model ->
+                apply_summary dummy_ret_opt actuals access_tree astate_with_direct_sources
-                  handle_model callee_pname astate_with_sink model
+                  proc_data call_site )
              | None ->
                  apply_summary dummy_ret_opt actuals access_tree astate_with_sink proc_data
                    call_site ) )
      in
      let astate_with_sanitizer =
        match dummy_ret_opt with
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
@ -99,7 +99,9 @@ codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.ca
 codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.callAllIntentSinks():void, 11, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setDataAndType(Uri,String) with tainted index 1]
 codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.callAllIntentSinks():void, 12, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setDataAndTypeAndNormalize(Uri,String) with tainted index 1]
 codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.callAllIntentSinks():void, 13, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setPackage(String) with tainted index 1]
 codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.extraToDataBad():void, 5, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setData(Uri) with tainted index 1]
 codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.extraToDataBad():void, 5, UNTRUSTED_INTENT_CREATION, no_bucket, ERROR, [Return from String Intent.getStringExtra(String),Call to Intent Intent.setData(Uri) with tainted index 1]
 codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.extraToDataBad():void, 7, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setData(Uri) with tainted index 1]
 codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.extraToDataBad():void, 7, UNTRUSTED_INTENT_CREATION, no_bucket, ERROR, [Return from String Intent.getStringExtra(String),Call to Intent Intent.setData(Uri) with tainted index 1]
 codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.startWithUri1Bad(android.net.Uri):void, 1, CREATE_INTENT_FROM_URI, no_bucket, ERROR, [Return from Intent.<init>(String,Uri),Call to void Activity.startActivity(Intent) with tainted index 1]
 codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.startWithUri2Bad(android.net.Uri):void, 1, CREATE_INTENT_FROM_URI, no_bucket, ERROR, [Return from Intent.<init>(String,Uri,Context,Class),Call to void Activity.startActivity(Intent) with tainted index 1]