[quandary] Also use summary for direct sources

Reviewed By: ngorogiannis

Differential Revision: D13488414

fbshipit-source-id: fcf2947cf
master
Mehdi Bouaziz 6 years ago committed by Facebook Github Bot
parent 9868f7f763
commit dfd725d46c

@ -644,11 +644,8 @@ module Make (TaintSpecification : TaintSpec.S) = struct
List.fold sinks ~init:astate ~f:(fun astate sink ->
add_sink sink actuals astate proc_data call_site )
in
let astate_with_summary =
let astate_with_direct_sources =
let sources = TraceDomain.Source.get call_site actuals proc_data.tenv in
match sources with
| _ :: _ ->
(* don't use a summary for a procedure that is a direct source *)
List.fold sources ~init:astate_with_sink
~f:(fun astate {TraceDomain.Source.source; index} ->
match index with
@ -657,22 +654,22 @@ module Make (TaintSpecification : TaintSpec.S) = struct
add_return_source source ret_base astate )
| Some index ->
add_actual_source source index actuals astate_with_sink proc_data )
| [] -> (
in
let astate_with_summary =
match Payload.read proc_data.pdesc callee_pname with
| None ->
handle_unknown_call callee_pname astate_with_sink
handle_unknown_call callee_pname astate_with_direct_sources
| Some summary -> (
let ret_typ = snd ret_ap in
let access_tree = TaintSpecification.of_summary_access_tree summary in
match
TaintSpecification.get_model callee_pname ret_typ actuals proc_data.tenv
access_tree
TaintSpecification.get_model callee_pname ret_typ actuals proc_data.tenv access_tree
with
| Some model ->
handle_model callee_pname astate_with_sink model
handle_model callee_pname astate_with_direct_sources model
| None ->
apply_summary dummy_ret_opt actuals access_tree astate_with_sink proc_data
call_site ) )
apply_summary dummy_ret_opt actuals access_tree astate_with_direct_sources
proc_data call_site )
in
let astate_with_sanitizer =
match dummy_ret_opt with

@ -99,7 +99,9 @@ codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.ca
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.callAllIntentSinks():void, 11, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setDataAndType(Uri,String) with tainted index 1]
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.callAllIntentSinks():void, 12, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setDataAndTypeAndNormalize(Uri,String) with tainted index 1]
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.callAllIntentSinks():void, 13, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setPackage(String) with tainted index 1]
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.extraToDataBad():void, 5, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setData(Uri) with tainted index 1]
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.extraToDataBad():void, 5, UNTRUSTED_INTENT_CREATION, no_bucket, ERROR, [Return from String Intent.getStringExtra(String),Call to Intent Intent.setData(Uri) with tainted index 1]
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.extraToDataBad():void, 7, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setData(Uri) with tainted index 1]
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.extraToDataBad():void, 7, UNTRUSTED_INTENT_CREATION, no_bucket, ERROR, [Return from String Intent.getStringExtra(String),Call to Intent Intent.setData(Uri) with tainted index 1]
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.startWithUri1Bad(android.net.Uri):void, 1, CREATE_INTENT_FROM_URI, no_bucket, ERROR, [Return from Intent.<init>(String,Uri),Call to void Activity.startActivity(Intent) with tainted index 1]
codetoanalyze/java/quandary/Intents.java, codetoanalyze.java.quandary.Intents.startWithUri2Bad(android.net.Uri):void, 1, CREATE_INTENT_FROM_URI, no_bucket, ERROR, [Return from Intent.<init>(String,Uri,Context,Class),Call to void Activity.startActivity(Intent) with tainted index 1]

Loading…
Cancel
Save