diff --git a/infer/src/backend/InferPrint.ml b/infer/src/backend/InferPrint.ml
index f42e04a6d..cddfb653a 100644
--- a/infer/src/backend/InferPrint.ml
+++ b/infer/src/backend/InferPrint.ml
@@ -1037,9 +1037,7 @@ let pp_summary_and_issues formats_by_report_kind issue_formats =
 all_issues := process_summary filters formats_by_report_kind linereader stats summary !all_issues ) ;
 all_issues := Issue.sort_filter_issues !all_issues ;
- ( if Config.quandaryBO then
- let quandaryBO_issues = QuandaryBO.get_issues !all_issues in
- all_issues := List.rev_append !all_issues quandaryBO_issues ) ;
+ if Config.quandaryBO then all_issues := QuandaryBO.update_issues !all_issues ;
 List.iter
 ~f:(fun ({Issue.proc_name} as issue) ->
 let error_filter = error_filter filters proc_name in
diff --git a/infer/src/quandary/quandaryBO.ml b/infer/src/quandary/quandaryBO.ml
index fd54dc8c9..a5d0bdb45 100644
--- a/infer/src/quandary/quandaryBO.ml
+++ b/infer/src/quandary/quandaryBO.ml
@@ -7,7 +7,7 @@ open! IStd
-let get_issues all_issues =
+let update_issues all_issues =
 let quandary_bug_names =
 IssueType.[untrusted_buffer_access; untrusted_heap_allocation; untrusted_variable_length_array]
 in
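Review bot: The new one-liner `if Config.quandaryBO then all_issues := QuandaryBO.update_issues !all_issues ;` changes what is reported, not only what is appended: per the quandaryBO.ml hunk below, update_issues also filters out the standalone Quandary and InferBO issues unless Config.quandary or Config.bufferoverrun is set, so a taint or buffer-overrun finding that was not merged into a combined issue (the pairing happens earlier in that file) disappears from the report. Nothing at this call site or in the .mli signature says so, and the old name `get_issues` read as a pure query. I would state the contract on the .mli declaration, e.g. `(** [update_issues issues] appends the merged QuandaryBO issues and, unless the Quandary / InferBO checkers were enabled explicitly, removes their standalone issues from [issues]. *)`. pp_summary_and_issues begins and ends outside this hunk.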
@@ -68,4 +68,30 @@ let get_issues all_issues =
 in
 (* Can merge List.map, List.concat_map and List.filter_map into a single fold. *)
 let quandaryBO_issues = List.map ~f:merge_issues paired_issues in
- quandaryBO_issues
+ let quandary_issuetypes =
+ IssueType.
+ [ quandary_taint_error
+ ; shell_injection
+ ; shell_injection_risk
+ ; sql_injection
+ ; sql_injection_risk
+ ; untrusted_buffer_access
+ ; untrusted_file_risk
+ ; untrusted_heap_allocation
+ ; untrusted_url_risk
+ ; untrusted_variable_length_array
+ ; user_controlled_sql_risk ]
+ in
+ let inferBO_issuetypes = inferbo_bug_names in
+ let all_issues_filtered =
+ List.filter
+ ~f:(fun issue ->
+ ( Config.quandary
+ || not (List.mem quandary_issuetypes issue.Issue.err_key.err_name ~equal:IssueType.equal)
+ )
+ && ( Config.bufferoverrun
+ || not (List.mem inferBO_issuetypes issue.Issue.err_key.err_name ~equal:IssueType.equal)
+ ) )
+ all_issues
+ in
+ List.rev_append all_issues_filtered quandaryBO_issues
diff --git a/infer/src/quandary/quandaryBO.mli b/infer/src/quandary/quandaryBO.mli
index 2e0c1bacc..711e9809d 100644
--- a/infer/src/quandary/quandaryBO.mli
+++ b/infer/src/quandary/quandaryBO.mli
@@ -7,4 +7,4 @@ open! IStd
-val get_issues : Issue.t list -> Issue.t list
+val update_issues : Issue.t list -> Issue.t list
diff --git a/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp b/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp
index a198393ff..25456e245 100644
--- a/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp
+++ b/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp
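Review bot: `quandary_issuetypes` hard-codes the set of Quandary issue types, so any Quandary issue type added later passes the filter and is reported even when only quandaryBO was requested, and the three names already held in `quandary_bug_names` at the top of this function are repeated here verbatim, giving two lists to keep in sync. If IssueType offers no way to enumerate a checker's issue types, build this list on top of `quandary_bug_names` and leave a comment beside it such as `(* must list every issue type Quandary can report; anything missing leaks through when only quandaryBO is on *)`. The alias `let inferBO_issuetypes = inferbo_bug_names in` adds nothing and the filter can name `inferbo_bug_names` directly. Both `List.mem` calls read the same `issue.Issue.err_key.err_name`; binding it once with `let name = issue.Issue.err_key.err_name in` shortens both conditions. update_issues starts outside this hunk.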
@@ -1,6 +1,3 @@
-codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, BUFFER_OVERRUN_U5, no_bucket, ERROR, [ArrayDeclaration,Unknown value from: __infer_taint_source,Assignment,ArrayAccess: Offset: [-oo, +oo] Size: 10]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,ArrayDeclaration,Unknown value from: __infer_taint_source,Assignment,ArrayAccess: Offset: [-oo, +oo] Size: 10]
-codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
-codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, BUFFER_OVERRUN_U5, no_bucket, ERROR, [Call,Unknown value from: __infer_taint_source,Assignment,Return,Assignment,Call,ArrayDeclaration,Parameter: i,ArrayAccess: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
+codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Alloc: Length: [-oo, 2147483647]]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Return,Assignment,Call,ArrayDeclaration,Parameter: i,ArrayAccess: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
-codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from 
multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0]
diff --git a/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp b/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp
index b60f55142..a5b350d0a 100644
--- a/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp
+++ b/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp
@@ -24,3 +24,12 @@ void multi_level_bad() {
 int i = multi_level_source_bad();
 multi_level_sink_bad(i);
 }
+
+void memory_alloc_bad1_FN() { int arr[__infer_taint_source()]; }
+
+void memory_alloc_bad2() {
+ int s = __infer_taint_source();
+ if (s <= 2147483647) {
+ int arr[s];
+ }
+}
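Review bot: The guard `if (s <= 2147483647)` in memory_alloc_bad2 is a tautology wherever int is 32 bits, so the branch is always taken and a reader may mistake the comparison for a real bound; the expected line in issues.exp still reports `Alloc: Length: [-oo, 2147483647]`, which suggests the check exists to hand the analyzer an upper bound on s, not to guard the VLA. A comment would spare the next reader the puzzle: `// always true for int; only here so InferBO derives a finite upper bound on s`. memory_alloc_bad1_FN likewise deserves a line saying what the known false negative is, e.g. `// FN: no TAINTED_MEMORY_ALLOCATION reported for the direct VLA, see issues.exp`, since the `_FN` suffix alone does not say what was expected.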