[quandary] report gflags to shell exec, but not file or url creation

Reviewed By: mbouaziz

Differential Revision: D6716776

fbshipit-source-id: 942f716
Sam Blackshear 7 years ago committed by Facebook Github Bot
parent d0a30d61c4
commit fb7556816f

@ -76,8 +76,7 @@ module SourceKind = struct
Some (ReadFile, Some 1) Some (ReadFile, Some 1)
| _ -> | _ ->
get_external_source qualified_pname ) get_external_source qualified_pname )
| Typ.Procname.C _ | Typ.Procname.C _ when Typ.Procname.equal pname BuiltinDecl.__global_access
when Config.developer_mode && Typ.Procname.equal pname BuiltinDecl.__global_access
-> ( -> (
(* is this var a command line flag created by the popular C++ gflags library for creating (* is this var a command line flag created by the popular C++ gflags library for creating
command-line flags (https://github.com/gflags/gflags)? *) command-line flags (https://github.com/gflags/gflags)? *)
@ -438,7 +437,7 @@ include Trace.Make (struct
Option.some_if Option.some_if
(is_injection_possible ~typ Sanitizer.EscapeShell sanitizers) (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
IssueType.untrusted_file IssueType.untrusted_file
| (Endpoint (_, typ) | CommandLineFlag (_, typ)), CreateFile -> | Endpoint (_, typ), CreateFile ->
Option.some_if Option.some_if
(is_injection_possible ~typ Sanitizer.EscapeShell sanitizers) (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
IssueType.untrusted_file_risk IssueType.untrusted_file_risk
@ -446,11 +445,11 @@ include Trace.Make (struct
Option.some_if Option.some_if
(is_injection_possible ~typ Sanitizer.EscapeURL sanitizers) (is_injection_possible ~typ Sanitizer.EscapeURL sanitizers)
IssueType.untrusted_url IssueType.untrusted_url
| (Endpoint (_, typ) | CommandLineFlag (_, typ)), URL -> | Endpoint (_, typ), URL ->
Option.some_if Option.some_if
(is_injection_possible ~typ Sanitizer.EscapeURL sanitizers) (is_injection_possible ~typ Sanitizer.EscapeURL sanitizers)
IssueType.untrusted_url_risk IssueType.untrusted_url_risk
| (EnvironmentVariable | ReadFile), URL -> | (CommandLineFlag _ | EnvironmentVariable | ReadFile), URL ->
None None
| (UserControlledEndpoint (_, typ) | CommandLineFlag (_, typ)), SQL -> | (UserControlledEndpoint (_, typ) | CommandLineFlag (_, typ)), SQL ->
if is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers then if is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers then
@ -508,7 +507,7 @@ include Trace.Make (struct
(* untrusted data of any kind flowing to stack buffer allocation. trying to allocate a stack (* untrusted data of any kind flowing to stack buffer allocation. trying to allocate a stack
buffer that's too large will cause a stack overflow. *) buffer that's too large will cause a stack overflow. *)
Some IssueType.untrusted_variable_length_array Some IssueType.untrusted_variable_length_array
| (EnvironmentVariable | ReadFile), CreateFile -> | (CommandLineFlag _ | EnvironmentVariable | ReadFile), CreateFile ->
None None
| Other, _ -> | Other, _ ->
(* Other matches everything *) (* Other matches everything *)
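Review bot: The new arms `| (CommandLineFlag _ | EnvironmentVariable | ReadFile), URL -> None` and `| (CommandLineFlag _ | EnvironmentVariable | ReadFile), CreateFile -> None` record no rationale for why a gflags value is trusted as a path or URL while the same value still reports at the SQL arm two lines below and, per the title, at shell exec, so a later reader cannot tell deliberate suppression from an accidental drop. I would add above the first of the two arms a comment along the lines of `(* command-line flags are set by whoever launches the binary, so a flag used as a file path or URL is treated as operator-controlled; flags still report at SQL and exec sinks because the raw value is spliced into a command *)` (presumably the intent, worth confirming with the author). The same section also drops the `Config.developer_mode` gate around gflags detection in `SourceKind`, which the commit message does not mention; a one-line comment there saying gflags sources are now on for all users would save the next reader a bisect. Both the `SourceKind` match and the `Trace.Make` body start and end outside these hunks.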

@ -9,6 +9,7 @@
#include <fcntl.h> #include <fcntl.h>
#include <fstream> #include <fstream>
#include <iostream>
#include <string> #include <string>
extern void __infer_sql_sink(std::string); extern void __infer_sql_sink(std::string);

@ -10,8 +10,12 @@
#include <fstream> #include <fstream>
#include <unistd.h> #include <unistd.h>
extern void __infer_url_sink(char*);
namespace files { namespace files {
extern char* FLAGS_cli_string;
void read_file_call_exec_bad1(int length) { void read_file_call_exec_bad1(int length) {
std::ifstream is("test.txt", std::ifstream::binary); std::ifstream is("test.txt", std::ifstream::binary);
if (is) { if (is) {
@ -62,4 +66,10 @@ void read_file_call_exec_bad5(std::iostream is, int length) {
} }
} }
void read_file_from_flag_ok(int length) {
std::ofstream file1(FLAGS_cli_string, std::ifstream::binary);
}
void url_from_flag_ok() { __infer_url_sink(FLAGS_cli_string); }
} }
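Review bot: The new tests only pin the suppressed cases (`read_file_from_flag_ok` feeds `FLAGS_cli_string` to an `std::ofstream`, `url_from_flag_ok` to `__infer_url_sink`); nothing in this hunk asserts the title's positive claim that a flag reaching a shell exec sink is still reported, so a regression that silently stops treating gflags as a source would pass this file. Assuming `exec*` is the ShellExec sink the existing `read_file_call_exec_bad*` tests rely on, a `void exec_from_flag_bad() { execl(FLAGS_cli_string, FLAGS_cli_string, static_cast<char*>(nullptr)); }` case would catch that. `read_file_from_flag_ok` is also misnamed for what it exercises: it opens an `std::ofstream` (a CreateFile sink, not a read) with an `std::ifstream::binary` mode flag and never uses `length`, so `void create_file_from_flag_ok() { std::ofstream file1(FLAGS_cli_string, std::ofstream::binary); }` says what is being tested. `FLAGS_cli_string` is modelled here as `extern char*` whereas real gflags string flags are `std::string`; if the source matcher keys on the variable's type rather than the `FLAGS_` name prefix this fixture may not exercise the production path, which is worth confirming against the matcher.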
