(* * Copyright (c) 2016 - present Facebook, Inc. * All rights reserved. * * This source code is licensed under the BSD style license found in the * LICENSE file in the root directory of this source tree. An additional grant * of patent rights can be found in the PATENTS file in the same directory. *) open! IStd module F = Format module L = Logging module SourceKind = struct type t = | CommandLineFlag of Var.t (** source that was read from a command line flag *) | Endpoint of (Mangled.t * Typ.desc) (** source originating from formal of an endpoint *) | EnvironmentVariable (** source that was read from an environment variable *) | File (** source that was read from a file *) | Other (** for testing or uncategorized sources *) | UserControlledEndpoint of (Mangled.t * Typ.desc) (** source originating from formal of an endpoint that is known to hold user-controlled data *) [@@deriving compare] let matches ~caller ~callee = Int.equal 0 (compare caller callee) let of_string = function | "CommandLineFlag" -> L.die UserError "User-specified CommandLineFlag sources are not supported" | "Endpoint" -> Endpoint (Mangled.from_string "NONE", Typ.Tvoid) | "EnvironmentVariable" -> EnvironmentVariable | "File" -> File | "UserControlledEndpoint" -> Endpoint (Mangled.from_string "NONE", Typ.Tvoid) | _ -> Other let external_sources = List.map ~f:(fun {QuandaryConfig.Source.procedure; kind; index} -> (QualifiedCppName.Match.of_fuzzy_qual_names [procedure], kind, index)) (QuandaryConfig.Source.of_json Config.quandary_sources) let endpoints = String.Set.of_list (QuandaryConfig.Endpoint.of_json Config.quandary_endpoints) (* return Some(source kind) if [procedure_name] is in the list of externally specified sources *) let get_external_source qualified_pname = let return = None in List.find_map ~f:(fun (qualifiers, kind, index) -> if QualifiedCppName.Match.match_qualifiers qualifiers qualified_pname then let source_index = try Some (int_of_string index) with Failure _ -> return in Some (of_string kind, source_index) else None) external_sources let get pname actuals _ = let return = None in match pname with | Typ.Procname.ObjC_Cpp cpp_name -> ( let qualified_pname = Typ.Procname.get_qualifiers pname in match ( QualifiedCppName.to_list (Typ.Name.unqualified_name (Typ.Procname.objc_cpp_get_class_type_name cpp_name)) , Typ.Procname.get_method pname ) with | ( ["std"; ("basic_istream" | "basic_iostream")] , ("getline" | "read" | "readsome" | "operator>>") ) -> Some (File, Some 1) | _ -> get_external_source qualified_pname ) | Typ.Procname.C _ when Typ.Procname.equal pname BuiltinDecl.__global_access -> ( (* is this var a command line flag created by the popular C++ gflags library for creating command-line flags (https://github.com/gflags/gflags)? *) let is_gflag access_path = let pvar_is_gflag pvar = String.is_substring ~substring:"FLAGS_" (Pvar.get_simplified_name pvar) in match access_path with | (Var.ProgramVar pvar, _), _ -> Pvar.is_global pvar && pvar_is_gflag pvar | _ -> false in (* accessed global will be passed to us as the only parameter *) match actuals with | [(HilExp.AccessPath access_path)] when is_gflag access_path -> let (global_pvar, _), _ = access_path in Some (CommandLineFlag global_pvar, None) | _ -> None ) | Typ.Procname.C _ -> ( match Typ.Procname.to_string pname with | "getenv" -> Some (EnvironmentVariable, return) | _ -> get_external_source (Typ.Procname.get_qualifiers pname) ) | Typ.Procname.Block _ -> None | pname -> L.(die InternalError) "Non-C++ procname %a in C++ analysis" Typ.Procname.pp pname let get_tainted_formals pdesc tenv = if PredSymb.equal_access (Procdesc.get_attributes pdesc).ProcAttributes.access PredSymb.Private then Source.all_formals_untainted pdesc else let is_thrift_service cpp_pname = let is_thrift_service_ typename _ = match QualifiedCppName.to_list (Typ.Name.unqualified_name typename) with | ["facebook"; "fb303"; "cpp2"; ("FacebookServiceSvIf" | "FacebookServiceSvAsyncIf")] -> true | _ -> false in let typename = Typ.Procname.objc_cpp_get_class_type_name cpp_pname in PatternMatch.supertype_exists tenv is_thrift_service_ typename in let taint_all ~make_source = List.map ~f:(fun (name, typ) -> (name, typ, Some (make_source name typ.Typ.desc))) (Procdesc.get_formals pdesc) in match Procdesc.get_proc_name pdesc with | Typ.Procname.ObjC_Cpp cpp_pname as pname -> let qualified_pname = F.sprintf "%s::%s" (Typ.Procname.objc_cpp_get_class_name cpp_pname) (Typ.Procname.get_method pname) in if String.Set.mem endpoints qualified_pname then taint_all ~make_source:(fun name desc -> UserControlledEndpoint (name, desc)) else if is_thrift_service cpp_pname then taint_all ~make_source:(fun name desc -> Endpoint (name, desc)) else Source.all_formals_untainted pdesc | _ -> Source.all_formals_untainted pdesc let pp fmt = function | Endpoint (formal_name, _) -> F.fprintf fmt "Endpoint[%s]" (Mangled.to_string formal_name) | EnvironmentVariable -> F.fprintf fmt "EnvironmentVariable" | File -> F.fprintf fmt "File" | CommandLineFlag var -> F.fprintf fmt "CommandLineFlag[%a]" Var.pp var | Other -> F.fprintf fmt "Other" | UserControlledEndpoint (formal_name, _) -> F.fprintf fmt "UserControlledEndpoint[%s]" (Mangled.to_string formal_name) end module CppSource = Source.Make (SourceKind) module SinkKind = struct type t = | BufferAccess (** read/write an array *) | HeapAllocation (** heap memory allocation *) | ShellExec (** shell exec function *) | SQL (** SQL query *) | StackAllocation (** stack memory allocation *) | Other (** for testing or uncategorized sinks *) [@@deriving compare] let matches ~caller ~callee = Int.equal 0 (compare caller callee) let of_string = function | "BufferAccess" -> BufferAccess | "HeapAllocation" -> HeapAllocation | "ShellExec" -> ShellExec | "SQL" -> SQL | "StackAllocation" -> StackAllocation | _ -> Other let external_sinks = List.map ~f:(fun {QuandaryConfig.Sink.procedure; kind; index} -> (QualifiedCppName.Match.of_fuzzy_qual_names [procedure], kind, index)) (QuandaryConfig.Sink.of_json Config.quandary_sinks) (* taint the nth parameter (0-indexed) *) let taint_nth n kind actuals = if n < List.length actuals then Some (kind, IntSet.singleton n) else None let taint_all kind actuals = Some (kind, IntSet.of_list (List.mapi ~f:(fun actual_num _ -> actual_num) actuals)) (* return Some(sink kind) if [procedure_name] is in the list of externally specified sinks *) let get_external_sink pname actuals = let qualified_pname = Typ.Procname.get_qualifiers pname in List.find_map ~f:(fun (qualifiers, kind, index) -> if QualifiedCppName.Match.match_qualifiers qualifiers qualified_pname then let kind = of_string kind in try let n = int_of_string index in taint_nth n kind actuals with Failure _ -> (* couldn't parse the index, just taint everything *) taint_all kind actuals else None) external_sinks let get pname actuals _ = let is_buffer_like pname = (* assume it's a buffer class if it's "vector-y", "array-y", or "string-y". don't want to report on accesses to maps etc., but also want to recognize custom vectors like fbvector rather than overfitting to std::vector *) let typename = Typ.Procname.get_qualifiers pname |> QualifiedCppName.strip_template_args |> QualifiedCppName.to_qual_string |> String.lowercase in String.is_substring ~substring:"vec" typename || String.is_substring ~substring:"array" typename || String.is_substring ~substring:"string" typename in match pname with | Typ.Procname.ObjC_Cpp _ -> ( match Typ.Procname.get_method pname with | "operator[]" when Config.developer_mode && is_buffer_like pname -> taint_nth 1 BufferAccess actuals | _ -> get_external_sink pname actuals ) | Typ.Procname.C _ when Config.developer_mode && Typ.Procname.equal pname BuiltinDecl.__array_access -> taint_all BufferAccess actuals | Typ.Procname.C _ when Typ.Procname.equal pname BuiltinDecl.__set_array_length -> (* called when creating a stack-allocated array *) taint_nth 1 StackAllocation actuals | Typ.Procname.C _ -> ( match Typ.Procname.to_string pname with | "execl" | "execlp" | "execle" | "execv" | "execve" | "execvp" | "system" -> taint_all ShellExec actuals | "popen" -> taint_nth 0 ShellExec actuals | ("brk" | "calloc" | "malloc" | "realloc" | "sbrk") when Config.developer_mode -> taint_all HeapAllocation actuals | "strcpy" when Config.developer_mode -> (* warn if source array is tainted *) taint_nth 1 BufferAccess actuals | "memcpy" | "memmove" | "memset" | "strncpy" | "wmemcpy" | "wmemmove" when Config.developer_mode -> (* warn if count argument is tainted *) taint_nth 2 BufferAccess actuals | _ -> get_external_sink pname actuals ) | Typ.Procname.Block _ -> None | pname -> L.(die InternalError) "Non-C++ procname %a in C++ analysis" Typ.Procname.pp pname let pp fmt kind = F.fprintf fmt ( match kind with | BufferAccess -> "BufferAccess" | HeapAllocation -> "HeapAllocation" | ShellExec -> "ShellExec" | SQL -> "SQL" | StackAllocation -> "StackAllocation" | Other -> "Other" ) end module CppSink = Sink.Make (SinkKind) module CppSanitizer = struct type t = | Escape (** escaped string to sanitize SQL injection or ShellExec sinks *) | All (** sanitizes all forms of taint *) [@@deriving compare] let equal = [%compare.equal : t] let of_string = function "Escape" -> Escape | _ -> All let external_sanitizers = List.map ~f:(fun {QuandaryConfig.Sanitizer.procedure; kind} -> (QualifiedCppName.Match.of_fuzzy_qual_names [procedure], of_string kind)) (QuandaryConfig.Sanitizer.of_json Config.quandary_sanitizers) let get pname = let qualified_pname = Typ.Procname.get_qualifiers pname in List.find_map ~f:(fun (qualifiers, kind) -> if QualifiedCppName.Match.match_qualifiers qualifiers qualified_pname then Some kind else None) external_sanitizers let pp fmt = function Escape -> F.fprintf fmt "Escape" | All -> F.fprintf fmt "All" end include Trace.Make (struct module Source = CppSource module Sink = CppSink module Sanitizer = CppSanitizer (* return true if code injection is possible because the source is a string/is not sanitized *) let is_injection_possible ?typ sanitizers = let is_escaped = List.mem sanitizers Sanitizer.Escape ~equal:Sanitizer.equal in not is_escaped && match typ with | Some (Typ.Tint _ | Tfloat _ | Tvoid) -> false | _ -> (* possible a string/object/struct type; assume injection possible *) true let get_report source sink sanitizers = match (Source.kind source, Sink.kind sink) with | _ when List.mem sanitizers Sanitizer.All ~equal:Sanitizer.equal -> (* the All sanitizer clears any form of taint; don't report *) None | UserControlledEndpoint (_, typ), SQL -> if is_injection_possible ~typ sanitizers then Some IssueType.sql_injection else (* no injection risk, but still user-controlled *) Some IssueType.user_controlled_sql_risk | Endpoint (_, typ), SQL -> if is_injection_possible ~typ sanitizers then (* code injection if the caller of the endpoint doesn't sanitize on its end *) Some IssueType.remote_code_execution_risk else (* no injection risk, but still user-controlled *) Some IssueType.user_controlled_sql_risk | Endpoint (_, typ), ShellExec -> (* code injection if the caller of the endpoint doesn't sanitize on its end *) Option.some_if (is_injection_possible ~typ sanitizers) IssueType.remote_code_execution_risk | UserControlledEndpoint (_, typ), ShellExec -> (* we know the user controls the endpoint, so it's code injection without a sanitizer *) Option.some_if (is_injection_possible ~typ sanitizers) IssueType.shell_injection | UserControlledEndpoint _, BufferAccess -> (* untrusted data from an endpoint flowing into a buffer *) Some IssueType.quandary_taint_error | Endpoint _, (BufferAccess | HeapAllocation | StackAllocation) -> (* may want to report this in the future, but don't care for now *) None | (CommandLineFlag _ | EnvironmentVariable | File | Other), BufferAccess -> (* untrusted flag, environment var, or file data flowing to buffer *) Some IssueType.quandary_taint_error | (CommandLineFlag _ | EnvironmentVariable | File | Other), ShellExec -> (* untrusted flag, environment var, or file data flowing to shell *) Option.some_if (is_injection_possible sanitizers) IssueType.shell_injection | (CommandLineFlag _ | EnvironmentVariable | File | Other), SQL -> (* untrusted flag, environment var, or file data flowing to SQL *) Option.some_if (is_injection_possible sanitizers) IssueType.sql_injection | ( (CommandLineFlag _ | UserControlledEndpoint _ | EnvironmentVariable | File | Other) , HeapAllocation ) -> (* untrusted data of any kind flowing to heap allocation. this can cause crashes or DOS. *) Some IssueType.quandary_taint_error | ( (CommandLineFlag _ | UserControlledEndpoint _ | EnvironmentVariable | File | Other) , StackAllocation ) -> (* untrusted data of any kind flowing to stack buffer allocation. trying to allocate a stack buffer that's too large will cause a stack overflow. *) Some IssueType.untrusted_variable_length_array | Other, _ -> (* Other matches everything *) Some IssueType.quandary_taint_error | _, Other -> Some IssueType.quandary_taint_error end)