You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
107 lines
2.7 KiB
107 lines
2.7 KiB
/*
|
|
* Copyright (c) 2017 - present Facebook, Inc.
|
|
* All rights reserved.
|
|
*
|
|
* This source code is licensed under the BSD style license found in the
|
|
* LICENSE file in the root directory of this source tree. An additional grant
|
|
* of patent rights can be found in the PATENTS file in the same directory.
|
|
*/
|
|
|
|
#include <string>
|
|
|
|
extern void __infer_sql_sink(std::string);
|
|
extern std::string __infer_all_sanitizer(std::string);
|
|
extern std::string __infer_string_sanitizer(std::string);
|
|
|
|
namespace facebook {
|
|
namespace fb303 {
|
|
namespace cpp2 {
|
|
|
|
class FacebookServiceSvIf {};
|
|
|
|
class FacebookServiceSvAsyncIf {};
|
|
} // namespace cpp2
|
|
} // namespace fb303
|
|
} // namespace facebook
|
|
|
|
namespace endpoints {
|
|
|
|
struct request {
|
|
std::string s;
|
|
int i;
|
|
};
|
|
|
|
class Service1 : facebook::fb303::cpp2::FacebookServiceSvIf {
|
|
|
|
public:
|
|
void service1_endpoint_bad(std::string formal) {
|
|
// this should report REMOTE_CODE_EXECUTION_RISK
|
|
system(formal.c_str());
|
|
}
|
|
|
|
// this is specified as user-controlled in .inferconfig
|
|
void user_controlled_endpoint_to_sql_bad(std::string formal) {
|
|
// this should report SQL_INJECTION
|
|
__infer_sql_sink(formal);
|
|
}
|
|
|
|
// this is specified as user-controlled in .inferconfig
|
|
void user_controlled_endpoint_to_shell_bad(std::string formal) {
|
|
// this should report SHELL_INJECTION
|
|
system(formal.c_str());
|
|
}
|
|
|
|
void unsanitized_sql_bad(std::string formal) {
|
|
// this should report REMOTE_CODE_EXECUTION_RISK
|
|
__infer_sql_sink(formal);
|
|
}
|
|
|
|
void sanitized_sql_bad(std::string formal) {
|
|
// this should report USER_CONTROLLED_SQL_RISK
|
|
__infer_sql_sink(__infer_string_sanitizer(formal));
|
|
}
|
|
|
|
void service1_endpoint_sql_sanitized_ok(std::string formal) {
|
|
__infer_sql_sink(__infer_all_sanitizer(formal));
|
|
}
|
|
|
|
void service1_endpoint_shell_sanitized_ok(std::string formal) {
|
|
system(__infer_string_sanitizer(formal).c_str());
|
|
}
|
|
|
|
void service1_endpoint_struct_string_field_bad(request formal) {
|
|
system(formal.s.c_str());
|
|
}
|
|
|
|
void FP_service1_endpoint_struct_int_field_ok(request formal) {
|
|
system(std::to_string(formal.i).c_str());
|
|
}
|
|
|
|
void service_this_ok() {
|
|
// endpoint object itself should not be treated as tainted
|
|
system((const char*)this);
|
|
}
|
|
|
|
private:
|
|
void private_not_endpoint_ok(std::string formal) { system(formal.c_str()); }
|
|
};
|
|
|
|
class Service2 : facebook::fb303::cpp2::FacebookServiceSvAsyncIf {
|
|
|
|
public:
|
|
void service2_endpoint_bad(std::string formal) {
|
|
// this should report REMOTE_CODE_EXECUTION_RISK
|
|
system(formal.c_str());
|
|
}
|
|
};
|
|
|
|
class Service3 : Service1 {
|
|
public:
|
|
void service3_endpoint_bad(std::string formal) {
|
|
// this should report REMOTE_CODE_EXECUTION_RISK
|
|
system(formal.c_str());
|
|
}
|
|
};
|
|
|
|
} // namespace endpoints
|