C++: Add DefaultTaintTracking diff tests #2697
Conversation
This adds support for arg-to-arg and arg-to-return taint.
Fix the help according to review comments.
When building SSA, we'll be assuming that stack variables do not escape, at least until we improve our alias analysis. I've added a new `IREscapeAnalysisConfiguration` class to allow the query to control this, and a new `UseSoundEscapeAnalysis.qll` module that can be imported to switch to the sound escape analysis. I've cloned the existing IR and SSA tests to have both sound and unsound versions. There were relatively few diffs in the IR dump tests, and the sanity tests still give the same results after one change described below. Assuming that stack variables do not escape exposed an existing bug where we do not emit an `Uninitialized` instruction for the temporary variables used by `return` statements and `throw` expressions, even if the initializer is a constructor call or array initializer. I've refactored the code for handling elements that initialize a variable to share a common base class. I added a test case for returning an object initialized by constructor call, and ensured that the IR diffs for the existing `throw` test cases are correct.
There was already a `WriteSideEffectInstruction` class that served as a superclass for all the specific write side effects. This new class serves the same purpose for read side effects.
Until we have better tracking of indirections, these flow rules conflate pointers and their contents.
Fix help and correct formatting.
Our definition of `toString` for the internal tuple objects we create during the points-to analysis may have been a _tad_ too ambitious. In particular, it can easily lead to non-termination, e.g. using the following piece of code:

```python
x = ()
while True:
    x = (x, x)
```

This commit cuts off the infinite recursion by replacing _nested_ tuples with the string "...". In particular this means even non-recursive tuples will be cut off at that point, so that the following tuples

```python
(1, "2")
((3, 4), [5, 6])
(1, 2, 3, 4, 5)
```

get the following string representations:

```
"(int 1, '2', )"
"(..., List, )"
"(int 1, int 2, int 3, 2 more...)"
```
…tostring Python: Fix divergence in tuple `toString`.
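As an added illustration of the cutoff rule described in the commit above (this is not the CodeQL points-to library's own code, which is written in QL): a bounded `toString` that never recurses into nested tuples and so terminates even on the self-referential `x = (x, x)` structure. The rendering of ints, strings and lists, and the limit of three shown elements, are assumptions chosen to reproduce the strings listed in the commit.

```python
# Added illustration, not the CodeQL points-to library's own code.
# Rendering rules below are assumptions that reproduce the commit's examples.
from typing import Any

MAX_SHOWN = 3  # assumed: elements printed before "N more..."


def naive_to_string(value: Any) -> str:
    """The 'too ambitious' version: recurses into every nested tuple.
    On x = (x, x) built in a loop this does exponential work and never
    returns, which is the non-termination the commit fixes."""
    if isinstance(value, tuple):
        return "(" + "".join(naive_to_string(v) + ", " for v in value) + ")"
    return element_to_string(value)


def element_to_string(value: Any) -> str:
    """Render one tuple element; nested tuples are cut off as "..."."""
    if isinstance(value, tuple):
        return "..."  # cutoff: never descend into a nested tuple
    if isinstance(value, bool):
        return f"bool {value}"
    if isinstance(value, int):
        return f"int {value}"
    if isinstance(value, str):
        return repr(value)  # '2' for the string "2"
    if isinstance(value, list):
        return "List"
    return type(value).__name__


def tuple_to_string(t: tuple) -> str:
    """Bounded toString: at most MAX_SHOWN elements, then 'N more...'."""
    shown = [element_to_string(v) for v in t[:MAX_SHOWN]]
    text = "(" + "".join(s + ", " for s in shown)
    remaining = len(t) - MAX_SHOWN
    if remaining > 0:
        text += f"{remaining} more..."
    return text + ")"


def deeply_nested(depth: int) -> tuple:
    """Constructed input mirroring the commit's loop, stopped after `depth` steps."""
    x: tuple = ()
    for _ in range(depth):
        x = (x, x)
    return x
```

Calling `tuple_to_string(deeply_nested(10000))` returns immediately with `"(..., ..., )"`, whereas `naive_to_string` on the same value would need 2^10000 leaf visits.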
Add check for disabled CSRF protection in Spring
Java: Add a query for suspicious date format patterns.
C++: Model that string functions read their buffer
CPP: Model strndup.
C++: wire up models library to DefaultTaintTracking
C++/C#: Make escape analysis unsound by default
…query Java: Add change note for java/spring-disabled-csrf-protection.
Otherwise LGTM.
) | ||
} | ||
|
||
from Location source, Location sink, string note |
Why compare the sources and sinks by `Location` rather than comparing them as `Expr` and `Element` respectively? If the two libraries find elements that are different, then I think we want to know about it even if they have the same location.
…o ql-tests-taint-tracking
Something went wrong with the merge from master...

Oops... Yep. I'll fix it right away
Testing for potential taint differences involving virtual dispatch between `DefaultTaintTracking` and `security.TaintTracking`. A couple of tests reveal TPs that are reported in the AST, but not in the IR.