[taint] Fix taint policy exclude_in doc + add tests

Summary: Previously, the documentation said that `exclude_in` should be specified for each taint flow. In fact, when specified there it has no effect (and no warning is produced from config parsing). `exclude_in` property should be specified one level up for the whole taint policy. Reviewed By: geralt-encore Differential Revision: D50887109 fbshipit-source-id: ed3b3e4967325f17bf7f126b1401933ccaa0fb2a
facebook · Nov 1, 2023 · 6ad90ca · 6ad90ca
1 parent 995d540
commit 6ad90ca
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 10 deletions.
diff --git a/infer/man/man1/infer-analyze.txt b/infer/man/man1/infer-analyze.txt
@@ -844,8 +844,8 @@ PULSE CHECKER OPTIONS
            this JSON format:             { "short_description": "<a short description of the issue>",
                "taint_flows": [{ "source_kinds": [<kinds>],
                                  "sink_kinds": [<kinds>],
-                                 "sanitizer_kinds": [<kinds>],
-                                 "exclude_in": [<paths>] }]
+                                 "sanitizer_kinds": [<kinds>] }],
+               "exclude_in": [<paths>]
              }
            where <kinds> are specified in taint source/sanitizer/sink
            matchers (see --pulse-taint-sources). The fields "sanitizer_kinds"

diff --git a/infer/man/man1/infer-full.txt b/infer/man/man1/infer-full.txt
@@ -1450,8 +1450,8 @@ OPTIONS
            this JSON format:             { "short_description": "<a short description of the issue>",
                "taint_flows": [{ "source_kinds": [<kinds>],
                                  "sink_kinds": [<kinds>],
-                                 "sanitizer_kinds": [<kinds>],
-                                 "exclude_in": [<paths>] }]
+                                 "sanitizer_kinds": [<kinds>] }],
+               "exclude_in": [<paths>]
              }
            where <kinds> are specified in taint source/sanitizer/sink
            matchers (see --pulse-taint-sources). The fields "sanitizer_kinds"

diff --git a/infer/man/man1/infer.txt b/infer/man/man1/infer.txt
@@ -1450,8 +1450,8 @@ OPTIONS
            this JSON format:             { "short_description": "<a short description of the issue>",
                "taint_flows": [{ "source_kinds": [<kinds>],
                                  "sink_kinds": [<kinds>],
-                                 "sanitizer_kinds": [<kinds>],
-                                 "exclude_in": [<paths>] }]
+                                 "sanitizer_kinds": [<kinds>] }],
+               "exclude_in": [<paths>]
              }
            where <kinds> are specified in taint source/sanitizer/sink
            matchers (see --pulse-taint-sources). The fields "sanitizer_kinds"

diff --git a/infer/src/base/Config.ml b/infer/src/base/Config.ml
@@ -2568,8 +2568,8 @@ and pulse_taint_policies =
   { "short_description": "<a short description of the issue>",
     "taint_flows": [{ "source_kinds": [<kinds>],
                       "sink_kinds": [<kinds>],
-                      "sanitizer_kinds": [<kinds>],
-                      "exclude_in": [<paths>] }]
+                      "sanitizer_kinds": [<kinds>] }],
+    "exclude_in": [<paths>]
   }
 where <kinds> are specified in taint source/sanitizer/sink matchers (see $(b,--pulse-taint-sources)). The fields "sanitizer_kinds" and "exclude_in" are optional (assumed to be empty), and a single policy can specify several taint flows using a list. The following policy is always enabled:
 { "short_description": "...",

diff --git a/infer/tests/codetoanalyze/hack/pulse/.inferconfig b/infer/tests/codetoanalyze/hack/pulse/.inferconfig
@@ -22,7 +22,8 @@
     },
     { "class_names": ["IntraFile::KnownClass"], "method_names": ["genTaintSource"], "kinds": ["IntraFile"]},
     { "class_names": ["Sanitizers::Source"], "method_names": ["getTainted"], "kinds": ["Sanitizers"]},
-    { "class_names": ["Propagators::Source"], "method_names": ["getTainted"], "kinds": ["Propagators"]}
+    { "class_names": ["Propagators::Source"], "method_names": ["getTainted"], "kinds": ["Propagators"]},
+    { "class_names": ["Exclusions::Source"], "method_names": ["get"], "kinds": ["Exclusions"]}
   ],
   "pulse-taint-sinks": [
     { "procedure": "explicitSinkAllArgs" },
@@ -37,7 +38,8 @@
     { "procedure_regex": ".*", "kinds": ["BuiltinCatchAll"]},
     { "class_names": ["Shapes::ShapeLogger"], "method_names": ["logMixed"] },
     { "class_names": ["Sanitizers::Sink"], "procedure_regex": ".*", "kinds": ["Sanitizers"] },
-    { "class_names": ["Propagators::Sink"], "procedure_regex": ".*", "kinds": ["Propagators"] }
+    { "class_names": ["Propagators::Sink"], "procedure_regex": ".*", "kinds": ["Propagators"] },
+    { "class_names": ["Exclusions::Sink"], "procedure_regex": ".*", "kinds": ["Exclusions"] }
   ],
   "pulse-taint-sanitizers": [
     { "class_names": ["Sanitizers::San"], "procedure_regex": ".*", "kinds": ["Sanitizers"] }
@@ -57,6 +59,13 @@
     {
       "short_description": "Taint flow with a propagator and any method sink",
       "taint_flows": [{"source_kinds": ["Propagators"], "sink_kinds": ["BuiltinCatchAll"]}]
+    },
+    {
+      "short_description": "Check that exclude_in works",
+      "taint_flows": [
+        { "source_kinds": ["Exclusions"], "sink_kinds": ["Exclusions"] }
+      ],
+      "exclude_in": ["exclusions"]
     }
   ]
 }
diff --git a/infer/tests/codetoanalyze/hack/pulse/exclusions.hack b/infer/tests/codetoanalyze/hack/pulse/exclusions.hack
@@ -0,0 +1,23 @@
+// Copyright (c) Facebook, Inc. and its affiliates.
+//
+// This source code is licensed under the MIT license found in the
+// LICENSE file in the root directory of this source tree.
+
+namespace Exclusions;
+
+class Source {
+  public static function get(): int {
+    return 42;
+  }
+}
+
+class Sink {
+  public static function consume(mixed $arg): void {}
+}
+
+class Flows {
+  public static function excludedFlowOk(): void {
+    Sink::consume(Source::get());
+  }
+}
+