diff --git a/infer/src/pulse/PulseAttribute.ml b/infer/src/pulse/PulseAttribute.ml
index 0ea7e4394e8..f20a985438c 100644
--- a/infer/src/pulse/PulseAttribute.ml
+++ b/infer/src/pulse/PulseAttribute.ml
@@ -513,9 +513,14 @@ module Attribute = struct
 in
 MustNotBeTainted (TaintSinkSet.map add_call_to_sink sinks)
 | PropagateTaintFrom taints_in ->
+ let add_propagation_event_to_history hist =
+ let hist = add_call_to_history hist in
+ let propagation_event = ValueHistory.TaintPropagated (call_location, timestamp) in
+ ValueHistory.sequence propagation_event hist
+ in
 PropagateTaintFrom (List.map taints_in ~f:(fun {v; history} ->
- {v= subst v; history= add_call_to_history history} ) )
+ {v= subst v; history= add_propagation_event_to_history history} ) )
 | ReturnedFromUnknown values ->
 ReturnedFromUnknown (List.map values ~f:subst)
 | Tainted tainted ->
diff --git a/infer/src/pulse/PulseTaintOperations.ml b/infer/src/pulse/PulseTaintOperations.ml
index e2e324b7ba3..2998f7b78f8 100644
--- a/infer/src/pulse/PulseTaintOperations.ml
+++ b/infer/src/pulse/PulseTaintOperations.ml
@@ -385,6 +385,8 @@ let check_source_against_sink_policy location ~source source_times intra_procedu
 let check = function
 | ValueHistory.TaintSource (taint_item, _, _) ->
 List.exists taint_item.kinds ~f:(source_matches_sink_policy sink_kind sink_policy)
+ | ValueHistory.TaintPropagated _ ->
+ true
 | _ ->
 false
 in
diff --git a/infer/src/pulse/PulseValueHistory.ml b/infer/src/pulse/PulseValueHistory.ml
index 9b36c685de4..c5ee7c8c6eb 100644
--- a/infer/src/pulse/PulseValueHistory.ml
+++ b/infer/src/pulse/PulseValueHistory.ml
@@ -30,6 +30,7 @@ type event =
 | Returned of Location.t * Timestamp.t
 | StructFieldAddressCreated of Fieldname.t RevList.t * Location.t * Timestamp.t
 | TaintSource of TaintItem.t * Location.t * Timestamp.t
+ | TaintPropagated of Location.t * Timestamp.t
 | VariableAccessed of Pvar.t * Location.t * Timestamp.t
 | VariableDeclared of Pvar.t * Location.t * Timestamp.t
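Review bot: `add_propagation_event_to_history` rebuilds the identical `ValueHistory.TaintPropagated (call_location, timestamp)` value inside the closure for every element of `taints_in`, although neither `call_location` nor `timestamp` depends on the element. The event can be built once and the helper reduced to a single expression: `let propagation_event = ValueHistory.TaintPropagated (call_location, timestamp) in` followed by `let add_propagation_event_to_history hist = ValueHistory.sequence propagation_event (add_call_to_history hist) in`. A one-line comment on the helper saying why the extra event is recorded would also help, since nothing in this hunk explains that it exists so the history-based sink check in PulseTaintOperations.ml can recognise values that went through a PropagateTaintFrom application. The enclosing function starts before this hunk, so I am inferring that `call_location` and `timestamp` are the per-call values bound there.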
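Review bot: `| ValueHistory.TaintPropagated _ -> true` makes the sink-policy check kind-blind for any value whose history contains a propagation event: the `TaintSource` arm just above only matches when one of `taint_item.kinds` satisfies `source_matches_sink_policy sink_kind sink_policy`, whereas the new arm matches unconditionally, and it could not do otherwise because `TaintPropagated` (the type hunk in PulseValueHistory.ml, and the same addition in the .mli) carries only a `Location.t` and a `Timestamp.t`. If `check` is applied existentially over the value's history — the rest of `check_source_against_sink_policy` is outside the hunk, so this is inferred — a history holding a `TaintSource` of a non-matching kind followed by a `TaintPropagated` now satisfies a policy it did not satisfy before. Over-reporting is the conservative direction for a taint checker, but the choice should be deliberate: either carry the propagated `TaintItem.t` (or its kinds) in the event and check it the way the `TaintSource` arm does, or state the over-approximation in place, e.g. `(* no kind information survives a PropagateTaintFrom application: over-approximate *)`.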
@@ -75,6 +76,7 @@ let location_of_event = function
 | Returned (location, _)
 | StructFieldAddressCreated (_, location, _)
 | TaintSource (_, location, _)
+ | TaintPropagated (location, _)
 | VariableAccessed (_, location, _)
 | VariableDeclared (_, location, _) ->
 location
@@ -93,6 +95,7 @@ let timestamp_of_event = function
 | Returned (_, timestamp)
 | StructFieldAddressCreated (_, _, timestamp)
 | TaintSource (_, _, timestamp)
+ | TaintPropagated (_, timestamp)
 | VariableAccessed (_, _, timestamp)
 | VariableDeclared (_, _, timestamp) ->
 timestamp
@@ -252,6 +255,8 @@ let pp_event_no_location fmt event =
 F.fprintf fmt "struct field address `%a` created" pp_fields field_names
 | TaintSource (taint_source, _, _) ->
 F.fprintf fmt "source of the taint here: %a" TaintItem.pp taint_source
+ | TaintPropagated _ ->
+ F.fprintf fmt "taint propagated"
 | VariableAccessed (pvar, _, _) ->
 F.fprintf fmt "%a accessed here" pp_pvar pvar
 | VariableDeclared (pvar, _, _) ->
@@ -310,7 +315,7 @@ let is_taint_event = function
 | VariableAccessed _
 | VariableDeclared _ ->
 false
- | TaintSource _ ->
+ | TaintSource _ | TaintPropagated _ ->
 true
diff --git a/infer/src/pulse/PulseValueHistory.mli b/infer/src/pulse/PulseValueHistory.mli
index 371251717d9..9deb98bb3a3 100644
--- a/infer/src/pulse/PulseValueHistory.mli
+++ b/infer/src/pulse/PulseValueHistory.mli
@@ -28,6 +28,7 @@ type event =
 | Returned of Location.t * Timestamp.t
 | StructFieldAddressCreated of Fieldname.t RevList.t * Location.t * Timestamp.t
 | TaintSource of TaintItem.t * Location.t * Timestamp.t
+ | TaintPropagated of Location.t * Timestamp.t
 | VariableAccessed of Pvar.t * Location.t * Timestamp.t
 | VariableDeclared of Pvar.t * Location.t * Timestamp.t
diff --git a/infer/tests/codetoanalyze/cpp/pulse/issues.exp b/infer/tests/codetoanalyze/cpp/pulse/issues.exp
index 5b34d0b09e8..fcde1f55208 100644
--- a/infer/tests/codetoanalyze/cpp/pulse/issues.exp
+++ b/infer/tests/codetoanalyze/cpp/pulse/issues.exp
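Review bot: The new trace step `F.fprintf fmt "taint propagated"` is the only `pp_event_no_location` case in this hunk that says nothing about its subject — its neighbours print the taint item, the field names or the variable — and, because the event has no payload, it cannot say what was propagated or through which call. None of the updated `issues.exp` files in this commit contain the text `taint propagated`, so I cannot tell from the diff whether the message ever reaches a report; if it does, a wording that names the mechanism, e.g. `"taint propagated by a call with no summary"`, would sit better next to the `in call to function ... with no summary` steps visible in the expectations. That wording assumes the PulseAttribute.ml hunk is the only place the event is created, which this hunk cannot confirm.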
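Review bot: `TaintPropagated of Location.t * Timestamp.t` enters the public interface in the .mli with no doc comment, and its meaning is not recoverable from the constructor alone (propagated from what, by what). A short ocamldoc on the constructor stating when the event is recorded — on the evidence of the PulseAttribute.ml hunk, when a `PropagateTaintFrom` attribute is applied at a call, stamped with that call's location and timestamp — and that it deliberately carries no taint kinds would let readers of `is_taint_event` and of the sink-policy check know exactly what they are matching on.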
@@ -280,7 +280,7 @@ codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_field_ok2, 2, PULSE_UNNECE codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad1, 4, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `basics::Obj::string_source` with kind `SimpleSource`,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,value passed as argument `#1` to `basics::Obj::string_sink` with kind `SimpleSink`], source: basics::Obj::string_source, sink: basics::Obj::string_sink, tainted expression: UNKNOWN codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad1, 4, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad2, 2, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] -codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad2, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `basics::Obj::string_source` with kind `SimpleSource`,value passed as argument `#1` to `basics::Obj::string_sink` with kind `SimpleSink`], source: basics::Obj::string_source, sink: basics::Obj::string_sink, tainted expression: UNKNOWN +codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad2, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `basics::Obj::string_source` with kind `SimpleSource`,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,value passed as argument `#1` to `basics::Obj::string_sink` with kind `SimpleSink`], source: basics::Obj::string_source, sink: basics::Obj::string_sink, tainted expression: UNKNOWN codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad2, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type 
`std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/basics.cpp, basics::taint_arg_source_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value passed as argument `#0` to `basics::Obj::taint_arg_source` with kind `SimpleSource`,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: basics::Obj::taint_arg_source, sink: __infer_taint_sink, tainted expression: source codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_sanitizer_ok1, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] 
@@ -354,7 +354,9 @@ codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format1, 0, P codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format1, 1, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [first instantiated at,copied here (with type `std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format2, 0, PULSE_CONST_REFABLE, no_bucket, ERROR, [Parameter fmt with type `std::basic_string,std::allocator>`] codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format2, 1, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [first instantiated at,copied here (with type `std::basic_string,std::allocator>&`)] +codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format1_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format1_bad, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] +codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format2_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format2_bad, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format3_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,in call to function `strings::format3` with no summary,in 
call to function `strings::Formatter,std::allocator>&>::str` with no summary,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format3_bad, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] 
@@ -383,7 +385,7 @@ codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect, 0, codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect, 1, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect, 2, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect_bad, 2, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] -codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN +codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect_bad, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::FN_via_skip_by_ref_bad, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/unknown_code.cpp, 
unknown_code::FN_via_skip_by_ref_bad, 4, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)]
diff --git a/infer/tests/codetoanalyze/cpp/pulse/issues.exp-11 b/infer/tests/codetoanalyze/cpp/pulse/issues.exp-11
index abc495dd528..a679cf87bda 100644
--- a/infer/tests/codetoanalyze/cpp/pulse/issues.exp-11
+++ b/infer/tests/codetoanalyze/cpp/pulse/issues.exp-11
@@ -281,7 +281,7 @@ codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_field_ok2, 2, PULSE_UNNECE codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad1, 4, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `basics::Obj::string_source` with kind `SimpleSource`,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,value passed as argument `#1` to `basics::Obj::string_sink` with kind `SimpleSink`], source: basics::Obj::string_source, sink: basics::Obj::string_sink, tainted expression: UNKNOWN codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad1, 4, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad2, 2, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] -codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad2, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `basics::Obj::string_source` with kind `SimpleSource`,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,value passed as argument `#1` to `basics::Obj::string_sink` with kind `SimpleSink`], source: basics::Obj::string_source, sink: basics::Obj::string_sink, tainted expression: UNKNOWN +codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad2, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `basics::Obj::string_source` with kind `SimpleSource`,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,value passed as argument `#1` to `basics::Obj::string_sink` with kind `SimpleSink`], source: 
basics::Obj::string_source, sink: basics::Obj::string_sink, tainted expression: UNKNOWN codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad2, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/basics.cpp, basics::taint_arg_source_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value passed as argument `#0` to `basics::Obj::taint_arg_source` with kind `SimpleSource`,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: basics::Obj::taint_arg_source, sink: __infer_taint_sink, tainted expression: source codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_sanitizer_ok1, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] 
@@ -355,9 +355,9 @@ codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format1, 0, P codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format1, 1, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [first instantiated at,copied here (with type `std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format2, 0, PULSE_CONST_REFABLE, no_bucket, ERROR, [Parameter fmt with type `std::basic_string,std::allocator>`] codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format2, 1, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [first instantiated at,copied here (with type `std::basic_string,std::allocator>&`)] -codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format1_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN +codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format1_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format1_bad, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] -codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format2_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: 
UNKNOWN +codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format2_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format2_bad, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format3_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,in call to function `strings::format3` with no summary,in call to function `strings::Formatter,std::allocator>&>::str` with no summary,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format3_bad, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] 
@@ -386,7 +386,7 @@ codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect, 0, codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect, 1, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect, 2, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect_bad, 2, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] -codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN +codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,in call to function `std::basic_string,std::allocator>::basic_string` with no summary,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect_bad, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)] codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::FN_via_skip_by_ref_bad, 3, 
PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)]
 codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::FN_via_skip_by_ref_bad, 4, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string,std::allocator>&`)]
diff --git a/infer/tests/codetoanalyze/cpp/pulse/taint/strings.cpp b/infer/tests/codetoanalyze/cpp/pulse/taint/strings.cpp
index 7b6d6a8a06e..5ce800b285f 100644
--- a/infer/tests/codetoanalyze/cpp/pulse/taint/strings.cpp
+++ b/infer/tests/codetoanalyze/cpp/pulse/taint/strings.cpp
@@ -180,14 +180,12 @@ Formatter format3(std::string fmt, Args&&... args);
 template Formatter* format4(std::string fmt, Args&&... args);
-// doesn't work with --pulse-taint-check-history on some clang versions
 void format1_bad() {
 auto source = __infer_taint_source();
 auto laundered_source = format1("%s", source).str();
 __infer_taint_sink(laundered_source);
 }
-// doesn't work with --pulse-taint-check-history on some clang versions
 void format2_bad() {
 auto source = __infer_taint_source();
 auto laundered_source = format2("%s", source)->str();
diff --git a/infer/tests/codetoanalyze/java/pulse/issues.exp b/infer/tests/codetoanalyze/java/pulse/issues.exp
index 9f702c7382f..337714ae42b 100644
--- a/infer/tests/codetoanalyze/java/pulse/issues.exp
+++ b/infer/tests/codetoanalyze/java/pulse/issues.exp
@@ -226,6 +226,7 @@ codetoanalyze/java/pulse/taint/DynamicDispatch.java, codetoanalyze.java.pulse.Dy codetoanalyze/java/pulse/taint/Exceptions.java, codetoanalyze.java.pulse.Exceptions.sinkInFinallyBad1():void, 5, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kinds `Simple`,`UserControlledString`,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: source codetoanalyze/java/pulse/taint/Exceptions.java, codetoanalyze.java.pulse.Exceptions.sinkInFinallyBad2():void, 6, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kinds `Simple`,`UserControlledString`,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: source codetoanalyze/java/pulse/taint/Exceptions.java, codetoanalyze.java.pulse.Exceptions.callSinkThenThrowBad():void, 1, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kinds `Simple`,`UserControlledString`,when calling `void Exceptions.callSinkThenThrow(Object)` here,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: Object InferTaint.inferSecretSource() +codetoanalyze/java/pulse/taint/Exceptions.java, codetoanalyze.java.pulse.Exceptions.callSinkWithSourceInsideExceptionObjectBad():void, 4, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kinds `Simple`,`UserControlledString`,value 
passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: e codetoanalyze/java/pulse/taint/ExternalSpecs.java, codetoanalyze.java.pulse.ExternalSpecs.logExternalSourceBad():void, 1, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object ExternalSpecs.privateDataSource()` with kind `PrivateData`,value passed as argument `#1` to `int Log.e(String,String)` with kind `Logging`], source: Object ExternalSpecs.privateDataSource(), sink: int Log.e(String,String), tainted expression: Object ExternalSpecs.privateDataSource() codetoanalyze/java/pulse/taint/ExternalSpecs.java, codetoanalyze.java.pulse.ExternalSpecs.callExternalSinkBad():void, 1, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object ExternalSpecs.privateDataSource()` with kind `PrivateData`,value passed as argument `#1` to `void ExternalSpecs.loggingSink1(Object,Object)` with kind `Logging`], source: Object ExternalSpecs.privateDataSource(), sink: void ExternalSpecs.loggingSink1(Object,Object), tainted expression: Object ExternalSpecs.privateDataSource() codetoanalyze/java/pulse/taint/ExternalSpecs.java, codetoanalyze.java.pulse.ExternalSpecs.callExternalSink2Bad1():void, 1, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object ExternalSpecs.privateDataSource()` with kind `PrivateData`,value passed as argument `#0` to `void ExternalSpecs.loggingSink2(Object,Object)` with kind `Logging`], source: Object ExternalSpecs.privateDataSource(), sink: void ExternalSpecs.loggingSink2(Object,Object), tainted expression: Object ExternalSpecs.privateDataSource() 
@@ -419,6 +420,7 @@ codetoanalyze/java/pulse/taint/UnknownCode.java, codetoanalyze.java.pulse.Unknow codetoanalyze/java/pulse/taint/UnknownCode.java, codetoanalyze.java.pulse.UnknownCode.propagateEmptyBad():void, 6, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kinds `Simple`,`UserControlledString`,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: buffer codetoanalyze/java/pulse/taint/UnknownCode.java, codetoanalyze.java.pulse.UnknownCode.propagateEmptyBad():void, 7, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kinds `Simple`,`UserControlledString`,in call to function `StringBuffer StringBuffer.append(String)` with no summary,in call to function `StringBuffer StringBuffer.append(String)` with no summary,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: alias codetoanalyze/java/pulse/taint/UnknownCode.java, codetoanalyze.java.pulse.UnknownCode.callPropagateFootprintBad():void, 1, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kinds `Simple`,`UserControlledString`,when calling `void UnknownCode.propagateFootprint(String)` here,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: Object InferTaint.inferSecretSource() +codetoanalyze/java/pulse/taint/UnknownCode.java, codetoanalyze.java.pulse.UnknownCode.callPropagateThenPropagateFootprintBad():void, 2, 
TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kinds `Simple`,`UserControlledString`,when calling `void UnknownCode.propagateFootprint(String)` here,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: String UnknownCode.propagateTaint(String) codetoanalyze/java/pulse/taint/UnknownCode.java, codetoanalyze.java.pulse.UnknownCode.propagateViaInterfaceCodeBad(codetoanalyze.java.pulse.UnknownCode$Interface):void, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kinds `Simple`,`UserControlledString`,in call to function `Object UnknownCode$Interface.interfaceMethod(Object)` with no summary,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: launderedSource codetoanalyze/java/pulse/taint/UnknownCode.java, codetoanalyze.java.pulse.UnknownCode.propagateViaUnknownNativeCodeBad():void, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kinds `Simple`,`UserControlledString`,in call to function `Object UnknownCode.nativeMethod(Object)` with no summary,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: launderedSource codetoanalyze/java/pulse/taint/UnknownCode.java, codetoanalyze.java.pulse.UnknownCode.propagateViaUnknownAbstractCodeBad():void, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with 
kinds `Simple`,`UserControlledString`,in call to function `Object UnknownCode.nativeMethod(Object)` with no summary,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: launderedSource
diff --git a/infer/tests/codetoanalyze/java/pulse/taint/Exceptions.java b/infer/tests/codetoanalyze/java/pulse/taint/Exceptions.java
index aeb30f2abd9..9c5edf149b1 100644
--- a/infer/tests/codetoanalyze/java/pulse/taint/Exceptions.java
+++ b/infer/tests/codetoanalyze/java/pulse/taint/Exceptions.java
@@ -117,8 +117,7 @@ public static void doThrow(Object param) throws RuntimeException {
 throw new RuntimeException(param.toString());
 }
- // doesn't work with pulse-taint-check-history flag
- public static void FN_callSinkWithSourceInsideExceptionObjectBad() {
+ public static void callSinkWithSourceInsideExceptionObjectBad() {
 try {
 doThrow(InferTaint.inferSecretSource());
 } catch (RuntimeException e) {
diff --git a/infer/tests/codetoanalyze/java/pulse/taint/UnknownCode.java b/infer/tests/codetoanalyze/java/pulse/taint/UnknownCode.java
index 8bdd3852182..464ef3d9325 100644
--- a/infer/tests/codetoanalyze/java/pulse/taint/UnknownCode.java
+++ b/infer/tests/codetoanalyze/java/pulse/taint/UnknownCode.java
@@ -76,8 +76,7 @@ String propagateTaint(String param) {
 return (String) nativeMethod2(a, i);
 }
- // doesn't work with pulse-taint-check-history flag
- void FN_callPropagateThenPropagateFootprintBad() {
+ void callPropagateThenPropagateFootprintBad() {
 String source = (String) InferTaint.inferSecretSource();
 propagateFootprint(propagateTaint(source));
 }
diff --git a/infer/tests/codetoanalyze/kotlin/pulse/issues.exp b/infer/tests/codetoanalyze/kotlin/pulse/issues.exp
index fb352b1ba04..ad6116e447f 100644
--- a/infer/tests/codetoanalyze/kotlin/pulse/issues.exp
+++ b/infer/tests/codetoanalyze/kotlin/pulse/issues.exp
@@ -30,6 +30,7 @@ taint/DynamicDispatch.kt, codetoanalyze.kotlin.pulse.DynamicDispatch.propagateVi taint/Exceptions.kt, codetoanalyze.kotlin.pulse.Exceptions.sinkInFinallyBad1():void, 5, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kind `Simple`,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: source taint/Exceptions.kt, codetoanalyze.kotlin.pulse.Exceptions.sinkInFinallyBad2():void, 6, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kind `Simple`,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: source taint/Exceptions.kt, codetoanalyze.kotlin.pulse.Exceptions.callSinkThenThrowBad():void, 1, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kind `Simple`,when calling `void Exceptions.callSinkThenThrow(Object)` here,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: Object InferTaint.inferSecretSource() +taint/Exceptions.kt, codetoanalyze.kotlin.pulse.Exceptions.callSinkWithSourceInsideExceptionObjectBad():void, 4, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kind `Simple`,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted 
expression: e taint/Fields.kt, codetoanalyze.kotlin.pulse.Fields.instanceFieldBad():void, 2, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kind `Simple`,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: this->mFld taint/Fields.kt, codetoanalyze.kotlin.pulse.Fields.staticFieldBad():void, 2, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kind `Simple`,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: #GB<>$codetoanalyze.kotlin.pulse.Fields.sFld taint/Fields.kt, codetoanalyze.kotlin.pulse.Fields.viaFieldBad1(codetoanalyze.kotlin.pulse.Fields$Obj):void, 2, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kind `Simple`,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: Object Fields$Obj.getF() 
@@ -103,6 +104,7 @@ taint/TaintedThis.kt, codetoanalyze.kotlin.pulse.TaintedThis.taintThisBad():void taint/UnknownCode.kt, codetoanalyze.kotlin.pulse.UnknownCode.propagateEmptyBad():void, 6, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kind `Simple`,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: buffer taint/UnknownCode.kt, codetoanalyze.kotlin.pulse.UnknownCode.propagateEmptyBad():void, 7, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kind `Simple`,in call to function `StringBuffer StringBuffer.append(String)` with no summary,in call to function `StringBuffer StringBuffer.append(String)` with no summary,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: alias taint/UnknownCode.kt, codetoanalyze.kotlin.pulse.UnknownCode.callPropagateFootprintBad():void, 1, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kind `Simple`,when calling `void UnknownCode.propagateFootprint(String)` here,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: Object InferTaint.inferSecretSource() +taint/UnknownCode.kt, codetoanalyze.kotlin.pulse.UnknownCode.callPropagateThenPropagateFootprintBad():void, 2, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kind `Simple`,when calling `void 
UnknownCode.propagateFootprint(String)` here,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: String UnknownCode.propagateTaint(String) taint/UnknownCode.kt, codetoanalyze.kotlin.pulse.UnknownCode.propagateViaUnknownNativeCodeBad():void, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kind `Simple`,in call to function `Object UnknownCode$Companion.nativeMethod(Object)` with no summary,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: launderedSource taint/UnknownCode.kt, codetoanalyze.kotlin.pulse.UnknownCode$Companion.propagateViaUnknownConstructorBad():void, 4, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kind `Simple`,in call to function `String.(String)` with no summary,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted expression: unknownConstructor taint/UnknownCode.kt, codetoanalyze.kotlin.pulse.UnknownCode$Companion.propagateViaInterfaceCodeBad(codetoanalyze.kotlin.pulse.UnknownCode$Interface):void, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `Object InferTaint.inferSecretSource()` with kind `Simple`,in call to function `Object UnknownCode$Interface.interfaceMethod(Object)` with no summary,value passed as argument `#0` to `void InferTaint.inferSensitiveSink(Object)` with kind `Simple`], source: Object InferTaint.inferSecretSource(), sink: void InferTaint.inferSensitiveSink(Object), tainted 
expression: launderedSource
diff --git a/infer/tests/codetoanalyze/kotlin/pulse/taint/Exceptions.kt b/infer/tests/codetoanalyze/kotlin/pulse/taint/Exceptions.kt
index 840493f2650..e97d4bf44b9 100644
--- a/infer/tests/codetoanalyze/kotlin/pulse/taint/Exceptions.kt
+++ b/infer/tests/codetoanalyze/kotlin/pulse/taint/Exceptions.kt
@@ -125,8 +125,7 @@ class Exceptions {
 throw RuntimeException(param.toString())
 }
- // doesn't work with pulse-taint-check-history flag
- fun FN_callSinkWithSourceInsideExceptionObjectBad() {
+ fun callSinkWithSourceInsideExceptionObjectBad() {
 try {
 doThrow(inferSecretSource())
 } catch (e: RuntimeException) {
diff --git a/infer/tests/codetoanalyze/kotlin/pulse/taint/UnknownCode.kt b/infer/tests/codetoanalyze/kotlin/pulse/taint/UnknownCode.kt
index c64e4a0a021..4e2ab6eb8ee 100644
--- a/infer/tests/codetoanalyze/kotlin/pulse/taint/UnknownCode.kt
+++ b/infer/tests/codetoanalyze/kotlin/pulse/taint/UnknownCode.kt
@@ -48,8 +48,7 @@ abstract class UnknownCode {
 return nativeMethod2(param, i) as String?
 }
- // doesn't work with pulse-taint-check-history flag
- fun FN_callPropagateThenPropagateFootprintBad() {
+ fun callPropagateThenPropagateFootprintBad() {
 val source = InferTaint.inferSecretSource() as String
 propagateFootprint(propagateTaint(source))
 }
diff --git a/infer/tests/codetoanalyze/objc/pulse-data-lineage/issues.exp b/infer/tests/codetoanalyze/objc/pulse-data-lineage/issues.exp
index 9c16a5cb80a..bef4923b1c4 100644
--- a/infer/tests/codetoanalyze/objc/pulse-data-lineage/issues.exp
+++ b/infer/tests/codetoanalyze/objc/pulse-data-lineage/issues.exp
@@ -4,6 +4,7 @@ codetoanalyze/objc/pulse-data-lineage/SensitiveDataFlow.m, SensitiveDataFlow.cre codetoanalyze/objc/pulse-data-lineage/SensitiveDataFlow.m, SensitiveDataFlow.test, 2, SENSITIVE_DATA_FLOW, no_bucket, ADVICE, [in call to `SensitiveDataFlow.create_then_mutate`,in call to `SensitiveDataFlow.create_taint`,source of the taint here: value returned from `SensitiveDataFlow.__infer_taint_source` with kind `SimpleSource`,return from call to `SensitiveDataFlow.create_taint`,return from call to `SensitiveDataFlow.create_then_mutate`,when calling `SensitiveDataFlow.mutate_then_consume:` here,value passed as argument `#0` to `SensitiveDataFlow.consume:` with kind `SensitiveSink` (data flow only)], source: SensitiveDataFlow.__infer_taint_source, tainted expression: start codetoanalyze/objc/pulse-data-lineage/SensitiveDataFlow.m, SensitiveDataFlow.test_flow_to_unknown, 2, SENSITIVE_DATA_FLOW, no_bucket, ADVICE, [source of the taint here: value returned from `SensitiveDataFlow.__infer_taint_source` with kind `SimpleSource`,value passed as argument `#0` to `unknown` with kind `SensitiveSink` (data flow only)], source: SensitiveDataFlow.__infer_taint_source, tainted expression: obj codetoanalyze/objc/pulse-data-lineage/SensitiveDataFlow.m, SensitiveDataFlow.test_taint_propagation, 2, SENSITIVE_DATA_FLOW, no_bucket, ADVICE, [source of the taint here: value returned from `SensitiveDataFlow.__infer_taint_source` with kind `SimpleSource`,when calling `SensitiveDataFlow.propagate_taint:` here,value passed as argument `#0` to `unknown` with kind `SensitiveSink` (data flow only)], source: SensitiveDataFlow.__infer_taint_source, tainted expression: obj +codetoanalyze/objc/pulse-data-lineage/SensitiveDataFlow.m, SensitiveDataFlow.test_taint_propagation, 3, SENSITIVE_DATA_FLOW, no_bucket, ADVICE, [source of the taint here: value returned from `SensitiveDataFlow.__infer_taint_source` with kind `SimpleSource`,value passed as argument `#0` to `SensitiveDataFlow.might_be_a_sink:` 
with kind `SensitiveSink` (data flow only)], source: SensitiveDataFlow.__infer_taint_source, tainted expression: ret codetoanalyze/objc/pulse-data-lineage/SensitiveDataFlow.m, SensitiveDataFlow.test_ignored_calls, 2, SENSITIVE_DATA_FLOW, no_bucket, ADVICE, [source of the taint here: value returned from `TaintedObject.__infer_taint_source` with kind `SimpleSource`,value passed as argument `#0` to `SensitiveDataFlow.might_be_a_sink:` with kind `SensitiveSink` (data flow only)], source: TaintedObject.__infer_taint_source, tainted expression: tainted codetoanalyze/objc/pulse-data-lineage/basics.m, callSinkDirectBad, 2, DATA_FLOW_TO_SINK, no_bucket, ADVICE, [in call to `InferTaint.source`,allocated by call to `alloc` (modelled),source of the taint here: allocation of type `NSObject` by `alloc` with kind `InitSource` (data flow only),return from call to `InferTaint.source`,value passed as argument `#0` to `InferTaint.sink:` with kind `SimpleSink`], , sink: InferTaint.sink:, tainted expression: source codetoanalyze/objc/pulse-data-lineage/basics.m, callSinkDirectBad, 2, SENSITIVE_DATA_FLOW, no_bucket, ADVICE, [source of the taint here: value returned from `InferTaint.source` with kind `SimpleSource`,value passed as argument `#0` to `InferTaint.sink:` with kind `SensitiveSink` (data flow only)], source: InferTaint.source, tainted expression: source diff --git a/infer/tests/codetoanalyze/objc/pulse/issues.exp b/infer/tests/codetoanalyze/objc/pulse/issues.exp index 46c18aa1992..28f4e872b2d 100644 --- a/infer/tests/codetoanalyze/objc/pulse/issues.exp +++ b/infer/tests/codetoanalyze/objc/pulse/issues.exp 
@@ -261,7 +261,10 @@ codetoanalyze/objc/pulse/taint/testNSArray.m, testNSArray_WriteToURLErrorBad, 8, codetoanalyze/objc/pulse/taint/testNSArray.m, testNSArray_ArrayByApplyingDifferenceBad, 6, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `create_tainted` with kind `SimpleSource`,in call to `NSArray.arrayByApplyingDifference:`,value passed as argument `#0` to `testNSArray_sink` with kind `SimpleSink`], source: create_tainted, sink: testNSArray_sink, tainted expression: propagated codetoanalyze/objc/pulse/taint/testNSArray.m, testNSArray_ArrayWithContentsOfURLErrorBad, 6, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `create_tainted` with kind `SimpleSource`,in call to `NSArray.arrayWithContentsOfURL:error:`,value passed as argument `#0` to `testNSArray_sink` with kind `SimpleSink`], source: create_tainted, sink: testNSArray_sink, tainted expression: error codetoanalyze/objc/pulse/taint/testNSArray.m, testNSArray_ArrayWithContentsOfURLErrorBad, 7, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `create_tainted` with kind `SimpleSource`,in call to `NSArray.arrayWithContentsOfURL:error:`,value passed as argument `#0` to `testNSArray_sink` with kind `SimpleSink`], source: create_tainted, sink: testNSArray_sink, tainted expression: propagated +codetoanalyze/objc/pulse/taint/testNSArray.m, testNSArray_cell_ObjectAtIndex_bad, 3, TAINT_ERROR, no_bucket, ERROR, [in call to `init_NSMutableArray_with_tainted_and_untainted`,source of the taint here: value returned from `create_tainted` with kind `SimpleSource`,return from call to `init_NSMutableArray_with_tainted_and_untainted`,value passed as argument `#0` to `testNSArray_sink` with kind `SimpleSink`], source: create_tainted, sink: testNSArray_sink, tainted expression: value +codetoanalyze/objc/pulse/taint/testNSArray.m, testNSArray_cell_ObjectAtIndexedSubscript_bad, 3, TAINT_ERROR, no_bucket, ERROR, [in call to 
`init_NSMutableArray_with_tainted_and_untainted`,source of the taint here: value returned from `create_tainted` with kind `SimpleSource`,return from call to `init_NSMutableArray_with_tainted_and_untainted`,value passed as argument `#0` to `testNSArray_sink` with kind `SimpleSink`], source: create_tainted, sink: testNSArray_sink, tainted expression: value codetoanalyze/objc/pulse/taint/testNSArray.m, testNSArray_cell_ArrayWithArrayBad, 2, NULLPTR_DEREFERENCE_LATENT, no_bucket, ERROR, [*** SUPPRESSED ***,source of the null value part of the trace starts here,is assigned to the null pointer,null pointer dereference part of the trace starts here,in call to `NSArray.arrayWithArray:` (modelled),in call to `NSArray.arrayWithArray:` (modelled),invalid access occurs here] +codetoanalyze/objc/pulse/taint/testNSArray.m, testNSArray_cell_ArrayWithArrayBad, 5, TAINT_ERROR, no_bucket, ERROR, [in call to `init_NSMutableArray_with_tainted_and_untainted`,source of the taint here: value returned from `create_tainted` with kind `SimpleSource`,return from call to `init_NSMutableArray_with_tainted_and_untainted`,value passed as argument `#0` to `testNSArray_sink` with kind `SimpleSink`], source: create_tainted, sink: testNSArray_sink, tainted expression: value codetoanalyze/objc/pulse/taint/testNSArray.m, testNSArray_cell_ArrayWithArrayGood, 2, NULLPTR_DEREFERENCE_LATENT, no_bucket, ERROR, [*** SUPPRESSED ***,source of the null value part of the trace starts here,is assigned to the null pointer,null pointer dereference part of the trace starts here,in call to `NSArray.arrayWithArray:` (modelled),in call to `NSArray.arrayWithArray:` (modelled),invalid access occurs here] codetoanalyze/objc/pulse/taint/testNSDictionary.m, testNSDictionary_DictionaryWithObjectsForKeysBad, 4, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `create_tainted` with kind `SimpleSource`,in call to `NSDictionary.dictionaryWithObjects:forKeys:`,value passed as argument `#0` to 
`testNSDictionary_sink` with kind `SimpleSink`], source: create_tainted, sink: testNSDictionary_sink, tainted expression: propagated codetoanalyze/objc/pulse/taint/testNSDictionary.m, testNSDictionary_DictionaryWithObjectsForKeysCountBad, 6, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `create_tainted_id` with kind `SimpleSource`,in call to `NSDictionary.dictionaryWithObjects:forKeys:count:`,value passed as argument `#0` to `testNSDictionary_sink` with kind `SimpleSink`], source: create_tainted_id, sink: testNSDictionary_sink, tainted expression: propagated
diff --git a/infer/tests/codetoanalyze/objc/pulse/taint/testNSArray.m b/infer/tests/codetoanalyze/objc/pulse/taint/testNSArray.m
index 29031c055cb..3622525b127 100644
--- a/infer/tests/codetoanalyze/objc/pulse/taint/testNSArray.m
+++ b/infer/tests/codetoanalyze/objc/pulse/taint/testNSArray.m
@@ -971,8 +971,7 @@ void NSMutableArray_insertObjectAt(NSMutableArray* mArr, void* value, int idx) {
 return (__bridge void*)obj;
 }
-// doesn't work with pulse-taint-check-history flag
-void testNSArray_cell_ObjectAtIndex_bad_FN(void) {
+void testNSArray_cell_ObjectAtIndex_bad(void) {
 NSMutableArray* mArr = init_NSMutableArray_with_tainted_and_untainted();
 void* value = NSArray_objectAt(mArr, 0);
 testNSArray_sink(value);
@@ -989,8 +988,7 @@ void testNSArray_cell_ObjectAtIndex_good(void) {
 return (__bridge void*)obj;
 }
-// doesn't work with pulse-taint-check-history flag
-void testNSArray_cell_ObjectAtIndexedSubscript_bad_FN(void) {
+void testNSArray_cell_ObjectAtIndexedSubscript_bad(void) {
 NSMutableArray* mArr = init_NSMutableArray_with_tainted_and_untainted();
 void* value = NSArray_objectAtIndexedSubscript(mArr, 0);
 testNSArray_sink(value);