Dynamic: add Fuzzy token #13737
Open
Dynamic: add Fuzzy token #13737
+316
−17
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The API graph entry point depended on API::Node. This was due to depending on the the TComponent newtype which has a branch that depends on API::Node
43fbd08
to
eb5c600
Compare
yoff
approved these changes
Jul 17, 2023
There was a problem hiding this comment.
Python 👍
And thanks for implementing this for Python, also!
I suppose that in getAFuzzySuccessor we should make sure to avoid loops and that is why self parameters are avoided in Ruby. The Python implementation does look loop-free as far as I can tell. Do the DCA runs actually test the new feature, if we have no fuzzy specifications yet?
jorgectf
reviewed
Jul 20, 2023
| conn.query(q, (err, rows) => {...}); // <-- add 'q' as a SQL injection sink | ||
| }); | ||
| We can recognize this using a fuzzy model, as showin in the following extension: |
There was a problem hiding this comment.
Suggested change
| We can recognize this using a fuzzy model, as showin in the following extension: | |
| We can recognize this using a fuzzy model, as shown in the following extension: |
| data: | ||
| - ["mysql", "Fuzzy.Member[query].Argument[0]", "sql-injection"] | ||
| - The first column, **"mysql"**, begins the search at at places where the `mysql` package is imported. |
There was a problem hiding this comment.
Suggested change
| - The first column, **"mysql"**, begins the search at at places where the `mysql` package is imported. | |
| - The first column, **"mysql"**, begins the search at places where the `mysql` package is imported. |
| In principle, this would also find expressions such as `pool.query` and `err.query`, but in practice such expressions | ||
| are not likely to occur, because the `pool` and `err` objects do not have a member named `query`. | ||
| - **Argument[0]** selects the first argument of a call to the selected member, that is, the `q` argument to `conn.query`. | ||
| - **sql-injection** indicates that this is considered a sink for the SQL injection query. |
There was a problem hiding this comment.
Suggested change
| - **sql-injection** indicates that this is considered a sink for the SQL injection query. | |
| - **sql-injection** indicates that this is considered as a sink for the SQL injection query. |
| @@ -431,6 +484,9 @@ The following components are supported: | |||
| - **MapValue** selects a value of a map object. | |||
| - **Awaited** selects the value of a promise. | |||
| - **Instance** selects instances of a class. | |||
| - **Fuzzy** selects all values that are derived from the current value through a combination of the other operations described in this list. | |||
| For example, this can be used to find all values the appear to originate from a particular package. This can be useful for finding method calls | |||
There was a problem hiding this comment.
Suggested change
| For example, this can be used to find all values the appear to originate from a particular package. This can be useful for finding method calls | |
| For example, this can be used to find all values that appear to originate from a particular package. This can be useful for finding method calls |
alexrford
approved these changes
Jul 27, 2023
| or | ||
| result = node.getAnElement() | ||
| or | ||
| result = node.getInstance() |
There was a problem hiding this comment.
I guess that this means that "FuzzyLib!;Fuzzy.<path>;test-sink" will find strictly more results than "FuzzyLib;Fuzzy.<path>;test-sink"?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds a
Fuzzytoken to the identifying access path for all dynamic languages, which will match, loosely speaking, an arbitrary series of operations.For example, suppose we wanted to add a SQL injection sink for the
querymethod in themysqlpackage, but we don't have a detailed enough knowledge of the library to do this precisely. So we just write the model like this:This would match all
querycalls whose receiver is an object that appears to come from themysqlpackage. The latter criterion comes from "tracking through an arbitrary series of operations".This can serve as a foundation for a dedicated extension point for fuzzy models. An entry in such a fuzzy model might simply look like: