Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Fix false-negatives and false-positives #99

Closed
wants to merge 24 commits into from
Closed

[WIP] Fix false-negatives and false-positives #99

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
3b4bf1b
Make a false_negatives directory with the issues from the 11/16/17 ev…
KevinHock Mar 29, 2018
153501f
Made a folder example/november_2017_evaluation with a directory for f…
KevinHock Mar 30, 2018
104cf80
Fix the foddy infinite loop
KevinHock Mar 31, 2018
4156984
Delete the infinite_loop folder since it is fixed
KevinHock Mar 31, 2018
97074f3
Make source_nested_in_sink.py test and pass it by making .args = list…
KevinHock Apr 4, 2018
98b49b6
Make a test for if_else_in_sink
KevinHock Apr 5, 2018
ff1bc89
Fix double import trap https://stackoverflow.com/questions/43393764/p…
KevinHock Apr 5, 2018
6c7a8d2
[False-negs] Problem illustration commit
KevinHock Apr 10, 2018
e9dd5e4
[comments] w/r/t ConnectStatements
KevinHock Apr 11, 2018
63c3f96
save current work emergency
KevinHock May 10, 2018
8367f68
save current work emergency
KevinHock May 10, 2018
2578c29
Merge branch 'master' into fix_oakie_false_negative
KevinHock Jun 21, 2018
6226a77
Added changes back to file that git merge missed
KevinHock Jun 21, 2018
62e7420
Fix whitespace
KevinHock Jun 21, 2018
8b72e52
Fixed some imports that got broken by the merge, indented EXPECTED in…
KevinHock Jun 21, 2018
d42243c
Delete tests/vulnerabilities_test.py that I accidentally added, Fix C…
KevinHock Jun 21, 2018
695bbde
Mostly finished BoolOp, IfExp and expr_star_handler
KevinHock Jul 4, 2018
7ecf462
Handle BoolOp inside of BoolOp, Make ConnectExpressions a class, Fix …
KevinHock Jul 5, 2018
1fa04e8
Finished IfExp, found bug in expr_star_handler
KevinHock Jul 6, 2018
4081900
Fix case where false-positives could occur by making the node before …
KevinHock Jul 7, 2018
c6d9e62
Add vulnerable_code_with_expressions/last_var_in_and_is_tainted and l…
KevinHock Jul 10, 2018
4d2ad46
Change visit_IfExp to handle .test better, change expr_cfg_test.py to…
KevinHock Jul 10, 2018
5b1f262
Add example of connecting_control_flow_exprs_in_connect_expressions.py
KevinHock Jul 10, 2018
b85c072
Things I did on 7/26/18
KevinHock Jul 26, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions example/november_2017_evaluation/false_negatives/source_nested_in_sink.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
"""
This is very similar to one of the false-negatives found in our November 16th/17th 2017 evaluation
http://pyt.readthedocs.io/en/latest/past_evaluations.html#november-16-17th-2017
"""


@app.route('/login', methods=['GET', 'POST'])
def login():
return redirect(request.args.get("next"))
106 changes: 105 additions & 1 deletion pyt/expr_visitor.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import ast
import itertools

from .alias_helper import (
handle_aliases_in_calls
Expand All @@ -9,6 +10,7 @@
)
from .expr_visitor_helper import (
BUILTINS,
CALL_IDENTIFIER,
CFG,
return_connection_handler,
SavedVariable
Expand All @@ -28,7 +30,7 @@
)
from .right_hand_side_visitor import RHSVisitor
from .stmt_visitor import StmtVisitor
from .stmt_visitor_helper import CALL_IDENTIFIER
from .vars_visitor import VarsVisitor


class ExprVisitor(StmtVisitor):
Expand Down Expand Up @@ -537,6 +539,108 @@ def process_function(self, call_node, definition):

return self.nodes[-1]

def add_blackbox_or_builtin_call(self, node, blackbox):
"""Processes a blackbox or builtin function when it is called.
Nothing gets assigned to ret_func_foo in the builtin/blackbox case.

Increments self.function_call_index each time it is called, we can refer to it as N in the comments.
Create e.g. ¤call_1 = ret_func_foo RestoreNode.

Create e.g. temp_N_def_arg1 = call_arg1_label_visitor.result for each argument.
Visit the arguments if they're calls. (save_def_args_in_temp)

I do not think I care about this one actually -- Create e.g. def_arg1 = temp_N_def_arg1 for each argument.
(create_local_scope_from_def_args)

Add RestoreNode to the end of the Nodes.

Args:
node(ast.Call) : The node that calls the definition.
blackbox(bool): Whether or not it is a builtin or blackbox call.
Returns:
call_node(BBorBInode): The call node.
"""
self.function_call_index += 1
saved_function_call_index = self.function_call_index
self.undecided = False

call_label = LabelVisitor()
call_label.visit(node)

index = call_label.result.find('(')

# Create e.g. ¤call_1 = ret_func_foo
LHS = CALL_IDENTIFIER + 'call_' + str(saved_function_call_index)
RHS = 'ret_' + call_label.result[:index] + '('

call_node = BBorBInode(
label='',
left_hand_side=LHS,
right_hand_side_variables=[],
line_number=node.lineno,
path=self.filenames[-1],
func_name=call_label.result[:index]
)
visual_args = list()
rhs_vars = list()
last_return_value_of_nested_call = None

for arg in itertools.chain(node.args, node.keywords):
if isinstance(arg, ast.Call):
return_value_of_nested_call = self.visit(arg)

if last_return_value_of_nested_call:
# connect inner to other_inner in e.g.
# `scrypt.outer(scrypt.inner(image_name), scrypt.other_inner(image_name))`
# I should probably loop to the inner most call of other_inner here.
try:
last_return_value_of_nested_call.connect(return_value_of_nested_call.first_node)
except AttributeError:
last_return_value_of_nested_call.connect(return_value_of_nested_call)
else:
# I should only set this once per loop, inner in e.g.
# `scrypt.outer(scrypt.inner(image_name), scrypt.other_inner(image_name))`
# (inner_most_call is used when predecessor is a ControlFlowNode in connect_control_flow_node)
call_node.inner_most_call = return_value_of_nested_call
last_return_value_of_nested_call = return_value_of_nested_call

visual_args.append(return_value_of_nested_call.left_hand_side)
rhs_vars.append(return_value_of_nested_call.left_hand_side)
else:
label = LabelVisitor()
label.visit(arg)
visual_args.append(label.result)

vv = VarsVisitor()
vv.visit(arg)
rhs_vars.extend(vv.result)
if last_return_value_of_nested_call:
# connect other_inner to outer in e.g.
# `scrypt.outer(scrypt.inner(image_name), scrypt.other_inner(image_name))`
last_return_value_of_nested_call.connect(call_node)

if len(visual_args) > 0:
for arg in visual_args:
RHS = RHS + arg + ", "
# Replace the last ", " with a )
RHS = RHS[:len(RHS) - 2] + ')'
else:
RHS = RHS + ')'
call_node.label = LHS + " = " + RHS

# .args is only used in get_sink_args
# We make a new list because right_hand_side_variables is extended in assignment_call_node
call_node.right_hand_side_variables = rhs_vars
call_node.args = list(rhs_vars)
Copy link
Collaborator Author

@KevinHock KevinHock Apr 4, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we did not make a new list, things like this would happen:

 > User input at line 8, trigger word "request.args.get(":
     ¤call_1 = ret_request.args.get('image_name')
Reassigned in:
    File: example/vulnerable_code/path_traversal_sanitised.py
     > Line 8: image_name = ¤call_1
File: example/vulnerable_code/path_traversal_sanitised.py
 > reaches line 10, trigger word "replace(":
    ¤call_2 = ret_image_name.replace('..', '')

though the problem on master was that we didn't include ~call_N in .args, and thus in the return value of get_sink_args and so we had a false-negative that's now fixed. However, or_in_sink.py remains unsolved, for the time being.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason or_in_sink.py doesn't pass yet is because we don't if isinstance for BoolOp in the 'loop through args' code in visit_Call, should be easy enough.


if blackbox:
self.blackbox_assignments.add(call_node)

self.connect_if_allowed(self.nodes[-1], call_node)
self.nodes.append(call_node)

return call_node

def visit_Call(self, node):
_id = get_call_names_as_string(node.func)
local_definitions = self.module_definitions_stack[-1]
Expand Down
15 changes: 8 additions & 7 deletions pyt/expr_visitor_helper.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,13 +3,7 @@
from .node_types import ConnectToExitNode


SavedVariable = namedtuple(
'SavedVariable',
(
'LHS',
'RHS'
)
)
CALL_IDENTIFIER = '¤'
BUILTINS = (
'get',
'Flask',
Expand All @@ -31,6 +25,13 @@
'flash',
'jsonify'
)
SavedVariable = namedtuple(
'SavedVariable',
(
'LHS',
'RHS'
)
)


class CFG():
Expand Down
105 changes: 0 additions & 105 deletions pyt/stmt_visitor.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
import ast
import itertools
import os.path

from .alias_helper import (
Expand Down Expand Up @@ -36,7 +35,6 @@
from .project_handler import get_directory_modules
from .right_hand_side_visitor import RHSVisitor
from .stmt_visitor_helper import (
CALL_IDENTIFIER,
ConnectStatements,
connect_nodes,
extract_left_hand_side,
Expand Down Expand Up @@ -528,109 +526,6 @@ def visit_While(self, node):

return self.loop_node_skeleton(test, node)

def add_blackbox_or_builtin_call(self, node, blackbox):
"""Processes a blackbox or builtin function when it is called.
Nothing gets assigned to ret_func_foo in the builtin/blackbox case.

Increments self.function_call_index each time it is called, we can refer to it as N in the comments.
Create e.g. ¤call_1 = ret_func_foo RestoreNode.

Create e.g. temp_N_def_arg1 = call_arg1_label_visitor.result for each argument.
Visit the arguments if they're calls. (save_def_args_in_temp)

I do not think I care about this one actually -- Create e.g. def_arg1 = temp_N_def_arg1 for each argument.
(create_local_scope_from_def_args)

Add RestoreNode to the end of the Nodes.

Args:
node(ast.Call) : The node that calls the definition.
blackbox(bool): Whether or not it is a builtin or blackbox call.
Returns:
call_node(BBorBInode): The call node.
"""
self.function_call_index += 1
saved_function_call_index = self.function_call_index
self.undecided = False

call_label = LabelVisitor()
call_label.visit(node)

index = call_label.result.find('(')

# Create e.g. ¤call_1 = ret_func_foo
LHS = CALL_IDENTIFIER + 'call_' + str(saved_function_call_index)
RHS = 'ret_' + call_label.result[:index] + '('

call_node = BBorBInode(
label='',
left_hand_side=LHS,
right_hand_side_variables=[],
line_number=node.lineno,
path=self.filenames[-1],
func_name=call_label.result[:index]
)
visual_args = list()
rhs_vars = list()
last_return_value_of_nested_call = None

for arg in itertools.chain(node.args, node.keywords):
if isinstance(arg, ast.Call):
return_value_of_nested_call = self.visit(arg)

if last_return_value_of_nested_call:
# connect inner to other_inner in e.g.
# `scrypt.outer(scrypt.inner(image_name), scrypt.other_inner(image_name))`
# I should probably loop to the inner most call of other_inner here.
try:
last_return_value_of_nested_call.connect(return_value_of_nested_call.first_node)
except AttributeError:
last_return_value_of_nested_call.connect(return_value_of_nested_call)
else:
# I should only set this once per loop, inner in e.g.
# `scrypt.outer(scrypt.inner(image_name), scrypt.other_inner(image_name))`
# (inner_most_call is used when predecessor is a ControlFlowNode in connect_control_flow_node)
call_node.inner_most_call = return_value_of_nested_call
last_return_value_of_nested_call = return_value_of_nested_call

visual_args.append(return_value_of_nested_call.left_hand_side)
rhs_vars.append(return_value_of_nested_call.left_hand_side)
else:
label = LabelVisitor()
label.visit(arg)
visual_args.append(label.result)

vv = VarsVisitor()
vv.visit(arg)
rhs_vars.extend(vv.result)
if last_return_value_of_nested_call:
# connect other_inner to outer in e.g.
# `scrypt.outer(scrypt.inner(image_name), scrypt.other_inner(image_name))`
last_return_value_of_nested_call.connect(call_node)

if len(visual_args) > 0:
for arg in visual_args:
RHS = RHS + arg + ", "
# Replace the last ", " with a )
RHS = RHS[:len(RHS) - 2] + ')'
else:
RHS = RHS + ')'
call_node.label = LHS + " = " + RHS

call_node.right_hand_side_variables = rhs_vars
# Used in get_sink_args, not using right_hand_side_variables because it is extended in assignment_call_node
rhs_visitor = RHSVisitor()
rhs_visitor.visit(node)
call_node.args = rhs_visitor.result

if blackbox:
self.blackbox_assignments.add(call_node)

self.connect_if_allowed(self.nodes[-1], call_node)
self.nodes.append(call_node)

return call_node

def visit_With(self, node):
label_visitor = LabelVisitor()
label_visitor.visit(node.items[0])
Expand Down
2 changes: 1 addition & 1 deletion pyt/stmt_visitor_helper.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
import random
from collections import namedtuple

from .expr_visitor_helper import CALL_IDENTIFIER
from .node_types import (
AssignmentCallNode,
BBorBInode,
Expand All @@ -11,7 +12,6 @@
)


CALL_IDENTIFIER = '¤'
ConnectStatements = namedtuple(
'ConnectStatements',
(
Expand Down
33 changes: 22 additions & 11 deletions tests/vulnerabilities_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,17 +12,13 @@
UImode,
VulnerabilityFiles
)
from pyt.constraint_table import(
constraint_table,
initialize_constraint_table
)
from pyt.constraint_table import initialize_constraint_table
from pyt.fixed_point import analyse
from pyt.framework_adaptor import FrameworkAdaptor
from pyt.framework_helper import(
from pyt.framework_helper import (
is_django_view_function,
is_flask_route_function
)
from pyt.lattice import Lattice
from pyt.node_types import Node
from pyt.reaching_definitions_taint import ReachingDefinitionsTaintAnalysis

Expand Down Expand Up @@ -99,17 +95,15 @@ def test_find_triggers(self):
l = vulnerabilities.find_triggers(XSS1.nodes, trigger_words)
self.assert_length(l, expected_length=1)


def test_find_sanitiser_nodes(self):
cfg_node = Node(None, None, line_number=None, path=None)
sanitiser_tuple = vulnerabilities.Sanitiser('escape', cfg_node)
sanitiser_tuple = vulnerabilities.Sanitiser('escape', cfg_node)
sanitiser = 'escape'

result = list(vulnerabilities.find_sanitiser_nodes(sanitiser, [sanitiser_tuple]))
self.assert_length(result, expected_length=1)
self.assertEqual(result[0], cfg_node)


def test_build_sanitiser_node_dict(self):
self.cfg_create_from_file('example/vulnerable_code/XSS_sanitised.py')
cfg_list = [self.cfg]
Expand All @@ -118,7 +112,7 @@ def test_build_sanitiser_node_dict(self):

cfg = cfg_list[1]

cfg_node = Node(None, None, line_number=None, path=None)
cfg_node = Node(None, None, line_number=None, path=None)
sinks_in_file = [vulnerabilities.TriggerNode('replace', ['escape'], cfg_node)]

sanitiser_dict = vulnerabilities.build_sanitiser_node_dict(cfg, sinks_in_file)
Expand Down Expand Up @@ -146,7 +140,6 @@ def run_analysis(self, path):
)
)


def test_find_vulnerabilities_assign_other_var(self):
vulnerability_log = self.run_analysis('example/vulnerable_code/XSS_assign_to_other_var.py')
self.assert_length(vulnerability_log.vulnerabilities, expected_length=1)
Expand Down Expand Up @@ -512,6 +505,24 @@ def test_XSS_variable_multiple_assign_result(self):

self.assertTrue(self.string_compare_alpha(vulnerability_description, EXPECTED_VULNERABILITY_DESCRIPTION))

def test_source_nested_in_sink(self):
vulnerability_log = self.run_analysis('example/november_2017_evaluation/false_negatives/source_nested_in_sink.py')
self.assert_length(vulnerability_log.vulnerabilities, expected_length=1)
vulnerability_description = str(vulnerability_log.vulnerabilities[0])

EXPECTED_VULNERABILITY_DESCRIPTION = """
File: example/november_2017_evaluation/false_negatives/source_nested_in_sink.py
> User input at line 8, trigger word "request.args.get(":
¤call_2 = ret_request.args.get('next')
Reassigned in:
File: example/november_2017_evaluation/false_negatives/source_nested_in_sink.py
> Line 8: ret_login = ¤call_1
File: example/november_2017_evaluation/false_negatives/source_nested_in_sink.py
> reaches line 8, trigger word "redirect(":
¤call_1 = ret_redirect(¤call_2)
"""
self.assertTrue(self.string_compare_alpha(vulnerability_description, EXPECTED_VULNERABILITY_DESCRIPTION))


class EngineDjangoTest(BaseTestCase):
def run_empty(self):
Expand Down