
Display positions in SourceDuplicate errors #741

Closed

Conversation

@abishekvashok (Contributor) commented Jun 2, 2023

Pre-submission checklist

  • I've run the linters locally and fixed lint errors related to the files I modified in this PR. You can install the linters by running pip install -r requirements-dev.txt && pre-commit install
  • pre-commit run

Summary

Previously, when SourceDuplicate errors occurred, we just left a note specifying the duplicate name. Now we can specify the locations where the duplicates occurred.

Modifies annotationParser, as annotationParser.source_or_sink is where the sink or source is parsed into from taint.config files, to contain the location information to be used in case duplicates occur.

Modifies and updates tests to confirm and check the new record field and type of SourceDuplicate error.

Test Plan

  • Post changes with the default taint.config, running pysa on documentation/pysa_tutorial/exercise1
[screenshot: pysa output with the default taint.config]
  • Modify taint.config to:
{
  "sources": [
    {
      "name": "CustomUserControlled",
      "comment": "use to annotate user input"
    },
    {
      "name": "CustomUserControlled",
      "comment": "duplicate for testing"
    }
  ],

  "sinks": [
    {
      "name": "CodeExecution",
      "comment": "use to annotate execution of python code"
    }
  ],

  "features": [],

  "rules": [
    {
      "name": "Possible RCE:",
      "code": 5001,
      "sources": [ "CustomUserControlled" ],
      "sinks": [ "CodeExecution" ],
      "message_format": "User specified data may reach a code execution sink"
    }
  ]
}

Before this PR:
[screenshot: SourceDuplicate error before this PR, naming only the duplicate]

After this PR:
[screenshot: SourceDuplicate error after this PR, with the duplicate's positions]

  • make test

Footnotes:

  • pysa github action was failing before this PR

Fixes part of: MLH-Fellowship#82
Signed-off-by: Abishek V Ashok abishekvashok@gmail.com

Previously, when SourceDuplicate errors occurred, we just left a note
specifying the duplicate name. Now we can specify the locations where
the duplicates occurred.

Modifies annotationParser, as annotationParser.source_or_sink is where
the sink or source is parsed into from taint.config files, to contain the
location information to be used in case duplicates occur.

Modifies and updates tests to confirm and check the new record field and
type of SourceDuplicate error.

Signed-off-by: Abishek V Ashok <abishekvashok@gmail.com>
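A worked illustration of the check this PR changes, added here as an example and not Pyre's own code (Pyre implements it in OCaml in annotationParser): parse a taint.config and report every duplicated name together with the line and column of both occurrences, which is what the "after" screenshot shows and the "before" one lacks. Python's json module discards positions, so the example carries a small position-tracking JSON parser of its own. The message wording, the sample config (a trimmed copy of the test plan's taint.config) and the treatment of sinks, transforms and features, the sections the review discussion below asks about, are assumptions; the PR itself covers sources.

```python
"""Report duplicate names in a Pysa taint.config with line:column positions. Added example,
not Pyre/Pysa code (the real check is in Pyre's OCaml annotationParser); json.loads() drops
positions, so a small position-tracking JSON parser is included."""
import json
import re
from collections import namedtuple

# One alternative per JSON token; whitespace is matched too so it can advance line/column.
_TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|-?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?|true|false|null|[{}\[\]:,]|\s+')
Located = namedtuple("Located", "value line column")  # a JSON string and where it starts (1-based)


def _tokenize(text):
    pos, line, col = 0, 1, 1
    while pos < len(text):
        match = _TOKEN_RE.match(text, pos)
        if match is None:
            raise ValueError(f"{line}:{col}: unexpected character {text[pos]!r}")
        tok = match.group(0)
        if not tok.isspace():
            yield tok, line, col
        if "\n" in tok:
            line, col = line + tok.count("\n"), len(tok) - tok.rfind("\n")
        else:
            col += len(tok)
        pos = match.end()


class _Parser:
    """Minimal recursive-descent JSON parser; every string comes back as a Located."""

    def __init__(self, text):
        self._tokens = list(_tokenize(text))
        self._index = 0

    def _next(self):
        if self._index == len(self._tokens):
            raise ValueError("unexpected end of input")
        self._index += 1
        return self._tokens[self._index - 1]

    def _items(self, close):
        # Drives a comma-separated sequence: yields once before each element.
        if self._index < len(self._tokens) and self._tokens[self._index][0] == close:
            self._index += 1
            return
        while True:
            yield
            tok, line, col = self._next()
            if tok == close:
                return
            if tok != ",":
                raise ValueError(f"{line}:{col}: expected ',' or {close!r}, got {tok!r}")

    def parse(self):
        tok, line, col = self._next()
        if tok == "{":
            obj = {}
            for _ in self._items("}"):
                key = self.parse()
                if not isinstance(key, Located) or self._next()[0] != ":":
                    raise ValueError(f'{line}:{col}: expected "key": value pairs in object')
                obj[key.value] = self.parse()
            return obj
        if tok == "[":
            return [self.parse() for _ in self._items("]")]
        if tok.startswith('"'):
            return Located(json.loads(tok), line, col)
        return json.loads(tok)  # number, true, false or null


def find_duplicates(config_text):
    """Return one message per repeated name, in file order, naming both positions."""
    config = _Parser(config_text).parse()
    errors = []
    # Sections whose entries are objects carrying a "name" (assumed list; the PR covers sources).
    for kind, section in (("source", "sources"), ("sink", "sinks"),
                          ("transform", "transforms"), ("feature", "features")):
        seen = {}
        for entry in config.get(section, []):
            name = entry.get("name") if isinstance(entry, dict) else None
            if not isinstance(name, Located):
                continue  # malformed entry; left to the rest of config validation
            first = seen.setdefault(name.value, name)
            if first is not name:
                errors.append(f"{name.line}:{name.column}: Duplicate entry for {kind} "
                              f"`{name.value}`, first defined at {first.line}:{first.column}")
    return errors


# Constructed sample: the PR's test-plan taint.config, trimmed, with the duplicated source kept.
SAMPLE_CONFIG = """{
  "sources": [
    { "name": "CustomUserControlled", "comment": "use to annotate user input" },
    { "name": "CustomUserControlled", "comment": "duplicate for testing" }
  ],
  "sinks": [{ "name": "CodeExecution", "comment": "use to annotate execution of python code" }]
}
"""
```

Calling find_duplicates(SAMPLE_CONFIG) yields a single message pointing at line 4, column 15, and naming line 3, column 15 as the first definition; the same name used in different sections is not a duplicate, since each section keeps its own table, and the position reported is that of the "name" string itself rather than the enclosing object, so it lands on the token a user would edit.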

@arthaud arthaud left a comment


That looks great, thanks!

@facebook-github-bot (Contributor):

@arthaud has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

@arthaud (Contributor) commented Jul 19, 2023

Do you plan to work on the same thing for sink/transform/features?

@abishekvashok (Contributor, Author) commented Jul 19, 2023

Do you plan to work on the same thing for sink/transform/features?

Yes - @arthaud Is it okay if I do?

@arthaud (Contributor) commented Jul 19, 2023

Of course :)

@facebook-github-bot (Contributor):

@arthaud merged this pull request in 1003a5e.
