Support sanitizing all parameters in the analysis

Summary: This implements all parameters sanitizers and adds documentation for it.

Reviewed By: pradeep90

Differential Revision: D30948252

fbshipit-source-id: a503d8845a2a27cb046d8233298374eb931006f4

Author: arthaud

documentation/website/docs/pysa_basics.md

@@ -281,7 +281,7 @@ def django.utils.html.escape(text: TaintInTaintOut): ...
 def module.sanitize_for_logging_and_sql(): ...
 ```
 
-Parameters can be marked as sanitized to remove all taint passing through them:
+Specific parameters can be marked as sanitized to remove all taint passing through them:
 
 ```python
 def module.safe_function(
@@ -302,6 +302,19 @@ def modules.safe_return_source() -> Sanitize[TaintSource]: ...
 def modules.return_not_user_controlled() -> Sanitize[TaintSource[UserControlled]]: ...
 ```
 
+All parameters can be marked as sanitized as well:
+
+```python
+@Sanitize(Parameters)
+def module.sanitize_all_parameters(): ...
+
+@Sanitize(Parameters[TaintSource[UserControlled]))
+def module.parameters_not_user_controlled(): ...
+
+@Sanitize(Parameters[TaintInTaintOut[TaintSource[UserControlled], TaintSink[SQL]]]))
+def module.parameters_not_taint_in_taint_out(): ...
+```
+
 Attributes can also be marked as sanitizers to remove all taint passing through
 them:
 

source/interprocedural_analyses/taint/backwardAnalysis.ml

@@ -275,7 +275,9 @@ module AnalysisInstance (FunctionContext : FUNCTION_CONTEXT) = struct
             List.map
               ~f:(fun { AccessPath.root; _ } -> SanitizeRootMap.get root sanitizers.roots)
               sanitize_matches
-            |> List.fold ~f:Sanitize.join ~init:sanitizers.global
+            |> List.fold ~f:Sanitize.join ~init:Sanitize.empty
+            |> Sanitize.join sanitizers.global
+            |> Sanitize.join sanitizers.parameters
           in
           match sanitize.Sanitize.tito with
           | Some AllTito -> BackwardState.Tree.bottom

source/interprocedural_analyses/taint/forwardAnalysis.ml

@@ -183,7 +183,9 @@ module AnalysisInstance (FunctionContext : FUNCTION_CONTEXT) = struct
             List.map
               ~f:(fun { AccessPath.root; _ } -> SanitizeRootMap.get root sanitizers.roots)
               sanitize_matches
-            |> List.fold ~f:Sanitize.join ~init:sanitizers.global
+            |> List.fold ~f:Sanitize.join ~init:Sanitize.empty
+            |> Sanitize.join sanitizers.global
+            |> Sanitize.join sanitizers.parameters
           in
           match sanitize.Sanitize.tito with
           | Some AllTito -> ForwardState.Tree.bottom

source/interprocedural_analyses/taint/model.ml

@@ -468,7 +468,7 @@ let apply_sanitizers
     {
       forward = { source_taint };
       backward = { taint_in_taint_out; sink_taint };
-      sanitizers = { global; roots; _ } as sanitizers;
+      sanitizers = { global; parameters; roots } as sanitizers;
       modes;
     }
   =
@@ -487,7 +487,19 @@ let apply_sanitizers
   let taint_in_taint_out =
     match global.tito with
     | Some AllTito -> BackwardState.empty
-    | _ -> taint_in_taint_out
+    | _ ->
+        (* We cannot apply source or sink specific taint-in-taint-out sanitizers
+         * here because the tito model does not know about source or sink kinds.
+         *
+         * For instance, in `def f(x): return x`, we infer that `f` propagates
+         * the taint from `x` to its return value, regardless of the source or
+         * sink kind.
+         *
+         * Therefore, we apply those in `apply_call_target` in the forward and
+         * backward analysis, where we actually see source and sink kinds of the
+         * arguments.
+         *)
+        taint_in_taint_out
   in
   let sink_taint =
     match global.sinks with
@@ -500,6 +512,23 @@ let apply_sanitizers
           sink_taint
     | None -> sink_taint
   in
+  (* Apply the parameters sanitizer. *)
+  let taint_in_taint_out =
+    match parameters.tito with
+    | Some AllTito -> BackwardState.empty
+    | _ -> taint_in_taint_out
+  in
+  let sink_taint =
+    match parameters.sinks with
+    | Some Sanitize.AllSinks -> BackwardState.empty
+    | Some (Sanitize.SpecificSinks sanitized_sinks) ->
+        BackwardState.transform
+          BackwardTaint.kind
+          Filter
+          ~f:(fun sink -> not (Sinks.Set.mem sink sanitized_sinks))
+          sink_taint
+    | None -> sink_taint
+  in
   (* Apply root specific sanitizers. *)
   let sanitize_root (root, sanitize) (source_taint, taint_in_taint_out, sink_taint) =
     let source_taint =

source/interprocedural_analyses/taint/test/integration/sanitize.py

@@ -464,7 +464,7 @@ def no_propagation_with_sanitize_parameter_a_sink_tito(x):
 
 
 def propagation_of_b_with_sanitize_parameter_a_sink_tito(x):
-    y = sanitize_a_sink_tito(x)
+    y = sanitize_parameter_a_sink_tito(x)
     b_sink(y)
 
 
@@ -508,3 +508,101 @@ def sanitize_return_a_and_b_source():
 
 def sanitize_return_with_user_declared_source(x):
     return 0
+
+
+def sanitize_all_parameters(x, y):
+    _test_sink(x)
+    _test_sink(y)
+    return source_with_tito(x) + source_with_tito(y)
+
+
+def sanitize_all_parameters_all_sources(x, y):
+    _test_sink(x)
+    _test_sink(y)
+    return source_with_tito(x) + source_with_tito(y)
+
+
+def sanitize_all_parameters_all_sinks(x, y):
+    _test_sink(x)
+    _test_sink(y)
+    return source_with_tito(x) + source_with_tito(y)
+
+
+def sanitize_all_parameters_all_tito(x, y):
+    _test_sink(x)
+    _test_sink(y)
+    return source_with_tito(x) + source_with_tito(y)
+
+
+def sanitize_all_parameters_a_sink(x):
+    if 1 > 2:
+        a_sink(x)
+    else:
+        b_sink(x)
+
+
+def sanitize_all_parameters_b_sink(x):
+    if 1 > 2:
+        a_sink(x)
+    else:
+        b_sink(x)
+
+
+def sanitize_all_parameters_a_source_tito(x):
+    return x
+
+
+def no_propagation_with_sanitize_all_parameters_a_source_tito():
+    a = a_source()
+    b = sanitize_all_parameters_a_source_tito(a)
+    return b
+
+
+def propagation_of_b_with_sanitize_all_parameters_a_source_tito():
+    b = b_source()
+    tito = sanitize_all_parameters_a_source_tito(b)
+    return tito
+
+
+def sanitize_all_parameters_a_sink_tito(x):
+    return x
+
+
+def no_propagation_with_sanitize_all_parameters_a_sink_tito(x):
+    y = sanitize_all_parameters_a_sink_tito(x)
+    a_sink(y)
+
+
+def propagation_of_b_with_sanitize_all_parameters_a_sink_tito(x):
+    y = sanitize_all_parameters_a_sink_tito(x)
+    b_sink(y)
+
+
+def sanitize_all_parameters_a_source_sink_tito(x):
+    return x
+
+
+def no_propagation_of_a_source_with_sanitize_all_parameters_a_source_sink_tito():
+    a = a_source()
+    b = sanitize_all_parameters_a_source_sink_tito(a)
+    return b
+
+
+def propagation_of_b_source_with_sanitize_all_parameters_a_source_sink_tito():
+    b = b_source()
+    tito = sanitize_all_parameters_a_source_sink_tito(b)
+    return tito
+
+
+def no_propagation_of_a_sink_with_sanitize_all_parameters_a_source_sink_tito(x):
+    y = sanitize_all_parameters_a_source_sink_tito(x)
+    a_sink(y)
+
+
+def propagation_of_b_sink_with_sanitize_all_parameters_a_source_sink_tito(x):
+    y = sanitize_all_parameters_a_sink_tito(x)
+    b_sink(y)
+
+
+def sanitize_all_parameters_with_user_declared_sink(x):
+    return x

source/interprocedural_analyses/taint/test/integration/sanitize.py.cg

@@ -9,12 +9,20 @@ sanitize.C_sanitized_all_sources::__init__ (method) -> []
 sanitize.C_sanitized_b_sink::__init__ (method) -> []
 sanitize.C_sanitized_b_source::__init__ (method) -> []
 sanitize.no_propagation_of_a_sink (fun) -> [sanitize.a_sink (fun) sanitize.sanitize_a_sink_tito (fun)]
+sanitize.no_propagation_of_a_sink_with_sanitize_all_parameters_a_source_sink_tito (fun) -> [sanitize.a_sink (fun) sanitize.sanitize_all_parameters_a_source_sink_tito (fun)]
+sanitize.no_propagation_of_a_source_with_sanitize_all_parameters_a_source_sink_tito (fun) -> [sanitize.a_source (fun) sanitize.sanitize_all_parameters_a_source_sink_tito (fun)]
 sanitize.no_propagation_with_sanitize_a_tito (fun) -> [sanitize.a_source (fun) sanitize.sanitize_a_tito (fun)]
+sanitize.no_propagation_with_sanitize_all_parameters_a_sink_tito (fun) -> [sanitize.a_sink (fun) sanitize.sanitize_all_parameters_a_sink_tito (fun)]
+sanitize.no_propagation_with_sanitize_all_parameters_a_source_tito (fun) -> [sanitize.a_source (fun) sanitize.sanitize_all_parameters_a_source_tito (fun)]
 sanitize.no_propagation_with_sanitize_parameter_a_sink_tito (fun) -> [sanitize.a_sink (fun) sanitize.sanitize_parameter_a_sink_tito (fun)]
 sanitize.no_propagation_with_sanitize_parameter_a_source_tito (fun) -> [sanitize.a_source (fun) sanitize.sanitize_parameter_a_source_tito (fun)]
 sanitize.propagation_of_b_sink (fun) -> [sanitize.b_sink (fun) sanitize.sanitize_a_sink_tito (fun)]
+sanitize.propagation_of_b_sink_with_sanitize_all_parameters_a_source_sink_tito (fun) -> [sanitize.b_sink (fun) sanitize.sanitize_all_parameters_a_sink_tito (fun)]
+sanitize.propagation_of_b_source_with_sanitize_all_parameters_a_source_sink_tito (fun) -> [sanitize.b_source (fun) sanitize.sanitize_all_parameters_a_source_sink_tito (fun)]
 sanitize.propagation_of_b_with_sanitize_a_tito (fun) -> [sanitize.b_source (fun) sanitize.sanitize_a_tito (fun)]
-sanitize.propagation_of_b_with_sanitize_parameter_a_sink_tito (fun) -> [sanitize.b_sink (fun) sanitize.sanitize_a_sink_tito (fun)]
+sanitize.propagation_of_b_with_sanitize_all_parameters_a_sink_tito (fun) -> [sanitize.b_sink (fun) sanitize.sanitize_all_parameters_a_sink_tito (fun)]
+sanitize.propagation_of_b_with_sanitize_all_parameters_a_source_tito (fun) -> [sanitize.b_source (fun) sanitize.sanitize_all_parameters_a_source_tito (fun)]
+sanitize.propagation_of_b_with_sanitize_parameter_a_sink_tito (fun) -> [sanitize.b_sink (fun) sanitize.sanitize_parameter_a_sink_tito (fun)]
 sanitize.propagation_of_b_with_sanitize_parameter_a_source_tito (fun) -> [sanitize.b_source (fun) sanitize.sanitize_parameter_a_source_tito (fun)]
 sanitize.return_taint_sanitize (fun) -> []
 sanitize.sanitize_a_and_b_sinks (fun) -> [int::__gt__ (method) int::__le__ (method) sanitize.a_sink (fun) sanitize.b_sink (fun)]
@@ -27,6 +35,16 @@ sanitize.sanitize_a_tito (fun) -> []
 sanitize.sanitize_a_tito_with_sink (fun) -> [sanitize.a_sink (fun)]
 sanitize.sanitize_ab_sinks_attribute (fun) -> [int::__gt__ (method) int::__le__ (method) sanitize.a_sink (fun) sanitize.b_sink (fun)]
 sanitize.sanitize_ab_sinks_instance (fun) -> [int::__gt__ (method) int::__le__ (method) sanitize.a_sink (fun) sanitize.b_sink (fun)]
+sanitize.sanitize_all_parameters (fun) -> [_test_sink (fun) sanitize.source_with_tito (fun)]
+sanitize.sanitize_all_parameters_a_sink (fun) -> [int::__gt__ (method) int::__le__ (method) sanitize.a_sink (fun) sanitize.b_sink (fun)]
+sanitize.sanitize_all_parameters_a_sink_tito (fun) -> []
+sanitize.sanitize_all_parameters_a_source_sink_tito (fun) -> []
+sanitize.sanitize_all_parameters_a_source_tito (fun) -> []
+sanitize.sanitize_all_parameters_all_sinks (fun) -> [_test_sink (fun) sanitize.source_with_tito (fun)]
+sanitize.sanitize_all_parameters_all_sources (fun) -> [_test_sink (fun) sanitize.source_with_tito (fun)]
+sanitize.sanitize_all_parameters_all_tito (fun) -> [_test_sink (fun) sanitize.source_with_tito (fun)]
+sanitize.sanitize_all_parameters_b_sink (fun) -> [int::__gt__ (method) int::__le__ (method) sanitize.a_sink (fun) sanitize.b_sink (fun)]
+sanitize.sanitize_all_parameters_with_user_declared_sink (fun) -> []
 sanitize.sanitize_all_sinks_attribute (fun) -> [_test_sink (fun) int::__gt__ (method) int::__le__ (method) sanitize.a_sink (fun) sanitize.b_sink (fun)]
 sanitize.sanitize_all_sinks_instance (fun) -> [_test_sink (fun) int::__gt__ (method) int::__le__ (method) sanitize.a_sink (fun) sanitize.b_sink (fun)]
 sanitize.sanitize_b_sink (fun) -> [int::__gt__ (method) int::__le__ (method) sanitize.a_sink (fun) sanitize.b_sink (fun)]