Make everything optional

formalsec · May 31, 2024 · b90aae1 · b90aae1
1 parent 1c1bf26
commit b90aae1
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 20 deletions.
diff --git a/src/vuln.ml b/src/vuln.ml
@@ -22,10 +22,10 @@ and object_type =
 
 type vuln_conf =
   { filename : string option
-  ; ty : vuln_type
-  ; source : string
+  ; ty : vuln_type option
+  ; source : string option
   ; source_lineno : int option
-  ; sink : string
+  ; sink : string option
   ; sink_lineno : int option
   ; tainted_params : string list
   ; params : (string * param_type) list
@@ -50,8 +50,8 @@ let template1 : ('a, Format.formatter, unit) format =
    console.log(({}).toString);"
 
 let get_template = function
-  | Cmd_injection | Code_injection | Path_traversal -> template0
-  | Proto_pollution -> template1
+  | Some (Cmd_injection | Code_injection | Path_traversal) -> template0
+  | Some Proto_pollution | None -> template1
 
 let fresh_str =
   let id = ref 0 in
@@ -101,10 +101,11 @@ module Fmt = struct
   open Format
 
   let pp_vuln_type fmt = function
-    | Cmd_injection -> fprintf fmt "command-injection"
-    | Code_injection -> fprintf fmt "code-injection"
-    | Path_traversal -> fprintf fmt "path-traversal"
-    | Proto_pollution -> fprintf fmt "prototype-pollution"
+    | Some Cmd_injection -> fprintf fmt "command-injection"
+    | Some Code_injection -> fprintf fmt "code-injection"
+    | Some Path_traversal -> fprintf fmt "path-traversal"
+    | Some Proto_pollution -> fprintf fmt "prototype-pollution"
+    | None -> ()
 
   let array_iter x f arr =
     List.iteri (fun i v -> f (x ^ string_of_int i, v)) arr
@@ -156,21 +157,28 @@ module Fmt = struct
       pp_print_string fmt args
 
   let normalize = String.map (fun c -> match c with '.' | ' ' -> '_' | _ -> c)
+  let ( let* ) v f = Option.bind v f
 
   let pp fmt (v : vuln_conf) =
     let rec pp_aux fmt { source; params; cont; _ } =
       if List.length params > 0 then
         fprintf fmt "%a;@\n" pp_params_as_decl params;
-      match cont with
-      | None -> fprintf fmt "%s(%a);" source pp_params_as_args params
-      | Some (Return ret) ->
+      match (cont, source) with
+      | None, Some source ->
+        fprintf fmt "%s(%a);" source pp_params_as_args params
+      | Some (Return ret), Some source ->
         let var_aux = "ret_" ^ normalize source in
         fprintf fmt "var %s = %s(%a);@\n" var_aux source pp_params_as_args
           params;
-        pp_aux fmt { ret with source = var_aux ^ ret.source }
-      | Some (Sequence cont) ->
+        let source =
+          let* ret_source = ret.source in
+          Some (var_aux ^ ret_source)
+        in
+        pp_aux fmt { ret with source }
+      | Some (Sequence cont), Some source ->
         fprintf fmt "%s(%a);@\n" source pp_params_as_args params;
         pp_aux fmt cont
+      | _, None -> assert false
     in
     let template = get_template v.ty in
     fprintf fmt template pp_vuln_type v.ty pp_aux v

diff --git a/src/vuln_parser.ml b/src/vuln_parser.ml
@@ -4,13 +4,12 @@ open Vuln
 open Format
 open Syntax.Result
 
-let vuln_type (ty : Json.t) =
-  match Util.to_string ty with
+let vuln_type = function
   | "command-injection" -> Ok Cmd_injection
   | "code-injection" -> Ok Code_injection
   | "path-traversal" -> Ok Path_traversal
   | "prototype-pollution" -> Ok Proto_pollution
-  | _ -> Error (`Unknown_vuln_type (asprintf "%a" Json.pp ty))
+  | str -> Error (`Unknown_vuln_type str)
 
 let param_type (ty : string) =
   match String.trim ty with
@@ -57,12 +56,19 @@ let int_opt = function `Int i -> Some i | `Null | _ -> None
 let list = function `List lst -> Ok lst | _ -> Error `Expected_list
 let assoc = function `Assoc lst -> Ok lst | _ -> Error `Expected_assoc
 
+let bind v f =
+  match v with
+  | None -> Ok None
+  | Some v ->
+    let+ v = f v in
+    Some v
+
 let rec from_json (json : Json.t) : (vuln_conf, [> Result.err ]) result =
   let filename = string_opt (Util.member "filename" json) in
-  let* ty = vuln_type (Util.member "vuln_type" json) in
-  let* source = string (Util.member "source" json) in
+  let* ty = bind (string_opt (Util.member "vuln_type" json)) vuln_type in
+  let source = string_opt (Util.member "source" json) in
   let source_lineno = int_opt (Util.member "source_lineno" json) in
-  let* sink = string (Util.member "sink" json) in
+  let sink = string_opt (Util.member "sink" json) in
   let sink_lineno = int_opt (Util.member "sink_lineno" json) in
   let* tainted_params =
     let* tainted = list (Util.member "tainted_params" json) in

diff --git a/test/test_toy.t b/test/test_toy.t
@@ -14,6 +14,22 @@ Test toy examples:
   module.exports(x);
   $ instrumentation2 toy/vfunretbyexport.json -o -
   Genrating -
+  Genrating -
+  function f1(a) {
+    return function f2(b) {
+      if (b > 0) {
+        eval(a);
+      }
+    };
+  };
+
+  let esl_symbolic = require("esl_symbolic");
+  esl_symbolic.sealProperties(Object.prototype);
+  // Vuln: code-injection
+  let a = esl_symbolic.string("a");
+  var ret_f1 = f1(a);
+  let b = esl_symbolic.number("b");
+  ret_f1(b);
   function f1(a) {
     return function f2(b) {
       if (b > 0) {

diff --git a/test/toy/vfunretbyexport.json b/test/toy/vfunretbyexport.json
@@ -13,5 +13,17 @@
       "tainted_params" : [ "b" ],
       "params_types" : { "b" : "number" }
     }
+  },
+  {
+    "filename" : "./vfunretbyexport.js",
+    "vuln_type" : "code-injection",
+    "source" : "f1",
+    "tainted_params" : [ "a" ],
+    "params_types" : { "a" : "string" },
+    "returns" : {
+      "source" : "",
+      "tainted_params" : [ "b" ],
+      "params_types" : { "b" : "number" }
+    }
   }
 ]