formalsec · filipeom · Mar 25, 2024 · Mar 25, 2024
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -26,9 +26,16 @@ jobs:
         uses: ocaml/setup-ocaml@v2
         with:
           ocaml-compiler: ${{ matrix.ocaml-compiler }}
+          dune-cache: true
+          allow-prerelease-opam: true
       - name: Install dependencies
         run: opam install -y . --deps-only --with-test
       - name: Build
         run: opam exec -- dune build @install
       - name: Test
-        run: opam exec -- dune runtest
+        run: BISECT_FILE=`pwd`/bisect opam exec -- dune runtest --force --instrument-with bisect_ppx
+      - name: Upload coverage
+        if: matrix.os == 'ubuntu-latest'
+        run: opam exec -- bisect-ppx-report send-to Coveralls
+        env:
+          COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
diff --git a/README.md b/README.md
@@ -0,0 +1 @@
+# Instrumentation2 [![Build](https://github.com/formalsec/instrumentation2/actions/workflows/build.yml/badge.svg)](https://github.com/formalsec/instrumentation2/actions/workflows/build.yml) [![Coverage Status](https://coveralls.io/repos/github/formalsec/instrumentation2/badge.svg)](https://coveralls.io/github/formalsec/instrumentation2)
diff --git a/src/main.ml b/src/main.ml
@@ -1,9 +1,9 @@
 open I2
 open Cmdliner
 
-let main debug file config output =
+let main debug taint_summary file output =
   if debug then Logs.set_level (Some Debug);
-  match Run.run ~file ~config ~output with
+  match Run.run ?file ~config:taint_summary ~output () with
   | Ok _n -> 0
   | Error (`Msg msg) ->
     Format.eprintf "error: %s@." msg;
@@ -13,13 +13,13 @@ let debug =
   let doc = "debug mode" in
   Arg.(value & flag & info [ "debug" ] ~doc)
 
+let taint_summary =
+  let doc = "taint summary" in
+  Arg.(required & pos 0 (some non_dir_file) None & info [] ~docv:"SUMM" ~doc)
+
 let file =
   let doc = "normalized file" in
-  Arg.(required & pos 0 (some non_dir_file) None & info [] ~docv:"FILE" ~doc)
-
-let config =
-  let doc = "taint summary" in
-  Arg.(required & pos 1 (some non_dir_file) None & info [] ~docv:"SUMM" ~doc)
+  Arg.(value & pos 1 (some non_dir_file) None & info [] ~docv:"FILE" ~doc)
 
 let output =
   let doc = "output file" in
@@ -33,6 +33,6 @@ let cmd =
     ]
   in
   let info = Cmd.info "instrumentation2" ~version:"%%VERSION%%" ~doc ~man in
-  Cmd.v info Term.(const main $ debug $ file $ config $ output)
+  Cmd.v info Term.(const main $ debug $ taint_summary $ file  $ output)
 
 let () = exit @@ Cmd.eval' cmd
diff --git a/src/run.ml b/src/run.ml
@@ -13,21 +13,32 @@ let write_test ~file module_data vuln =
   OS.File.writef file "%s@\n%a@." module_data Vuln.pp vuln
 
 (** [run file config output] creates symbolic tests [file] from [config] *)
-let run ~file ~config ~output =
-  let* vulns = Vuln_parser.from_file config in
-  let+ module_data = OS.File.read (Fpath.v file) in
+let run ?file ~config ~output () =
+  let+ vulns = Vuln_parser.from_file config in
   List.mapi
     (fun i vuln ->
       let confs = Vuln.unroll vuln in
       List.mapi
         (fun j conf ->
-          let file = get_test_name output (i, j) in
+          let output_file = get_test_name output (i, j) in
+          let filename =
+            match file with
+            | Some f -> f
+            | None ->
+              let filename =
+                match conf.Vuln.filename with
+                | Some f -> f
+                | None -> assert false
+              in
+              Filename.(concat (dirname config) filename)
+          in
+          let module_data = In_channel.(with_open_text filename input_all) in
           begin
-            match write_test ~file module_data conf with
+            match write_test ~file:output_file module_data conf with
             | Ok () -> ()
             | Error (`Msg msg) -> failwith msg
           end;
-          file )
+          output_file )
         confs )
     vulns
   |> List.concat
diff --git a/src/run.mli b/src/run.mli
@@ -1,5 +1,6 @@
 val run :
-     file:string
+     ?file:string
   -> config:string
   -> output:string
+  -> unit
   -> (Fpath.t list, [> `Msg of string ]) Result.t
diff --git a/src/vuln.ml b/src/vuln.ml
@@ -21,7 +21,8 @@ and object_type =
   ]
 
 type vuln_conf =
-  { ty : vuln_type
+  { filename : string option
+  ; ty : vuln_type
   ; source : string
   ; source_lineno : int option
   ; sink : string

diff --git a/src/vuln_parser.ml b/src/vuln_parser.ml
@@ -55,6 +55,7 @@ let rec parse_param ?file (param : Json.t) : param_type =
     assert false
 
 let rec from_json ?file (assoc : Json.t) =
+  let filename = Util.(member "filename" assoc |> to_option to_string) in
   let* ty = Util.member "vuln_type" assoc |> parse_vuln_type ?file in
   let source = Util.member "source" assoc |> Util.to_string in
   let source_lineno = Util.(member "source_lineno" assoc |> to_option to_int) in
@@ -83,7 +84,8 @@ let rec from_json ?file (assoc : Json.t) =
       Some (Return tree)
   in
   Ok
-    { ty
+    { filename
+    ; ty
     ; source
     ; source_lineno
     ; sink

diff --git a/test/test_toy.t b/test/test_toy.t
@@ -1,5 +1,5 @@
 Test toy examples:
-  $ instrumentation2 toy/vfunexported.js toy/vfunexported.json -o -
+  $ instrumentation2 toy/vfunexported.json toy/vfunexported.js -o -
   Genrating -
   let exec = require('child_process').exec;
 
@@ -12,7 +12,7 @@ Test toy examples:
   // Vuln: command-injection
   let x = esl_symbolic.string("x");
   module.exports(x);
-  $ instrumentation2 toy/vfunretbyexport.js toy/vfunretbyexport.json -o -
+  $ instrumentation2 toy/vfunretbyexport.json -o -
   Genrating -
   function f1(a) {
     return function f2(b) {
@@ -29,7 +29,7 @@ Test toy examples:
   var ret_f1 = f1(a);
   let b = esl_symbolic.number("b");
   ret_f1(b);
-  $ instrumentation2 toy/vfunpropofexportedobj.js toy/vfunpropofexportedobj.json -o -
+  $ instrumentation2 toy/vfunpropofexportedobj.json toy/vfunpropofexportedobj.js -o -
   Genrating -
   let Obj = (function () {
     function Obj(source) { this.source = source; }
@@ -52,7 +52,7 @@ Test toy examples:
   var ret_module_exports_Obj = module.exports.Obj(source);
   let obj = { cond: esl_symbolic.number("cond") };
   ret_module_exports_Obj.f(obj);
-  $ instrumentation2 toy/example-20.js toy/example-20.json -o -
+  $ instrumentation2 toy/example-20.json toy/example-20.js -o -
   Genrating -
   var target = "";
 

diff --git a/test/test_unit.t b/test/test_unit.t
@@ -1,5 +1,5 @@
 Test unit:
-  $ instrumentation2 -o - unit/identity.js unit/any.json
+  $ instrumentation2 -o - unit/any.json unit/identity.js
   Genrating -
   module.exports = function identity(some_arg) {
     return some_arg
@@ -10,7 +10,7 @@ Test unit:
   // Vuln: command-injection
   let some_arg = esl_symbolic.any("some_arg");
   module.exports(some_arg);
-  $ instrumentation2 -o - unit/identity.js unit/array.json
+  $ instrumentation2 -o - unit/array.json unit/identity.js
   Genrating -
   module.exports = function identity(some_arg) {
     return some_arg
@@ -21,7 +21,7 @@ Test unit:
   // Vuln: command-injection
   let some_arg = [ esl_symbolic.string("some_arg0") ];
   module.exports(some_arg);
-  $ instrumentation2 -o - unit/identity.js unit/array2.json
+  $ instrumentation2 -o - unit/array2.json unit/identity.js
   Genrating -
   module.exports = function identity(some_arg) {
     return some_arg
@@ -33,7 +33,7 @@ Test unit:
   let some_arg =
     [ esl_symbolic.string("some_arg0"), esl_symbolic.boolean("some_arg1"), esl_symbolic.number("some_arg2") ];
   module.exports(some_arg);
-  $ instrumentation2 -o - unit/identity.js unit/bool.json
+  $ instrumentation2 -o - unit/bool.json unit/identity.js
   Genrating -
   module.exports = function identity(some_arg) {
     return some_arg
@@ -44,7 +44,7 @@ Test unit:
   // Vuln: command-injection
   let some_arg = esl_symbolic.boolean("some_arg");
   module.exports(some_arg);
-  $ instrumentation2 -o - unit/identity.js unit/function.json
+  $ instrumentation2 -o - unit/function.json unit/identity.js
   Genrating -
   module.exports = function identity(some_arg) {
     return some_arg
@@ -55,7 +55,7 @@ Test unit:
   // Vuln: command-injection
   let some_arg = esl_symbolic.function("some_arg");
   module.exports(some_arg);
-  $ instrumentation2 -o - unit/identity.js unit/lazy_object.json
+  $ instrumentation2 -o - unit/lazy_object.json unit/identity.js
   Genrating -
   module.exports = function identity(some_arg) {
     return some_arg
@@ -66,7 +66,7 @@ Test unit:
   // Vuln: path-traversal
   let some_arg = esl_symbolic.lazy_object();
   module.exports(some_arg);
-  $ instrumentation2 -o - unit/identity.js unit/number.json
+  $ instrumentation2 -o - unit/number.json unit/identity.js
   Genrating -
   module.exports = function identity(some_arg) {
     return some_arg
@@ -77,7 +77,7 @@ Test unit:
   // Vuln: command-injection
   let some_arg = esl_symbolic.number("some_arg");
   module.exports(some_arg);
-  $ instrumentation2 -o - unit/identity.js unit/object.json
+  $ instrumentation2 -o - unit/object.json unit/identity.js
   Genrating -
   module.exports = function identity(some_arg) {
     return some_arg
@@ -88,7 +88,7 @@ Test unit:
   // Vuln: command-injection
   let some_arg = {  };
   module.exports(some_arg);
-  $ instrumentation2 -o - unit/identity.js unit/polluted_object2.json
+  $ instrumentation2 -o - unit/polluted_object2.json unit/identity.js
   Genrating -
   module.exports = function identity(some_arg) {
     return some_arg
@@ -100,7 +100,7 @@ Test unit:
   let some_arg = esl_symbolic.polluted_object(2);
   module.exports(some_arg);
   console.log(({}).toString);
-  $ instrumentation2 -o - unit/identity.js unit/polluted_object3.json
+  $ instrumentation2 -o - unit/polluted_object3.json unit/identity.js
   Genrating -
   module.exports = function identity(some_arg) {
     return some_arg
@@ -112,7 +112,7 @@ Test unit:
   let some_arg = esl_symbolic.polluted_object(3);
   module.exports(some_arg);
   console.log(({}).toString);
-  $ instrumentation2 -o - unit/identity.js unit/string.json
+  $ instrumentation2 -o - unit/string.json unit/identity.js
   Genrating -
   module.exports = function identity(some_arg) {
     return some_arg
@@ -123,7 +123,7 @@ Test unit:
   // Vuln: command-injection
   let some_arg = esl_symbolic.string("some_arg");
   module.exports(some_arg);
-  $ instrumentation2 -o - unit/identity.js unit/union.json
+  $ instrumentation2 -o - unit/union.json unit/identity.js
   Genrating -
   Genrating -
   Genrating -

diff --git a/test/toy/vfunretbyexport.json b/test/toy/vfunretbyexport.json
@@ -1,5 +1,6 @@
 [
   {
+    "filename" : "./vfunretbyexport.js",
     "vuln_type" : "code-injection",
     "source" : "f1",
     "sink" : "anon",
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		# Instrumentation2 [![Build](https://github.com/formalsec/instrumentation2/actions/workflows/build.yml/badge.svg)](https://github.com/formalsec/instrumentation2/actions/workflows/build.yml) [![Coverage Status](https://coveralls.io/repos/github/formalsec/instrumentation2/badge.svg)](https://coveralls.io/github/formalsec/instrumentation2)