Improve taint analysis a little more
muglug committed Mar 25, 2024
1 parent 20e79e9 commit f06eae7
Showing 8 changed files with 525 additions and 148 deletions.
2 changes: 1 addition & 1 deletion src/analyzer/expr/binop/concat_analyzer.rs
Expand Up @@ -145,7 +145,7 @@ pub(crate) fn analyze_concat_nodes(
result_type
}

fn get_concat_nodes(expr: &aast::Expr<(), ()>) -> Vec<&aast::Expr<(), ()>> {
pub(crate) fn get_concat_nodes(expr: &aast::Expr<(), ()>) -> Vec<&aast::Expr<(), ()>> {
match &expr.2 {
aast::Expr_::Binop(x) => {
let (binop, e1, e2) = (&x.bop, &x.lhs, &x.rhs);
24 changes: 24 additions & 0 deletions src/analyzer/expr/call/arguments_analyzer.rs
Expand Up @@ -183,6 +183,7 @@ pub(crate) fn check_arguments_match(
|| matches!(functionlike_info.effects, FnEffect::Arg(_))
|| functionlike_info.pure_can_throw
|| functionlike_info.user_defined
|| functionlike_info.method_info.is_some()
{
context.inside_general_use = true;
}
Expand Down Expand Up @@ -1113,6 +1114,29 @@ fn handle_possibly_matching_inout_param(
vec![],
vec![],
);
} else if matches!(
functionlike_id,
FunctionLikeIdentifier::Function(StrId::JSON_DECODE_WITH_ERROR)
) && argument_offset == 1
{
let argument_node = DataFlowNode::get_for_method_argument(
functionlike_id.to_string(statements_analyzer.get_interner()),
0,
Some(statements_analyzer.get_hpos(all_args[1].1.pos())),
Some(statements_analyzer.get_hpos(function_call_pos)),
);

analysis_data
.data_flow_graph
.add_node(argument_node.clone());

analysis_data.data_flow_graph.add_path(
&argument_node,
&out_node,
PathKind::Aggregate,
vec![],
vec![],
);
}

analysis_data.data_flow_graph.add_node(out_node);
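Review bot: In the new json_decode_with_error branch the source node is built with argument index 0 but its position comes from `all_args[1].1.pos()`, which is the inout argument the out node already describes; if the intent is to flow taint from the decoded input into the inout error argument, the position should presumably be `Some(statements_analyzer.get_hpos(all_args[0].1.pos()))`, otherwise the index should match the position. The `all_args[1]` index is unchecked; `argument_offset == 1` presumably guarantees at least two arguments, and a short comment stating that invariant next to the `matches!` guard would make the reliance explicit. A one-line comment explaining why argument 1 of json_decode_with_error receives an Aggregate path from argument 0 would also help, since the surrounding branches appear to be per-function special cases. handle_possibly_matching_inout_param starts before the hunk and continues after it.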
48 changes: 25 additions & 23 deletions src/analyzer/expr/call/existing_atomic_method_call_analyzer.rs
Expand Up @@ -23,7 +23,9 @@ use oxidized::{
};
use rustc_hash::FxHashMap;

use crate::expr::fetch::array_fetch_analyzer::add_array_fetch_dataflow;
use crate::expr::fetch::array_fetch_analyzer::{
add_array_fetch_dataflow, get_array_access_type_given_offset,
};
use crate::stmt_analyzer::AnalysisError;
use crate::{
expr::{
Expand Down Expand Up @@ -468,31 +470,31 @@ fn handle_shapes_static_method(
.get_rc_expr_type(call_expr.1[1].1.pos())
.cloned();

let mut expr_type = None;

if let (Some(dict_type), Some(dim_type)) = (dict_type, dim_type) {
for atomic_type in &dict_type.types {
if let TAtomic::TDict { .. } = atomic_type {
let expr_type_inner = handle_array_access_on_dict(
statements_analyzer,
pos,
analysis_data,
context,
atomic_type,
&dim_type,
false,
&mut false,
true,
&mut false,
&mut false,
);

expr_type = Some(expr_type_inner);
}
}
let mut expr_type_inner = get_array_access_type_given_offset(
statements_analyzer,
analysis_data,
(&call_expr.1[0].1, Some(&call_expr.1[1].1), pos),
&dict_type,
&dim_type,
false,
&None,
context,
);

add_array_fetch_dataflow(
statements_analyzer,
call_expr.1[0].1.pos(),
analysis_data,
None,
&mut expr_type_inner,
&mut (*dim_type).clone(),
);

return Some(expr_type_inner);
}

return Some(expr_type.unwrap_or(get_mixed_any()));
return Some(get_mixed_any());
}
}
StrId::TO_DICT | StrId::TO_ARRAY => {
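Review bot: The `&mut (*dim_type).clone()` argument to add_array_fetch_dataflow hands the callee a mutable reference to a temporary, so any change it makes to the key type is discarded as soon as the call returns; if that is intended, binding it first (`let mut key_type = (*dim_type).clone();` then `&mut key_type`) makes the discard visible instead of looking like a forgotten result. The replaced code only analysed `TAtomic::TDict` members of dict_type and silently left everything else as mixed-any, whereas get_array_access_type_given_offset now receives the whole union; I assume that is meant to align Shapes::idx with ordinary array fetches, but a comment saying so would save the next reader from treating the wider error surface as accidental. handle_shapes_static_method starts before the hunk and continues after it.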