[hack] Add an example taint flow with shapes

Summary: This used to be a FN but with dictionary models from D45741308 the flow is properly identified. Reviewed By: geralt-encore Differential Revision: D45986709 fbshipit-source-id: ad1c0eb50fa8d1910e849f04b793b75def3ce9b8
facebook · May 18, 2023 · 9bfc837 · 9bfc837
1 parent 98c79c4
commit 9bfc837
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/infer/tests/codetoanalyze/hack/pulse/issues.exp b/infer/tests/codetoanalyze/hack/pulse/issues.exp
@@ -40,3 +40,4 @@ method_resolution_trait2.hack, $root.basicFlowBad20, 3, TAINT_ERROR, no_bucket,
 method_resolution_trait2.hack, $root.basicFlowBad21, 3, TAINT_ERROR, no_bucket, ERROR, [in call to `BadP.runSource`,source of the taint here: value returned from `$root.Level1::taintSource` with kind `Simple`,return from call to `BadP.runSource`,value passed as argument `#1` to `$root.Level1::taintSink` with kind `Simple`], source: $root.Level1::taintSource, sink: $root.Level1::taintSink, tainted expression: $tainted
 method_resolution_trait2.hack, $root.basicFlowOk22, 3, TAINT_ERROR, no_bucket, ERROR, [in call to `BadP.runSource`,source of the taint here: value returned from `$root.Level1::taintSource` with kind `Simple`,return from call to `BadP.runSource`,value passed as argument `#1` to `$root.Level1::taintSink` with kind `Simple`], source: $root.Level1::taintSource, sink: $root.Level1::taintSink, tainted expression: $untainted
 method_resolution_trait3.hack, $root.basicFlowBad30, 3, TAINT_ERROR, no_bucket, ERROR, [in call to `BadP.runSource`,source of the taint here: value returned from `$root.Level1::taintSource` with kind `Simple`,return from call to `BadP.runSource`,value passed as argument `#1` to `$root.Level1::taintSink` with kind `Simple`], source: $root.Level1::taintSource, sink: $root.Level1::taintSink, tainted expression: $tainted
+shapes.hack, Shapes::C1.passViaShapeBad, 1, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value passed as argument `#1` to `Shapes::C1.passViaShapeBad` with kind `Simple`,value passed as argument `#1` to `Shapes::ShapeLogger$static.logData` with kind `Simple`], source: Shapes::C1.passViaShapeBad, sink: Shapes::ShapeLogger$static.logData, tainted expression: $sc->sensitiveField
diff --git a/infer/tests/codetoanalyze/hack/pulse/shapes.hack b/infer/tests/codetoanalyze/hack/pulse/shapes.hack
@@ -0,0 +1,23 @@
+// Copyright (c) Facebook, Inc. and its affiliates.
+//
+// This source code is licensed under the MIT license found in the
+// LICENSE file in the root directory of this source tree.
+
+namespace Shapes;
+
+class ShapeLogger {
+  const type TSchemaShape = shape(
+    ?'msg' => ?string,
+    ?'debug_data' => ?string,
+  );
+
+  public static function logData(this::TSchemaShape $data) {
+    \Level1\taintSink($data);
+  }
+}
+
+class C1 {
+  public function passViaShapeBad(SensitiveClass $sc) {
+    ShapeLogger::logData(shape('msg' => 'Oh-oh', 'debug_data' => $sc->sensitiveField));
+  }
+}