Remove UserControlled -> Getattr detection

Summary: In most of the cases this rule detects benign scenarios. In order to be exploitable the result from getattr need to be called with usercontrolled parameters. Let's disable the rule while we think of a way to improve this. Reviewed By: tianhan0 Differential Revision: D45315670 Privacy Context Container: L1152058 fbshipit-source-id: 855e7b9518181f2dbd4de125b367218f136f8913
facebook · Apr 27, 2023 · da572f0 · da572f0
1 parent ecd6883
commit da572f0
Showing 1 changed file with 0 additions and 11 deletions.
diff --git a/stubs/taint/core_privacy_security/taint.config b/stubs/taint/core_privacy_security/taint.config
@@ -295,17 +295,6 @@
         "Demo"
       ]
     },
-    {
-      "code": 5010,
-      "message_format": "Attacker may control at least one argument to getattr(,).",
-      "name": "User data to getattr",
-      "sinks": [
-        "GetAttr"
-      ],
-      "sources": [
-        "UserControlled"
-      ]
-    },
     {
       "code": 5011,
       "message_format": "Data from [{$sources}] source(s) may reach [{$sinks}] sink(s)",