-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix sanitization bug, add tests #154
Fix sanitization bug, add tests #154
Conversation
Patrick, Vinayak: I've added you as reviewers, but I'm not looking for an actual review, I would just like to get your thoughts on these test cases. |
I do love tests. LGTM. |
Good! I would like to add these tests, but right now they would be failing. I have created an issue (#155), because I am not sure how to handle this right now, and they don't feel very high priority. I guess the bottom line is that it seems that the current way we check for domination is incorrect. In the cases above, the sanitizing call does dominate the sink call on the possible paths from source to sink, which are the relevant paths. Because of the pointers, currently I don't see a way to do this other than stepping through the instructions. |
I think it would be alright to introduced the tests suppressed with
I'm not sure how you mean this. Do you mean about handling the in situ sanitization? |
We can't use
Yeah. In the general case I don't see a clean way to say "on this path, because of the sanitization by reference, this value is safe". |
I was perhaps being glib in the particulars. I would do something like this func TestOnlySanitizedIfLoopIsTaken() {
var e interface{} = core.Source{}
for false {
e = core.Sanitize(e)[0]
}
// TODO want to not emit here
core.Sink(e) // want "a source has reached a sink"
} I might be inclined to keep a consistent pattern for searchability on
I see a few paths forward, but no obvious best.
|
I like your approach with the Concerning the paths you propose, I had 1 and 2 in mind as well but I didn't consider 3. Thank you for outlining these paths. I think it's very valuable that you brought up path 3. I think with an interpretation approach, this would be easy to do. I agree that there are pros and cons, though. I agree with your assessment of the 2nd path. Path 3 seems quite pragmatic to me. I'm not sure if it would be too much of an inconvenience to developers. It would certainly be easier to implement, and I don't see any obvious ways that it would fail. I think for now I'll just rewrite the tests using |
I've rewritten the failing tests with TODOs. These are captured in issue #155. |
(Nit: maybe edit out the The only one that comes to mind is a convoluted switch case that joins in the middle, e.g. func Foo() {
var obj interface{}
if flipCoin() {
obj = Source{}
} else {
obj = 10
}
genericSanitizer(obj)
if flipCoin() {
sink(obj)
} else {
somethingElse(obj)
}
} I don't predict that being too common, but still within the realm of possibility. I could see it being useful for some generic delegation logic, especially if the I'm still comfortable with reporting in that instance, though. And you could also probably layer that the I'll add this sort of test case to #149. |
I was expecting that test case to pass under the current implementation, so I added it to check my understanding. It failed. I think the domination logic is wrong: if the Please review the fix. |
I've removed myself from the review set for now. It's not clear if you're just iterating or if you wanted review now. Feel free to add me back when this PR is ready for review. |
SG, sorry for the confusion. I'm done iterating, I do want a review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Since we've iterated a good bit here, please update the commit summary and description to be more meaningful than "fixed bug." Maybe Prevent report in block dominated by block containing sanitization.
This PR fixes a bug in how sanitization status is evaluated. It also introduces tests covering the previously buggy behavior.
This PR also adds tests documenting another, more complicated bug also involving sanitization. This bug are described in #155.