
Detect field assignment to zero-value as sanitization #92

Open
PurelyApplied opened this issue Sep 10, 2020 · 3 comments
Labels
inference Detection of source, sink, or sanitizer that is not explicitly configured

Comments

@PurelyApplied
Collaborator

Consider the following:

```go
package main

type Source struct {
	secret string // `levee:"source"`
}

// Sink stands in for a function configured as a levee sink.
func Sink(s Source) {}

func Bar(s Source) {
	s.secret = ""
	Sink(s) // This should not emit a Diagnostic.
}
```

Explicitly setting all fields containing source data to their zero values should be recognized as sanitization.

@PurelyApplied PurelyApplied added the inference Detection of source, sink, or sanitizer that is not explicitly configured label Sep 10, 2020
@PurelyApplied
Collaborator Author

Optionally, a user may wish to provide sanctioned non-zero values, e.g. `s.secret = "REDACTED"`.
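As an added illustration (not code from go-flow-levee or from the issue author), the snippet below shows the shape of the check requested above and in the "REDACTED" follow-up: a straight-line, AST-level pass that treats an assignment of a zero value, or of an assumed sanctioned literal such as `"REDACTED"`, to a source field as sanitizing when it happens before the parameter reaches `Sink`. The names `sanitizedBeforeSink`, `sanitizing` and `barSrc` are assumptions; a real analyzer would work on SSA with proper control-flow and alias handling rather than on top-level statements.

```go
package main

import (
	"go/ast"
	"go/parser"
)

// Literals accepted as sanitizing: the string zero value plus one assumed
// user-sanctioned placeholder (the "REDACTED" idea from the second comment).
var sanitizing = map[string]bool{`""`: true, `"REDACTED"`: true}

// Constructed input, not from the issue, with the shape of Bar from the report.
const barSrc = `func(s Source) { s.secret = ""; Sink(s) }`

// sanitizedBeforeSink parses a Go function literal and reports whether every
// listed source field of its first parameter is overwritten with a sanitizing
// literal before the first top-level call to Sink. Straight-line statements
// only: branches, loops and aliases are out of scope for this illustration.
func sanitizedBeforeSink(fnSrc string, fields ...string) bool {
	e, err := parser.ParseExpr(fnSrc)
	if err != nil {
		panic(err) // malformed input is a caller bug in this illustration
	}
	fn := e.(*ast.FuncLit)
	param, cleared := fn.Type.Params.List[0].Names[0].Name, map[string]bool{}
	for _, st := range fn.Body.List {
		if a, ok := st.(*ast.AssignStmt); ok && len(a.Lhs) == 1 && len(a.Rhs) == 1 {
			sel, isSel := a.Lhs[0].(*ast.SelectorExpr)
			lit, isLit := a.Rhs[0].(*ast.BasicLit)
			if isSel && isLit && sanitizing[lit.Value] {
				if x, ok := sel.X.(*ast.Ident); ok && x.Name == param {
					cleared[sel.Sel.Name] = true // e.g. s.secret = ""
				}
			}
		} else if es, ok := st.(*ast.ExprStmt); ok {
			if c, ok := es.X.(*ast.CallExpr); ok {
				if id, ok := c.Fun.(*ast.Ident); ok && id.Name == "Sink" {
					for _, fld := range fields {
						if !cleared[fld] {
							return false // a source field still reaches the sink
						}
					}
					return true
				}
			}
		}
	}
	return true // the function never calls Sink, so nothing to report
}
```

Assigning `""` after the call, or assigning any other literal, leaves the function flagged, and every listed source field must be cleared, not just one.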

@PurelyApplied
Collaborator Author

Cross-referencing #97, a wrapping type should be able to likewise sanitize via either of `Container.content = nil` or `Container.content.secret = ""`.

@mlevesquedion
Contributor

I think we could handle some of these cases without too much headache, but in general this looks like it's going to be very tricky.

If we do a good job with it though, eventually we may be able to identify sanitizers automatically.
