tainting: Introduce a special kind of sanitizer #4033
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PA-455 Re-think "sanitizers cannot conflict with sources/sinks"
Consider and Here we get a match because |
mjambon
approved these changes
Oct 11, 2021
In PA-402 we made all sanitizers "not-conflicting" so that one could declare `$F(...)` as a sanitizer without conflicting with sources and sinks. That makes sense in that particular use case, but it partially breaks our ability to simulate sanitizers by side effect. For example: pattern-sanitizers: - patterns: - pattern-inside: | $JWT.verify($TOKEN, ...) ... - pattern: $TOKEN pattern-sinks: - patterns: - pattern: $JWT.decode($TOKEN, ...) - pattern: $TOKEN pattern-sources: - pattern: $TOKEN no longer works on this example: jwt.verify(token, key); // ok: test jwt.decode(token, true); Since the second `token` is both matched by a sanitizer and a sink (and a source), the sanitizer is now "disabled" due to the changes made by 0b35ab5 in connection with PA-402. This is not at all desirable, but we still want the ability to declare `$F(...)` as a sanitizer. Then the simplest solution seems to be to support two different kinds of sanitizers. Closes: PA-455 Changes: 0b35ab5 ("tainting: Filter out sanitizers that conflict with sources/sinks (#3958)") test plan: make test # tests included
IagoAbal
force-pushed
the
iago/pa-455-re-think-sanitizers-cannot-conflict-with
branch
from
8bdfb0c
to
18e6c27
Compare
IagoAbal
deleted the
iago/pa-455-re-think-sanitizers-cannot-conflict-with
branch
ievans
pushed a commit
that referenced
this pull request
Oct 19, 2021
In PA-402 we made all sanitizers "not-conflicting" so that one could declare `$F(...)` as a sanitizer without conflicting with sources and sinks. That makes sense in that particular use case, but it partially breaks our ability to simulate sanitizers by side effect. For example: pattern-sanitizers: - patterns: - pattern-inside: | $JWT.verify($TOKEN, ...) ... - pattern: $TOKEN pattern-sinks: - patterns: - pattern: $JWT.decode($TOKEN, ...) - pattern: $TOKEN pattern-sources: - pattern: $TOKEN no longer works on this example: jwt.verify(token, key); // ok: test jwt.decode(token, true); Since the second `token` is both matched by a sanitizer and a sink (and a source), the sanitizer is now "disabled" due to the changes made by 0b35ab5 in connection with PA-402. This is not at all desirable, but we still want the ability to declare `$F(...)` as a sanitizer. Then the simplest solution seems to be to support two different kinds of sanitizers. Closes: PA-455 Changes: 0b35ab5 ("tainting: Filter out sanitizers that conflict with sources/sinks (#3958)") test plan: make test # tests included
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In PA-402 we made all sanitizers "not-conflicting" so that one could
declare
$F(...)as a sanitizer without conflicting with sources andsinks. That makes sense in that particular use case, but it partially
breaks our ability to simulate sanitizers by side effect. For example:
no longer works on this example:
Since the second
tokenis both matched by a sanitizer and a sink (anda source), the sanitizer is now "disabled" due to the changes made by
0b35ab5 in connection with PA-402. This is not at all desirable, but
we still want the ability to declare
$F(...)as a sanitizer. Then thesimplest solution seems to be to support two different kinds of
sanitizers.
Closes: PA-455
Changes: 0b35ab5 ("tainting: Filter out sanitizers that conflict with sources/sinks (#3958)")
test plan:
make test # tests included
PR checklist: