Merge pull request diffblue#541 from diffblue/bugfix_apply_taint_summary_with_obtained_summary_inputs

SEC-633: Bugfix apply taint summary with obtained summary inputs

Author: marek-trtik

regression/end_to_end/xxe01/build.xml

@@ -0,0 +1,17 @@
+<project name="Main" basedir="." default="compile">
+
+  <property name="root.dir"      value="./"/>
+  <property name="src.dir"       value="${root.dir}/src"/>
+  <property name="classes.dir"   value="${root.dir}/build"/>
+
+  <target name="compile">
+    <antcall target="clean" />
+    <mkdir dir="${classes.dir}"/>
+    <javac srcdir="${src.dir}" destdir="${classes.dir}" includeantruntime="false" debug="on" />
+  </target>
+
+  <target name="clean">
+    <delete dir="${classes.dir}"/>
+  </target>
+
+</project>

regression/end_to_end/xxe01/rules.json

@@ -0,0 +1,40 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+    [
+      {
+        "comment": "Obtaining tainted XML text.",
+        "class": "xxe01.Main",
+        "method": "make_tainted:(Ljava/lang/String;)Ljava/lang/String;",
+        "result": {
+          "location": "returns",
+          "taint": "Tainted XML text"
+        }
+      },
+      {
+        "comment": "Obtaining XML stream reader with external entities enabled for tainted XML text.",
+        "class": "xxe01.XMLInputFactory",
+        "method": "DIFFBLUE_createXMLStreamReader:(Ljava/lang/String;)Lxxe01/XMLStreamReader;",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted XML text"
+        },
+        "result": {
+          "location": "returns",
+          "taint": "Reader of tainted XML with external entities enabled"
+        }
+      },
+      {
+        "comment": "Unmarshalling an object by reading tainted XML document with external entities enabled.",
+        "class": "xxe01.Unmarshaller",
+        "method": "unmarshal:(Lxxe01/XMLStreamReader;)Ljava/lang/Object;",
+        "sinkTarget": {
+          "location": "arg1",
+          "vulnerability": "Reader of tainted XML with external entities enabled"
+        },
+        "message": "Unmarshalling an object by reading tainted XML document with external entities enabled."
+      }
+    ]
+}
+
+

regression/end_to_end/xxe01/src/JAXBContext.java

@@ -0,0 +1,13 @@
+package xxe01;
+
+
+class JAXBContext {
+    public static JAXBContext newInstance(String s) {
+        return new JAXBContext();
+    }
+    
+    public Unmarshaller createUnmarshaller() {
+        return new Unmarshaller();
+    }
+}
+

regression/end_to_end/xxe01/src/Main.java

@@ -0,0 +1,82 @@
+package xxe01;
+
+
+public class Main {
+
+    private static String make_tainted(String s) {
+        return s;
+    }
+    
+    private static void test_no_xxe_explicit(String xml_from_attacker) {
+        JAXBContext jc = JAXBContext.newInstance("xxe01.MyClass");
+        XMLInputFactory xif = XMLInputFactory.newFactory();
+        xif.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+        XMLStreamReader xsr = xif.createXMLStreamReader(xml_from_attacker);
+        Unmarshaller unmarshaller = jc.createUnmarshaller();
+        MyClass myClass = (MyClass)unmarshaller.unmarshal(xsr);
+    }
+
+    private static void test_no_xxe_implicit(String xml_from_attacker) {
+        JAXBContext jc = JAXBContext.newInstance("xxe01.MyClass");
+        XMLInputFactory xif = XMLInputFactory.newFactory();
+        //xif.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+        XMLStreamReader xsr = xif.createXMLStreamReader(xml_from_attacker);
+        Unmarshaller unmarshaller = jc.createUnmarshaller();
+        MyClass myClass = (MyClass)unmarshaller.unmarshal(xsr);
+    }
+
+    private static void test_simple(String xml_from_attacker) {
+        JAXBContext jc = JAXBContext.newInstance("xxe01.MyClass");
+        XMLInputFactory xif = XMLInputFactory.newFactory();
+        xif.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
+        XMLStreamReader xsr = xif.createXMLStreamReader(xml_from_attacker);
+        Unmarshaller unmarshaller = jc.createUnmarshaller();
+        MyClass myClass = (MyClass)unmarshaller.unmarshal(xsr);
+    }
+
+    private static void test_guess_value(String xml_from_attacker, boolean property_value) {
+        JAXBContext jc = JAXBContext.newInstance("xxe01.MyClass");
+        XMLInputFactory xif = XMLInputFactory.newFactory();
+        xif.setProperty("javax.xml.stream.isSupportingExternalEntities", property_value);
+        XMLStreamReader xsr = xif.createXMLStreamReader(xml_from_attacker);
+        Unmarshaller unmarshaller = jc.createUnmarshaller();
+        MyClass myClass = (MyClass)unmarshaller.unmarshal(xsr);
+    }
+
+    private static void test_guess_property(String xml_from_attacker, String property_name) {
+        JAXBContext jc = JAXBContext.newInstance("xxe01.MyClass");
+        XMLInputFactory xif = XMLInputFactory.newFactory();
+        xif.setProperty(property_name, true);
+        XMLStreamReader xsr = xif.createXMLStreamReader(xml_from_attacker);
+        Unmarshaller unmarshaller = jc.createUnmarshaller();
+        MyClass myClass = (MyClass)unmarshaller.unmarshal(xsr);
+    }
+
+    private static void test_guess_property_and_value(String xml_from_attacker, String property_name, boolean property_value) {
+        JAXBContext jc = JAXBContext.newInstance("xxe01.MyClass");
+        XMLInputFactory xif = XMLInputFactory.newFactory();
+        xif.setProperty(property_name, property_value);
+        XMLStreamReader xsr = xif.createXMLStreamReader(xml_from_attacker);
+        Unmarshaller unmarshaller = jc.createUnmarshaller();
+        MyClass myClass = (MyClass)unmarshaller.unmarshal(xsr);
+    }
+
+    public static void main(String[] args) {
+        if (args.length < 3)
+            return;
+
+        String xml_from_attacker = make_tainted(args[0]);
+        String property_name = args[1];
+        boolean property_value = false;
+        if (args[2] == "TRUE")
+            property_value = true;
+
+        test_no_xxe_explicit(xml_from_attacker);
+        test_no_xxe_implicit(xml_from_attacker);
+        test_simple(xml_from_attacker);
+        test_guess_value(xml_from_attacker, property_value);
+        test_guess_property(xml_from_attacker, property_name);
+        test_guess_property_and_value(xml_from_attacker, property_name, property_value);
+    }
+}
+

regression/end_to_end/xxe01/src/MyClass.java

@@ -0,0 +1,7 @@
+package xxe01;
+
+
+// This is user's class to be unmarshaled from XML data.
+class MyClass {
+}
+

regression/end_to_end/xxe01/src/Unmarshaller.java

@@ -0,0 +1,9 @@
+package xxe01;
+
+
+class Unmarshaller {
+    public Object unmarshal(XMLStreamReader xsr) {
+        return new MyClass();
+    }
+}
+

regression/end_to_end/xxe01/src/XMLInputFactory.java

@@ -0,0 +1,52 @@
+package xxe01;
+import java.util.HashMap;
+
+
+class XMLInputFactory {
+    public static XMLInputFactory newFactory() {
+        return new XMLInputFactory();
+    }
+
+    public XMLInputFactory() {
+        this.props = new HashMap<String, Object>();
+        this.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+    }
+
+    public void setProperty(String key, Object value) {
+        this.props.put(key, value);
+
+        // DIFFBLUE MODEL - BEGIN
+        if (key == "javax.xml.stream.isSupportingExternalEntities") {
+            if (value instanceof Boolean) {
+                if ((Boolean)value == true)
+                    this.DIFFBLUE_isSupportingExternalEntities = true;
+                else
+                    this.DIFFBLUE_isSupportingExternalEntities = false;
+            }
+        }
+        // DIFFBLUE MODEL - END
+    }
+
+    public Object getProperty(String key) {
+        return this.props.get(key);
+    }
+
+    public XMLStreamReader createXMLStreamReader(String xml) {
+        // DIFFBLUE MODEL - BEGIN
+        if (DIFFBLUE_isSupportingExternalEntities == true)
+            return DIFFBLUE_createXMLStreamReader(xml);
+        // DIFFBLUE MODEL - END
+        return new XMLStreamReader();
+    }
+
+    private HashMap<String, Object> props;
+
+    // DIFFBLUE MODEL - BEGIN
+    private XMLStreamReader DIFFBLUE_createXMLStreamReader(String xml) {
+        return new XMLStreamReader();
+    }
+
+    private boolean DIFFBLUE_isSupportingExternalEntities;
+    // DIFFBLUE MODEL - END
+}
+

regression/end_to_end/xxe01/src/XMLStreamReader.java

@@ -0,0 +1,6 @@
+package xxe01;
+
+
+class XMLStreamReader {
+}
+

regression/end_to_end/xxe01/test_xxe01.py

@@ -0,0 +1,29 @@
+import fasteners
+import os
+import subprocess
+import pytest
+
+from regression.end_to_end.driver import run_security_analyser_pipeline
+import regression.utils as utils
+
+
+@pytest.mark.xfail(strict=True)
+@fasteners.interprocess_locked(os.path.join(os.path.dirname(__file__), ".build_lock"))
+def test_xxe01(load_strategy):
+    with utils.working_dir(os.path.abspath(os.path.dirname(__file__))):
+        subprocess.call(["ant"])
+    with run_security_analyser_pipeline(
+            "build",
+            "rules.json",
+            os.path.realpath(os.path.dirname(__file__)),
+            "xxe01.Main.main",
+            load_strategy) as traces:
+        assert traces.count_traces() == 4
+        assert traces.trace_exists(
+            "java::xxe01.Main.test_simple:(Ljava/lang/String;)V", 34)
+        assert traces.trace_exists(
+            "java::xxe01.Main.test_guess_value:(Ljava/lang/String;B)V", 43)
+        assert traces.trace_exists(
+            "java::xxe01.Main.test_guess_property:(Ljava/lang/String;Ljava/lang/String;)V", 52)
+        assert traces.trace_exists(
+            "java::xxe01.Main.test_guess_property:(Ljava/lang/String;Ljava/lang/String;B)V", 61)

src/taint-analysis/taint_summary.cpp

@@ -591,6 +591,7 @@ void  taint_algorithm_computing_summary_of_functiont::
     std::map<taint_variablet,taint_sett> &symbols_substitution,
     const numbered_lvalue_to_taint_mapt &a,
     const std::shared_ptr<taint_summaryt> summary,
+    const taint_summary_inputt &caller_summary_input,
     const code_function_callt &fn_call,
     const code_typet &fn_type,
     const local_value_set_analysist &lvsa,
@@ -656,6 +657,12 @@ void  taint_algorithm_computing_summary_of_functiont::
       const auto it = a.find(lvalue);
       if(it != a.cend())
         argument_taint |= it->second;
+      else
+      {
+        const auto input_it = caller_summary_input.find(lvalue);
+        if(input_it != caller_summary_input.cend())
+          argument_taint += input_it->second;
+      }
     }
 
     symbols_substitution.insert({ input.second, argument_taint });
@@ -759,25 +766,13 @@ void taint_algorithm_computing_summary_of_functiont::initialise_input(
         continue;
       irep_idt callee_id = to_symbol_expr(callee_expr).get_identifier();
 
-      if(!database.contains(callee_id) || transition_rules->has_rule(callee_id))
+      for(const auto &arg : fn_call.arguments())
       {
-        // This is either a recursive function or a function for which we have
-        // a rule (any function not in the database has not been processed and
-        // since we're following an inverted topological ordering it therefore
-        // must recursively call us)
-        // If we don't have a summary then we assume that the function could
-        // use any of its arguments. If the function has a rule then it
-        // probably will use some of its arguments.
-        // In the future we could be more precise about exactly which arguments
-        // are used in the rule.
-        for(const auto &arg : fn_call.arguments())
-        {
-          collect_lvsa_access_paths_extended(
-            arg, it, lvsa, environment, false);
-        }
-        if(!database.contains(callee_id))
-          continue;
+        collect_lvsa_access_paths_extended(
+          arg, it, lvsa, environment, false);
       }
+      if(!database.contains(callee_id))
+        continue;
 
       const std::shared_ptr<taint_summaryt> summary = database.at(callee_id);
       for(const std::pair<taint_lvalue_numbert, taint_sett> &lvalue_taint
@@ -1031,6 +1026,7 @@ taint_algorithm_computing_summary_of_functiont::transform(
             symbols_substitution,
             a,
             summary,
+            input,
             fn_call,
             fn_type,
             lvsa,

src/taint-analysis/taint_summary.h

@@ -361,6 +361,7 @@ class taint_algorithm_computing_summary_of_functiont
     std::map<taint_variablet,taint_sett> &symbols_substitution,
     const numbered_lvalue_to_taint_mapt &a,
     const std::shared_ptr<taint_summaryt> summary,
+    const taint_summary_inputt &caller_summary_input,
     const code_function_callt &fn_call,
     const code_typet &fn_type,
     const local_value_set_analysist &lvsa,