Merge pull request diffblue#303 from diffblue/enhancment/more_end_to_end_regression_tests

SEC-167: Introducing 4 failing end-to-end regression tests

Author: marek-trtik

regression/end_to_end/overloaded_source/build.xml

@@ -0,0 +1,27 @@
+<project name="overloaded_source" basedir="." default="jar">
+
+  <property name="root.dir"      value="./"/>
+  <property name="src.dir"       value="${root.dir}/src"/>
+  <property name="classes.dir"   value="${root.dir}/build"/>
+  <property name="install.dir"   value="${root.dir}/dist"/>
+
+  <target name="jar">
+    <antcall target="compile" />
+    <mkdir dir="${install.dir}"/>
+    <jar destfile="${install.dir}/overloaded_source.jar" basedir="${classes.dir}" />
+  </target>  
+  
+  <target name="compile">
+    <antcall target="clean" />
+    <mkdir dir="${classes.dir}"/>
+    <javac srcdir="${src.dir}" destdir="${classes.dir}" includeantruntime="false" debug="on">
+    </javac>
+  </target>
+
+  <target name="clean">
+    <delete dir="${classes.dir}"/>
+    <delete dir="${install.dir}"/>
+  </target>
+
+
+</project>

regression/end_to_end/overloaded_source/rules.json

@@ -0,0 +1,24 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+  [
+    {
+      "comment": "Obtaining tainted data.",
+      "class": "HTTPServletRequest",
+      "method": "getTaintedData:()I",
+      "result": {
+        "location": "return_value",
+        "taint": "Tainted string"
+      }
+    },
+    {
+      "comment": "Writing potentially tainted data to a sink.",
+      "class": "Main",
+      "method": "sink:(I)V",
+      "sinkTarget": {
+        "location": "arg0",
+        "vulnerability": "Tainted string"
+      }
+    }
+  ]
+}

regression/end_to_end/overloaded_source/src/Main.java

@@ -0,0 +1,18 @@
+interface HTTPServletRequest {
+    public int getTaintedData();
+}
+
+class MyHTTPServletRequest implements HTTPServletRequest {
+    public int getTaintedData() {
+        return 0;
+    }
+}
+
+public class Main {
+    private static void sink(int o) {}
+
+    public static void main() {
+        MyHTTPServletRequest source = new MyHTTPServletRequest();
+        sink(source.getTaintedData());
+    }
+}

regression/end_to_end/overloaded_source/test_overloaded_source.py

@@ -0,0 +1,22 @@
+import regression.end_to_end.driver as pipeline_executor
+import os
+import subprocess
+import pytest
+import regression.utils as utils
+
+
+@pytest.mark.xfail(strict=True)
+def test_overloaded_source():
+    """
+    The 'Obtaining tainted data.' rule is defined over the interface, but
+    the data are taken from an implementation class. And so the rule is not
+    applied.
+    """
+    with utils.working_dir(os.path.abspath(os.path.dirname(__file__))):
+        subprocess.call("ant")
+    traces = pipeline_executor.run_security_analyser_pipeline(
+        os.path.join("dist", "overloaded_source.jar"),
+        "rules.json",
+        os.path.realpath(os.path.dirname(__file__)))
+    assert traces.count_traces() == 1
+    assert traces.trace_exists("java::Main.main:()V", 16)

regression/end_to_end/taint_over_downcast/build.xml

@@ -0,0 +1,27 @@
+<project name="taint_over_downcast" basedir="." default="jar">
+
+  <property name="root.dir"      value="./"/>
+  <property name="src.dir"       value="${root.dir}/src"/>
+  <property name="classes.dir"   value="${root.dir}/build"/>
+  <property name="install.dir"   value="${root.dir}/dist"/>
+
+  <target name="jar">
+    <antcall target="compile" />
+    <mkdir dir="${install.dir}"/>
+    <jar destfile="${install.dir}/taint_over_downcast.jar" basedir="${classes.dir}" />
+  </target>  
+  
+  <target name="compile">
+    <antcall target="clean" />
+    <mkdir dir="${classes.dir}"/>
+    <javac srcdir="${src.dir}" destdir="${classes.dir}" includeantruntime="false" debug="on">
+    </javac>
+  </target>
+
+  <target name="clean">
+    <delete dir="${classes.dir}"/>
+    <delete dir="${install.dir}"/>
+  </target>
+
+
+</project>

regression/end_to_end/taint_over_downcast/rules.json

@@ -0,0 +1,24 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+  [
+    {
+      "comment": "Obtaining tainted data.",
+      "class": "Main",
+      "method": "makeTainted:(LBase;)V",
+      "result": {
+        "location": "arg0",
+        "taint": "Tainted data"
+      }
+    },
+    {
+      "comment": "Writing potentially tainted data to a sink.",
+      "class": "Main",
+      "method": "sink:(LDerived;)V",
+      "sinkTarget": {
+        "location": "arg0",
+        "vulnerability": "Tainted data"
+      }
+    }
+  ]
+}

regression/end_to_end/taint_over_downcast/src/Main.java

@@ -0,0 +1,13 @@
+class Base {}
+class Derived extends Base {}
+
+public class Main {
+    private static void makeTainted(Base o) {}
+    private static void sink(Derived o) {}
+
+    public static void main() {
+        Base a = new Derived();
+        makeTainted(a);
+        sink((Derived)a);
+    }
+}

regression/end_to_end/taint_over_downcast/test_taint_over_downcast.py

@@ -0,0 +1,29 @@
+import regression.end_to_end.driver as pipeline_executor
+import os
+import subprocess
+import pytest
+import regression.utils as utils
+
+
+@pytest.mark.xfail(strict=True)
+def test_taint_over_downcast():
+    """
+    Wrong handling of down-casting. Here are related lines of the goto program:
+            new_tmp0 = ALLOCATE(struct Derived, 5ul, false);
+            a = (struct Base *)&new_tmp0->@Base;
+            a->@__CPROVER_com_diffblue_security_Tainted_data = true;
+            IF !((struct Derived *)a)->@__CPROVER_com_diffblue_security_Tainted_data THEN GOTO 2
+            ASSERT false
+        2:  ...
+    So, the access path to @__CPROVER_com_diffblue_security_Tainted in the IF
+    statement should rather be
+            (&(((struct Derived *)a)->@Base))->@__CPROVER_com_diffblue_security_Tainted
+    """
+    with utils.working_dir(os.path.abspath(os.path.dirname(__file__))):
+        subprocess.call("ant")
+    traces = pipeline_executor.run_security_analyser_pipeline(
+        os.path.join("dist", "taint_over_downcast.jar"),
+        "rules.json",
+        os.path.realpath(os.path.dirname(__file__)))
+    assert traces.count_traces() == 1
+    assert traces.trace_exists("java::Main.main:()V", 11)

regression/end_to_end/taint_over_list/build.xml

@@ -0,0 +1,27 @@
+<project name="taint_over_list" basedir="." default="jar">
+
+  <property name="root.dir"      value="./"/>
+  <property name="src.dir"       value="${root.dir}/src"/>
+  <property name="classes.dir"   value="${root.dir}/build"/>
+  <property name="install.dir"   value="${root.dir}/dist"/>
+
+  <target name="jar">
+    <antcall target="compile" />
+    <mkdir dir="${install.dir}"/>
+    <jar destfile="${install.dir}/taint_over_list.jar" basedir="${classes.dir}" />
+  </target>  
+  
+  <target name="compile">
+    <antcall target="clean" />
+    <mkdir dir="${classes.dir}"/>
+    <javac srcdir="${src.dir}" destdir="${classes.dir}" includeantruntime="false" debug="on">
+    </javac>
+  </target>
+
+  <target name="clean">
+    <delete dir="${classes.dir}"/>
+    <delete dir="${install.dir}"/>
+  </target>
+
+
+</project>

regression/end_to_end/taint_over_list/rules.json

@@ -0,0 +1,50 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+  [
+    {
+      "comment": "Obtaining tainted data.",
+      "class": "Main",
+      "method": "makeTainted:(LA;)V",
+      "result": {
+        "location": "arg0",
+        "taint": "Tainted data"
+      }
+    },
+    {
+      "comment": "Put tainted data to list",
+      "class": "ArrayList",
+      "method": "add:(LA;)V",
+      "input": {
+        "location": "arg1",
+        "taint": "Tainted data"
+      },
+      "result": {
+        "location": "this",
+        "taint": "Tainted list"
+      }
+    },
+    {
+      "comment": "Get tainted data from list",
+      "class": "ArrayList",
+      "method": "get:(I)LA;",
+      "input": {
+        "location": "this",
+        "taint": "Tainted list"
+      },
+      "result": {
+        "location": "returns",
+        "taint": "Tainted data"
+      }
+    },
+    {
+      "comment": "Writing potentially tainted data to a sink.",
+      "class": "Main",
+      "method": "sink:(LA;)V",
+      "sinkTarget": {
+        "location": "arg0",
+        "vulnerability": "Tainted data"
+      }
+    }
+  ]
+}

regression/end_to_end/taint_over_list/src/Main.java

@@ -0,0 +1,35 @@
+interface List<T> {
+    public T get(int idx);
+    public void add(T o);
+}
+
+class ArrayList<T> implements List<T> {
+    ArrayList() {
+        this.data = (T[])new Object[10];
+        last = 0;
+    }
+    public T get(int idx) {
+        return (T)data[idx];
+    }
+    public void add(T o) {
+        data[last] = o;
+        last += 1;
+    }
+
+    private T[] data;
+    private int last;
+}
+
+class A {}
+
+public class Main {
+    private static void makeTainted(A o) {}
+    private static void sink(A o) {}
+
+    public static void main() {
+        ArrayList<A> L = new ArrayList<A>();
+        L.add(new A());
+        makeTainted(L.get(0));
+        sink(L.get(0));
+    }
+}

regression/end_to_end/taint_over_list/test_taint_over_list.py

@@ -0,0 +1,21 @@
+import regression.end_to_end.driver as pipeline_executor
+import os
+import subprocess
+import pytest
+import regression.utils as utils
+
+
+@pytest.mark.xfail(strict=True)
+def test_taint_over_list():
+    """
+    The problem is in the full-slicer. It removes code from ArrayList.add.
+    When the slicer is disabled (skipped) the results is correct.
+    """
+    with utils.working_dir(os.path.abspath(os.path.dirname(__file__))):
+        subprocess.call("ant")
+    traces = pipeline_executor.run_security_analyser_pipeline(
+        os.path.join("dist", "taint_over_list.jar"),
+        "rules.json",
+        os.path.realpath(os.path.dirname(__file__)))
+    assert traces.count_traces() == 1
+    assert traces.trace_exists("java::Main.main:()V", 33)

regression/end_to_end/taint_over_list_models/build.xml

@@ -0,0 +1,27 @@
+<project name="taint_over_list_models" basedir="." default="jar">
+
+  <property name="root.dir"      value="./"/>
+  <property name="src.dir"       value="${root.dir}/src"/>
+  <property name="classes.dir"   value="${root.dir}/build"/>
+  <property name="install.dir"   value="${root.dir}/dist"/>
+
+  <target name="jar">
+    <antcall target="compile" />
+    <mkdir dir="${install.dir}"/>
+    <jar destfile="${install.dir}/taint_over_list_models.jar" basedir="${classes.dir}" />
+  </target>  
+  
+  <target name="compile">
+    <antcall target="clean" />
+    <mkdir dir="${classes.dir}"/>
+    <javac srcdir="${src.dir}" destdir="${classes.dir}" includeantruntime="false" debug="on">
+    </javac>
+  </target>
+
+  <target name="clean">
+    <delete dir="${classes.dir}"/>
+    <delete dir="${install.dir}"/>
+  </target>
+
+
+</project>