Page MenuHomePhabricator
Create Task
Maniphest T253875

Make taint-check understand array offsets
Closed, ResolvedPublic
Actions

Description

A possible implementation I've been thinking about:

  • In each possibly-array phan object, create a property like $obj->offsetTaintedness = [ 'overall' => 0, 'keys' => [] ]
  • When we find an offset assignment:
    • If we can determine the offset with 100% accuracy, add the taintedness (same $override as setTaintedness) to $obj->offsetTaintedness['keys'][ $key_being_assigned ]
    • If we cannot determine the offset, add the taintedness ($override = false) to $obj->offsetTaintedness['overall']
    • If we cannot determine an offset, but not with 100% accuracy (i.e. $idx = rand() ? 'literal' : $unknown), add it to both the key and the overall
  • When we find an offset access:
    • Always return the taintedness in 'overall'
    • If we can determine a key, OR the taintedness of that key to 'overall'
  • Perhaps handle array shape mutation (e.g. unset), but this is going to be difficult.

(Note: there might be more than one offset for both write and read operations)

This shouldn't be too hard to implement, and should work in easy cases. The main downside is that any uncertainty for a single write will affect all reads. For instance:

$arr['foo1'] = 'safe';
$arr['foo2'] = 'safe';
$arr['foo3'] = 'safe';
$arr[$unknown] = $_GET['tainted'];

echo $arr['foo1']; // Unsafe, same for foo2 and foo3

Details

SubjectRepoBranchLines +/-
Track taintedness of single array elementsmediawiki/tools/phan/SecurityCheckPluginmaster+1 K -65
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.May 28 2020, 2:33 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 28 2020, 2:33 PM
Daimona triaged this task as Lowest priority.May 28 2020, 5:28 PM

I tried implementing this, a few remarks:

  • When we find an offset assignment:
    • If we can determine the offset with 100% accuracy, add the taintedness (same $override as setTaintedness) to $obj->offsetTaintedness['keys'][ $key_being_assigned ]
    • If we cannot determine the offset, add the taintedness ($override = false) to $obj->offsetTaintedness['overall']
    • If we cannot determine an offset, but not with 100% accuracy (i.e. $idx = rand() ? 'literal' : $unknown), add it to both the key and the overall
  • Phan offers ContextNode::getEquivalentPHPScalarValue to do that; however, it can only either return a scalar if it's 100% sure, or nothing, so we only have two cases
  • If no offset taint exists at all, we should return the taintedness of the variable as always.
  • visitAssign becomes very complicated.
    • It would have to handle the case with AST_DIM at the LHS, and with AST_ARRAY at the RHS, and potentially both at the same time
    • It's already a mess due to potentially having many LHS object and/or many RHS objects...
    • It should also keep setting the taintedness property, for code paths that don't read offsetTaintedness
    • Handling of $override becomes messy
  • Getting taint of an AST_ARRAY node can now have two meanings...
  • When we find an offset access:
    • Always return the taintedness in 'overall'
    • If we can determine a key, OR the taintedness of that key to 'overall'

And if we cannot determine a key, add the taintedness of all keys as well.

Given this initial bit of investigation, I think this won't happen anytime soon.

Daimona raised the priority of this task from Lowest to Medium.Jun 29 2020, 10:45 PM

Given the recent improvements of conditional branches and a few other things still under review, I'd like to retry this one. I think this is currently the biggest limitation of the plugin; fixing this would get us very close to declaring the plugin out of beta.

Perhaps I should try a different implementation, that would likely take advantage of the UnionType of arrays (i.e. storing taint data there). Unsure if it's doable, but it would be way more precise.

Daimona claimed this task.Jul 1 2020, 9:32 AM
gerritbot added a comment.Jul 6 2020, 7:32 AM

Change 609500 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/tools/phan/SecurityCheckPlugin@master] Analyze array elements on their own

https://gerrit.wikimedia.org/r/609500

gerritbot added a project: Patch-For-Review.Jul 6 2020, 7:32 AM
Daimona added a comment.Jul 6 2020, 7:37 AM
In T253875#6265949, @Daimona wrote:

Given the recent improvements of conditional branches and a few other things still under review, I'd like to retry this one. I think this is currently the biggest limitation of the plugin; fixing this would get us very close to declaring the plugin out of beta.

Perhaps I should try a different implementation, that would likely take advantage of the UnionType of arrays (i.e. storing taint data there). Unsure if it's doable, but it would be way more precise.

FTR, I ended up redoing the original implementation, but using value objects to store taintedness (as opposed to plain integers), so a single object can have multiple types of taintedness.

I also confirm that this is the last big limitation before moving out of beta; the rest is just fixing/improving stuff here and there, but nothing terrible.

gerritbot added a comment.Jul 6 2020, 7:42 AM

Change 609500 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/tools/phan/SecurityCheckPlugin@master] Analyze array elements on their own

https://gerrit.wikimedia.org/r/609500

Daimona mentioned this in T204911: make phan-taint-check handle array_map.Jul 6 2020, 8:28 AM
Daimona merged a task: T201806: Using multi dimensions array in Database::select shows false positive on taint-check-plugin.Jul 6 2020, 11:50 AM
Daimona added subscribers: Umherirrender, Bawolff.
Daimona moved this task from Backlog to Plugin itself on the phan-taint-check-plugin board.Jul 9 2020, 4:00 PM
gerritbot added a comment.Nov 21 2020, 7:06 PM

Change 609500 merged by jenkins-bot:
[mediawiki/tools/phan/SecurityCheckPlugin@master] Track taintedness of single array elements

https://gerrit.wikimedia.org/r/609500

Daimona mentioned this in rMTPS031d64516ea2: Store taintedness in a value object.Nov 21 2020, 7:30 PM
Daimona mentioned this in rMTPSca728b66f2ae: Track taintedness of single array elements.
Daimona closed this task as Resolved.Nov 25 2020, 6:18 PM
Daimona removed a project: Patch-For-Review.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL