[PATCH] D73536: [analyser][taint] Remove taint from symbolic expressions if used in comparisons

Artem Dergachev via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Jan 28 10:11:57 PST 2020


NoQ requested changes to this revision.
NoQ added a comment.
This revision now requires changes to proceed.

> Describing value constraints in the taint config file is unfeasible.

This is the only correct way to go, because, as you yourself point out, every sink function (or other use of a tainted value) does indeed have different constraint requirements. Checking the wrong requirements is a very common source of security issues and we cannot afford to destroy our ability to catch them.

Like, checking that the tainted value is non-zero is a good idea before dividing by that value, but it's clearly not sufficient before using the same value as an array index.

What exactly is preventing you from describing value constraints in the config file? Like, I get it that the generic case may get pretty rough (given that constraints may be potentially arbitrary algebraic expressions over function argument values and possibly other values), and I guess you could do a "poor man's" wildcard suppression for some sinks ("the constraint for this sink is so complicated that let's see if it was checked at all and think of it as fine if it was"), but we definitely should be able to try harder when it matters.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D73536/new/

https://reviews.llvm.org/D73536
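The division-versus-array-index point in the comment above, as an added example that is not part of the review, the patch, or the Clang static analyzer's own code. The sink kinds, the `sink_constraint` struct, the `guard_*` predicates and the table sizes are hypothetical names chosen here to show the shape a per-sink value constraint would need; a real checker would discharge the implication symbolically rather than by enumerating a small constructed domain as this does.

```c
/* Added example (not from the review or the clang analyzer): why a single
 * "was it checked at all" rule is not enough, and what a per-sink value
 * constraint would need to express. Names and the constraint format are
 * hypothetical; all input values are constructed. */
#include <limits.h>
#include <stdbool.h>

#define TABLE_LEN 8
static const int table[TABLE_LEN] = {10, 20, 30, 40, 50, 60, 70, 80};

/* Constraint a sink imposes on a tainted value before it may consume it.
 * A config entry per sink would carry exactly this kind of information. */
typedef enum { SINK_DIVISOR, SINK_ARRAY_INDEX } sink_kind;
typedef struct {
    sink_kind kind;
    long len;   /* only meaningful for SINK_ARRAY_INDEX */
} sink_constraint;

/* The predicate the sink actually needs on the value it receives. */
bool sink_constraint_holds(sink_constraint c, long v) {
    switch (c.kind) {
    case SINK_DIVISOR:     return v != 0;
    case SINK_ARRAY_INDEX: return v >= 0 && v < c.len;
    }
    return false;
}

/* Guards a program might write before the sink, as predicates. */
typedef bool (*guard_fn)(long v);
bool guard_nonzero(long v)  { return v != 0; }
bool guard_in_table(long v) { return v >= 0 && v < TABLE_LEN; }

/* A guard discharges taint for a sink only if every value the guard lets
 * through also satisfies the sink's constraint. Checked exhaustively on a
 * small constructed domain here; a checker would reason symbolically. */
bool guard_discharges_taint(guard_fn guard, sink_constraint c) {
    for (long v = -32; v <= 32; v++) {
        if (guard(v) && !sink_constraint_holds(c, v)) return false;
    }
    return true;
}

/* The two sinks, each protected by the check its own constraint requires.
 * Return false instead of consuming a value that fails the check. */
bool divide_tainted(int total, int tainted_divisor, int *out) {
    if (!guard_nonzero(tainted_divisor)) return false;
    if (total == INT_MIN && tainted_divisor == -1) return false; /* overflow */
    *out = total / tainted_divisor;
    return true;
}

bool index_tainted(int tainted_idx, int *out) {
    /* A non-zero check alone would still allow -1 or 8 through here. */
    if (!guard_in_table(tainted_idx)) return false;
    *out = table[tainted_idx];
    return true;
}
```

`guard_discharges_taint` is the part that matters for the review discussion: the same `guard_nonzero` check satisfies the divisor sink but fails the index sink, which is exactly why the sanitising condition has to be tied to the sink rather than to the mere presence of a comparison.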




