From 47ac8e0028d88f3f103412df1574eb8212d57765 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Fri, 20 Nov 2020 11:19:59 +0000 Subject: Add Psalm Taint Flow Analysis This adds the Psalm Security Analysis, as described at https://psalm.dev/docs/security_analysis/ It also adds a plugin for adding input into AppFramework. The results can be viewed in the GitHub Security tab at https://github.com/nextcloud/server/security/code-scanning **Q&A:** Q: Why do you not use the shipped Psalm version? A: I do a lot of changes to the Psalm Taint behaviour. Using released versions is not gonna get us the results we want. Q: How do I improve false positives? A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/ Q: How do I add custom sources? A: https://psalm.dev/docs/security_analysis/custom_taint_sources/ Q: We should run this on apps! A: Yes. Q: What will change in Psalm? A: Quite some of the PHP core functions are not yet marked to propagate the taint. This leads to results where the taint flow is lost. That's something that I am currently working on. Q: Why is the plugin MIT licensed? A: Because its the first of its kind (based on GitHub Code Search) and I want other people to copy it if they want to. Security is for all :) Signed-off-by: Lukas Reschke --- build/psalm/AppFrameworkTainter.php | 60 +++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 build/psalm/AppFrameworkTainter.php (limited to 'build/psalm') diff --git a/build/psalm/AppFrameworkTainter.php b/build/psalm/AppFrameworkTainter.php new file mode 100644 index 00000000000..9b2f719a447 --- /dev/null +++ b/build/psalm/AppFrameworkTainter.php @@ -0,0 +1,60 @@ + + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ +use Psalm\CodeLocation; +use Psalm\Plugin\Hook\AfterFunctionLikeAnalysisInterface; +use Psalm\Type\TaintKindGroup; + +class AppFrameworkTainter implements AfterFunctionLikeAnalysisInterface { + public static function afterStatementAnalysis( + PhpParser\Node\FunctionLike $stmt, + Psalm\Storage\FunctionLikeStorage $classlike_storage, + Psalm\StatementsSource $statements_source, + Psalm\Codebase $codebase, + array &$file_replacements = [] + ): ?bool { + if ($statements_source->getFQCLN() !== null) { + if ($codebase->classExtendsOrImplements($statements_source->getFQCLN(), \OCP\AppFramework\Controller::class)) { + if ($stmt instanceof PhpParser\Node\Stmt\ClassMethod) { + if ($stmt->isPublic() && !$stmt->isMagic()) { + foreach ($stmt->params as $i => $param) { + $expr_type = new Psalm\Type\Union([new Psalm\Type\Atomic\TString()]); + $expr_identifier = (strtolower($statements_source->getFQCLN()) . '::' . strtolower($classlike_storage->cased_name) . '#' . ($i+1)); + + if ($expr_type) { + $codebase->addTaintSource( + $expr_type, + $expr_identifier, + TaintKindGroup::ALL_INPUT, + new CodeLocation($statements_source, $param) + ); + } + } + } + } + } + } + return null; + } +} -- cgit v1.2.3