AppThreat / atom

Atom is a novel intermediate representation for applications and a standalone tool that is powered by chen.
https://appthreat.com
Apache License 2.0

Question about reachables-slices.json result #152

Open 0x456de opened 3 months ago

0x456de commented 3 months ago

Hi! I'm trying to understand how exactly reachables slices are created, so I am using the following dummy sample code.

import fs from 'fs';
import path from 'path';
import http from 'http';

// Module-level binding for the server; it is assigned by the createServer call further down.
let server;

/**
 * Stream a file from the 'sandbo' directory under the current working
 * directory into the given response.
 *
 * @param res  Destination the read stream is piped into.
 * @param file Path segment joined onto '<cwd>/sandbo'.
 * @param type Unused in this function.
 */
function pipeFileToMyResponse(res, file, type) {
  // path.resolve() with no arguments yields the current working directory.
  // NOTE(review): path.join() normalises '..' segments and nothing here checks
  // that the result stays under 'sandbo', so `file` must not be request-derived;
  // the only caller in this sample passes the constant './client.html'.
  // NOTE(review): no 'error' listener is attached to the read stream, so a
  // missing file surfaces as an unhandled stream error.
  // NOTE(review): `fs` and `path` are imported by bare name, which Node resolves
  // to its built-in modules; the slice tags for this call
  // (pkg:npm/fs@0.0.1-security, pkg:npm/path@0.12.7) name registry packages with
  // the same names, presumably because package.json declares them. Confirm
  // before reading the flow as reachability of those registry packages.
  fs.createReadStream(path.join(path.resolve(), 'sandbo', file)).pipe(res);
}

// Create the server (listen() is not called in this snippet). The handler
// ignores `req` and always serves the fixed path './client.html', so no request
// data reaches the file path. The commented-out url.parse line is part of the
// callback's source text and appears verbatim in the slice's "code" field.
// NOTE(review): `http` is Node's built-in module here, while the slice tags it
// as pkg:npm/http@0.0.1-security, a registry package of the same name.
server = http.createServer(function (req, res) { 
  //url.parse(req.url,
  pipeFileToMyResponse(res, './client.html'); 
});

Next, I generate bom.json in deep mode with cdxgen and get the reachables. The result for my sample code:

{
    "reachables": [
        {
            "flows": [
                {
                    "id": 93,
                    "label": "IDENTIFIER",
                    "name": "http",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "http.createServer(function (req, res) { \n  //url.parse(req.url,\n  pipeFileToMyResponse(res, './client.html'); \n})",
                    "typeFullName": "",
                    "parentMethodName": ":program",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 11,
                    "columnNumber": 9,
                    "tags": "pkg:npm/http@0.0.1-security"
                },
                {
                    "id": 54,
                    "label": "METHOD_PARAMETER_IN",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "res",
                    "typeFullName": "ANY",
                    "parentMethodName": "anonymous",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 11,
                    "columnNumber": 42,
                    "tags": ""
                },
                {
                    "id": 59,
                    "label": "IDENTIFIER",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "pipeFileToMyResponse(res, './client.html')",
                    "typeFullName": "",
                    "parentMethodName": "anonymous",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 13,
                    "columnNumber": 23,
                    "tags": ""
                },
                {
                    "id": 17,
                    "label": "METHOD_PARAMETER_IN",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "res",
                    "typeFullName": "ANY",
                    "parentMethodName": "pipeFileToMyResponse",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 7,
                    "columnNumber": 30,
                    "tags": ""
                },
                {
                    "id": 44,
                    "label": "IDENTIFIER",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "fs.createReadStream(path.join(path.resolve(), 'sandbo', file)).pipe(res)",
                    "typeFullName": "",
                    "parentMethodName": "pipeFileToMyResponse",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 8,
                    "columnNumber": 70,
                    "tags": "pkg:npm/fs@0.0.1-security, pkg:npm/path@0.12.7"
                }
            ],
            "purls": [
                "pkg:npm/path@0.12.7",
                "pkg:npm/http@0.0.1-security",
                "pkg:npm/fs@0.0.1-security"
            ]
        },
        {
            "flows": [
                {
                    "id": 93,
                    "label": "IDENTIFIER",
                    "name": "http",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "http.createServer(function (req, res) { \n  //url.parse(req.url,\n  pipeFileToMyResponse(res, './client.html'); \n})",
                    "typeFullName": "",
                    "parentMethodName": ":program",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 11,
                    "columnNumber": 9,
                    "tags": "pkg:npm/http@0.0.1-security"
                },
                {
                    "id": 54,
                    "label": "METHOD_PARAMETER_IN",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "res",
                    "typeFullName": "ANY",
                    "parentMethodName": "anonymous",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 11,
                    "columnNumber": 42,
                    "tags": ""
                },
                {
                    "id": 59,
                    "label": "IDENTIFIER",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "pipeFileToMyResponse(res, './client.html')",
                    "typeFullName": "",
                    "parentMethodName": "anonymous",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 13,
                    "columnNumber": 23,
                    "tags": ""
                },
                {
                    "id": 17,
                    "label": "METHOD_PARAMETER_IN",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "res",
                    "typeFullName": "ANY",
                    "parentMethodName": "pipeFileToMyResponse",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 7,
                    "columnNumber": 30,
                    "tags": ""
                },
                {
                    "id": 44,
                    "label": "IDENTIFIER",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "fs.createReadStream(path.join(path.resolve(), 'sandbo', file)).pipe(res)",
                    "typeFullName": "",
                    "parentMethodName": "pipeFileToMyResponse",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 8,
                    "columnNumber": 70,
                    "tags": "pkg:npm/fs@0.0.1-security, pkg:npm/path@0.12.7"
                }
            ],
            "purls": [
                "pkg:npm/path@0.12.7",
                "pkg:npm/http@0.0.1-security",
                "pkg:npm/fs@0.0.1-security"
            ]
        }
    ]
}

However, when I change code to this one:

import fs from 'fs';
import path from 'path';
import http from 'http';

// Module-level binding for the server; it is assigned by the createServer call further down.
let server;

/**
 * Stream a file from the 'sandbo' directory under the current working
 * directory into the given response.
 *
 * @param res  Destination the read stream is piped into.
 * @param file Path segment joined onto '<cwd>/sandbo'.
 * @param type Unused in this function.
 */
function pipeFileToMyResponse(res, file, type) {
  // path.resolve() with no arguments yields the current working directory.
  // NOTE(review): path.join() normalises '..' segments and nothing here checks
  // that the result stays under 'sandbo', so `file` must not be request-derived;
  // the only caller in this sample passes the constant './client.html'.
  // NOTE(review): no 'error' listener is attached to the read stream, so a
  // missing file surfaces as an unhandled stream error.
  fs.createReadStream(path.join(path.resolve(), 'sandbo', file)).pipe(res);
}

// Create the server (listen() is not called in this snippet). The handler
// ignores `req` and always serves the fixed path './client.html', so no request
// data reaches the file path.
server = http.createServer(function (req, res) { 
  pipeFileToMyResponse(res, './client.html'); 
});

I get empty results. This behaviour seems strange to me, and I can't understand the reason for it. Could you explain, please?

prabhu commented 3 months ago

Reachables slicing requires a valid application, so a package.json, a lock file, and a deep mode bom.json file must be present in the same directory. Can you check whether all of these exist?

0x456de commented 3 months ago

So, I spent some hours diving deep into it.

I have this js-code

import http from 'http';

// Module-level binding for the server; it is assigned by the createServer call further down.
let server;

/**
 * Forward a value to `sandbox` unchanged.
 *
 * @param u Value passed straight through; the caller below supplies req.url.
 */
function myfunc(u) {
  // NOTE(review): `sandbox` is neither defined nor imported in this snippet, so
  // as far as this file shows the call targets an unresolved external name.
  sandbox(u); 
}

// Create the server (listen() is not called in this snippet). req.url is the
// client-supplied request target, i.e. untrusted input, and the handler hands
// it to myfunc() without any validation.
server = http.createServer(function (req, res) 
{ 
  myfunc(req.url); 
});

I notice that the "url" and "sandbox" identifiers are marked as framework-in and framework-out respectively. As I understand it, the algorithm uses these tags to build the full paths.

If you know why exactly these identifiers are tagged, please explain it to me :)

By the way, all attempts (the previous one and this one) were made with the deep bom.json, package and package-lock files present, and I removed the previous *.atom file before each run.

prabhu commented 3 months ago

It's a lengthy explanation. Can you join one of our office hours? They will resume in September.

0x456de commented 3 months ago

Do you mean we should return to this question in September?