[Fall 2021] Step 2: Coverage Improvement - Add coverage for AWS libraries (botocore/boto3)

[onionymous]

boto3 and its lower-level counterpart botocore provide a programmatic interface to AWS services. We should identify what functions in these libraries are sensitive in these libraries and add new models and rules for them.

Some areas to think about:

• User-controlled data flowing to functions that perform sensitive actions
• Functions that return keys or secrets shouldn't be logged
• Hardcoded AWS keys being used (we already have a rule for this here at https://github.com/facebook/pyre-check/blob/main/stubs/taint/core_privacy_security/taint.config#L85, but there might be more authentication sinks we haven't found)

This is a bit more open-ended project that will require some research and thinking about potential vulnerabilities that can occur.

Submitting a PR

We use the following linters internally, so to save everyone's time, please make sure you run the following linters locally and fix errors related to the files you modified before submitting a PR:

black && usort format . && flake8

To install the linters, you can run the following command:

pip install flake8 usort black==21.4b2

[abishekvashok]

I can do this :)

[r0rshark]

@abishekvashok @0xedward Thanks for working on this! The library is very big. Let's focus only on high impact issues like SQLi and RemoteCode execution for common services. Otherwise we risk to end up defining a lot of models which are not practically used :)

[abishekvashok]

@r0rshark okay! That's indeed a great suggestion