Open KarthickRaja2002 opened 1 year ago
Hello @KarthickRaja2002,
yes, the taint flow is available as part of the "extra" data for the TaintAnomaly detection. You can test this for example on some files from the built-in unit tests, like `aura scan tests/files/flask_app.py`
(add `-f json` for JSON output), and the output would look like this (snippet of a specific taint detection):
```json
{
  "score": 10,
  "type": "TaintAnomaly",
  "slug": "taintanomaly",
  "severity": "critical",
  "hash": 2205937520,
  "tags": [
    "misc:test_code",
    "vuln:taint"
  ],
  "extra": {
    "taint_log": [
      {
        "line_no": 34,
        "message": "AST node marked as sink using semantic rules",
        "path": "/Users/blah/aura/tests/files/flask_app.py"
      },
      {
        "line_no": 36,
        "message": "Taint propagated by return/yield statement",
        "path": "/Users/blah/aura/tests/files/flask_app.py",
        "taint_level": "TAINTED"
      }
    ]
  },
  "line": "return resp",
  "line_no": 36,
  "signature": "taint_anomaly#tests/files/flask_app.py#36",
  "message": "Tainted input is passed to the sink",
  "location": "tests/files/flask_app.py"
}
```
The `extra.taint_log` JSON path here contains a log of how the taint was propagated from the source to the sink.
It is possible that in some cases this `taint_log` is not fully complete or is missing, as it is not yet fully supported in all cases, especially if there are some generators or complicated `if` conditions
with recursive calls, as it's difficult to fully track the log of propagation in these cases. If you find such a case, then just open an issue and attach a sample with code to reproduce it.
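A small reader for that JSON output, added here as an example and not part of Aura or of the comment above: it pulls `extra.taint_log` out of every detection and prints the propagation trace, keeping detections that carry no log (the incomplete cases mentioned above) visible rather than dropping them. The sample report, the top-level `detections` key and the `has_log` field are assumptions for the example.

```python
import json

# Constructed sample of scanner JSON output (not real Aura output). The top-level
# "detections" key is an assumption; the entry shapes mirror the snippet above.
SAMPLE_OUTPUT = json.dumps({
    "detections": [
        {
            "type": "TaintAnomaly", "severity": "critical", "line_no": 36,
            "location": "tests/files/flask_app.py",
            "message": "Tainted input is passed to the sink",
            "extra": {"taint_log": [
                {"line_no": 34, "message": "AST node marked as sink using semantic rules",
                 "path": "tests/files/flask_app.py"},
                {"line_no": 36, "message": "Taint propagated by return/yield statement",
                 "path": "tests/files/flask_app.py", "taint_level": "TAINTED"},
            ]},
        },
        # A detection whose propagation was not tracked: no taint_log at all.
        {"type": "FunctionCall", "severity": "low", "line_no": 12,
         "location": "tests/files/flask_app.py", "message": "suspicious call", "extra": {}},
    ]
})


def extract_taint_flows(report_text):
    """Return one summary per detection: its sink and the taint_log steps (may be empty)."""
    report = json.loads(report_text)
    # Accept either a bare list of detections or a dict wrapping them (assumption).
    detections = report.get("detections", []) if isinstance(report, dict) else report
    flows = []
    for det in detections:
        log = (det.get("extra") or {}).get("taint_log") or []
        # Keep the log's own order: it is the sequence in which taint was propagated.
        steps = [(e.get("path", "?"), e.get("line_no", 0),
                  e.get("taint_level", "-"), e.get("message", "")) for e in log]
        flows.append({"type": det.get("type"),
                      "sink": f'{det.get("location")}:{det.get("line_no")}',
                      "steps": steps, "has_log": bool(steps)})
    return flows


def format_flow(flow):
    """Render one flow as a readable trace; flag detections without a propagation log."""
    head = f'{flow["type"]} sink at {flow["sink"]}'
    if not flow["has_log"]:
        return head + "\n  (no taint_log: propagation not tracked for this detection)"
    body = [f"  {p}:{n} [{lvl}] {msg}" for p, n, lvl, msg in flow["steps"]]
    return "\n".join([head] + body)


if __name__ == "__main__":
    for f in extract_taint_flows(SAMPLE_OUTPUT):
        print(format_flow(f))
```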
@RootLUG, how did you find the taint flow only for TaintAnomaly detection? What are the ways to find the taint flow (log) for other detections like SQL Injection, Function Call and so on...?
@RootLUG
I haven't got any source or tainted path in the output file. Is there any possibility to get the tainted path (flow) from the tainted source to the sink? So that it may be easier to find the vulnerability and fix that issue.