SourceCode-AI / aura

Python source code auditing and static analysis on a large scale
GNU General Public License v3.0
487 stars 31 forks

Regarding Taint Analysis Report in output file #19

Open KarthickRaja2002 opened 1 year ago

KarthickRaja2002 commented 1 year ago

@RootLUG

I haven't got any source or tainted path in the output file. Is there any possibility to get the tainted path (flow) from the tainted source to the sink, so that it may be easier to find the vulnerability and fix that issue?

RootLUG commented 1 year ago

Hello @KarthickRaja2002, yes, the taint flow is available as part of the "extra" data for the TaintAnomaly detection. You can test this for example on some files from the built-in unit tests, like `aura scan tests/files/flask_app.py` (add `-f json` for JSON output), and the output would look like this (snippet of a specific taint detection):

```json
{
  "score": 10,
  "type": "TaintAnomaly",
  "slug": "taintanomaly",
  "severity": "critical",
  "hash": 2205937520,
  "tags": [
    "misc:test_code",
    "vuln:taint"
  ],
  "extra": {
    "taint_log": [
      {
        "line_no": 34,
        "message": "AST node marked as sink using semantic rules",
        "path": "/Users/blah/aura/tests/files/flask_app.py"
      },
      {
        "line_no": 36,
        "message": "Taint propagated by return/yield statement",
        "path": "/Users/blah/aura/tests/files/flask_app.py",
        "taint_level": "TAINTED"
      }
    ]
  },
  "line": "return resp",
  "line_no": 36,
  "signature": "taint_anomaly#tests/files/flask_app.py#36",
  "message": "Tainted input is passed to the sink",
  "location": "tests/files/flask_app.py"
}
```

The `extra.taint_log` JSON path here contains a log of how the taint was propagated from source to the sink. It is possible that in some cases this taint_log is not fully complete or is missing, as it is not yet fully supported in all cases, especially if there are some generators or complicated if conditions with recursive calls, as it's difficult to fully track the log of propagation in these cases. If you find such a case, just open an issue and attach a code sample to reproduce it.
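The following script is an added example (not aura's own code and not part of this thread) that pulls the `extra.taint_log` flow out of aura's `-f json` output and prints it per detection, so the source-to-sink path can be read without digging through the raw JSON. It assumes the detection layout shown in the snippet above, and additionally assumes the report wraps detections under a top-level `"detections"` key (a bare list is accepted too). The embedded sample is constructed: the first entry mirrors the snippet, the second is a hypothetical detection without a `taint_log`, included to show how the script reports the "flow not recorded" case mentioned above.

```python
"""Render aura taint flows (source -> sink) from its JSON scan output.

Added example, not part of aura. Assumptions: each detection is an object
with "type", "line_no", "location", "signature", "message" and an "extra"
dict that may hold a "taint_log" list of {"line_no", "message", "path",
optional "taint_level"} entries; a report is either {"detections": [...]}
(assumed top-level key) or a bare list of such objects.
"""
import json
import sys
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample: the first detection mirrors the snippet quoted in the
# thread; the second is hypothetical and deliberately has no taint_log.
SAMPLE_JSON = r'''
{"detections": [
  {"score": 10, "type": "TaintAnomaly", "slug": "taintanomaly",
   "severity": "critical", "hash": 2205937520,
   "tags": ["misc:test_code", "vuln:taint"],
   "extra": {"taint_log": [
     {"line_no": 34, "message": "AST node marked as sink using semantic rules",
      "path": "/Users/blah/aura/tests/files/flask_app.py"},
     {"line_no": 36, "message": "Taint propagated by return/yield statement",
      "path": "/Users/blah/aura/tests/files/flask_app.py",
      "taint_level": "TAINTED"}]},
   "line": "return resp", "line_no": 36,
   "signature": "taint_anomaly#tests/files/flask_app.py#36",
   "message": "Tainted input is passed to the sink",
   "location": "tests/files/flask_app.py"},
  {"score": 5, "type": "FunctionCall", "slug": "functioncall",
   "severity": "high", "tags": [], "extra": {},
   "line": "os.system(cmd)", "line_no": 12,
   "signature": "function_call#tests/files/flask_app.py#12",
   "message": "hypothetical detection without a taint_log",
   "location": "tests/files/flask_app.py"}
]}
'''


def load_sample() -> Dict[str, Any]:
    """Parse the constructed sample report (used by the stand-alone run)."""
    return json.loads(SAMPLE_JSON)


def iter_detections(report: Any) -> Iterable[Dict[str, Any]]:
    """Yield detection dicts from {"detections": [...]} or from a bare list."""
    items = report.get("detections", []) if isinstance(report, dict) else report
    for det in items:
        if isinstance(det, dict):
            yield det


def flow_lines(detection: Dict[str, Any]) -> List[str]:
    """Format a detection's taint_log as 'path:line  [level]  message' rows.

    The entries are kept in the order aura recorded them. An empty list means
    the detection carries no taint_log (the incomplete-propagation caveat).
    """
    log = (detection.get("extra") or {}).get("taint_log") or []
    rows = []
    for entry in log:
        level = entry.get("taint_level", "-")
        rows.append(f"{entry.get('path', '?')}:{entry.get('line_no', '?')}"
                    f"  [{level}]  {entry.get('message', '')}")
    return rows


def summarize(report: Any, only_type: Optional[str] = None) -> Dict[str, List[str]]:
    """Map each detection's signature to its flow rows.

    Detections without a taint_log are kept with an empty list so they stay
    visible instead of being silently dropped; only_type filters by "type".
    """
    out: Dict[str, List[str]] = {}
    for det in iter_detections(report):
        if only_type and det.get("type") != only_type:
            continue
        key = det.get("signature") or f"{det.get('location')}#{det.get('line_no')}"
        out[key] = flow_lines(det)
    return out


def render(report: Any, only_type: Optional[str] = None) -> str:
    """Human-readable listing: one signature header per detection, flow rows below."""
    lines: List[str] = []
    for sig, rows in summarize(report, only_type).items():
        lines.append(sig)
        if rows:
            lines.extend("    " + r for r in rows)
        else:
            lines.append("    (no taint_log in extra: propagation not recorded)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python taint_flow.py [aura-report.json] [DetectionType]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = load_sample()
    print(render(data, sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it as `aura scan tests/files/flask_app.py -f json > report.json && python taint_flow.py report.json TaintAnomaly` to list only the taint flows; without the type filter every detection is listed, and any that lacks a `taint_log` is marked so you can report it as the comment above asks.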

KarthickRaja2002 commented 1 year ago

@RootLUG, how did you find the taint flow only for the TaintAnomaly detection? What are the ways to find the taint flow (log) for other detections like SQL Injection, Function Call and so on?