facebook / infer

A static analyzer for Java, C, C++, and Objective-C
http://fbinfer.com/
MIT License

Using quandary-endpoints in .inferconfig results in no taint #1216

Open js-musedev opened 4 years ago

js-musedev commented 4 years ago

infer --version: 0.17.0
Debian 4.19.67-2
mvn clean && infer run --quandary-only -g -- mvn compile

Hello, I'm trying to run Quandary on code where the input comes from the API endpoint. I tried specifying the endpoint class rather than quandary-sources in the config but nothing in the debug output mentions taint (grep -irl taint infer-out/ returns nothing). I am specifying the endpoint as I see it in the examples in the infer repo:

{
  "quandary-endpoints": [
    "mblog.web.controller.site.posts.PostController"
  ],
  "quandary-sanitizers": [
    {
      "procedure": "org.jsoup.Jsoup.clean"
    }
  ],
  "quandary-sinks": [
    {
      "procedure": "org.springframework.data.jpa.repository.JpaRepository.save",
      "kind": "Other"
    },
    {
      "procedure": "mblog.modules.blog.dao.PostAttributeDao.save",
      "kind": "Other"
    },
    {
      "procedure": "mblog.modules.blog.dao.PostDao.save",
      "kind": "Other"
    }
  ]
}

It's possible I made mistakes in the rest of the config (I tried a few things for the sinks) but shouldn't the endpoint specification at least result in the debug output identifying as tainted any parameters of it? That is my understanding from looking at the conversation in issue 1038.

js-musedev commented 4 years ago

If it helps, the code I'm trying to analyze is here.