facebook / pyre-check

Performant type-checking for python.
https://pyre-check.org/
MIT License

How to use os.environ as a taint source #865

Open jallen89 opened 3 months ago

jallen89 commented 3 months ago

Hello, I have a question about Pysa's tainting.

Currently I am trying to test a small example that considers os.environ as a source and exec as a sink (shown below). I expected Pysa to report that it found a dataflow from os.environ to exec. However, after running pyre analyze, the result returned is an empty list (no dataflows). Is there any additional information I need to provide to Pysa so that it can track this dataflow?

import os

def testFunction():
    result = os.environ['TEST_VAR']  # modelled as a CustomUserControlled source
    eval(result)                     # modelled as a CodeExecution sink

My source_sinks.pysa file has the following models.

def eval(__source: TaintSink[CodeExecution], __globals, __locals): ...
def os._Environ.__getitem__(self, key) -> TaintSource[CustomUserControlled]: ...

So far I have looked at the callgraph, and it identifies both the call to os._Environ.__getitem__ and the call to exec. Do you all have any recommendations on what I should check next?
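Pysa only reports a flow when taint.config declares both kinds and a rule that pairs them; the models above on their own produce no issue. Here is a minimal taint.config that does this, added as an example for this thread rather than taken from the issue, with a placeholder rule name and an arbitrary rule code (5001) that must not collide with codes already in use:

```json
{
  "sources": [
    { "name": "CustomUserControlled", "comment": "values read from os.environ via os._Environ.__getitem__" }
  ],
  "sinks": [
    { "name": "CodeExecution", "comment": "first argument of eval/exec" }
  ],
  "features": [],
  "rules": [
    {
      "name": "Environment variable reaches code execution",
      "code": 5001,
      "sources": ["CustomUserControlled"],
      "sinks": ["CodeExecution"],
      "message_format": "Data from [{$sources}] flows into [{$sinks}]"
    }
  ]
}
```

Without the entry in "rules", the source and sink kinds are tracked but never matched, which is exactly the empty result list described above.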

stroxler commented 3 months ago

cc @alexkassil this question could use a Pysa expert

arthaud commented 3 months ago

Hi @jallen89, thanks for reaching out.

First off, make sure that you have defined a rule for flows of CustomUserControlled into CodeExecution.

Then, if the problem persists, could you please do the following: