facebook / pyre-check

Performant type-checking for python.
https://pyre-check.org/
MIT License

Missed leak with class attribute assignment #942

Open draftyfrog opened 3 days ago

draftyfrog commented 3 days ago

Pysa Bug

Pre-submission checklist

[x] I've checked the list of common issues and mine does not appear

Bug description

Please consider the following code:

def source(): # Defined as taint source
    return "Secret"

def sink(param: str): # Defined as taint sink
    pass

class MainClass:
    string_attribute: str

    def main_function(self):
        self.taint_it(source())
        sink(self.string_attribute) # NOT reported by pysa

    def taint_it(self, arg0: str):
        self.string_attribute = arg0

Pysa does not report the sink in MainClass.main_function.

My sources_sinks.pysa:

def test.source() -> TaintSource[TestSource]: ...
def test.sink(param: TaintSink[TestSink]): ...

I've tested this with pyre-check Version 0.9.22 and Version 0.9.23.

arthaud commented 1 day ago

Hi @draftyfrog, thanks for reaching out.

This is expected behavior and documented in https://pyre-check.org/docs/pysa-advanced/#taint-propagation-from-arguments-to-self. Using the flag --infer-self-tito should allow Pysa to find the flow here.

We are still considering making this the default, but it is quite costly on big codebases.
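
An added helper, not part of the thread and not Pysa's own code: it lists methods that store a parameter on `self` (the argument-to-self flow discussed above) and renders a candidate `.pysa` model line for each, using Pysa's `TaintInTaintOut[Updates[self]]` annotation. The module name `test` is taken from the models in the report; the function names are hypothetical, the AST check is a heuristic rather than Pysa's analysis, and whether such a model is sufficient for a given project is an assumption to verify with a Pysa run.

```python
import ast

# Constructed sample: the class from the issue report above.
SAMPLE = '''\
class MainClass:
    string_attribute: str
    def main_function(self):
        self.taint_it(source())
        sink(self.string_attribute)
    def taint_it(self, arg0: str):
        self.string_attribute = arg0
'''
TITO = "TaintInTaintOut[Updates[self]]"  # Pysa model annotation for argument-to-self flows

def arg_to_self_writes(source, module="test"):
    """Return {qualified_method: (params, params_stored_on_self)} for one module's source."""
    found = {}
    for cls in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.ClassDef)):
        for fn in (n for n in cls.body if isinstance(n, ast.FunctionDef)):
            names = [a.arg for a in fn.args.posonlyargs + fn.args.args]
            if not names:
                continue  # no receiver parameter, nothing to update
            receiver, params = names[0], names[1:]
            stored = set()
            for node in ast.walk(fn):
                if isinstance(node, ast.Assign):
                    targets, value = node.targets, node.value
                elif isinstance(node, (ast.AnnAssign, ast.AugAssign)) and node.value:
                    targets, value = [node.target], node.value
                else:
                    continue
                if any(isinstance(t, ast.Attribute) and isinstance(t.value, ast.Name)
                       and t.value.id == receiver for t in targets):
                    used = {n.id for n in ast.walk(value) if isinstance(n, ast.Name)}
                    stored |= used & set(params)
            if stored:
                found[f"{module}.{cls.name}.{fn.name}"] = (params, stored)
    return found

def candidate_models(found):
    # One model line per method; only the parameters that reach self are annotated.
    lines = []
    for qualname, (params, stored) in sorted(found.items()):
        sig = ", ".join(f"{p}: {TITO}" if p in stored else p for p in params)
        lines.append(f"def {qualname}(self, {sig}): ...")
    return lines

if __name__ == "__main__":
    print("\n".join(candidate_models(arg_to_self_writes(SAMPLE))))
```

Explicit models of this kind are scoped to the listed methods, whereas `--infer-self-tito` applies to the whole analysis.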