[Patterns] Review all patterns

[compaluca]

Goal

Review, mature, extend our SAST testability patterns

Links

• Excel shared file
• Testability patterns documentation

Checklist

Please follow the process hereafter for each pattern that you review.

Phase 1: main json file complete?

• description available or md file (e.g., README.md) available
• family provided e.g., code_pattern_php
• some tags, e.g., ["sast", "php", "php_v7.4.9"]
• all the proper instances are specified

Phase 2: pattern instances

For each instance in the pattern

• json file is available and looks ok

2.1: instance is measurable?

• the "code" part (instance json) seems fine
• the code snippet seems fine (e.g., executable)
• if the standard injection_skeleton (source-tarpit-sink) is broken, please change the boolean value in the json
• the "expectation" part (instance json) seems fine
• if the target programming language is compilable, then the "compile" should be properly filled and "dependencies" (if any) should be provided. The framework uses standard compilation instructions. If something specific is required, this can be specified in the "instruction"

2.2: instance is discoverable?

• the "discovery" part (instance json) seems fine
• a discovery rule is specified and the rule looks good
• the "rule_accuracy" is correctly estimated
• "notes" is there any note I can add?
• if you do any change in the discovery rule, please check that rule works as expected (e.g., tpframework manual-discovery -h)

2.3: instance properties

• all the following were done for our papers and they may be obsolete or not fitting your patterns. We can add a new field "tags" in the instance to specify whatever we need

• "category": how dynamic this instance is?

  • "S0": not dynamic at all
  • "D1": dynamic functions are used but with constant values as params that make the dynamicity solvable at static time (e.g., call_user_func("foo",$x)
  • "D2": dynamic functions are used with some variables that can be however resolved at static time by simple constant propagation. E.g.,

    $f="foo";
    call_user_func($f,$x)

  • "D3": dynamic functions are used with some operators and variables that can be however partially resolved at static time by simple constant propagation. E.g.,

    $f="foo";
    call_user_func($f."_whatever",$x)

  • "D4": dynamic functions are used with variables and/or operators that cannot be resolved at static time

• "feature_vs_internal_api": is this capturing an internal API or not?

• "input_sanitizer": is the instance capturing an input sanitizer that may be not supported by SAST tools?

• "source_and_sink": is the instance capturing an source/sink that may be not supported by SAST tools?

• "negative_test_case": this is the not of "expectation"->"expectation" to test how big the over-approximation of a SAST tool could be wrt this instance

2.4: instance is remediable? (optional)

• this is optional for the time being, but if you see an easy way to remediate this pattern instance, add a note

Phase 3: test with the framework

• run the SAST measurement: tpframework measure -h
• run the pattern discovery: tpframework discovery -h

Phase 4: retrofit your review in the shared excel file

[compaluca]

PHP - Pattern review assignment - 1st and 2nd rounds

Review at least 15 each.

SAP

• [x] 1_static_variables
• [ ] 10_return_by_reference
• [ ] 11_foreach_with_reference
• [ ] 50_throw_exception
• [ ] 79_dynamic_include
• [ ] 80_callback_functions
• [ ] 8_simple_reference
• [ ] 12_make_ref
• [ ] 14_object_assigned_by_reference
• [ ] 17_get_arguments
• [ ] 19_closures
• [ ] 26_late_static_binding
• [ ] 39_serialize_unserialize
• [ ] 42_destructor
• [ ] 45_static_method_from_variable
• [ ] 51_catch_exceptions
• [ ] 52_try_catch_finally
• [ ] 53_track_error
• [ ] 56_exit
• [ ] 57_js_redirect
• [ ] 59_foreach_with_array
• [x] 2_global_variables

TUBS

• [x] 27_get_called_class
• [x] 31_static_method_variable
• [x] 33_get_overloading
• [x] 34_isset_overloading
• [x] 36_call_overloading
• [x] 37_callstatic_overloading
• [x] 60_array_walk
• [x] 61_array_map
• [x] 68_compact
• [x] 69_create_function
• [x] 70_extract
• [x] 71_array_functions
• [x] 74_dirname
• [x] 75_buffer
• [~] 76_function_variable
  • discovery rule untested
• [ ] 77_object_callable
• [ ] 81_new_from_variable
• [ ] 82_methods_variable
• [ ] 83_array_variable_key
• [ ] 84_variable_variables

[compaluca]

JS - Pattern review assignment - 1st and 2nd rounds

Review at least 15 each.

CISPA

• [x] 13_function_declared_immediately_executed
• [x] 39_function_get_arguments
• [x] 1_unset_element_array
• [x] 25_weak_map
• [x] 32_array_shift
• [x] 38_while_break
• [x] 89_proxy
• [x] 64_assign_object
• [x] 76_reference_argument
• [x] 5_variadic
• [x] 28_closures
• [x] 30_generator_delegation
• [x] 35_async_methods
• [x] 37_generators
• [x] 42_anonymous_object
• [x] 65_proto
• [x] 67_symbol_to_string_tag
• [x] 71_named_class
• [x] 84_try_catch

ECM

• [x] 77_object_clone
• [x] 54_define_property
• [~] 86_type_juggling
• [x] 97_vulnerable_key_dictionary
• [x] 98_throw_exception
• [~] 6_callback_function
• [x] 31_generatorfunction_constructor
• [x] 34_bind
• [x] 55_inheritance
• [x] 56_weak_ref
• [x] 61_delete_properties
• [x] 62_static_variable
• [x] 70_reflect_get
• [~] 75_functions_in_object
• [x] 83_getattribute
• [x] 87_modules
• [x] 92_set_to_array
• [x] 15_reflect_delete

@SoheilKhodayari, @ManuManu97 for discovery rules do not hesitate to ping @pr0me

[compaluca]

JAVA - Pattern review assignment - 1st and 2nd rounds

We do not have reliable SAST measurement results, so for the moment we can proceed in the pattern alphabetical name order.

SAP

• [x] 1_throwable
• [ ] 2_skip_stream
• [ ] 3_copy_array
• [ ] 4_list_of
• [ ] 5_reflection

SHLT

• [x] 6_callable
• [x] 7_function_currying
• [x] 8_tomap_2dimarr
• [x] 9_beans_getvalue
• [x] 10_cast
• [x] 11_bytearrayinputstream
• [x] 12_chararrayreader
• [x] 13_runfinalization
• [x] 14_new_character
• [x] 15_binding
• [x] 16_type_inference
• [x] 18_socketpermission
• [x] 19_stringjoiner_add
• [x] 21_string_valueof_override_to_string
• [x] 22_addition_assignment_operator
• [x] 23_array
• [x] 24_arraylist
• [x] 25_assign_class_to_interface
• [x] 26_assign_object1_to_object2
• [x] 27_asynchronous
• [x] 28_bifunction
• [ ] 29_bounded_wildcard
• [x] 30_childclass_as_argument
• [ ] 31_class_implement_interface
• [x] 32_cloneable
• [x] 33_closeable

MSEC

• [x] 106_list_copyof
• [x] 32_cloneable
• [x] 20_inner_class_declaration
• [x] 76_session
• [x] 17_collections_ncopies
• [ ] 34_collectors
• [ ] 35_conditional_operator
• [ ] 36_cookies
• [ ] 37_decode_uri
• [ ] 38_deep_copy_constructor_object
• [ ] 39_final_collection
• [ ] 40_final_variables
• [ ] 41_finalize
• [ ] 42_finally
• [ ] 43_foreach
• [ ] 44_functional_interface
• [ ] 45_futuretask
• [ ] 46_inheritance
• [ ] 47_inheritance_from_abstract_static_class
• [ ] 48_inherited_object_as_argument
• [ ] 49_inner_class
• [ ] 50_inner_class_extends_outer_class
• [ ] 51_inter_class_communication
• [ ] 52_inter_packages_communication