Add a data structure for parameter and return sanitizers

Summary:
This patch adds parameter and return sanitizers in our model representation.
The follow-up diffs will update the model parser to properly parse those, and finally the analysis itself to take those into account.

Reviewed By: dkgi

Differential Revision: D30744484

fbshipit-source-id: 6f419af0d9aab17aea3fac3891d7b35fa2ec8ea3

Author: arthaud

source/interprocedural_analyses/taint/backwardAnalysis.ml

@@ -159,7 +159,7 @@ module AnalysisInstance (FunctionContext : FUNCTION_CONTEXT) = struct
           (Node.create_with_default_location call_expression)
           Model.pp
           taint_model;
-        let { TaintResult.backward; sanitize; modes; _ } = taint_model.model in
+        let { TaintResult.backward; sanitizers; modes; _ } = taint_model.model in
         let sink_taint = BackwardState.join backward.sink_taint triggered_taint in
         let sink_argument_matches =
           BackwardState.roots sink_taint |> AccessPath.match_actuals_to_formals arguments
@@ -302,7 +302,7 @@ module AnalysisInstance (FunctionContext : FUNCTION_CONTEXT) = struct
             |> BackwardState.Tree.join taint_in_taint_out
           in
           let taint_in_taint_out =
-            match sanitize with
+            match sanitizers.global with
             | { tito = Some AllTito; _ } -> BackwardState.Tree.bottom
             | { tito = Some (SpecificTito { sanitized_tito_sinks; _ }); _ } ->
                 BackwardState.Tree.partition

source/interprocedural_analyses/taint/domains.ml

@@ -895,3 +895,26 @@ module Sanitize = struct
     in
     `Assoc (sources_json @ sinks_json @ tito_json)
 end
+
+(** Map from parameters or return value to a sanitizer. *)
+module SanitizeRootMap = struct
+  include
+    Abstract.MapDomain.Make
+      (struct
+        let name = "sanitize"
+
+        include AccessPath.Root
+
+        let absence_implicitly_maps_to_bottom = true
+      end)
+      (Sanitize)
+
+  let to_json map =
+    map
+    |> to_alist
+    |> List.map ~f:(fun (root, sanitize) ->
+           let (`Assoc fields) = Sanitize.to_json sanitize in
+           let port = AccessPath.create root [] |> AccessPath.to_json in
+           `Assoc (("port", port) :: fields))
+    |> fun elements -> `List elements
+end

source/interprocedural_analyses/taint/forwardAnalysis.ml

@@ -132,7 +132,8 @@ module AnalysisInstance (FunctionContext : FUNCTION_CONTEXT) = struct
          sinks at the end. *)
       let triggered_sinks = String.Hash_set.create () in
       let apply_call_target state arguments_taint call_target =
-        let ({ Model.model = { TaintResult.forward; backward; sanitize; modes }; _ } as taint_model)
+        let ({ Model.model = { TaintResult.forward; backward; sanitizers; modes }; _ } as
+            taint_model)
           =
           Model.get_callsite_model ~resolution ~call_target ~arguments
         in
@@ -177,7 +178,7 @@ module AnalysisInstance (FunctionContext : FUNCTION_CONTEXT) = struct
             (argument_taint, ((argument, sink_matches), (_dup, tito_matches)))
           =
           let taint_to_propagate =
-            match sanitize with
+            match sanitizers.global with
             | { tito = Some AllTito; _ } -> ForwardState.Tree.bottom
             | { tito = Some (SpecificTito { sanitized_tito_sources; _ }); _ } ->
                 ForwardState.Tree.partition

source/interprocedural_analyses/taint/model.ml

@@ -107,7 +107,7 @@ let register_unknown_callee_model callable =
        {
          TaintResult.forward = Forward.empty;
          backward = { sink_taint; taint_in_taint_out };
-         sanitize = Sanitize.empty;
+         sanitizers = Sanitizers.empty;
          modes = ModeSet.singleton Mode.SkipAnalysis;
        })
 
@@ -121,7 +121,7 @@ let get_callsite_model ~resolution ~call_target ~arguments =
           {
             forward = { source_taint };
             backward = { sink_taint; taint_in_taint_out };
-            sanitize;
+            sanitizers;
             modes;
           }
         =
@@ -176,7 +176,7 @@ let get_callsite_model ~resolution ~call_target ~arguments =
         {
           forward = { source_taint };
           backward = { sink_taint; taint_in_taint_out };
-          sanitize;
+          sanitizers;
           modes;
         }
       in
@@ -312,7 +312,10 @@ module GlobalModel = struct
 
 
   let get_sanitize { models; _ } =
-    let get_sanitize existing { model = { TaintResult.sanitize; _ }; _ } =
+    let get_sanitize
+        existing
+        { model = { TaintResult.sanitizers = { global = sanitize; _ }; _ }; _ }
+      =
       Sanitize.join sanitize existing
     in
     List.fold ~init:Sanitize.empty ~f:get_sanitize models
@@ -324,7 +327,7 @@ module GlobalModel = struct
 
 
   let is_sanitized { models; _ } =
-    let is_sanitized_model { model = { TaintResult.sanitize; _ }; _ } =
+    let is_sanitized_model { model = { TaintResult.sanitizers = { global = sanitize; _ }; _ }; _ } =
       match sanitize with
       | {
        sources = Some Sanitize.AllSources;
@@ -395,7 +398,7 @@ let infer_class_models ~environment =
             List.foldi ~f:fold_taint ~init:BackwardState.empty attributes;
           sink_taint = BackwardState.empty;
         };
-      sanitize = Sanitize.empty;
+      sanitizers = Sanitizers.empty;
       modes = ModeSet.empty;
     }
   in
@@ -422,7 +425,7 @@ let infer_class_models ~environment =
               List.foldi ~f:fold_taint ~init:BackwardState.empty attributes;
             sink_taint = BackwardState.empty;
           };
-        sanitize = Sanitize.empty;
+        sanitizers = Sanitizers.empty;
         modes = ModeSet.empty;
       }
   in

source/interprocedural_analyses/taint/modelParser.ml

@@ -1967,10 +1967,15 @@ let adjust_sanitize_and_modes_and_skipped_override
       | "SkipObscure" -> Ok (sanitize, ModeSet.remove Obscure modes, Some define_name)
       | _ -> Ok (sanitize, modes, skipped_override)
     in
-    List.fold_result top_level_decorators ~f:adjust ~init:(model.sanitize, model.modes, None)
+    List.fold_result
+      top_level_decorators
+      ~f:adjust
+      ~init:(model.sanitizers.global, model.modes, None)
   in
   sanitize_and_modes_and_skipped_override
-  >>| fun (sanitize, modes, skipped_override) -> { model with sanitize; modes }, skipped_override
+  >>| fun (sanitize, modes, skipped_override) ->
+  let sanitizers = { model.sanitizers with global = sanitize } in
+  { model with sanitizers; modes }, skipped_override
 
 
 let compute_sources_and_sinks_to_keep ~configuration ~rule_filter =

source/interprocedural_analyses/taint/taintAnalysis.ml

@@ -303,7 +303,7 @@ include Taint.Result.Register (struct
     Interprocedural.AnalysisResult.InitializedModels.create get_taint_models
 
 
-  let analyze ~environment ~callable ~qualifier ~define ~sanitize ~modes existing_model =
+  let analyze ~environment ~callable ~qualifier ~define ~sanitizers ~modes existing_model =
     let call_graph_of_define =
       Interprocedural.CallGraph.SharedMemory.get_or_compute
         ~callable
@@ -331,7 +331,7 @@ include Taint.Result.Register (struct
     let model =
       let open Domains in
       let forward =
-        match sanitize.Sanitize.sources with
+        match sanitizers.Sanitizers.global.sources with
         | Some Sanitize.AllSources -> empty_model.forward
         | Some (Sanitize.SpecificSources sanitized_sources) ->
             let { Forward.source_taint } = forward in
@@ -348,12 +348,12 @@ include Taint.Result.Register (struct
         | None -> forward
       in
       let taint_in_taint_out =
-        match sanitize.Sanitize.tito with
+        match sanitizers.Sanitizers.global.tito with
         | Some AllTito -> empty_model.backward.taint_in_taint_out
         | _ -> backward.taint_in_taint_out
       in
       let sink_taint =
-        match sanitize.Sanitize.sinks with
+        match sanitizers.Sanitizers.global.sinks with
         | Some Sanitize.AllSinks -> empty_model.backward.sink_taint
         | Some (Sanitize.SpecificSinks sanitized_sinks) ->
             let { Backward.sink_taint; _ } = backward in
@@ -367,7 +367,7 @@ include Taint.Result.Register (struct
                  ~f:(fun ~key:_ ~data:source_state state -> BackwardState.join source_state state)
         | None -> backward.sink_taint
       in
-      { forward; backward = { sink_taint; taint_in_taint_out }; sanitize; modes }
+      { forward; backward = { sink_taint; taint_in_taint_out }; sanitizers; modes }
     in
     result, model
 
@@ -397,15 +397,15 @@ include Taint.Result.Register (struct
     | Some ({ modes; _ } as model) when ModeSet.contains Mode.SkipAnalysis modes ->
         let () = Log.info "Skipping taint analysis of %a" Target.pretty_print callable in
         [], model
-    | Some ({ sanitize; modes; _ } as model) ->
-        analyze ~callable ~environment ~qualifier ~define ~sanitize ~modes model
+    | Some ({ sanitizers; modes; _ } as model) ->
+        analyze ~callable ~environment ~qualifier ~define ~sanitizers ~modes model
     | None ->
         analyze
           ~callable
           ~environment
           ~qualifier
           ~define
-          ~sanitize:Domains.Sanitize.empty
+          ~sanitizers:Sanitizers.empty
           ~modes:ModeSet.empty
           empty_model
 

source/interprocedural_analyses/taint/taintResult.ml

@@ -109,6 +109,41 @@ module Backward = struct
     && BackwardState.less_or_equal ~left:tito_next ~right:tito_previous
 end
 
+module Sanitizers = struct
+  type model = {
+    (* Sanitizers applying to all parameters and the return value. *)
+    global: Sanitize.t;
+    (* Map from parameter or return value to sanitizers. *)
+    roots: SanitizeRootMap.t;
+  }
+
+  let pp_model formatter { global; roots } =
+    Format.fprintf
+      formatter
+      "  Global Sanitizer: %s\n  Sanitizers: %s"
+      (json_to_string ~indent:"    " (Sanitize.to_json global))
+      (json_to_string ~indent:"    " (SanitizeRootMap.to_json roots))
+
+
+  let show_model = Format.asprintf "%a" pp_model
+
+  let empty = { global = Sanitize.empty; roots = SanitizeRootMap.bottom }
+
+  let is_empty_model { global; roots } = Sanitize.is_empty global && SanitizeRootMap.is_bottom roots
+
+  let join
+      { global = global_left; roots = roots_left }
+      { global = global_right; roots = roots_right }
+    =
+    {
+      global = Sanitize.join global_left global_right;
+      roots = SanitizeRootMap.join roots_left roots_right;
+    }
+
+
+  let widen ~iteration:_ ~previous ~next = join previous next
+end
+
 module Mode = struct
   let name = "modes"
 
@@ -150,19 +185,20 @@ end
 type call_model = {
   forward: Forward.model;
   backward: Backward.model;
-  sanitize: Sanitize.t;
+  sanitizers: Sanitizers.model;
   modes: ModeSet.t;
 }
 
-let pp_call_model formatter { forward; backward; sanitize; modes } =
+let pp_call_model formatter { forward; backward; sanitizers; modes } =
   Format.fprintf
     formatter
-    "%a\n%a\n  Sanitize: %s\n%a"
+    "%a\n%a\n%a\n%a"
     Forward.pp_model
     forward
     Backward.pp_model
     backward
-    (Sanitize.to_json sanitize |> json_to_string ~indent:"    ")
+    Sanitizers.pp_model
+    sanitizers
     ModeSet.pp_model
     modes
 
@@ -175,7 +211,7 @@ let empty_skip_model =
   {
     forward = Forward.empty;
     backward = Backward.empty;
-    sanitize = Sanitize.empty;
+    sanitizers = Sanitizers.empty;
     modes = ModeSet.singleton SkipAnalysis;
   }
 
@@ -195,7 +231,7 @@ module ResultArgument = struct
     {
       forward = Forward.obscure;
       backward = Backward.obscure;
-      sanitize = Sanitize.empty;
+      sanitizers = Sanitizers.empty;
       modes = ModeSet.singleton Obscure;
     }
 
@@ -204,29 +240,29 @@ module ResultArgument = struct
     {
       forward = Forward.empty;
       backward = Backward.empty;
-      sanitize = Sanitize.empty;
+      sanitizers = Sanitizers.empty;
       modes = ModeSet.empty;
     }
 
 
-  let is_empty_model ~with_modes { forward; backward; sanitize; modes } =
+  let is_empty_model ~with_modes { forward; backward; sanitizers; modes } =
     Forward.is_empty_model forward
     && Backward.is_empty_model backward
-    && Sanitize.is_empty sanitize
+    && Sanitizers.is_empty_model sanitizers
     && ModeSet.equal with_modes modes
 
 
-  let should_externalize_model { forward; backward; sanitize; _ } =
+  let should_externalize_model { forward; backward; sanitizers; _ } =
     (not (Forward.is_empty_model forward))
     || (not (Backward.is_empty_model backward))
-    || not (Sanitize.is_empty sanitize)
+    || not (Sanitizers.is_empty_model sanitizers)
 
 
   let join ~iteration:_ left right =
     {
       forward = Forward.join left.forward right.forward;
       backward = Backward.join left.backward right.backward;
-      sanitize = Sanitize.join left.sanitize right.sanitize;
+      sanitizers = Sanitizers.join left.sanitizers right.sanitizers;
       modes = ModeSet.join left.modes right.modes;
     }
 
@@ -235,7 +271,7 @@ module ResultArgument = struct
     {
       forward = Forward.widen ~iteration ~previous:previous.forward ~next:next.forward;
       backward = Backward.widen ~iteration ~previous:previous.backward ~next:next.backward;
-      sanitize = Sanitize.join previous.sanitize next.sanitize;
+      sanitizers = Sanitizers.widen ~iteration ~previous:previous.sanitizers ~next:next.sanitizers;
       modes = ModeSet.widen ~iteration ~prev:previous.modes ~next:next.modes;
     }
 
@@ -246,7 +282,12 @@ module ResultArgument = struct
 
 
   let strip_for_callsite
-      { forward = { source_taint }; backward = { sink_taint; taint_in_taint_out }; sanitize; modes }
+      {
+        forward = { source_taint };
+        backward = { sink_taint; taint_in_taint_out };
+        sanitizers;
+        modes;
+      }
     =
     (* Remove positions and other info that are not needed at call site *)
     let source_taint =
@@ -279,13 +320,18 @@ module ResultArgument = struct
            Map
            ~f:Domains.TraceInfo.strip_for_callsite
     in
-    { forward = { source_taint }; backward = { sink_taint; taint_in_taint_out }; sanitize; modes }
+    { forward = { source_taint }; backward = { sink_taint; taint_in_taint_out }; sanitizers; modes }
 
 
   let model_to_json
       ~filename_lookup
       callable
-      { forward = { source_taint }; backward = { sink_taint; taint_in_taint_out }; sanitize; modes }
+      {
+        forward = { source_taint };
+        backward = { sink_taint; taint_in_taint_out };
+        sanitizers = { global = global_sanitizer; roots = root_sanitizers };
+        modes;
+      }
     =
     let callable_name = Interprocedural.Target.external_target_name callable in
     let model_json = ["callable", `String callable_name] in
@@ -308,8 +354,14 @@ module ResultArgument = struct
         model_json
     in
     let model_json =
-      if not (Sanitize.is_empty sanitize) then
-        model_json @ ["sanitize", Sanitize.to_json sanitize]
+      if not (Sanitize.is_empty global_sanitizer) then
+        model_json @ ["global_sanitizer", Sanitize.to_json global_sanitizer]
+      else
+        model_json
+    in
+    let model_json =
+      if not (SanitizeRootMap.is_bottom root_sanitizers) then
+        model_json @ ["sanitizers", SanitizeRootMap.to_json root_sanitizers]
       else
         model_json
     in