How can one view the sink points that are matched by the rules when there is no source point available?

[RATOR-codes]

Without a source point, Pyre cannot print out the sink point when analyzing the project. For example, in the following code file, how can one view the risk warning about the sink point caused by the 4th line in the log?

import os
def get_image(url):
      command = "wget -q https:{}".format(url)
      return os.system(command)
def convert():
      image_link = ""
      image = get_image(image_link)

Furthermore, when we use pyre to detect the sink points of third-party libraries, the following error will occur. And it has been confirmed that the library has been installed in the environment, but the error still occurred.

(pysa-env) root@8e8b830b1ad3:/data/vanna/stubs/taint/core_privacy_security# pyre analyze
ƛ Found 1 model verification error!
general.pysa:83:0 `django.template.Template.__init__` is not part of the environment, no module `django` in search path.

[BACMiao]

I have a similar requirement too

[arthaud]

Hello @RATOR-codes,

Without a source point, Pyre cannot print out the sink point when analyzing the project. For example, in the following code file, how can one view the risk warning about the sink point caused by the 4th line in the log?

(Assuming you meant Pysa here, which performs the taint analysis)

Pysa finds flows from sources to sinks. os.system should be a RCE sink, but here no source is flowing to it (since image_link = ""). I imagine this is just a snippet of real code. You need to check where in your real code the source comes from, and potentially annotate it as a source.
Pysa is not meant to find "dangerous sinks" only, which is a simpler task, and can easily be done with grep or similar tools.

Furthermore, when we use pyre to detect the sink points of third-party libraries, the following error will occur. And it has been confirmed that the library has been installed in the environment, but the error still occurred.

Which version of django are you using?
The reason I'm asking is: we have other models for django functions and classes, and since you only got 1 error, it means those models worked. So it might just be that your version of django doesn't have django.template.Template.__init__. Maybe this has been moved to a different module.

@BACMiao

I have a similar requirement too

I'm assuming you have the same problem with django? Is it exactly the same error? If not, please create a different issue.

[RATOR-codes]

Hello @arthaud,
The version of Django I am using is 4.2.25. I tried changing to several other versions, but the error still occurred.

(pysa-env) root@8e8b830b1ad3:/data/vanna# pyre analyze
ƛ Found 2 model verification errors!
stubs/taint/core_privacy_security/general.pysa:84:0 `django.template.Template.__init__` is not part of the environment, no module `django` in search path.
stubs/taint/core_privacy_security/general.pysa:85:0 `django.template.Engine.from_string` is not part of the environment, no module `django` in search path.

Furthermore, I noticed that the default.pyre_configuration file excludes the site-packages from the detection scope.

(pysa-env) root@8e8b830b1ad3:/data/vanna# cat .pyre_configuration
{
  "source_directories": ["."],
  "taint_models_path": "stubs/taint",
  "ignore_all_errors": ["google/", "site-packages/"],
  "exclude": [".*/site-packages/.*",".*/google/.*",".*/\\.venv/.*"]
}

And the "site-packages" is precisely the installation location for third-party libraries. I guess this might be the reason for the error. So I attempted to modify the configuration file to prevent the exclusion of this location from the search, but unfortunately, this still did not solve the problem.

[arthaud]

The error you are getting is misleading: it claims that no module django in search path but I'm pretty sure django was found, since you should have errors from stubs/taint/core_privacy_security/django_sources_sinks.pysa.

Those models are indeed invalid because django.template.Template was moved to django.template.base.Template and django.template.Engine was moved to django.template.engine.Engine.

What I don't understand is that our file stubs/taint/core_privacy_security/general.pysa on the master branch does not contain those models: https://github.com/facebook/pyre-check/blob/main/stubs/taint/core_privacy_security/general.pysa
However, we do have a file that has the right models: https://github.com/facebook/pyre-check/blob/main/stubs/taint/core_privacy_security/server_side_template_injection_sinks.pysa

Which version of pyre-check are you using? Are you using the taint model files packaged with the tool or are you using your own?

Note that you could simply run pyre analyze --no-verify to ignore those errors. That would just ignore those 2 sinks.