
How to use os.environ as a taint source

Open jallen89 opened this issue 1 year ago • 2 comments

Hello, I have a question about Pysa's tainting.

Currently I am trying to test a small example that considers os.environ a source and exec as a sink (shown below). I expected Pysa to return that it found a dataflow from os.environ to exec. However, after running pyre analyze, the result returned is an empty list (no dataflows). Is there any additional information I need to provide to Pysa so that it can track this dataflow?

import os

def testFunction():
    result = os.environ['TEST_VAR']  # modeled as a CustomUserControlled source
    eval(result)  # modeled as a CodeExecution sink

My source_sinks.pysa file has the following models.

def eval(__source: TaintSink[CodeExecution], __globals, __locals): ...
def os._Environ.__getitem__(self, key) -> TaintSource[CustomUserControlled]: ...

So far I have looked at the callgraph, and it identifies both the call to os._Environ.__getitem__ and the call to exec. Do you all have any recommendations on what I should check next?

jallen89 commented May 22 '24 17:05

cc @alexkassil this question could use a Pysa expert

stroxler commented May 29 '24 17:05

Hi @jallen89, thanks for reaching out.

First off, make sure that you have defined a rule for flows of CustomUserControlled into CodeExecution.

Then, if the problem persists, could you please do the following:

  • Add a pyre_dump() inside testFunction() (anywhere). This will enable verbose logging for testFunction.
  • Run pyre -n analyze and send us the output.

arthaud commented May 29 '24 18:05
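The rule arthaud refers to lives in taint.config, not in the .pysa model file: Pysa only reports a flow when a rule pairs the source kind with the sink kind. The following taint.config is an added example, not part of this thread or of pyre-check's shipped configuration; the rule name, code 9001 and message text are constructed, while the source and sink kind names match the models posted above.

```json
{
  "sources": [
    {
      "name": "CustomUserControlled",
      "comment": "values read from os.environ via os._Environ.__getitem__ (modeled in source_sinks.pysa)"
    }
  ],
  "sinks": [
    {
      "name": "CodeExecution",
      "comment": "first positional argument of eval (modeled in source_sinks.pysa)"
    }
  ],
  "features": [],
  "rules": [
    {
      "name": "Environment variable reaches code execution",
      "code": 9001,
      "sources": ["CustomUserControlled"],
      "sinks": ["CodeExecution"],
      "message_format": "Data from [{$sources}] source(s) may reach [{$sinks}] sink(s)"
    }
  ]
}
```

Without a matching entry under "rules", the source and sink models are loaded but no issue is ever emitted, which is consistent with the empty result reported in the question.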