
False positive with sanitization in method

Open · draftyfrog opened this issue 9 months ago · 1 comment

Pysa Bug

Pre-submission checklist

[x] I've checked the list of common issues and mine does not appear

I've reported a similar issue for Mariana Trench (Issue 179) so maybe that's just expected behavior.

Bug description

Please consider the following code:

my_instance = MyClass()
my_instance.attribute = source()
sanitize(my_instance)
sink(my_instance.attribute) # Reported by Pysa

using the following functions/classes:

class MyClass:
    attribute: str

def sink(param: str): # Defined as sink in Pysa config
    pass

def source(): # Defined as source in Pysa config
    return "Secret"

def sanitize(a: MyClass): # Clears the tainted attribute by mutating the object
    a.attribute = ""

Running Pysa on this code returns one issue (as annotated in the code above), but actually no taint is leaked in this code.

If we move the sanitizing inline like this:

my_instance = MyClass()
my_instance.attribute = source()
my_instance.attribute = ""
sink(my_instance.attribute) # Not reported by Pysa

Pysa correctly doesn't report the issue.

I call Pysa via pyre analyze --save-results-to ./results/ and I'm using version 0.9.23.

draftyfrog, Mar 16 '25 16:03

Hi,

please see my answer for Mariana Trench, which also applies here: https://github.com/facebook/mariana-trench/issues/179

arthaud, Mar 17 '25 11:03