facebook/mariana-trench

Query on writing sanitizers

Opened this issue · 2 comments

Hello! Just a question on how to write flows for sanitizers. Have done some modifications and I want to sanitize the taint analysis and remove any explicit intents from the result set, instead of just adding a feature to it. Tried doing it like so, but was unable to remove the finding that still had a setClass within the taint analysis. Appreciate any help to guide me on this issue, or any documentation about sanitizers that you might have!

{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Landroid/content/Intent;"
          }
        },
        {
          "constraint": "any_of",
          "inners": [
            {
              "constraint": "name",
              "pattern": "setClass.*"
            },
            {
              "constraint": "name",
              "pattern": "setComponent"
            },
            {
              "constraint": "name",
              "pattern": "setPackage"
            }
          ]
        }
      ],
      "model": {
        "sanitizers": [
          {"sanitize": "propagations"}
        ]
      }
    }
  ]
}

Hi, sorry for the late reply and thank you for the question.

At a glance, I believe the issue is with the "name" constraint. This matches the full name of the method, which includes the class name as a prefix. Something like: Landroid/content/Intent;.setClass(<arg types>)V. This means the "pattern" constraint cannot treat the name as a prefix.

Specifically this part:

            {
              "constraint": "name",
              // "pattern": "setClass.*" --> change this to the following:
              "pattern": ".*setClass.*"
            },

If that still does not work, you can use the verbosity: 1 flag to debug the model generators. There should be output logs to indicate which methods were processed and which ones matched or didn't match.

    {
      "find": "methods",
      "where": [...],
      "model": {...},
      "verbosity": 1
    }
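
The following is an added example, not code from this thread or from Mariana Trench itself. It takes the reply's description at face value, namely that a "name" constraint's regex is matched against the whole method name, class prefix included, and shows what that does to the original patterns versus the corrected ones. The method names are constructed strings in the shape the reply gives (Landroid/content/Intent;.setClass(<arg types>)V); the function names and the extension of the same fix to the setComponent and setPackage patterns are assumptions, not something the reply states.

```python
import re

# Constructed full method names in the form the reply describes.
# They are illustrative strings, not logs or output from Mariana Trench.
METHOD_NAMES = [
    "Landroid/content/Intent;.setClass(Landroid/content/Context;Ljava/lang/Class;)Landroid/content/Intent;",
    "Landroid/content/Intent;.setClassName(Ljava/lang/String;Ljava/lang/String;)Landroid/content/Intent;",
    "Landroid/content/Intent;.setComponent(Landroid/content/ComponentName;)Landroid/content/Intent;",
    "Landroid/content/Intent;.setPackage(Ljava/lang/String;)Landroid/content/Intent;",
    "Landroid/content/Intent;.putExtra(Ljava/lang/String;Ljava/lang/String;)Landroid/content/Intent;",
]

# The patterns from the issue as posted, and the same patterns with the
# leading/trailing ".*" the reply suggests (applied to all three here,
# which goes beyond the reply's setClass-only example).
ORIGINAL_PATTERNS = ["setClass.*", "setComponent", "setPackage"]
FIXED_PATTERNS = [".*setClass.*", ".*setComponent.*", ".*setPackage.*"]


def name_constraint_matches(pattern: str, full_name: str) -> bool:
    """Assumed semantics (per the reply): the regex must match the whole name.

    re.fullmatch anchors at both ends, so a pattern that only describes a
    suffix of the name, such as "setClass.*", can never match a name that
    begins with the class descriptor.
    """
    return re.fullmatch(pattern, full_name) is not None


def any_of_matches(patterns, full_name: str) -> bool:
    """Mirror of an "any_of" constraint over several "name" constraints."""
    return any(name_constraint_matches(p, full_name) for p in patterns)


def explain_matches(patterns, names):
    """Per-method verdicts, the kind of view verbosity logging would give."""
    return {name: any_of_matches(patterns, name) for name in names}


def matched_methods(patterns, names):
    """Only the methods the generator would attach the sanitizer to."""
    return [name for name, ok in explain_matches(patterns, names).items() if ok]


if __name__ == "__main__":
    for label, patterns in (("original", ORIGINAL_PATTERNS), ("fixed", FIXED_PATTERNS)):
        print(f"--- {label} patterns ---")
        for name, ok in explain_matches(patterns, METHOD_NAMES).items():
            print(f"{'MATCH   ' if ok else 'no match'} {name}")
```

Running it shows that, under full-match semantics, none of the original three patterns selects anything, while the ".*"-wrapped versions select setClass, setComponent and setPackage. Note that ".*setClass.*" also picks up setClassName, which is consistent with the goal stated in the issue (any call that turns an Intent explicit), but worth knowing when the pattern is meant to be narrower.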

Hello @yuhshin-oss, I tried applying your fix but it doesn't work, the sanitizer doesn't stop the taint. The verbosity says everything is satisfied. I cannot understand where the problem is. I tried also adding:
{"sanitize": "sources"},
{"sanitize": "sinks"},
{"sanitize": "propagations"}