Query on writing sanitizers
Opened this issue · 2 comments
Hello! Just a question on how to write flows for sanitizers. I have done some modifications and I want to sanitize the taint analysis and remove any explicit intents from the result set, instead of just adding a feature to it. I tried doing it like so, but was unable to remove the finding that still had a setClass within the taint analysis. I'd appreciate any help to guide me on this issue, or any documentation about sanitizers that you might have!
```json
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Landroid/content/Intent;"
          }
        },
        {
          "constraint": "any_of",
          "inners": [
            {
              "constraint": "name",
              "pattern": "setClass.*"
            },
            {
              "constraint": "name",
              "pattern": "setComponent"
            },
            {
              "constraint": "name",
              "pattern": "setPackage"
            }
          ]
        }
      ],
      "model": {
        "sanitizers": [
          {"sanitize": "propagations"}
        ]
      }
    }
  ]
}
```
Hi, sorry for the late reply and thank you for the question.
At a glance, I believe the issue is with the "name" constraint. This matches the full name of the method, which includes the class name as a prefix, something like `Landroid/content/Intent;.setClass(<arg types>)V`. This means the "pattern" constraint cannot treat the name as a prefix.
Specifically this part: change `"pattern": "setClass.*"` to the following:

```json
{
  "constraint": "name",
  "pattern": ".*setClass.*"
}
```
If that still does not work, you can use the `"verbosity": 1` flag to debug the model generators. There should be output logs to indicate which methods were processed and which ones matched or didn't match.

```json
{
  "find": "methods",
  "where": [...],
  "model": {...},
  "verbosity": 1
}
```
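As an added illustration (not code from this issue or from the tool itself): a toy Python evaluator for the three constraint kinds used in the posted generator, assuming, as the reply describes, that a "name" pattern has to match the whole method signature, class prefix included. `METHODS` is a constructed list of Dex-style signatures, not analyzer output, and `matches`, `where_clause` and `select` are names chosen here. It runs the posted `where` clause once with the patterns as written and once with `.*` added on both sides of all three names, since the same prefix problem applies to `setComponent` and `setPackage` as to `setClass`.

```python
import re

# Constructed, illustrative Dex-style signatures in the form the reply
# describes: "<class descriptor>.<name>(<arg descriptors>)<return type>".
# They are not output from the analyzer.
METHODS = [
    "Landroid/content/Intent;.setClass(Landroid/content/Context;Ljava/lang/Class;)Landroid/content/Intent;",
    "Landroid/content/Intent;.setClassName(Ljava/lang/String;Ljava/lang/String;)Landroid/content/Intent;",
    "Landroid/content/Intent;.setComponent(Landroid/content/ComponentName;)Landroid/content/Intent;",
    "Landroid/content/Intent;.setPackage(Ljava/lang/String;)Landroid/content/Intent;",
    "Landroid/content/Intent;.putExtra(Ljava/lang/String;Ljava/lang/String;)Landroid/content/Intent;",
    "Lcom/example/Router;.setClass(Ljava/lang/Class;)V",
]

# The name patterns exactly as posted, and the same three with the ".*"
# prefix/suffix the reply recommends for setClass applied to all of them.
AS_POSTED = ["setClass.*", "setComponent", "setPackage"]
ANCHORED = [".*setClass.*", ".*setComponent.*", ".*setPackage.*"]


def parent_of(method):
    """Class descriptor of a method: everything before the first '.'."""
    return method.split(".", 1)[0]


def short_name(method):
    """Bare method name, e.g. 'setClass', for readable results."""
    return method.split(".", 1)[1].split("(", 1)[0]


def matches(constraint, subject):
    """Hypothetical evaluator (not the tool's code) for "name", "parent"
    and "any_of". Assumption: a "name" pattern must match the *whole*
    subject, which for a method is its full signature."""
    kind = constraint["constraint"]
    if kind == "name":
        return re.fullmatch(constraint["pattern"], subject) is not None
    if kind == "parent":
        return matches(constraint["inner"], parent_of(subject))
    if kind == "any_of":
        return any(matches(c, subject) for c in constraint["inners"])
    raise ValueError("unsupported constraint: %s" % kind)


def where_clause(name_patterns):
    """The issue's "where" list, with the any_of name patterns parameterised."""
    return [
        {"constraint": "parent",
         "inner": {"constraint": "name", "pattern": "Landroid/content/Intent;"}},
        {"constraint": "any_of",
         "inners": [{"constraint": "name", "pattern": p} for p in name_patterns]},
    ]


def select(where, methods=METHODS):
    """Short names of the methods satisfying every constraint in `where`."""
    return [short_name(m) for m in methods if all(matches(c, m) for c in where)]


if __name__ == "__main__":
    print("as posted:", select(where_clause(AS_POSTED)))   # []
    print("anchored: ", select(where_clause(ANCHORED)))    # setClass, setClassName, setComponent, setPackage
```

With the patterns as posted nothing on the Intent class is selected, because each regex is compared against the full `Landroid/content/Intent;.setClass(...)...` string; with `.*` on both sides all three setters (plus `setClassName`, which `setClass.*` already covered) are selected, while `Router.setClass` is still excluded by the parent constraint. If only `setClass` itself is wanted, anchor on the opening parenthesis (`.*\\.setClass\\(.*` once JSON-escaped) instead of the bare name.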
Hello @yuhshin-oss, I tried applying your fix but it doesn't work, the sanitizer doesn't stop the taint. The verbosity says everything is satisfied. I cannot understand where the problem is. I also tried adding:

```json
{"sanitize": "sources"},
{"sanitize": "sinks"},
{"sanitize": "propagations"}
```