package sight
import (
"os"
"path/filepath"
"strings"
"testing"
)
// fixtureEnv returns a copy of the process environment with GOWORK=off
// appended, so the nested testdata module is resolved as its own main module
// rather than through an enclosing workspace file.
func fixtureEnv() []string {
	env := os.Environ()
	env = append(env, "GOWORK=off")
	return env
}
// TestSSATaint_CrossFunctionFlows runs the SSA taint analyzer over the
// testdata/crossfunc fixture and checks that taint entering one function is
// reported when it reaches a sink in another, and that a sanitized sink is not.
func TestSSATaint_CrossFunctionFlows(t *testing.T) {
	fixture, err := filepath.Abs("testdata/crossfunc")
	if err != nil {
		t.Fatal(err)
	}
	analyzer := NewSSATaintAnalyzer()
	analyzer.Env = fixtureEnv()
	findings, err := analyzer.AnalyzePackages(fixture, ".")
	if err != nil {
		t.Fatalf("analyze: %v", err)
	}
	if len(findings) == 0 {
		t.Fatalf("expected cross-function taint findings, got none")
	}

	// Every vulnerability class the fixture is expected to exercise.
	wanted := []string{"SQL_INJECTION", "COMMAND_INJECTION", "PATH_TRAVERSAL"}

	// Count findings per class. A message naming several classes is counted
	// once for each of them.
	counts := make(map[string]int, len(wanted))
	for _, finding := range findings {
		if finding.Concern != "taint:ssa-data-flow" {
			t.Errorf("unexpected concern %q", finding.Concern)
		}
		for _, class := range wanted {
			if strings.Contains(finding.Message, class) {
				counts[class]++
			}
		}
	}

	// The tainted value enters in handler() and reaches sinks in
	// runQuery/runCmd/readConfig; a function-scoped regex analyzer cannot
	// follow those edges, so each class must be reported at least once.
	for _, class := range wanted {
		if counts[class] == 0 {
			t.Errorf("expected a %s finding from cross-function flow; findings=%v", class, summarize(findings))
		}
	}

	// Sanitizer suppression: the os.ReadFile call guarded by filepath.Clean
	// must not be reported, leaving exactly one PATH_TRAVERSAL finding
	// (readConfig) rather than two.
	if got := counts["PATH_TRAVERSAL"]; got != 1 {
		t.Errorf("sanitizer suppression failed: expected exactly 1 PATH_TRAVERSAL finding, got %d", got)
	}
}
// TestSSATaint_CleanPackageNoFindings runs the analyzer over testdata/clean,
// a fixture with no tainted flows, and requires an empty result so that any
// false positive introduced in the analyzer is caught here.
func TestSSATaint_CleanPackageNoFindings(t *testing.T) {
	fixture, err := filepath.Abs("testdata/clean")
	if err != nil {
		t.Fatal(err)
	}
	analyzer := NewSSATaintAnalyzer()
	analyzer.Env = fixtureEnv()
	findings, err := analyzer.AnalyzePackages(fixture, ".")
	if err != nil {
		t.Fatalf("analyze: %v", err)
	}
	// Every finding on this fixture is, by construction, a false positive.
	if len(findings) > 0 {
		t.Errorf("expected no findings in clean package, got %v", summarize(findings))
	}
}
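// summarize flattens findings into their messages so a failing assertion can
// print what the analyzer actually reported. It returns nil for an empty
// input, matching the previous behavior of the nil-slice accumulator.
func summarize(fs []Finding) []string {
	if len(fs) == 0 {
		return nil
	}
	// Pre-size: the output has exactly one entry per finding, so a single
	// allocation suffices instead of growing through repeated appends.
	out := make([]string, 0, len(fs))
	for i := range fs {
		out = append(out, fs[i].Message)
	}
	return out
}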