RubyGems - tainted - Versions diffs - 0.1.0 → 0.3.0 - Mend

tainted 0.1.0 → 0.3.0

Files changed (10) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1b26e5de6db90715d8868475b14f828ee951472378e2ab3d751bb36e0ab570a1
-  data.tar.gz: 4e84f893cefc8c37f52b9b353ff80ea3a63eba096f625d6acb2061aefb83d299
+  metadata.gz: 278da9234147c4a8df18795ca9666877032253e8cb4409219ba0fd8e4420444b
+  data.tar.gz: 16e24fa14406e9755b3f631809a23a13fcf255605b5f6a2f66fc60d27ecee27a
 SHA512:
-  metadata.gz: 2a73d2e0c62366eb397b64c7f4cd8d78f643ba1179bafa4534664c901cadc683d3b1d375a205024e0716930d17634076de122e36e3f96c2c8f53f0310ac747c9
-  data.tar.gz: f1444e63ab1f1fa2cbb328b19d2676c5eabc5948ae6a4bc7af0167ce08c7dd898ea5ee203629ab30adec04c76d0ed652c1966ff008c4806775d8e4039726aaeb
+  metadata.gz: b1fdc6834f8e8727e6e7fa0328ddd4193d4a7433f3c020f16eacaa6d63ef61f96b682a7a7e8b34db7e39d28a4554c77373d96467bb3a9cab8b8b00348d4b0fd0
+  data.tar.gz: 96b9a1687308bed7f57317dd66ece9eca69a7d0e2a7544cc8e40861017911d447aa11244daf44d5e3d27620358e80150e117b008c3a7a97b76e633608ff73f31

data/README.md CHANGED Viewed

@@ -29,8 +29,13 @@ require 'tainted'
 file = "#{__dir__}/../fixtures/simple.rb"
 lint = Tainted::Lint.new(file, %i[tainted], %i[unsafe])
 lint.analyze
-# Method `unsafe()` consuming tainted variable `d`
-# Method `unsafe()` consuming tainted variable `c`
+=>
+[#<Tainted::Offense:0x0000000107caf690
+  @message="Method `unsafe()` consuming tainted variable `d`",
+  @node=(call nil nil (ident "unsafe") (arg_paren (args ((var_ref (ident "d"))))))>,
+ #<Tainted::Offense:0x0000000107caf5f0
+  @message="Method `unsafe()` consuming tainted variable `c`",
+  @node=(call nil nil (ident "unsafe") (arg_paren (args ((var_ref (ident "c"))))))>]
 ```
 ## Development

data/Rakefile CHANGED Viewed

@@ -9,4 +9,4 @@ require "rubocop/rake_task"
 RuboCop::RakeTask.new
-task default: %i[spec rubocop]
+task default: %i[spec]

data/lib/tainted/lint.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Tainted
     def initialize(filepath, sources, sinks)
       @filepath = filepath
-      t = Tainted::DataFlow.new(@filepath)
+      t = DataFlow.new(@filepath)
       t.generate
       var_dependencies = t.tainted
       State.instance.var_dependencies = var_dependencies
@@ -15,7 +15,7 @@ module Tainted
     def analyze
       @visitor.visit(SyntaxTree.parse_file(@filepath))
-      @visitor.result
+      @visitor.offenses
     end
   end
 end

data/lib/tainted/offense.rb ADDED Viewed

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+module Tainted
+  class Offense
+    attr_reader :node, :message
+    def initialize(node, message)
+      @node = node
+      @message = message
+    end
+  end
+end

data/lib/tainted/static.rb CHANGED Viewed

@@ -2,13 +2,14 @@
 module Tainted
   class Static < SyntaxTree::Visitor
-    attr_reader :result
+    attr_reader :offenses
-    def initialize(sources, _sinks)
+    def initialize(sources, sinks)
       super()
       @sources = sources
-      @result = []
+      @sinks = sinks
+      @offenses = []
     end
     def visit(node)
@@ -29,10 +30,17 @@ module Tainted
     def parse_assign(node)
       variable_name = node.target.value.value
-      # pp node.value.class
-      return unless node.value.is_a?(SyntaxTree::CallNode)
-      method_name = node.value.message.value
+      method_name =
+        case node.value
+        when SyntaxTree::CallNode
+          node.value.message.value
+        when SyntaxTree::ARef
+          # (aref (vcall (ident "<method_name>")))
+          node.value.collection.value.value
+        end
+      return if method_name.nil?
       return unless @sources.include?(method_name&.to_sym)
       State.instance.var_dependencies[variable_name.to_sym][:tainted] = true
@@ -45,10 +53,12 @@ module Tainted
         arguments.map { |arg| [arg, taint_status(arg.value.value.to_sym)] }
       method_name = node.message.value
+      return unless @sinks.include?(method_name.to_sym)
       taint_statuses.each do |status|
         next unless status[1]
-        @result << "Method `#{method_name}()` consuming tainted variable `#{status[0].value.value}`"
+        @offenses << Offense.new(node, "Method `#{method_name}()` consuming tainted variable `#{status[0].value.value}`")
       end
     end

data/lib/tainted/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Tainted
-  VERSION = "0.1.0"
+  VERSION = "0.3.0"
 end

data/lib/tainted.rb CHANGED Viewed

@@ -6,6 +6,7 @@ require_relative "tainted/state"
 require_relative "tainted/static"
 require_relative "tainted/lint"
 require_relative "tainted/dataflow"
+require_relative "tainted/offense"
 require_relative "tainted/version"
 module Tainted

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tainted
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Syed Faraaz Ahmad
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-10-23 00:00:00.000000000 Z
+date: 2023-11-09 00:00:00.000000000 Z
 dependencies: []
 description:
 email:
@@ -23,10 +23,10 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
-- fixtures/simple.rb
 - lib/tainted.rb
 - lib/tainted/dataflow.rb
 - lib/tainted/lint.rb
+- lib/tainted/offense.rb
 - lib/tainted/state.rb
 - lib/tainted/static.rb
 - lib/tainted/version.rb

data/fixtures/simple.rb DELETED Viewed

@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-a = tainted()
-b = a + 1
-c = b + 2
-d = b + c
-unsafe(d)
-unsafe(c)