RubyGems - tainted - Versions diffs - 0.1.0 → 0.3.0 - Mend

tainted 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1b26e5de6db90715d8868475b14f828ee951472378e2ab3d751bb36e0ab570a1
-  data.tar.gz: 4e84f893cefc8c37f52b9b353ff80ea3a63eba096f625d6acb2061aefb83d299
+  metadata.gz: 278da9234147c4a8df18795ca9666877032253e8cb4409219ba0fd8e4420444b
+  data.tar.gz: 16e24fa14406e9755b3f631809a23a13fcf255605b5f6a2f66fc60d27ecee27a
 SHA512:
-  metadata.gz: 2a73d2e0c62366eb397b64c7f4cd8d78f643ba1179bafa4534664c901cadc683d3b1d375a205024e0716930d17634076de122e36e3f96c2c8f53f0310ac747c9
-  data.tar.gz: f1444e63ab1f1fa2cbb328b19d2676c5eabc5948ae6a4bc7af0167ce08c7dd898ea5ee203629ab30adec04c76d0ed652c1966ff008c4806775d8e4039726aaeb
+  metadata.gz: b1fdc6834f8e8727e6e7fa0328ddd4193d4a7433f3c020f16eacaa6d63ef61f96b682a7a7e8b34db7e39d28a4554c77373d96467bb3a9cab8b8b00348d4b0fd0
+  data.tar.gz: 96b9a1687308bed7f57317dd66ece9eca69a7d0e2a7544cc8e40861017911d447aa11244daf44d5e3d27620358e80150e117b008c3a7a97b76e633608ff73f31

data/README.md CHANGED Viewed

@@ -29,8 +29,13 @@ require 'tainted'
 file = "#{__dir__}/../fixtures/simple.rb"
 lint = Tainted::Lint.new(file, %i[tainted], %i[unsafe])
 lint.analyze
-# Method `unsafe()` consuming tainted variable `d`
-# Method `unsafe()` consuming tainted variable `c`
+=>
+[#<Tainted::Offense:0x0000000107caf690
+  @message="Method `unsafe()` consuming tainted variable `d`",
+  @node=(call nil nil (ident "unsafe") (arg_paren (args ((var_ref (ident "d"))))))>,
+ #<Tainted::Offense:0x0000000107caf5f0
+  @message="Method `unsafe()` consuming tainted variable `c`",
+  @node=(call nil nil (ident "unsafe") (arg_paren (args ((var_ref (ident "c"))))))>]
 ```
 ## Development

data/Rakefile CHANGED Viewed

@@ -9,4 +9,4 @@ require "rubocop/rake_task"
 RuboCop::RakeTask.new
-task default: %i[spec rubocop]
+task default: %i[spec]

data/lib/tainted/lint.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Tainted
     def initialize(filepath, sources, sinks)
       @filepath = filepath
-      t = Tainted::DataFlow.new(@filepath)
+      t = DataFlow.new(@filepath)
       t.generate
       var_dependencies = t.tainted
       State.instance.var_dependencies = var_dependencies
@@ -15,7 +15,7 @@ module Tainted
     def analyze
       @visitor.visit(SyntaxTree.parse_file(@filepath))
-      @visitor.result
+      @visitor.offenses
     end
   end
 end

data/lib/tainted/offense.rb ADDED Viewed

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+module Tainted
+  class Offense
+    attr_reader :node, :message
+    def initialize(node, message)
+      @node = node
+      @message = message
+    end
+  end
+end

data/lib/tainted/static.rb CHANGED Viewed

@@ -2,13 +2,14 @@
 module Tainted
   class Static < SyntaxTree::Visitor
-    attr_reader :result
+    attr_reader :offenses
-    def initialize(sources, _sinks)
+    def initialize(sources, sinks)
       super()
       @sources = sources
-      @result = []
+      @sinks = sinks
+      @offenses = []
     end
     def visit(node)
@@ -29,10 +30,17 @@ module Tainted
     def parse_assign(node)
       variable_name = node.target.value.value
-      # pp node.value.class
-      return unless node.value.is_a?(SyntaxTree::CallNode)
-      method_name = node.value.message.value
+      method_name =
+        case node.value
+        when SyntaxTree::CallNode
+          node.value.message.value
+        when SyntaxTree::ARef
+          # (aref (vcall (ident "<method_name>")))
+          node.value.collection.value.value
+        end
+      return if method_name.nil?
       return unless @sources.include?(method_name&.to_sym)
       State.instance.var_dependencies[variable_name.to_sym][:tainted] = true
@@ -45,10 +53,12 @@ module Tainted
         arguments.map { |arg| [arg, taint_status(arg.value.value.to_sym)] }
       method_name = node.message.value
+      return unless @sinks.include?(method_name.to_sym)
       taint_statuses.each do |status|
         next unless status[1]
-        @result << "Method `#{method_name}()` consuming tainted variable `#{status[0].value.value}`"
+        @offenses << Offense.new(node, "Method `#{method_name}()` consuming tainted variable `#{status[0].value.value}`")
       end
     end

data/lib/tainted/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Tainted
-  VERSION = "0.1.0"
+  VERSION = "0.3.0"
 end

data/lib/tainted.rb CHANGED Viewed

@@ -6,6 +6,7 @@ require_relative "tainted/state"
 require_relative "tainted/static"
 require_relative "tainted/lint"
 require_relative "tainted/dataflow"
+require_relative "tainted/offense"
 require_relative "tainted/version"
 module Tainted

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tainted
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Syed Faraaz Ahmad
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-10-23 00:00:00.000000000 Z
+date: 2023-11-09 00:00:00.000000000 Z
 dependencies: []
 description:
 email:
@@ -23,10 +23,10 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
-- fixtures/simple.rb
 - lib/tainted.rb
 - lib/tainted/dataflow.rb
 - lib/tainted/lint.rb
+- lib/tainted/offense.rb
 - lib/tainted/state.rb
 - lib/tainted/static.rb
 - lib/tainted/version.rb

data/fixtures/simple.rb DELETED Viewed

@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-a = tainted()
-b = a + 1
-c = b + 2
-d = b + c
-unsafe(d)
-unsafe(c)