nyx/examples/cross-file/exec.rs

// ─────────────────────────────────────────────────────────────────────────────
// examples/cross-file/exec.rs — Sinks
//
// Functions that perform dangerous operations.  Passing tainted data to
// these without the matching sanitiser is a vulnerability.
//
// ┌─────────────────────────────────────────────────────────────────────────┐
// │  FuncSummary produced by pass 1:                                       │
// │                                                                        │
// │  run_command      → sink_caps: SHELL_ESCAPE, tainted_sink_params: [0]  │
// │  render_page      → sink_caps: HTML_ESCAPE,  tainted_sink_params: [0]  │
// │  log_and_execute  → sink_caps: SHELL_ESCAPE, source_caps: ALL          │
// │                     (both a source AND a sink!)                         │
// └─────────────────────────────────────────────────────────────────────────┘
// ─────────────────────────────────────────────────────────────────────────────

use std::env;
use std::process::Command;

/// Executes a shell command.
/// Taint: SINK(SHELL_ESCAPE) on `cmd` (param 0).
pub fn run_command(cmd: &str) {
    Command::new("sh").arg(cmd).status().unwrap();
}

/// Renders user content into an HTML page.
/// Taint: SINK(HTML_ESCAPE) on `body` (param 0).
pub fn render_page(body: &str) {
    println!("<html><body>{body}</body></html>");
}

/// Reads an env var *and* shells out — a function that is simultaneously
/// a source (return value) and a sink (cmd parameter).
///
/// This exercises the "independent caps" design: source_caps and sink_caps
/// are both non-zero on the same summary.
pub fn log_and_execute(cmd: &str) -> String {
    let log_path = env::var("LOG_PATH").unwrap_or_default();
    Command::new("sh").arg(cmd).status().unwrap();
    log_path
}
Feat/full cfg (#30) * feat: Enhance control flow analysis with function summaries and taint analysis * feat: Update taint analysis to utilize function summaries for enhanced tracking * Refactor `walk.rs` batch processing and override handling: - Renamed `Batcher` to `BatchSender` for clarity. - Added `BatchSender::new` constructor for cleaner initialization. - Simplified batch size management in `BatchSender`. - Extracted `build_overrides` function for reusable override construction. - Improved error handling and validation in override building. - Enhanced performance with directory and file type filtering in `walk`. * Improve logging and streamline directory walk process: - Added detailed `tracing` logs for debugging batch flushes, override construction, and walk initialization/completion. - Optimized and simplified `filter_entry` logic for directory and file type filters. - Improved metadata checks and max file size enforcement during the scan. * Refactor and optimize taint tracking, label rules, and directory walk process: - Replaced `DefaultHasher` with `blake3::Hasher` for improved taint hashing. - Enhanced sorting and hashing logic in `taint.rs` for consistency and efficiency. - Removed unused `set_hash` function and redundant imports across files. - Improved batch sender logic in `walk.rs`, renaming key components for clarity. - Unified `spawn_senders` and `spawn_file_walker` with thread handling and channel tuple return. - Expanded label rules with additional matchers for sources, sanitizers, and sinks. - Deprecated `dump_cfg` and specific logging utilities in `cfg.rs` for code cleanup. * fix: fixed let chains error in walk.rs * fix: updated dependencies * fix: updated dependencies * chore: Remove standard error in scan.rs * feat: Introduce function summaries for enhanced taint and control flow analysis * feat: Enhance taint analysis with interop support and function summaries * feat: Add configuration analysis module and enhance matcher rules * feat: Add arity column to function_summaries and handle schema migration * fix: fixed clippy &PathBuf warnings * chore: Update dependencies and versioning in Cargo files * docs: Update README to enhance clarity and detail on features and analysis modes * chore: Update CHANGELOG for version 0.2.0 with new features, changes, and fixes * docs: Update SECURITY.md to clarify version support status --------- Co-authored-by: elipeter <eli.peter@es.fcm.travel> 2026-02-24 23:44:07 -05:00			`// ─────────────────────────────────────────────────────────────────────────────`
			`// examples/cross-file/exec.rs — Sinks`
			`//`
			`// Functions that perform dangerous operations. Passing tainted data to`
			`// these without the matching sanitiser is a vulnerability.`
			`//`
			`// ┌─────────────────────────────────────────────────────────────────────────┐`
			`// │ FuncSummary produced by pass 1: │`
			`// │ │`
			`// │ run_command → sink_caps: SHELL_ESCAPE, tainted_sink_params: [0] │`
			`// │ render_page → sink_caps: HTML_ESCAPE, tainted_sink_params: [0] │`
			`// │ log_and_execute → sink_caps: SHELL_ESCAPE, source_caps: ALL │`
			`// │ (both a source AND a sink!) │`
			`// └─────────────────────────────────────────────────────────────────────────┘`
			`// ─────────────────────────────────────────────────────────────────────────────`

			`use std::env;`
			`use std::process::Command;`

			`/// Executes a shell command.`
			/// Taint: SINK(SHELL_ESCAPE) on `cmd` (param 0).
			`pub fn run_command(cmd: &str) {`
			`Command::new("sh").arg(cmd).status().unwrap();`
			`}`

			`/// Renders user content into an HTML page.`
			/// Taint: SINK(HTML_ESCAPE) on `body` (param 0).
			`pub fn render_page(body: &str) {`
			`println!("<html><body>{body}</body></html>");`
			`}`

			`/// Reads an env var and shells out — a function that is simultaneously`
			`/// a source (return value) and a sink (cmd parameter).`
			`///`
			`/// This exercises the "independent caps" design: source_caps and sink_caps`
			`/// are both non-zero on the same summary.`
			`pub fn log_and_execute(cmd: &str) -> String {`
			`let log_path = env::var("LOG_PATH").unwrap_or_default();`
			`Command::new("sh").arg(cmd).status().unwrap();`
			`log_path`
			`}`