mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-30 20:39:39 +02:00
149 lines
6.7 KiB
Rust
149 lines
6.7 KiB
Rust
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
||
|
|
// examples/cross-file/main.rs — The caller
|
||
|
|
//
|
||
|
|
// This file calls functions from config.rs, sanitize.rs, and exec.rs.
|
||
|
|
// It never directly touches std::env, std::fs, or std::process — every
|
||
|
|
// source, sanitiser, and sink lives in another file.
|
||
|
|
//
|
||
|
|
// Nyx's two-pass cross-file taint analysis should:
|
||
|
|
// • Pass 1: summarise config.rs, sanitize.rs, exec.rs
|
||
|
|
// • Pass 2: resolve calls in main.rs against those summaries
|
||
|
|
//
|
||
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
||
|
|
//
|
||
|
|
// EXPECTED NYX OUTPUT
|
||
|
|
// ===================
|
||
|
|
//
|
||
|
|
// examples/cross-file/main.rs
|
||
|
|
// 12:5 [High] taint-unsanitised-flow ← case_1_direct_source_to_sink
|
||
|
|
// 22:5 [High] taint-unsanitised-flow ← case_3_wrong_sanitiser
|
||
|
|
// 34:5 [High] taint-unsanitised-flow ← case_5_passthrough_preserves_taint
|
||
|
|
// 40:5 [High] taint-unsanitised-flow ← case_6_taint_through_branch
|
||
|
|
// 50:5 [High] taint-unsanitised-flow ← case_8_source_and_sink_same_fn
|
||
|
|
//
|
||
|
|
// examples/cross-file/exec.rs
|
||
|
|
// 30:5 [High] taint-unsanitised-flow ← log_and_execute internal vuln
|
||
|
|
//
|
||
|
|
// NO findings expected for:
|
||
|
|
// case_2 (correct sanitiser applied)
|
||
|
|
// case_4 (correct html sanitiser applied)
|
||
|
|
// case_7 (sanitised before branch)
|
||
|
|
//
|
||
|
|
// ─────────────────────────────────────────────────────────────────────────────
|
||
|
|
|
||
|
|
// ─── Case 1: Direct source → sink (UNSAFE) ──────────────────────────────────
|
||
|
|
//
|
||
|
|
// get_user_command() returns tainted(ALL)
|
||
|
|
// run_command() is a sink(SHELL_ESCAPE)
|
||
|
|
// No sanitiser in between → FINDING
|
||
|
|
//
|
||
|
|
fn case_1_direct_source_to_sink() {
|
||
|
|
let cmd = get_user_command(); // tainted(ALL) via cross-file source
|
||
|
|
run_command(&cmd); // FINDING: taint reaches shell sink
|
||
|
|
}
|
||
|
|
|
||
|
|
// ─── Case 2: Correctly sanitised (SAFE) ─────────────────────────────────────
|
||
|
|
//
|
||
|
|
// get_user_command() returns tainted(ALL)
|
||
|
|
// sanitize_shell() strips SHELL_ESCAPE
|
||
|
|
// run_command() sinks SHELL_ESCAPE → bit is gone → no finding
|
||
|
|
//
|
||
|
|
fn case_2_sanitised_before_sink() {
|
||
|
|
let cmd = get_user_command(); // tainted(ALL)
|
||
|
|
let safe = sanitize_shell(&cmd); // SHELL_ESCAPE bit stripped
|
||
|
|
run_command(&safe); // SAFE — no finding
|
||
|
|
}
|
||
|
|
|
||
|
|
// ─── Case 3: Wrong sanitiser for the sink (UNSAFE) ──────────────────────────
|
||
|
|
//
|
||
|
|
// get_user_command() returns tainted(ALL)
|
||
|
|
// sanitize_html() strips HTML_ESCAPE — but NOT SHELL_ESCAPE
|
||
|
|
// run_command() sinks SHELL_ESCAPE → bit still set → FINDING
|
||
|
|
//
|
||
|
|
fn case_3_wrong_sanitiser() {
|
||
|
|
let cmd = get_user_command(); // tainted(ALL)
|
||
|
|
let wrong = sanitize_html(&cmd); // strips HTML_ESCAPE only
|
||
|
|
run_command(&wrong); // FINDING: SHELL_ESCAPE still set
|
||
|
|
}
|
||
|
|
|
||
|
|
// ─── Case 4: Correct HTML sanitiser (SAFE) ──────────────────────────────────
|
||
|
|
//
|
||
|
|
// load_template() returns tainted(ALL) from file read
|
||
|
|
// sanitize_html() strips HTML_ESCAPE
|
||
|
|
// render_page() sinks HTML_ESCAPE → bit is gone → no finding
|
||
|
|
//
|
||
|
|
fn case_4_html_sanitised() {
|
||
|
|
let tpl = load_template("page.html"); // tainted(ALL) via cross-file source
|
||
|
|
let safe = sanitize_html(&tpl); // HTML_ESCAPE bit stripped
|
||
|
|
render_page(&safe); // SAFE — no finding
|
||
|
|
}
|
||
|
|
|
||
|
|
// ─── Case 5: Passthrough preserves taint (UNSAFE) ───────────────────────────
|
||
|
|
//
|
||
|
|
// get_user_command() returns tainted(ALL)
|
||
|
|
// passthrough() propagates taint unchanged (propagates_taint = true)
|
||
|
|
// run_command() sinks SHELL_ESCAPE → still tainted → FINDING
|
||
|
|
//
|
||
|
|
fn case_5_passthrough_preserves_taint() {
|
||
|
|
let cmd = get_user_command(); // tainted(ALL)
|
||
|
|
let same = passthrough(&cmd); // taint flows through
|
||
|
|
run_command(&same); // FINDING: still tainted
|
||
|
|
}
|
||
|
|
|
||
|
|
// ─── Case 6: Taint flows through only one branch (UNSAFE) ───────────────────
|
||
|
|
//
|
||
|
|
// One branch sanitises, the other does not.
|
||
|
|
// The unsanitised branch reaches the sink → FINDING on that path.
|
||
|
|
//
|
||
|
|
fn case_6_taint_through_branch() {
|
||
|
|
let cmd = get_user_command(); // tainted(ALL)
|
||
|
|
if cmd.len() > 10 {
|
||
|
|
run_command(&cmd); // FINDING: unsanitised path
|
||
|
|
} else {
|
||
|
|
let safe = sanitize_shell(&cmd);
|
||
|
|
run_command(&safe); // SAFE path
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
// ─── Case 7: Sanitised before branch (SAFE) ─────────────────────────────────
|
||
|
|
//
|
||
|
|
// Sanitisation happens before the branch → both paths are clean.
|
||
|
|
//
|
||
|
|
fn case_7_sanitised_before_branch() {
|
||
|
|
let cmd = get_user_command(); // tainted(ALL)
|
||
|
|
let safe = sanitize_shell(&cmd); // SHELL_ESCAPE stripped
|
||
|
|
if safe.len() > 10 {
|
||
|
|
run_command(&safe); // SAFE
|
||
|
|
} else {
|
||
|
|
run_command(&safe); // SAFE
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
// ─── Case 8: Source-and-sink function (UNSAFE) ──────────────────────────────
|
||
|
|
//
|
||
|
|
// log_and_execute() is both:
|
||
|
|
// • a SINK(SHELL_ESCAPE) on its cmd parameter
|
||
|
|
// • a SOURCE(ALL) in its return value (reads env var)
|
||
|
|
//
|
||
|
|
// Passing tainted data to it → FINDING for the sink.
|
||
|
|
// Its return value is freshly tainted, but we don't pass it anywhere
|
||
|
|
// dangerous here — so only one finding.
|
||
|
|
//
|
||
|
|
fn case_8_source_and_sink_same_fn() {
|
||
|
|
let cmd = get_user_command(); // tainted(ALL)
|
||
|
|
let _log = log_and_execute(&cmd); // FINDING: tainted arg hits shell sink
|
||
|
|
// _log is now tainted(ALL) from log_and_execute's source behaviour,
|
||
|
|
// but we don't use it — no second finding.
|
||
|
|
}
|
||
|
|
|
||
|
|
fn main() {
|
||
|
|
case_1_direct_source_to_sink();
|
||
|
|
case_2_sanitised_before_sink();
|
||
|
|
case_3_wrong_sanitiser();
|
||
|
|
case_4_html_sanitised();
|
||
|
|
case_5_passthrough_preserves_taint();
|
||
|
|
case_6_taint_through_branch();
|
||
|
|
case_7_sanitised_before_branch();
|
||
|
|
case_8_source_and_sink_same_fn();
|
||
|
|
}
|