mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-15 20:05:13 +02:00
89 lines
3.1 KiB
Rust
89 lines
3.1 KiB
Rust
|
//! Dangerous-local sink detection.
|
||
|
|
//!
|
||
|
|
//! Walks the post-pass-2 [`GlobalSummaries`] looking for functions
|
||
|
|
//! that themselves consume `Cap::CODE_EXEC`, `Cap::DESERIALIZE`,
|
||
|
|
//! `Cap::SSTI`, or `Cap::FMT_STRING` (the canonical "no externally
|
||
|
|
//! observable side effect" sinks) and emits one
|
||
|
|
//! [`SurfaceNode::DangerousLocal`] per such function.
|
||
|
|
//!
|
||
|
|
//! The cap bits are taken straight from the existing label-rule
|
||
|
|
//! registry — every Phase 22 sink class continues to land on the same
|
||
|
|
//! `sink_caps` field downstream rules already populate. No new
|
||
|
|
//! detection pass is added here; the surface layer just lifts the
|
||
|
|
//! cap-bit information out of the summary.
|
||
|
|
|
||
|
|
use super::{DangerousLocal, SourceLocation, SurfaceNode};
|
||
|
|
use crate::labels::Cap;
|
||
|
|
use crate::summary::GlobalSummaries;
|
||
|
|
|
||
|
|
/// Cap bits that indicate the function is a *local* sink — code exec,
|
||
|
|
/// unsafe deserialisation, server-side template injection, format
|
||
|
|
/// string injection. Other sink caps (SQL_QUERY → DataStore;
|
||
|
|
/// SSRF → ExternalService) live elsewhere in the surface layer so the
|
||
|
|
/// node taxonomy matches the chain composer's expectations.
|
||
|
|
fn dangerous_caps() -> Cap {
|
||
|
|
Cap::CODE_EXEC | Cap::DESERIALIZE | Cap::SSTI | Cap::FMT_STRING
|
||
|
|
}
|
||
|
|
|
||
|
|
pub fn detect_dangerous_locals(summaries: &GlobalSummaries) -> Vec<SurfaceNode> {
|
||
|
|
let mask = dangerous_caps();
|
||
|
|
let mut out: Vec<SurfaceNode> = Vec::new();
|
||
|
|
for (key, summary) in summaries.iter() {
|
||
|
|
let caps = summary.sink_caps() & mask;
|
||
|
|
if caps.is_empty() {
|
||
|
|
continue;
|
||
|
|
}
|
||
|
|
out.push(SurfaceNode::DangerousLocal(DangerousLocal {
|
||
|
|
location: SourceLocation {
|
||
|
|
file: summary.file_path.clone(),
|
||
|
|
line: 0,
|
||
|
|
col: 0,
|
||
|
|
},
|
||
|
|
function_name: key.qualified_name(),
|
||
|
|
cap_bits: caps.bits(),
|
||
|
|
}));
|
||
|
|
}
|
||
|
|
out
|
||
|
|
}
|
||
|
|
|
||
|
|
#[cfg(test)]
|
||
|
|
mod tests {
|
||
|
|
use super::*;
|
||
|
|
use crate::summary::FuncSummary;
|
||
|
|
use crate::symbol::{FuncKey, Lang};
|
||
|
|
|
||
|
|
fn summary_with_caps(name: &str, file: &str, caps: Cap) -> (FuncKey, FuncSummary) {
|
||
|
|
let key = FuncKey::new_function(Lang::Python, file, name, None);
|
||
|
|
let summary = FuncSummary {
|
||
|
|
name: name.to_string(),
|
||
|
|
file_path: file.to_string(),
|
||
|
|
lang: "python".to_string(),
|
||
|
|
sink_caps: caps.bits(),
|
||
|
|
..Default::default()
|
||
|
|
};
|
||
|
|
(key, summary)
|
||
|
|
}
|
||
|
|
|
||
|
|
#[test]
|
||
|
|
fn detects_eval_sink() {
|
||
|
|
let mut gs = GlobalSummaries::new();
|
||
|
|
let (k, s) = summary_with_caps("run", "danger.py", Cap::CODE_EXEC);
|
||
|
|
gs.insert(k, s);
|
||
|
|
let nodes = detect_dangerous_locals(&gs);
|
||
|
|
assert_eq!(nodes.len(), 1);
|
||
|
|
let SurfaceNode::DangerousLocal(d) = &nodes[0] else {
|
||
|
|
panic!()
|
||
|
|
};
|
||
|
|
assert_eq!(d.cap_bits & Cap::CODE_EXEC.bits(), Cap::CODE_EXEC.bits());
|
||
|
|
}
|
||
|
|
|
||
|
|
#[test]
|
||
|
|
fn ignores_sql_only() {
|
||
|
|
let mut gs = GlobalSummaries::new();
|
||
|
|
let (k, s) = summary_with_caps("query", "data.py", Cap::SQL_QUERY);
|
||
|
|
gs.insert(k, s);
|
||
|
|
let nodes = detect_dangerous_locals(&gs);
|
||
|
|
assert!(nodes.is_empty());
|
||
|
|
}
|
||
|
|
}
|