feat(ssa): optimize branch condition handling via constant folding, enhance precision for taint analysis, and expand OWASP Benchmark support

2026-06-27 20:29:39 +02:00 · 2026-06-02 13:41:45 -05:00 · 2026-06-02 13:41:45 -05:00 · 9c99f6c6a9
commit 9c99f6c6a9
parent ec76c9e08f
22 changed files with 1020 additions and 17 deletions
--- a/tests/fixtures/real_world/java/taint/cmdi_deadbranch_const_safe.expect.json
+++ b/tests/fixtures/real_world/java/taint/cmdi_deadbranch_const_safe.expect.json
@ -0,0 +1,19 @@
+{
+  "description": "Dead-branch constant condition (OWASP Benchmark cmdi non-vulnerable shape). `(7*42) - num > 200` with num=86 is 208 > 200 — always true — so `bar` is the constant string and the `else bar = param` arm is statically dead. The constant-branch fold (src/ssa/const_prop.rs::fold_constant_branches) evaluates the captured CondArith tree, prunes the dead edge, and drops the tainted phi operand AND neutralises the dead block so copy-prop cannot alias `bar`<->`param`. Result: `r.exec(cmd + bar)` carries no taint. Asserts NO taint finding fires (strict_unexpected promotes any taint-unsanitised-flow to a hard failure).",
+  "tags": [
+    "taint",
+    "cmdi",
+    "servlet",
+    "runtime",
+    "dead-branch",
+    "const-fold",
+    "precision"
+  ],
+  "modes": [
+    "full"
+  ],
+  "strict_unexpected": [
+    "taint-unsanitised-flow"
+  ],
+  "expected": []
+}
--- a/tests/fixtures/real_world/java/taint/cmdi_deadbranch_const_safe.java
+++ b/tests/fixtures/real_world/java/taint/cmdi_deadbranch_const_safe.java
@ -0,0 +1,27 @@
+import java.io.*;
+import javax.servlet.http.*;
+
+// Dead-branch constant condition (OWASP Benchmark cmdi non-vulnerable shape).
+// The guard `(7*42) - num > 200` is `294 - 86 = 208 > 200`, i.e. ALWAYS true,
+// so `bar` is provably the constant string and the tainted `else` arm
+// (`bar = param`) is unreachable. The constant-branch fold
+// (`fold_constant_branches`) must prune the dead edge and drop the tainted
+// phi operand so `r.exec(cmd + bar)` carries no attacker data — NO finding.
+public class DeadBranchConstSafe extends HttpServlet {
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws IOException {
+        String param = request.getHeader("vector");
+
+        String bar;
+        int num = 86;
+        if ((7 * 42) - num > 200) {
+            bar = "This_should_always_happen";
+        } else {
+            bar = param;
+        }
+
+        String cmd = "echo ";
+        Runtime r = Runtime.getRuntime();
+        Process p = r.exec(cmd + bar);
+    }
+}
--- a/tests/fixtures/real_world/java/taint/cmdi_deadbranch_param_vuln.expect.json
+++ b/tests/fixtures/real_world/java/taint/cmdi_deadbranch_param_vuln.expect.json
@ -0,0 +1,32 @@
+{
+  "description": "Dead-branch constant condition with VULNERABLE polarity. `(500/42) + num > 200` is `11 + 196 = 207 > 200` (integer division) — always true — and the TRUE arm assigns the tainted `param`, so the reachable branch carries taint and only the `else bar = \"...\"` arm is dead. The constant-branch fold must prune the DEAD else edge while keeping the live `bar = param`, so the command-injection finding at `r.exec(cmd + bar)` MUST still fire. Zero-false-negative guard: it proves the fold never prunes the reachable (tainted) arm.",
+  "tags": [
+    "taint",
+    "cmdi",
+    "servlet",
+    "runtime",
+    "dead-branch",
+    "const-fold",
+    "no-false-negative"
+  ],
+  "modes": [
+    "full"
+  ],
+  "strict_unexpected": [
+    "taint-unsanitised-flow"
+  ],
+  "expected": [
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": "HIGH",
+      "must_match": true,
+      "line_range": [
+        26,
+        26
+      ],
+      "evidence_contains": [],
+      "notes": "request.getHeader (line 15) flows into bar on the always-taken true arm (line 21), then into r.exec at line 26. Exactly one finding survives.",
+      "max_count": 1
+    }
+  ]
+}
--- a/tests/fixtures/real_world/java/taint/cmdi_deadbranch_param_vuln.java
+++ b/tests/fixtures/real_world/java/taint/cmdi_deadbranch_param_vuln.java
@ -0,0 +1,28 @@
+import java.io.*;
+import javax.servlet.http.*;
+
+// Dead-branch constant condition, VULNERABLE polarity (OWASP Benchmark cmdi
+// vulnerable shape). The guard `(500/42) + num > 200` is `11 + 196 = 207 > 200`
+// using integer division — ALWAYS true — and the TRUE arm assigns the tainted
+// `param`. So the live branch carries taint and the `else bar = "never"` arm is
+// dead. The constant-branch fold must prune the DEAD (else) edge and keep the
+// reachable tainted `bar = param`, so `r.exec(cmd + bar)` MUST still fire. This
+// is the zero-false-negative guard: the fold must never prune the live arm.
+public class DeadBranchParamVuln extends HttpServlet {
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws IOException {
+        String param = request.getHeader("vector");
+
+        String bar;
+        int num = 196;
+        if ((500 / 42) + num > 200) {
+            bar = param;
+        } else {
+            bar = "This_should_never_happen";
+        }
+
+        String cmd = "echo ";
+        Runtime r = Runtime.getRuntime();
+        Process p = r.exec(cmd + bar);
+    }
+}
--- a/tests/fixtures/real_world/java/taint/cmdi_processbuilder_command.expect.json
+++ b/tests/fixtures/real_world/java/taint/cmdi_processbuilder_command.expect.json
@ -0,0 +1,29 @@
+{
+  "description": "HttpServletRequest parameter flows through a List into ProcessBuilder.command(argList) — command injection via the setter form (list attached separately from the constructor, then pb.start()). This is the dominant OWASP Benchmark cmdi shape; resolved via type-qualified ProcessBuilder.command sink on the typed receiver plus container-element taint on the argument list.",
+  "tags": [
+    "taint",
+    "cmdi",
+    "servlet",
+    "container"
+  ],
+  "modes": [
+    "full"
+  ],
+  "strict_unexpected": [
+    "taint-unsanitised-flow"
+  ],
+  "expected": [
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": "HIGH",
+      "must_match": true,
+      "line_range": [
+        16,
+        16
+      ],
+      "evidence_contains": [],
+      "notes": "request.getParameter (line 8) is concatenated into a list element (argList.add at line 13), the list is attached to ProcessBuilder via pb.command(argList) at line 16, and executed by pb.start() at line 17. The type-qualified ProcessBuilder.command sink fires at line 16 on the tainted container argument. Exactly one finding survives.",
+      "max_count": 1
+    }
+  ]
+}
--- a/tests/fixtures/real_world/java/taint/cmdi_processbuilder_command.java
+++ b/tests/fixtures/real_world/java/taint/cmdi_processbuilder_command.java
@ -0,0 +1,19 @@
+import java.io.*;
+import java.util.*;
+import javax.servlet.http.*;
+
+public class ProcessCommandHandler extends HttpServlet {
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws IOException {
+        String param = request.getParameter("vector");
+
+        List<String> argList = new ArrayList<String>();
+        argList.add("sh");
+        argList.add("-c");
+        argList.add("echo " + param);
+
+        ProcessBuilder pb = new ProcessBuilder();
+        pb.command(argList);
+        pb.start();
+    }
+}
--- a/tests/fixtures/real_world/java/taint/cmdi_runtime_split_receiver.expect.json
+++ b/tests/fixtures/real_world/java/taint/cmdi_runtime_split_receiver.expect.json
@ -0,0 +1,30 @@
+{
+  "description": "HttpServletRequest header flows into a String[] env array passed to a split-receiver Runtime.exec — command injection via the `Runtime r = Runtime.getRuntime(); ... r.exec(cmd, argsEnv)` shape (the dominant remaining OWASP Benchmark cmdi form). The callee text at the sink is `r.exec`, which does not suffix-match the flat `Runtime.exec` rule; resolution depends on the receiver `r` carrying TypeKind::Runtime (from the `Runtime.getRuntime()` factory / the `Runtime` declared type) so the type-qualified resolver rewrites `r.exec` → `Runtime.exec`. Taint is in the env array (arg 1), so no payload-arg restriction may be applied.",
+  "tags": [
+    "taint",
+    "cmdi",
+    "servlet",
+    "runtime",
+    "split-receiver"
+  ],
+  "modes": [
+    "full"
+  ],
+  "strict_unexpected": [
+    "taint-unsanitised-flow"
+  ],
+  "expected": [
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": "HIGH",
+      "must_match": true,
+      "line_range": [
+        16,
+        16
+      ],
+      "evidence_contains": [],
+      "notes": "request.getHeader (line 7) flows into the env array element argsEnv (line 15), which is passed as arg 1 of r.exec at line 16. The receiver r is typed Runtime via Runtime.getRuntime() (line 13), so the type-qualified Runtime.exec sink fires at the split-receiver call. Exactly one finding survives.",
+      "max_count": 1
+    }
+  ]
+}
--- a/tests/fixtures/real_world/java/taint/cmdi_runtime_split_receiver.java
+++ b/tests/fixtures/real_world/java/taint/cmdi_runtime_split_receiver.java
@ -0,0 +1,18 @@
+import java.io.*;
+import javax.servlet.http.*;
+
+public class RuntimeSplitReceiverHandler extends HttpServlet {
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws IOException {
+        String param = request.getHeader("vector");
+
+        // Split-receiver Runtime.exec: the receiver is bound to a local in
+        // one statement, then exec is called on it in another. The OWASP
+        // Benchmark cmdi shape places the tainted data in the environment
+        // array (arg 1), not the command (arg 0).
+        Runtime r = Runtime.getRuntime();
+        String[] args = { "/bin/sh", "-c", "echo nyx" };
+        String[] argsEnv = { "TAINT=" + param };
+        r.exec(args, argsEnv);
+    }
+}