Feat/full cfg (#30)

* feat: Enhance control flow analysis with function summaries and taint analysis * feat: Update taint analysis to utilize function summaries for enhanced tracking * Refactor `walk.rs` batch processing and override handling: - Renamed `Batcher` to `BatchSender` for clarity. - Added `BatchSender::new` constructor for cleaner initialization. - Simplified batch size management in `BatchSender`. - Extracted `build_overrides` function for reusable override construction. - Improved error handling and validation in override building. - Enhanced performance with directory and file type filtering in `walk`. * Improve logging and streamline directory walk process: - Added detailed `tracing` logs for debugging batch flushes, override construction, and walk initialization/completion. - Optimized and simplified `filter_entry` logic for directory and file type filters. - Improved metadata checks and max file size enforcement during the scan. * Refactor and optimize taint tracking, label rules, and directory walk process: - Replaced `DefaultHasher` with `blake3::Hasher` for improved taint hashing. - Enhanced sorting and hashing logic in `taint.rs` for consistency and efficiency. - Removed unused `set_hash` function and redundant imports across files. - Improved batch sender logic in `walk.rs`, renaming key components for clarity. - Unified `spawn_senders` and `spawn_file_walker` with thread handling and channel tuple return. - Expanded label rules with additional matchers for sources, sanitizers, and sinks. - Deprecated `dump_cfg` and specific logging utilities in `cfg.rs` for code cleanup. * fix: fixed let chains error in walk.rs * fix: updated dependencies * fix: updated dependencies * chore: Remove standard error in scan.rs * feat: Introduce function summaries for enhanced taint and control flow analysis * feat: Enhance taint analysis with interop support and function summaries * feat: Add configuration analysis module and enhance matcher rules * feat: Add arity column to function_summaries and handle schema migration * fix: fixed clippy &PathBuf warnings * chore: Update dependencies and versioning in Cargo files * docs: Update README to enhance clarity and detail on features and analysis modes * chore: Update CHANGELOG for version 0.2.0 with new features, changes, and fixes * docs: Update SECURITY.md to clarify version support status --------- Co-authored-by: elipeter <eli.peter@es.fcm.travel>
2026-06-09 19:45:13 +02:00 · 2026-02-24 23:44:07 -05:00 · 2026-02-24 23:44:07 -05:00 · f96a89e7c1
commit f96a89e7c1
parent 8cbbec7d90
87 changed files with 11505 additions and 1099 deletions
--- a/tests/fixtures/java_service/Service.java
+++ b/tests/fixtures/java_service/Service.java
@ -0,0 +1,127 @@
+import java.io.*;
+import java.sql.*;
+import java.util.Random;
+
+/**
+ * Simulates a Java backend service handling HTTP requests.
+ * Contains realistic vulnerability patterns found in enterprise Java code.
+ */
+public class Service {
+
+    private Connection dbConn;
+
+    public Service(Connection dbConn) {
+        this.dbConn = dbConn;
+    }
+
+    // ───── Command execution from environment ─────
+
+    /**
+     * POST /admin/maintenance
+     * Runs a maintenance command from environment config.
+     * VULN: System.getenv flows into Runtime.exec (command injection)
+     */
+    public String handleMaintenance() throws IOException {
+        String cmd = System.getenv("MAINTENANCE_CMD");
+        Process proc = Runtime.getRuntime().exec(cmd);
+        BufferedReader reader = new BufferedReader(
+            new InputStreamReader(proc.getInputStream())
+        );
+        StringBuilder output = new StringBuilder();
+        String line;
+        while ((line = reader.readLine()) != null) {
+            output.append(line).append("\n");
+        }
+        return output.toString();
+    }
+
+    /**
+     * POST /admin/deploy
+     * Constructs a deploy command from multiple env vars.
+     * VULN: System.getenv flows into Runtime.exec
+     */
+    public void handleDeploy() throws IOException {
+        String target = System.getenv("DEPLOY_HOST");
+        String artifact = System.getenv("ARTIFACT_PATH");
+        String command = "scp " + artifact + " " + target + ":/opt/app/";
+        Runtime.getRuntime().exec(command);
+    }
+
+    // ───── SQL injection via string concatenation ─────
+
+    /**
+     * GET /api/users/search
+     * Searches users with a query parameter concatenated into SQL.
+     * VULN: System.getenv flows into executeQuery (SQL injection)
+     */
+    public ResultSet searchUsers(String searchTerm) throws SQLException {
+        String table = System.getenv("USERS_TABLE");
+        String sql = "SELECT * FROM " + table + " WHERE name LIKE '%" + searchTerm + "%'";
+        Statement stmt = dbConn.createStatement();
+        return stmt.executeQuery(sql);
+    }
+
+    /**
+     * POST /api/audit/log
+     * Writes an audit log entry using concatenated SQL.
+     * VULN: String concatenation in executeUpdate (SQL injection)
+     */
+    public void logAuditEvent(String event, String userId) throws SQLException {
+        String sql = "INSERT INTO audit_log (event, user_id, ts) VALUES ('"
+            + event + "', '" + userId + "', NOW())";
+        Statement stmt = dbConn.createStatement();
+        stmt.executeUpdate(sql);
+    }
+
+    // ───── Deserialization ─────
+
+    /**
+     * POST /api/session/restore
+     * Deserializes a session object from a byte stream.
+     * VULN: ObjectInputStream.readObject on untrusted data
+     */
+    public Object restoreSession(InputStream sessionData) throws Exception {
+        ObjectInputStream ois = new ObjectInputStream(sessionData);
+        Object session = ois.readObject();
+        ois.close();
+        return session;
+    }
+
+    // ───── Reflection ─────
+
+    /**
+     * POST /api/plugins/load
+     * Dynamically loads a class by name from environment config.
+     * VULN: System.getenv flows into Class.forName (unsafe reflection)
+     */
+    public Object loadPlugin() throws Exception {
+        String className = System.getenv("PLUGIN_CLASS");
+        Class<?> pluginClass = Class.forName(className);
+        return pluginClass.getDeclaredConstructor().newInstance();
+    }
+
+    // ───── Weak randomness ─────
+
+    /**
+     * Generates a session token using java.util.Random.
+     * VULN: insecure random — should use SecureRandom for tokens
+     */
+    public String generateSessionToken() {
+        Random rng = new Random();
+        long tokenValue = rng.nextLong();
+        return Long.toHexString(tokenValue);
+    }
+
+    // ───── Safe patterns ─────
+
+    /**
+     * SAFE: uses PreparedStatement (parameterized query).
+     */
+    public ResultSet safeSearch(String term) throws SQLException {
+        PreparedStatement pstmt = dbConn.prepareStatement(
+            "SELECT * FROM users WHERE name LIKE ?"
+        );
+        pstmt.setString(1, "%" + term + "%");
+        return pstmt.executeQuery();
+    }
+}