apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-06 19:35:13 +02:00
Code Issues Projects Releases Packages Wiki Activity
nyx/examples/cross-file/main.rs
Eli Peter f96a89e7c1
Feat/full cfg (#30) 
* feat: Enhance control flow analysis with function summaries and taint analysis

* feat: Update taint analysis to utilize function summaries for enhanced tracking

* Refactor `walk.rs` batch processing and override handling:

- Renamed `Batcher` to `BatchSender` for clarity.
- Added `BatchSender::new` constructor for cleaner initialization.
- Simplified batch size management in `BatchSender`.
- Extracted `build_overrides` function for reusable override construction.
- Improved error handling and validation in override building.
- Enhanced performance with directory and file type filtering in `walk`.

* Improve logging and streamline directory walk process:

- Added detailed `tracing` logs for debugging batch flushes, override construction, and walk initialization/completion.
- Optimized and simplified `filter_entry` logic for directory and file type filters.
- Improved metadata checks and max file size enforcement during the scan.

* Refactor and optimize taint tracking, label rules, and directory walk process:

- Replaced `DefaultHasher` with `blake3::Hasher` for improved taint hashing.
- Enhanced sorting and hashing logic in `taint.rs` for consistency and efficiency.
- Removed unused `set_hash` function and redundant imports across files.
- Improved batch sender logic in `walk.rs`, renaming key components for clarity.
- Unified `spawn_senders` and `spawn_file_walker` with thread handling and channel tuple return.
- Expanded label rules with additional matchers for sources, sanitizers, and sinks.
- Deprecated `dump_cfg` and specific logging utilities in `cfg.rs` for code cleanup.

* fix: fixed let chains error in walk.rs

* fix: updated dependencies

* fix: updated dependencies

* chore: Remove standard error in scan.rs

* feat: Introduce function summaries for enhanced taint and control flow analysis

* feat: Enhance taint analysis with interop support and function summaries

* feat: Add configuration analysis module and enhance matcher rules

* feat: Add arity column to function_summaries and handle schema migration

* fix: fixed clippy &PathBuf warnings

* chore: Update dependencies and versioning in Cargo files

* docs: Update README to enhance clarity and detail on features and analysis modes

* chore: Update CHANGELOG for version 0.2.0 with new features, changes, and fixes

* docs: Update SECURITY.md to clarify version support status

---------

Co-authored-by: elipeter <eli.peter@es.fcm.travel>
2026-02-24 23:44:07 -05:00

148 lines
6.7 KiB
Rust
Raw Blame History

// ─────────────────────────────────────────────────────────────────────────────
// examples/cross-file/main.rs — The caller
//
// This file calls functions from config.rs, sanitize.rs, and exec.rs.
// It never directly touches std::env, std::fs, or std::process — every
// source, sanitiser, and sink lives in another file.
//
// Nyx's two-pass cross-file taint analysis should:
// • Pass 1: summarise config.rs, sanitize.rs, exec.rs
// • Pass 2: resolve calls in main.rs against those summaries
//
// ─────────────────────────────────────────────────────────────────────────────
//
// EXPECTED NYX OUTPUT
// ===================
//
// examples/cross-file/main.rs
// 12:5 [High] taint-unsanitised-flow ← case_1_direct_source_to_sink
// 22:5 [High] taint-unsanitised-flow ← case_3_wrong_sanitiser
// 34:5 [High] taint-unsanitised-flow ← case_5_passthrough_preserves_taint
// 40:5 [High] taint-unsanitised-flow ← case_6_taint_through_branch
// 50:5 [High] taint-unsanitised-flow ← case_8_source_and_sink_same_fn
//
// examples/cross-file/exec.rs
// 30:5 [High] taint-unsanitised-flow ← log_and_execute internal vuln
//
// NO findings expected for:
// case_2 (correct sanitiser applied)
// case_4 (correct html sanitiser applied)
// case_7 (sanitised before branch)
//
// ─────────────────────────────────────────────────────────────────────────────
// ─── Case 1: Direct source → sink (UNSAFE) ──────────────────────────────────
//
// get_user_command() returns tainted(ALL)
// run_command() is a sink(SHELL_ESCAPE)
// No sanitiser in between → FINDING
//
fn case_1_direct_source_to_sink() {
let cmd = get_user_command(); // tainted(ALL) via cross-file source
run_command(&cmd); // FINDING: taint reaches shell sink
}
// ─── Case 2: Correctly sanitised (SAFE) ─────────────────────────────────────
//
// get_user_command() returns tainted(ALL)
// sanitize_shell() strips SHELL_ESCAPE
// run_command() sinks SHELL_ESCAPE → bit is gone → no finding
//
fn case_2_sanitised_before_sink() {
let cmd = get_user_command(); // tainted(ALL)
let safe = sanitize_shell(&cmd); // SHELL_ESCAPE bit stripped
run_command(&safe); // SAFE — no finding
}
// ─── Case 3: Wrong sanitiser for the sink (UNSAFE) ──────────────────────────
//
// get_user_command() returns tainted(ALL)
// sanitize_html() strips HTML_ESCAPE — but NOT SHELL_ESCAPE
// run_command() sinks SHELL_ESCAPE → bit still set → FINDING
//
fn case_3_wrong_sanitiser() {
let cmd = get_user_command(); // tainted(ALL)
let wrong = sanitize_html(&cmd); // strips HTML_ESCAPE only
run_command(&wrong); // FINDING: SHELL_ESCAPE still set
}
// ─── Case 4: Correct HTML sanitiser (SAFE) ──────────────────────────────────
//
// load_template() returns tainted(ALL) from file read
// sanitize_html() strips HTML_ESCAPE
// render_page() sinks HTML_ESCAPE → bit is gone → no finding
//
fn case_4_html_sanitised() {
let tpl = load_template("page.html"); // tainted(ALL) via cross-file source
let safe = sanitize_html(&tpl); // HTML_ESCAPE bit stripped
render_page(&safe); // SAFE — no finding
}
// ─── Case 5: Passthrough preserves taint (UNSAFE) ───────────────────────────
//
// get_user_command() returns tainted(ALL)
// passthrough() propagates taint unchanged (propagates_taint = true)
// run_command() sinks SHELL_ESCAPE → still tainted → FINDING
//
fn case_5_passthrough_preserves_taint() {
let cmd = get_user_command(); // tainted(ALL)
let same = passthrough(&cmd); // taint flows through
run_command(&same); // FINDING: still tainted
}
// ─── Case 6: Taint flows through only one branch (UNSAFE) ───────────────────
//
// One branch sanitises, the other does not.
// The unsanitised branch reaches the sink → FINDING on that path.
//
fn case_6_taint_through_branch() {
let cmd = get_user_command(); // tainted(ALL)
if cmd.len() > 10 {
run_command(&cmd); // FINDING: unsanitised path
} else {
let safe = sanitize_shell(&cmd);
run_command(&safe); // SAFE path
}
}
// ─── Case 7: Sanitised before branch (SAFE) ─────────────────────────────────
//
// Sanitisation happens before the branch → both paths are clean.
//
fn case_7_sanitised_before_branch() {
let cmd = get_user_command(); // tainted(ALL)
let safe = sanitize_shell(&cmd); // SHELL_ESCAPE stripped
if safe.len() > 10 {
run_command(&safe); // SAFE
} else {
run_command(&safe); // SAFE
}
}
// ─── Case 8: Source-and-sink function (UNSAFE) ──────────────────────────────
//
// log_and_execute() is both:
// • a SINK(SHELL_ESCAPE) on its cmd parameter
// • a SOURCE(ALL) in its return value (reads env var)
//
// Passing tainted data to it → FINDING for the sink.
// Its return value is freshly tainted, but we don't pass it anywhere
// dangerous here — so only one finding.
//
fn case_8_source_and_sink_same_fn() {
let cmd = get_user_command(); // tainted(ALL)
let _log = log_and_execute(&cmd); // FINDING: tainted arg hits shell sink
// _log is now tainted(ALL) from log_and_execute's source behaviour,
// but we don't use it — no second finding.
}
fn main() {
case_1_direct_source_to_sink();
case_2_sanitised_before_sink();
case_3_wrong_sanitiser();
case_4_html_sanitised();
case_5_passthrough_preserves_taint();
case_6_taint_through_branch();
case_7_sanitised_before_branch();
case_8_source_and_sink_same_fn();
}
Reference in a new issue View git blame Copy permalink