mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-06 19:35:13 +02:00
58f1794a4e
* feat: Enhance data exfiltration detection with source sensitivity gating for cookies and headers * feat: Implement cross-file data exfiltration detection with parameter-specific gate filters * feat: Add calibration tests and refine DATA_EXFIL severity scoring logic * feat: Introduce per-detector configuration for data exfiltration suppression * feat: Enhance DATA_EXFIL findings with destination field tracking in diagnostics and SARIF output * feat: Add tainted body and URL handling for data exfiltration detection * feat: Add integration tests and fixtures for DATA_EXFIL and SSRF detection in Go * feat: Add Java integration tests and fixtures for DATA_EXFIL detection across multiple HTTP clients * feat: Add synthetic externals handling for closure-captured variables in SSA * feat: Implement closure-based suppression for resource leak findings * feat: Add regression guards for shell-injection and taint propagation in for-of destructure patterns * feat: Implement constructor cap narrowing for data exfiltration detection in HTTP request builders * feat: Add gated sinks for data exfiltration detection in C and C++ using curl_easy_setopt * feat: Implement DATA_EXFIL cap parity for backwards analysis and add integration tests * feat: Add data exfiltration sinks for various languages and enhance documentation * refactor: Simplify formatting and improve readability in various files * refactor: Improve readability by simplifying conditional statements and adding clippy linting * docs: Update CHANGELOG and comments for data exfiltration features and configuration * docs: Clarify configuration instructions for data exfiltration trusted destinations * docs: Enhance comments for evidence routing logic in data exfiltration
212 lines
7.5 KiB
Rust
212 lines
7.5 KiB
Rust
//! Integration tests for the Go bindings of the `Cap::DATA_EXFIL`
|
|
//! detector class.
|
|
//!
|
|
//! Mirrors the JS `fetch_data_exfil_integration_tests` shape: a single
|
|
//! outbound HTTP callee carries an SSRF gate (URL flow) and a DATA_EXFIL
|
|
//! gate (body / payload flow), and per-position cap attribution must
|
|
//! keep a tainted URL from surfacing as data exfiltration and a tainted
|
|
//! body from surfacing as SSRF. Also validates the two-step
|
|
//! `http.NewRequest` → `http.DefaultClient.Do` idiom: NewRequest is
|
|
//! modeled as a body propagator (default arg → return propagation), so
|
|
//! body taint reaches the Do gate through the returned `*http.Request`.
|
|
|
|
mod common;
|
|
|
|
use common::{scan_fixture_dir, validate_expectations};
|
|
use nyx_scanner::commands::scan::Diag;
|
|
use nyx_scanner::utils::config::AnalysisMode;
|
|
use std::path::{Path, PathBuf};
|
|
|
|
fn go_fixture_dir() -> PathBuf {
|
|
PathBuf::from(env!("CARGO_MANIFEST_DIR"))
|
|
.join("tests")
|
|
.join("fixtures")
|
|
.join("go")
|
|
}
|
|
|
|
fn diags_for(file: &str) -> Vec<Diag> {
|
|
let dir = go_fixture_dir();
|
|
let all = scan_fixture_dir(&dir, AnalysisMode::Full);
|
|
all.into_iter().filter(|d| d.path.ends_with(file)).collect()
|
|
}
|
|
|
|
#[test]
|
|
fn http_post_body_data_exfil_emits_data_exfil_not_ssrf() {
|
|
let diags = diags_for("data_exfil_http_post.go");
|
|
let exfil = diags
|
|
.iter()
|
|
.filter(|d| d.id.starts_with("taint-data-exfiltration"))
|
|
.count();
|
|
let plain_taint = diags
|
|
.iter()
|
|
.filter(|d| d.id.starts_with("taint-unsanitised-flow"))
|
|
.count();
|
|
assert!(
|
|
exfil >= 1,
|
|
"expected at least one taint-data-exfiltration finding for cookie → http.Post body, got 0.\n\
|
|
Diags: {:#?}",
|
|
diags.iter().map(|d| &d.id).collect::<Vec<_>>(),
|
|
);
|
|
assert_eq!(
|
|
plain_taint,
|
|
0,
|
|
"fixed-URL http.Post with tainted body must NOT emit SSRF \
|
|
(taint-unsanitised-flow), got {plain_taint}.\n\
|
|
Diags: {:#?}",
|
|
diags.iter().map(|d| &d.id).collect::<Vec<_>>(),
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn http_post_form_emits_data_exfil_not_ssrf() {
|
|
let diags = diags_for("data_exfil_post_form.go");
|
|
let exfil = diags
|
|
.iter()
|
|
.filter(|d| d.id.starts_with("taint-data-exfiltration"))
|
|
.count();
|
|
let plain_taint = diags
|
|
.iter()
|
|
.filter(|d| d.id.starts_with("taint-unsanitised-flow"))
|
|
.count();
|
|
assert!(
|
|
exfil >= 1,
|
|
"expected at least one taint-data-exfiltration finding for header → http.PostForm data, got 0.\n\
|
|
Diags: {:#?}",
|
|
diags.iter().map(|d| &d.id).collect::<Vec<_>>(),
|
|
);
|
|
assert_eq!(
|
|
plain_taint,
|
|
0,
|
|
"fixed-URL http.PostForm with tainted form data must NOT emit SSRF, got {plain_taint}.\n\
|
|
Diags: {:#?}",
|
|
diags.iter().map(|d| &d.id).collect::<Vec<_>>(),
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn new_request_do_two_step_emits_data_exfil() {
|
|
// The two-step idiom: `req, _ := http.NewRequest(_, fixedURL, body);
|
|
// http.DefaultClient.Do(req)`. NewRequest is modeled as a body
|
|
// propagator (default arg → return) so the request value carries
|
|
// body taint into the DATA_EXFIL gate at Do. SSRF must not fire
|
|
// because the URL position at NewRequest is a hardcoded string.
|
|
let diags = diags_for("data_exfil_new_request_do.go");
|
|
let exfil = diags
|
|
.iter()
|
|
.filter(|d| d.id.starts_with("taint-data-exfiltration"))
|
|
.count();
|
|
let plain_taint = diags
|
|
.iter()
|
|
.filter(|d| d.id.starts_with("taint-unsanitised-flow"))
|
|
.count();
|
|
assert!(
|
|
exfil >= 1,
|
|
"expected at least one taint-data-exfiltration finding for cookie → NewRequest → Do, got 0.\n\
|
|
Diags: {:#?}",
|
|
diags.iter().map(|d| &d.id).collect::<Vec<_>>(),
|
|
);
|
|
assert_eq!(
|
|
plain_taint,
|
|
0,
|
|
"two-step NewRequest → Do with hardcoded URL must NOT emit SSRF, got {plain_taint}.\n\
|
|
Diags: {:#?}",
|
|
diags.iter().map(|d| &d.id).collect::<Vec<_>>(),
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn map_assign_data_exfil_emits_through_url_values() {
|
|
// Container-taint DATA_EXFIL: cookies populate a `url.Values` map
|
|
// across multiple keys, then the map flows into `http.PostForm`'s
|
|
// form-data channel. The Elements heap slot must round-trip the
|
|
// cap from each `form.Set(k, v)` write to the sink-side load so
|
|
// DATA_EXFIL fires on the body channel even though `form` itself is
|
|
// not directly tainted by an Assign. SSRF must NOT fire because
|
|
// the destination URL is a hardcoded literal.
|
|
let diags = diags_for("data_exfil_map_assign.go");
|
|
let exfil = diags
|
|
.iter()
|
|
.filter(|d| d.id.starts_with("taint-data-exfiltration"))
|
|
.count();
|
|
let plain_taint = diags
|
|
.iter()
|
|
.filter(|d| d.id.starts_with("taint-unsanitised-flow"))
|
|
.count();
|
|
assert!(
|
|
exfil >= 1,
|
|
"expected at least one taint-data-exfiltration finding for map_assign cookies → http.PostForm, got 0.\n\
|
|
Diags: {:#?}",
|
|
diags.iter().map(|d| &d.id).collect::<Vec<_>>(),
|
|
);
|
|
assert_eq!(
|
|
plain_taint,
|
|
0,
|
|
"fixed-URL http.PostForm with tainted map must NOT emit SSRF, got {plain_taint}.\n\
|
|
Diags: {:#?}",
|
|
diags.iter().map(|d| &d.id).collect::<Vec<_>>(),
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn ssrf_url_tainted_emits_ssrf_not_data_exfil() {
|
|
// Tainted query param flows into NewRequest's URL position with a
|
|
// hardcoded body; SSRF must fire on the URL flow and DATA_EXFIL
|
|
// must NOT fire (no Sensitive source reaches the body).
|
|
let diags = diags_for("ssrf_url_tainted.go");
|
|
let ssrf = diags
|
|
.iter()
|
|
.filter(|d| d.id.starts_with("taint-unsanitised-flow"))
|
|
.count();
|
|
let exfil = diags
|
|
.iter()
|
|
.filter(|d| d.id.starts_with("taint-data-exfiltration"))
|
|
.count();
|
|
assert!(
|
|
ssrf >= 1,
|
|
"expected at least one taint-unsanitised-flow (SSRF) finding, got 0.\n\
|
|
Diags: {:#?}",
|
|
diags.iter().map(|d| &d.id).collect::<Vec<_>>(),
|
|
);
|
|
assert_eq!(
|
|
exfil,
|
|
0,
|
|
"tainted-URL NewRequest → Do must NOT emit DATA_EXFIL, got {exfil}.\n\
|
|
Diags: {:#?}",
|
|
diags.iter().map(|d| &d.id).collect::<Vec<_>>(),
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn http_post_plain_user_input_does_not_emit_data_exfil() {
|
|
// Plain attacker-controlled input (`r.FormValue`) flowing into a
|
|
// fixed-URL `http.Post` body must NOT fire `Cap::DATA_EXFIL` after
|
|
// the source-sensitivity gate strips the cap for Plain sources.
|
|
let diags = diags_for("data_exfil_user_input_silenced.go");
|
|
let exfil = diags
|
|
.iter()
|
|
.filter(|d| d.id.starts_with("taint-data-exfiltration"))
|
|
.count();
|
|
assert_eq!(
|
|
exfil,
|
|
0,
|
|
"plain user input echoed into a Go http.Post body must NOT emit \
|
|
taint-data-exfiltration, got {exfil}.\n\
|
|
Diags: {:#?}",
|
|
diags.iter().map(|d| &d.id).collect::<Vec<_>>(),
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn cross_file_go_data_exfil_split() {
|
|
// A wrapper whose two parameters target distinct gated-sink classes
|
|
// on a single inner two-step (`url` flows to NewRequest's SSRF gate;
|
|
// `body` flows through NewRequest → Do's DATA_EXFIL gate). Each
|
|
// caller taints exactly one parameter and must surface only the cap
|
|
// class corresponding to that parameter's gate.
|
|
let dir = Path::new(env!("CARGO_MANIFEST_DIR"))
|
|
.join("tests")
|
|
.join("fixtures")
|
|
.join("cross_file_go_data_exfil");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Full);
|
|
validate_expectations(&diags, &dir);
|
|
}
|