Regarding Taint Analysis Report in output file #19

Open
KarthickRaja2002 opened this issue Sep 23, 2022 · 2 comments

Comments

@KarthickRaja2002

@RootLUG

I haven't got any source and tainted path in the output file. Is there any possibility to get the tainted path (flow) from the tainted source to sink? So that it may be easier to find the vulnerability and fix that issue.

@RootLUG
Contributor

RootLUG commented Oct 21, 2022

Hello @KarthickRaja2002 ,
yes, the taint flow is available as part of the "extra" data for the TaintAnomaly detection. You can test this for example on some files from the built-in unittests like `aura scan tests/files/flask_app.py` (add `-f json` for JSON output) and the output would look like this (snippet of a specific taint detection):

```json
{
  "score": 10,
  "type": "TaintAnomaly",
  "slug": "taintanomaly",
  "severity": "critical",
  "hash": 2205937520,
  "tags": [
    "misc:test_code",
    "vuln:taint"
  ],
  "extra": {
    "taint_log": [
      {
        "line_no": 34,
        "message": "AST node marked as sink using semantic rules",
        "path": "/Users/blah/aura/tests/files/flask_app.py"
      },
      {
        "line_no": 36,
        "message": "Taint propagated by return/yield statement",
        "path": "/Users/blah/aura/tests/files/flask_app.py",
        "taint_level": "TAINTED"
      }
    ]
  },
  "line": "return resp",
  "line_no": 36,
  "signature": "taint_anomaly#tests/files/flask_app.py#36",
  "message": "Tainted input is passed to the sink",
  "location": "tests/files/flask_app.py"
}
```

The `extra.taint_log` JSON path here contains a log of how the taint was propagated from the source to the sink.
It is possible that in some cases this `taint_log` is not fully complete or is missing, as it is not yet fully supported in all cases, especially if there are some generators or complicated `if` conditions with recursive calls, as it's difficult to fully track the log of propagation in these cases. If you find such a case, then just open an issue and attach a sample with code to reproduce it.
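The comment above describes the `extra.taint_log` structure and warns that the log can be incomplete or missing. The following is an added example, not code from the aura project or from either commenter: it walks a list of detection dicts shaped like the snippet, prints each taint flow in line order, and flags detections whose log is absent or never reaches a `TAINTED` entry. The top-level wrapper of aura's JSON report is not shown in this issue, so the list of detections and the second, hypothetical detection are constructed assumptions.

```python
import json
from typing import Any

# Constructed sample input: the TaintAnomaly detection quoted in this issue
# (trimmed, entries deliberately out of line order) plus a hypothetical
# second detection that carries no taint_log, so the "missing" branch runs.
# aura's top-level JSON wrapper is not shown here; this assumes a plain list.
SAMPLE_DETECTIONS: list[dict[str, Any]] = json.loads("""[
  {"type": "TaintAnomaly", "severity": "critical",
   "signature": "taint_anomaly#tests/files/flask_app.py#36",
   "extra": {"taint_log": [
     {"line_no": 36, "message": "Taint propagated by return/yield statement",
      "path": "/Users/blah/aura/tests/files/flask_app.py", "taint_level": "TAINTED"},
     {"line_no": 34, "message": "AST node marked as sink using semantic rules",
      "path": "/Users/blah/aura/tests/files/flask_app.py"}]}},
  {"type": "HypotheticalDetection", "severity": "high",
   "signature": "hypothetical#a.py#3", "extra": {}}
]""")


def taint_flow(detection: dict[str, Any]) -> dict[str, Any]:
    """Summarise one detection's extra.taint_log.

    'complete' is False when the log is absent or never reaches a TAINTED
    entry, i.e. the partially supported case the maintainer describes above.
    """
    log = detection.get("extra", {}).get("taint_log") or []
    steps = sorted(log, key=lambda e: e.get("line_no", 0))
    return {
        "signature": detection.get("signature"),
        "type": detection.get("type"),
        "steps": [f"{e['path']}:{e['line_no']} {e['message']}" for e in steps],
        "complete": any(e.get("taint_level") == "TAINTED" for e in steps),
    }


def summarise(detections: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Run taint_flow over every detection in a report."""
    return [taint_flow(d) for d in detections]


if __name__ == "__main__":
    for flow in summarise(SAMPLE_DETECTIONS):
        status = "complete" if flow["complete"] else "INCOMPLETE or MISSING"
        print(f"{flow['signature']} ({flow['type']}): {status}")
        for step in flow["steps"]:
            print("   ", step)
```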

@KarthickRaja2002
Author

@RootLUG,
How did you find the taint flow only for Taint Anomaly Detection? What are the ways to find the taint flow (log) for other detections like SQL Injection, Function Call and so on...?
