EAS-2126 : FSRT's secret scanner is not detecting some secrets

atlassian-labs · May 23, 2024 · 5ff4eb6 · 5ff4eb6
1 parent 96b1345
commit 5ff4eb6
Show file tree

Hide file tree

Showing 5 changed files with 192 additions and 48 deletions.
diff --git a/crates/forge_analyzer/src/definitions.rs b/crates/forge_analyzer/src/definitions.rs
@@ -134,7 +134,7 @@ struct ModuleDefs {
 pub fn run_resolver(
     modules: &TiSlice<ModId, Module>,
     file_resolver: &ForgeResolver,
-    secret_packages: Vec<PackageData>,
+    secret_packages: &[PackageData],
 ) -> Environment {
     let mut environment = Environment::new();
 
@@ -207,7 +207,7 @@ pub fn run_resolver(
         let mut global_collector = GlobalCollector {
             res: &mut environment,
             global_id,
-            secret_packages: secret_packages.clone(), // remove the clone
+            secret_packages,
             module: curr_mod,
             parent: None,
         };
@@ -219,7 +219,7 @@ pub fn run_resolver(
             file_resolver,
             curr_class: None,
             curr_function: None,
-            secret_packages: secret_packages.clone(), // remove the clone
+            secret_packages,
             module: curr_mod,
             parent: None,
         };
@@ -536,7 +536,7 @@ struct GlobalCollector<'cx> {
     res: &'cx mut Environment,
     module: ModId,
     global_id: DefId,
-    secret_packages: Vec<PackageData>,
+    secret_packages: &'cx [PackageData],
     parent: Option<DefId>,
 }
 
@@ -803,7 +803,7 @@ struct FunctionCollector<'cx> {
     module: ModId,
     curr_class: Option<DefId>,
     curr_function: Option<DefId>,
-    secret_packages: Vec<PackageData>,
+    secret_packages: &'cx [PackageData],
     parent: Option<DefId>,
 }
 
@@ -814,7 +814,7 @@ struct FunctionAnalyzer<'cx> {
     assigning_to: Option<Variable>,
     pub body: Body,
     block: BasicBlockId,
-    secret_packages: Vec<PackageData>,
+    secret_packages: &'cx [PackageData],
     operand_stack: Vec<Operand>,
     in_lhs: bool,
 }
@@ -1022,7 +1022,9 @@ impl<'cx> FunctionAnalyzer<'cx> {
                                 && import_kind == *package_data.identifier
                                 && *method_name == *method
                         } else {
-                            false
+                            package_name == package_data.package_name
+                                && *method_name == *package_data.identifier
+                                && import_kind == ImportKind::Default
                         }
                     });
                     package_found.map(|package| Intrinsic::SecretFunction(package.clone()))
@@ -2228,7 +2230,7 @@ impl Visit for FunctionCollector<'_> {
                         module: self.module,
                         current_def: *owner,
                         assigning_to: None,
-                        secret_packages: self.secret_packages.clone(),
+                        secret_packages: self.secret_packages,
                         body,
                         block: BasicBlockId::default(),
                         operand_stack: vec![],
@@ -2274,7 +2276,7 @@ impl Visit for FunctionCollector<'_> {
                         res: self.res,
                         module: self.module,
                         current_def: *owner,
-                        secret_packages: self.secret_packages.clone(),
+                        secret_packages: self.secret_packages,
                         assigning_to: None,
                         body,
                         block: BasicBlockId::default(),
@@ -2327,7 +2329,7 @@ impl Visit for FunctionCollector<'_> {
             module: self.module,
             current_def: owner,
             assigning_to: None,
-            secret_packages: self.secret_packages.clone(),
+            secret_packages: self.secret_packages,
             body,
             block: BasicBlockId::default(),
             operand_stack: vec![],
@@ -2441,7 +2443,7 @@ impl Visit for FunctionCollector<'_> {
                                 module: self.module,
                                 current_def: owner,
                                 assigning_to: None,
-                                secret_packages: self.secret_packages.clone(),
+                                secret_packages: self.secret_packages,
                                 body: Body::with_owner(owner),
                                 block: BasicBlockId::default(),
                                 operand_stack: vec![],
@@ -2572,7 +2574,7 @@ impl FunctionCollector<'_> {
             current_def: owner,
             assigning_to: None,
             body,
-            secret_packages: self.secret_packages.clone(),
+            secret_packages: self.secret_packages,
             block: BasicBlockId::default(),
             operand_stack: vec![],
             in_lhs: false,
@@ -3099,7 +3101,7 @@ impl Visit for GlobalCollector<'_> {
             module: self.module,
             current_def: owner,
             assigning_to: None,
-            secret_packages: self.secret_packages.clone(),
+            secret_packages: self.secret_packages,
             body,
             block: BasicBlockId::default(),
             operand_stack: vec![],

diff --git a/crates/forge_analyzer/src/reporter.rs b/crates/forge_analyzer/src/reporter.rs
@@ -22,6 +22,12 @@ pub struct Vulnerability {
     pub(crate) date: Date,
 }
 
+impl Vulnerability {
+    pub fn check_name(&self) -> &str {
+        &self.check_name
+    }
+}
+
 pub trait IntoVuln {
     fn into_vuln(self, reporter: &Reporter) -> Vulnerability;
 }
@@ -104,7 +110,8 @@ impl Reporter {
 }
 
 impl Report {
-    pub fn into_vulns(&self) -> &Vec<Vulnerability> {
+    #[inline]
+    pub fn into_vulns(&self) -> &[Vulnerability] {
         &self.vulns
     }
 }

diff --git a/crates/fsrt/src/forge_project.rs b/crates/fsrt/src/forge_project.rs
@@ -23,7 +23,7 @@ pub(crate) trait ForgeProjectTrait<'a> {
         &self,
         src: P,
         iter: I,
-        secret_packages: Vec<PackageData>,
+        secret_packages: &[PackageData],
     ) -> ForgeProject<'_> {
         let sm = Arc::<SourceMap>::default();
         let target = EsVersion::latest();

diff --git a/crates/fsrt/src/main.rs b/crates/fsrt/src/main.rs
@@ -26,7 +26,7 @@ use forge_analyzer::{
         PermissionVuln, SecretChecker,
     },
     ctx::ModId,
-    definitions::DefId,
+    definitions::{DefId, PackageData},
     interp::Interp,
     reporter::{Report, Reporter},
     resolver::resolve_calls,
@@ -129,10 +129,12 @@ pub(crate) fn scan_directory<'a>(
     dir: PathBuf,
     opts: &Args,
     project: impl ForgeProjectTrait<'a> + std::fmt::Debug,
+    secret_packages: &[PackageData],
 ) -> Result<Report> {
     let paths = project.get_paths();
     let manifest = project.get_manifest();
-    let mut proj = project.with_files_and_sourceroot(Path::new("src"), paths.clone(), vec![]);
+    let mut proj =
+        project.with_files_and_sourceroot(Path::new("src"), paths.clone(), secret_packages);
 
     let name = manifest.app.name.unwrap_or_default();
 
@@ -356,6 +358,10 @@ fn main() -> Result<()> {
         .init();
     let dirs = std::mem::take(&mut args.dirs);
 
+    let secret_packages: Vec<PackageData> = std::fs::File::open("secretdata.yaml")
+        .map(|f| serde_yaml::from_reader(f).expect("Failed to deserialize packages"))
+        .unwrap_or_else(|_| vec![]);
+
     for dir in dirs {
         let mut manifest_file = dir.join("manifest.yaml");
         if !manifest_file.exists() {
@@ -371,7 +377,7 @@ fn main() -> Result<()> {
         };
 
         debug!(?dir);
-        let reporter_result = scan_directory(dir, &args, forge_project_from_dir);
+        let reporter_result = scan_directory(dir, &args, forge_project_from_dir, &secret_packages);
         match reporter_result {
             Result::Ok(report) => {
                 let report = serde_json::to_string(&report)?;