One can pass a configuration file to the checker with the following argument: -analyzer-config alpha.security.taint.TaintPropagation:Config=/path/to/the/file/taint-generic-config.yaml. The config file can contain:
- Propagations: One can define functions which propagate or create the taintedness. It has five fields:
- Name: The name of the function. Mandatory field.
- SrcArgs: A list of arguments. If any of them tainted, the destination arguments will be marked tainted. It's not defined, the destination arguments always will be marked as tainted.
- DstArgs: A list of arguments. Set the tainted flag for the arguments, if they are marked. The return value's index is 4294967294(it is temporary).
- VarType: It's an enum with three possible values: None, Src, Dst. The default value is None and do nothing.
- VarIndex: It's the first variadic argument for the function. If VarType == Src and any of them is tainted, the destination arguments will be marked ad tainted. If VarType == Dst and they are marked, all argument from the VarIndex will be marked as tainted.
- Filters: One can define function remove the tainted flag if it is passed to the proper argument.
- Name: The name of the function. Mandatory field.
- Args: A list of arguments. If a tainted value is passed to it, the tainted flag will be removed. Mandatory field.
- Sinks: A list of function which will give a warning if it gets a tainted value.
- Name: The name of the function. Mandatory field.
- Args: A list of arguments. If any of those arguments get a tainted value, it will give a warning. Mandatory field.
For the propagations, it uses the config to deduce the TaintPropagationRules from the function's name.
The filter functions are understandable as functions which mark their arguments not tainted. I improved the information flow from pre-visit to post-visit, therefore, the TaintTagType could be passed to the setTaint function. Currently, it only works if the argument is a pointer.
Interesting, isn't this predefined for std::pair?