Metastatic.Analysis.Taint
(Metastatic v0.10.4)
Taint analysis at the MetaAST level.
Tracks data flow from untrusted sources (taint sources) to dangerous operations (taint sinks), identifying potential security vulnerabilities. Works across all supported languages.
Taint Sources
- User input functions (input, gets, argv)
- File reads
- Network requests
- Environment variables
Taint Sinks
- Code execution (eval, exec, system)
- SQL queries
- File operations
- Shell commands
Usage
alias Metastatic.{Document, Analysis.Taint}
# Analyze for taint flows
ast = {:function_call, [name: "eval"], [{:function_call, [name: "input"], []}]}
doc = Document.new(ast, :python)
{:ok, result} = Taint.analyze(doc)
result.has_taint_flows? # => true
Examples
# No taint flows
iex> ast = {:binary_op, [category: :arithmetic, operator: :+], [{:literal, [subtype: :integer], 1}, {:literal, [subtype: :integer], 2}]}
iex> doc = Metastatic.Document.new(ast, :python)
iex> {:ok, result} = Metastatic.Analysis.Taint.analyze(doc)
iex> result.has_taint_flows?
false
# Tainted data to sink
iex> ast = {:function_call, [name: "eval"], [{:function_call, [name: "input"], []}]}
iex> doc = Metastatic.Document.new(ast, :python)
iex> {:ok, result} = Metastatic.Analysis.Taint.analyze(doc)
iex> result.has_taint_flows?
true
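To make the source-to-sink idea above concrete, here is a small illustrative walker over MetaAST-shaped tuples of the form `{kind, metadata, children}`. This is an added example, not code from the Metastatic library and not its analysis algorithm: the `:function_call`, `:literal` and `:binary_op` shapes are taken from the doctests on this page, while the `:block`, `:assign` and `:identifier` shapes, the `TaintWalk` module name and the extra source/sink names (`getenv`, `popen`) are assumptions made for the example.

```elixir
defmodule TaintWalk do
  @moduledoc """
  Illustrative source-to-sink taint walk over MetaAST-shaped tuples.
  Added example only; not Metastatic's implementation.
  Node shapes for :block, :assign and :identifier are assumed here.
  """

  # Names follow the Taint Sources / Taint Sinks lists; getenv and popen are assumed additions.
  @sources ~w(input gets argv getenv)
  @sinks ~w(eval exec system popen)

  @doc "Returns [{source_name, sink_name}] for every source value that reaches a sink argument."
  def flows(ast) do
    {_taint, _env, flows} = walk(ast, %{})
    flows
  end

  @doc "Mirrors the shape of the page's result.has_taint_flows? for this example walker."
  def has_taint_flows?(ast), do: flows(ast) != []

  # walk/2 returns {taint, env, flows}:
  #   taint - MapSet of source names whose data reaches this node's value
  #   env   - variable name => taint set (threaded through statements in order)
  #   flows - {source, sink} pairs found so far
  defp walk({:literal, _meta, _value}, env), do: {MapSet.new(), env, []}

  # Assumed shape: a variable read inherits whatever taint was assigned to it.
  defp walk({:identifier, meta, _children}, env) do
    {Map.get(env, Keyword.fetch!(meta, :name), MapSet.new()), env, []}
  end

  # Assumed shape: x = value records value's taint under x.
  defp walk({:assign, meta, [value]}, env) do
    {taint, env, flows} = walk(value, env)
    {taint, Map.put(env, Keyword.fetch!(meta, :name), taint), flows}
  end

  # Assumed shape: a statement list, evaluated in order so later reads see earlier assigns.
  defp walk({:block, _meta, stmts}, env) do
    Enum.reduce(stmts, {MapSet.new(), env, []}, fn stmt, {_t, env, flows} ->
      {t, env, f} = walk(stmt, env)
      {t, env, flows ++ f}
    end)
  end

  # Taint of a binary operation is the union of both operands (e.g. "echo " + x).
  defp walk({:binary_op, _meta, [lhs, rhs]}, env) do
    {tl, env, fl} = walk(lhs, env)
    {tr, env, fr} = walk(rhs, env)
    {MapSet.union(tl, tr), env, fl ++ fr}
  end

  # Function calls: a source introduces taint, a sink reports every tainted argument,
  # any other call passes argument taint through conservatively.
  defp walk({:function_call, meta, args}, env) do
    name = Keyword.fetch!(meta, :name)

    {arg_taint, env, flows} =
      Enum.reduce(args, {MapSet.new(), env, []}, fn arg, {t, env, f} ->
        {ta, env, fa} = walk(arg, env)
        {MapSet.union(t, ta), env, f ++ fa}
      end)

    cond do
      name in @sources -> {MapSet.put(arg_taint, name), env, flows}
      name in @sinks -> {arg_taint, env, flows ++ Enum.map(arg_taint, &{&1, name})}
      true -> {arg_taint, env, flows}
    end
  end

  @doc "Runs the walker over three constructed ASTs: direct flow, flow via a variable, and clean."
  def demo do
    # eval(input()) - shape taken from the module doc above.
    direct = {:function_call, [name: "eval"], [{:function_call, [name: "input"], []}]}

    # x = input(); system("echo " + x) - uses the assumed :block/:assign/:identifier shapes.
    indirect =
      {:block, [],
       [
         {:assign, [name: "x"], [{:function_call, [name: "input"], []}]},
         {:function_call, [name: "system"],
          [{:binary_op, [operator: :+],
            [{:literal, [subtype: :string], "echo "}, {:identifier, [name: "x"], []}]}]}
       ]}

    # 1 + 2 - the no-flow doctest from the page.
    clean =
      {:binary_op, [category: :arithmetic, operator: :+],
       [{:literal, [subtype: :integer], 1}, {:literal, [subtype: :integer], 2}]}

    %{direct: flows(direct), indirect: flows(indirect), clean: flows(clean)}
    # => %{direct: [{"input", "eval"}], indirect: [{"input", "system"}], clean: []}
  end
end
```

The walker is deliberately over-approximate: an unknown call passes its arguments' taint through unchanged, so a sanitizer that is not modelled still shows up as a flow. That is the usual trade-off for a static taint pass, and it is where a real analysis adds sanitizer rules and per-language knowledge that this example leaves out.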
Summary
Functions
@spec analyze(Metastatic.language(), term(), keyword()) :: {:ok, map()} | {:error, term()}
Analyzes a document for taint flows.
Returns {:ok, result} where result is a Metastatic.Analysis.Taint.Result struct.
Examples
iex> ast = {:literal, [subtype: :integer], 42}
iex> doc = Metastatic.Document.new(ast, :elixir)
iex> {:ok, result} = Metastatic.Analysis.Taint.analyze(doc)
iex> result.has_taint_flows?
false
@spec analyze!(Metastatic.language(), term(), keyword()) :: map()
Analyzes a document for taint flows.
Returns the Metastatic.Analysis.Taint.Result struct directly rather than an {:ok, result} tuple.
Examples
iex> ast = {:literal, [subtype: :integer], 42}
iex> doc = Metastatic.Document.new(ast, :elixir)
iex> {:ok, result} = Metastatic.Analysis.Taint.analyze(doc)
iex> result.has_taint_flows?
false
Unlike the non-bang version, this one either returns a result or raises.