Version: Next

Quandary

The Quandary taint analysis detects flows of values between sources and sinks, unless the value passed through a "sanitizer" on the way. In addition to a set of built-in defaults, users can specify their own source, sink, and sanitizer functions.

***DEPRECATED*** Taint analysis is now supported by the Pulse checker and Quandary will be removed in the next release.

Activate with --quandary.

Supported languages:

  • C/C++/ObjC: Yes
  • C#/.Net: No
  • Erlang: No
  • Hack: No
  • Java: Yes
  • Python: No

Quandary is a static taint analyzer that identifies a variety of unsafe information flows. It has a small list of built-in sources and sinks, and you can define custom sources and sinks in your .inferconfig file (see example here).
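As an added illustration of the custom specification mechanism described above (this is not a fragment of Infer's own documentation or test suite), the `.inferconfig` below declares one extra source, one extra sink and one sanitizer. The keys `quandary-sources`, `quandary-sinks` and `quandary-sanitizers` are the ones Infer reads; the class and method names are hypothetical, and the `kind` values are assumptions drawn from Infer's Java taint kinds, so check them against the Infer version you run.

```json
{
  "quandary-sources": [
    {
      "procedure": "com.example.web.Request.getParameter",
      "kind": "PrivateData"
    }
  ],
  "quandary-sinks": [
    {
      "procedure": "com.example.log.AuditLogger.write",
      "kind": "Logging"
    }
  ],
  "quandary-sanitizers": [
    {
      "procedure": "com.example.util.Redactor.redact",
      "kind": "All"
    }
  ]
}
```

Place the file in the directory from which `infer` is invoked and activate the checker with `--quandary`; a value returned by `Request.getParameter` that reaches `AuditLogger.write` is then reported, while the same value routed through `Redactor.redact` first is not.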

List of Issue Types

The following issue types are reported by this checker: