Create .inferconfig (#157)

* Create .inferconfig * Update .inferconfig
2022-09-02 14:02:54 -07:00 · 2022-09-02 14:02:54 -07:00 · 909cf6472b
--- a/.inferconfig
+++ b/.inferconfig
@ -0,0 +1,87 @@
+{
+  "force-delete-results-dir": true,
+  "siof-safe-methods": ["getGlobalNonPODAllowListed", "allow_listed::getGlobalNonPOD",
+                        "allow_listed::TemplatedObject::getGlobalNonPOD"],
+  "skip-translation": [
+    {
+      "language": "Java",
+      "source_contains": "_SHOULD_BE_SKIPPED_"
+    }
+  ],
+  "enable-issue-type" : [ "PULSE_RESOURCE_LEAK",  "TAINT_ERROR", "NULLPTR_DEREFERENCE", "THREAD_SAFETY_VIOLATION" ],
+
+  "pulse-taint-policies": [
+    { "short_description": "SQL injection risk",
+      "taint_flows": [
+        { "source_kinds": ["UserControlledURI", "UserControlledString"],
+          "sink_kinds": ["SQLInjection"]  }
+      ]
+    },
+    {
+      "short_description": "Remote data to unsafe deserializer",
+      "taint_flows": [
+        { "source_kinds": ["UserControlledURI", "UserControlledString"],
+          "sink_kinds": ["Deserialization"] }
+      ]
+    }
+  ],
+  "pulse-taint-sources": [
+    { "method_with_annotation" : "HttpGetAttribute",
+      "kinds": ["UserControlledURI"],
+      "taint_target": "AllArguments"},
+    { "method_with_annotation" : "HttpPutAttribute",
+      "kinds": ["UserControlledURI"],
+      "taint_target": "AllArguments"},
+    { "method_with_annotation" : "HttpPostAttribute",
+      "kinds": ["UserControlledURI"],
+      "taint_target": "AllArguments"},
+    { "method_with_annotation" : "HttpDeleteAttribute",
+      "kinds": ["UserControlledURI"],
+      "taint_target": "AllArguments"},
+    { "class_names": ["System.Web.UI.Page"],
+      "method_names": ["get_Request"],
+      "kinds": ["UserControlledURI"]},
+    { "class_names": ["System.Web.UI.WebControls.TextBox", "System.Windows.Forms.TextBox"],
+      "method_names": ["get_Text"],
+      "kinds": ["UserControlledString"]
+    }
+  ],
+  "pulse-taint-sinks": [
+    { "class_names": ["System.Data.Common.DbCommand"],
+      "method_names": ["set_CommandText"],
+      "kinds": ["SQLInjection"]
+    },
+    { "class_names": ["System.Data.SqlClient.SqlCommand"],
+      "method_names": [".ctor"],
+      "kinds": ["SQLInjection"],
+      "taint_target": ["ArgumentPositions", [1]]
+    } ,
+    { "class_names": ["System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
+                      "System.Runtime.Deserialization.Formatters.Soap.SoapFormatter",
+                      "System.Web.UI.ObjectStateFormatter",
+                      "System.Runtime.Serialization.NetDataContractSerializer",
+                      "System.Web.UI.LosFormatter",
+                      "YamlDotNet.Serialization.Deserializer"],
+      "method_names": ["Deserialize"],
+      "kinds": ["Deserialization"]
+    },
+    { "class_names": ["System.Runtime.Serialization.Formatters.Binary.BinaryFormatter"],
+      "method_names": ["UnsafeDeserialize", "UnsafeDeserializeMethodResponse"],
+      "kinds": ["Deserialization"]
+    },
+    { "class_names": ["System.Runtime.Serialization.NetDataContractSerializer"],
+      "method_names": ["ReadObject"],
+      "kinds": ["Deserialization"]
+    },
+    { "class_names": ["System.Windows.Markup.XamlReader",
+                      "System.Workflow.ComponentModel.Activity"],
+      "method_names": ["Load", "LoadAsync", "Parse"],
+      "kinds": ["Deserialization"]
+    },
+    { "class_names": ["System.Data.DataSet",
+                      "System.Data.DataTable"],
+      "method_names": ["ReadXmlSchema", "ReadXml"],
+      "kinds": ["Deserialization"]
+    }
+  ]
+}