Description
Attack paths today infer flow from file-locality (route + database in the same file → likely reachable). This is a defensible heuristic but misses the common case where the handler in routes/orders.py calls a service in services/orders.py that touches the database in db/orders.py. Even a lightweight data-flow / taint model would improve attack-path specificity substantially.
Scoping questions to resolve before implementation
- Static call-graph or regex + import-graph heuristic? Full static call graph needs one parser per language (
ast for Python, TypeScript compiler API, etc.) — expensive. A heuristic that follows import/require edges to same-project modules would get 60% of the value at 10% of the cost.
- Taint sources: request handler parameters (
req.body, req.query, req.headers, request.json()) are the obvious ones. Which else?
- Taint sinks: DB
.execute() with an interpolated value, subprocess.run(shell=True), eval, exec, open(user_path). Which set to seed?
- Cross-file resolution scope: single repo? Single service (bounded by
services/* subdirectory)?
- Report shape: emit as a new signal (
TaintChain)? Fold into AttackPath.steps? Both?
Suggested first slice (if we pick heuristic path)
- Build per-file import graph (imports/exports for Python + JS/TS)
- For each route handler, walk imports 2 hops deep collecting
.execute/.query/open/subprocess sink calls in the same repo
- Emit a
TaintChain(route, sink, hops, files) per hit; feed into _build_probable_chains as additional evidence
Not blocking
Priority-3 because it's a big design surface and current chain builders already produce useful narratives without it. Deferred until a clear driver appears (a validation run where taint would clearly beat file-locality).
Description
Attack paths today infer flow from file-locality (route + database in the same file → likely reachable). This is a defensible heuristic but misses the common case where the handler in
routes/orders.pycalls a service inservices/orders.pythat touches the database indb/orders.py. Even a lightweight data-flow / taint model would improve attack-path specificity substantially.Scoping questions to resolve before implementation
astfor Python, TypeScript compiler API, etc.) — expensive. A heuristic that followsimport/requireedges to same-project modules would get 60% of the value at 10% of the cost.req.body,req.query,req.headers,request.json()) are the obvious ones. Which else?.execute()with an interpolated value,subprocess.run(shell=True),eval,exec,open(user_path). Which set to seed?services/*subdirectory)?TaintChain)? Fold intoAttackPath.steps? Both?Suggested first slice (if we pick heuristic path)
.execute/.query/open/subprocess sink calls in the same repoTaintChain(route, sink, hops, files)per hit; feed into_build_probable_chainsas additional evidenceNot blocking
Priority-3 because it's a big design surface and current chain builders already produce useful narratives without it. Deferred until a clear driver appears (a validation run where taint would clearly beat file-locality).