Skip to content

Data-flow / taint analysis (lite) #45

Description

@mdavistffhrtporg

Description

Attack paths today infer flow from file-locality (route + database in the same file → likely reachable). This is a defensible heuristic but misses the common case where the handler in routes/orders.py calls a service in services/orders.py that touches the database in db/orders.py. Even a lightweight data-flow / taint model would improve attack-path specificity substantially.

Scoping questions to resolve before implementation

  • Static call-graph or regex + import-graph heuristic? Full static call graph needs one parser per language (ast for Python, TypeScript compiler API, etc.) — expensive. A heuristic that follows import/require edges to same-project modules would get 60% of the value at 10% of the cost.
  • Taint sources: request handler parameters (req.body, req.query, req.headers, request.json()) are the obvious ones. Which else?
  • Taint sinks: DB .execute() with an interpolated value, subprocess.run(shell=True), eval, exec, open(user_path). Which set to seed?
  • Cross-file resolution scope: single repo? Single service (bounded by services/* subdirectory)?
  • Report shape: emit as a new signal (TaintChain)? Fold into AttackPath.steps? Both?

Suggested first slice (if we pick heuristic path)

  • Build per-file import graph (imports/exports for Python + JS/TS)
  • For each route handler, walk imports 2 hops deep collecting .execute/.query/open/subprocess sink calls in the same repo
  • Emit a TaintChain(route, sink, hops, files) per hit; feed into _build_probable_chains as additional evidence

Not blocking

Priority-3 because it's a big design surface and current chain builders already produce useful narratives without it. Deferred until a clear driver appears (a validation run where taint would clearly beat file-locality).

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions