facebook / mariana-trench
A security focused static analysis tool for Android and Java applications.
Home Page: https://mariana-tren.ch/
License: MIT License
Bug description
cannot find issue
Reproduction steps
source1:
public class MainActivity extends AppCompatActivity {
    @Override
    protected void onCreate(android.os.Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        launchFallback();
    }

    public void launchFallback() {
        final android.content.Intent intent = getIntent();
        if (intent.getBooleanExtra("redirect", false)) {
            android.content.Intent redirectIntent = new android.content.Intent();
            redirectIntent.setData(intent.getData());
            if (intent.hasExtra("component")) {
                try {
                    java.lang.Class name = java.lang.Class.forName(intent.getStringExtra("component"));
                    redirectIntent.setClass(this, name);
                } catch (java.lang.Exception e) {
                }
            }
            startActivityInsecure(redirectIntent);
        }
    }

    // Fully qualified to match the rest of the file (no Intent import in the snippet).
    private void startActivityInsecure(android.content.Intent intent) {
        startActivity(intent);
    }
}
source2:
public class MainActivity extends AppCompatActivity {
    @Override
    protected void onCreate(android.os.Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        launchFallback();
    }

    public void launchFallback() {
        final android.content.Intent intent = getIntent();
        if (intent.getBooleanExtra("redirect", false)) {
            android.content.Intent redirectIntent = new android.content.Intent();
            redirectIntent.setData(intent.getData());
            if (intent.hasExtra("component")) {
                try {
                    java.lang.Class name = java.lang.Class.forName(intent.getStringExtra("component"));
                    redirectIntent.setClass(this, name);
                } catch (java.lang.Exception e) {
                }
            }
            startActivity(redirectIntent);
        }
    }

    // Fully qualified to match the rest of the file (no Intent import in the snippet).
    private void startActivityInsecure(android.content.Intent intent) {
        startActivity(intent);
    }
}
mariana running arguments:
mariana-trench \
--binary mariana-trench/install/bin/mariana-trench-binary \
--system-jar-configuration-path=$ANDROID_SDK_ROOT/platforms/android-31/android.jar \
--model-generator-configuration-paths=configuration/default_generator_config.json \
--lifecycles-paths=configuration/lifecycles.json \
--rules-paths=configuration/rules.json \
--apk-path=MyApplication2/app/build/outputs/apk/debug/app-debug.apk \
--model-generator-search-paths=configuration/model-generators/ \
--verbosity 1 \
--maximum-source-sink-distance=7
Expected behavior
An issue is found for source1 or source2; but there is one issue for source2 and no issue for source1.
app-debug.apk.zip
Hi,
I was trying your tool out by following the Getting Started section in README.md, but got the following error. Any hint about how to resolve this issue?
(mariana-trench) linghuiluo@Linghuis-MacBook-Pro sample-app % mariana-trench --system-jar-configuration-path=$ANDROID_SDK/platforms/android-30/android.jar --apk-path=sample-app-debug.apk
Password:
INFO Extracting `/Users/linghuiluo/Projects/mariana-trench/documentation/sample-app/sample-app-debug.apk`...
INFO Extracted APK into `/tmp/tmp1pzy08bd_apk` and DEX into `/tmp/tmptl0_emvd_dex`
INFO Running Mariana Trench: /Users/linghuiluo/.venvs/mariana-trench/bin/mariana-trench-binary --system-jar-paths /Users/linghuiluo/Library/Android/sdk/platforms/android-30/android.jar --apk-directory /tmp/tmp1pzy08bd_apk --dex-directory /tmp/tmptl0_emvd_dex --rules-paths /Users/linghuiluo/.venvs/mariana-trench/share/mariana-trench/configuration/rules.json --repository-root-directory /Users/linghuiluo/Projects/mariana-trench/documentation/sample-app/ --source-root-directory /Users/linghuiluo/Projects/mariana-trench/documentation/sample-app/ --apk-path /Users/linghuiluo/Projects/mariana-trench/documentation/sample-app/sample-app-debug.apk --output-directory /Users/linghuiluo/Projects/mariana-trench/documentation/sample-app/ --maximum-source-sink-distance 7 --model-generator-configuration-paths /Users/linghuiluo/.venvs/mariana-trench/share/mariana-trench/configuration/default_generator_config.json --model-generator-search-paths /Users/linghuiluo/.venvs/mariana-trench/share/mariana-trench/configuration/model-generators
CRITICAL Unexpected error:
Traceback (most recent call last):
File "/Users/linghuiluo/.venvs/mariana-trench/lib/python3.8/site-packages/mariana_trench/shim/shim.py", line 576, in main
output = subprocess.run(command)
File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/subprocess.py", line 489, in run
with Popen(*popenargs, **kwargs) as process:
File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/subprocess.py", line 854, in __init__
self._execute_child(args, executable, preexec_fn, close_fds,
File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/subprocess.py", line 1702, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
OSError: [Errno 8] Exec format error: '/Users/linghuiluo/.venvs/mariana-trench/bin/mariana-trench-binary'
Issues are found within Kotlin code, but aren't matched to the corresponding Kotlin source file - SAPP just displays "No file found" for the class. Looks like the position entry in the models for any Kotlin methods is just being left as "{}". It'd be great to be able to look at Kotlin source as well as Java.
When trying to run an analysis on an APK, the following error arises:
INFO Generating models...
error: Model generator(s) join_override_generator do not exist.
CRITICAL Analysis binary exited with exit code 1.
Bug description
Failed to compile mariana-trench.
Reproduction steps
All the steps according to https://mariana-tren.ch/docs/contribution/
Expected behavior
mariana-trench builds successfully from source.
Logs
lzy@lzy:~/tools/mariana-trench/build$ make -j4
/home/lzy/tools/mariana-trench/source/EventLogger.cpp: In static member function ‘static void marianatrench::EventLogger::log_event(const string&, const string&, int)’:
/home/lzy/tools/mariana-trench/source/EventLogger.cpp:14:24: warning: unused parameter ‘event’ [-Wunused-parameter]
14 | const std::string& event,
| ~~~~~~~~~~~~~~~~~~~^~~~~
/home/lzy/tools/mariana-trench/source/EventLogger.cpp:15:24: warning: unused parameter ‘message’ [-Wunused-parameter]
15 | const std::string& message,
| ~~~~~~~~~~~~~~~~~~~^~~~~~~
/home/lzy/tools/mariana-trench/source/EventLogger.cpp:16:15: warning: unused parameter ‘value’ [-Wunused-parameter]
16 | const int value) {}
| ~~~~~~~~~~^~~~~
/home/lzy/tools/mariana-trench/source/EventLogger.cpp: In function ‘void marianatrench::init_event_logger(const marianatrench::Options*)’:
/home/lzy/tools/mariana-trench/source/EventLogger.cpp:18:39: warning: unused parameter ‘options’ [-Wunused-parameter]
18 | void init_event_logger(const Options* options) {}
| ~~~~~~~~~~~~~~~^~~~~~~
/home/lzy/tools/mariana-trench/source/model-generator/FieldConstraints.cpp: In member function ‘virtual bool marianatrench::IsStaticFieldConstraint::satisfy(const marianatrench::Field*) const’:
/home/lzy/tools/mariana-trench/source/model-generator/FieldConstraints.cpp:17:74: warning: suggest parentheses around comparison in operand of ‘==’ [-Wparentheses]
17 | return (field->dex_field()->get_access() & DexAccessFlags::ACC_STATIC) > 0 ==
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~
[ 98%] Building CXX object CMakeFiles/mariana-trench-binary.dir/source/Main.cpp.o
[100%] Linking CXX executable mariana-trench-binary
/usr/bin/ld: libmariana-trench-library.a(MarianaTrench.cpp.o): in function `marianatrench::MarianaTrench::run(boost::program_options::variables_map const&)':
MarianaTrench.cpp:(.text+0x46c4): undefined reference to `marianatrench::EventLogger::init_event_logger(marianatrench::Options const*)'
collect2: error: ld returned 1 exit status
Is it possible to define a sink model on a method which is not implemented inside the apk?
According to the documentation, that method (say, the method foo from Service, not defined/implemented inside the apk) will have the default model, which corresponds to what I see in the verbose output:
INFO Instruction: INVOKE_VIRTUAL v0, v4, Lcom/example/demo/Service;.foo:(Ljava/lang/String;)Ljava/lang/String;
WARNING Unable to resolve call to `Lcom/example/demo/Service;.foo:(Ljava/lang/String;)Ljava/lang/String;`
INFO Getting model for virtual call ``
INFO Callee model:
Model(method=``,
modes={ skip-analysis add-via-obscure-feature taint-in-taint-out})
But immediately after those lines I get:
INFO Processing sinks for call to `Lcom/example/demo/Service;.foo:(Ljava/lang/String;)Ljava/lang/String;`
INFO Processing propagations for call to `Lcom/example/demo/Service;.foo:(Ljava/lang/String;)Ljava/lang/String;`
INFO Processing generations for call to `Lcom/example/demo/Service;.foo:(Ljava/lang/String;)Ljava/lang/String;`
So it seems that it is trying to process sinks/propagations/generations for that method.
Is it possible to define sinks/propagations for that method? How can I do that?
Thanks!
Hello! Just a question on how to write flows for sanitizers. I have made some modifications and I want to sanitize the taint analysis and remove any explicit intents from the result set, instead of just adding a feature to them. I tried doing it like so, but was unable to remove the finding that still had a setClass within the taint analysis. I'd appreciate any help guiding me on this issue, or any documentation about sanitizers that you might have!
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Landroid/content/Intent;"
          }
        },
        {
          "constraint": "any_of",
          "inners": [
            {
              "constraint": "name",
              "pattern": "setClass.*"
            },
            {
              "constraint": "name",
              "pattern": "setComponent"
            },
            {
              "constraint": "name",
              "pattern": "setPackage"
            }
          ]
        }
      ],
      "model": {
        "sanitizers": [
          {"sanitize": "propagations"}
        ]
      }
    }
  ]
}
Just a quick question on how to write custom sanitizers and get the engine to accept them. The documentation was not very verbose on how to do it. I want to write a sanitizer for a method that somehow was included in the taint analysis even though, on closer inspection, I do not see any calls to the method from the smali code. Assume I have a custom class TestIntent that I do not want any taint analysis done on. Why does this not work?
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Lcom/testing/TestIntent;"
          }
        }
      ],
      "model": {
        "sanitizers": [
          {"sanitize": "sources"},
          {"sanitize": "sinks"},
          {"sanitize": "propagations"}
        ]
      },
      "verbosity": 1
    }
  ]
}
I put the filename in the default generator config file and got this error instead.
error: Model generator(s) TestIntentSanitiser do not exist
CRITICAL Unexpected error:
Traceback (most recent call last):
File "/.venvs/mariana-trench/lib/python3.8/site-packages/mariana_trench/shim/shim.py", line 582, in main
output = subprocess.run(command)
File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/subprocess.py", line 494, in run
with Popen(*popenargs, **kwargs) as process:
File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/subprocess.py", line 859, in __init__
self._execute_child(args, executable, preexec_fn, close_fds,
File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/subprocess.py", line 1705, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
OSError: [Errno 8] Exec format error: '/.venvs/mariana-trench/bin/mariana-trench-binary'
Hi there, I am currently trying to detect this flow in a program, where getIntent is the source, and endsWith is the sink.
Intent intent = getIntent();
Uri uri;
if ((uri = intent.getData()) != null) {
    boolean check = uri.getHost().endsWith("sink");
    finish();
}
The rules for source are from the default, whereas the sink definition is as below:
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Ljava/lang/String;"
          }
        },
        {
          "constraint": "any_of",
          "inners": [
            {
              "constraint": "name",
              "pattern": "contains"
            },
            {
              "constraint": "name",
              "pattern": "endsWith"
            }
          ]
        }
      ],
      "model": {
        "for_all_parameters": [
          {
            "variable": "x",
            "sinks": [
              {
                "kind": "BypassableHostCheck",
                "port": "Argument(x)"
              }
            ]
          }
        ]
      },
      "verbosity": 1
    }
  ]
}
I am able to find methods that have endsWith as its name, but unable to track the flow. Any advice would be greatly appreciated, thanks!
Bug description
Followed the instructions on the home page to run it but encountered an issue.
Reproduction steps
Follow the manual on GitHub homepage.
Expected behavior
SAPP isn't starting a server; instead it throws an error :( I did cut an issue to SAPP as well; if anyone knows how to fix this it would be helpful.
Logs
File "/usr/local/bin/sapp", line 8, in <module>
sys.exit(cli())
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1130, in __call__
return self.main(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1055, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1657, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1404, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 760, in invoke
return __callback(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/click/decorators.py", line 84, in new_func
return ctx.invoke(f, obj, *args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 760, in invoke
return __callback(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/sapp/cli_lib.py", line 236, in server
start_server(ctx.database, debug, static_resources, source_directory, editor_schema)
File "/usr/local/lib/python3.9/site-packages/sapp/ui/server.py", line 75, in start_server
scopefunc=_app_ctx_stack.__ident_func__,
AttributeError: 'LocalStack' object has no attribute '__ident_func__'
Hello, I'm trying to write a rule to detect a flow from an external directory source to an outputstream.
String filePath = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS).toString() + "/" + userInputFile;
File f = new File(filePath);
InputStream is = new FileInputStream(f);
byte[] buffer = new byte[size];
int n; // bytes read per iteration; size, os and userInputFile are in scope in the surrounding code
while ((n = is.read(buffer)) > 0) {
    os.write(buffer, 0, n);
}
How do I propagate the taint from the input stream to the buffer, such that when the output stream uses the buffer, the output stream itself becomes tainted? I tried propagation and it didn't work. Is it possible to do such a propagation?
Propagation:
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "extends",
            "inner": {
              "constraint": "name",
              "pattern": "Ljava/io/InputStream"
            }
          }
        },
        {
          "constraint": "name",
          "pattern": "read.*"
        }
      ],
      "model": {
        "propagation": [
          {
            "input": "Argument(0)",
            "output": "Argument(1)"
          }
        ]
      }
    }
  ]
}
Source:
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "name",
          "pattern": "getExternal.*"
        }
      ],
      "model": {
        "generations": [
          {
            "kind": "ExternalSource",
            "port": "Return"
          }
        ]
      }
    }
  ]
}
Sink:
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "extends",
            "inner": {
              "constraint": "name",
              "pattern": "Ljava/io/OutputStream"
            }
          }
        },
        {
          "constraint": "name",
          "pattern": "write"
        }
      ],
      "model": {
        "for_all_parameters": [
          {
            "variable": "x",
            "where": [
              {
                "constraint": "name",
                "pattern": "\\[B"
              }
            ],
            "sinks": [
              {
                "kind": "OutputWriteSink",
                "port": "Argument(x)"
              }
            ]
          }
        ]
      }
    }
  ]
}
Edit: included the model for my source and sink
I also have another question regarding multi-source and partial sinks, as I see some of the default sources/sinks have them but they are not documented. I would like to enquire about the use case.
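A small linter for model-generator files, added here as an example (it is not code from the mariana-trench project), covering the TestIntent sanitizer posted earlier in this thread and the unwrapped propagation generator in this post: it reports JSON syntax errors with a line number, unknown "sanitize" values, a missing "model_generators" wrapper and malformed ports. The allowed sanitize values and the port syntax are taken from the generators in this thread and assumed to be complete; the inputs below are constructed samples.

```python
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# "sanitize" values used by the generators posted in this thread; assumed to be the full set.
ALLOWED_SANITIZE = {"sources", "sinks", "propagations"}
# Port syntax seen in this thread: Return, Argument(<index>) or Argument(<variable>); field paths
# on ports are not modelled here (assumption).
PORT_RE = re.compile(r"^(Return|Argument\((\d+|[A-Za-z_]\w*)\))$")
KINDED_SECTIONS = ("sources", "sinks", "generations")  # entries carry a "kind" and a "port"


def _objects(path: str, entries: Any, problems: List[str]) -> Iterator[Tuple[str, Dict]]:
    if not isinstance(entries, list):
        problems.append(f"{path}: must be a list")
        return
    for i, entry in enumerate(entries):
        if isinstance(entry, dict):
            yield f"{path}[{i}]", entry
        else:
            problems.append(f"{path}[{i}]: must be an object")

def _check_port(path: str, port: Any, problems: List[str]) -> None:
    if not isinstance(port, str) or not PORT_RE.match(port):
        problems.append(f"{path}: bad or missing port {port!r}")

def _check_model(model: Any, path: str, problems: List[str]) -> None:
    """Check the sections of one "model" object that this thread's generators use."""
    if not isinstance(model, dict):
        problems.append(f"{path}: must be an object")
        return
    for name, entries in model.items():
        if name in KINDED_SECTIONS:
            for here, entry in _objects(f"{path}.{name}", entries, problems):
                if "kind" not in entry:
                    problems.append(f"{here}: missing 'kind'")
                _check_port(f"{here}.port", entry.get("port"), problems)
        elif name == "sanitizers":
            for here, entry in _objects(f"{path}.sanitizers", entries, problems):
                value = entry.get("sanitize")
                if value not in ALLOWED_SANITIZE:
                    problems.append(f"{here}: unknown sanitize value {value!r} "
                                    f"(expected one of {sorted(ALLOWED_SANITIZE)})")
        elif name == "propagation":
            for here, entry in _objects(f"{path}.propagation", entries, problems):
                _check_port(f"{here}.input", entry.get("input"), problems)
                _check_port(f"{here}.output", entry.get("output"), problems)
        elif name == "for_all_parameters":
            for here, entry in _objects(f"{path}.for_all_parameters", entries, problems):
                if "variable" not in entry:
                    problems.append(f"{here}: missing 'variable'")
                # Sources/sinks under a parameter template have the same shape as in a model.
                _check_model({k: v for k, v in entry.items() if k in KINDED_SECTIONS}, here, problems)

def lint_model_generators(text: str) -> List[str]:
    """Return the problems found in a generator file's text; an empty list means clean."""
    problems: List[str] = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno} column {exc.colno}"]
    generators = doc.get("model_generators") if isinstance(doc, dict) else None
    if not isinstance(generators, list):
        # A bare generator object (no wrapper) is not a loadable generator file.
        return ['top-level object must be {"model_generators": [...]}']
    for here, gen in _objects("model_generators", generators, problems):
        for required in ("find", "where", "model"):
            if required not in gen:
                problems.append(f"{here}: missing '{required}'")
        if "model" in gen:
            _check_model(gen["model"], f"{here}.model", problems)
    return problems


# Constructed sample: the TestIntent sanitizer as posted above, with its missing commas and the
# misspelt "propogations" value reproduced on purpose.
BROKEN_SANITIZER = """{
  "model_generators": [
    {
      "find": "methods",
      "where": [{"constraint": "parent",
                 "inner": {"constraint": "name", "pattern": "Lcom/testing/TestIntent;"}}],
      "model": {
        "sanitizers": [
          {"sanitize": "sources"}
          {"sanitize": "sinks"}
          {"sanitize": "propogations"}
        ]
      },
      "verbosity": 1
    }
  ]
}"""
# The same text with the commas restored, and then with the spelling corrected as well.
TYPO_ONLY_SANITIZER = (BROKEN_SANITIZER.replace('"sources"}\n', '"sources"},\n')
                       .replace('"sinks"}\n', '"sinks"},\n'))
CLEAN_SANITIZER = TYPO_ONLY_SANITIZER.replace("propogations", "propagations")
# Constructed sample: the InputStream.read propagation generator posted without its wrapper.
UNWRAPPED_PROPAGATION = json.dumps({
    "find": "methods", "where": [{"constraint": "name", "pattern": "read.*"}],
    "model": {"propagation": [{"input": "Argument(0)", "output": "Argument(1)"}]}})
```

Call lint_model_generators on the text of each generator file before passing it via --model-generator-search-paths; an empty list means none of these structural problems was found.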
Bug description
I found a false negative can be reproduced stably.
When a taint is passed into a static field variable, it is not stored effectively, causing the scanner to fail to detect this effective propagation path when this taint variable is referenced again.
I created a demo to show this issue. I tried to read the code and imagine how to solve this problem. Details are all in the attachment.
Reproduction steps
test case:
public class Test {
    // a taint source method, regard its return as a taint;
    public String source() {
        return "taint";
    }

    // a taint sink method, regard its first parameter as the sink;
    public void sink(String s) {
        Log.e("N1rv0us", "I see " + s);
    }

    // merge 2
    public void merge2() {
        String foo = source();
        MyCls c = new MyCls();
        c.deviceId = foo;
        sink(c.deviceId);
    }
}

public class MyCls {
    // public String deviceId;
    public static String deviceId;
}
Expected behavior
I expected Mariana to find an issue, but it failed.
Logs
Please get the logs from the attachment.
Additional context
It is interesting to note that when the propagation path in the field is non-static, Mariana can find an issue. I tried to compare these two cases. I hope these can help you locate and solve this issue.
Files in Attachment
Hi there! Was looking at this to try and do security assessments on apk files, but unsure of how to debug on whether the sources/sinks are being identified accurately. Any advice would be greatly appreciated.
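One way to check whether custom sources and sinks are actually wired into a rule, added here as an example that is not mariana-trench code; it serves this question and the endsWith sink generator earlier in the thread. A sink kind that no rule names never yields an issue, and a rule whose source or sink kinds no loaded generator declares can never fire; the check below reads the rule shapes shown in this thread (plain sources/sinks and multi_sources/partial_sinks) and the generator model sections sources, generations, sinks and for_all_parameters. Rule code 3 is quoted from the thread; the other rules, the generators, the codes 9001/9002 and the "Constructed*" kinds are constructed placeholders, and treating every multi_sources label as a separate requirement is an assumption based on rule code 3.

```python
import json
from typing import Any, Dict, Iterable, List, Set, Tuple

Model = Dict[str, Any]
SOURCE_SECTIONS = ("sources", "generations")  # model sections whose "kind" is a source kind
SINK_SECTIONS = ("sinks",)                    # model sections whose "kind" is a sink kind


def kinds_from_model(model: Model) -> Tuple[Set[str], Set[str]]:
    """Collect (source kinds, sink kinds) declared by one generator's "model" object."""
    sources: Set[str] = set()
    sinks: Set[str] = set()
    for section, entries in model.items():
        if section in SOURCE_SECTIONS:
            sources.update(e["kind"] for e in entries if "kind" in e)
        elif section in SINK_SECTIONS:
            sinks.update(e["kind"] for e in entries if "kind" in e)
        elif section == "for_all_parameters":
            for template in entries:  # the same sections again, one level down
                more_sources, more_sinks = kinds_from_model(template)
                sources |= more_sources
                sinks |= more_sinks
    return sources, sinks

def kinds_from_generators(docs: Iterable[Model]) -> Tuple[Set[str], Set[str]]:
    """Union of the kinds declared by every generator in every loaded generator file."""
    sources: Set[str] = set()
    sinks: Set[str] = set()
    for doc in docs:
        for generator in doc.get("model_generators", []):
            more_sources, more_sinks = kinds_from_model(generator.get("model", {}))
            sources |= more_sources
            sinks |= more_sinks
    return sources, sinks

def rule_requirements(rule: Model) -> Tuple[List[Set[str]], Set[str]]:
    """Return the source groups a rule needs (every group must be met) and its sink kinds.

    A plain rule has one group, its "sources". A multi-source rule has one group per label
    in "multi_sources": the rule only fires when each label's sources reach the partial sink
    (assumption, based on rule code 3 as quoted in this thread).
    """
    if "multi_sources" in rule:
        groups = [set(kinds) for kinds in rule["multi_sources"].values()]
        return groups, set(rule.get("partial_sinks", []))
    return [set(rule.get("sources", []))], set(rule.get("sinks", []))

def cross_check(rules: List[Model], generator_docs: Iterable[Model]) -> Dict[str, list]:
    """Report declared-but-unused kinds and rules that the loaded models can never satisfy."""
    gen_sources, gen_sinks = kinds_from_generators(generator_docs)
    used_sources: Set[str] = set()
    used_sinks: Set[str] = set()
    unsatisfiable: List[int] = []
    for rule in rules:
        groups, sinks = rule_requirements(rule)
        used_sources.update(*groups)
        used_sinks |= sinks
        if not all(group & gen_sources for group in groups) or not (sinks & gen_sinks):
            unsatisfiable.append(rule["code"])
    return {
        "source_kinds_no_rule_uses": sorted(gen_sources - used_sources),
        "sink_kinds_no_rule_uses": sorted(gen_sinks - used_sinks),
        "rules_no_model_can_satisfy": sorted(unsatisfiable),
    }


# Constructed samples: rule code 3 is quoted from this thread; the other rules and all the
# generators are made up here (codes 9001/9002 and the "Constructed*" kinds are placeholders).
RULES = [
    {"name": "User input flows into host check", "code": 9001,
     "sources": ["ActivityUserInput"], "sinks": ["BypassableHostCheck"]},
    {"name": "User input flows into implicitly launched intent", "code": 3,
     "multi_sources": {"a": ["IntentCreation"],
                       "b": ["FragmentUserInput", "ActivityUserInput",
                             "ReceiverUserInput", "ServiceUserInput"]},
     "partial_sinks": ["LaunchingComponent"]},
    {"name": "External file flows into output stream", "code": 9002,
     "sources": ["ExternalSource"], "sinks": ["OutputWriteSink"]},
]
GENERATORS = [
    {"model_generators": [{"find": "methods", "where": [{"constraint": "name", "pattern": "getIntent"}],
                           "model": {"sources": [{"kind": "ActivityUserInput", "port": "Return"}]}}]},
    {"model_generators": [{"find": "methods", "where": [{"constraint": "name", "pattern": "endsWith"}],
                           "model": {"for_all_parameters": [{"variable": "x", "sinks": [
                               {"kind": "BypassableHostCheck", "port": "Argument(x)"}]}]}}]},
    {"model_generators": [{"find": "methods", "where": [{"constraint": "name", "pattern": "getExternal.*"}],
                           "model": {"generations": [{"kind": "ExternalSource", "port": "Return"}]}}]},
    # Kinds no rule mentions: the analysis would compute these flows and report nothing.
    {"model_generators": [{"find": "methods", "where": [{"constraint": "name", "pattern": "log.*"}],
                           "model": {"sources": [{"kind": "ConstructedUnusedSource", "port": "Return"}],
                                     "sinks": [{"kind": "ConstructedUnusedSink", "port": "Argument(1)"}]}}]},
]

if __name__ == "__main__":
    print(json.dumps(cross_check(RULES, GENERATORS), indent=2))
```

For a real run, pass json.load of rules.json as the rules and json.load of each file under --model-generator-search-paths as the generator documents.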
I checked the default rules.json and found multi_sources and partial_sinks. This feature is not reflected in the documentation. Can you help explain this concept? In addition, I don't know if I understand code 3 correctly.
I got a false positive here
{
  "name": "User input flows into implicitly launched intent",
  "code": 3,
  "description": "Values from user-controlled source may eventually flow into an implicit intent and intent launcher",
  "multi_sources": {
    "a": [
      "IntentCreation"
    ],
    "b": [
      "FragmentUserInput",
      "ActivityUserInput",
      "ReceiverUserInput",
      "ServiceUserInput"
    ]
  },
  "partial_sinks": [
    "LaunchingComponent"
  ]
}
public class FiveActivity extends Activity {
    private TextView textView;

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_five);
        // IntentCreation
        Intent newIntent = new Intent();
        // if newIntent = null , only one false positive
        //Intent newIntent = null;
        // ActivityUserInput
        Intent getIntent = getIntent();
        String test = getIntent.getStringExtra("test");
        // I test this must set extra data from getIntent in newIntent
        newIntent.putExtra("test", test);
        newIntent.setClass(FiveActivity.this, ThirdActivity.class);
        // Partial:LaunchingComponent:b
        startActivity(newIntent);
        initView();
    }

    private void initView() {
        textView = findViewById(R.id.textView2);
        textView.setOnTouchListener(new View.OnTouchListener() {
            @SuppressLint("ClickableViewAccessibility")
            @Override
            public boolean onTouch(View v, MotionEvent event) {
                Intent intent = new Intent();
                intent.setClass(FiveActivity.this, MainActivity.class);
                // Got a false positive here
                // Partial:LaunchingComponent:b too !
                startActivity(intent);
                return false;
            }
        });
    }
}
// 0. Data of type ActivityUserInput flowing up to void FiveActivity.onCreate(Bundle) in com/h/vulnerability_test/FiveActivity.java.
Intent getIntent = getIntent();
// 1. Source and sink traces meet at void FiveActivity.onCreate(Bundle) in com/h/vulnerability_test/FiveActivity.java.
initView();
// 2. Data of type ActivityUserInput flowing from void FiveActivity.onCreate(Bundle) into sinks of type Partial:LaunchingComponent:b in com/h/vulnerability_test/FiveActivity.java.
textView = findViewById(R.id.textView2);
textView.setOnTouchListener(new View.OnTouchListener() {
intent.setClass(FiveActivity.this, MainActivity.class);
// 3. sink
startActivity(intent);
If "Intent newIntent = new Intent();" is replaced with "Intent newIntent = null;", there will be no issue here:
// 0. Data of type ActivityUserInput flowing up to void FiveActivity.onCreate(Bundle) in com/h/vulnerability_test/FiveActivity.java.
Intent getIntent = getIntent();
// 1. Source and sink traces meet at void FiveActivity.onCreate(Bundle) in com/h/vulnerability_test/FiveActivity.java.
// 2. Data of type ActivityUserInput flowing from void FiveActivity.onCreate(Bundle) into sinks of type Partial:LaunchingComponent:b in com/h/vulnerability_test/FiveActivity.java.
startActivity(newIntent);
Hello good people!
Is your feature request related to a problem? Please describe.
I am trying to run mariana-trench on an application that contains its source code in multiple directories and an external package. I ran into this problem while trying to integrate mariana trench into a build pipeline for mobile applications, but I think this feature also makes sense for scanning non-Android projects.
Repository structure example:
./app
├── config
├── docs
├── gradle
├── app-common
│ └── src
├── app-external
│ └── src
├── externalSDK.java
├── app-login
│ └── src
└── app-test
└── src
Describe the solution you'd like
I would like to execute something similar to:
(mariana-trench)$ mariana-trench \
    --system-jar-configuration-path=$ANDROID_SDK/platforms/android-30/android.jar \
    --apk-path=app-debug.apk \
    --source-root-directory=./app/app-common/src/main/java \
    --source-root-directory=./app/app-external/src/main/java \
    --source-root-directory=./app/app-login/src/main/java \
    --source-root-directory=./app/externalSDK.java/src/main/java
Additional context
I discussed this issue with some people from Facebook's bounty team, who presented Mariana Trench during BountyConEdu, and it was suggested that I open an issue here so that it gets handled by the responsible software team.
If any clarification is required, let me know.
Regards,
Giannis
Hello, Dear Developer,
I want to use the --lifecycles-paths feature to define some special callees. I referenced the example in mariana-trench/configuration/lifecycles.json and wrote the following:
[
  {
    "base_class_name": "Landroid/os/AsyncTask;",
    "method_name": "asynctask_lifecycle_wrapper",
    "callees": [
      {
        "method_name": "onPreExecute",
        "return_type": "V",
        "argument_types": []
      }
    ]
  }
]
Obviously, I want to add a method with the signature "Landroid/os/AsyncTask;->onPreExecute()V". Also, in my target apk, there are subclasses that override this method.
But from the log output, it looks like I didn't succeed in adding lifecycle methods:
INFO Building source index...
INFO Built source index in 0.02s.
INFO Inferring types...
INFO Inferred types in 0.03s.
INFO Created class properties in 0.00s.
INFO Building class hierarchies...
INFO Built class hierarchies in 0.01s.
INFO Building fields cache...
INFO Built fields cache in 0.02s.
INFO Creating life-cycle wrapper methods...
INFO Created 0 life-cycle methods for classes inheriting from `Landroid/os/AsyncTask;`
INFO Created lifecycle methods in 0.00s.
INFO Building override graph...
INFO Built override graph in 0.10s.
Unfortunately, I didn't find any documentation on the use of the lifecycle-method, so I hope you can add some, or tell me how to add it.
linux run?
I set the source and sink as shown in the code below, but Mariana Trench found 0 issues; it looks like doInBackground is not in the flow.
Can Mariana Trench deal with scenarios where taint flows into an AsyncTask? Or how can I write a config for this?
public void foo(Source source) {
String txt = source.getText(); // Source here
MyAsyncTask myTask = new MyAsyncTask(txt);
myTask.execute(1000);
}
public class MyAsyncTask extends AsyncTask<Integer, Integer, Void> {
private String txt;
public MyAsyncTask(String txt)
{
super();
this.txt = txt;
}
@Override
protected Void doInBackground(Integer... params) {
Intent intent = new Intent();
intent.putExtra("txt",this.txt); // Sink here
sendBroadcast(intent);
return null;
}
@Override
protected void onPreExecute() {
Log.i("test","onPreExecute");
}
}
There are two files in the source code directory which seem to be used to filter exportable components, but where is this function used?
configuration/filters/3-intent-redirect-filter.json
configuration/filters/exported-component-filter.json
name:
Input in exported components flows into implicit intent launcher
Input in exported components flows into injection sink
I have the same problem:
@Securee
I used Mariana Trench to analyze my apk, and it found many issues, but most of the issues did not filter out the sources whose components (Activity, Provider) are not exported in the manifest.xml (Android:Exported = False).
How can I filter the false positive issues?
Dear Team,
I am trying to apply this tool to normal existing Java projects, and it says it mandatorily needs an apk. I would be grateful for any help on this.
Looking forward to hearing from you.
Regards,
Akshay Prasad
Hello guys, I would like to know if there is any public repo where users can share their own source and sink generators. It would be very useful to share custom generators among the community, beyond those already provided by Meta in this repo. Obviously, even custom rules would be nice!
Hello, I have gone through https://mariana-tren.ch/docs and read all the documents in the code, but I still want to know more about Mariana Trench's design architecture and theory. Is there any other paper or presentation about that which may give more insights? Really appreciate that.
Ubuntu 20.04, Python 3.8.10
➜ ~ python3 -m venv mariana-trench
➜ ~ source mariana-trench/bin/activate
(mariana-trench) ➜ ~ pip install mariana-trench
Collecting mariana-trench
Using cached mariana_trench-1.0.1-py3-none-manylinux1_x86_64.whl (4.8 MB)
Collecting pyre-extensions
Using cached pyre_extensions-0.0.23-py3-none-any.whl (11 kB)
Collecting fb-sapp
Using cached fb_sapp-0.5.1-py3-none-any.whl (2.0 MB)
Collecting typing-extensions
Using cached typing_extensions-4.0.0-py3-none-any.whl (22 kB)
Collecting typing-inspect
Using cached typing_inspect-0.7.1-py3-none-any.whl (8.4 kB)
Collecting pygments
Using cached Pygments-2.10.0-py3-none-any.whl (1.0 MB)
Collecting prompt-toolkit
Using cached prompt_toolkit-3.0.22-py3-none-any.whl (374 kB)
Collecting graphene
Using cached graphene-3.0-py2.py3-none-any.whl (112 kB)
Collecting flask-graphql
Using cached Flask-GraphQL-2.0.1.tar.gz (6.1 kB)
Collecting ujson
Using cached ujson-4.2.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (216 kB)
Collecting SQLAlchemy<1.4
Using cached SQLAlchemy-1.3.24-cp38-cp38-manylinux2010_x86_64.whl (1.3 MB)
Collecting flask
Using cached Flask-2.0.2-py3-none-any.whl (95 kB)
Collecting click
Using cached click-8.0.3-py3-none-any.whl (97 kB)
Collecting flask-cors
Using cached Flask_Cors-3.0.10-py2.py3-none-any.whl (14 kB)
Collecting traitlets
Using cached traitlets-5.1.1-py3-none-any.whl (102 kB)
Collecting munch
Using cached munch-2.5.0-py2.py3-none-any.whl (10 kB)
Collecting ipython
Using cached ipython-7.29.0-py3-none-any.whl (790 kB)
Collecting click-log
Using cached click_log-0.3.2-py2.py3-none-any.whl (4.6 kB)
Collecting graphene-sqlalchemy
Using cached graphene_sqlalchemy-2.3.0-py2.py3-none-any.whl (38 kB)
Collecting xxhash
Using cached xxhash-2.0.2-cp38-cp38-manylinux2010_x86_64.whl (243 kB)
Collecting mypy-extensions>=0.3.0
Using cached mypy_extensions-0.4.3-py2.py3-none-any.whl (4.5 kB)
Collecting wcwidth
Using cached wcwidth-0.2.5-py2.py3-none-any.whl (30 kB)
Collecting graphql-relay<4,>=3.0
Using cached graphql_relay-3.1.0-py3-none-any.whl (16 kB)
Collecting graphql-core~=3.1.2
Downloading graphql_core-3.1.6-py3-none-any.whl (189 kB)
|████████████████████████████████| 189 kB 898 kB/s
Collecting aniso8601<10,>=8
Using cached aniso8601-9.0.1-py2.py3-none-any.whl (52 kB)
Collecting graphql-server-core<2,>=1.1
Using cached graphql-server-core-1.2.0.tar.gz (7.0 kB)
Collecting itsdangerous>=2.0
Using cached itsdangerous-2.0.1-py3-none-any.whl (18 kB)
Collecting Werkzeug>=2.0
Using cached Werkzeug-2.0.2-py3-none-any.whl (288 kB)
Collecting Jinja2>=3.0
Using cached Jinja2-3.0.3-py3-none-any.whl (133 kB)
Collecting Six
Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting matplotlib-inline
Using cached matplotlib_inline-0.1.3-py3-none-any.whl (8.2 kB)
Collecting decorator
Using cached decorator-5.1.0-py3-none-any.whl (9.1 kB)
Collecting backcall
Using cached backcall-0.2.0-py2.py3-none-any.whl (11 kB)
Collecting jedi>=0.16
Using cached jedi-0.18.1-py2.py3-none-any.whl (1.6 MB)
Requirement already satisfied: setuptools>=18.5 in ./mariana-trench/lib/python3.8/site-packages (from ipython->fb-sapp->mariana-trench) (44.0.0)
Collecting pexpect>4.3; sys_platform != "win32"
Using cached pexpect-4.8.0-py2.py3-none-any.whl (59 kB)
Collecting pickleshare
Using cached pickleshare-0.7.5-py2.py3-none-any.whl (6.9 kB)
Collecting singledispatch<4,>=3.4.0.3
Using cached singledispatch-3.7.0-py2.py3-none-any.whl (9.2 kB)
Collecting promise>=2.3
Using cached promise-2.3.tar.gz (19 kB)
Collecting MarkupSafe>=2.0
Using cached MarkupSafe-2.0.1-cp38-cp38-manylinux2010_x86_64.whl (30 kB)
Collecting parso<0.9.0,>=0.8.0
Using cached parso-0.8.2-py2.py3-none-any.whl (94 kB)
Collecting ptyprocess>=0.5
Using cached ptyprocess-0.7.0-py2.py3-none-any.whl (13 kB)
Building wheels for collected packages: flask-graphql, graphql-server-core, promise
Building wheel for flask-graphql (setup.py) ... error
ERROR: Command errored out with exit status 1:
command: /home/firmy/mariana-trench/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-n1qnas3n/flask-graphql/setup.py'"'"'; __file__='"'"'/tmp/pip-install-n1qnas3n/flask-graphql/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-k3xtjv3x
cwd: /tmp/pip-install-n1qnas3n/flask-graphql/
Complete output (6 lines):
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
or: setup.py --help [cmd1 cmd2 ...]
or: setup.py --help-commands
or: setup.py cmd --help
error: invalid command 'bdist_wheel'
----------------------------------------
ERROR: Failed building wheel for flask-graphql
Running setup.py clean for flask-graphql
Building wheel for graphql-server-core (setup.py) ... error
ERROR: Command errored out with exit status 1:
command: /home/firmy/mariana-trench/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-n1qnas3n/graphql-server-core/setup.py'"'"'; __file__='"'"'/tmp/pip-install-n1qnas3n/graphql-server-core/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-lr3nv8tm
cwd: /tmp/pip-install-n1qnas3n/graphql-server-core/
Complete output (6 lines):
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
or: setup.py --help [cmd1 cmd2 ...]
or: setup.py --help-commands
or: setup.py cmd --help
error: invalid command 'bdist_wheel'
----------------------------------------
ERROR: Failed building wheel for graphql-server-core
Running setup.py clean for graphql-server-core
Building wheel for promise (setup.py) ... error
ERROR: Command errored out with exit status 1:
command: /home/firmy/mariana-trench/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-n1qnas3n/promise/setup.py'"'"'; __file__='"'"'/tmp/pip-install-n1qnas3n/promise/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-w0vbeoy2
cwd: /tmp/pip-install-n1qnas3n/promise/
Complete output (6 lines):
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
or: setup.py --help [cmd1 cmd2 ...]
or: setup.py --help-commands
or: setup.py cmd --help
error: invalid command 'bdist_wheel'
----------------------------------------
ERROR: Failed building wheel for promise
Running setup.py clean for promise
Failed to build flask-graphql graphql-server-core promise
ERROR: graphql-server-core 1.2.0 has requirement graphql-core<3,>=2.3, but you'll have graphql-core 3.1.6 which is incompatible.
ERROR: flask-graphql 2.0.1 has requirement graphql-core<3,>=2.1, but you'll have graphql-core 3.1.6 which is incompatible.
ERROR: graphene-sqlalchemy 2.3.0 has requirement graphene<3,>=2.1.3, but you'll have graphene 3.0 which is incompatible.
Installing collected packages: typing-extensions, mypy-extensions, typing-inspect, pyre-extensions, pygments, wcwidth, prompt-toolkit, graphql-core, graphql-relay, aniso8601, graphene, itsdangerous, Werkzeug, MarkupSafe, Jinja2, click, flask, Six, promise, graphql-server-core, flask-graphql, ujson, SQLAlchemy, flask-cors, traitlets, munch, matplotlib-inline, decorator, backcall, parso, jedi, ptyprocess, pexpect, pickleshare, ipython, click-log, singledispatch, graphene-sqlalchemy, xxhash, fb-sapp, mariana-trench
Running setup.py install for promise ... done
Running setup.py install for graphql-server-core ... done
Running setup.py install for flask-graphql ... done
Successfully installed Jinja2-3.0.3 MarkupSafe-2.0.1 SQLAlchemy-1.3.24 Six-1.16.0 Werkzeug-2.0.2 aniso8601-9.0.1 backcall-0.2.0 click-8.0.3 click-log-0.3.2 decorator-5.1.0 fb-sapp-0.5.1 flask-2.0.2 flask-cors-3.0.10 flask-graphql-2.0.1 graphene-3.0 graphene-sqlalchemy-2.3.0 graphql-core-3.1.6 graphql-relay-3.1.0 graphql-server-core-1.2.0 ipython-7.29.0 itsdangerous-2.0.1 jedi-0.18.1 mariana-trench-1.0.1 matplotlib-inline-0.1.3 munch-2.5.0 mypy-extensions-0.4.3 parso-0.8.2 pexpect-4.8.0 pickleshare-0.7.5 promise-2.3 prompt-toolkit-3.0.22 ptyprocess-0.7.0 pygments-2.10.0 pyre-extensions-0.0.23 singledispatch-3.7.0 traitlets-5.1.1 typing-extensions-4.0.0 typing-inspect-0.7.1 ujson-4.2.0 wcwidth-0.2.5 xxhash-2.0.2
Likely should be rewritten in HTML5 + CSS.
On the Windows platform, I installed mariana-trench by:
1. install Python 3.8
2. install sapp: pip install fb-sapp
3. install mariana-trench: pip install mariana-trench
When I want to analyze an apk, it says: CRITICAL Could not find mariana-trench-binary in PATH
I searched for mariana-trench-binary.exe, but failed to find it.
Does Mariana Trench support Windows or not?
While trying to run MT on an application, MT crashed halfway and exited with exit code -6.
libc++abi: terminating with uncaught exception of type std::out_of_range: vector
0 mariana-trench-binary 0x0000000102f9b681 _Z23crash_backtrace_handleri + 81
1 libsystem_platform.dylib 0x00007ff80f70ee2d _sigtramp + 29
2 libc++abi.dylib 0x00007ff80f6b8f4c libc++abi.dylib + 77644
3 libsystem_c.dylib 0x00007ff80f645d10 abort + 123
4 libc++abi.dylib 0x00007ff80f6b60b2 abort_message + 241
5 libc++abi.dylib 0x00007ff80f6a71e5 _ZL28demangling_terminate_handlerv + 242
6 libobjc.A.dylib 0x00007ff80f5a4511 _ZL15_objc_terminatev + 104
7 libc++abi.dylib 0x00007ff80f6b54d7 _ZSt11__terminatePFvvE + 8
8 libc++abi.dylib 0x00007ff80f6b7d55 __cxa_get_exception_ptr + 0
9 libc++abi.dylib 0x00007ff80f6b7d1c _ZN10__cxxabiv1L22exception_cleanup_funcE19_Unwind_Reason_CodeP17_Unwind_Exception + 0
10 libc++.1.dylib 0x00007ff80f65bbd4 _ZNSt3__120__throw_out_of_rangeEPKc + 56
11 libc++.1.dylib 0x00007ff80f66345a _ZNKSt3__120__vector_base_commonILb1EE20__throw_out_of_rangeEv + 16
12 mariana-trench-binary 0x0000000102df3789 _ZN13marianatrench8Transfer14analyze_invokeEPNS_13MethodContextEPK13IRInstructionPNS_19AnalysisEnvironmentE + 13673
13 mariana-trench-binary 0x0000000102d011de _ZNK13marianatrench12_GLOBAL__N_116FixpointIterator12analyze_nodeERKPN3cfg5BlockEPNS_19AnalysisEnvironmentE + 286
14 mariana-trench-binary 0x0000000102d141d3 _ZN6sparta7fp_impl29MonotonicFixpointIteratorBaseIN3cfg14GraphInterfaceEN13marianatrench19AnalysisEnvironmentENSt3__14hashIPNS2_5BlockEEEE14analyze_vertexEPNS0_32MonotonicFixpointIteratorContextIS9_S5_SA_EERKS9_ + 1331
15 mariana-trench-binary 0x0000000102d12f38 _ZZN6sparta25MonotonicFixpointIteratorIN3cfg14GraphInterfaceEN13marianatrench19AnalysisEnvironmentENSt3__14hashIPNS1_5BlockEEEE3runERKS4_ENKUljE_clEj + 648
16 mariana-trench-binary 0x0000000102cfd77e _ZN6sparta25MonotonicFixpointIteratorIN3cfg14GraphInterfaceEN13marianatrench19AnalysisEnvironmentENSt3__14hashIPNS1_5BlockEEEE3runERKS4_ + 622
17 mariana-trench-binary 0x0000000102cfcbdd _ZN5boost6detail11thread_dataINSt3__18__bind_rIvRZN6sparta15SpartaWorkQueueIPKN13marianatrench6MethodENS4_14workqueue_impl22NoStateWorkQueueHelperIS9_ZNS6_15Interprocedural12run_analysisERNS6_7ContextERNS6_8RegistryEE3$_0EEE7run_allEvEUlPNS4_17SpartaWorkerStateIS9_EEmE_JSM_RmEEEE3runEv + 3181
18 mariana-trench-binary 0x0000000102e8b818 _ZN5boost12_GLOBAL__N_112thread_proxyEPv + 120
19 libsystem_pthread.dylib 0x00007ff80f6f94f4 _pthread_start + 125
20 libsystem_pthread.dylib 0x00007ff80f6f500f thread_start + 15
CRITICAL Analysis binary exited with exit code -6.
Is there any error page or documentation on troubleshooting errors in MT?
I ran different Android APKs through the tool, even the officially provided one, and I am getting 0 issues. It should have flagged 1 default RCE issue as per the documentation/getting started guide.
Please look into it. Or if I am evaluating anything differently than I should, let me know.
Bug description
When I try to run Mariana Trench I keep getting this error for some reason. I've even tried running the sample application from the repo and the problem persists. Is there any way around it, or am I doing something wrong?
Logs
CRITICAL Unexpected error:
Traceback (most recent call last):
File "/opt/homebrew/lib/python3.9/site-packages/mariana_trench/shim/shim.py", line 583, in main
output = subprocess.run(command)
File "/opt/homebrew/Cellar/[email protected]/3.9.8/Frameworks/Python.framework/Versions/3.9/lib/python3.9/subprocess.py", line 505, in run
with Popen(*popenargs, **kwargs) as process:
File "/opt/homebrew/Cellar/[email protected]/3.9.8/Frameworks/Python.framework/Versions/3.9/lib/python3.9/subprocess.py", line 951, in __init__
self._execute_child(args, executable, preexec_fn, close_fds,
File "/opt/homebrew/Cellar/[email protected]/3.9.8/Frameworks/Python.framework/Versions/3.9/lib/python3.9/subprocess.py", line 1821, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
OSError: [Errno 8] Exec format error: '/opt/homebrew/bin/mariana-trench-binary'
Hi,
I'm getting the following issue when running with APKs:
INFO Initializing Redex...
error: /tmp/mt-static-cnhs17k0/build/redex-master/libredex/DexLoader.cpp:49: void validate_dex_header(const dex_header*, size_t, int): assertion `supported' failed.
Bad dex magic dex
039 for support_dex_version 37
Any help here would be great.
Thanks
Just wondering if it would be possible to analyse the Android manifest as well, or if the feature is planned in the pipeline!
I have problems trying to write a propagation that can detect this flow of data from the initialisation of the implicit intent to calling it in an activity.
invoke-direct {v1, v2}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
const/16 v2, 0xd5
invoke-virtual {v0, v1, v2}, Landroid/app/Activity;->startActivityForResult(Landroid/content/Intent;I)V
goto/16 :goto_2f
I can define the source to be the method that inits the intent, and sink to be the startActivityForResult, but when I write in the rules to link the source to the sink, no issues come up.
INFO Method `Landroid/content/Intent;.<init>:(Ljava/lang/String;)V` satisfies all constraints in json model generator ImplicitIntentAsSource
INFO Method `Landroid/app/Activity;.startActivityForResult:(Landroid/content/Intent;I)V` satisfies all constraints in json model generator ImplicitIntentAsSink
Is there any further way I can debug this? Not sure how to proceed.
Read the docs.
Could not find how to export findings in JSON format.
I only found and tried this using filters.
Tried this:
sapp --tool=mariana-trench analyze .
sapp --tool=mariana-trench filter import ../../configuration/filters/
Then:
sapp --database-name sapp.db filter issues 1 ../../configuration/filters/ --output-format sarif
2022-01-03 15:36:09,958 [INFO] Applying `Input in exported components flows into injection sink` to run `1` resulted in 1 issues
2022-01-03 15:36:09,974 [INFO] Applying `Input in exported components flows into implicit intent launcher` to run `1` resulted in 1 issues
2022-01-03 15:36:09,988 [INFO] Applying `test` to run `1` resulted in 1 issues
2022-01-03 15:36:09,988 [INFO] Total number of issues after filtering: 2
{
"version": "2.1.0",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"name": "Pysa",
"informationUri": "https://github.com/facebook/pyre-check/",
"rules": []
}
},
"results": [
{
"ruleId": "1",
"level": "warning",
"message": {
"text": "User input flows into code execution sink (RCE): Values from user-controlled source may eventually flow into code execution sink"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "com/example/myapplication/MainActivity.java"
},
"region": {
"startLine": 25,
"startColumn": 1,
"endColumn": 2
}
}
}
]
},
{
"ruleId": "3",
"level": "warning",
"message": {
"text": "User input flows into implicitly launched intent: Values from user-controlled source may eventually flow into an implicit intent and intent launcher"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "com/example/myapplication/MainActivity.java"
},
"region": {
"startLine": 35,
"startColumn": 1,
"endColumn": 2
}
}
}
]
}
]
}
]
}
However, this does not export all 6 issues found.
Questions
Why is the tool "Pysa" and not "mariana-trench"? A little bit confused here.
How do I make a filter that shows all 6 issues (in the app), i.e. always shows all the issues in sample-app-debug.apk or other apks?
Thanks,
Hello everyone, I need some help because I cannot detect a simple data flow (I'm doing this just as an exercise to learn Mariana Trench).
I have this piece of source code:
@Override // android.support.v4.app.FragmentActivity, android.app.Activity
public void onActivityResult(int i, int i2, Intent intent) {
super.onActivityResult(i, i2, intent);
if (i == LOAD_CONTENT_ACTIVITY_REQUEST_CODE && i2 == -1) {
Boolean valueOf = Boolean.valueOf(intent.getBooleanExtra("use_base_url", false));
String stringExtra = intent.getStringExtra("base_url");
String stringExtra2 = intent.getStringExtra("html_content");
if (valueOf.booleanValue()) {
this.webview.loadDataWithBaseURL(stringExtra, stringExtra2, "text/html", "UTF-8", stringExtra);
} else {
this.webview.loadData(stringExtra2, "text/html", "UTF-8");
}
}
}
What I am trying to do is create a source on the first parameter of the getStringExtra method and a sink on the loadDataWithBaseURL method. So, I created two files, the following one for the source and the other one for the sink:
IntentSourceGenerator.json:
{
"model_generators": [
{
"find": "methods",
"where": [
{
"constraint": "name",
"pattern": "getStringExtra"
}
],
"model": {
"sources": [
{
"kind": "TestSensitiveUserInput",
"port": "Argument(1)"
}
]
}
}]
}
TestWebViewLoadGenerator.json:
{
"model_generators": [
{
"find": "methods",
"where": [
{
"constraint": "name",
"pattern": "loadDataWithBaseURL"
}
],
"model": {
"sinks": [
{
"kind": "WebViewLoadContent",
"port": "Argument(1)"
}
]
}
}]
}
Here is the rule added to the rules.json file:
{
"name": "Test",
"code": 9,
"description": "test",
"sources": [
"TestSensitiveUserInput"
],
"sinks": [
"WebViewLoadContent"
]
}
I don't know what I am doing wrong, but I got the following results. Can someone explain to me what I should do?
...
...
INFO Running model generator `taint_in_taint_out` (15/21)
INFO Running model generator `taint_in_taint_this` (16/21)
INFO Running model generator `WebViewLoadGenerator` (17/21)
INFO Running model generator `TestWebViewLoadGenerator` (18/21)
INFO Running model generator `BypassableHostCheckSinkGenerator` (19/21)
INFO Method `Ljava/lang/String;.contains:(Ljava/lang/CharSequence;)Z` satisfies all constraints in json model generator BypassableHostCheckSinkGenerator
INFO Method `Ljava/lang/String;.endsWith:(Ljava/lang/String;)Z` satisfies all constraints in json model generator BypassableHostCheckSinkGenerator
INFO Running model generator `ReflectionSinkGenerator` (20/21)
INFO Running model generator `IntentSourceGenerator` (21/21)
INFO Generated 74062 models and 0 field models in 0.84s.
INFO Initializing models...
INFO Initialized 67126 models and 0 field models in 0.09s.
INFO Initializing rules...
INFO Initialized 9 rules in 0.00s.
INFO Removing unused Kinds
WARNING Kind `SQLMutation` is not used in any rule! You may want to add one for it.
WARNING Kind `ArrayAllocation` is not used in any rule! You may want to add one for it.
INFO Removed 2 kinds in 0.02s.
....
....
INFO Analyzed 67126 models in 3.02s. Found 0 issues!
....
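As an added example (not taken from this thread or from the project's shipped generators), here are the same two generators rewritten with the ports that match the code above: in Mariana Trench port syntax `Argument(0)` is `this` on an instance method, so `Argument(1)` on `getStringExtra` names the key string, whereas the extra's value leaves the method through the `Return` port; on `loadDataWithBaseURL(baseUrl, data, mimeType, encoding, historyUrl)`, `Argument(1)` is `baseUrl` and `Argument(2)` is `data`. The `parent` constraints on `Landroid/content/Intent;` and `Landroid/webkit/WebView;` are my addition, so that the `name` patterns do not match unrelated methods with the same name.

```json
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Landroid/content/Intent;"
          }
        },
        {
          "constraint": "name",
          "pattern": "getStringExtra"
        }
      ],
      "model": {
        "sources": [
          {
            "kind": "TestSensitiveUserInput",
            "port": "Return"
          }
        ]
      }
    },
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Landroid/webkit/WebView;"
          }
        },
        {
          "constraint": "name",
          "pattern": "loadDataWithBaseURL"
        }
      ],
      "model": {
        "sinks": [
          {
            "kind": "WebViewLoadContent",
            "port": "Argument(1)"
          },
          {
            "kind": "WebViewLoadContent",
            "port": "Argument(2)"
          }
        ]
      }
    }
  ]
}
```

The rule from rules.json above can stay as it is, since both kind names are unchanged; only the ports differ from the posted generators.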
When clicking on SAPP UI Trace view, I get a blank screen and the below errors (x2) in the JS console.
I don't get any errors in the CLI tool output (except in debug mode, see below). For reference, I built mariana-trench from source to bump the dex version from 37 to 38 (38 is supported by redex, though 39 is not supported, so it's pretty limited), and everything appears to work fine except this Trace view.
The tool was run in a directory with decompiled (d2j and procyon) .java files. When the tool is run outside of the directory with the decompiled output, the Trace template view renders fine (though naturally empty, as it lacks source). Please let me know if you need extra info.
Source.js:40
Uncaught (in promise) TypeError: Cannot read properties of undefined (reading 'slice')
at main.455a0275.chunk.js:1
at main.455a0275.chunk.js:1
at Array.map (<anonymous>)
at te (main.455a0275.chunk.js:1)
at ne (main.455a0275.chunk.js:1)
at $i (2.2d91596b.chunk.js:2)
at Ia (2.2d91596b.chunk.js:2)
at mc (2.2d91596b.chunk.js:2)
at ls (2.2d91596b.chunk.js:2)
at cs (2.2d91596b.chunk.js:2)
2021-10-06 14:42:18,211 [ERROR] Traceback (most recent call last):
File "/home/usr/.local/lib/python3.9/site-packages/graphql/execution/executor.py", line 452, in resolve_or_error
return executor.execute(resolve_fn, source, info, **args)
File "/home/usr/.local/lib/python3.9/site-packages/graphql/execution/executors/sync.py", line 16, in execute
return fn(*args, **kwargs)
File "/home/usr/.local/lib/python3.9/site-packages/graphene/relay/connection.py", line 136, in connection_resolver
resolved = resolver(root, info, **args)
File "/home/usr/.local/lib/python3.9/site-packages/sapp/ui/schema.py", line 243, in resolve_next_trace_frames
return trace.next_frames(
File "/home/usr/.local/lib/python3.9/site-packages/sapp/ui/trace.py", line 290, in next_frames
session.query(
File "/home/usr/.local/lib/python3.9/site-packages/sqlalchemy/orm/query.py", line 2391, in join
return self._join(
File "<string>", line 2, in _join
File "/home/usr/.local/lib/python3.9/site-packages/sqlalchemy/orm/base.py", line 227, in generate
fn(self, *args[1:], **kw)
File "/home/usr/.local/lib/python3.9/site-packages/sqlalchemy/orm/query.py", line 2587, in _join
self._join_left_to_right(
File "/home/usr/.local/lib/python3.9/site-packages/sqlalchemy/orm/query.py", line 2611, in _join_left_to_right
) = self._join_determine_implicit_left_side(left, right, onclause)
File "/home/usr/.local/lib/python3.9/site-packages/sqlalchemy/orm/query.py", line 2747, in _join_determine_implicit_left_side
raise sa_exc.InvalidRequestError(
graphql.error.located_error.GraphQLLocatedError: Can't determine which FROM clause to join from, there are multiple FROMS which can join to this entity. Please use the .select_from() method to establish an explicit left side, as well as providing an explcit ON clause if not present already to help resolve the ambiguity.
For reference, I am trying my hand at writing a rule to detect PendingIntents used dangerously, as noted in https://www.researchgate.net/publication/325818237_PIAnalyzer_A_Precise_Approach_for_PendingIntent_Vulnerability_Analysis, and I have a rule that can detect implicit intents being initialised as its source, and something like this for its sink.
{
"model_generators": [
{
"find": "methods",
"where": [
{
"constraint": "parent",
"inner": {
"constraint": "name",
"pattern": "Landroid/app/PendingIntent;"
}
},
{
"constraint": "any_of",
"inners": [
{
"constraint": "name",
"pattern": "getB.*"
},
{
"constraint": "name",
"pattern": "getA.*"
},
{
"constraint": "name",
"pattern": "getS.*"
}
]
}
],
"model": {
"for_all_parameters": [
{
"variable": "x",
"sinks": [
{
"kind": "PendingIntentSink",
"port": "Argument(x)"
}
]
}]
}
}
]
}
However, I am unable to abstract this flow as its own standalone source/sink. I would like to develop this further to detect instances of PendingIntents being initialised with implicit intents and then sent off as another Intent's extra data. How should I link these 2 use cases up? I appreciate any advice regarding this!
Is it possible for Mariana Trench to detect if the data is being cast into (Intent), for example? What would the source definition look like in that case?
Hi,
I'm trying to install the python package using pip and I'm getting the following error:
ERROR: Could not build wheels for mariana-trench which use PEP 517 and cannot be installed directly
Here are the details:
Bug description
Failed to compile mariana-trench
Reproduction steps
All the steps according to https://mariana-tren.ch/docs/contribution/
Expected behavior
Successfully build mariana-trench from source
Logs
👻 ~/S/A/m/build> make -j4
Consolidate compiler generated dependencies of target mariana-trench-library
[ 3%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/ClassProperties.cpp.o
[ 3%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/CanonicalName.cpp.o
[ 3%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Context.cpp.o
[ 7%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Features.cpp.o
/Users/x/tmpp/mariana-trench/source/Features.cpp:31:39: error: invalid operands to binary expression ('const char [11]' and 'const std::string_view')
return factory_.create("via-value:" + via_value);
~~~~~~~~~~~~ ^ ~~~~~~~~~
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/__iterator/wrap_iter.h:278:21: note: candidate template ignored: could not match '__wrap_iter' against 'basic_string_view'
__wrap_iter<_Iter1> operator+(typename __wrap_iter<_Iter1>::difference_type __n, __wrap_iter<_Iter1> __x) _NOEXCEPT
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/__iterator/move_iterator.h:172:1: note: candidate template ignored: could not match 'move_iterator' against 'basic_string_view'
operator+(typename move_iterator<_Iter>::difference_type __n, const move_iterator<_Iter>& __x)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/__iterator/reverse_iterator.h:221:1: note: candidate template ignored: could not match 'reverse_iterator' against 'basic_string_view'
operator+(typename reverse_iterator<_Iter>::difference_type __n, const reverse_iterator<_Iter>& __x)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4269:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(const basic_string<_CharT, _Traits, _Allocator>& __lhs,
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4282:1: note: candidate template ignored: could not match 'basic_string' against 'basic_string_view'
operator+(const _CharT* __lhs , const basic_string<_CharT,_Traits,_Allocator>& __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4294:1: note: candidate template ignored: could not match 'basic_string' against 'basic_string_view'
operator+(_CharT __lhs, const basic_string<_CharT,_Traits,_Allocator>& __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4306:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(const basic_string<_CharT, _Traits, _Allocator>& __lhs, const _CharT* __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4318:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(const basic_string<_CharT, _Traits, _Allocator>& __lhs, _CharT __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4332:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(basic_string<_CharT, _Traits, _Allocator>&& __lhs, const basic_string<_CharT, _Traits, _Allocator>& __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4340:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(const basic_string<_CharT, _Traits, _Allocator>& __lhs, basic_string<_CharT, _Traits, _Allocator>&& __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4348:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(basic_string<_CharT, _Traits, _Allocator>&& __lhs, basic_string<_CharT, _Traits, _Allocator>&& __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4356:1: note: candidate template ignored: could not match 'basic_string' against 'basic_string_view'
operator+(const _CharT* __lhs , basic_string<_CharT,_Traits,_Allocator>&& __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4364:1: note: candidate template ignored: could not match 'basic_string' against 'basic_string_view'
operator+(_CharT __lhs, basic_string<_CharT,_Traits,_Allocator>&& __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4373:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(basic_string<_CharT, _Traits, _Allocator>&& __lhs, const _CharT* __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4381:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(basic_string<_CharT, _Traits, _Allocator>&& __lhs, _CharT __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/complex:527:1: note: candidate template ignored: could not match 'complex<type-parameter-0-0>' against 'char const[11]'
operator+(const complex<_Tp>& __x, const complex<_Tp>& __y)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/complex:537:1: note: candidate template ignored: could not match 'complex<type-parameter-0-0>' against 'char const[11]'
operator+(const complex<_Tp>& __x, const _Tp& __y)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/complex:547:1: note: candidate template ignored: could not match 'complex' against 'basic_string_view'
operator+(const _Tp& __x, const complex<_Tp>& __y)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/complex:728:1: note: candidate function template not viable: requires single argument '__x', but 2 arguments were provided
operator+(const complex<_Tp>& __x)
^
/Users/x/tmpp/mariana-trench/source/CanonicalName.cpp:61:32: error: use of undeclared identifier 'str_copy'
std::string class_name = str_copy(
^
/Users/x/tmpp/mariana-trench/source/CanonicalName.cpp:65:33: error: use of undeclared identifier 'str_copy'
std::string method_name = str_copy(method->get_name());
^
1 error generated.
make[2]: *** [CMakeFiles/mariana-trench-library.dir/source/Features.cpp.o] Error 1
make[2]: *** Waiting for unfinished jobs....
2 errors generated.
make[2]: *** [CMakeFiles/mariana-trench-library.dir/source/CanonicalName.cpp.o] Error 1
In file included from /Users/x/tmpp/mariana-trench/source/Context.cpp:11:
/Users/x/tmpp/mariana-trench/build/header-tree/mariana-trench/ClassProperties.h:84:3: error: unknown type name 'StringStorage'
StringStorage strings_;
^
In file included from /Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:17:
/Users/x/tmpp/mariana-trench/build/header-tree/mariana-trench/ClassProperties.h:84:3: error: unknown type name 'StringStorage'
StringStorage strings_;
^
/Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:60:68: error: member reference type 'DexEncodedValue *const' is a pointer; did you mean to use '->'?
dynamic_cast<DexEncodedValueArray*>(element.encoded_value.get());
~~~~~~~~~~~~~~~~~~~~~^
->
/Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:60:69: error: no member named 'get' in 'DexEncodedValue'
dynamic_cast<DexEncodedValueArray*>(element.encoded_value.get());
~~~~~~~~~~~~~~~~~~~~~ ^
/Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:126:10: error: no matching function for call to 'get_privacy_decision_number_from_annotations'
return get_privacy_decision_number_from_annotations(
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:99:28: note: candidate function not viable: no known conversion from 'const vector<DexAnnotation *>' to 'const vector<std::unique_ptr<DexAnnotation>>' for 1st argument
std::optional<std::string> get_privacy_decision_number_from_annotations(
^
/Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:340:31: error: no matching function for call to 'get_privacy_decision_number_from_annotations'
privacy_decision_number = get_privacy_decision_number_from_annotations(
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:99:28: note: candidate function not viable: no known conversion from 'const vector<DexAnnotation *>' to 'const vector<std::unique_ptr<DexAnnotation>>' for 1st argument
std::optional<std::string> get_privacy_decision_number_from_annotations(
^
1 error generated.
In file included from /Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:17:
/Users/x/tmpp/mariana-trench/build/header-tree/mariana-trench/ClassProperties.h:84:17: warning: private field 'strings_' is not used [-Wunused-private-field]
StringStorage strings_;
^
1 warning and 5 errors generated.
make[2]: *** [CMakeFiles/mariana-trench-library.dir/source/Context.cpp.o] Error 1
make[2]: *** [CMakeFiles/mariana-trench-library.dir/source/ClassProperties.cpp.o] Error 1
make[1]: *** [CMakeFiles/mariana-trench-library.dir/all] Error 2
make: *** [all] Error 2
Additional context
MacOS 12.3.1
The model attribute of model_generators in the documentation only covers sources, sinks, and propagation; the value generations is not found there.
But in ImplicitIntentSourceGenerator.json, generations is used. I want to know what the difference is between generations and sources, or what generations means: is it to initialize a class as a source, or...
ImplicitIntentSourceGenerator.json ->
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Landroid/content/Intent;"
          }
        },
        {
          "constraint": "name",
          "pattern": "\\<init\\>"
        },
        {
          "constraint": "not",
          "inner": {
            "constraint": "signature",
            "pattern": ".*Ljava/lang/Class;.*"
          }
        }
      ],
      "model": {
        "generations": [
          {
            "kind": "IntentCreation",
            "port": "Argument(0)"
          }
        ]
      }
    }
  ]
}
I found that there are many features in use that are not reflected in the documentation.
For example, the model key generations, or whether the relationship between multi_sources and partial_sinks in rules.json is AND or OR. For example, for the "User input flows into implicitly launched intent" rule, the text means that external input is passed to new Intent(...) and the intent is then launched.
I think the process should be:
1, User Input -> Intent test = this.getIntent();
2, Intent ha = new Intent(test);
3, startActivity(ha);
But multi_sources seems to be an OR relationship:
1, User Input -> Intent test = this.getIntent();
3, startActivity(ha);
or
2, Intent ha = new Intent(test);
3, startActivity(ha);
{
  "name": "User input flows into implicitly launched intent",
  "code": 3,
  "description": "Values from user-controlled source may eventually flow into an implicit intent and intent launcher",
  "multi_sources": {
    "a": [
      "IntentCreation"
    ],
    "b": [
      "FragmentUserInput",
      "ActivityUserInput",
      "ReceiverUserInput",
      "ServiceUserInput"
    ]
  },
  "partial_sinks": [
    "LaunchingComponent"
  ]
},
Hi all,
I was trying to write a custom rule to scan for hardcoded crypto keys like:
new SecretKeySpec("some-key".getBytes(), "AES");
However, I can't find any resources in the documentation about defining a Source from a constant (literal string, static fields, etc.). Is it possible to scan for such issues with MT anyway?
I cannot run it on Mac M1.
// Posted fragment, with the annotations restored (GitHub had rendered @Override/@Nullable as user mentions)
// and a class wrapper plus imports added so it compiles on its own; the androidx import is an assumption.
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.os.Handler;
import android.os.Looper;
import android.os.Message;
import androidx.annotation.Nullable;

public class ShareTransActivity extends Activity {
    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        Intent data = getIntent();                 // the launching intent, controllable by the caller
        Handler handler = this.y;
        Message message = Message.obtain(handler, 1);
        message.obj = data;                        // the intent travels through the message queue
        this.y.sendMessageDelayed(message, 100L);
    }

    private Handler y = new Handler(Looper.getMainLooper()) {
        @Override
        public final void handleMessage(Message message) {
            super.handleMessage(message);
            Object obj = message.obj;
            ShareTransActivity.this.startActivity((Intent) obj); // launches the received intent
        }
    };
}
Hey, can I increase the "Propagation" or something to check out this path?
Currently I'm trying to detect intent redirection, using this as example code to test for:
Intent redirectIntent = (Intent) getIntent().getParcelableExtra("redirect_intent");
...
startActivity(redirectIntent);
I defined the sink to be the default for launching components, and for sources, I defined it to be:
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "name",
          "pattern": ".*getParcelableExtra.*"
        }
      ],
      "model": {
        "modes": [
          "taint-in-taint-out"
        ],
        "generations": [
          {
            "kind": "IntentRedirectSource",
            "port": "Argument(0)"
          }
        ]
      }
    }
  ]
}
The models do not detect the flow of data; I'm a little curious as to why that would be the case. Do I need to write a method to detect that it was cast as an Intent, or is there something wrong with my interpretation of the modeled source and sink?
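To make the port semantics behind both the generations question above and this getParcelableExtra model concrete, here is an added model generator file. It is not taken from the issues or from the Mariana Trench repository. In Mariana Trench's port syntax, Argument(0) of an instance method is the receiver: a generation on Argument(0) of Intent.<init>, as in ImplicitIntentSourceGenerator.json, marks the freshly constructed Intent as tainted once the constructor returns, while a generation on Return marks the value a method hands back, which is where an extra pulled out of an Intent actually lives. The kind names IntentCreation and IntentRedirectSource are the ones used on this page; restricting the second generator to the android.content.Intent class is an assumption made for this example.

```json
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Landroid/content/Intent;"
          }
        },
        {
          "constraint": "name",
          "pattern": "\\<init\\>"
        }
      ],
      "model": {
        "generations": [
          {
            "kind": "IntentCreation",
            "port": "Argument(0)"
          }
        ]
      }
    },
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Landroid/content/Intent;"
          }
        },
        {
          "constraint": "name",
          "pattern": "getParcelableExtra"
        }
      ],
      "model": {
        "generations": [
          {
            "kind": "IntentRedirectSource",
            "port": "Return"
          }
        ]
      }
    }
  ]
}
```

With a sink of kind LaunchingComponent on the Intent argument of startActivity, the second generator is what lets the value of getIntent().getParcelableExtra("redirect_intent") carry taint into startActivity(redirectIntent); a generation on Argument(0) would instead taint the receiving Intent, which is not the object passed to the launcher.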
Is your feature request related to a problem? Please describe.
I want to build from source instead of using pip. But there is missing information and the build fails.
Describe the solution you'd like
Clear instructions on how to replicate a functioning build from source in the readme or in an Install.md
Bug description
Using mariana on com.facebook.katana results in CRITICAL Analysis binary exited with exit code -6.
Reproduction steps
apktool d com.facebook.katana
mariana-trench --system-jar-configuration-path=/home/philippe/Android/Sdk/platforms/android-32/android.jar --apk-path=/media/phwd/Facebook/APKs/build-fb4a-fbandroid.279448010.apk --source-root-directory=/media/phwd/Facebook/APKs/build-fb4a-fbandroid.279448010/build-fb4a-fbandroid.279448010/sources/com
Expected behavior
Files created for analysis
Logs
INFO Analyzed 1369761 models in 6493.68s. Found 557 issues!
INFO Augmenting positions...
INFO Augmented positions in 0.58s.
INFO Writing models to `/media/phwd/Facebook/mariana/`.
free(): invalid pointer
[0x75b676]
[0xa34080]
[0xa3267b]
[0x459fa7]
[0xa6c5b6]
[0xa730ac]
[0xa7487c]
[0x6ad499]
[0x6ad47c]
[0x6ad47c]
[0x6ad47c]
[0x6ad47c]
[0x6ad47c]
[0x6ad47c]
[0x6aad35]
[0x6aadc2]
[0x6ad489]
[0x6ad47c]
[0x6aad35]
[0x6aadc2]
[0x6ad489]
[0x6aad35]
[0x6aadc2]
[0x612b27]
[0x61399a]
[0x4fc211]
[0x4fc70f]
[0x694e1b]
[0xa2cc39]
[0xaca993]
CRITICAL Analysis binary exited with exit code -6.
Additional context
Ubuntu 20.04
64GB