Address bug in piped functions

GriffinMB · GriffinMB · commit 826b5972a65e · 2018-02-05T18:08:12.000-05:00
diff --git a/lib/sobelow/utils.ex b/lib/sobelow/utils.ex
@@ -407,21 +407,21 @@ defmodule Sobelow.Utils do
   defp get_funs_from_pipe(fun, type, nil) do
     get_pipe_funs(fun)
     |> Enum.map(fn {_, _, opts} -> Enum.at(opts, 1) end)
-    |> Enum.flat_map(&get_funs_of_type(&1, type))
+    |> Enum.flat_map(&get_piped_funs_of_type(&1, type))
     |> Enum.uniq()
   end
 
   defp get_funs_from_pipe(fun, type, module) do
     get_pipe_funs(fun)
     |> Enum.map(fn {_, _, opts} -> Enum.at(opts, 1) end)
-    |> Enum.flat_map(&get_aliased_funs_of_type(&1, type, module))
+    |> Enum.flat_map(&get_piped_aliased_funs_of_type(&1, type, module))
     |> Enum.uniq()
   end
 
   def get_erlang_funs_from_pipe(fun, type, module) do
     get_pipe_funs(fun)
     |> Enum.map(fn {_, _, opts} -> Enum.at(opts, 1) end)
-    |> Enum.flat_map(&get_erlang_aliased_funs_of_type(&1, type, module))
+    |> Enum.flat_map(&get_piped_erlang_aliased_funs_of_type(&1, type, module))
     |> Enum.uniq()
   end
 
@@ -483,6 +483,16 @@ defmodule Sobelow.Utils do
     acc
   end
 
+  def get_piped_erlang_aliased_funs_of_type(ast, type, module) do
+    case ast do
+      {{:., _, [^module, ^type]}, _, _} ->
+        [ast]
+
+      _ ->
+        []
+    end
+  end
+
   def get_funs_by_module(ast, module) do
     {_, acc} = Macro.prewalk(ast, [], &contains_module(&1, &2, module))
     acc
@@ -579,6 +589,30 @@ defmodule Sobelow.Utils do
     {ast, acc}
   end
 
+  def get_piped_aliased_funs_of_type(ast, type, module) when is_list(module) do
+    case ast do
+      {{:., _, [{:__aliases__, _, ^module}, ^type]}, _, _} ->
+        [ast]
+
+      _ ->
+        []
+    end
+  end
+
+  def get_piped_aliased_funs_of_type(ast, type, module) do
+    case ast do
+      {{:., _, [{:__aliases__, _, aliases}, ^type]}, _, _} ->
+        if List.last(aliases) === module do
+          [ast]
+        else
+          []
+        end
+
+      _ ->
+        []
+    end
+  end
+
   def get_funs_of_type(ast, type) do
     {_, acc} = Macro.prewalk(ast, [], &get_funs_of_type(&1, &2, type))
     acc
@@ -603,6 +637,16 @@ defmodule Sobelow.Utils do
 
   def get_funs_of_type(ast, acc, _type), do: {ast, acc}
 
+  def get_piped_funs_of_type(ast, type) do
+    case ast do
+      {^type, _, _} ->
+        [ast]
+
+      _ ->
+        []
+    end
+  end
+
   defp create_fun_cap(fun, meta, idx) do
     opts = Enum.map(1..idx, fn i -> {:&, [], [i]} end)
     {fun, meta, opts}
diff --git a/test/pipe_test.exs b/test/pipe_test.exs
@@ -2,6 +2,7 @@ defmodule SobelowTest.PipeTest do
   use ExUnit.Case
   import Sobelow, only: [is_vuln?: 1]
   alias Sobelow.DOS.StringToAtom
+  alias Sobelow.Misc.BinToTerm
 
   test "Simple Pipe" do
     func = """
@@ -66,4 +67,68 @@ defmodule SobelowTest.PipeTest do
 
     assert StringToAtom.parse_def(ast) |> is_vuln?
   end
+
+  test "Unpiped in piped function" do
+    func = """
+    def show(conn, %{"page" => page}) do
+      conn
+      |> render(String.to_atom(page))
+    end
+    """
+
+    {_, ast} = Code.string_to_quoted(func)
+
+    assert StringToAtom.parse_def(ast) |> is_vuln?
+  end
+
+  test "Unpiped anonymous function in piped function" do
+    func = """
+    def show(conn, %{"pages" => pages}) do
+      pages
+      |> Enum.each(&String.to_atom/1)
+    end
+    """
+
+    {_, ast} = Code.string_to_quoted(func)
+
+    assert StringToAtom.parse_def(ast) |> is_vuln?
+  end
+
+  test "Pipe to erlang module" do
+    func = """
+    def show(conn, %{"data" => data}) do
+      data |> :erlang.binary_to_term()
+    end
+    """
+
+    {_, ast} = Code.string_to_quoted(func)
+
+    assert BinToTerm.parse_def(ast) |> is_vuln?
+  end
+
+  test "Unpiped erlang module in piped function" do
+    func = """
+    def show(conn, %{"page" => page}) do
+      conn
+      |> func(:erlang.binary_to_term(page))
+    end
+    """
+
+    {_, ast} = Code.string_to_quoted(func)
+
+    assert BinToTerm.parse_def(ast) |> is_vuln?
+  end
+
+  test "Safe unpiped in piped function" do
+    func = """
+    def show(conn, %{"page" => page}) do
+      conn
+      |> render(String.to_atom("index"))
+    end
+    """
+
+    {_, ast} = Code.string_to_quoted(func)
+
+    refute StringToAtom.parse_def(ast) |> is_vuln?
+  end
 end
