Pysa

Pysa, the Python Static Analyzer, performs taint analysis to find potential security problems: it traces data flows from their origin (source) to their endpoint (sink) and reports the code along that path as vulnerable.

Configuration

Pysa uses two file types for configuration:

  • a taint.config file in JSON format, in which sources, sinks, features and rules are defined.

    {
      "comment": "UserControlled, Test, Demo sources are predefined. Same for Demo, Test and RemoteCodeExecution sinks",
      "sources": [],
      "sinks": [],
      "features": [],
      "rules": []
    }
    
  • files with the extension .pysa in a directory configured with taint_models_path in your .pyre_configuration file.
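As an added example (not taken from the page or the Pyre repository), the following taint.config declares one custom source and one custom sink and a rule that connects them. The names CliArgument and ShellCommand, the rule code 5001 and the message text are chosen here for illustration; any name can be used as long as the matching .pysa models reference the same names (for example, assuming the usual model syntax, `sys.argv: TaintSource[CliArgument] = ...` and `def os.system(command: TaintSink[ShellCommand]): ...` in a file under taint_models_path).

```json
{
  "comment": "Added example: custom source, sink and rule for a command-injection check",
  "sources": [
    {
      "name": "CliArgument",
      "comment": "values read from the command line (modelled on sys.argv in a .pysa file)"
    }
  ],
  "sinks": [
    {
      "name": "ShellCommand",
      "comment": "strings passed to a shell (modelled on os.system in a .pysa file)"
    }
  ],
  "features": [],
  "rules": [
    {
      "name": "Possible shell injection",
      "code": 5001,
      "sources": ["CliArgument"],
      "sinks": ["ShellCommand"],
      "message_format": "Data from [{$sources}] source(s) may reach [{$sinks}] sink(s)"
    }
  ]
}
```

Each rule pairs a list of sources with a list of sinks; Pysa reports an issue with the given code whenever tainted data from one of the sources can reach one of the sinks. The rule code appears in taint-output.json and in the SAPP issue list, so choose codes that do not collide with the predefined rules.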

You can find practical examples in the Pyre repository.

Use

Pyre can be called, for example, with

$ pipenv run pyre analyze --save-results-to ./

The --save-results-to option stores detailed results in ./taint-output.json.

Pysa post-processor

Installation

$ pipenv install fb-sapp

Use

  1. Parse the JSON file, for example with

    $ pipenv run sapp --database-name sapp.db analyze ./taint-output.json
    

    The results are stored in the local SQLite file sapp.db.

  2. Explore the problems with

    $ pipenv run sapp --database-name sapp.db explore
    

    This starts an IPython interface connected to the SQLite database:

    issues
        lists all issues

    issue 1
        selects the first issue

    trace
        shows the data flow from source to sink

    n
        jumps to the next call

    list
        shows the source code of the call

    jump 1
        jumps to the first call and shows the source code

Further commands can be found in Commands.