After Pysa's analysis is complete, the tool will output a detailed JSON with its final view of the taint of callables in addition to the issues it finds. We provide a script to explore these taint models called explore_pysa_models.py, which can give you insight into why Pysa thinks there might or might not be taint for a given callable.
Before using the explore script, you should already have run Pysa on your codebase. For the purposes of this page, we will assume you stored it in
After the analysis succeeds, Pysa will write a file, /tmp/output_dir/taint-output.json, containing the taint of each callable in addition to the issues found. Let's load this JSON into our explore script:
Once we've indexed our taint JSON, we're good to go! Let's investigate what models Pysa finds for HttpRequest. First, we'll need to get the full name of the relevant callables:
This (hard-to-parse) JSON is all that Pysa knows about the HttpRequest.__init__ function. If you squint, you'll see that the model doesn't introduce any sources or sinks (as expected), but has taint-in-taint-out for the
Let's take a look at body, a slightly more interesting function. We'll also swap to using the print_model() function, which will pretty-print the output:
Much easier to read! This model shows that the body property of HttpRequest returns a UserControlled source.
You can also use the get_issues function, and the corresponding pretty-printing print_issues function, to see all issues in a given callable.
Note that the get_models functions return Python objects that you can manipulate:
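As an added example (not the explore script itself), here is a minimal stand-alone indexer for the kind of model exploration described above: it reads a constructed taint-output sample, finds the callables containing "HttpRequest", and flattens the source, sink and taint-in-taint-out kinds of each model. It assumes a newline-delimited layout of one {"kind": "model" | "issue", "data": {...}} object per line; check the keys against your own Pysa output before relying on it.

```python
import json
from collections import defaultdict

# Constructed sample (three made-up records) in the layout this example
# assumes for taint-output.json; real files are far larger.
SAMPLE_TAINT_OUTPUT = "\n".join(json.dumps(r) for r in [
    {"kind": "model", "data": {
        "callable": "django.http.request.HttpRequest.__init__",
        "sources": [], "sinks": [],
        "tito": [{"port": "formal(self)",
                  "taint": [{"kinds": [{"kind": "LocalReturn"}]}]}]}},
    {"kind": "model", "data": {
        "callable": "django.http.request.HttpRequest.body",
        "sources": [{"port": "result",
                     "taint": [{"kinds": [{"kind": "UserControlled"}]}]}],
        "sinks": [], "tito": []}},
    {"kind": "issue", "data": {
        "callable": "views.render_comment", "code": 5001,
        "message": "User controlled data flows into a sink"}},
])


def index(text):
    """Index model records by callable and issue records per callable."""
    models, issues = {}, defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        data = record.get("data", {})
        if record.get("kind") == "model":
            models[data["callable"]] = data
        elif record.get("kind") == "issue":
            issues[data["callable"]].append(data)
    return models, issues


def callables_containing(models, fragment):
    """Full callable names whose name contains the fragment, sorted."""
    return sorted(name for name in models if fragment in name)


def taint_kinds(model, section):
    """Flatten the kind names under a model's 'sources', 'sinks' or 'tito'."""
    return sorted({k["kind"] for entry in model.get(section, [])
                   for taint in entry.get("taint", [])
                   for k in taint.get("kinds", [])})


def print_model(model):
    """Pretty-print one model, as the explore script's print_model() does."""
    print(json.dumps(model, indent=2))


if __name__ == "__main__":
    models, issues = index(SAMPLE_TAINT_OUTPUT)
    for name in callables_containing(models, "HttpRequest"):
        print(name, "sources:", taint_kinds(models[name], "sources"),
              "tito:", taint_kinds(models[name], "tito"))
    print_model(models["django.http.request.HttpRequest.body"])
```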