Running Pysa
This page walks you through the basics of running Pysa. If you want exercises to walk you through using Pysa's more advanced features, check out this tutorial.
#
SetupThe setup requires the following 4 types of files.
- Source Code (
*.py
): This is your application's code. - Taint Config (
taint.config
): This file declares sources, sinks, features, and rules. - Taint Models (
.pysa
): These files link together the information in your source code andtaint.config
. They tell Pysa where in our code there exist sources and sinks. - Pysa Configuration (
.pyre_configuration
): Parts of this file are critical to using Pysa.source_directories
tells Pysa the directory containing the source code you want to analyze.taint_models_path
tells Pysa where to find the config and model files.
#
ExampleLet's look at a simple taint analysis example. To follow along, create a
directory static_analysis_example
and navigate to it. Paste the code snippets
into the appropriately named files.
#
1. Source CodeNotice the following:
- The
input
function is a taint source since it gets input directly from the user. - The
os.system
function is a taint sink, since we do not want user-controlled values to flow into it. - The return value of
input
is used as the URL for awget
call, which is executed byos.system
. Thewget
can therefore be doing anything, out of the programmer's control. - This data flow should be identified as a potential security issue.
#
2. Taint ConfigThis declares the valid sources and sinks that Pysa should recognize. We
also tell Pysa that data flowing from a UserControlled
source to a
RemoteCodeExecution
sink is a possible shell injection.
#
3. Taint ModelsThis file links together the information in source.py
and taint.config
. We
use it to tell Pysa where in our code there exist sources and sinks.
#
4. Pysa ConfigurationPysa needs to know what directory to analyze, as well as where to find the config and model files.
#
AnalysisNow let's run the static analysis:
Looking at the output, we see that pyre surfaces the tainted data flow that we expected.
Let's run it again and save the results:
The --save-results-to
option will save more detailed results to
./taint-output.json
.