Pysa Bug
Pre-submission checklist
- [x] I've checked the list of common issues and mine does not appear
I've reported a similar issue for Mariana Trench (Issue 179) so maybe that's just expected behavior.
Bug description
Please consider the following code:

```python
my_instance = MyClass()
my_instance.attribute = source()
sanitize(my_instance)
sink(my_instance.attribute)  # Reported by Pysa
```

using the following functions/classes:

```python
class MyClass:
    attribute: str


def sink(param: str):  # Defined as sink in Pysa config
    pass


def source():  # Defined as source in Pysa config
    return "Secret"


def sanitize(a: MyClass):
    a.attribute = ""
```
Running Pysa on this code returns one issue (as annotated in the code above), but actually no taint is leaked in this code.
If we move the sanitizing inline like this:

```python
my_instance = MyClass()
my_instance.attribute = source()
my_instance.attribute = ""
sink(my_instance.attribute)  # Not reported by Pysa
```
Pysa correctly doesn't report the issue.
I call pysa via `pyre analyze --save-results-to ./results/` and I'm using version 0.9.23.
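The report refers to the source and sink being "defined in Pysa config" without showing that file; the model stubs below are an added example (not the reporter's files) of how that setup is declared so the false positive can be reproduced. It assumes the reproducer lives in a module named `repro` and that `taint.config` declares a source kind `Secret` and a sink kind `Leak` joined by a rule; `sanitize` is deliberately left unmodelled, matching the reported setup.

```pysa
# repro.pysa (added example; assumed module name `repro`, assumed kinds `Secret`
# and `Leak` declared in taint.config with a rule from Secret to Leak)

# The return value of source() carries Secret taint.
def repro.source() -> TaintSource[Secret]: ...

# Any value reaching `param` that carries Secret taint is reported.
def repro.sink(param: TaintSink[Leak]): ...

# No model for repro.sanitize: Pysa only sees its effect on `a.attribute`
# if it infers the attribute write itself, which is what this issue is about.
```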