Taint graph analysis for source code review

Bottom line up front

‘Tainted’ (unsafe) data that flows into potentially exploitable sinks is a threat that needs to be identified and assessed in applications. Taint graphs are a great tool for visualizing sources and sinks within code. We show a practical way to implement taint graph analysis for PHP code with Psalm and GitHub Actions.


Photo by FotosMalasPeroMias

It’s not that deep, just dive into the code

One of the most important things to understand when performing code review is that we need to be able to trace data flows within specific areas or components of our target application. But as much as we like to read and understand code, it can still be daunting to dive straight into a codebase and manually trace, line by line, how some user-supplied input ends up being processed by the application, especially when we are not particularly familiar with the code and are time-constrained. We need to be able to iterate fast to speed up our code review workflow. So what can we do? Wouldn’t it be nice to have a GitHub Action do just that for us, with a graph as output that sheds a glimmer of light on where to prioritize our precious manual effort before diving all the way into the code?

The Gist

You can use the following YAML to set up Psalm with GitHub Actions in the repo you're looking to target, saved as .github/workflows/main.yml:

Psalm will also need the psalm.xml and composer.json files:

In the end, your repo should look like this once it's set up. When you push files ending in .php, they will be analyzed by Psalm.
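A workflow of this shape, written here as an added example rather than the post's own gist, runs Psalm's taint analysis on every push or pull request that touches PHP files and keeps the resulting graph as a downloadable artifact. It assumes composer.json lists Psalm as a dev dependency and that psalm.xml already exists, as the post describes; the PHP version, step names and artifact name are my own choices.

```yaml
name: Psalm taint analysis

on:
  push:
    paths:
      - '**.php'
  pull_request:
    paths:
      - '**.php'

jobs:
  taint-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'   # assumed; pick the version your project targets
          tools: composer

      # Assumes composer.json already requires vimeo/psalm as a dev dependency.
      - name: Install dependencies (including Psalm)
        run: composer install --no-interaction --prefer-dist

      # --taint-analysis enables the source-to-sink engine; --dump-taint-graph
      # writes every detected path as a Graphviz DOT file for later inspection.
      - name: Run taint analysis
        run: vendor/bin/psalm --taint-analysis --dump-taint-graph=taint-graph.dot

      # Psalm exits non-zero when it reports a taint, so the remaining steps use
      # if: always() to make sure the graph is still rendered and uploaded.
      - name: Render graph as PNG
        if: always()
        run: |
          sudo apt-get update && sudo apt-get install -y graphviz
          dot -Tpng taint-graph.dot -o taint-graph.png

      - name: Upload taint graph
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: taint-graph
          path: |
            taint-graph.dot
            taint-graph.png
```

The DOT file lists each reported flow as a chain of nodes from the source (e.g. a request parameter) to the sink (e.g. a query), which is what the screenshots below show after rendering.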


Implementation Results

The vuln.php sample code written by The Orb

After a successful run, we can see that a SQL taint has been detected. It's now up to us to download the resulting taint graph and assess whether it's a false positive or actually exploitable.


These are simple results, but it's a good sign that we are able to detect engineered vulnerabilities and have also successfully integrated a GitHub Action into our code review workflow through automation. We can view the source and sink clearly in the output graph:


Conclusion

In this post, we learned how to implement a GitHub Action to automate and speed up an example PHP code review workflow by leveraging taint graph analysis.