Taint analysis
Taint analysis lets you trace the flow of potentially harmful or tainted data through a program. It identifies paths where untrusted input or sources might reach sensitive operations or sinks without proper validation or sanitization, which helps prevent security vulnerabilities like SQL injections, cross-site scripting (XSS), command injections, and path traversal.
The core goal of taint analysis is to determine if unanticipated input can affect program execution in malicious ways.
Taint analysis is supported by the Qodana for PHP and Qodana for JVM linters under the Ultimate Plus license.
The origin of tainted data is called a source, while a vulnerable function that tainted data may reach is called a sink. Tainted data travels from sources to sinks via propagators, such as function calls or assignments.
To stop such propagation, taint analysis recognizes several approaches, such as data sanitization or transforming the data into a safe state. Here, HTML tags are removed to resolve the taint:
<?php
$taint = $_GET['some_key'];   // source: untrusted request parameter
$taint = strip_tags($taint);  // sanitizer: tags removed, taint resolved
Data validation checks that the data conforms to a required pattern. In this sample, the $email variable is validated before it reaches the sink:
<?php
$email = $_GET['email'];                        // source: untrusted request parameter
if (filter_var($email, FILTER_VALIDATE_EMAIL)) { // validation: taint resolved inside this branch
echo $email;                                     // sink: reached only by validated data
}
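As an added example (not the page's or Qodana's code), here is a minimal straight-line taint tracker in Python that models the source, propagator, sanitizer and validation concepts above and returns the source-to-sink trace for each finding. The statement format, the sanitizer list and the sample program are constructed for this illustration, and validation is simplified to resolve taint for the statements that follow it.

```python
# Constructed example of the technique above, not Qodana's own code or data model.
SANITIZERS = {"strip_tags", "htmlspecialchars", "intval"}  # calls that resolve taint
def first_tainted(operands, taint, step):
    for operand in operands:              # trace of the first tainted operand plus this step
        trace = eval_expr(operand, taint)
        if trace is not None:
            return trace + [step]
    return None

def eval_expr(expr, taint):
    """Return the source-to-here trace for an expression, or None when it is clean."""
    if isinstance(expr, str):             # "$name" reads a variable; other strings are clean literals
        return taint.get(expr) if expr.startswith("$") else None
    if expr[0] == "source":               # untrusted input such as a $_GET parameter
        return [f"source {expr[1]}"]
    if expr[0] == "concat":               # propagator: string concatenation
        return first_tainted(expr[1], taint, "via concatenation")
    if expr[0] == "call":                 # a sanitizer resolves taint; any other call propagates it
        return None if expr[1] in SANITIZERS else first_tainted(expr[2], taint, f"via {expr[1]}()")
    raise ValueError(f"unknown expression kind {expr[0]!r}")

def analyze(program):
    """Walk statements in order; report each sink reached by unsanitized source data."""
    taint, findings = {}, []
    for stmt in program:
        if stmt[0] == "assign":           # propagator: assignment
            trace = eval_expr(stmt[2], taint)
            taint[stmt[1]] = None if trace is None else trace + [f"assigned to {stmt[1]}"]
        elif stmt[0] == "validate":       # filter_var()-style check resolves taint; sinks that
            taint[stmt[1]] = None         # follow are assumed to sit inside the guarded branch
        elif stmt[0] == "sink":
            trace = eval_expr(stmt[2], taint)
            if trace is not None:
                findings.append((stmt[1], trace + [f"reaches sink {stmt[1]}()"]))
    return findings
# Constructed program: the page's two resolved flows plus one SQL injection path.
PROGRAM = [
    ("assign", "$taint", ("source", "$_GET['some_key']")),
    ("assign", "$taint", ("call", "strip_tags", ["$taint"])),
    ("sink", "echo", "$taint"),
    ("assign", "$email", ("source", "$_GET['email']")),
    ("validate", "$email"),
    ("sink", "echo", "$email"),
    ("assign", "$name", ("source", "$_GET['name']")),
    ("assign", "$sql", ("concat", ["SELECT * FROM users WHERE name = '", "$name", "'"])),
    ("sink", "mysqli_query", "$sql"),
]
if __name__ == "__main__":
    for func, trace in analyze(PROGRAM):  # prints one DFA-style trace per finding
        print(func, "<=", " -> ".join(trace))
```

Only the concatenated SQL flow is reported; the sanitized and validated echo calls produce no finding.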
This section explains how you can run taint analysis in IntelliJ IDEA and CI/CD pipelines.
Before you run taint analysis in IntelliJ IDEA, install the Security Analysis by Qodana plugin. To do this, navigate to the Problems tool window and click the Security Analysis tab. On this tab, click the Install plugin button.
Alternatively, navigate to File | Settings | Plugins and install the Security Analysis by Qodana plugin.
Taint analysis is available by default once you enable the qodana.recommended inspection profile.
Navigate to the Problems tool window and then click the Security Analysis tab. On this tab, click the Run Taint Analysis button.
Alternatively, you can navigate to Tools | Security Analysis | Run Taint Analysis.
In the dialog that opens, configure taint analysis. Here you can set the scope of files that you would like to analyze, as well as file masks for the analyzed files.
The Inspection options group contains three tabs: Settings for in-Editor Analysis, Settings for Batch Analysis, and Common Settings.
Settings for in-Editor Analysis: options applied to an opened file in real time.
The Analysis depth (from a current file) field configures analysis depth using the reference pattern
Current file -> File 1 (Low) -> File 2 (Medium) -> File 3 (High)
For example, the Medium setting follows references up to File 2 in this pattern. The Analysis time limit for in-editor analysis (ms) field configures the amount of time that can be allocated to a specific file. The default value is 5000 ms.
Settings for Batch Analysis: configuration of batch analysis over an entire project.
The Analysis depth (from a current file) field configures analysis depth using the same reference pattern
Current file -> File 1 (Low) -> File 2 (Medium) -> File 3 (High)
For example, the Medium setting follows references up to File 2 in this pattern. The Use caches during analysis field lets you use caching. While consuming disk space, it can improve analysis performance.
Common Settings: if enabled, the Enable computation expensive configurations checkbox involves additional analysis techniques that can improve output but will significantly impact performance.
In your IDE, point to a suspicious code fragment and then click the Show DFA trace link to open the Security Analysis tab.
The left part of the Security Analysis tab contains all steps of a source-to-sink track. The right part shows the code fragments corresponding to a specific step. You can click any step to see the source trace to the sink.
Configure the Security Analysis tab by navigating to File | Settings | Advanced settings. Here, find the Security Analysis section and then configure the Show Problem Tab checkbox.
Qodana for PHP: in the qodana.yaml file, include the PhpVulnerablePathsInspection inspection into the analysis scope:
include:
  - name: PhpVulnerablePathsInspection
Alternatively, you can use the inspections section of qodana.yaml:
inspections:
  - inspection: PhpVulnerablePathsInspection
    enabled: true
Qodana for JVM: in the qodana.yaml file, include the JvmTaintAnalysis inspection into the analysis scope:
include:
  - name: JvmTaintAnalysis
Alternatively, you can use the inspections section of qodana.yaml:
inspections:
  - inspection: JvmTaintAnalysis
    enabled: true