Taint analysis
Taint analysis lets you trace the flow of potentially harmful or tainted data through a program. It identifies paths where untrusted input or sources might reach sensitive operations or sinks without proper validation or sanitization, which helps prevent security vulnerabilities like SQL injections, cross-site scripting (XSS), command injections, and path traversal.
The core goal of taint analysis is to determine if unanticipated input can affect program execution in malicious ways.
Taint analysis is supported by the Qodana for PHP and Qodana for JVM linters under the Ultimate Plus license.
How it works
The origin of tainted data is called a source, while a vulnerable function that may receive such data is called a sink. Tainted data travels from sources to sinks via propagators, such as function calls or assignments.
To stop such propagation, taint analysis recognizes several approaches like data sanitization or the transformation of data to a safe state. In the following sample, tags are removed to resolve the taint:
Data validation checks that input conforms to a required pattern. In the following sample, validation for the $email variable is enabled:
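As an added illustration of the roles described above (not Qodana's own code, and not the samples the page refers to), the following toy forward taint tracker walks a tiny straight-line program and applies exactly those rules: a source marks a variable as tainted, assignments, calls and concatenation propagate the mark, a sanitizer call or a validation step clears it, and a sink reached by tainted data produces a finding together with its source-to-sink track. The statement shapes, the sanitizer and sink catalogues, and the three sample programs are all constructed for this example.

```python
"""Toy forward taint tracker over a tiny straight-line program.

Added example, not Qodana's own code. It models the roles the text
describes: sources introduce taint, propagators (assignments, calls,
concatenation) carry it, sanitizers and validators clear it, and sinks
report it with the full source-to-sink track. The statement shapes,
catalogues and sample programs are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed catalogue: calls whose result is treated as untainted.
SANITIZERS = {"strip_tags", "htmlspecialchars", "intval"}
# Constructed catalogue: sensitive operations and the weakness they expose.
SINKS = {
    "mysql_query": "SQL injection",
    "echo": "XSS",
    "system": "command injection",
    "fopen": "path traversal",
}


@dataclass
class Value:
    tainted: bool
    track: list = field(default_factory=list)  # steps taken so far


@dataclass
class Finding:
    kind: str
    track: list  # source-to-sink track, one entry per step


def analyze(program):
    """Walk the statements in order, propagating taint per variable.

    Statement forms (constructed for this example):
      ("source", var, origin)      var receives untrusted input
      ("assign", dst, src)         propagator: plain assignment
      ("call", dst, func, arg)     propagator, or sanitizer if func is one
      ("validate", var, rule)      var is trusted once it matches rule
      ("concat", dst, parts)       parts: ("lit", text) or ("var", name)
      ("sink", func, arg)          sensitive operation consuming arg
    """
    env = {}
    findings = []
    for n, stmt in enumerate(program, 1):
        op = stmt[0]
        if op == "source":
            _, var, origin = stmt
            env[var] = Value(True, [f"{n}: source {origin} -> ${var}"])
        elif op == "assign":
            _, dst, src = stmt
            v = env.get(src, Value(False))
            env[dst] = Value(v.tainted, v.track + [f"{n}: ${src} -> ${dst}"])
        elif op == "call":
            _, dst, func, arg = stmt
            v = env.get(arg, Value(False))
            clean = func in SANITIZERS
            label = "sanitizer " if clean else ""
            env[dst] = Value(v.tainted and not clean,
                             v.track + [f"{n}: {label}{func}(${arg}) -> ${dst}"])
        elif op == "validate":
            _, var, rule = stmt
            v = env.get(var, Value(False))
            # Only the success path is modelled: after validation the value
            # is known to conform to the rule, so its taint is resolved.
            env[var] = Value(False, v.track + [f"{n}: validate ${var} against {rule}"])
        elif op == "concat":
            _, dst, parts = stmt
            tainted, track = False, []
            for kind, text in parts:  # literals never carry taint
                if kind == "var" and text in env and env[text].tainted:
                    tainted = True
                    track += env[text].track
            env[dst] = Value(tainted, track + [f"{n}: concatenation -> ${dst}"])
        elif op == "sink":
            _, func, arg = stmt
            v = env.get(arg, Value(False))
            if v.tainted:
                findings.append(Finding(SINKS[func], v.track + [f"{n}: sink {func}(${arg})"]))
        else:
            raise ValueError(f"unknown statement {op!r}")
    return findings


def render(finding):
    """Render a finding as a source-to-sink track, one step per line."""
    return finding.kind + "\n" + "\n".join("  " + step for step in finding.track)


# Constructed sample 1: $_GET['id'] reaches a SQL query unchanged.
VULNERABLE = [
    ("source", "id", "$_GET['id']"),
    ("assign", "user_id", "id"),
    ("concat", "query", [("lit", "SELECT * FROM users WHERE id = "), ("var", "user_id")]),
    ("sink", "mysql_query", "query"),
]

# Constructed sample 2: the same flow, but intval() sanitizes the value first.
SANITIZED = [
    ("source", "id", "$_GET['id']"),
    ("call", "user_id", "intval", "id"),
    ("concat", "query", [("lit", "SELECT * FROM users WHERE id = "), ("var", "user_id")]),
    ("sink", "mysql_query", "query"),
]

# Constructed sample 3: $email is validated against a pattern before output.
VALIDATED = [
    ("source", "email", "$_POST['email']"),
    ("validate", "email", "FILTER_VALIDATE_EMAIL"),
    ("concat", "html", [("lit", "<p>"), ("var", "email"), ("lit", "</p>")]),
    ("sink", "echo", "html"),
]

if __name__ == "__main__":
    for name, prog in (("VULNERABLE", VULNERABLE), ("SANITIZED", SANITIZED), ("VALIDATED", VALIDATED)):
        found = analyze(prog)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(render(f))
```

Running the block reports one SQL injection finding for the first sample with a four-step track (source, assignment, concatenation, sink), and nothing for the sanitized and validated variants. A real analyzer additionally has to handle branches, loops, inter-procedural calls and partial sanitizers; the toy here deliberately models only the success path of a validation and a flat catalogue of sanitizers, which is why it stays short.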
Before you start
This section explains how you can run taint analysis in IntelliJ IDEA and CI/CD pipelines.
IntelliJ IDEA
Before you run taint analysis in IntelliJ IDEA, install the Security Analysis by Qodana plugin. To do it, navigate to the Problems tool window and click the Security Analysis tab. On this tab, click the Install plugin button.
Alternatively, navigate to File | Settings | Plugins and install the Security Analysis by Qodana plugin.
CI/CD
Taint analysis is available by default once you enable the qodana.recommended inspection profile.
Run taint analysis
IntelliJ IDEA
Navigate to the Problems tool window and then click the Security Analysis tab. On this tab, click the Run Taint Analysis button.
Alternatively, you can navigate to Tools | Security Analysis | Run Taint Analysis.
In the dialog that opens, configure taint analysis. Here you can configure the scope of files that you would like to analyze, as well as file masks for the analyzed files.
The Inspection options group contains several tabs.
Options applied to an opened file in real time:
The field that configures analysis depth uses the Current file -> File 1 (Low) -> File 2 (Medium) -> File 3 (High) reference pattern. For example, the Medium setting configures the reference to File 2 from this pattern.
The field that configures the amount of time that can be allocated for a specific file has a default value of 5000 ms.
Configuration of batch analysis over an entire project:
The field that configures analysis depth uses the Current file -> File 1 (Low) -> File 2 (Medium) -> File 3 (High) reference pattern. For example, the Medium setting configures the reference to File 2 from this pattern.
The field that lets you use caching improves analysis performance at the cost of disk space.
If enabled, the checkbox for additional analysis techniques can improve output but will significantly impact performance.
Explore results
In your IDE, point to a suspicious code fragment and then click the link to open the Security Analysis tab. The left part of the tab contains all steps of a source-to-sink track. The right part shows the code fragments corresponding to a specific step. You can click any step to see the source trace to the sink.
Configure the Security Analysis tab
Configure the Security Analysis tab by navigating to File | Settings | Advanced settings. Here, find the Security Analysis section and then configure the Show Problem Tab checkbox.
CI/CD
For Qodana for PHP, in the qodana.yaml file, include the PhpVulnerablePathsInspection inspection into the analysis scope:
Alternatively, you can use the inspections section of qodana.yaml:
For Qodana for JVM, in the qodana.yaml file, include the JvmTaintAnalysis inspection into the analysis scope:
Alternatively, you can use the inspections section of qodana.yaml:
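As an added example of what such a qodana.yaml fragment looks like (the page itself shows no file contents, and this is not copied from the product documentation), the following assumes the standard top-level profile and include keys of qodana.yaml; the inspection name is the one the text names for the PHP linter, with the JVM name given in a comment:

```yaml
# qodana.yaml (added example; assumes the standard profile/include layout)
version: "1.0"
profile:
  name: qodana.recommended          # profile in which taint analysis is on by default
include:
  - name: PhpVulnerablePathsInspection   # Qodana for PHP; use JvmTaintAnalysis for Qodana for JVM
```

Keep the inspection name in the include list even when the profile already enables it: an explicit include documents the intent and survives a later switch to a stricter or custom profile that might otherwise drop it.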