### Set up a Python Project and Virtual Environment Source: https://pyre-check.org/docs/getting-started Creates a new project directory, sets up a Python virtual environment, activates it, and installs the pyre-check package. ```Shell mkdir my_project && cd my_project python3 -m venv ~/.venvs/venv source ~/.venvs/venv/bin/activate pip install pyre-check ``` -------------------------------- ### Install Watchman and Python (Ubuntu/Debian) Source: https://pyre-check.org/docs/getting-started Installs Python 3, pip, venv, and Watchman using apt-get on Ubuntu, Mint, or Debian systems. ```Shell sudo apt-get install python3 python3-pip python3-venv watchman ``` -------------------------------- ### Install Wheel and Setuptools Packages Source: https://pyre-check.org/docs/pysa-quickstart Installs the 'wheel' and upgrades 'setuptools' to resolve 'invalid command bdist_wheel' errors during installation. ```bash (pysa) $ pip3 install wheel (pysa) $ python3.8 -m pip install --upgrade setuptools ``` -------------------------------- ### Pyre Check Output Example Source: https://pyre-check.org/docs/installation This shows example output from the 'pyre check' command, indicating successful setup and no type errors found. ```Shell (tp) cooper@TESTFAC-1FMHLI2:/mnt/c/path/to/repo$ pyre --source-directory . check ƛ Setting up a `.pyre_configuration` with `pyre init` may reduce overhead. ƛ No type errors found ``` -------------------------------- ### Install Python Development Headers and Setuptools Source: https://pyre-check.org/docs/pysa-quickstart Installs necessary development headers for Python and upgrades setuptools to resolve compilation errors during package installation. ```bash $ sudo apt install python3.8-dev -y $ source ~/.venvs/pysa/bin/activate $ (pysa) python3.8 -m pip install --upgrade setuptools ``` -------------------------------- ### Install Watchman and Python (macOS) Source: https://pyre-check.org/docs/getting-started Installs Python 3 and Watchman using Homebrew on macOS, which are prerequisites for using Pyre. ```Shell brew install python3 watchman ``` -------------------------------- ### Start SAPP Server Source: https://pyre-check.org/docs/pysa-quickstart Spawns the SAPP web server, making the analysis results accessible via a web UI at http://localhost:5000. ```Bash (pysa) $ sapp server ``` -------------------------------- ### Install Pyre and SAPP Source: https://pyre-check.org/docs/pysa-quickstart Installs the pyre-check and fb-sapp Python packages within the activated virtual environment using pip. ```Bash (pysa) $ pip install pyre-check fb-sapp ``` -------------------------------- ### Install Python Packages Source: https://pyre-check.org/docs/pysa-quickstart Installs or upgrades the setuptools and wheel Python packages using pip. These are required dependencies for Pyre and Pysa. ```Bash $ python3.8 -m pip install --upgrade setuptools $ pip3 install wheel ``` -------------------------------- ### Initialize Pyre Configuration Source: https://pyre-check.org/docs/getting-started Initializes Pyre in the current project directory, creating the necessary configuration files (.pyre_configuration and .watchmanconfig). ```Shell pyre init ``` -------------------------------- ### Setup Pyre-check Development Environment Source: https://pyre-check.org/docs/installation Sets up the local development environment for Pyre-check, including compiling the binary and running unit tests. This script is part of the build-from-source process. ```bash $ cd pyre-check $ ./scripts/setup.sh --local ``` -------------------------------- ### Install Python Client Dependencies and Run Tests Source: https://pyre-check.org/docs/installation Installs the necessary dependencies for the Python client from a requirements file and executes the Python tests. This is used to verify the setup for testing Python client changes. ```bash $ cd /path/to/pyre-check $ pip install -r requirements.txt $ ./scripts/run-python-tests.sh ``` -------------------------------- ### Install pyre-check in Virtual Environment Source: https://pyre-check.org/docs/pysa-quickstart Ensures pyre-check is installed within the activated virtual environment to avoid permission errors. ```bash $ source ~/.venvs/pysa/bin/activate (pysa) $ pip install pyre-check ``` -------------------------------- ### Initialize Pysa and SAPP Source: https://pyre-check.org/docs/pysa-quickstart Initializes Pysa and SAPP for the current project, setting up the necessary environment and configuration for Pysa analysis. ```Bash (pysa) $ pyre init-pysa ``` -------------------------------- ### Set Up Virtual Environment Source: https://pyre-check.org/docs/pysa-quickstart Creates a Python virtual environment named 'pysa' in the user's home directory and activates it for isolated package management. ```Bash $ python3.8 -m venv ~/.venvs/pysa $ source ~/.venvs/pysa/bin/activate ``` -------------------------------- ### Install Pyre-check (Non-Nightly) Source: https://pyre-check.org/docs/pysa-quickstart If Pysa is not working, ensure you are not using a nightly version of Pyre. Uninstall `pyre-check-nightly` and install the stable `pyre-check` package. ```Shell (pysa) $ pip uninstall pyre-check-nightly (pysa) $ pip install pyre-check ``` -------------------------------- ### Update Python on Ubuntu Source: https://pyre-check.org/docs/pysa-quickstart Updates the system package list and installs Python 3.8, its virtual environment package, development headers, and pip on Ubuntu systems. ```Bash $ sudo apt-get update $ sudo apt install python3.8 python3.8-venv python3.8-dev python3-pip -y ``` -------------------------------- ### Example Pyre Configuration Structure Source: https://pyre-check.org/docs/configuration An example of the .pyre_configuration JSON file. It specifies source directories and search paths for Pyre to analyze Python code and external libraries. ```JSON { "source_directories": [ "." ], "search_path": [ "/external/library", {"site-package": "foo"} ] } ``` -------------------------------- ### Create Virtual Environment with Python 3.8 Source: https://pyre-check.org/docs/pysa-quickstart Creates a virtual environment for Pysa using Python 3.8, ensuring the 'ensurepip' module is available. ```bash $ sudo apt install python3.8-venv python3.8-dev -y $ rm -rf ~/.venvs/pysa $ python3.8 -m venv ~/.venvs/pysa ``` -------------------------------- ### Install Pyre-check on Ubuntu with venv Source: https://pyre-check.org/docs/installation This sequence of commands demonstrates setting up a Python virtual environment on Ubuntu, installing pyre-check using pip, and activating the environment. ```Bash $ sudo apt install python3-venv build-essential python3-dev libpython3-dev $ python3 -m venv /tmp/tp $ /tmp/tp/bin/pip install --upgrade pip setuptools wheel $ /tmp/tp/bin/pip install pyre-check $ source /tmp/tp/bin/activate ``` -------------------------------- ### Configure Pyre for External Libraries Source: https://pyre-check.org/docs/pysa-quickstart Add the path to an external library to your `.pyre_configuration` if it wasn't installed with pip and is being used via `module.path.function_name`. ```JSON { "source_directories": [ "." ], "search_path": [ "path/to/external/library" ], "taint_models_path": "~/.venvs/pysa/lib" } ``` -------------------------------- ### Run Pyre Type Checker Source: https://pyre-check.org/docs/getting-started Creates a Python file with a type error and then runs Pyre to detect and report the type checking issues. ```Shell echo "i: int = 'string'" > test.py pyre ``` -------------------------------- ### Clone Pyre-check Repository Source: https://pyre-check.org/docs/installation Clones the Pyre-check source code repository from GitHub. This is the first step for building from source. ```bash $ git clone https://github.com/facebook/pyre-check ``` -------------------------------- ### Run Pysa Analysis Source: https://pyre-check.org/docs/pysa-quickstart Executes Pysa analysis on the project without verification and saves the results to a specified directory './pysa-runs'. ```Bash (pysa) $ pyre analyze --no-verify --save-results-to ./pysa-runs ``` -------------------------------- ### Analyze Project with SAPP Source: https://pyre-check.org/docs/pysa-quickstart Run the `sapp analyze` command to import issues and traces into SAPP. This output indicates if the analysis is proceeding correctly. ```Shell (pysa) $ sapp analyze ``` -------------------------------- ### Pyre Command Line Examples Source: https://pyre-check.org/docs/configuration Demonstrates how to run Pyre commands with common flags, such as specifying the source directory and running in non-interactive mode. ```bash $ pyre --source-directory "." --noninteractive check $ pyre --source-directory "." restart ``` -------------------------------- ### Install Pyre-check via Pip Source: https://pyre-check.org/docs/installation Installs the Pyre-check tool using pip within a virtual environment. This is the recommended method for macOS and Linux users. ```bash (venv) $ pip install pyre-check ``` -------------------------------- ### Python Source Summary Example Source: https://pyre-check.org/docs/pysa-implementation-details Demonstrates how Pysa infers a source summary for a function that returns tainted data. It starts with a model for a 'source' function and shows how Pysa analyzes 'returns_source' and 'wraps_source' to infer their respective source summaries. ```Python def source() -> TaintSource[UserControlled]: ... ``` ```Python def returns_source(): return source() ``` ```Python def returns_source() -> TaintSource[UserControlled]: ... ``` ```Python def wraps_source(): return returns_source() ``` ```Python def wraps_source() -> TaintSource[UserControlled] ``` -------------------------------- ### Recreate Virtual Environment Source: https://pyre-check.org/docs/pysa-quickstart Provides steps to delete and recreate the virtual environment to fix issues related to corrupted type stubs, such as the 'zlib.pyi is not a directory' error. ```bash (pysa) $ deactivate $ rm -rf ~/.venvs/pysa ``` -------------------------------- ### Clone Pyre-check Repository Source: https://pyre-check.org/docs/installation This snippet shows how to clone the pyre-check repository from GitHub and navigate to its root directory using Git. ```Bash git clone https://github.com/facebook/pyre-check.git cd pyre-check ``` -------------------------------- ### Analyze Pysa Results with SAPP Source: https://pyre-check.org/docs/pysa-quickstart Ingests the Pysa analysis results (taint-output.json) into SAPP for further processing and analysis. ```Bash (pysa) $ sapp analyze ./pysa-runs/taint-output.json ``` -------------------------------- ### Start Pyre Server with External Source Analysis Source: https://pyre-check.org/docs/querying-pyre Provides commands to stop existing Pyre servers and start a new one with specific flags to ensure external sources are analyzed, which is crucial for accurate Pysa analysis. ```Shell $ pyre servers stop # Stop existing pyre servers $ pyre --no-saved-state start --wait-on-initialization --analyze-external-sources ``` -------------------------------- ### Resolve Pyre Client Not Found Error Source: https://pyre-check.org/docs/pysa-quickstart Demonstrates how to resolve the 'Could not find a pyre client' error by ensuring the pyre executable is in the PATH of the activated virtual environment. ```bash (pysa) $ pip install pyre-check (pysa) $ cd demo-project (pysa) $ pyre analyze --no-verify ƛ Error: Could not find a pyre client. (pysa) $ which pyre /usr/local/bin/pyre (pysa) $ deactivate (pysa) $ zsh $ source ~/.venvs/pysa/bin/activate (pysa) $ which pyre /Users/unixname/.venvs/pysa/bin/ ``` -------------------------------- ### Serve SAPP with Source Directory Source: https://pyre-check.org/docs/pysa-quickstart When SAPP Web UI shows 'No file found for filename.py', use the `--source-directory` flag with `sapp server` to provide the path to your project's source code. ```Shell (pysa) $ sapp server --source-directory path/to/project_source_code ``` -------------------------------- ### Initialize Pyre inside Docker Container Source: https://pyre-check.org/docs/installation These commands show the manual input required when initializing Pyre inside the Docker container, specifying paths for the pyre binary and typeshed. ```Shell ƛ No `pyre.bin` found, enter the path manually: /home/opam/pyre-check/source/_build/default/main.exe ƛ Unable to locate typeshed, please enter its root: /home/opam/pyre-check/stubs/typeshed/typeshed-master ``` -------------------------------- ### Run Pyre Check on WSL Source: https://pyre-check.org/docs/installation This snippet shows how to navigate to a local repository directory within the activated WSL environment and run the pyre check command. ```Bash $ cd /mnt/c/path/to/repo $ pyre --source-directory . check ``` -------------------------------- ### Build Pyre-check Docker Image Source: https://pyre-check.org/docs/installation This command builds a Docker image with the tag 'pyre-check' from the current directory, which contains the pyre-check source code. ```Shell docker build -t pyre-docker . ``` -------------------------------- ### Check for Pysa Issues in taint-output.json Source: https://pyre-check.org/docs/pysa-quickstart Confirm if Pysa has identified any issues in your project by checking the `taint-output.json` file for the presence of the 'issue' keyword. ```Shell (pysa) $ cat taint-output.json | grep "issue" ``` -------------------------------- ### Format String Examples for Cache Keys Source: https://pyre-check.org/docs/pysa-model-dsl Provides examples of using format strings with variables like class_name and function_name to construct dynamic cache keys for WriteToCache and CrossRepositoryTaintAnchor clauses. ```Python WriteToCache(kind="cache_name", name=f"{class_name}:{function_name}") ``` ```Python CrossRepositoryTaintAnchor[TaintSink[Thrift], f"{class_name}:{function_mame}", f"formal({parameter_position + 1})"] ``` -------------------------------- ### Compile and Test Pyre-check Changes Source: https://pyre-check.org/docs/installation Compiles the Pyre-check source code and runs all unit tests after making code modifications. This is done within the 'source' directory of the cloned repository. ```bash $ cd source $ make $ make test ``` -------------------------------- ### Pysa Model Annotation Example Source: https://pyre-check.org/docs/pysa-tips Provides an example of how to add taint annotations to stubbed external code, specifically marking HttpRequest.COOKIES and HttpRequest.GET as TaintSource[UserControlled]. ```Python django.http.request.HttpRequest.COOKIES: TaintSource[UserControlled] django.http.request.HttpRequest.GET: TaintSource[UserControlled] ``` -------------------------------- ### Check Python Version for SAPP Source: https://pyre-check.org/docs/pysa-quickstart Verify that your Python version is 3.8 or later to resolve `SyntaxError: future feature annotations is not defined` when running `sapp` commands. ```Shell $ python3 --version ``` -------------------------------- ### Python Examples for String Combine Rule Source: https://pyre-check.org/docs/pysa-advanced These Python code examples illustrate scenarios where user-controlled data ('uc') flows into strings that are formatted or concatenated, potentially leading to SQL injection. The examples cover f-strings, string concatenation, the '%' operator, and `str.format`, all of which can be detected by the string combine rule. ```Python def issue(): uc = user_controlled() f"SELECT {uc} FROM async_query" "SELECT " + uc + " FROM async_query" "SELECT %s FROM async_query" % uc "SELECT {} FROM async_query".format(uc) ``` -------------------------------- ### Taint Analysis Configuration Options Source: https://pyre-check.org/docs/pysa-advanced Provides an example of the `options` section in `taint.config` for setting analysis thresholds. This includes parameters like `maximum_model_source_tree_width`. ```JSON { "sources": [], "sinks": [], "features": [], "rules": [], "options": { "maximum_model_source_tree_width": 10, "maximum_model_sink_tree_width": 10, "maximum_model_tito_tree_width": 10 } } ``` -------------------------------- ### Run Pyre-check Docker Container Source: https://pyre-check.org/docs/installation This command runs a new Docker container named 'pyre-container' from the 'pyre-docker' image. It mounts a local directory to '/src' inside the container and runs interactively. ```Shell docker run \ --name pyre-container \ -v /path/to/your/directory:/src \ -t -i \ pyre-check ``` -------------------------------- ### Reactivate Pyre Environment (zsh) Source: https://pyre-check.org/docs/pysa-quickstart For shells like zsh, after uninstalling a nightly version, you may need to deactivate the current environment, source the Pyre environment script, and then reinstall the stable version. ```Shell (pysa) $ pip uninstall pyre-check-nightly (pysa) $ deactivate $ zsh (pysa) $ source ~/.venvs/pysa/bin/activate (pysa) $ pip install pyre-check ``` -------------------------------- ### Run Pysa Analysis Source: https://pyre-check.org/docs/pysa-explore This command initiates Pysa's static analysis on your codebase and saves the results to a specified directory. Ensure Pysa is installed and configured for your project. ```Shell $ pyre analyze --save-results-to /tmp/output_dir ``` -------------------------------- ### Model urllib.request.urlopen Signature - Full Match Source: https://pyre-check.org/docs/pysa-basics Provides an example of a Pysa model for the `urllib.request.urlopen` function, matching its full signature including keyword-only arguments. ```Python def urllib.request.urlopen(url: TaintSink[HTTPClientRequest], data, timeout, *, cafile, capath, cadefault, context): ... ``` -------------------------------- ### Get Function and Method Definitions with Pyre Query Source: https://pyre-check.org/docs/querying-pyre The `defines` command lists all function and method definitions within a given module or class. It returns the name, parameters, and return annotation for each definition. ```shell $ pyre query "defines(a.C)" ``` ```shell $ pyre query "defines(a)" ``` -------------------------------- ### ModelQuery with fully_qualified_name.matches Source: https://pyre-check.org/docs/pysa-model-dsl Demonstrates a `ModelQuery` using the `fully_qualified_name.matches` predicate to find entities whose fully qualified names start with 'foo'. ```Python ModelQuery( name = "get_starting_with_foo", find = ..., where = [ fully_qualified_name.matches("foo.*") ], model = ... ) ``` -------------------------------- ### Skip Model Validation in Pyre Analyze Source: https://pyre-check.org/docs/pysa-quickstart Instructs to use the '--no-verify' flag with 'pyre analyze' to skip model validation and potentially resolve analysis errors. ```bash $ pyre analyze --no-verify ``` -------------------------------- ### Pyre Model Query Example Source: https://pyre-check.org/docs/querying-pyre Demonstrates how to use the ModelQuery feature in Pyre to find functions matching specific criteria and apply taint models. It shows the Pyre query syntax and the expected JSON response. ```Python ModelQuery( name = "get_foo_sources", find = "functions", where = [ name.matches("foo") ], model = [ Parameters(TaintSource[Test]) ] ) ``` -------------------------------- ### Model File Annotations Example Source: https://pyre-check.org/docs/pysa-basics Illustrates how annotations are applied in model files (e.g., `.pysa`) to combine inferred models with declared models, allowing multiple annotations for a single property. ```Python django.http.request.HttpRequest.COOKIES: TaintSource[UserControlled] django.http.request.HttpRequest.COOKIES: TaintSource[Cookies] ``` -------------------------------- ### Class Attribute Example Source: https://pyre-check.org/docs/pysa-model-dsl Illustrates how attributes, including constructor-initialized ones like `self.y`, are handled when using the `attributes` find clause. ```Python class C: x = ... def __init__(self): self.y = ... ``` -------------------------------- ### Batch Multiple Pyre Queries Source: https://pyre-check.org/docs/querying-pyre This example illustrates how to use the `batch` command to execute multiple Pyre queries simultaneously. It shows a batch query combining `less_or_equal` and `join` operations and the resulting list of responses. ```Shell $ pyre query "batch(less_or_equal(int, str), join(int, str))" ``` -------------------------------- ### Python Stub File Example Source: https://pyre-check.org/docs/types-in-python Demonstrates a Python stub file (`.pyi`) with a function signature and a `__getattr__` definition. This shows how Pyre handles partially complete stub files, where undefined attributes are treated as `Any`. ```Python # my_dynamic_module.pyi def dynamic_function() -> int: ... ``` ```Python # my_stub.pyi from typing import Any foo: int = 42 # Parameter needs to be typed as `str` and return type needs to be `Any` def __getattr__(name: str) -> Any: ... ``` ```Python # my_source.py import my_stub reveal_type(my_stub.foo) # Reveals `int` reveal_type(my_stub.undefined) # Reveals `Any` ``` -------------------------------- ### Query Types in a Python File Source: https://pyre-check.org/docs/querying-pyre This example demonstrates how to query the types of expressions within a Python file using Pyre. It shows the command to execute and the expected JSON output detailing the types and their locations. ```Shell $ pyre query "types(path='a.py')" ``` -------------------------------- ### Python Source Code for Pysa Analysis Source: https://pyre-check.org/docs/pysa-running This Python code defines functions to get an image from a URL and convert it, demonstrating user input as a taint source and os.system as a taint sink. ```Python # static_analysis_example/source.py import os def get_image(url): command = "wget -q https:{}".format(url) return os.system(command) def convert(): image_link = input("image link: ") image = get_image(image_link) ``` -------------------------------- ### Evaluate Expression Type using Pyre Query Source: https://pyre-check.org/docs/querying-pyre Demonstrates the `type` Pyre query command, which evaluates and returns the type of a given expression. Includes an example query for a list containing an integer and an empty string. ```Shell $ pyre query "type([1 + 2, ''])" ``` -------------------------------- ### Pysa Feature Annotation Non-Contagious Example Source: https://pyre-check.org/docs/pysa-advanced This example demonstrates that `@AddFeatureToState` is not contagious. The feature is not propagated when `security_check` is called via a wrapper function. ```Python def security_check_wrapper(): return security_check() x = some_source() if security_check_wrapper(): some_sink(x) ``` -------------------------------- ### Pysa Sanitizer Example Source: https://pyre-check.org/docs/pysa-advanced This example demonstrates the use of a Pysa sanitizer to prevent taint propagation. The `@Sanitize` decorator marks a function as a sanitizer for a specific taint type. ```Python @Sanitize(TaintInTaintOut[TaintSink[RemoteCodeExecution]]) def shlex.quote(x): ... ``` -------------------------------- ### Pysa Feature Annotation Example Source: https://pyre-check.org/docs/pysa-advanced This example shows how `@AddFeatureToState` annotates data flow. When `security_check()` is called, the `via:security_check` feature is added to local variables, enabling filtering. ```Python x = some_source() if security_check(): some_sink(x) ``` -------------------------------- ### Pysa Call Graph Filtering Example Source: https://pyre-check.org/docs/pysa-advanced This example illustrates how Pysa's `@Entrypoint` decorator filters the call graph. Only functions called directly or indirectly by an entrypoint are analyzed. ```Python @Entrypoint def my_file.MyClass.class_entrypoint(): ... @Entrypoint def func_entrypoint(): ... ``` -------------------------------- ### Sanitize HttpRequest GET Attribute Source: https://pyre-check.org/docs/pysa-basics This Python code demonstrates sanitizing the 'GET' attribute of an `HttpRequest` object. The `Sanitize` annotation indicates that all taint passing through `HttpRequest.GET` will be removed. ```Python django.http.request.HttpRequest.GET: Sanitize ``` -------------------------------- ### Model Django HttpRequest GET Taint Source Source: https://pyre-check.org/docs/pysa-basics Demonstrates how to specify a taint source for the 'GET' attribute of Django's HttpRequest object using its fully qualified name. ```Python django.http.request.HttpRequest.GET: TaintSource[UserControlled] ``` -------------------------------- ### Pysa Issue Broadening Example Source: https://pyre-check.org/docs/pysa-advanced Demonstrates how Pysa flags issues even when only a part of an object is tainted. In this example, a dictionary `d` has one tainted key-value pair, and Pysa correctly identifies this as a valid flow to the sink. ```Python d = {"a": source(), "b": "foo"} sink(d) # `d` itself is not tainted, but `d["a"]` is, thus we emit an issue. ``` -------------------------------- ### Configure Pyre Command Alias and Binary Path Source: https://pyre-check.org/docs/installation Sets up bash aliases and environment variables to run the Pyre command from anywhere and point to the compiled binary. This is crucial for making the 'pyre' command accessible after building from source. ```bash $ echo "alias pyre='PYTHONPATH="/path/to/pyre-check/..:$PYTHONPATH" python -m pyre_check.client.pyre'" >> ~/.bashrc $ echo "export PYRE_BINARY=/path/to/pyre-check/source/_build/default/main.exe" >> ~/.bashrc $ source ~/.bashrc ``` -------------------------------- ### Python Tito Propagation Example Source: https://pyre-check.org/docs/pysa-advanced Illustrates a 'Taint In Taint Out' (TITO) scenario in Python where taint propagates through multiple function calls. This example demonstrates how Pysa might track taint through chained function calls like `baz` calling `bar` which calls `foo`. ```python def foo(x): return x def bar(x): return foo(x) def baz(x): return bar(x) ``` -------------------------------- ### Create Executable Script for VSCode Plugin Development Source: https://pyre-check.org/docs/installation Creates a bash script to act as the 'pyre' executable for VSCode plugin development. This bypasses shell aliases, allowing VSCode to find the correct Pyre client. ```bash #!/bin/bash PYTHONPATH="/path/to/pyre-check/..:$PYTHONPATH" python -m pyre_check.client.pyre "$@" ``` -------------------------------- ### Initialize Pyre Configuration Source: https://pyre-check.org/docs/configuration Command to generate an initial Pyre configuration file in the project directory. This sets up the basic structure for Pyre's type checking. ```Shell pyre init ``` -------------------------------- ### Save Pyre Server State Source: https://pyre-check.org/docs/querying-pyre Illustrates how to save the current state of a Pyre server for later use and how to load it to start a new server without re-analyzing project files. Includes commands for saving, stopping, and loading. ```Shell $ pyre query "save_server_state('my_saved_state')" $ pyre stop $ pyre --load-initial-state-from my_saved_state start ``` -------------------------------- ### Get Issues for a Callable Source: https://pyre-check.org/docs/pysa-explore Retrieves all security issues associated with a specific callable. This function returns a list of issue objects. ```Python >>> get_issues('foo.bar.log_errors') ``` -------------------------------- ### Execute Pyre Query Source: https://pyre-check.org/docs/querying-pyre Shows how to execute a Pyre query from the command line, specifically querying for a model defined by 'get_foo_sources' within a specified directory. Includes the command and its JSON output. ```Shell $ pyre query "model_query(path='/absolute/path/to/test_pysa/directory', query_name='get_foo_sources')" ``` -------------------------------- ### Pyre Error: Unexpected Keyword Argument Source: https://pyre-check.org/docs/errors Shows an example of Pyre flagging an unexpected keyword argument passed during a function call. ```Python def foo(integer: int, string: str) -> None: ... foo(1, "one") # no error foo(string="one", integer=1) # no error foo(integer=1, undefined="one") # type error ``` -------------------------------- ### Python Sink Summary Example Source: https://pyre-check.org/docs/pysa-implementation-details Illustrates Pysa's inference of sink summaries, tracking how function arguments flow into sinks. It shows an initial model for a 'sink' function and how Pysa analyzes 'calls_sink' and 'wraps_sink' to infer their sink summaries. ```Python def sink(arg: TaintSink[RemoteCodeExecution]): ... ``` ```Python def calls_sink(arg): sink(arg) ``` ```Python def calls_sink(arg: TaintSink[RemoteCodeExecution]): ... ``` ```Python def wraps_sink(arg): calls_sink(arg) ``` ```Python def wraps_sink(arg: TaintSink[RemoteCodeExecution]): ... ``` -------------------------------- ### Start Pysa Model Explorer Source: https://pyre-check.org/docs/pysa-explore Launches the interactive Pysa Model Explorer script. This script requires Pysa analysis results to be generated beforehand. It provides a command-line interface for querying taint models. ```Python python3 -i scripts/explore_pysa_models.py ``` -------------------------------- ### Get Types in File using Pyre Query Source: https://pyre-check.org/docs/querying-pyre Explains the `types` Pyre query command, which returns all resolved types for specified files. Notes that paths must be relative to the `pyre_configuration`. ```Shell $ pyre query "types('path1', 'path2', ...)" ``` -------------------------------- ### Get Global Leaks with Pyre Query Source: https://pyre-check.org/docs/querying-pyre The `global_leaks` command identifies mutations to global variables and class attributes within specified functions or methods. If no callables are provided, it performs no operation. ```shell # a.py class A: my_class_variable: int = 3 def foo(self) -> None: pass ``` -------------------------------- ### Get Attributes of a Class with Pyre Query Source: https://pyre-check.org/docs/querying-pyre The `attributes` command retrieves a list of attributes for a given class. It requires the class name as an argument. The output includes the annotation and name of each attribute. ```shell $ pyre query "attributes(a.C)" ``` -------------------------------- ### Source/Sink Sanitizer Example Source: https://pyre-check.org/docs/pysa-basics Demonstrates how Source/Sink sanitizers are used to sanitize functions belonging to the source/sink trace. It shows a scenario where user input is passed through a safe rendering function, and how Pysa issues are avoided by modeling taint flow. ```Python def render_string_safe(string: str): safe_strings_list = ["safe", "string", "list"] if string in safe_strings_list: return render(string) def render_input_view(request: HttpRequest): user_input = request.GET["user_input"] return render_string_safe(user_input) ``` ```Python def render_string_safe(string: Sanitize[TaintSink[XSS]]): ... ``` -------------------------------- ### Pysa Configuration File Source: https://pyre-check.org/docs/pysa-running This configuration file tells Pysa which directories contain the source code to analyze and where to find the taint model files. ```JSON # static_analysis_example/.pyre_configuration { "source_directories": ["."], "taint_models_path": "stubs/taint" } ``` -------------------------------- ### Add Scripts Directory to PATH for VSCode Development Source: https://pyre-check.org/docs/installation Adds the directory containing the custom 'pyre' executable script to the system's PATH environment variable. This ensures that the 'pyre' command can be found and executed by VSCode. ```bash $ echo 'PATH="/path/to/pyre-check/scripts:$PATH"' >> ~/.bashrc $ source ~/.bashrc ``` -------------------------------- ### Constructor and Property Setter Modeling Source: https://pyre-check.org/docs/pysa-basics Shows how to use `LocalReturn` instead of `Updates[self]` for constructors and property setters, as they are treated as returning `self` by Pysa. ```Python def MyClass.__init__(self, argument: TaintInTaintOut[LocalReturn]): ... ``` ```Python @foo.setter def MyClass.foo(self, value: TaintInTaintOut[LocalReturn]): ... ``` -------------------------------- ### Python Annotation for Class Attribute Source Source: https://pyre-check.org/docs/pysa-basics Illustrates annotating a class attribute in Python to be recognized as a taint source. This example marks the `COOKIES` attribute of `HttpRequest` as a 'Cookies' source. ```Python django.http.request.HttpRequest.COOKIES: TaintSource[Cookies] ``` -------------------------------- ### Pyre Query: Less or Equal Type Comparison Source: https://pyre-check.org/docs/querying-pyre Demonstrates the usage of the 'less_or_equal' Pyre query command to check type compatibility between classes. It shows examples of checking if a subclass is compatible with a superclass. ```Shell $ pyre query "less_or_equal(a.D, a.C)" {"response":{"boolean":true}} $ pyre query "less_or_equal(a.C, a.D)" {"response":{"boolean":true}} ``` -------------------------------- ### Initial Django Code for Taint Analysis Source: https://pyre-check.org/docs/pysa-false-positives-negatives This Python code snippet shows an initial Django application structure where user input is processed and potentially executed. It serves as the baseline for demonstrating taint analysis. ```Python from django.http import HttpRequest, HttpResponse class Runner: def run(self, command: str) -> None: eval(command) def get_command(request: HttpRequest) -> str: command = request.GET["command"] return command def execute_command(runner: Runner, command): runner.run(command) def start(request: HttpRequest): command = get_command(request) runner = Runner() execute_command(runner, command) ``` -------------------------------- ### Using via-type on Attributes and Globals Source: https://pyre-check.org/docs/pysa-features This Python example illustrates applying `via-type` to class attributes or global variables. A standalone `ViaTypeOf` is a shorthand for `TaintInTaintOut[ViaTypeOf]`, simplifying the annotation process. ```Python my_module.MyClass.source: TaintSource[Test, ViaTypeOf] = ... ``` ```Python my_module.MyClass.sink: TaintSource[Test, ViaTypeOf] = ... ``` ```Python my_module.MyClass.my_attribute: ViaTypeOf = ... ``` -------------------------------- ### Example: GraphQLSourceGenerator for Graphene Resolvers Source: https://pyre-check.org/docs/pysa-model-generators The GraphQLSourceGenerator generates models for graphene-style GraphQL resolver functions, annotating them with UserControlled and ReturnedToUser. It mirrors the functionality of RESTApiSourceGenerator and ExitNodeGenerator for GraphQL contexts. ```Python from typing import Any, Callable, List from pysa.model_generators.model_generator import ModelGenerator from pysa.model_generators.utils import CallableModel class GraphQLSourceGenerator(ModelGenerator): def __init__(self): super().__init__(name="GraphQLSourceGenerator") def _get_graphql_resolvers(self) -> List[Callable[..., Any]]: # Placeholder for logic to find and return all graphene resolver functions pass def _get_models(self) -> List[CallableModel]: models: List[CallableModel] = [] for resolver in self._get_graphql_resolvers(): # Annotate resolvers with UserControlled for arguments and ReturnedToUser for return values models.append( CallableModel( callable=resolver, parameter_names=ParameterSpec.from_callable(resolver), taint_in=[("UserControlled", "*")], taint_out=[("ReturnedToUser", "return")], ) ) return models def generate_models(self) -> List[str]: return [model.to_string() for model in self._get_models()] ``` -------------------------------- ### Pysa Taint Models Source: https://pyre-check.org/docs/pysa-running These Pysa model files link source code to taint configuration, defining 'input' as a UserControlled source and 'os.system' as a RemoteCodeExecution sink. ```Python # static_analysis_example/stubs/taint/core_privacy_security/general.pysa # model for raw_input def input(__prompt) -> TaintSource[UserControlled]: ... # model for os.system def os.system(command: TaintSink[RemoteCodeExecution]): ... ```