use taint mode #61
use taint mode #61
Conversation
| mode: taint | ||
| pattern-sinks: | ||
| - pattern: $Y - $X | ||
| - pattern: $Y -= $X |
There was a problem hiding this comment.
Can we restrict this only to Solidity < 0.8 by matching pragma?
There was a problem hiding this comment.
Turns out not yet, pragma matching in semgrep needs enhancements
| - focus-metavariable: $X | ||
| - patterns: | ||
| - pattern-inside: | | ||
| function $F(..., $TYPE $X, ...) { ... } |
There was a problem hiding this comment.
I think this will match internal functions, should be removed
There was a problem hiding this comment.
Yes, it matches the internal functions.
When I deleted it, semgrep stopped matching functions without visibility. This may be critical for contracts with pragma solidity prior to version 0.5.0, since visibility is public by default. This should be known when testing old contracts.
| } | ||
|
|
||
| function sink(address _contract, uint256 _num) internal { | ||
| // intraprocedural tainting does not work for now... |
There was a problem hiding this comment.
delete this comment too, because it works now
| - pattern-either: | ||
| - pattern: $X == ... | ||
| - pattern: ... == $X | ||
| - pattern: $X >= ... && $X <= ... |
There was a problem hiding this comment.
I would leave only strict equality ==, other comparisons are not exact balance checks
There was a problem hiding this comment.
| - pattern-not-inside: | | ||
| function $F(...) { | ||
| ... | ||
| $VAR.withdraw_admin_fees(...); | ||
| ... | ||
| } |
There was a problem hiding this comment.
removed duplicate, check pls
No description provided.