Commit 91dd27f

updated taint analysis dev docs
Signed-off-by: Ambrish Rawat <[email protected]>
1 parent aa452aa commit 91dd27f

1 file changed: +1 −31 lines

docs/dev/taint_analysis.md

Lines changed: 1 addition & 31 deletions
Original file line numberDiff line numberDiff line change
@@ -172,37 +172,7 @@ Backends ensure security metadata flows through the generation pipeline:
172172

173173
1. **Input analysis** → taint sources identified as actual CBlocks/Components
174174
2. **MOT creation** → security metadata set using `SecLevel.tainted_by(source)` or `SecLevel.none()`
175-
3. **Formatter parsing** → security metadata preserved on parsed output
176-
4. **Context addition** → tainted outputs propagate to future generations
177-
178-
### Formatter Security Preservation
179-
180-
The `TemplateFormatter` has been enhanced to preserve security metadata during parsing:
181-
182-
```python
183-
def _parse(self, source_component: Component | CBlock, result: ModelOutputThunk) -> CBlock | Component:
184-
"""Parses the output from a model."""
185-
# Helper function to preserve security metadata
186-
def preserve_security_metadata(parsed_obj):
187-
"""Preserve security metadata from result to parsed object."""
188-
if hasattr(result, '_meta') and '_security' in result._meta:
189-
if hasattr(parsed_obj, '_meta'):
190-
if parsed_obj._meta is None:
191-
parsed_obj._meta = {}
192-
parsed_obj._meta['_security'] = result._meta['_security']
193-
elif isinstance(parsed_obj, CBlock):
194-
# For CBlocks, we can directly set the meta
195-
if parsed_obj._meta is None:
196-
parsed_obj._meta = {}
197-
parsed_obj._meta['_security'] = result._meta['_security']
198-
return parsed_obj
199-
200-
# Parse the output and preserve security metadata
201-
parsed = self._parse_content(result)
202-
return preserve_security_metadata(parsed)
203-
```
204-
205-
This ensures that when model outputs are parsed into `CBlock`s or `Component`s, the security metadata (including taint sources) is preserved on the parsed objects, maintaining the security chain through the entire pipeline.
175+
3. **Context addition** → tainted outputs propagate to future generations
206176

207177
## Capability-Based Access Control
208178

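Review bot: deleting step 3 ("Formatter parsing → security metadata preserved on parsed output") together with the whole "Formatter Security Preservation" subsection (old lines 175-205) leaves the backend pipeline list with no statement of what happens to `_security` when `_parse` turns a `ModelOutputThunk` into a `CBlock` or `Component`, while the surviving step 3 ("Context addition → tainted outputs propagate to future generations") still depends on the parsed object carrying its taint. If `TemplateFormatter._parse` no longer copies `result._meta['_security']` onto the parsed object, the list should say so and point to where propagation now happens; if it still does, keep at least a one-line pointer in place of the removed subsection so the chain from step 2 (`SecLevel.tainted_by(source)`) to context addition is documented end to end. The commit message "updated taint analysis dev docs" also does not say whether the section was removed because it was stale or because the mechanism moved, which a reader of the history will want to know.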