Skip to content

Handle gRPC requests as tainted sources #43

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 7, 2025
Merged

Handle gRPC requests as tainted sources #43

merged 3 commits into from
Jul 7, 2025

Conversation

@picatz
Copy link
Owner

@picatz picatz commented Jul 7, 2025
edited
Loading

This pull request introduces support for identifying google.golang.org/protobuf/proto.Message types as potential sources in taint analysis, particularly for gRPC-based services. It includes updates to the taint analysis logic, new helper functions, and additional test cases across multiple vulnerability categories like log injection and SQL injection.

Enhancements to taint analysis:

  • Added google.golang.org/protobuf/proto.Message as a source type in taint analysis for log injection and SQL injection vulnerabilities.
  • Updated checkSSAValue function to check if a type implements the ProtoMessage method, identifying protobuf message types as sources.
  • Introduced the hasProtoMessageMethod helper function to determine if a type implements the ProtoMessage method.

Miscellaneous updates:

  • Added go/types import to support type-checking logic for ProtoMessage method detection.

https://chatgpt.com/codex/tasks/task_e_686bf2bc49988331aedaf649cb8f59cd

@picatz picatz requested a review from Copilot July 7, 2025 16:41
@picatz picatz linked an issue Jul 7, 2025 that may be closed by this pull request
Consider adding gRPC specific tests #8
Closed

This comment was marked as resolved.

Sign in to view

@picatz picatz merged commit 548eea1 into main Jul 7, 2025
1 check passed
@picatz picatz deleted the codex/extend-taint-analysis-for-grpc-requests branch July 7, 2025 18:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Consider adding gRPC specific tests

2 participants

@picatz