Taint Flow Tracer
Purpose
Provide deterministic source-to-sink traces for exploitability decisions.
Inputs
code_pathcandidate_sourcecandidate_sinkexecution_context
Trace Method
Step 1: Source Definition
- Define exact taint origin.
- Classify taint trust level and attacker influence.
Step 2: Propagation Tracking
- Follow variable flow through wrappers and helpers.
- Track type conversion, serialization, and parsing boundaries.
- Track async/task boundary hops.
Step 3: Checkpoint Evaluation
- Record validation and canonicalization points.
- Determine context fitness of each sanitizer.
- Identify alternate branches that skip checks.
Step 4: Sink Reachability
- Confirm sink invocation path is executable.
- Confirm attacker control survives to sink-relevant bytes.
- Note control granularity (full, partial, none).
Step 5: Verdict
tainted_reachabletainted_blockedpath_unknown
Required Trace Fields
sourcepath_nodescheckpointssinkcontrol_levelverdict
Output Contract
{
"trace_id": "",
"source": {},
"path_nodes": [],
"checkpoints": [],
"sink": {},
"verdict": ""
}
Failure Modes
- Stopping at static reference without runtime-feasible path.
- Treating generic sanitization as context-safe by default.
Quality Checklist
- Cross-file and cross-layer flow included.
- Checkpoints evaluated for bypassability.
- Control level at sink is explicit.
Detailed Operator Notes
Cross-Layer Trace Requirements
- Include controller, service, data access, and sink layers.
- Include serialization/deserialization boundary handling.
- Include async boundaries (queue/job/event) where data crosses trust zones.
Access-Control Audit Rules
- Verify policy check location relative to resource fetch.
- Verify policy check occurs on every variant path.
- Verify tenant scoping is enforced at data query layer.
Sanitization Audit Rules
- Context-match sanitizer to sink type.
- Confirm canonicalization happens before validation.
- Check for alternate branch paths that skip sanitizer.
Reporting Rules
- Include function-level path with file and symbol names.
- Include bypass narrative for missing or weak control.
- Include a precise fix location and test recommendation.
Quick Scenarios
Scenario A: Access Check Placement
- Trace data fetch point.
- Trace policy check point.
- Determine whether check occurs before use.
- Identify alternate path without check.
Scenario B: Sanitization Mismatch
- Map sink execution context.
- Map sanitizer type and location.
- Validate context compatibility.
- Find branch that bypasses sanitizer.
Scenario C: Adjacent Pattern Sweep
- Identify sibling handlers/sinks.
- Compare guard and validation parity.
- Flag inconsistent control patterns.
- Prioritize high-impact siblings.
Conditional Decision Matrix
| Condition | Action | Evidence Requirement |
|---|---|---|
| Source passes through helper wrappers | inline helper logic into trace | wrapper-expanded path |
| Policy check exists after data fetch | test prefetch exposure and side-effects | order-of-operations trace |
| Sanitizer exists but context mismatch | craft context-correct exploit hypothesis | sink-context mismatch proof |
| Async boundary carries tainted data | trace serialization and consumer validation | producer-consumer trace |
| Sibling route has weaker guards | run parity scan across sibling handlers | guard parity matrix |
Advanced Coverage Extensions
- Compare DTO/schema validation between create and update paths.
- Scan migration scripts and admin tasks for latent unsafe operations.
- Validate cache-layer authorization consistency.
- Validate feature-flagged code paths for missing controls.
- Validate error handling paths for secret leakage.