Add taint command (#12)

* Add initial implementation of `taint` command
* Add demo GIF using `vhs` and `make`
* Clarify internal naming within `taint.Check`

README.md

@@ -53,13 +53,33 @@ for _, result := range results {
 	if strings.HasPrefix(queryEdge.Site.Value().Call.Value.String(), "Context") {
 		queryArgs = queryArgs[1:]
 	}
+
+	// Get the query function parameter.
+	query := queryArgs[0]
+
+	// Ensure it is a constant (prepared statement), otherwise report
+	// potential SQL injection.
+	if _, isConst := query.(*ssa.Const); !isConst {
+		pass.Reportf(result.SinkValue.Pos(), "potential sql injection")
+	}
 }
 ```
 
+### `taint`
+
+The `taint` CLI is a an interactive tool to find potential security vulnerabilities. Can be used 
+to find potential SQL injections, log injections, and cross-site scripting (XSS) vulnerabilities, 
+among other types of vulnerabilities.
+
+```console
+$ go install github.com/picatz/taint/cmd/taint@latest
+```
+
+![demo](./cmd/taint/vhs/demo.gif)
+
 ### `sqli`
 
-The `sqli` analyzer is a CLI tool that demonstrates usage of the `taint` package to find
-potential SQL injections.
+The `sqli` [analyzer](https://pkg.go.dev/golang.org/x/tools/go/analysis#Analyzer) finds potential SQL injections.
 
 ```console
 $ go install github.com/picatz/taint/cmd/sqli@latest
@@ -100,8 +120,7 @@ $ sqli main.go
 
 ### `logi`
 
-The `logi` analyzer is a CLI tool that demonstrates usage of the `taint` package to find
-potential log injections.
+The `logi` [analyzer](https://pkg.go.dev/golang.org/x/tools/go/analysis#Analyzer) finds potential log injections.
 
 ```console
 $ go install github.com/picatz/taint/cmd/logi@latest
@@ -130,8 +149,7 @@ $ logi main.go
 
 ### `xss`
 
-The `xss` analyzer is a CLI tool that demonstrates usage of the `taint` package to find
-potential cross-site scripting (XSS) vulnerabilities.
+The `xss` [analyzer](https://pkg.go.dev/golang.org/x/tools/go/analysis#Analyzer) finds potential cross-site scripting (XSS) vulnerabilities.
 
 ```console
 $ go install github.com/picatz/taint/cmd/xss@latest

check.go

@@ -79,20 +79,22 @@ func Check(cg *callgraph.Graph, sources Sources, sinks Sinks) Results {
 				continue
 			}
 
-			// Check if query used any of the given sources (if it was "tainted").
+			// Check if the last edge (e.g. a SQL query) used any of the given
+			// sources (e.g. user input in an HTTP request) to identify if it
+			// was "tainted".
 			tainted, src, tv := checkPath(sinkPath, sources)
 			if tainted {
-				// Extract the query from the last part of the path
-				// to include in the results.
-				query := sinkPath.Last()
+				// Extract the last edge from the last part of the path
+				// to include the calle as the sink in the result.
+				lastEdge := sinkPath.Last()
 
 				// Add the result to the list of results.
 				results = append(results, Result{
 					Path:        sinkPath,
 					SourceType:  src,
 					SourceValue: tv,
-					SinkType:    query.Callee.String(),
-					SinkValue:   query.Site.Value(),
+					SinkType:    lastEdge.Callee.String(),
+					SinkValue:   lastEdge.Site.Value(),
 				})
 			}
 		}
@@ -124,7 +126,6 @@ func checkPath(path callgraph.Path, sources Sources) (bool, string, ssa.Value) {
 	// TODO: when non-function sinks are supported, we will need to handle
 	//       them differently here.
 	for _, lastCallArg := range lastCallArgs {
-		// fmt.Println(lastCallArg)
 		tainted, src, tv := checkSSAValue(path, sources, lastCallArg, visited)
 		if tainted {
 			return true, src, tv

cmd/taint/Makefile

@@ -0,0 +1,7 @@
+.PHONY: install
+install:
+	@go build -o $(shell go env GOPATH)/bin/taint .
+
+.PHONY: vhs
+vhs:
+	@vhs ./vhs/demo.tape

cmd/taint/example/main.go

@@ -0,0 +1,32 @@
+package main
+
+import (
+	"database/sql"
+	"net/http"
+)
+
+func handle(db *sql.DB, q string) {
+	db.Query(q) // want "potential sql injection"
+}
+
+func business(db *sql.DB, q *string) error {
+	handle(db, *q)
+	return nil
+}
+
+func main() {
+	db, _ := sql.Open("sqlite3", ":memory:")
+
+	mux := http.NewServeMux()
+
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		user := r.URL.Query()["query"]
+		userValue := user[0]
+		business(db, &userValue)
+	})
+
+	err := http.ListenAndServe(":8080", mux)
+	if err != nil {
+		panic(err)
+	}
+}