第十九屆D2終端技術大會：鴻蒙ArkTS代碼安全風險檢測

鴻蒙ArkTS代碼安全風險檢測——盛錦辰（幻貓）盛錦辰盛錦辰（幻貓/fantasycat）34鴻蒙原生應用開發(fā)與安全典型案例-JSAPI實現(xiàn)不當-任意文件上傳function:upload(pathfunction:upload(path,url)bundle1\ bundle2callsitecallsite:upload(file,url)C++C++module2.技術實現(xiàn)7代碼數(shù)據(jù)抽取TypeScriptCompilerDatal/openharmony/third_party_typescript/codefuse-ai/CodeFuse-Query語言語言編譯器AST節(jié)點數(shù)C++/Objective-CArkTSohos-typescript387bb11.學習語言:bb2bbbb2bb3e.g.let/var/assign/operatorbb4Function1Function2分析方向Function3Function4Function5代碼數(shù)據(jù)抽取-函數(shù)間數(shù)據(jù)流-TraceSlot function1 function2 function3 function4function5/doi/10.1145/3632743《Octopus:ScalingValue-FlowAnalysisviaParallelCollectionofRealizablePathConditions》 Basicblock1 Basicblock2 Basicblock3bundle集成app發(fā)布集成掃描與變更分析bundle集成app發(fā)布Bundle開發(fā)變更分析流程commitlatestdevelopcommitgitdiffbuildAst變更節(jié)點變更節(jié)點diffanalysis鏈路分析結果2.技術實現(xiàn)代碼知識圖譜架構代碼知識圖譜架構跨bundle節(jié)點relationkey設計-顯式調用基于relationkey來表達/連接bundle間調用關系Bundle1代碼Bundle1代碼bundle1Bundle2代碼Bundle2代碼bundle2[filePath]signature#index@alipay/mediaflow/src/main/ets/mediaflow/MFNetcache]MFNetcache.SetErrorCallback(t4:(what:number,arg1:number,arg2:number,extra:string)=>void):void;#0跨bundle節(jié)點relationkey設計-隱式調用[[bundleName.abilityName]signature1#index->signature2#index基于relationkey來表達/連接bundle間調用關系bundleName:bundleName:bundle2,abilityName:testAbility2bundle1};engine/frameworkabilityDelegator.startAbility(want,(err,data)=>engine/frameworkonCreate(want:Want,launchParam:AbilityConstant.LaunchParam):voidbundlebundle2[bundle2.testability]startAbility#1->onCreate#1完整的知識圖譜架構當前完整的知