Pysa Bug
Pre-submission checklist
[x] I've checked the list of common issues and mine does not appear
I've reported a similar issue for Mariana Trench (Issue 179) so maybe that's just expected behavior.
Bug description
Please consider the following code:

```python
my_instance = MyClass()
my_instance.attribute = source()  # attribute now carries tainted data
sanitize(my_instance)             # callee overwrites the attribute
sink(my_instance.attribute)       # Reported by Pysa
```

using the following functions/classes:

```python
class MyClass:
    attribute: str


def sink(param: str):  # Defined as sink in Pysa config
    pass


def source():  # Defined as source in Pysa config
    return "Secret"


def sanitize(a: MyClass):
    # Clears the tainted attribute on the passed-in instance
    a.attribute = ""
```
Running Pysa on this code returns one issue (as annotated in the code above), but actually no taint is leaked in this code.
If we move the sanitizing inline like this:

```python
my_instance = MyClass()
my_instance.attribute = source()
my_instance.attribute = ""        # same overwrite, but in the caller
sink(my_instance.attribute)       # Not reported by Pysa
```

Pysa correctly doesn't report the issue.
I call Pysa via `pyre analyze --save-results-to ./results/` and I'm using version 0.9.23.
Activity
arthaud commented on Mar 17, 2025

Hi, please see my answer for Mariana Trench, which also applies here: facebook/mariana-trench#179
Add integration test for false positive due to attribute assignments …