justan0th3rstud3nt
/
garble
mirror of https://github.com/burrowers/garble
1
0
Fork 0
Code Issues 1 Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
release-v0.12
ci-test
literalRecheck
v0.12.1
v0.12.0
v0.11.0
v0.10.1
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.0
v0.7.2
v0.7.1
v0.7.0
v0.6.0
v0.5.1
v0.5.0
v0.4.0
v0.3.0
v0.2.0
v0.1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ad2ecc7f2f'
${ noResults }
garble/testdata/script/reflect.txtar

606 lines
14 KiB
Plaintext
Raw Normal View History Unescape Escape

set testscript's RequireExplicitExec and RequireUniqueNames The first makes our test scripts more consistent, as all external program executions happen via "exec" and are not as easily confused with custom builtin commands like our "generate-literals". The second catches mistakes if any of our txtar files have duplicate files, where all but one of the contents would be ignored before.
1 year ago
exec garble build
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
exec ./main
cmp stdout main.stdout
add more reflect test cases and simplify logic A recent PR added a bigger regression test for go-spew, and fixed an issue where we would obfuscate local named types even if they were embedded into local structs used for reflection. This would effectively mean we were obfuscating one field name, the one derived from the embedding, which we didn't want to. The fix did this by searching for embedded objects with extra code. However, as far as I can tell, that isn't necessary; we can do the right thing by recording all local type names just like we already do for all field names. This results in less complicated code, and avoids needing special logic to handle embedding struct types, so I reckon it's a win. Add even more tests to convince myself that we're still obfuscating local types and field names which aren't used for reflection.
1 year ago
! binsubstr main$exe 'garble_main.go' 'test/main' 'importedpkg.' 'DownstreamObfuscated' 'SiblingObfuscated' 'IndirectObfuscated' 'IndirectNamedWithoutReflect' 'AliasIndirectNamedWithReflect' 'AliasIndirectNamedWithoutReflect' 'FmtTypeField' 'LocalObfuscated'
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
binsubstr main$exe 'ReflectInDefined' 'ExportedField2' 'unexportedField2' 'IndirectUnobfuscated' 'IndirectNamedWithReflect'
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
[short] stop # no need to verify this with -short
# Check that the program works as expected without garble.
go build
exec ./main
cmp stdout main.stdout
-- go.mod --
module test/main
drop Go 1.21 and start using go/version Needing to awkwardly treat Go versions as if they were semver is no longer necessary thanks to go/version being in Go 1.22.0 now.
5 months ago
go 1.22
testdata: use longer Go filenames for binsubstr Every now and then, a CI run would fail: FAIL: testdata/scripts/reflect.txt:7: unexpected match for ["main.go"] in main These were rare, and very hard to reproduce or debug. My best guess is that, since "main.go" is a short string and we use random eight-character obfuscated filenames ending with ".go", it was possible that the random filename happened to end in "main" in some cases. Given the base64 encoding, the chances of a single suffix collision are about 0.000006%. Note, however, that a single obfuscated build will most likely obfuscate many filenames, especially for the tests obfuscating multiple packages. For a single CI run with many tests across three OSs, the chances of any collision are likely very low, but realistic. All this has a simple fix: use longer filenames to match with. We choose "garble_main.go" since it's long enough, but also because it's still clear it's a "main" Go file, and it's very unlikely to cause conflicts with filenames in upstream Go given the "garble_" prefix.
3 years ago
-- garble_main.go --
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
package main
import (
fix encoding/asn1 marshaling of pkix types See the added comment and test, which failed before the fix when the encoded certificate was decoded. It took a while to find the culprit in asn1, but in hindsight it's easy: case reflect.Slice: if t.Elem().Kind() == reflect.Uint8 { return false, TagOctetString, false, true } if strings.HasSuffix(t.Name(), "SET") { return false, TagSet, true, true } return false, TagSequence, true, true Fixes #711.
1 year ago
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
track types used in make assigned to a reflected type Fixes #690.
7 months ago
"encoding/gob"
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
"encoding/json"
"fmt"
fix encoding/asn1 marshaling of pkix types See the added comment and test, which failed before the fix when the encoded certificate was decoded. It took a while to find the culprit in asn1, but in hindsight it's easy: case reflect.Slice: if t.Elem().Kind() == reflect.Uint8 { return false, TagOctetString, false, true } if strings.HasSuffix(t.Name(), "SET") { return false, TagSet, true, true } return false, TagSequence, true, true Fixes #711.
1 year ago
"math/big"
detect more std API calls which use reflection Before, we would just notice direct calls to reflect's TypeOf and ValueOf. Any other uses of reflection, such as encoding/json or google.golang.org/protobuf, would require hints as documented by the README. Issue #162 outlines some ways we could fix this issue in a general way, automatically detecting what functions use reflection on their parameters, even for third party API funcs. However, that goal is pretty significant in terms of code and effort. As a temporary improvement, we can expand the list of "known" reflection APIs via a static table. Since this table is keyed by "func full name" strings, we could potentially include third party APIs, such as: google.golang.org/protobuf/proto.Marshal However, for now simply include all the std APIs we know about. If we fail to do the proper fix for automatic detection in the future, we can then fall back to expanding this global table for third parties. Update the README's docs, to clarify that the hint is not always necessary anymore. Also update the reflect.txt test to stop using the hint for encoding/json, and to also start testing text/template with a method call. While at it, I noticed that we weren't testing the println outputs, as they'd go to stderr - fix that too. Updates #162.
3 years ago
"os"
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
"reflect"
ignore embedded fields used in reflection (#768) Fixes #765.
1 year ago
"unsafe"
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
"strings"
propagate "uses reflection" through SSA stores Up until now, the new SSA reflection detection relied on call sites to propagate which objects (named types, struct fields) used reflection. For example, given the code: json.Marshal(new(T)) we would first record that json.Marshal calls reflect.TypeOf, and then that the user's code called json.Marshal with the type *T. However, this would not catch a slight variation on the above: var t T reflect.TypeOf(t) t.foo = struct{bar int}{} Here, type T's fields such as "foo" and "bar" are not obfuscated, since our logic sees the call site and marks the type T recursively. However, the unnamed `struct{bar int}` type was still obfuscated, causing errors such as: cannot use struct{uKGvcJvD24 int}{} (value of type struct{uKGvcJvD24 int}) as struct{bar int} value in assignment The solution is to teach the analysis about *ssa.Store instructions in a similar way to how it already knows about *ssa.Call instructions. If we see a store where the destination type is marked for reflection, then we mark the source type as well, fixing the bug above. This fixes obfuscating github.com/gogo/protobuf/proto. A number of other Go modules fail with similar errors, and they look like very similar bugs, but this particular fix doesn't apply to them. Future incremental fixes will try to deal with those extra cases. Fixes #685.
11 months ago
"sync"
detect more std API calls which use reflection Before, we would just notice direct calls to reflect's TypeOf and ValueOf. Any other uses of reflection, such as encoding/json or google.golang.org/protobuf, would require hints as documented by the README. Issue #162 outlines some ways we could fix this issue in a general way, automatically detecting what functions use reflection on their parameters, even for third party API funcs. However, that goal is pretty significant in terms of code and effort. As a temporary improvement, we can expand the list of "known" reflection APIs via a static table. Since this table is keyed by "func full name" strings, we could potentially include third party APIs, such as: google.golang.org/protobuf/proto.Marshal However, for now simply include all the std APIs we know about. If we fail to do the proper fix for automatic detection in the future, we can then fall back to expanding this global table for third parties. Update the README's docs, to clarify that the hint is not always necessary anymore. Also update the reflect.txt test to stop using the hint for encoding/json, and to also start testing text/template with a method call. While at it, I noticed that we weren't testing the println outputs, as they'd go to stderr - fix that too. Updates #162.
3 years ago
"text/template"
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
"test/main/importedpkg"
skip reflection detection for sibling packages Our allPkgs boolean logic was wrong, because it could still lead to garble obfuscating a type when used in the main package, but not in its defining package. The added test case shows such a case. To fix that, use a package path to only record the named objects from the target package, which is a narrower operation without this problem, but still makes all our tests pass. This makes the google.golang.org/protobuf/internal/filetype package start building.
3 years ago
"test/main/importedpkg2"
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
)
default to GOGARBLE=*, stop using GOPRIVATE We can drop the code that kicked in when GOGARBLE was empty. We can also add the value in addGarbleToHash unconditionally, as we never allow it to be empty. In the tests, remove all GOGARBLE lines where it just meant "obfuscate everything" or "obfuscate the entire main module". cgo.txtar had "obfuscate everything" as a separate step, so remove it entirely. linkname.txtar started failing because the imported package did not import strings, so listPackage errored out. This wasn't a problem when strings itself wasn't obfuscated, as transformLinkname silently left strings.IndexByte untouched. It is a problem when IndexByte does get obfuscated. Make that kind of listPackage error visible, and fix it. reflect.txtar started failing with "unreachable method" runtime throws. It's not clear to me why; it appears that GOGARBLE=* makes the linker think that ExportedMethodName is suddenly unreachable. Work around the problem by making the method explicitly reachable, and leave a TODO as a reminder to investigate. Finally, gogarble.txtar no longer needs to test for GOPRIVATE. The rest of the test is left the same, as we still want the various values for GOGARBLE to continue to work just like before. Fixes #594.
2 years ago
var Sink interface{}
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
func main() {
// Fields still work fine when they are not obfuscated.
fmt.Println(importedpkg.ReflectInDefinedVar.ExportedField2)
fmt.Println(importedpkg.ReflectInDefined{ExportedField2: 5})
// Type names are not obfuscated either, when reflection is used.
printfWithoutPackage("%T\n", importedpkg.ReflectTypeOf(2))
printfWithoutPackage("%T\n", importedpkg.ReflectTypeOfIndirect(4))
// More complex use of reflect.
v := importedpkg.ReflectValueOfVar
printfWithoutPackage("%#v\n", v)
method := reflect.ValueOf(&v).MethodByName("ExportedMethodName")
if method.IsValid() {
fmt.Println(method.Call(nil))
} else {
fmt.Println("method not found")
}
// Use of a common library using reflect, encoding/json.
enc, _ := json.Marshal(EncodingT{Foo: 3})
detect more std API calls which use reflection Before, we would just notice direct calls to reflect's TypeOf and ValueOf. Any other uses of reflection, such as encoding/json or google.golang.org/protobuf, would require hints as documented by the README. Issue #162 outlines some ways we could fix this issue in a general way, automatically detecting what functions use reflection on their parameters, even for third party API funcs. However, that goal is pretty significant in terms of code and effort. As a temporary improvement, we can expand the list of "known" reflection APIs via a static table. Since this table is keyed by "func full name" strings, we could potentially include third party APIs, such as: google.golang.org/protobuf/proto.Marshal However, for now simply include all the std APIs we know about. If we fail to do the proper fix for automatic detection in the future, we can then fall back to expanding this global table for third parties. Update the README's docs, to clarify that the hint is not always necessary anymore. Also update the reflect.txt test to stop using the hint for encoding/json, and to also start testing text/template with a method call. While at it, I noticed that we weren't testing the println outputs, as they'd go to stderr - fix that too. Updates #162.
3 years ago
fmt.Println(string(enc))
// Another common library, text/template.
tmpl := template.Must(template.New("").Parse("Hello {{.Name}}."))
_ = tmpl.Execute(os.Stdout, struct{Name string}{Name: "Dave"})
fmt.Println() // Always print a newline.
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
// Another complex case, involving embedding and another package.
outer := &importedpkg.EmbeddingOuter{}
outer.InnerField = 3
enc, _ = json.Marshal(outer)
detect more std API calls which use reflection Before, we would just notice direct calls to reflect's TypeOf and ValueOf. Any other uses of reflection, such as encoding/json or google.golang.org/protobuf, would require hints as documented by the README. Issue #162 outlines some ways we could fix this issue in a general way, automatically detecting what functions use reflection on their parameters, even for third party API funcs. However, that goal is pretty significant in terms of code and effort. As a temporary improvement, we can expand the list of "known" reflection APIs via a static table. Since this table is keyed by "func full name" strings, we could potentially include third party APIs, such as: google.golang.org/protobuf/proto.Marshal However, for now simply include all the std APIs we know about. If we fail to do the proper fix for automatic detection in the future, we can then fall back to expanding this global table for third parties. Update the README's docs, to clarify that the hint is not always necessary anymore. Also update the reflect.txt test to stop using the hint for encoding/json, and to also start testing text/template with a method call. While at it, I noticed that we weren't testing the println outputs, as they'd go to stderr - fix that too. Updates #162.
3 years ago
fmt.Println(string(enc))
improve handling of reflect on foreign unnamed types If a package A imports package B, and uses reflect.TypeOf on an unnamed struct type B.T (such as an alias), we don't want to record B.T's fields as "do not obfuscate". This is for the same reason that we don't if B.T is a named struct type: the detection only works for the package defining the type, as otherwise it's inconsistent. We failed to handle this case well, because we assumed all struct types would be under some named type. This is not the case for type aliases. Fortunately, struct fields are named, and as such they are objects. Check their package too, just like we do for named types. Fixes another build error when obfuscating the protobuf module. We add a simplified version of the example above as a test case, which originated from debugging the protobuf build failure.
3 years ago
// An edge case; the struct type is defined in a different package.
// Note that the struct type is unnamed, but it still has named fields.
// We only use reflection on it here, not the declaring package.
// As such, we should obfuscate the field name.
// Simply using the field name here used to cause build failures.
_ = reflect.TypeOf(importedpkg.UnnamedWithDownstreamReflect{})
fmt.Printf("%v\n", importedpkg.UnnamedWithDownstreamReflect{
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
DownstreamObfuscated: "downstream",
skip reflection detection for sibling packages Our allPkgs boolean logic was wrong, because it could still lead to garble obfuscating a type when used in the main package, but not in its defining package. The added test case shows such a case. To fix that, use a package path to only record the named objects from the target package, which is a narrower operation without this problem, but still makes all our tests pass. This makes the google.golang.org/protobuf/internal/filetype package start building.
3 years ago
})
// An edge case; the struct type is defined in package importedpkg2.
// importedpkg2 does not use reflection on it, so it's not obfuscated there.
// importedpkg uses reflection on a type containing ReflectInSiblingImport.
// If our logic is incorrect, we might inconsistently obfuscate the type.
// We should not obfuscate it when building any package.
fmt.Printf("%v\n", importedpkg2.ReflectInSiblingImport{
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
SiblingObfuscated: "sibling",
improve handling of reflect on foreign unnamed types If a package A imports package B, and uses reflect.TypeOf on an unnamed struct type B.T (such as an alias), we don't want to record B.T's fields as "do not obfuscate". This is for the same reason that we don't if B.T is a named struct type: the detection only works for the package defining the type, as otherwise it's inconsistent. We failed to handle this case well, because we assumed all struct types would be under some named type. This is not the case for type aliases. Fortunately, struct fields are named, and as such they are objects. Check their package too, just like we do for named types. Fixes another build error when obfuscating the protobuf module. We add a simplified version of the example above as a test case, which originated from debugging the protobuf build failure.
3 years ago
})
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
obfuscate alias names like any other objects Before this change, we would try to never obfuscate alias names. That was far from ideal, as they can end up in field names via anonymous fields. Even then, we would sometimes still fail to build, because we would inconsistently obfuscate alias names. For example, in the added test case: --- FAIL: TestScripts/syntax (0.23s) testscript.go:397: > env GOPRIVATE='test/main,private.source' > garble build [stderr] # test/main/sub Lv_a8gRD.go:15: undefined: KCvSpxmQ To fix this problem, we set obj to be the TypeName corresponding to the alias when it is used as an embedded field. We can then make the right choice when obfuscating the name. Right now, all aliases will be obfuscated. A TODO exists about not obfuscating alias names when they're used as embedded fields in a struct type in the same package, and that package is used for reflection - since then, the alias name ends up as the field name. With these changes, the protobuf module now builds.
3 years ago
// Using type aliases as both regular fields, and embedded fields.
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
var emb EmbeddingIndirect
emb.With.IndirectUnobfuscated = "indirect-with"
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
emb.With.DuplicateFieldName = 3
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
emb.Without.IndirectObfuscated = "indirect-without"
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
emb.Without.DuplicateFieldName = 4
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
fmt.Printf("%v\n", emb)
printfWithoutPackage("%#v\n", emb.With)
obfuscate alias names like any other objects Before this change, we would try to never obfuscate alias names. That was far from ideal, as they can end up in field names via anonymous fields. Even then, we would sometimes still fail to build, because we would inconsistently obfuscate alias names. For example, in the added test case: --- FAIL: TestScripts/syntax (0.23s) testscript.go:397: > env GOPRIVATE='test/main,private.source' > garble build [stderr] # test/main/sub Lv_a8gRD.go:15: undefined: KCvSpxmQ To fix this problem, we set obj to be the TypeName corresponding to the alias when it is used as an embedded field. We can then make the right choice when obfuscating the name. Right now, all aliases will be obfuscated. A TODO exists about not obfuscating alias names when they're used as embedded fields in a struct type in the same package, and that package is used for reflection - since then, the alias name ends up as the field name. With these changes, the protobuf module now builds.
3 years ago
// TODO: don't obfuscate the embedded field name here
// printfWithoutPackage("%#v\n", importedpkg.ReflectEmbeddingAlias{})
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
indirectReflection(IndirectReflection{})
fmt.Println(FmtType{})
make KnownReflectAPIs aware of variadic funcs When a function definition is variadic, the number of parameters may not match the number of calling arguments. Our existing code was a bit naive with this edge case, leading to a panic when indexing call.Args. Keep track of that information, and properly handle all variadic arguments that may be used indirectly with reflection. We add a test case that used to panic, where 0 arguments are used for a variadic parameter, as well as a case where we need to disable obfuscation for a Go type used as the second variadic argument rather than the first. Finally, the old code in findReflectFunctions looked at Go function types from the point of view of go/ast.FuncType. Use go/types.Signature instead, where we don't need to deal with the grouping of variables in the original syntax, and which is more consistent with the rest of the garble codebase. Fixes #524.
2 years ago
// Variadic functions are a bit tricky as the number of parameters is variable.
// We want to notice indirect uses of reflection via all variadic arguments.
_ = importedpkg.VariadicReflect(0, 1, 2, 3)
_ = importedpkg.VariadicReflect(0)
variadic := VariadicReflection{ReflectionField: "variadic"}
_ = importedpkg.VariadicReflect("foo", 1, variadic, false)
printfWithoutPackage("%#v\n", variadic)
fix encoding/asn1 marshaling of pkix types See the added comment and test, which failed before the fix when the encoded certificate was decoded. It took a while to find the culprit in asn1, but in hindsight it's easy: case reflect.Slice: if t.Elem().Kind() == reflect.Uint8 { return false, TagOctetString, false, true } if strings.HasSuffix(t.Name(), "SET") { return false, TagSet, true, true } return false, TagSequence, true, true Fixes #711.
1 year ago
testx509()
ignore embedded fields used in reflection (#768) Fixes #765.
1 year ago
testGoSpew()
rework reflection detection with ssa (#732) This is significantly more robust, than the ast based detection and can record very complex cases of indirect parameter reflection. Fixes #554
1 year ago
// Very complex reflection used by gorm
user := StatUser{}
find(&user)
// Similar to gorm with composite literals instead of direct assignments
userComp := StatCompUser{}
findComp(&userComp)
x := UnnamedStructInterface(importedpkg.ReflectUnnamedStruct(0))
x.UnnamedStructMethod(struct{ UnnamedStructField string }{UnnamedStructField: "field value"})
add more reflect test cases and simplify logic A recent PR added a bigger regression test for go-spew, and fixed an issue where we would obfuscate local named types even if they were embedded into local structs used for reflection. This would effectively mean we were obfuscating one field name, the one derived from the embedding, which we didn't want to. The fix did this by searching for embedded objects with extra code. However, as far as I can tell, that isn't necessary; we can do the right thing by recording all local type names just like we already do for all field names. This results in less complicated code, and avoids needing special logic to handle embedding struct types, so I reckon it's a win. Add even more tests to convince myself that we're still obfuscating local types and field names which aren't used for reflection.
1 year ago
// Local names not used in reflection should not be in the final binary,
// even if they are embedded in a struct and become a field name.
type unexportedLocalObfuscated struct { LocalObfuscatedA int }
type ExportedLocalObfuscated struct { LocalObfuscatedB int }
type EmbeddingObfuscated struct {
unexportedLocalObfuscated
ExportedLocalObfuscated
}
// Ensure the types are kept in the binary. Use an anonymous type too.
_ = fmt.Sprintf("%#v", EmbeddingObfuscated{})
_ = fmt.Sprintf("%#v", struct{ExportedLocalObfuscated}{})
add a regression test for type names and reflect We were recently altering the logic in reflect.go for type names, which could have broken this kind of valid use of reflection. Add a regression test, which I verified would break before my last change to "simplify" the logic, which actually changed the logic, as xuannv112 correctly pointed out. After thinking about the change in behavior for a little while, I realised that the new behavior is more correct, hence the test.
1 year ago
// reflection can see all type names, even local ones, so they cannot be obfuscated.
{
type TypeOfNamedField struct { NamedReflectionField int }
type TypeOfEmbeddedField struct { EmbeddedReflectionField int }
type TypeOfParent struct {
ReflectionField TypeOfNamedField
TypeOfEmbeddedField
}
t := reflect.TypeOf(TypeOfParent{})
fmt.Println("TypeOfParent's own name:", t.Name())
namedField, _ := t.FieldByName("ReflectionField")
namedFieldField, _ := namedField.Type.FieldByName("NamedReflectionField")
fmt.Println("TypeOfParent named:",
namedField.Type.Name(),
namedFieldField.Name,
)
embedField, _ := t.FieldByName("TypeOfEmbeddedField")
embedFieldField, _ := embedField.Type.FieldByName("EmbeddedReflectionField")
fmt.Println("TypeOfParent embedded:",
embedField.Type.Name(),
embedFieldField.Name,
)
}
propagate "uses reflection" through SSA stores Up until now, the new SSA reflection detection relied on call sites to propagate which objects (named types, struct fields) used reflection. For example, given the code: json.Marshal(new(T)) we would first record that json.Marshal calls reflect.TypeOf, and then that the user's code called json.Marshal with the type *T. However, this would not catch a slight variation on the above: var t T reflect.TypeOf(t) t.foo = struct{bar int}{} Here, type T's fields such as "foo" and "bar" are not obfuscated, since our logic sees the call site and marks the type T recursively. However, the unnamed `struct{bar int}` type was still obfuscated, causing errors such as: cannot use struct{uKGvcJvD24 int}{} (value of type struct{uKGvcJvD24 int}) as struct{bar int} value in assignment The solution is to teach the analysis about *ssa.Store instructions in a similar way to how it already knows about *ssa.Call instructions. If we see a store where the destination type is marked for reflection, then we mark the source type as well, fixing the bug above. This fixes obfuscating github.com/gogo/protobuf/proto. A number of other Go modules fail with similar errors, and they look like very similar bugs, but this particular fix doesn't apply to them. Future incremental fixes will try to deal with those extra cases. Fixes #685.
11 months ago
y := UnnamedStructFields{}
y.unexportedGoGoProto = new(struct {
mu sync.Mutex
extensionMap map[int32]EncodingT
})
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
}
type EmbeddingIndirect struct {
// With field names, to test selectors above.
With importedpkg.AliasIndirectNamedWithReflect
Without importedpkg.AliasIndirectNamedWithoutReflect
// Embedding used to crash garble, too.
importedpkg.AliasIndirectNamedWithReflect
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
}
all: drop support for Go 1.17 Now that we've released v0.6.0, that will be the last feature release to feature support for Go 1.17. The upcoming v0.7.0 will be Go 1.18+. Code-wise, the cleanup here isn't super noticeable, but it will be easier to work on features like VCS-aware version information and generics support without worrying about Go 1.17. Plus, now CI is back to being much faster. Note how "go 1.18" in go.mod makes "go mod tidy" more aggressive.
2 years ago
func printfWithoutPackage(format string, v any) {
improve handling of reflect on foreign unnamed types If a package A imports package B, and uses reflect.TypeOf on an unnamed struct type B.T (such as an alias), we don't want to record B.T's fields as "do not obfuscate". This is for the same reason that we don't if B.T is a named struct type: the detection only works for the package defining the type, as otherwise it's inconsistent. We failed to handle this case well, because we assumed all struct types would be under some named type. This is not the case for type aliases. Fortunately, struct fields are named, and as such they are objects. Check their package too, just like we do for named types. Fixes another build error when obfuscating the protobuf module. We add a simplified version of the example above as a test case, which originated from debugging the protobuf build failure.
3 years ago
s := fmt.Sprintf(format, v)
slightly improve code thanks to Go 1.18 APIs strings.Cut makes some string handling code more intuitive. Note that we can't use it everywhere, as some places need LastIndexByte. Start using x/exp/slices, too, which is our first use of generics. Note that its API is experimental and may still change, but since we are not a library, we can control its version updates. I also noticed that we were using TrimSpace for importcfg files. It's actually unnecessary if we swap strings.SplitAfter for Split, as the only whitespace present was the trailing newline. While here, I noticed an unused copy of printfWithoutPackage.
2 years ago
if _, without, found := strings.Cut(s, "."); found {
s = without
improve handling of reflect on foreign unnamed types If a package A imports package B, and uses reflect.TypeOf on an unnamed struct type B.T (such as an alias), we don't want to record B.T's fields as "do not obfuscate". This is for the same reason that we don't if B.T is a named struct type: the detection only works for the package defining the type, as otherwise it's inconsistent. We failed to handle this case well, because we assumed all struct types would be under some named type. This is not the case for type aliases. Fortunately, struct fields are named, and as such they are objects. Check their package too, just like we do for named types. Fixes another build error when obfuscating the protobuf module. We add a simplified version of the example above as a test case, which originated from debugging the protobuf build failure.
3 years ago
}
fmt.Print(s)
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
}
type EncodingT struct {
Foo int
}
type RecursiveStruct struct {
*RecursiveStruct
list []RecursiveStruct
}
// This could crash or hang if we don't deal with loops.
var _ = reflect.TypeOf(RecursiveStruct{})
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
type IndirectReflection struct {
ReflectionField string
}
all: drop support for Go 1.17 Now that we've released v0.6.0, that will be the last feature release to feature support for Go 1.17. The upcoming v0.7.0 will be Go 1.18+. Code-wise, the cleanup here isn't super noticeable, but it will be easier to work on features like VCS-aware version information and generics support without worrying about Go 1.17. Plus, now CI is back to being much faster. Note how "go 1.18" in go.mod makes "go mod tidy" more aggressive.
2 years ago
func indirectReflection(v any) {
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
fmt.Println(reflect.TypeOf(v).Field(0).Name)
}
make KnownReflectAPIs aware of variadic funcs When a function definition is variadic, the number of parameters may not match the number of calling arguments. Our existing code was a bit naive with this edge case, leading to a panic when indexing call.Args. Keep track of that information, and properly handle all variadic arguments that may be used indirectly with reflection. We add a test case that used to panic, where 0 arguments are used for a variadic parameter, as well as a case where we need to disable obfuscation for a Go type used as the second variadic argument rather than the first. Finally, the old code in findReflectFunctions looked at Go function types from the point of view of go/ast.FuncType. Use go/types.Signature instead, where we don't need to deal with the grouping of variables in the original syntax, and which is more consistent with the rest of the garble codebase. Fixes #524.
2 years ago
type VariadicReflection struct {
ReflectionField string
}
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
type FmtType struct {
FmtTypeField int
}
avoid breaking github.com/davecgh/go-spew It assumes that reflect.Value has a field named "flag", which wasn't the case with obfuscated builds as we obfuscated it. We already treated the reflect package as special, for instance when not obfuscating Method or MethodByName. In a similar fashion, mark reflect's rtype and Value types to not be obfuscated alongside their field names. Note that rtype is the implementation behind the reflect.Type interface. This fix is fairly manual and repetitive. transformCompile, transformLinkname, and transformAsm should all use the same mechanism to tell if names should be obfuscated. However, they do not do that right now, and that refactor feels too risky for a bugfix release. We add more TODOs instead. We're not adding go-spew to scripts/check-third-party.sh since the project is largely abandoned. It's not even a Go module yet. The only broken bit from it is what we've added to our tests. Fixes #676.
1 year ago
// copied from github.com/davecgh/go-spew, which reaches into reflect's internals
ignore embedded fields used in reflection (#768) Fixes #765.
1 year ago
func testGoSpew() {
flagValOffset := func() uintptr {
field, ok := reflect.TypeOf(reflect.Value{}).FieldByName("flag")
if !ok {
panic("reflect.Value has no flag field")
}
return field.Offset
}()
type flag uintptr
flagField := func(v *reflect.Value) *flag {
return (*flag)(unsafe.Pointer(uintptr(unsafe.Pointer(v)) + flagValOffset))
}
type t0 int
var t struct {
A t0
t0
a t0
}
vA := reflect.ValueOf(t).FieldByName("A")
va := reflect.ValueOf(t).FieldByName("a")
vt0 := reflect.ValueOf(t).FieldByName("t0")
flagvA := *flagField(&vA)
flagva := *flagField(&va)
flagvt0 := *flagField(&vt0)
if flagvA&flagva&flagvt0 == 0 {
panic("reflect.Value read-only flag has changed semantics")
avoid breaking github.com/davecgh/go-spew It assumes that reflect.Value has a field named "flag", which wasn't the case with obfuscated builds as we obfuscated it. We already treated the reflect package as special, for instance when not obfuscating Method or MethodByName. In a similar fashion, mark reflect's rtype and Value types to not be obfuscated alongside their field names. Note that rtype is the implementation behind the reflect.Type interface. This fix is fairly manual and repetitive. transformCompile, transformLinkname, and transformAsm should all use the same mechanism to tell if names should be obfuscated. However, they do not do that right now, and that refactor feels too risky for a bugfix release. We add more TODOs instead. We're not adding go-spew to scripts/check-third-party.sh since the project is largely abandoned. It's not even a Go module yet. The only broken bit from it is what we've added to our tests. Fixes #676.
1 year ago
}
ignore embedded fields used in reflection (#768) Fixes #765.
1 year ago
type T0 int
var T struct {
A T0
T0
a T0
}
vA = reflect.ValueOf(T).FieldByName("A")
va = reflect.ValueOf(T).FieldByName("a")
vt0 = reflect.ValueOf(T).FieldByName("T0")
flagvA = *flagField(&vA)
flagva = *flagField(&va)
flagvt0 = *flagField(&vt0)
if flagvA&flagva&flagvt0 == 0 {
panic("reflect.Value read-only flag has changed semantics")
}
}
avoid breaking github.com/davecgh/go-spew It assumes that reflect.Value has a field named "flag", which wasn't the case with obfuscated builds as we obfuscated it. We already treated the reflect package as special, for instance when not obfuscating Method or MethodByName. In a similar fashion, mark reflect's rtype and Value types to not be obfuscated alongside their field names. Note that rtype is the implementation behind the reflect.Type interface. This fix is fairly manual and repetitive. transformCompile, transformLinkname, and transformAsm should all use the same mechanism to tell if names should be obfuscated. However, they do not do that right now, and that refactor feels too risky for a bugfix release. We add more TODOs instead. We're not adding go-spew to scripts/check-third-party.sh since the project is largely abandoned. It's not even a Go module yet. The only broken bit from it is what we've added to our tests. Fixes #676.
1 year ago
fix encoding/asn1 marshaling of pkix types See the added comment and test, which failed before the fix when the encoded certificate was decoded. It took a while to find the culprit in asn1, but in hindsight it's easy: case reflect.Slice: if t.Elem().Kind() == reflect.Uint8 { return false, TagOctetString, false, true } if strings.HasSuffix(t.Name(), "SET") { return false, TagSet, true, true } return false, TagSequence, true, true Fixes #711.
1 year ago
// encoding/x509 uses encoding/asn1, which uses reflect.
// In one place it depends on field names; that used to be broken by garble.
func testx509() {
priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
panic(err)
}
template := x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{Organization: []string{"Acme Co"}},
}
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
panic(err)
}
_, err = x509.ParseCertificate(derBytes)
if err != nil {
panic(err)
}
}
track converted types when recording reflection usage Fixes #763. Fixes #782. Fixes #785. Fixes #807.
8 months ago
type pingMsg struct {
Data string `sshtype:"192"`
}
type pongMsg struct {
Data string `sshtype:"193"`
}
// golang.org/x/crypto/ssh converts a reflected type to another type
func testSSH() {
var msg = pingMsg{
Data: "data",
}
json.Marshal(msg)
_ = pongMsg(msg)
}
// variations similar to ssh
type reflectedMsg struct {
Data string
}
type convertedMsg struct {
Data string
}
func reflectConvert() {
msg := reflectedMsg(convertedMsg{})
json.Marshal(msg)
}
type reflectedMsg2 struct {
Data string
}
type convertedMsg2 struct {
Data string
}
func unrelatedConvert() {
// only discoverable by rechecking the package
_ = convertedMsg2(reflectedMsg2{})
}
func reflectUnrelatedConv() {
var msg = reflectedMsg2{
Data: "data",
}
json.Marshal(msg)
}
avoid breaking github.com/davecgh/go-spew It assumes that reflect.Value has a field named "flag", which wasn't the case with obfuscated builds as we obfuscated it. We already treated the reflect package as special, for instance when not obfuscating Method or MethodByName. In a similar fashion, mark reflect's rtype and Value types to not be obfuscated alongside their field names. Note that rtype is the implementation behind the reflect.Type interface. This fix is fairly manual and repetitive. transformCompile, transformLinkname, and transformAsm should all use the same mechanism to tell if names should be obfuscated. However, they do not do that right now, and that refactor feels too risky for a bugfix release. We add more TODOs instead. We're not adding go-spew to scripts/check-third-party.sh since the project is largely abandoned. It's not even a Go module yet. The only broken bit from it is what we've added to our tests. Fixes #676.
1 year ago
rework reflection detection with ssa (#732) This is significantly more robust, than the ast based detection and can record very complex cases of indirect parameter reflection. Fixes #554
1 year ago
type StatUser struct {
Id int64 `gorm:"primaryKey"`
User_Id int64
}
type StatCompUser struct {
Id int64 `gorm:"primaryKey"`
User_Id int64
}
type Transaction struct {
Statement Statement
}
type Statement struct {
Dest interface{}
Model string
}
func find(dest interface{}) {
tx := Transaction{}
tx.Statement.Dest = dest
execute(tx)
}
func findComp(dest interface{}) {
tx := Transaction{
Statement: Statement{
Dest: dest,
},
}
execute(tx)
}
func execute(db Transaction) {
stmt := db.Statement
v := reflect.TypeOf(stmt.Dest)
fmt.Println(v)
}
type UnnamedStructInterface interface {
UnnamedStructMethod(struct{ UnnamedStructField string })
}
propagate "uses reflection" through SSA stores Up until now, the new SSA reflection detection relied on call sites to propagate which objects (named types, struct fields) used reflection. For example, given the code: json.Marshal(new(T)) we would first record that json.Marshal calls reflect.TypeOf, and then that the user's code called json.Marshal with the type *T. However, this would not catch a slight variation on the above: var t T reflect.TypeOf(t) t.foo = struct{bar int}{} Here, type T's fields such as "foo" and "bar" are not obfuscated, since our logic sees the call site and marks the type T recursively. However, the unnamed `struct{bar int}` type was still obfuscated, causing errors such as: cannot use struct{uKGvcJvD24 int}{} (value of type struct{uKGvcJvD24 int}) as struct{bar int} value in assignment The solution is to teach the analysis about *ssa.Store instructions in a similar way to how it already knows about *ssa.Call instructions. If we see a store where the destination type is marked for reflection, then we mark the source type as well, fixing the bug above. This fixes obfuscating github.com/gogo/protobuf/proto. A number of other Go modules fail with similar errors, and they look like very similar bugs, but this particular fix doesn't apply to them. Future incremental fixes will try to deal with those extra cases. Fixes #685.
11 months ago
// Some projects declare types with unnamed struct fields,
// and the entire type is used via reflection and cannot be obfuscated.
// However, when assigning to these fields, the use of inline anonymous struct types
// confused garble, and it did not obfuscate those inline structs as well.
// That resulted in "cannot use X as Y value in assignment" build errors.
var _ = reflect.TypeOf(UnnamedStructFields{})
type UnnamedStructFields struct {
// As seen in github.com/gogo/protobuf/proto.
unexportedGoGoProto *struct {
mu sync.Mutex
extensionMap map[int32]EncodingT
}
}
rework reflection detection with ssa (#732) This is significantly more robust, than the ast based detection and can record very complex cases of indirect parameter reflection. Fixes #554
1 year ago
track types used in make assigned to a reflected type Fixes #690.
7 months ago
func gobStruct() {
type gobAlias struct {
Security []map[string]struct {
List []string
Pad bool
}
}
alias := gobAlias{}
gob.NewEncoder(os.Stdout).Encode(alias)
alias.Security = make([]map[string]struct {
List []string
Pad bool
}, 0, len([]string{}))
}
func gobMap() {
type gobAlias struct {
Security map[string]struct {
List []string
Pad bool
}
}
alias := gobAlias{}
gob.NewEncoder(os.Stdout).Encode(alias)
alias.Security = make(map[string]struct {
List []string
Pad bool
}, len([]string{}))
}
func gobChan() {
type gobAlias struct {
Security chan struct {
List []string
Pad bool
}
}
alias := gobAlias{}
gob.NewEncoder(os.Stdout).Encode(alias)
alias.Security = make(chan struct {
List []string
Pad bool
}, len([]string{}))
}
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
-- importedpkg/imported.go --
package importedpkg
import (
rework reflection detection with ssa (#732) This is significantly more robust, than the ast based detection and can record very complex cases of indirect parameter reflection. Fixes #554
1 year ago
"fmt"
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
"reflect"
skip reflection detection for sibling packages Our allPkgs boolean logic was wrong, because it could still lead to garble obfuscating a type when used in the main package, but not in its defining package. The added test case shows such a case. To fix that, use a package path to only record the named objects from the target package, which is a narrower operation without this problem, but still makes all our tests pass. This makes the google.golang.org/protobuf/internal/filetype package start building.
3 years ago
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
"test/main/importedpkg/indirect"
skip reflection detection for sibling packages Our allPkgs boolean logic was wrong, because it could still lead to garble obfuscating a type when used in the main package, but not in its defining package. The added test case shows such a case. To fix that, use a package path to only record the named objects from the target package, which is a narrower operation without this problem, but still makes all our tests pass. This makes the google.golang.org/protobuf/internal/filetype package start building.
3 years ago
"test/main/importedpkg2"
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
)
type ReflectTypeOf int
var _ = reflect.TypeOf(ReflectTypeOf(0))
type ReflectTypeOfIndirect int
var _ = reflect.TypeOf(new([]*ReflectTypeOfIndirect))
type ReflectValueOf struct {
ExportedField string
unexportedField string
}
func (r *ReflectValueOf) ExportedMethodName() string { return "method: " + r.ExportedField }
var ReflectValueOfVar = ReflectValueOf{ExportedField: "abc"}
var _ = reflect.TypeOf(ReflectValueOfVar)
type ReflectInDefined struct {
ExportedField2 int
unexportedField2 int
skip reflection detection for sibling packages Our allPkgs boolean logic was wrong, because it could still lead to garble obfuscating a type when used in the main package, but not in its defining package. The added test case shows such a case. To fix that, use a package path to only record the named objects from the target package, which is a narrower operation without this problem, but still makes all our tests pass. This makes the google.golang.org/protobuf/internal/filetype package start building.
3 years ago
importedpkg2.ReflectInSiblingImport
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
}
var ReflectInDefinedVar = ReflectInDefined{ExportedField2: 9000}
var _ = reflect.TypeOf(ReflectInDefinedVar)
var _ = reflect.TypeOf([]*struct{EmbeddingOuter}{})
type EmbeddingOuter struct {
EmbeddingInner
Anon struct {
AnonField int
}
}
type EmbeddingInner struct {
InnerField int
}
improve handling of reflect on foreign unnamed types If a package A imports package B, and uses reflect.TypeOf on an unnamed struct type B.T (such as an alias), we don't want to record B.T's fields as "do not obfuscate". This is for the same reason that we don't if B.T is a named struct type: the detection only works for the package defining the type, as otherwise it's inconsistent. We failed to handle this case well, because we assumed all struct types would be under some named type. This is not the case for type aliases. Fortunately, struct fields are named, and as such they are objects. Check their package too, just like we do for named types. Fixes another build error when obfuscating the protobuf module. We add a simplified version of the example above as a test case, which originated from debugging the protobuf build failure.
3 years ago
type UnnamedWithDownstreamReflect = struct {
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
DownstreamObfuscated string
improve handling of reflect on foreign unnamed types If a package A imports package B, and uses reflect.TypeOf on an unnamed struct type B.T (such as an alias), we don't want to record B.T's fields as "do not obfuscate". This is for the same reason that we don't if B.T is a named struct type: the detection only works for the package defining the type, as otherwise it's inconsistent. We failed to handle this case well, because we assumed all struct types would be under some named type. This is not the case for type aliases. Fortunately, struct fields are named, and as such they are objects. Check their package too, just like we do for named types. Fixes another build error when obfuscating the protobuf module. We add a simplified version of the example above as a test case, which originated from debugging the protobuf build failure.
3 years ago
}
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
type (
AliasIndirectNamedWithReflect = indirect.IndirectNamedWithReflect
AliasIndirectNamedWithoutReflect = indirect.IndirectNamedWithoutReflect
)
obfuscate alias names like any other objects Before this change, we would try to never obfuscate alias names. That was far from ideal, as they can end up in field names via anonymous fields. Even then, we would sometimes still fail to build, because we would inconsistently obfuscate alias names. For example, in the added test case: --- FAIL: TestScripts/syntax (0.23s) testscript.go:397: > env GOPRIVATE='test/main,private.source' > garble build [stderr] # test/main/sub Lv_a8gRD.go:15: undefined: KCvSpxmQ To fix this problem, we set obj to be the TypeName corresponding to the alias when it is used as an embedded field. We can then make the right choice when obfuscating the name. Right now, all aliases will be obfuscated. A TODO exists about not obfuscating alias names when they're used as embedded fields in a struct type in the same package, and that package is used for reflection - since then, the alias name ends up as the field name. With these changes, the protobuf module now builds.
3 years ago
var _ = reflect.TypeOf(ReflectEmbeddingAlias{})
type ReflectEmbeddingAlias struct {
ReflectEmbeddedAlias
}
type ReflectEmbeddedAlias = ReflectEmbeddingNamed
type ReflectEmbeddingNamed struct{}
fix support with the latest Go master version It added packages which are only built with the boringcrypto build tag, so trying to `go list` them will fail even though it doesn't matter. While here, a few more minor cleanups: 1) Hide GarbleActionID and ToObfuscate from encoding/json, so that they can't possibly collide with the fields consumed from `go list -json`. 2) Add test cases for `garble build` with packages that fail to load. Note that this requires GOGARBLE=* to avoid its "does not match any package to be built" error. 3) Remove the last use of interface{}, in a testdata file. Fixes #531.
2 years ago
func VariadicReflect(x any, ys ...any) int {
make KnownReflectAPIs aware of variadic funcs When a function definition is variadic, the number of parameters may not match the number of calling arguments. Our existing code was a bit naive with this edge case, leading to a panic when indexing call.Args. Keep track of that information, and properly handle all variadic arguments that may be used indirectly with reflection. We add a test case that used to panic, where 0 arguments are used for a variadic parameter, as well as a case where we need to disable obfuscation for a Go type used as the second variadic argument rather than the first. Finally, the old code in findReflectFunctions looked at Go function types from the point of view of go/ast.FuncType. Use go/types.Signature instead, where we don't need to deal with the grouping of variables in the original syntax, and which is more consistent with the rest of the garble codebase. Fixes #524.
2 years ago
_ = reflect.TypeOf(x)
for _, y := range ys {
_ = reflect.TypeOf(y)
}
return len(ys)
}
rework reflection detection with ssa (#732) This is significantly more robust, than the ast based detection and can record very complex cases of indirect parameter reflection. Fixes #554
1 year ago
type ReflectUnnamedStruct int
func (ReflectUnnamedStruct) UnnamedStructMethod(s struct{ UnnamedStructField string }) {
fmt.Println(reflect.TypeOf(s))
}
skip reflection detection for sibling packages Our allPkgs boolean logic was wrong, because it could still lead to garble obfuscating a type when used in the main package, but not in its defining package. The added test case shows such a case. To fix that, use a package path to only record the named objects from the target package, which is a narrower operation without this problem, but still makes all our tests pass. This makes the google.golang.org/protobuf/internal/filetype package start building.
3 years ago
-- importedpkg2/imported2.go --
package importedpkg2
type ReflectInSiblingImport struct {
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
SiblingObfuscated string
}
-- importedpkg/indirect/indirect.go --
package indirect
import "reflect"
var _ = reflect.TypeOf(IndirectNamedWithReflect{})
type IndirectNamedWithReflect struct {
IndirectUnobfuscated string
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
DuplicateFieldName int
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
}
type IndirectNamedWithoutReflect struct {
IndirectObfuscated string
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
DuplicateFieldName int
skip reflection detection for sibling packages Our allPkgs boolean logic was wrong, because it could still lead to garble obfuscating a type when used in the main package, but not in its defining package. The added test case shows such a case. To fix that, use a package path to only record the named objects from the target package, which is a narrower operation without this problem, but still makes all our tests pass. This makes the google.golang.org/protobuf/internal/filetype package start building.
3 years ago
}
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
-- main.stdout --
9000
skip reflection detection for sibling packages Our allPkgs boolean logic was wrong, because it could still lead to garble obfuscating a type when used in the main package, but not in its defining package. The added test case shows such a case. To fix that, use a package path to only record the named objects from the target package, which is a narrower operation without this problem, but still makes all our tests pass. This makes the google.golang.org/protobuf/internal/filetype package start building.
3 years ago
{5 0 {}}
testdata: split reflection test cases into reflect.txt The detection of reflection usage is tricky and there are plenty of edge cases to test for. We definitely want one script for it, rather than splitting those cases between other scripts like imports.txt and syntax.txt. Moreover, those two were rather generic and large, so this helps keep a balance.
3 years ago
ReflectTypeOf
ReflectTypeOfIndirect
ReflectValueOf{ExportedField:"abc", unexportedField:""}
[method: abc]
detect more std API calls which use reflection Before, we would just notice direct calls to reflect's TypeOf and ValueOf. Any other uses of reflection, such as encoding/json or google.golang.org/protobuf, would require hints as documented by the README. Issue #162 outlines some ways we could fix this issue in a general way, automatically detecting what functions use reflection on their parameters, even for third party API funcs. However, that goal is pretty significant in terms of code and effort. As a temporary improvement, we can expand the list of "known" reflection APIs via a static table. Since this table is keyed by "func full name" strings, we could potentially include third party APIs, such as: google.golang.org/protobuf/proto.Marshal However, for now simply include all the std APIs we know about. If we fail to do the proper fix for automatic detection in the future, we can then fall back to expanding this global table for third parties. Update the README's docs, to clarify that the hint is not always necessary anymore. Also update the reflect.txt test to stop using the hint for encoding/json, and to also start testing text/template with a method call. While at it, I noticed that we weren't testing the println outputs, as they'd go to stderr - fix that too. Updates #162.
3 years ago
{"Foo":3}
Hello Dave.
{"InnerField":3,"Anon":{"AnonField":0}}
skip reflection detection for sibling packages Our allPkgs boolean logic was wrong, because it could still lead to garble obfuscating a type when used in the main package, but not in its defining package. The added test case shows such a case. To fix that, use a package path to only record the named objects from the target package, which is a narrower operation without this problem, but still makes all our tests pass. This makes the google.golang.org/protobuf/internal/filetype package start building.
3 years ago
{downstream}
{sibling}
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
{{indirect-with 3} {indirect-without 4} { 0}}
IndirectNamedWithReflect{IndirectUnobfuscated:"indirect-with", DuplicateFieldName:3}
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
ReflectionField
{0}
make KnownReflectAPIs aware of variadic funcs When a function definition is variadic, the number of parameters may not match the number of calling arguments. Our existing code was a bit naive with this edge case, leading to a panic when indexing call.Args. Keep track of that information, and properly handle all variadic arguments that may be used indirectly with reflection. We add a test case that used to panic, where 0 arguments are used for a variadic parameter, as well as a case where we need to disable obfuscation for a Go type used as the second variadic argument rather than the first. Finally, the old code in findReflectFunctions looked at Go function types from the point of view of go/ast.FuncType. Use go/types.Signature instead, where we don't need to deal with the grouping of variables in the original syntax, and which is more consistent with the rest of the garble codebase. Fixes #524.
2 years ago
VariadicReflection{ReflectionField:"variadic"}
rework reflection detection with ssa (#732) This is significantly more robust, than the ast based detection and can record very complex cases of indirect parameter reflection. Fixes #554
1 year ago
*main.StatUser
*main.StatCompUser
struct { UnnamedStructField string }
add a regression test for type names and reflect We were recently altering the logic in reflect.go for type names, which could have broken this kind of valid use of reflection. Add a regression test, which I verified would break before my last change to "simplify" the logic, which actually changed the logic, as xuannv112 correctly pointed out. After thinking about the change in behavior for a little while, I realised that the new behavior is more correct, hence the test.
1 year ago
TypeOfParent's own name: TypeOfParent
TypeOfParent named: TypeOfNamedField NamedReflectionField
TypeOfParent embedded: TypeOfEmbeddedField EmbeddedReflectionField