pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '93ffa826a7'
${ noResults }
infer_clone/infer/tests/codetoanalyze/java/quandary/Strings.java

80 lines
2.4 KiB
Raw Normal View History Unescape

[quandary] support `StringBuilder`'s and other methods for propagating `String` taint Summary: Our default strategy for handling unknown code is to propagate taint from the actuals to the return value. But for commonly-used methods like `StringBuilder.append` (used every time you do `+` with a string in Java), this doesn't work. The taint should be propagated to both the receiver and the return value in these cases. I'm considering a solution where we always propagate taint to the receiver of unknown functions in the future, but I am concerned about the performance. So let's stick with a few special string cases for now. Reviewed By: cristianoc Differential Revision: D4124355 fbshipit-source-id: 5b2a232
8 years ago
/*
Change license to MIT Summary: Change the license of the source code from BSD + PATENTS to MIT. Change `checkCopyright` to reflect the new license and learn some new file types. Generated with: ``` git grep BSD | xargs -n 1 ./scripts/checkCopyright -i ``` Reviewed By: jeremydubreil, mbouaziz, jberdine Differential Revision: D8071249 fbshipit-source-id: 97ca23a
7 years ago
* Copyright (c) 2015-present, Facebook, Inc.
[quandary] support `StringBuilder`'s and other methods for propagating `String` taint Summary: Our default strategy for handling unknown code is to propagate taint from the actuals to the return value. But for commonly-used methods like `StringBuilder.append` (used every time you do `+` with a string in Java), this doesn't work. The taint should be propagated to both the receiver and the return value in these cases. I'm considering a solution where we always propagate taint to the receiver of unknown functions in the future, but I am concerned about the performance. So let's stick with a few special string cases for now. Reviewed By: cristianoc Differential Revision: D4124355 fbshipit-source-id: 5b2a232
8 years ago
*
Change license to MIT Summary: Change the license of the source code from BSD + PATENTS to MIT. Change `checkCopyright` to reflect the new license and learn some new file types. Generated with: ``` git grep BSD | xargs -n 1 ./scripts/checkCopyright -i ``` Reviewed By: jeremydubreil, mbouaziz, jberdine Differential Revision: D8071249 fbshipit-source-id: 97ca23a
7 years ago
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
[quandary] support `StringBuilder`'s and other methods for propagating `String` taint Summary: Our default strategy for handling unknown code is to propagate taint from the actuals to the return value. But for commonly-used methods like `StringBuilder.append` (used every time you do `+` with a string in Java), this doesn't work. The taint should be propagated to both the receiver and the return value in these cases. I'm considering a solution where we always propagate taint to the receiver of unknown functions in the future, but I am concerned about the performance. So let's stick with a few special string cases for now. Reviewed By: cristianoc Differential Revision: D4124355 fbshipit-source-id: 5b2a232
8 years ago
*/
//package codetoanalyze.java.quandary;
import java.util.Formatter;
import com.facebook.infer.builtins.InferTaint;
/** a lot of tainted values are strings, so propagation through StringBuilder's and the like is very
* important. */
public class Strings {
void viaStringBuilderSugarBad() {
Object source = InferTaint.inferSecretSource();
InferTaint.inferSensitiveSink(source + "");
}
void viaStringBuilderBad() {
Object source = InferTaint.inferSecretSource();
StringBuilder builder = new StringBuilder();
InferTaint.inferSensitiveSink(builder.append(source).append("").toString());
}
void viaStringBuilderIgnoreReturnBad() {
Object source = InferTaint.inferSecretSource();
StringBuilder builder = new StringBuilder();
// builder should be tainted after this call even though we ignore the return value
builder.append(source);
InferTaint.inferSensitiveSink(builder.toString());
}
void viaStringBufferBad() {
Object source = InferTaint.inferSecretSource();
StringBuffer buffer = new StringBuffer();
InferTaint.inferSensitiveSink(buffer.append("").append(source).toString());
}
void viaStringBufferIgnoreReturnBad() {
Object source = InferTaint.inferSecretSource();
StringBuffer buffer = new StringBuffer();
buffer.append(source);
InferTaint.inferSensitiveSink(buffer.toString());
}
void viaFormatterBad() {
Object source = InferTaint.inferSecretSource();
Formatter formatter = new Formatter();
InferTaint.inferSensitiveSink(formatter.format("%s", source).toString());
}
void viaFormatterIgnoreReturnBad() {
Object source = InferTaint.inferSecretSource();
Formatter formatter = new Formatter();
formatter.format("%s", source);
InferTaint.inferSensitiveSink(formatter.toString());
}
[quandary] optimize handling of unknown code by adding notion of 'taintable types' Reviewed By: jeremydubreil Differential Revision: D4846886 fbshipit-source-id: d8364cc
8 years ago
void viaStringFormatVarArgsDirectBad() {
Object source = InferTaint.inferSecretSource();
String tainted = String.format("%s%s", "hi", source);
InferTaint.inferSensitiveSink(tainted);
}
void viaStringFormatVarArgsIndirect(Object param) {
String tainted = String.format("%s%s", "hi", param);
InferTaint.inferSensitiveSink(tainted);
}
[quandary] don't add callee-local state to the caller Summary: If we couldn't project the callee access path into the caller during summary application, we still added the corresponding trace to the caller state. This was wasteful; it just bloats the caller with state it will never look at. Fixed it by making `get_caller_ap_node` return `None` when the state won't be visible in the caller. Reviewed By: jeremydubreil Differential Revision: D4727937 fbshipit-source-id: 87665e9
8 years ago
void viaStringFormatVarArgsIndirectBad() {
[quandary] optimize handling of unknown code by adding notion of 'taintable types' Reviewed By: jeremydubreil Differential Revision: D4846886 fbshipit-source-id: d8364cc
8 years ago
viaStringFormatVarArgsIndirect(InferTaint.inferSecretSource());
}
[quandary] support `StringBuilder`'s and other methods for propagating `String` taint Summary: Our default strategy for handling unknown code is to propagate taint from the actuals to the return value. But for commonly-used methods like `StringBuilder.append` (used every time you do `+` with a string in Java), this doesn't work. The taint should be propagated to both the receiver and the return value in these cases. I'm considering a solution where we always propagate taint to the receiver of unknown functions in the future, but I am concerned about the performance. So let's stick with a few special string cases for now. Reviewed By: cristianoc Differential Revision: D4124355 fbshipit-source-id: 5b2a232
8 years ago
}