Summary: Our default strategy for handling unknown code is to propagate taint from the actuals to the return value. But for commonly-used methods like `StringBuilder.append` (used every time you do `+` with a string in Java), this doesn't work. The taint should be propagated to both the receiver and the return value in these cases. I'm considering a solution where we always propagate taint to the receiver of unknown functions in the future, but I am concerned about the performance. So let's stick with a few special string cases for now. Reviewed By: cristianoc Differential Revision: D4124355 fbshipit-source-id: 5b2a232master
parent
ae5f8eff0d
commit
0b9727214d
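--- /dev/null
+++ b/Strings.java
@@ -0,0 +1,66 @@
+/*
+* Copyright (c) 2015 - present Facebook, Inc.
+* All rights reserved.
+*
+* This source code is licensed under the BSD style license found in the
+* LICENSE file in the root directory of this source tree. An additional grant
+* of patent rights can be found in the PATENTS file in the same directory.
+*/
+
+//package codetoanalyze.java.quandary;
+
+import java.util.Formatter;
+
+import com.facebook.infer.builtins.InferTaint;
+
+/** a lot of tainted values are strings, so propagation through StringBuilder's and the like is very
+* important. */
+
+public class Strings {
+
+void viaStringBuilderSugarBad() {
+Object source = InferTaint.inferSecretSource();
+InferTaint.inferSensitiveSink(source + "");
+}
+
+void viaStringBuilderBad() {
+Object source = InferTaint.inferSecretSource();
+StringBuilder builder = new StringBuilder();
+InferTaint.inferSensitiveSink(builder.append(source).append("").toString());
+}
+
+void viaStringBuilderIgnoreReturnBad() {
+Object source = InferTaint.inferSecretSource();
+StringBuilder builder = new StringBuilder();
+// builder should be tainted after this call even though we ignore the return value
+builder.append(source);
+InferTaint.inferSensitiveSink(builder.toString());
+}
+
+void viaStringBufferBad() {
+Object source = InferTaint.inferSecretSource();
+StringBuffer buffer = new StringBuffer();
+InferTaint.inferSensitiveSink(buffer.append("").append(source).toString());
+}
+
+void viaStringBufferIgnoreReturnBad() {
+Object source = InferTaint.inferSecretSource();
+StringBuffer buffer = new StringBuffer();
+buffer.append(source);
+InferTaint.inferSensitiveSink(buffer.toString());
+}
+
+void viaFormatterBad() {
+Object source = InferTaint.inferSecretSource();
+Formatter formatter = new Formatter();
+InferTaint.inferSensitiveSink(formatter.format("%s", source).toString());
+}
+
+void viaFormatterIgnoreReturnBad() {
+Object source = InferTaint.inferSecretSource();
+Formatter formatter = new Formatter();
+formatter.format("%s", source);
+InferTaint.inferSensitiveSink(formatter.toString());
+}
+
+}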
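Review bot: Every method in the new Strings test class is a `...Bad` case, so the file only checks that receiver tainting reports a flow and never that it does not over-report once append/format start tainting the receiver. A sibling such as `void viaStringBuilderOk() { StringBuilder builder = new StringBuilder(); builder.append(""); InferTaint.inferSensitiveSink(builder.toString()); }`, where no source reaches the builder, would pin the absence of a false positive for the same special-cased methods. The package declaration is commented out (`//package codetoanalyze.java.quandary;`), which presumably differs from the other test files in this directory and is worth restoring or explaining in a comment. Separately, `new Formatter()` in viaFormatterBad and viaFormatterIgnoreReturnBad is never closed; that is harmless for a test fixture but a one-line `// Formatter is not closed; fine for an analysis fixture` would stop the next reader from "fixing" it into a try-with-resources and changing the control flow under test.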