
taint-config files java-lang.txt and scala.txt propagate taint from character types #712

Merged: 4 commits, Jan 9, 2024

Conversation

jbindel (Contributor) commented Aug 18, 2023

For Issue #711, the taint on StringBuilder and StringBuffer from character types is propagated, and the Character class is no longer considered SAFE.

Because libraries may turn strings into character arrays and then rebuild the string, we cannot assume that a string built by adding characters individually will be untainted.

import java.io.FileInputStream;
import java.io.InputStream;

// "unsafe" is the tainted String; copying it one char at a time does not sanitize it.
StringBuilder buf = new StringBuilder();
for (char c : unsafe.toCharArray()) {
    // Maybe do other stuff but not necessarily remove unsafe sequences.
    buf.append(c);
}

// Later may build a stream from the characters that were in the unsafe string.
InputStream is = new FileInputStream("Hello" + buf);

This pull request changes the taint configuration for both the java-lang and scala classes that deal with individual characters.

John Bindel added 2 commits August 18, 2023 13:26
…idered taint-free.

Character types can convey taint because libraries sometimes create String values after converting one String into characters.
John Bindel added 2 commits August 18, 2023 15:49
…long and double.

The long and double primitive type parameters occupy two stack registers, so we check the locations of stack parameters that can modify taint status. Any reference types as well as primitive char will propagate taint to the resulting String.

Do not add a mutable stack index to the TaintMethodConfig because we don't have a mutable object on the stack in the case of the invokedynamic call.
In order to test invokedynamic string concatenation handling, we need to build some sample code with a later JDK, so use Java 11 for the compiler target in a new build submodule. We cannot currently switch the existing findsecbugs-samples-java to Java 11 without breaking tests, so a new module is added just for the Java 11 classes we want to test.

Added setter for FindSecBugsGlobalConfig.workaroundVisitInvokeDynamic that the unit test uses.
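The class below is an added example, not code from this pull request or from the find-sec-bugs sample modules. It puts the two situations discussed above into one compilable unit: the character-by-character rebuild from the description (plain char append and the Character wrapper), and the invokedynamic string concatenation with long and double arguments from the commit messages, each ending in a file-open sink of the kind the description uses. The class name, method names, the base directory and the `tainted` parameter (attacker-controlled input) are assumptions. Compile with a JDK 9+ target (for instance `--release 11`) so that the `+` concatenation is emitted as an invokedynamic call rather than a StringBuilder chain; the last method shows the fix a developer would actually apply, rejecting characters instead of copying them through.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not code from the find-sec-bugs repository. Class and method
// names are hypothetical; "tainted" stands for attacker-controlled input
// (e.g. a request parameter). BASE_DIR is an assumed application directory.
public class CharTaintSamples {

    private static final Path BASE_DIR = Paths.get("/var/app/data");

    // Appending individual chars from a tainted String: copying characters one
    // at a time does not remove "../" or any other unsafe sequence, so the
    // StringBuilder content must stay tainted all the way into the sink.
    public InputStream rebuildThroughChars(String tainted) throws IOException {
        StringBuilder buf = new StringBuilder();
        for (char c : tainted.toCharArray()) {
            buf.append(c); // taint must survive this append
        }
        return new FileInputStream(BASE_DIR.resolve(buf.toString()).toFile());
    }

    // Same thing through the Character wrapper (no longer treated as SAFE):
    // the value that comes out is exactly the attacker's character.
    public InputStream rebuildThroughCharacter(String tainted) throws IOException {
        StringBuffer buf = new StringBuffer();
        for (int i = 0; i < tainted.length(); i++) {
            buf.append(Character.valueOf(tainted.charAt(i)).charValue());
        }
        return new FileInputStream(BASE_DIR.resolve(buf.toString()).toFile());
    }

    // With a JDK 9+ compiler target this concatenation becomes an invokedynamic
    // call to StringConcatFactory.makeConcatWithConstants with descriptor
    // (JDCLjava/lang/String;)Ljava/lang/String;. The long and the double each
    // occupy two operand-stack slots, the char and the String one slot each;
    // the tainted String and the attacker-derived char both taint the result.
    public InputStream concatWithWideTypes(String tainted, long id, double ratio) throws IOException {
        char first = tainted.isEmpty() ? '_' : tainted.charAt(0);
        String name = "report-" + id + "-" + ratio + "-" + first + "-" + tainted + ".txt";
        return new FileInputStream(BASE_DIR.resolve(name).toFile());
    }

    // The developer-side fix: allowlist the characters and reject anything else
    // instead of copying them through, then confirm the resolved path is still
    // under BASE_DIR. With '/' and '.' rejected, traversal is impossible; the
    // startsWith check is a second line of defence.
    public InputStream rebuildWithAllowlist(String tainted) throws IOException {
        StringBuilder buf = new StringBuilder();
        for (char c : tainted.toCharArray()) {
            if ((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-' || c == '_') {
                buf.append(c);
            } else {
                throw new IllegalArgumentException("illegal character in file name");
            }
        }
        Path resolved = BASE_DIR.resolve(buf.toString()).normalize();
        if (!resolved.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return new FileInputStream(resolved.toFile());
    }
}
```

The first three methods are the shapes that, per the description and commit messages above, lost taint before this change (char append, Character round-trip, and invokedynamic concatenation whose long and double arguments shift the stack positions of the tainted String and char). The allowlist variant is included only as the hardened form a developer would write; whether a given scanner configuration treats it as sanitized is not something this page states.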
h3xstream (Member) left a comment

I didn't get the time to look at the changes in depth.
Thanks for contributing. I will try to do a release ASAP.

@h3xstream h3xstream merged commit aba3b5e into find-sec-bugs:master Jan 9, 2024
2 checks passed