Class TaintMethodConfig

    • Field Detail

      • fullMethodPattern

        protected static final Pattern fullMethodPattern
      • configPattern

        protected static final Pattern configPattern
    • Constructor Detail

      • TaintMethodConfig

        public TaintMethodConfig(boolean isConfigured)
        Constructs an empty summary
        Parameters:
        isConfigured - true for configured summaries, false for derived
      • TaintMethodConfig

        public TaintMethodConfig(TaintMethodConfig config)
        Creates a copy of the summary (output taint and output parameters taint not copied)
        Parameters:
        config - Original taint config to copy
    • Method Detail

      • getMutableStackIndices

        public Collection<Integer> getMutableStackIndices()
        Returns all stack indices modified by method if there are any
        Returns:
        unmodifiable collection of indices
        Throws:
        IllegalStateException - if there are no indices set
      • hasMutableStackIndices

        public boolean hasMutableStackIndices()
        Checks if there are any indices modified by method
        Returns:
        true if some index is set, false otherwise
      • addMutableStackIndex

        public void addMutableStackIndex(int mutableStackIndex)
        Adds a stack index modified by method
        Parameters:
        mutableStackIndex - index to add
        Throws:
        IllegalArgumentException - if index is negative
      • getOutputTaint

        public Taint getOutputTaint()
        Returns the output taint of the method describing the taint transfer
        Returns:
        a copy of the output taint or null if not set
      • setOuputTaint

        public void setOuputTaint(Taint taint)
        Sets the output taint of the method describing the taint transfer. A copy of the parameter is made and the variable index is invalidated.
        Parameters:
        taint - output taint to set
      • getDefaultConstructorConfig

        public static TaintMethodConfig getDefaultConstructorConfig(int stackSize)
        Constructs a default constructor summary (modifies 2 stack items with UNKNOWN taint state)
        Parameters:
        stackSize - size of the parameter stack (including instance)
        Returns:
        new instance of default summary
        Throws:
        IllegalArgumentException - for stackSize < 1
      • isInformative

        public boolean isInformative()
        Checks if the summary needs to be saved or has no information value
        Returns:
        true if summary should be saved, false otherwise
      • isConfigured

        public boolean isConfigured()
        Checks if the summary is configured or derived
        Returns:
        true if configured, false if derived
      • accepts

        public static boolean accepts(String typeSignature,
                                      String config)
      • load

        public TaintMethodConfig load(String taintConfig)
                               throws IOException
        Loads method summary from String.

        The summary should have the following syntax:
        resultTaintState |resultTaintTags #stackMutationIndexes, where
        • resultTaintState are stack indexes or Taint.State enums separated by comma, e.g. 1,2 or TAINTED
        • resultTaintTags are Taint.Tag enums separated by comma, started with plus or minus sign, e.g. +CR_ENCODED,-XSS_SAFE
        • stackMutationIndexes are stack indexes separated by comma, e.g. 3,4
        Example:
        org/owasp/esapi/Encoder.encodeForHTML(Ljava/lang/String;)Ljava/lang/String;:0|+XSS_SAFE,+CR_ENCODED,+LF_ENCODED
        • Here the summary is: 0|+XSS_SAFE,+CR_ENCODED,+LF_ENCODED
        • The result taint will be merged with the first method argument, index 0
        • The result taint will have XSS_SAFE, CR_ENCODED and LF_ENCODED tags set
        • Practically, the result string will keep the taint but will receive XSS_SAFE tags which are processed by XssJspDetector
        Example:
        org/owasp/esapi/Encoder.decodeForHTML(Ljava/lang/String;)Ljava/lang/String;:0|-XSS_SAFE,-CR_ENCODED,-LF_ENCODED
        • Here the result taint will be merged with the first method argument, index 0
        • The framework removes XSS_SAFE, CR_ENCODED and LF_ENCODED tags
        • Practically, the result string will keep the taint but XSS_SAFE tag is removed again
        Example:
        java/lang/StringBuilder.<init>(Ljava/lang/String;)V:0#1,2
        • Here the result taint will be merged with the first constructor argument, index 0
        • Framework also mutates taint of the StringBuilder object itself with the result taint, index 1
        • Because we are in a constructor, we need to specify one more taint index => 2
        • Practically, when the original String is tainted then StringBuilder will be tainted too
        Example:
        java/lang/StringBuilder.append(Ljava/lang/String;)Ljava/lang/StringBuilder;:0,1#1
        • Here the result taint will be merged with the method argument and the taint of the StringBuilder, index 0 and 1
        • Framework also mutates taint of the StringBuilder object itself with the result taint, index 1
        • Practically, the result taint is a merge of the String argument and the previous taint of the StringBuilder, and the result is also propagated back into the StringBuilder's taint state
        Important notes about stack indexes:
        • long and double types take two slots on stack and need two subsequent indexes, i.e. index of the String parameter in method(Ljava/lang/String;D) is 2, not 1 as one would expect
        • taint analysis adds two Taint objects on stack for constructors, don't forget to specify both
        Specified by:
        load in interface TaintTypeConfig
        Parameters:
        taintConfig - (state or parameter indices to merge separated by comma)#mutable position
        Returns:
        initialized object with taint method summary
        Throws:
        IOException - for bad format of parameter
        NullPointerException - if argument is null
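
The stack index rules described for load, as an added example that is not part of find-sec-bugs: it derives each parameter's stack index from a JVM method descriptor, counting long and double as two slots and giving the last parameter index 0. The class and method names are hypothetical, and placing the invoked object one past all parameter slots is an assumption generalized from the StringBuilder.append example above.

```java
import java.util.ArrayList;
import java.util.List;
// Added example, not find-sec-bugs code; all names here are hypothetical.
public class StackIndexExample {

    /** Slot width (1 or 2) of each parameter of a JVM method descriptor, in declaration order. */
    static List<Integer> slotWidths(String descriptor) {
        int end = descriptor.indexOf(')');
        if (!descriptor.startsWith("(") || end < 0)
            throw new IllegalArgumentException("not a method descriptor: " + descriptor);
        List<Integer> widths = new ArrayList<>();
        for (int i = 1; i < end; i++) {
            boolean array = descriptor.charAt(i) == '[';
            while (i < end && descriptor.charAt(i) == '[') i++;    // skip array dimensions
            char c = descriptor.charAt(i);
            if ("BCDFIJLSZ".indexOf(c) < 0) throw new IllegalArgumentException("bad type: " + c);
            if (c == 'L') i = descriptor.indexOf(';', i);          // object type runs to ';'
            if (i < 0 || i > end) throw new IllegalArgumentException("unterminated object type");
            // long (J) and double (D) take two slots; an array of them is a single reference
            widths.add(!array && (c == 'J' || c == 'D') ? 2 : 1);
        }
        return widths;
    }

    /** Stack index of parameter p (0-based, declaration order); the last parameter has index 0. */
    static int stackIndex(String descriptor, int p) {
        List<Integer> widths = slotWidths(descriptor);
        if (p < 0 || p >= widths.size()) throw new IndexOutOfBoundsException("no parameter " + p);
        int index = 0;
        for (int k = widths.size() - 1; k > p; k--) index += widths.get(k);
        return index;   // a long or double occupies this index and the next one
    }

    /** Assumed index of the object the method is invoked on: one past all parameter slots. */
    static int instanceIndex(String descriptor) {
        return slotWidths(descriptor).stream().mapToInt(Integer::intValue).sum();
    }

    public static void main(String[] args) {
        // Case from the notes above: the String parameter of method(Ljava/lang/String;D)
        System.out.println(stackIndex("(Ljava/lang/String;D)V", 0));
        // StringBuilder.append(String): indexes of the argument and of the StringBuilder
        String append = "(Ljava/lang/String;)Ljava/lang/StringBuilder;";
        System.out.println(stackIndex(append, 0) + "," + instanceIndex(append));
        // Constructed descriptor (long, String, int[]): index of each parameter
        String d = "(JLjava/lang/String;[I)V";
        for (int p = 0; p < 3; p++) System.out.println("param " + p + " -> " + stackIndex(d, p));
    }
}
```
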
      • setTypeSignature

        public void setTypeSignature(String typeSignature)
        Set full class and method signature for the analyzed method
        Parameters:
        typeSignature - method signature
      • getTypeSignature

        public String getTypeSignature()
        Returns the analyzed method full signature
        Returns:
        signature of the method
      • setParameterOutputTaint

        public void setParameterOutputTaint(int stackIndex,
                                            Taint taint)
        Stores output taint for method parameters to be used for back-propagation.

        Please note the stackIndex is in reverse order compared to the method parameters (and frame local variables), i.e. the last method parameter has index 0.
        Parameters:
        stackIndex - Index of the parameter on the stack
        taint - Output taint of the parameter
      • getParametersOutputTaints

        public Map<Integer,Taint> getParametersOutputTaints()
        Returns computed output taints for method parameters for back-propagation.

        Please note the stackIndex is in reverse order compared to the method parameters (and frame local variables), i.e. the last parameter has index 0.
        Returns:
        Unmodifiable copy of parameters' taints, indexed by parameter position on the stack
      • setParametersOutputTaintsProcessed

        public void setParametersOutputTaintsProcessed(boolean parametersOutputTaintsProcessed)
      • isParametersOutputTaintsProcessed

        public boolean isParametersOutputTaintsProcessed()