Package com.h3xstream.findsecbugs.taintanalysis.extra

Class JstlExpressionWhiteLister

java.lang.Object

com.h3xstream.findsecbugs.injection.AbstractTaintDetector

com.h3xstream.findsecbugs.injection.AbstractInjectionDetector

com.h3xstream.findsecbugs.injection.BasicInjectionDetector

com.h3xstream.findsecbugs.taintanalysis.extra.JstlExpressionWhiteLister

All Implemented Interfaces:

TaintFrameAdditionalVisitor, edu.umd.cs.findbugs.Detector, edu.umd.cs.findbugs.Priorities

public class JstlExpressionWhiteLister
extends BasicInjectionDetector
implements TaintFrameAdditionalVisitor

This detector will set the return value of PageContextImpl.proprietaryEvaluate as safe for XSS is some very specific case. Because the most common false positive are similar, can use a whitelist of expression to ignored. Here are some patterns that, we considered safe: ${e:forHtmlContent(param.test_param)} OWASP Java Encoder being used ${e:forHtmlContent(someVariable1)} ${pageContext.request.contextPath} Not to be confused with the pathInfo. This information is not coming from the client. With Tomcat 5.5, their seems to be a different API with a 5th parameter (boolean). Ref Additional safe regular expression patterns can be added by specifying a file in the system property "findsecbugs.jstlsafe.customregexfile".

Field Summary

Fields inherited from class com.h3xstream.findsecbugs.injection.AbstractInjectionDetector

injectionSinks

Fields inherited from class com.h3xstream.findsecbugs.injection.AbstractTaintDetector

bugReporter

Fields inherited from interface edu.umd.cs.findbugs.Priorities

EXP_PRIORITY, HIGH_PRIORITY, IGNORE_PRIORITY, LOW_PRIORITY, NORMAL_PRIORITY

Constructor Summary

Constructors

Constructor	Description
JstlExpressionWhiteLister(edu.umd.cs.findbugs.BugReporter bugReporter)

Method Summary

Modifier and Type	Method	Description
void	visitField(org.apache.bcel.generic.FieldInstruction put, org.apache.bcel.generic.MethodGen methodGen, TaintFrame frameType, Taint taintFrame, int numProduced, org.apache.bcel.generic.ConstantPoolGen cpg)
void	visitInvoke(org.apache.bcel.generic.InvokeInstruction invoke, org.apache.bcel.generic.MethodGen methodGen, TaintFrame frameType, List<Taint> parameters, org.apache.bcel.generic.ConstantPoolGen cpg)	This method will be triggered for every method invocation (static, interface, special and virtual).
void	visitLoad(org.apache.bcel.generic.LoadInstruction load, org.apache.bcel.generic.MethodGen methodGen, TaintFrame frameType, int numProduced, org.apache.bcel.generic.ConstantPoolGen cpg)
void	visitReturn(org.apache.bcel.generic.MethodGen methodGen, Taint returnValue, org.apache.bcel.generic.ConstantPoolGen cpg)

Methods inherited from class com.h3xstream.findsecbugs.injection.BasicInjectionDetector

addParsedInjectionPoint, getInjectionPoint, loadConfiguredSinks, loadConfiguredSinks, loadCustomSinks, loadCustomSinksConfigFiles, loadSink, registerVisitor

Methods inherited from class com.h3xstream.findsecbugs.injection.AbstractInjectionDetector

analyzeLocation, getPriority, getPriorityFromTaintFrame, report

Methods inherited from class com.h3xstream.findsecbugs.injection.AbstractTaintDetector

analyzeMethod, shouldAnalyzeClass, visitClassContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

JstlExpressionWhiteLister

public JstlExpressionWhiteLister(edu.umd.cs.findbugs.BugReporter bugReporter)

Method Detail

visitInvoke

public void visitInvoke(org.apache.bcel.generic.InvokeInstruction invoke,
                        org.apache.bcel.generic.MethodGen methodGen,
                        TaintFrame frameType,
                        List<Taint> parameters,
                        org.apache.bcel.generic.ConstantPoolGen cpg)
                 throws edu.umd.cs.findbugs.ba.DataflowAnalysisException

Description copied from interface: TaintFrameAdditionalVisitor

This method will be triggered for every method invocation (static, interface, special and virtual). The constant pool allowed the resolution of method name, field name, constant strings, etc. The taintframe

Specified by:

visitInvoke in interface TaintFrameAdditionalVisitor

methodGen - Method

frameType - Frame representation after the invoke (results)

parameters - Stack representation just before the invoke

Throws:

edu.umd.cs.findbugs.ba.DataflowAnalysisException

visitLoad

public void visitLoad(org.apache.bcel.generic.LoadInstruction load,
                      org.apache.bcel.generic.MethodGen methodGen,
                      TaintFrame frameType,
                      int numProduced,
                      org.apache.bcel.generic.ConstantPoolGen cpg)

Specified by:

visitLoad in interface TaintFrameAdditionalVisitor

visitField

public void visitField(org.apache.bcel.generic.FieldInstruction put,
                       org.apache.bcel.generic.MethodGen methodGen,
                       TaintFrame frameType,
                       Taint taintFrame,
                       int numProduced,
                       org.apache.bcel.generic.ConstantPoolGen cpg)
                throws Exception

Specified by:

visitField in interface TaintFrameAdditionalVisitor

Throws:

Exception

visitReturn

public void visitReturn(org.apache.bcel.generic.MethodGen methodGen,
                        Taint returnValue,
                        org.apache.bcel.generic.ConstantPoolGen cpg)
                 throws Exception

Specified by:

visitReturn in interface TaintFrameAdditionalVisitor

Parameters:

methodGen - Method

returnValue - State of the returned value.

Throws:

Exception