com.h3xstream.findsecbugs.taintanalysis

Class TaintClassConfig

java.lang.Object

com.h3xstream.findsecbugs.taintanalysis.TaintClassConfig

All Implemented Interfaces:

TaintTypeConfig

public class TaintClassConfig
extends Object
implements TaintTypeConfig

Summary of information about a class related to taint analysis, allows to configure default behavior for return types and type casts. Default configuration is mutable class with null taint state.

Author:

Tomas Polesovsky (Liferay, Inc.)

Field Summary

Fields

Modifier and Type	Field and Description
static Taint.State	DEFAULT_TAINT_STATE

Constructor Summary

Constructors

Constructor and Description
TaintClassConfig()

Method Summary

Modifier and Type	Method and Description
static boolean	accepts(String typeSignature, String taintConfig)
Taint.State	getTaintState()
Taint.State	getTaintState(Taint.State defaultState)
boolean	isImmutable()
TaintClassConfig	load(String taintConfig) Loads class summary from String The summary should have the following syntax: defaultTaintState #IMMUTABLE, where defaultTaintState means the Taint state for type casting and return types.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_TAINT_STATE

public static final Taint.State DEFAULT_TAINT_STATE

Constructor Detail

TaintClassConfig

public TaintClassConfig()

Method Detail

accepts

public static boolean accepts(String typeSignature,
                              String taintConfig)

load

public TaintClassConfig load(String taintConfig)
                      throws IOException

Loads class summary from String

The summary should have the following syntax:
defaultTaintState #IMMUTABLE, where

1. defaultTaintState means the Taint state for type casting and return types. Usually SAFE is used to specify classes that cannot contain injection escape characters
2. #IMMUTABLE flags is used for classes that cannot be subject to taint state mutation during taint analysis
3. at least one of two above are required

Example:
Ljava/lang/Boolean;:SAFE#IMMUTABLE

• Here the summary is: SAFE#IMMUTABLE
• When a object is casted to Boolean or Boolean is a method result type, the taint state will be always SAFE
• When applying taint mutation to method arguments, Boolean arguments cannot change taint state
• Practically, Booleans cannot transfer characters that could cause injections and thus are SAFE as return types and casts

Example:
Ljava/lang/String;:#IMMUTABLE

• String is immutable class and therefore String method arguments cannot change taint state
• Practically, String can carry injection sensitive characters but is always immutable

Example:
Ljava/util/concurrent/atomic/AtomicBoolean;:SAFE

• AtomicBoolean value can be changed but cannot carry injection sensitive value

Specified by:

load in interface TaintTypeConfig

Parameters:

taintConfig - state#IMMUTABLE, where state is one of Taint.STATE or empty

Returns:

initialized object with taint class summary

Throws:

IOException - for bad format of parameter

NullPointerException - if argument is null

getTaintState

public Taint.State getTaintState()

isImmutable

public boolean isImmutable()

getTaintState

public Taint.State getTaintState(Taint.State defaultState)