com.h3xstream.findsecbugs.taintanalysis

Class TaintMethodConfig

java.lang.Object

com.h3xstream.findsecbugs.taintanalysis.TaintMethodConfig

All Implemented Interfaces:

TaintTypeConfig

Direct Known Subclasses:

TaintMethodConfigWithArgumentsAndLocation

public class TaintMethodConfig
extends Object
implements TaintTypeConfig

Summary of information about a method related to taint analysis.

For loading sinks files please see SinksLoader

Author:

David Formanek (Y Soft Corporation, a.s.)

Field Summary

Fields

Modifier and Type	Field and Description
protected static Pattern	configPattern
protected static Pattern	fullMethodPattern
static TaintMethodConfig	SAFE_CONFIG

Constructor Summary

Constructors

Constructor and Description
TaintMethodConfig(boolean isConfigured) Constructs an empty summary
TaintMethodConfig(TaintMethodConfig config) Creates a copy of the summary (output taint not copied)

Method Summary

Modifier and Type	Method and Description
static boolean	accepts(String typeSignature, String config)
void	addMutableStackIndex(int mutableStackIndex) Adds a stack index modified by method
static TaintMethodConfig	getDefaultConstructorConfig(int stackSize) Constructs a default constructor summary (modifies 2 stack items with UNKNOWN taint state)
Collection<Integer>	getMutableStackIndices() Returns all stack indices modified by method if there are any
Taint	getOutputTaint() Returns the output taint of the method describing the taint transfer
boolean	hasMutableStackIndices() Checks if there are any indices modified by method
boolean	isConfigured() Checks if the summary is configured or derived
boolean	isInformative() Checks if the summary needs to be saved or has no information value
TaintMethodConfig	load(String taintConfig) Loads method summary from String.
void	setOuputTaint(Taint taint) Sets the output taint of the method describing the taint transfer, copy of the parameter is made and variable index is invalidated
String	toString()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

SAFE_CONFIG

public static final TaintMethodConfig SAFE_CONFIG

fullMethodPattern

protected static final Pattern fullMethodPattern

configPattern

protected static final Pattern configPattern

Constructor Detail

TaintMethodConfig

public TaintMethodConfig(boolean isConfigured)

Constructs an empty summary

Parameters:

isConfigured - true for configured summaries, false for derived

TaintMethodConfig

public TaintMethodConfig(TaintMethodConfig config)

Creates a copy of the summary (output taint not copied)

Parameters:

config - Original taint config to copy

Method Detail

getMutableStackIndices

public Collection<Integer> getMutableStackIndices()

Returns all stack indices modified by method if there are any

Returns:

unmodifiable collection of indices

Throws:

IllegalStateException - if there are not indices set

hasMutableStackIndices

public boolean hasMutableStackIndices()

Checks if there are any indices modified by method

Returns:

true if some index is set, false otherwise

addMutableStackIndex

public void addMutableStackIndex(int mutableStackIndex)

Adds a stack index modified by method

Parameters:

mutableStackIndex - index to add

Throws:

IllegalArgumentException - if index is negative

getOutputTaint

public Taint getOutputTaint()

Returns the output taint of the method describing the taint transfer

Returns:

a copy of the output taint or null if not set

setOuputTaint

public void setOuputTaint(Taint taint)

Sets the output taint of the method describing the taint transfer, copy of the parameter is made and variable index is invalidated

Parameters:

taint - output taint to set

getDefaultConstructorConfig

public static TaintMethodConfig getDefaultConstructorConfig(int stackSize)

Constructs a default constructor summary (modifies 2 stack items with UNKNOWN taint state)

Parameters:

stackSize - size of the parameter stack (including instance)

Returns:

new instance of default summary

Throws:

IllegalArgumentException - for stackSize < 1

isInformative

public boolean isInformative()

Checks if the summary needs to be saved or has no information value

Returns:

true if summary should be saved, false otherwise

isConfigured

public boolean isConfigured()

Checks if the summary is configured or derived

Returns:

true if configured, false if derived

toString

public String toString()

Overrides:

toString in class Object

accepts

public static boolean accepts(String typeSignature,
                              String config)

load

public TaintMethodConfig load(String taintConfig)
                       throws IOException

Loads method summary from String.

The summary should have the following syntax:
resultTaintState |resultTaintTags #stackMutationIndexes, where

• resultTaintState are stack indexes or Taint.State enums separated by comma, e.g. 1,2 or TAINTED
• resultTaintTags are Taint.Tag enums separated by comma, started with plus or minus sign, e.g. +CR_ENCODED,-XSS_SAFE
• stackMutationIndexes are stack indexes separated by comma, e.g. 3,4

Example:
org/owasp/esapi/Encoder.encodeForHTML(Ljava/lang/String;)Ljava/lang/String;:0|+XSS_SAFE,+CR_ENCODED,+LF_ENCODED

• Here the summary is: 0|+XSS_SAFE,+CR_ENCODED,+LF_ENCODED
• The result taint will be merged with the first method argument, index 0
• The result taint will have XSS_SAFE, CR_ENCODED and CR_ENCODED tags set
• Practically, the result string will keep the taint but will receive XSS_SAFE tags which are processed by XssJspDetector

Example:
org/owasp/esapi/Encoder.decodeForHTML(Ljava/lang/String;)Ljava/lang/String;:0|-XSS_SAFE,-CR_ENCODED,-LF_ENCODED

• Here the result taint will be merged with the first method argument, index 0
• The framework removes XSS_SAFE, CR_ENCODED and CR_ENCODED tags
• Practically, the result string will keep the taint but XSS_SAFE tag is removed again

Example:
java/lang/StringBuilder.(Ljava/lang/String;)V:0#1,2

• Here the result taint will be merged with the first constructor argument, index 0
• Framework also mutates taint of the StringBuilder object itself with the result taint, index 1
• Because we are in a constructor, we need to specify one more taint index => 2
• Practically, when the original String is tainted then StringBuilder will be tainted too

Example:
java/lang/StringBuilder.append(Ljava/lang/String;)Ljava/lang/StringBuilder;:0,1#1

• Here the result taint will be merged with the method argument and the taint of the StringBuilder, index 0 and 1
• Framework also mutates taint of the StringBuilder object itself with the result taint, index 1
• Practically, the result taint is a merge of the String argument and previous taint of StringBuilder, on top propagates the result into StringBuilder's taint state again

Important notes about stack indexes:

• long and double types take two slots on stack and need two subsequent indexes, i.e. index of the String parameter in method(Ljava/lang/String;D) is 2, not 1 as one would expect
• taint analysis adds two Taint objects on stack for constructors, don't forget to specify both

Specified by:

load in interface TaintTypeConfig

Parameters:

taintConfig - (state or parameter indices to merge separated by comma)#mutable position

Returns:

initialized object with taint method summary

Throws:

IOException - for bad format of parameter

NullPointerException - if argument is null