Track taint for String.valueOf(..)

Benjamin Muskalla
2021-07-29 09:10:38 +02:00
parent d900fcaf42
commit b7b74b51a3
3 changed files with 30 additions and 26 deletions


@@ -34,6 +34,9 @@ public class B {
// tainted - data preserving constructors
String constructed = new String(complex);
sink(constructed);
// tainted - data preserving method
String valueOf = String.valueOf(complex.toCharArray());
sink(valueOf);
// tainted - unsafe escape
String badEscape = constructed.replaceAll("(<script>)", "");
sink(badEscape);
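Review bot: The added case `String valueOf = String.valueOf(complex.toCharArray());` pins only the `char[]` overload, so this test would still pass if the taint step missed the other data-preserving overloads, and a missed overload is a silent false negative for every query built on this flow. The model change itself is not visible on this page, so which signatures it covers is unknown. If it is meant to cover them, add sibling cases such as `sink(String.valueOf((Object) complex));` and `sink(String.valueOf(complex.toCharArray(), 0, 1));`, then regenerate the expected-results table. If only `char[]` is intended, say so in the comment, for example `// tainted - data preserving method (char[] overload only)`. The enclosing test method starts and ends outside this hunk.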


@@ -10,31 +10,32 @@
| B.java:15:21:15:27 | taint(...) | B.java:30:10:30:15 | method |
| B.java:15:21:15:27 | taint(...) | B.java:33:10:33:16 | complex |
| B.java:15:21:15:27 | taint(...) | B.java:36:10:36:20 | constructed |
| B.java:15:21:15:27 | taint(...) | B.java:39:10:39:18 | badEscape |
| B.java:15:21:15:27 | taint(...) | B.java:42:10:42:14 | token |
| B.java:15:21:15:27 | taint(...) | B.java:55:10:55:13 | cond |
| B.java:15:21:15:27 | taint(...) | B.java:58:10:58:14 | logic |
| B.java:15:21:15:27 | taint(...) | B.java:60:10:60:39 | endsWith(...) |
| B.java:15:21:15:27 | taint(...) | B.java:63:10:63:14 | logic |
| B.java:15:21:15:27 | taint(...) | B.java:39:10:39:16 | valueOf |
| B.java:15:21:15:27 | taint(...) | B.java:42:10:42:18 | badEscape |
| B.java:15:21:15:27 | taint(...) | B.java:45:10:45:14 | token |
| B.java:15:21:15:27 | taint(...) | B.java:58:10:58:13 | cond |
| B.java:15:21:15:27 | taint(...) | B.java:61:10:61:14 | logic |
| B.java:15:21:15:27 | taint(...) | B.java:63:10:63:39 | endsWith(...) |
| B.java:15:21:15:27 | taint(...) | B.java:66:10:66:14 | logic |
| B.java:15:21:15:27 | taint(...) | B.java:74:10:74:16 | trimmed |
| B.java:15:21:15:27 | taint(...) | B.java:76:10:76:14 | split |
| B.java:15:21:15:27 | taint(...) | B.java:78:10:78:14 | lower |
| B.java:15:21:15:27 | taint(...) | B.java:80:10:80:14 | upper |
| B.java:15:21:15:27 | taint(...) | B.java:82:10:82:14 | bytes |
| B.java:15:21:15:27 | taint(...) | B.java:84:10:84:17 | toString |
| B.java:15:21:15:27 | taint(...) | B.java:86:10:86:13 | subs |
| B.java:15:21:15:27 | taint(...) | B.java:88:10:88:13 | repl |
| B.java:15:21:15:27 | taint(...) | B.java:90:10:90:16 | replAll |
| B.java:15:21:15:27 | taint(...) | B.java:92:10:92:18 | replFirst |
| B.java:15:21:15:27 | taint(...) | B.java:105:12:105:25 | serializedData |
| B.java:15:21:15:27 | taint(...) | B.java:117:12:117:27 | deserializedData |
| B.java:15:21:15:27 | taint(...) | B.java:126:10:126:21 | taintedArray |
| B.java:15:21:15:27 | taint(...) | B.java:128:10:128:22 | taintedArray2 |
| B.java:15:21:15:27 | taint(...) | B.java:130:10:130:22 | taintedArray3 |
| B.java:15:21:15:27 | taint(...) | B.java:133:10:133:44 | toURL(...) |
| B.java:15:21:15:27 | taint(...) | B.java:136:10:136:37 | toPath(...) |
| B.java:15:21:15:27 | taint(...) | B.java:139:10:139:46 | toFile(...) |
| B.java:15:21:15:27 | taint(...) | B.java:69:10:69:14 | logic |
| B.java:15:21:15:27 | taint(...) | B.java:77:10:77:16 | trimmed |
| B.java:15:21:15:27 | taint(...) | B.java:79:10:79:14 | split |
| B.java:15:21:15:27 | taint(...) | B.java:81:10:81:14 | lower |
| B.java:15:21:15:27 | taint(...) | B.java:83:10:83:14 | upper |
| B.java:15:21:15:27 | taint(...) | B.java:85:10:85:14 | bytes |
| B.java:15:21:15:27 | taint(...) | B.java:87:10:87:17 | toString |
| B.java:15:21:15:27 | taint(...) | B.java:89:10:89:13 | subs |
| B.java:15:21:15:27 | taint(...) | B.java:91:10:91:13 | repl |
| B.java:15:21:15:27 | taint(...) | B.java:93:10:93:16 | replAll |
| B.java:15:21:15:27 | taint(...) | B.java:95:10:95:18 | replFirst |
| B.java:15:21:15:27 | taint(...) | B.java:108:12:108:25 | serializedData |
| B.java:15:21:15:27 | taint(...) | B.java:120:12:120:27 | deserializedData |
| B.java:15:21:15:27 | taint(...) | B.java:129:10:129:21 | taintedArray |
| B.java:15:21:15:27 | taint(...) | B.java:131:10:131:22 | taintedArray2 |
| B.java:15:21:15:27 | taint(...) | B.java:133:10:133:22 | taintedArray3 |
| B.java:15:21:15:27 | taint(...) | B.java:136:10:136:44 | toURL(...) |
| B.java:15:21:15:27 | taint(...) | B.java:139:10:139:37 | toPath(...) |
| B.java:15:21:15:27 | taint(...) | B.java:142:10:142:46 | toFile(...) |
| MethodFlow.java:7:22:7:28 | taint(...) | MethodFlow.java:8:10:8:16 | tainted |
| MethodFlow.java:9:31:9:37 | taint(...) | MethodFlow.java:10:10:10:17 | tainted2 |
| MethodFlow.java:11:35:11:41 | taint(...) | MethodFlow.java:12:10:12:17 | tainted3 |