pascal-lab/Tai-e

Enhance support for array taint obj in taint config

75ACOL opened this issue · 3 comments

Description

import java.io.IOException;

public class TestTaiE2 {
    public static void main(String[] args) throws IOException {
        TestTaiE2 testTaiE2 = new TestTaiE2(args[0]);
        testTaiE2.sink();
    }
    private final String source;
    public TestTaiE2(String source) {
        this.source = source;
    }
    public void sink() throws IOException {
        Runtime.getRuntime().exec(source);
    }
}

Expected vs. Actual Behavior: The data flow from args to Runtime.getRuntime().exec(source) is to be found.
Steps to Reproduce: My taint-config.yml Configuration

sources:
  - { kind: param, method: "<org.example.test.TestTaiE2: void main(java.lang.String[])>", index: 0 }
sinks:
  - { kind: call,  method: "<java.lang.Runtime: java.lang.Process exec(java.lang.String)>", index: 0 }

Your Attempts to Resolve the Issue: I'm not sure if it's supported, or if it's going to be used Taint Analysis
Runtime Environment: java19
Tai-e Version: 0.2.2

Hello,

Thank you for bringing this issue to our attention. To help us address your concern more effectively, we would greatly appreciate additional details. Specifically, could you provide:

  • Steps to Reproduce: Please detail the specific steps that lead to the issue. If possible, include a minimal reproducible example.

If you're unsure about any of these details, feel free to ask for guidance. We're here to assist you. For your convenience, you can also use our issue templates and the example of how to write a reproducible case, which help in organizing and submitting the required information efficiently.

We appreciate your contribution to our project and look forward to your response. With the additional details, we aim to resolve this matter promptly and effectively.

Thank you for your cooperation and understanding.

I did it myself. 😇


We will support it soon! Stay tuned. 😉

Supported in latest commits ebab214...ca8e180!


Try to use this taint configuration:

sources:
-  - { kind: param, method: "<org.example.test.TestTaiE2: void main(java.lang.String[])>", index:  0     }
+  - { kind: param, method: "<org.example.test.TestTaiE2: void main(java.lang.String[])>", index: "0[*]" }
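
Review bot: the `[*]` suffix in `index: "0[*]"` on the `+` line is not explained anywhere in the snippet, and the value changes from a bare integer to a quoted string. Add a one-line comment above the entry saying that it refers to the elements of the `String[]` parameter rather than the array itself, and state that the `sinks:` entry from the original configuration keeps `index: 0`.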

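
A simplified model of why `index: 0` and `index: "0[*]"` give different results for the program in this issue, added here as an example and not Tai-e's own code. It assumes a points-to style propagation in which an array's elements are tracked separately from the array reference; the pointer and object names (`A`, `O`, `t`, `s`, `TAINT`) are made up for the illustration.

```java
import java.util.*;

// Toy points-to style model of TestTaiE2 (constructed for illustration; not Tai-e code).
public class ArrayTaintModel {
    static final String TAINT = "TAINT";

    static Set<String> pts(Map<String, Set<String>> m, String pointer) {
        return m.computeIfAbsent(pointer, k -> new HashSet<>());
    }

    // Copies everything `from` points to into `to`; returns true if `to` grew.
    static boolean copy(Map<String, Set<String>> m, String from, String to) {
        return pts(m, to).addAll(List.copyOf(pts(m, from)));
    }

    // sourceIndex models the `index` value of the param source: "0" or "0[*]".
    static boolean reachesSink(String sourceIndex) {
        Map<String, Set<String>> m = new HashMap<>();
        pts(m, "args").add("A"); // args refers to the String[] object A
        pts(m, "this").add("O"); // O is the TestTaiE2 instance
        if (sourceIndex.equals("0")) {
            pts(m, "args").add(TAINT); // taint object stands for the array reference
        } else if (sourceIndex.equals("0[*]")) {
            for (String o : List.copyOf(pts(m, "args"))) {
                pts(m, o + "[*]").add(TAINT); // taint object stands for the elements
            }
        } else {
            throw new IllegalArgumentException(sourceIndex);
        }
        boolean changed = true;
        while (changed) { // iterate to a fixed point
            changed = false;
            for (String o : List.copyOf(pts(m, "args"))) {
                changed |= copy(m, o + "[*]", "t"); // t = args[0]
            }
            for (String o : List.copyOf(pts(m, "this"))) {
                changed |= copy(m, "t", o + ".source"); // this.source = t
                changed |= copy(m, o + ".source", "s"); // exec(this.source)
            }
        }
        return pts(m, "s").contains(TAINT);
    }

    public static void main(String[] a) {
        System.out.println("index: 0      -> " + reachesSink("0"));
        System.out.println("index: \"0[*]\" -> " + reachesSink("0[*]"));
    }
}
```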