Can the configuration of source and sink support wildcard characters, such as using * to match?
SEC-fsq opened this issue · 4 comments
Clear and concise description of the problem
Can the configuration of source and sink support wildcard characters, such as using * to match?
Impact Analysis
No response
Suggested Solution
No response
Alternative
No response
Intention to submit PR
No
Additional Context
No response
Oh, it is a very valuable and funny issue.
As it happens, we're working on a more convenient and dedicated mechanism for describing class/method/field in taint configuration; the hard part is we're trying to balance readability and functionality when designing the "wildcard" expression mechanism. For example, regular expressions are powerful, but they are less readable; maybe we need more functionality, such as describing subclasses, but more is not better, it depends.
Anyway, we will support it. Stay tuned for the next release milestone.
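As an added illustration of the readability trade-off the maintainer describes (not code from the project or its authors), here is a small Java glob matcher over Soot-style method signatures; the glob syntax, the class name SignatureGlob and the sample signatures are assumptions.

```java
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added illustration, not code from the project discussed in this issue.
 * It assumes a hypothetical glob syntax over Soot-style method signatures
 * "<class: returnType name(paramTypes)>", where '*' matches any run of
 * characters and everything else (including '.', '(', '[') is literal.
 */
public final class SignatureGlob {
    private final Pattern regex;

    public SignatureGlob(String glob) {
        this.regex = Pattern.compile(toRegex(glob));
    }

    /** Glob to anchored regex: quote each literal run, turn every '*' into ".*". */
    static String toRegex(String glob) {
        StringBuilder sb = new StringBuilder("^");
        String[] literals = glob.split("\\*", -1);   // -1 keeps empty trailing pieces
        for (int i = 0; i < literals.length; i++) {
            sb.append(Pattern.quote(literals[i]));     // '.' and '(' stay literal; the user escapes nothing
            if (i < literals.length - 1) sb.append(".*");
        }
        return sb.append("$").toString();
    }

    public boolean matches(String signature) {
        return regex.matcher(signature).matches();
    }

    public static void main(String[] args) {
        // Constructed sample signatures, in the form a taint config names sinks and sources.
        List<String> sigs = List.of(
            "<java.lang.Runtime: java.lang.Process exec(java.lang.String)>",
            "<java.lang.Runtime: java.lang.Process exec(java.lang.String[])>",
            "<java.lang.ProcessBuilder: java.lang.Process start()>",
            "<java.io.BufferedReader: java.lang.String readLine()>");
        // One glob covers every exec overload; the regex it expands to is the
        // less readable form the maintainer refers to above.
        String glob = "<java.lang.Runtime: * exec(*)>";
        SignatureGlob execSink = new SignatureGlob(glob);
        System.out.println("regex: " + toRegex(glob));
        for (String s : sigs) {
            System.out.println((execSink.matches(s) ? "SINK   " : "ignore ") + s);
        }
        // Limitation the maintainer raises: a glob on the class name cannot say
        // "any subclass of X", so a subclass inheriting the method is not matched.
    }
}
```

The first two signatures are reported as sinks and the other two are ignored; the printed regex shows the `\Q...\E` quoting that a hand-written regular expression would need for every dot and parenthesis.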
Can we consider opening up an inheritable abstract class that can use Java to write rules, so that users can override and implement the logic in DeserializeSources, DeserializeSinks, DeserializeSanitizers, and DeserializeTransfers according to their needs?
> Can we consider opening up an inheritable abstract class that can use Java to write rules
Writing taint configuration programmatically is our future plan. It's being incubated.
Support for signature wildcards is now available. Documentation is currently in progress.
Here's a preview: 96fde4b