How to handle Java generics feature in taint analysis.
Spr1n9T1me opened this issue · 2 comments
Spr1n9T1me commented
Description
How should I handle the Java generics feature in taint analysis?
For example, if I want to use the extract() method below as the sink method, how should I write it in taint-config.yml?
    public E extract(Object oTarget) {
        ValueExtractor[] aExtractor = this.getExtractors();
        int i = 0;
        for (int c = aExtractor.length; i < c && oTarget != null; ++i) {
            // ...
        }
        // ...
    }
The return type of extract() is Java Generics E, and relevant content in taint-config.yml might be like:
    sinks:
      - { method: "<com.tangosol.util.extractorChainedExtractor: E extract(java.lang.Object)>", index: 0 }
Is it reasonable for E, or do we have some solutions for it?
zhangt2333 commented
As a result of type erasure, you can use <com.tangosol.util.extractorChainedExtractor: java.lang.Object extract(java.lang.Object)> instead.
Spr1n9T1me commented
It works! THX.
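
The type-erasure answer above, as an added example (not code from this thread or from the analysis tool): a small Java program that uses reflection to print the erased signature of a generic method in the <Class: ReturnType name(ParamTypes)> form used in the thread. ErasedSignature, Chained and first are constructed stand-ins, not Coherence code; the example goes beyond the thread's case by also showing that a bounded type variable erases to its first bound rather than java.lang.Object.

```java
import java.lang.reflect.Method;
import java.util.List;
import java.util.StringJoiner;

public class ErasedSignature {

    // Constructed stand-in for the class in the question; not Coherence code.
    static class Chained<E> {
        @SuppressWarnings("unchecked")
        public E extract(Object target) { return (E) target; }

        // A bounded type variable erases to its first bound, not to Object.
        public <N extends Number & Comparable<N>> N first(List<? extends N> items) {
            return items.get(0);
        }
    }

    // Builds "<Class: ReturnType name(ParamTypes)>" from the erased types,
    // which are the types recorded in the method descriptor in bytecode.
    static String erasedSignature(Method m) {
        StringJoiner params = new StringJoiner(",");
        for (Class<?> p : m.getParameterTypes()) {
            params.add(p.getTypeName());
        }
        return "<" + m.getDeclaringClass().getName() + ": "
                + m.getReturnType().getTypeName() + " "
                + m.getName() + "(" + params + ")>";
    }

    public static void main(String[] args) {
        for (Method m : Chained.class.getDeclaredMethods()) {
            if (m.isSynthetic()) continue; // skip compiler-generated methods
            // The source-level view keeps the type variable (E, N) ...
            System.out.println("declared: " + m.toGenericString());
            // ... but a bytecode-level analysis only sees the erased form.
            System.out.println("erased:   " + erasedSignature(m));
        }
    }
}
```

Running it against the real class on the classpath instead of the stand-in gives the exact string to paste into the sinks entry, which avoids a sink that silently never matches because the signature names a type variable.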