How can I tell if an element in a Map is tainted?
When I am doing taint analysis, if I set Map.get() as the propagation point, this time what I want to determine is whether the element taken out by get() is tainted or not, but the way provided by Tai-e based on the parameter index or base/result can't achieve this, is there a solution for this please?
Another question, when I don't consider whether the specific object in the Map contains a taint or not, but only the Map object itself, after I put a parameter into the Map and then use get to retrieve it, the taint disappears as well, but when I try to go and add HashMap.put() with HashMap.get() to the propagation point, the put method can't be found. Is there a problem with the usage?
## HashMap.get()
- { method: "<java.util.HashMap: java.lang.Object get(java.lang.Object)>",from: base, to: result }
## HashMap.put()
- { method: "<java.util.HashMap: java.lang.Object put(java.lang.Object, java.lang.Object)>",from: 0, to: base }
- { method: "<java.util.HashMap: java.lang.Object put(java.lang.Object, java.lang.Object)>",from: 1, to: base }
When I am doing taint analysis, if I set Map.get() as the propagation point, this time what I want to determine is whether the element taken out by get() is tainted or not, but the way provided by Tai-e based on the parameter index or base/result can't achieve this, is there a solution for this please?
I didn't understand your question clearly. Could you provide more information (Current Behavior/Expected Behavior/Reproducible Case/...)?
Is there a problem with the usage?
Redundant spaces between parameter types should be removed, such as:
- - { method: "<java.util.HashMap: java.lang.Object put(java.lang.Object, java.lang.Object)>",from: 1, to: base }
+ - { method: "<java.util.HashMap: java.lang.Object put(java.lang.Object,java.lang.Object)>",from: 1, to: base }
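Review bot: the `from: 0, to: base` rule for put needs the same change as this `from: 1` line. The config in the issue has two put rules written as `put(java.lang.Object, java.lang.Object)`, and both must read `put(java.lang.Object,java.lang.Object)` for the method to be found.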
Thank you very much, I solved my problem!
After removing the extra spaces my code worked, but my other query is that when I use the request.getParameterMap() method in tomcat, it doesn't seem to pass the taint correctly.
The actual map implementation class that request.getParameterMap() gets is org.apache.catalina.util.ParameterMap which extends HashMap, what should I do?
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(value="/cmdi-00/BenchmarkTest00016")
public class BenchmarkTest00016 extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        doPost(request, response);
    }

    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");

        java.util.Map<String,String[]> map = request.getParameterMap();
        String param = "";
        if (!map.isEmpty()) {
            String[] values = map.get("BenchmarkTest00016");
            if (values != null) param = values[0];
        }

        String bar = doSomething(request, param);

        String cmd = "";
        String osName = System.getProperty("os.name");
        if (osName.indexOf("Windows") != -1) {
            cmd = org.owasp.benchmark.helpers.Utils.getOSCommandString("echo");
        }

        Runtime r = Runtime.getRuntime();

        try {
            Process p = r.exec(cmd + bar);
            org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
        } catch (IOException e) {
            System.out.println("Problem executing cmdi - TestCase");
            response.getWriter().println(
                org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage())
            );
            return;
        }
    } // end doPost

    private static String doSomething(HttpServletRequest request, String param) throws ServletException, IOException {
        String bar = param;
        return bar;
    }
}
Here's my code, I'm using some testcase to refine the taint propagation points.
And my taint-config is:
- { method: "<javax.servlet.ServletRequestWrapper: java.util.Map getParameterMap()>", from: base, to: result }
## HashMap.get()
- { method: "<java.util.HashMap: java.lang.Object get(java.lang.Object)>",from: base, to: result }
## HashMap.put()
- { method: "<java.util.HashMap: java.lang.Object put(java.lang.Object,java.lang.Object)>",from: 0, to: base }
- { method: "<java.util.HashMap: java.lang.Object put(java.lang.Object,java.lang.Object)>",from: 1, to: base }
Thank you for providing this example code; it's incredibly helpful.
I would suggest examining the Points-to Set of the return value of request.getParameterMap() in the Points-to Result to determine its actual object (and class). Then, consider using its own method signature (if it overrides the method Map::put/Map::get) to write taint-config.yml, e.g.
- { method: "<org.apache.catalina.util.ParameterMap: java.lang.Object get(java.lang.Object)>", from: base, to: result }
...
When I try to do this, the following problem arises:
Even though I have added the directory where the corresponding class is located.
As far as I can see, ParameterMap does not override the get method.
I tried to add:
- { method: "<java.util.LinkedHashMap: java.lang.Object get(java.lang.Object)>",from: base, to: result }
Although this get method was added successfully, it still fails to capture the taint.
Even though I have added the directory where the corresponding class is located.
If the class ParameterMap is not found in reference analysis beginning from entrypoint (main method), you should use option --input-classes manually to add this class to the analyzed program P.
As far as I can see, ParameterMap does not override the get method.
It doesn't seem like that: https://github.com/apache/tomcat/blob/510c71b009085f94122bc18501d1981322846540/java/org/apache/catalina/util/ParameterMap.java#L204-L207
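The suggestion above, to write the transfer rule against the class that actually declares the method, as an added example that is not code from this thread or from Tai-e. It assumes a rule has to name the declaring class of the method a call resolves to; `TransferSignature` and `DemoParameterMap` are hypothetical names, the latter a constructed stand-in for `org.apache.catalina.util.ParameterMap`.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.stream.Collectors;

public class TransferSignature {

    // Constructed stand-in for org.apache.catalina.util.ParameterMap: it extends
    // LinkedHashMap and overrides get(), so the demo runs without Tomcat on the classpath.
    static class DemoParameterMap<K, V> extends LinkedHashMap<K, V> {
        @Override
        public V get(Object key) {
            return super.get(key);
        }
    }

    // Walk up from the runtime class to the first class that declares the method;
    // that is the method a virtual call on such an object dispatches to.
    static Method resolve(Class<?> runtimeClass, String name, Class<?>... params) {
        for (Class<?> c = runtimeClass; c != null; c = c.getSuperclass()) {
            try {
                return c.getDeclaredMethod(name, params);
            } catch (NoSuchMethodException e) {
                // not declared here, try the superclass
            }
        }
        throw new IllegalArgumentException(name + " not found on " + runtimeClass.getName());
    }

    // Render the signature in the form used in the taint-config above:
    // parameter types joined by "," with no space after the comma.
    // Class.getName() is only correct here for non-array types.
    static String signature(Method m) {
        String params = Arrays.stream(m.getParameterTypes())
                .map(Class::getName)
                .collect(Collectors.joining(","));
        return "<" + m.getDeclaringClass().getName() + ": "
                + m.getReturnType().getName() + " " + m.getName() + "(" + params + ")>";
    }

    public static void main(String[] args) {
        for (Class<?> c : new Class<?>[] {HashMap.class, LinkedHashMap.class, DemoParameterMap.class}) {
            System.out.println(c.getSimpleName());
            System.out.println("  get: " + signature(resolve(c, "get", Object.class)));
            System.out.println("  put: " + signature(resolve(c, "put", Object.class, Object.class)));
        }
    }
}
```

For the stand-in class, get is declared on the subclass itself while put is still declared on java.util.HashMap, so under the stated assumption the get rule and the put rule name different classes.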
Thank you very much, this was solved when I analysed the tomcat9 jar packages together!