pascal-lab/Tai-e

Missed in Inter-taint analysis

SolLupus opened this issue · 0 comments

Description

This is the code I want to analyze.
```java
public String getImageSec(String filepath) throws IOException {
    if (SecurityUtil.pathFilter(filepath) == null) {
        logger.info("Illegal file path: " + filepath);
        return "Bad boy. Illegal file path.";
    }
    return getImgBase64(filepath);
}

private String getImgBase64(String imgFile) throws IOException {

    logger.info("Working directory: " + System.getProperty("user.dir"));
    logger.info("File path: " + imgFile);

    File f = new File(imgFile);
    if (f.exists() && !f.isDirectory()) {
        byte[] data = Files.readAllBytes(Paths.get(imgFile));
        return new String(Base64.encodeBase64(data));
    } else {
        return "File doesn't exist or is not a file.";
    }
}
```

And this is my taint-config:
```yaml
sources:
  - { kind: param, method: "<org.joychou.controller.PathTraversal: java.lang.String getImageSec(java.lang.String)>", index: 0 }

sinks:
  - { method: "<java.nio.file.Files: byte[] readAllBytes(java.nio.file.Path)>", index: result }

transfers:
  - { method: "<java.lang.String: java.lang.String concat(java.lang.String)>", from: base, to: result }
  - { method: "<java.lang.String: java.lang.String concat(java.lang.String)>", from: 0, to: result }
  - { method: "<java.lang.String: char[] toCharArray()>", from: base, to: result }
  - { method: "<java.lang.String: void <init>(char[])>", from: 0, to: base }
  - { method: "<java.lang.String: void getChars(int,int,char[],int)>", from: base, to: 2 }
  - { method: "<java.lang.String: java.lang.String format(java.lang.String,java.lang.Object[])>", from: "1[*]", to: result }
  - { method: "<java.lang.StringBuffer: void <init>(java.lang.String)>", from: 0, to: base }
  - { method: "<java.lang.StringBuffer: java.lang.StringBuffer append(java.lang.String)>", from: 0, to: base }
  - { method: "<java.lang.StringBuffer: java.lang.StringBuffer append(java.lang.String)>", from: 0, to: result }
  - { method: "<java.lang.StringBuffer: java.lang.StringBuffer append(java.lang.String)>", from: base, to: result }
  - { method: "<java.lang.StringBuffer: java.lang.String toString()>", from: base, to: result }
  - { method: "<java.lang.StringBuilder: void <init>(java.lang.String)>", from: 0, to: base }
  - { method: "<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>", from: 0, to: base }
  - { method: "<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>", from: 0, to: result }
  - { method: "<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>", from: base, to: result }
  - { method: "<java.lang.StringBuilder: java.lang.String toString()>", from: base, to: result }

call-site-mode: true
```
The expected output I wanted is a flow from getImageSec to readAllBytes. However, Tai-e didn't detect it. Could you tell me the reason? Thanks a lot.