How to configure a result[*] rule for an array return type in taint analysis
Closed this issue · 0 comments
Raul1718 commented
Description
Hi,
When I test some cases where the return type is an array and the method acts as a transfer, such as String.split, I am unsure how to configure the rule correctly.
My test sample:
class ArgToResultStringSplit {
    public static void main(String[] args) {
        String taint = SourceSink.source();
        String[] taints = taint.split(",");
        String s2 = taints[1]; // no taint now!
        SourceSink.sink(s2); // taint
    }
}
The transfer rule is configured as below.
- { method: "<java.lang.String: java.lang.String[] split(java.lang.String)>", from: base, to: result, type: "java.lang.String[]" }
This could transfer taint to "String[] taints", but var s2 is not tainted after getting taints[1].
or
- { method: "<java.lang.String: java.lang.String[] split(java.lang.String)>", from: base, to: "result[*]", type: "java.lang.String[]" }
I also tested this, but it could not transfer taint to "String[] taints".
Could you provide guidance on how to configure the rule correctly to detect this ArgToResultStringSplit case?
Thanks!