Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Java: Add taint steps for InputStream wrappers #13772

Open
wants to merge 12 commits into
base: main
Choose a base branch
from

Conversation

atorralba
Copy link
Contributor

Adds taint steps for two situations:

  • When an anonymous instantiation of InputStream is tainted by a variable captured in its read(bytes[]) (and similar) methods, e.g.
InputStream in = source();
InputStream wrapper = new InputStream() {
    @Override
    public int read() throws IOException {
        return 0;
    }

    @Override
    public int read(byte[] b) throws IOException {
        return in.read(b);

    }
};
sink(wrapper);
  • When a subtype of InputStream is instantiated with a tainted InputStream that gets assigned to a class field, e.g.
static class MyStream extends InputStream {
    private InputStream wrapped;

    MyStream(InputStream wrapped) {
        this.wrapped = wrapped;
    }

    @Override
    public int read() throws IOException {
        return 0;
    }

    @Override
    public int read(byte[] b) throws IOException {
        return wrapped.read(b);
    }
}

public static void test() {
  InputStream src = source();
  InputStream wrapper1 = new MyStream(src);
  InputStream wrapper2 = new MyStream(wrapper1);
  InputStream wrapper3 = new MyStream(wrapper2);
  sink(wrapper3);
}

Note that this doesn't overlap with TaintTrackingUtils::inputStreamWrapper, because that predicate only affects InputStreams that are not from source.

These steps surfaced some weird virtual dispatch from InputStream.read method calls to unrelated implementations. #13769 improves precision in that regard.

@atorralba atorralba force-pushed the atorralba/java/inputstream-wrapper-read-step branch from 02de8bc to 8af5f86 Compare July 21, 2023 11:55
@aschackmull
Copy link
Contributor

One minor comment, otherwise this LGTM.

@aschackmull
Copy link
Contributor

Let's see what DCA has to say!

atorralba and others added 12 commits July 24, 2023 08:48
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
Note that this has FNs in the test cases where the source is used locally in the nested classes' methods
Note that this causes FP flow in the call context test cases
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
@atorralba atorralba force-pushed the atorralba/java/inputstream-wrapper-read-step branch from a5670d5 to 6c0d47f Compare July 24, 2023 06:49
@atorralba
Copy link
Contributor Author

Spot-checking DCA results, the only changes in alerts are "duplicated" paths for pre-existing alerts that had enough fieldFlowBranchLimit to keep track of taint through constructors and fields (and so this PR adds a new edge that bypasses them, creating a new path). It's not ideal, but I don't think we have a way of avoiding it, do we?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants