
@manuel-alvarez-alvarez (Member) commented Sep 27, 2022

What Does This Do

Adds all the instrumentation needed to perform taint tracking in the tracer for common string operations.

Motivation

IAST requires tracking all modifications that happen to strings in the code; this PR uses CSI to instrument the most common string operations.

Additional Notes

Future PRs will complete the support with other operations and classes.

@smola smola added the comp: asm iast Application Security Management (IAST) label Sep 27, 2022
@manuel-alvarez-alvarez manuel-alvarez-alvarez added the tag: no release notes Changes to exclude from release notes label Sep 27, 2022
@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the title Malvarez/string builder taint tracking String builder taint tracking Sep 28, 2022
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/string-builder-taint-tracking branch 4 times, most recently from 8ef9993 to be1472a Compare September 30, 2022 15:31
@manuel-alvarez-alvarez manuel-alvarez-alvarez added the tag: do not merge Do not merge changes label Oct 3, 2022
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/string-builder-taint-tracking branch 6 times, most recently from 13140d4 to 74191bd Compare October 6, 2022 10:55
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/string-builder-taint-tracking branch from 74191bd to 5fd71b3 Compare October 10, 2022 09:39
@manuel-alvarez-alvarez manuel-alvarez-alvarez marked this pull request as ready for review October 10, 2022 09:43
@manuel-alvarez-alvarez manuel-alvarez-alvarez requested a review from a team October 10, 2022 09:43
@manuel-alvarez-alvarez manuel-alvarez-alvarez requested a review from a team as a code owner October 10, 2022 09:43
@manuel-alvarez-alvarez manuel-alvarez-alvarez removed the tag: do not merge Do not merge changes label Oct 10, 2022
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/string-builder-taint-tracking branch 2 times, most recently from cda5a8a to 4c87cbc Compare October 10, 2022 11:38
@jandro996 (Member) commented Oct 11, 2022

Maybe we must discuss if we have to instrument these methods that are not available in this PR:

append(char[])

append(char[] str, int offset, int len)

append(CharSequence s, int start, int end)

@manuel-alvarez-alvarez (Member, Author) replied

Maybe we must discuss if we have to instrument these methods that are not available in this PR:

append(char[])

append(char[] str, int offset, int len)

append(CharSequence s, int start, int end)

Yep, we should create new JIRAs for them.
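The three overloads raised above copy only part of their argument, so a taint range attached to the source cannot simply be re-attached to the builder: it has to be clipped to the copied slice and shifted to the builder's current length. The following is an added illustration of that bookkeeping, not the tracer's own code; the `Range`/`TaintedStringBuilder` types and the `"http.request.parameter"` label are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;

// Illustrative taint model (not the tracer's own types): a tainted range covers
// [start, start + length) of the builder's current contents and remembers its source.
final class TaintedStringBuilder {
    static final class Range {
        final int start, length; final String source;
        Range(int start, int length, String source) { this.start = start; this.length = length; this.source = source; }
        @Override public String toString() { return source + "@[" + start + "," + (start + length) + ")"; }
    }

    private final StringBuilder sb = new StringBuilder();
    private final List<Range> ranges = new ArrayList<>();

    // append(CharSequence s, int start, int end): only s[start, end) is copied, so each
    // range on s is clipped to that slice and shifted to where the slice lands in sb.
    TaintedStringBuilder append(CharSequence s, List<Range> sRanges, int start, int end) {
        int base = sb.length();
        for (Range r : sRanges) {
            int lo = Math.max(r.start, start), hi = Math.min(r.start + r.length, end);
            if (lo < hi) ranges.add(new Range(base + (lo - start), hi - lo, r.source));
        }
        sb.append(s, start, end);
        return this;
    }

    // append(char[] str, int offset, int len) is the same clipping problem with a
    // different signature; append(char[]) is the offset = 0, len = str.length case.
    TaintedStringBuilder append(char[] str, List<Range> strRanges, int offset, int len) {
        return append(new String(str), strRanges, offset, offset + len);
    }

    TaintedStringBuilder append(char[] str, List<Range> strRanges) {
        return append(str, strRanges, 0, str.length);
    }

    List<Range> ranges() { return ranges; }
    @Override public String toString() { return sb.toString(); }

    public static void main(String[] args) {
        // Constructed input: "user=bob&x", where "bob" (positions 5..8) came from a request parameter.
        String input = "user=bob&x";
        List<Range> inRanges = List.of(new Range(5, 3, "http.request.parameter"));
        TaintedStringBuilder t = new TaintedStringBuilder()
            .append("Hello, ".toCharArray(), List.of())   // untainted literal
            .append(input, inRanges, 5, 8)               // copies only "bob"; range shifts to [7,10)
            .append("!".toCharArray(), List.of(), 0, 1);
        System.out.println(t + "  " + t.ranges());
    }
}
```

Dropping the range instead (the behaviour of an uninstrumented overload) would leave the tainted bytes in the final string without any source attached, which is exactly the gap the comment above is pointing at.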

@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/string-builder-taint-tracking branch from 4c87cbc to 542efb2 Compare October 11, 2022 10:37
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/string-builder-taint-tracking branch 3 times, most recently from 73668b4 to 96a496a Compare October 18, 2022 08:08
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/string-builder-taint-tracking branch 2 times, most recently from 42cede2 to bae3cac Compare October 21, 2022 08:17
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/string-builder-taint-tracking branch 4 times, most recently from 7e80c3e to 376bc40 Compare October 31, 2022 15:21
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/string-builder-taint-tracking branch from 376bc40 to 314c928 Compare November 9, 2022 16:44
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/string-builder-taint-tracking branch from 24c275e to b77d278 Compare November 14, 2022 11:33
@smola smola merged commit e128595 into master Nov 16, 2022
@smola smola deleted the malvarez/string-builder-taint-tracking branch November 16, 2022 13:58
@github-actions github-actions bot added this to the 1.1.0 milestone Nov 16, 2022
@bantonsson bantonsson modified the milestones: 1.0.1, 1.1.0 Nov 17, 2022