Skip to content

Java: model taint for java.util.Arrays #3894

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jul 8, 2020
Merged

Java: model taint for java.util.Arrays #3894

merged 5 commits into from
Jul 8, 2020

Conversation

aibaars
Copy link
Contributor

@aibaars aibaars commented Jul 3, 2020

This pull request model taint propagation for the methods of the java.util.Arrays class.

@aibaars aibaars requested a review from a team as a code owner July 3, 2020 15:17
Marcono1234
Marcono1234 reviewed Jul 3, 2020
View reviewed changes
java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll Outdated
or
method.getDeclaringType().hasQualifiedName("java.util", "Arrays") and
(
method.hasName(["copyOf", "copyOfRange", "deepToString", "spliterator", "stream", "toString"]) and
Copy link
Contributor

@Marcono1234 Marcono1234 Jul 3, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the general convention regarding Object.toString() of this project? It could be a taint step if it is overridden and includes the values of the fields of the object, but if it is not overridden or does not ouput the value of all fields or their values do not override toString() this would cause false positives.

So if this considers deepToString and toString as taint steps, Object.toString() should probably be considered as well.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's exclude "deepToString" and "toString" for now.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK

@Marcono1234 Marcono1234 mentioned this pull request Jul 3, 2020
Closed
aschackmull
aschackmull reviewed Jul 7, 2020
View reviewed changes
java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll Outdated
or
method.getDeclaringType().hasQualifiedName("java.util", "Arrays") and
(
method.hasName(["fill", "parallelPrefix", "parallelSetAll", "setAll"]) and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"parallelPrefix", "parallelSetAll", and "setAll" won't work like this. We have yet to set up a framework for data and taint flow in library methods designed to accept lambdas.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll remove them for now.

@aschackmull aschackmull merged commit c166fee into github:master Jul 8, 2020
@lcartey
Copy link
Contributor

lcartey commented Jul 9, 2020

@aibaars I think we're missing Arrays.toString from this list.

@aschackmull
Copy link
Contributor

@aibaars I think we're missing Arrays.toString from this list.

Has this sort of step come up? Including this suggests that we also include Object.toString() for all types, and I wasn't certain that was desirable? We currently only include this step for certain types, e.g. StringBuilder.toString().

@aibaars
Copy link
Contributor Author

aibaars commented Jul 9, 2020

@lcartey I got a little push back on toString in other places. Perhaps we should make an issue to track how/if we'd like to support toString without introducing too many false positives. Apart from Arrays.toString and deepToString there is also Object.toString, any map or collection toString, String.valueOf and probably many more.

@lcartey
Copy link
Contributor

lcartey commented Jul 9, 2020

@aschackmull I've seen this only in synthetic benchmarks so far. I do actually think Object.toString() is desirable, with certain caveats, but here we're talking about Arrays.toString(Object[] arg), which I think is a completely different API (these are static methods). We should be able to add this one without really introducing false positives.

@lcartey
Copy link
Contributor

lcartey commented Jul 9, 2020

Actually, on reflection, you're right - the cases are inextricably linked for arrays of Objects other than String, because it will call Object.toString. @aibaars suggested special casing String arrays, which I think would work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aschackmull aschackmull aschackmull approved these changes

+1 more reviewer

@Marcono1234 Marcono1234 Marcono1234 left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@aibaars @lcartey @aschackmull @Marcono1234