False negative PT_RELATIVE_PATH_TRAVERSAL for Java 11 and higher #2184
baloghadamsoftware pushed a commit to baloghadamsoftware/spotbugs that referenced this issue, Sep 27, 2022
…tring concatenation in Java 9 and above

Instead of using StringBuffer or StringBuilder internally, Java 11 and above uses a dynamic call to makeConcatWithConstants() to append strings. Previously, `OpcodeStackDetector` did not handle the taint propagation properly in case of this dynamic call, which led to false negatives such as the one described in issue [spotbugs#2184](spotbugs#2184). This PR fixes such issues by adding code to `OpcodeStackDetector` to handle this case as well.
KengoTODA added a commit that referenced this issue, Oct 11, 2022
…tring concatenation in Java 11 and above (#2195)

* Test for Issue 2184
* Fix OpcodeStack to handle propagation of taints properly in case of string concatenation in Java 9 and above

  Instead of using StringBuffer or StringBuilder internally, Java 11 and above uses a dynamic call to makeConcatWithConstants() to append strings. Previously, `OpcodeStackDetector` did not handle the taint propagation properly in case of this dynamic call, which led to false negatives such as the one described in issue [#2184](#2184). This PR fixes such issues by adding code to `OpcodeStackDetector` to handle this case as well.
* Refactored double negatives

Co-authored-by: Kengo TODA <skypencil@gmail.com>
It seems like this one is solved by #2195.
Given the following code (from bugIdeas.Ideas_2010_12_06.java):
In Java 8 this translates to bytecode:
The bug is caught by the `CrossSiteScripting` detector. However, in Java 11 the byte code is totally different:
Therefore, the bug is missed by the detector.
The reason for the issue is exactly the same as for #2182 and #2183, but in another detector.
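The two concatenation shapes this issue contrasts, written out as an added example (not the code from the issue and not SpotBugs code). The class, method names and sample values are hypothetical, and the `invokedynamic` call site is built by hand so the `makeConcatWithConstants()` bootstrap is visible in source.

```java
import java.lang.invoke.CallSite;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.invoke.StringConcatFactory;

// Added illustration; class and method names are hypothetical. Requires Java 9+.
public class ConcatShapes {

    // Shape javac emits for base + "/" + name when targeting Java 8:
    // new StringBuilder, one append() per operand, then toString().
    // A stack-based analysis can carry taint through each append() call.
    static String java8Shape(String base, String name) {
        return new StringBuilder().append(base).append("/").append(name).toString();
    }

    // Shape described in the commit message for newer Java versions: a single
    // dynamic call bootstrapped by StringConcatFactory.makeConcatWithConstants.
    // The recipe marks each dynamic operand with the character U+0001 and
    // inlines literals, so there is no append() chain to follow.
    static String indyShape(String base, String name) throws Throwable {
        CallSite site = StringConcatFactory.makeConcatWithConstants(
                MethodHandles.lookup(),
                "makeConcatWithConstants",
                MethodType.methodType(String.class, String.class, String.class),
                "\u0001/\u0001");
        return (String) site.dynamicInvoker().invokeExact(base, name);
    }

    public static void main(String[] args) throws Throwable {
        String base = "/var/app/files";      // constructed sample value
        String name = "../other/report.txt"; // constructed stand-in for request input
        String a = java8Shape(base, name);
        String b = indyShape(base, name);
        // Both shapes yield the same string, so an analysis has to treat the
        // result of the dynamic call as tainted if any dynamic operand is.
        System.out.println(a);
        System.out.println(b);
        System.out.println("same result: " + a.equals(b));
    }
}
```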