Skip to content

Commit

Permalink
Add test case for sanitizer of this variable
Browse files Browse the repository at this point in the history
  • Loading branch information
@silverbullettt
silverbullettt committed Jun 12, 2024
1 parent c65a7a4 commit 3aaeae9
Show file tree
Hide file tree
Showing 5 changed files with 42 additions and 19 deletions.
4 changes: 4 additions & 0 deletions src/test/resources/pta/taint/Sanitizer.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,8 @@ class Sanitizer {
static String sanitize(String input) {
return input;
}

Sanitizer sanitize() {
return this;
}
}
30 changes: 19 additions & 11 deletions src/test/resources/pta/taint/SimpleTaint-pta-expected.txt
View file
Original file line number Diff line number Diff line change
@@ -1,22 +1,30 @@
Points-to sets of all variables
[]:<Sanitizer: Sanitizer sanitize()>/%this -> [[]:NewObj{<SourceSink: Sanitizer sourceS()>[0@L13] new Sanitizer}]
[]:<Sanitizer: java.lang.String sanitize(java.lang.String)>/input -> [[]:MergedObj{<Merged java.lang.String>}]
[]:<Sanitizer: void <init>()>/%this -> [[]:NewObj{<SourceSink: Sanitizer sourceS()>[0@L13] new Sanitizer}]
[]:<SimpleTaint: void main(java.lang.String[])>/args -> [[]:EntryPointObj{alloc=MethodParam{<SimpleTaint: void main(java.lang.String[])>/0},type=java.lang.String[] in <SimpleTaint: void main(java.lang.String[])>}]
[]:<SimpleTaint: void main(java.lang.String[])>/s1 -> [[]:MergedObj{<Merged java.lang.String>}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}]
[]:<SimpleTaint: void main(java.lang.String[])>/s2 -> [[]:MergedObj{<Merged java.lang.String>}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}]
[]:<SimpleTaint: void main(java.lang.String[])>/s3 -> [[]:MergedObj{<Merged java.lang.String>}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}]
[]:<SimpleTaint: void main(java.lang.String[])>/s4 -> [[]:MergedObj{<Merged java.lang.String>}]
[]:<SimpleTaint: void main(java.lang.String[])>/s5 -> [[]:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])> [23@L18] s5 = <SourceSink: java.lang.String tainted1>,type=java.lang.String}]
[]:<SimpleTaint: void main(java.lang.String[])>/s6 -> []
[]:<SimpleTaint: void main(java.lang.String[])>/s7 -> [[]:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])> [29@L24] s7 = temp$5.<SourceSink: java.lang.String tainted2>,type=java.lang.String}]
[]:<SimpleTaint: void main(java.lang.String[])>/s4 -> [[]:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])> [20@L15] s4 = <SourceSink: java.lang.String tainted1>,type=java.lang.String}]
[]:<SimpleTaint: void main(java.lang.String[])>/s5 -> []
[]:<SimpleTaint: void main(java.lang.String[])>/s6 -> [[]:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])> [26@L21] s6 = temp$4.<SourceSink: java.lang.String tainted2>,type=java.lang.String}]
[]:<SimpleTaint: void main(java.lang.String[])>/s7 -> [[]:MergedObj{<Merged java.lang.String>}]
[]:<SimpleTaint: void main(java.lang.String[])>/s8 -> [[]:NewObj{<SourceSink: Sanitizer sourceS()>[0@L13] new Sanitizer}]
[]:<SimpleTaint: void main(java.lang.String[])>/temp$0 -> [[]:MergedObj{<Merged java.lang.String>}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}]
[]:<SimpleTaint: void main(java.lang.String[])>/temp$1 -> [[]:MergedObj{<Merged java.lang.String>}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}]
[]:<SimpleTaint: void main(java.lang.String[])>/temp$2 -> [[]:MergedObj{<Merged java.lang.String>}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}]
[]:<SimpleTaint: void main(java.lang.String[])>/temp$3 -> [[]:MergedObj{<Merged java.lang.String>}]
[]:<SimpleTaint: void main(java.lang.String[])>/temp$4 -> [[]:MergedObj{<Merged java.lang.String>}]
[]:<SimpleTaint: void main(java.lang.String[])>/temp$5 -> [[]:NewObj{<SimpleTaint: void main(java.lang.String[])>[27@L24] new SourceSink}]
[]:<SimpleTaint: void main(java.lang.String[])>/temp$4 -> [[]:NewObj{<SimpleTaint: void main(java.lang.String[])>[24@L21] new SourceSink}]
[]:<SimpleTaint: void main(java.lang.String[])>/temp$5 -> [[]:MergedObj{<Merged java.lang.String>}]
[]:<SimpleTaint: void main(java.lang.String[])>/temp$6 -> [[]:NewObj{<SourceSink: Sanitizer sourceS()>[0@L13] new Sanitizer}]
[]:<SimpleTaint: void main(java.lang.String[])>/temp$7 -> [[]:NewObj{<SourceSink: Sanitizer sourceS()>[0@L13] new Sanitizer}]
[]:<SourceSink: Sanitizer sourceS()>/temp$0 -> [[]:NewObj{<SourceSink: Sanitizer sourceS()>[0@L13] new Sanitizer}]
[]:<SourceSink: java.lang.String source()>/temp$0 -> [[]:MergedObj{<Merged java.lang.String>}]
[]:<SourceSink: void <init>()>/%this -> [[]:NewObj{<SimpleTaint: void main(java.lang.String[])>[27@L24] new SourceSink}]
[]:<SourceSink: void sink(java.lang.String)>/s -> [[]:MergedObj{<Merged java.lang.String>}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])> [23@L18] s5 = <SourceSink: java.lang.String tainted1>,type=java.lang.String}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])> [29@L24] s7 = temp$5.<SourceSink: java.lang.String tainted2>,type=java.lang.String}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}]
[]:<SourceSink: void <init>()>/%this -> [[]:NewObj{<SimpleTaint: void main(java.lang.String[])>[24@L21] new SourceSink}]
[]:<SourceSink: void sink(Sanitizer)>/s -> [[]:NewObj{<SourceSink: Sanitizer sourceS()>[0@L13] new Sanitizer}]
[]:<SourceSink: void sink(java.lang.String)>/s -> [[]:MergedObj{<Merged java.lang.String>}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])> [20@L15] s4 = <SourceSink: java.lang.String tainted1>,type=java.lang.String}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])> [26@L21] s6 = temp$4.<SourceSink: java.lang.String tainted2>,type=java.lang.String}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}]
[]:<SourceSink: void sink(java.lang.String,int)>/n -> []
[]:<SourceSink: void sink(java.lang.String,int)>/s -> [[]:MergedObj{<Merged java.lang.String>}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}]
[]:<SourceSink: void sink(java.lang.String,java.lang.String)>/s1 -> [[]:MergedObj{<Merged java.lang.String>}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}, []:TaintObj{alloc=<SimpleTaint: void main(java.lang.String[])>[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}]
[]:<SourceSink: void sink(java.lang.String,java.lang.String)>/s2 -> [[]:MergedObj{<Merged java.lang.String>}]
Expand All @@ -26,7 +34,7 @@ Points-to sets of all static fields
<SourceSink: java.lang.String untainted> -> []

Points-to sets of all instance fields
[]:NewObj{<SimpleTaint: void main(java.lang.String[])>[27@L24] new SourceSink}.tainted2 -> []
[]:NewObj{<SimpleTaint: void main(java.lang.String[])>[24@L21] new SourceSink}.tainted2 -> []

Points-to sets of all array indexes
[]:EntryPointObj{alloc=MethodParam{<SimpleTaint: void main(java.lang.String[])>/0},type=java.lang.String[] in <SimpleTaint: void main(java.lang.String[])>}[*] -> [[]:EntryPointObj{alloc=MethodParam{<SimpleTaint: void main(java.lang.String[])>/0}[*],type=java.lang.String in <SimpleTaint: void main(java.lang.String[])>}]
Expand All @@ -36,6 +44,6 @@ TaintFlow{<SimpleTaint: void main(java.lang.String[])>[0@L4] temp$0 = invokestat
TaintFlow{<SimpleTaint: void main(java.lang.String[])>[0@L4] temp$0 = invokestatic SourceSink.source()/result -> <SimpleTaint: void main(java.lang.String[])>[16@L11] invokestatic SourceSink.sink(s3, %intconst0)/0}
TaintFlow{<SimpleTaint: void main(java.lang.String[])>[3@L7] temp$1 = invokestatic SourceSink.source()/result -> <SimpleTaint: void main(java.lang.String[])>[5@L8] invokestatic SourceSink.sink(s2)/0}
TaintFlow{<SimpleTaint: void main(java.lang.String[])>[3@L7] temp$1 = invokestatic SourceSink.source()/result -> <SimpleTaint: void main(java.lang.String[])>[16@L11] invokestatic SourceSink.sink(s3, %intconst0)/0}
TaintFlow{<SimpleTaint: void main(java.lang.String[])> [23@L18] s5 = <SourceSink: java.lang.String tainted1> -> <SimpleTaint: void main(java.lang.String[])>[24@L19] invokestatic SourceSink.sink(s5)/0}
TaintFlow{<SimpleTaint: void main(java.lang.String[])> [29@L24] s7 = temp$5.<SourceSink: java.lang.String tainted2> -> <SimpleTaint: void main(java.lang.String[])>[30@L25] invokestatic SourceSink.sink(s7)/0}
TaintFlow{<SimpleTaint: void main(java.lang.String[])> [20@L15] s4 = <SourceSink: java.lang.String tainted1> -> <SimpleTaint: void main(java.lang.String[])>[21@L16] invokestatic SourceSink.sink(s4)/0}
TaintFlow{<SimpleTaint: void main(java.lang.String[])> [26@L21] s6 = temp$4.<SourceSink: java.lang.String tainted2> -> <SimpleTaint: void main(java.lang.String[])>[27@L22] invokestatic SourceSink.sink(s6)/0}

19 changes: 11 additions & 8 deletions src/test/resources/pta/taint/SimpleTaint.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,16 +12,19 @@ public static void main(String[] args) {

SourceSink.sink(s3, new String()); // no taint

String s4 = Sanitizer.sanitize(s1);
SourceSink.sink(s4); // no taint
String s4 = SourceSink.tainted1;
SourceSink.sink(s4); // taint

String s5 = SourceSink.tainted1;
SourceSink.sink(s5); // taint
String s5 = SourceSink.untainted;
SourceSink.sink(s5); // no taint

String s6 = SourceSink.untainted;
SourceSink.sink(s6); // no taint
String s6 = new SourceSink().tainted2;
SourceSink.sink(s6); // taint

String s7 = new SourceSink().tainted2;
SourceSink.sink(s7); // taint
String s7 = Sanitizer.sanitize(s1);
SourceSink.sink(s7); // no taint

Sanitizer s8 = SourceSink.sourceS();
SourceSink.sink(s8.sanitize()); // no taint
}
}
7 changes: 7 additions & 0 deletions src/test/resources/pta/taint/SourceSink.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,10 @@ static String source() {
return new String();
}

static Sanitizer sourceS() {
return new Sanitizer();
}

static void sink(String s) {
}

Expand All @@ -19,6 +23,9 @@ static void sink(String s, int n) {
static void sink(String s1, String s2) {
}

static void sink(Sanitizer s) {
}

static String sourceAndSink(String s1, String s2) {
return new String();
}
Expand Down
1 change: 1 addition & 0 deletions src/test/resources/pta/taint/taint-config.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,3 +25,4 @@ transfers:

sanitizers:
- { kind: param, method: "<Sanitizer: java.lang.String sanitize(java.lang.String)>", index: 0 }
- { kind: param, method: "<Sanitizer: Sanitizer sanitize()>", index: base }

0 comments on commit 3aaeae9

Please sign in to comment.