From 3aaeae986fb4a04b7c1daf062b407d826f779918 Mon Sep 17 00:00:00 2001 From: Tian Tan Date: Wed, 12 Jun 2024 21:20:11 +0800 Subject: [PATCH] Add test case for sanitizer of this variable --- src/test/resources/pta/taint/Sanitizer.java | 4 +++ .../pta/taint/SimpleTaint-pta-expected.txt | 30 ++++++++++++------- src/test/resources/pta/taint/SimpleTaint.java | 19 +++++++----- src/test/resources/pta/taint/SourceSink.java | 7 +++++ src/test/resources/pta/taint/taint-config.yml | 1 + 5 files changed, 42 insertions(+), 19 deletions(-) diff --git a/src/test/resources/pta/taint/Sanitizer.java b/src/test/resources/pta/taint/Sanitizer.java index 62730632e..b792b7e04 100644 --- a/src/test/resources/pta/taint/Sanitizer.java +++ b/src/test/resources/pta/taint/Sanitizer.java @@ -3,4 +3,8 @@ class Sanitizer { static String sanitize(String input) { return input; } + + Sanitizer sanitize() { + return this; + } } diff --git a/src/test/resources/pta/taint/SimpleTaint-pta-expected.txt b/src/test/resources/pta/taint/SimpleTaint-pta-expected.txt index 7f5176041..6cadff645 100644 --- a/src/test/resources/pta/taint/SimpleTaint-pta-expected.txt +++ b/src/test/resources/pta/taint/SimpleTaint-pta-expected.txt 
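Review bot: The new instance method `Sanitizer sanitize()` in Sanitizer.java shares its name with the static `sanitize(String)` above it, and nothing in the class says the two are sanitized at different positions. The taint-config.yml change in this commit registers a sanitizer with `index: base`, which presumably targets this overload. A one-line comment such as `// sanitized on the receiver (index: base in taint-config.yml); returns this` would let a reader tell the two fixtures apart without opening the config. A distinct method name would also stop the two config entries from differing only in their signature string.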
@@ -1,22 +1,30 @@ Points-to sets of all variables +[]:/%this -> [[]:NewObj{[0@L13] new Sanitizer}] []:/input -> [[]:MergedObj{}] +[]:()>/%this -> [[]:NewObj{[0@L13] new Sanitizer}] []:/args -> [[]:EntryPointObj{alloc=MethodParam{/0},type=java.lang.String[] in }] []:/s1 -> [[]:MergedObj{}, []:TaintObj{alloc=[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}] []:/s2 -> [[]:MergedObj{}, []:TaintObj{alloc=[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}] []:/s3 -> [[]:MergedObj{}, []:TaintObj{alloc=[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}, []:TaintObj{alloc=[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}] -[]:/s4 -> [[]:MergedObj{}] -[]:/s5 -> [[]:TaintObj{alloc= [23@L18] s5 = ,type=java.lang.String}] -[]:/s6 -> [] -[]:/s7 -> [[]:TaintObj{alloc= [29@L24] s7 = temp$5.,type=java.lang.String}] +[]:/s4 -> [[]:TaintObj{alloc= [20@L15] s4 = ,type=java.lang.String}] +[]:/s5 -> [] +[]:/s6 -> [[]:TaintObj{alloc= [26@L21] s6 = temp$4.,type=java.lang.String}] +[]:/s7 -> [[]:MergedObj{}] +[]:/s8 -> [[]:NewObj{[0@L13] new Sanitizer}] []:/temp$0 -> [[]:MergedObj{}, []:TaintObj{alloc=[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}] []:/temp$1 -> [[]:MergedObj{}, []:TaintObj{alloc=[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}] []:/temp$2 -> [[]:MergedObj{}, []:TaintObj{alloc=[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}, []:TaintObj{alloc=[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}] []:/temp$3 -> [[]:MergedObj{}] -[]:/temp$4 -> [[]:MergedObj{}] -[]:/temp$5 -> [[]:NewObj{[27@L24] new SourceSink}] +[]:/temp$4 -> [[]:NewObj{[24@L21] new SourceSink}] +[]:/temp$5 -> [[]:MergedObj{}] +[]:/temp$6 -> [[]:NewObj{[0@L13] new Sanitizer}] +[]:/temp$7 -> [[]:NewObj{[0@L13] new Sanitizer}] +[]:/temp$0 -> [[]:NewObj{[0@L13] new Sanitizer}] 
[]:/temp$0 -> [[]:MergedObj{}] -[]:()>/%this -> [[]:NewObj{[27@L24] new SourceSink}] -[]:/s -> [[]:MergedObj{}, []:TaintObj{alloc= [23@L18] s5 = ,type=java.lang.String}, []:TaintObj{alloc= [29@L24] s7 = temp$5.,type=java.lang.String}, []:TaintObj{alloc=[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}, []:TaintObj{alloc=[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}] +[]:()>/%this -> [[]:NewObj{[24@L21] new SourceSink}] +[]:/s -> [[]:NewObj{[0@L13] new Sanitizer}] +[]:/s -> [[]:MergedObj{}, []:TaintObj{alloc= [20@L15] s4 = ,type=java.lang.String}, []:TaintObj{alloc= [26@L21] s6 = temp$4.,type=java.lang.String}, []:TaintObj{alloc=[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}, []:TaintObj{alloc=[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}] +[]:/n -> [] []:/s -> [[]:MergedObj{}, []:TaintObj{alloc=[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}, []:TaintObj{alloc=[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}] []:/s1 -> [[]:MergedObj{}, []:TaintObj{alloc=[0@L4] temp$0 = invokestatic SourceSink.source()/result,type=java.lang.String}, []:TaintObj{alloc=[3@L7] temp$1 = invokestatic SourceSink.source()/result,type=java.lang.String}] []:/s2 -> [[]:MergedObj{}] @@ -26,7 +34,7 @@ Points-to sets of all static fields -> [] Points-to sets of all instance fields -[]:NewObj{[27@L24] new SourceSink}.tainted2 -> [] +[]:NewObj{[24@L21] new SourceSink}.tainted2 -> [] Points-to sets of all array indexes []:EntryPointObj{alloc=MethodParam{/0},type=java.lang.String[] in }[*] -> [[]:EntryPointObj{alloc=MethodParam{/0}[*],type=java.lang.String in }] 
@@ -36,6 +44,6 @@ TaintFlow{[0@L4] temp$0 = invokestat TaintFlow{[0@L4] temp$0 = invokestatic SourceSink.source()/result -> [16@L11] invokestatic SourceSink.sink(s3, %intconst0)/0} TaintFlow{[3@L7] temp$1 = invokestatic SourceSink.source()/result -> [5@L8] invokestatic SourceSink.sink(s2)/0} TaintFlow{[3@L7] temp$1 = invokestatic SourceSink.source()/result -> [16@L11] invokestatic SourceSink.sink(s3, %intconst0)/0} -TaintFlow{ [23@L18] s5 = -> [24@L19] invokestatic SourceSink.sink(s5)/0} -TaintFlow{ [29@L24] s7 = temp$5. -> [30@L25] invokestatic SourceSink.sink(s7)/0} +TaintFlow{ [20@L15] s4 = -> [21@L16] invokestatic SourceSink.sink(s4)/0} +TaintFlow{ [26@L21] s6 = temp$4. -> [27@L22] invokestatic SourceSink.sink(s6)/0} diff --git a/src/test/resources/pta/taint/SimpleTaint.java b/src/test/resources/pta/taint/SimpleTaint.java index d016e1572..074ef3b3c 100644 --- a/src/test/resources/pta/taint/SimpleTaint.java +++ b/src/test/resources/pta/taint/SimpleTaint.java @@ -12,16 +12,19 @@ public static void main(String[] args) { SourceSink.sink(s3, new String()); // no taint - String s4 = Sanitizer.sanitize(s1); - SourceSink.sink(s4); // no taint + String s4 = SourceSink.tainted1; + SourceSink.sink(s4); // taint - String s5 = SourceSink.tainted1; - SourceSink.sink(s5); // taint + String s5 = SourceSink.untainted; + SourceSink.sink(s5); // no taint - String s6 = SourceSink.untainted; - SourceSink.sink(s6); // no taint + String s6 = new SourceSink().tainted2; + SourceSink.sink(s6); // taint - String s7 = new SourceSink().tainted2; - SourceSink.sink(s7); // taint + String s7 = Sanitizer.sanitize(s1); + SourceSink.sink(s7); // no taint + + Sanitizer s8 = SourceSink.sourceS(); + SourceSink.sink(s8.sanitize()); // no taint } } diff --git a/src/test/resources/pta/taint/SourceSink.java b/src/test/resources/pta/taint/SourceSink.java index cd0f64b61..0f23d7b63 100644 --- a/src/test/resources/pta/taint/SourceSink.java +++ b/src/test/resources/pta/taint/SourceSink.java 
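Review bot: The `s8` case added at the end of `main` in SimpleTaint.java looks like it passes without the sanitizer doing any work. The commit adds only the sanitizer line to taint-config.yml, and the updated expected points-to set for `s8` holds just the `new Sanitizer` object with no TaintObj, which suggests `SourceSink.sourceS()` is not registered as a source and `sink(Sanitizer)` is not registered as a sink (the rest of the config is outside this patch, so confirm). If so, `// no taint` holds trivially, and a regression that stops clearing taint on the receiver would go unnoticed as a missed flow. Registering both methods in the config and adding a positive control before the sanitized call, `SourceSink.sink(s8); // taint`, would make the test fail when base sanitization breaks. `main` starts outside the hunk; the same gap applies to the SourceSink.java and taint-config.yml hunks.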
@@ -10,6 +10,10 @@ static String source() { return new String(); } + static Sanitizer sourceS() { + return new Sanitizer(); + } + static void sink(String s) { } @@ -19,6 +23,9 @@ static void sink(String s, int n) { static void sink(String s1, String s2) { } + static void sink(Sanitizer s) { + } + static String sourceAndSink(String s1, String s2) { return new String(); } diff --git a/src/test/resources/pta/taint/taint-config.yml b/src/test/resources/pta/taint/taint-config.yml index 5a836654b..b30fe9e01 100644 --- a/src/test/resources/pta/taint/taint-config.yml +++ b/src/test/resources/pta/taint/taint-config.yml @@ -25,3 +25,4 @@ transfers: sanitizers: - { kind: param, method: "", index: 0 } + - { kind: param, method: "", index: base }