Merge pull request #690 from oxeye-gal/invokedynamic-workaround

Adding workaround for JDK > 8 invokedynamic tainting

findsecbugs-plugin/src/main/java/com/h3xstream/findsecbugs/FindSecBugsGlobalConfig.java

@@ -32,6 +32,7 @@ public class FindSecBugsGlobalConfig {
     private boolean debugPrintInstructionVisited = false;
     private boolean debugPrintInvocationVisited = false;
     private boolean debugTaintState = false;
+    private boolean workaroundVisitInvokeDynamic = false;
     private boolean verboseLocationReport = false;
 
     // set through SystemProperties
@@ -48,6 +49,7 @@ protected FindSecBugsGlobalConfig() {
         taintedMainArgument = Boolean.parseBoolean(loadFromSystem("findsecbugs.taint.taintedmainargument", Boolean.TRUE.toString()));
         reportPotentialXssWrongContext = Boolean.parseBoolean(loadFromSystem("findsecbugs.taint.reportpotentialxsswrongcontext", Boolean.FALSE.toString()));
         debugTaintState = Boolean.parseBoolean(loadFromSystem("findsecbugs.taint.debugtaintstate", Boolean.FALSE.toString()));
+        workaroundVisitInvokeDynamic = Boolean.parseBoolean(loadFromSystem("findsecbugs.taint.workaroundvisitinvokedynamic", Boolean.FALSE.toString()));
         verboseLocationReport = Boolean.parseBoolean(loadFromSystem("findsecbugs.taint.verboselocationreport", Boolean.FALSE.toString()));
     }
 
@@ -96,6 +98,11 @@ public boolean isDebugOutputTaintConfigs() {
         return debugOutputTaintConfigs;
     }
 
+
+    public boolean isWorkaroundVisitInvokeDynamic() {
+        return workaroundVisitInvokeDynamic;
+    }
+
     public boolean isVerboseLocationReport() {
         return verboseLocationReport;
     }

findsecbugs-plugin/src/main/java/com/h3xstream/findsecbugs/taintanalysis/TaintConfig.java

@@ -216,6 +216,12 @@ private boolean isFieldType(String typeSignature) {
         return typeSignature != null && typeSignature.length() > 2 && typeSignature.charAt(0) != 'L';
     }
 
+    public int getMethodIdParamCount(String methodId) {
+        String signature = methodId.substring(methodId.indexOf("("), methodId.length());
+        SignatureParser p = new SignatureParser(signature);
+        return p.getNumParameters();
+    }
+
     public TaintMethodConfig getMethodConfig(TaintFrame frame, MethodDescriptor methodDescriptor, String className, String methodId) {
         TaintMethodConfig taintMethodConfig = getTaintMethodConfigWithArgumentsAndLocation(frame, methodDescriptor, className, methodId);
 
@@ -227,6 +233,17 @@ public TaintMethodConfig getMethodConfig(TaintFrame frame, MethodDescriptor meth
             taintMethodConfig = getSuperMethodConfig(className, methodId);
         }
 
+        if (taintMethodConfig == null && methodId.indexOf("makeConcatWithConstants") > 0) {
+            taintMethodConfig = new TaintMethodConfig(true);
+            Taint t = new Taint(Taint.State.UNKNOWN);
+            int paramCount = getMethodIdParamCount(methodId);
+            for(int i=0; i < paramCount; i++) {
+                t.addParameter(i);
+            }
+            taintMethodConfig.setOuputTaint(t);
+            taintMethodConfig.addMutableStackIndex(1);
+        }
+
         return taintMethodConfig;
     }
 

findsecbugs-plugin/src/main/java/com/h3xstream/findsecbugs/taintanalysis/TaintFrameModelingVisitor.java

@@ -398,6 +398,14 @@ public void visitINVOKEVIRTUAL(INVOKEVIRTUAL obj) {
         visitInvoke(obj);
     }
 
+    @Override
+    public void visitINVOKEDYNAMIC(INVOKEDYNAMIC obj) {
+        if(FindSecBugsGlobalConfig.getInstance().isWorkaroundVisitInvokeDynamic()) {
+            visitInvoke(obj);
+        } else {
+            handleNormalInstruction(obj);
+        }
+    }
     @Override
     public void visitANEWARRAY(ANEWARRAY obj) {
         try {