Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix OpcodeStack to handle propagation of taints properly in case of string concatenation in Java 11 and above #2195

Merged
merged 5 commits into from Oct 11, 2022
Merged

Fix OpcodeStack to handle propagation of taints properly in case of string concatenation in Java 11 and above #2195

merged 5 commits into from Oct 11, 2022

Conversation

baloghadamsoftware
Copy link
Contributor

Instead of using StringBuffer or StringBuilder internally, Java 11 and above uses a dynamic call to makeConcatWithConstants() to append strings. Previously, OpcodeStackDetector did not handle the taint propagation properly in case of this dyanamic call which led to false negative such as the one described in issue #2184. This PR fixes such issues by adding code to OpcodeStackDetector to handle this case as well.

Make sure these boxes are checked before submitting your PR -- thank you!

  • Added an entry into CHANGELOG.md if you have changed SpotBugs code

Ádám Balogh added 2 commits September 27, 2022 15:47
Test for Issue 2184
8c5e193
Fix OpcodeStack to handle propagation of taints properly in case of s…
6a6e870 
…tring concatenation in Java 9 and above

Instead of using StringBuffer or StringBuilder internally, Java 11 and above uses a dynamic call to makeConcatWithConstants() to append strings. Previously, `OpcodeStackDetector` did not handle the taint propagation properly in case of this dyanamic call which led to false negative such as the one described in issue [spotbugs#2184](spotbugs#2184). This PR fixes such issues by adding code to `OpcodeStackDetector` to handle this case as well.
@baloghadamsoftware
Copy link
Contributor Author

No false positives and no crashes on some open-source projects we used to test our PRs.

@baloghadamsoftware
Copy link
Contributor Author

A side remark: I put the tests into the java14 directory because the java11 requires modules to set up and I failed to put module javax.servlet.api there. Javac claims that is is missing. I also tried to put it as a Gradle dependency but still without success.

ThrawnCA
ThrawnCA previously approved these changes Sep 27, 2022
View reviewed changes
spotbugs/src/main/java/edu/umd/cs/findbugs/OpcodeStack.java Outdated
servletRequestParameterTainted = true;
}
Object sVal = i.getConstant();
if (sVal != null) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"if not...else" is a double negative, could refactor.

ThrawnCA
ThrawnCA previously approved these changes Oct 4, 2022
View reviewed changes
KengoTODA
KengoTODA approved these changes Oct 11, 2022
View reviewed changes
Copy link
Member

@KengoTODA KengoTODA left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed that new test fails on the commit 8c5e193. Thanks for your contribution!

@KengoTODA KengoTODA merged commit 77b7da7 into spotbugs:master Oct 11, 2022
@JuditKnoll JuditKnoll mentioned this pull request Sep 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@KengoTODA KengoTODA KengoTODA approved these changes

@ThrawnCA ThrawnCA ThrawnCA approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@baloghadamsoftware @KengoTODA @ThrawnCA