search

SAP / project-fontus

Dynamic tainting framework for Java applications leveraging on-the-fly bytecode rewriting.
Apache License 2.0
6 stars 2 forks source link

Fontus does not taint record classes #30

Closed leeN closed 2 weeks ago

leeN commented 2 weeks ago

Java 15+ has the Record class feature, which allows the creation of concise objects with default implementations of the standard methods.

The code would look like this, for example: 

public record Person (String name, String address) {}

This creates a class Person, inheriting from java.lang.Record. The compiler automatically generates accessor methods for the fields (i.e., name and address) and the default methods of Object, i.e., equals, hashcode, and toString. These are implemented as invokedynamic calls to java/lang/runtime/ObjectMethods.bootstrap. The bootstrap method seems sufficient straightforward.

The toString one seems to be the only problematic of the three, especially as we do some hacky stuff around toString by having two of them, which differ in the descriptor only.

leeN commented 2 weeks ago

Should be fixed with fe9259b475c8b4ba27d8868ce7baa81ba71b2ac3.