Closed XuHuo closed 2 months ago
aTaintCase0158 code:
```java
@PostMapping(value = "case0158")
public Map<String, Object> aTaintCase0158(@RequestParam String cmd) {
    Map<String, Object> modelMap = new HashMap<>();
    try {
        // The request parameter is overwritten with a constant before it
        // reaches the sink, so the tainted value never reaches exec().
        cmd = "ls";
        Runtime.getRuntime().exec(cmd);
        modelMap.put("status", "success");
    } catch (Exception e) {
        modelMap.put("status", "error");
    }
    return modelMap;
}
```
One scenario used to test risk release. For example, a detection engine that does not handle assignment operations will consider the taint propagation process of this case as follows: it will detect a vulnerability. But in reality, this assignment operation:
```java
cmd = "ls";
```
assigns the constant string "ls" to the variable cmd, which is equivalent to releasing the tainted variable cmd once; this falls under context-sensitive detection. So the actual propagation process is: In summary, for this case, the scanner may yield two types of results:
This case is designed to differentiate between these two scenarios.
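As an added illustration of the two outcomes described above (this is not code from the project or from the thread), here is a toy taint tracker over a constructed three-statement IR for case0158. It compares an engine that kills the taint on the constant assignment with one that ignores statement order and never kills taint; the IR statement forms are assumptions for the example.

```python
# Toy flow-sensitive vs. flow-insensitive taint check (constructed example).
# Statement forms in the constructed IR:
#   ("param", var)        var receives untrusted request input (taint source)
#   ("const", var, text)  var = "literal"  (overwrites, i.e. kills, the taint)
#   ("copy", dst, src)    dst = src        (propagates taint)
#   ("sink", var)         var reaches Runtime.exec (taint sink)

def flow_sensitive(stmts):
    """Walk statements in program order; a constant assignment removes the
    variable from the tainted set, so a later sink on it is not reported.
    Returns the indices of sink statements that receive tainted data."""
    tainted = set()
    findings = []
    for i, s in enumerate(stmts):
        op = s[0]
        if op == "param":
            tainted.add(s[1])
        elif op == "const":
            tainted.discard(s[1])          # the literal replaces the tainted value
        elif op == "copy":
            if s[2] in tainted:
                tainted.add(s[1])
            else:
                tainted.discard(s[1])
        elif op == "sink" and s[1] in tainted:
            findings.append(i)
    return findings


def flow_insensitive(stmts):
    """Ignores statement order and never kills taint: a variable that was ever
    a source (or copied from one) is reported at every sink it reaches.
    This is the engine behaviour that produces the false positive on case0158."""
    tainted = {s[1] for s in stmts if s[0] == "param"}
    changed = True
    while changed:                          # propagate through copies to a fixed point
        changed = False
        for s in stmts:
            if s[0] == "copy" and s[2] in tainted and s[1] not in tainted:
                tainted.add(s[1])
                changed = True
    return [i for i, s in enumerate(stmts) if s[0] == "sink" and s[1] in tainted]


# case0158 as written on the page: the parameter is overwritten before exec().
CASE0158 = [("param", "cmd"), ("const", "cmd", "ls"), ("sink", "cmd")]
# Constructed variant without the reassignment: a true positive.
CASE0158_NO_KILL = [("param", "cmd"), ("sink", "cmd")]

if __name__ == "__main__":
    print("flow-sensitive  :", flow_sensitive(CASE0158), flow_sensitive(CASE0158_NO_KILL))
    print("flow-insensitive:", flow_insensitive(CASE0158), flow_insensitive(CASE0158_NO_KILL))
```

The flow-sensitive pass reports nothing for case0158 but still flags the variant without the reassignment, which is the distinction the case is meant to exercise.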
Thank you for your answer. I understand now; this is a point that should not be reported. I made a mistake: I thought the "AstTaintCase001.java" file was filled with points that should be reported.
AstTaintCase001.java case0158