facebook / mariana-trench

A security focused static analysis tool for Android and Java applications.
https://mariana-tren.ch/
MIT License

[Test][FP] TaintTransform on Args #134

Closed the-storm closed 1 year ago

the-storm commented 1 year ago

Summary

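Minimal test showing an FP on Transform for the following piece of code:

void test_fp() {
    // Taint the object from the source.
    Object source = Origin.source();
    // Apply the T1 transform on the argument.
    transformT1OnArg(source);
    // Pass the same object to the sink.
    Origin.sink(source);
}

Expected to see only one flow, which is Source -> T1 -> Sink.

Actual: 2 flows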

arthaud commented 1 year ago

Discussed this offline. This is the expected outcome and not a false positive, since propagations are applied with "weak" updates by default, which means the resulting taint after a method call is the original taint joined with the effect of propagations. In this example, that means we end up with 2 flows: one with the transform and one without the transform. You could use the mode strong-write-on-propagation on transformT1OnArg to avoid this, but be careful as this could lead to false negatives.
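
The weak versus strong update behaviour described in the reply above, as an added example that is not part of the original thread and is not Mariana Trench's own code. It is a simplified Python model of the test_fp case; the names Frame, State, apply_arg_propagation, flows_to_sink and analyze_test_fp are hypothetical, and representing taint as a set of (source kind, transform chain) pairs joined by set union is an assumption made for illustration.

```python
# Toy model of taint propagation on a call argument (not Mariana Trench code).
# A taint "frame" is (source_kind, transforms_applied); a state maps each
# variable to a set of frames, and set union plays the role of the join.
from typing import Dict, FrozenSet, Set, Tuple

Frame = Tuple[str, Tuple[str, ...]]
State = Dict[str, FrozenSet[Frame]]


def apply_arg_propagation(state: State, var: str, transform: str,
                          strong_write: bool) -> State:
    """Model a call whose propagation is Argument -> Argument with `transform`."""
    before = state.get(var, frozenset())
    effect = frozenset((kind, chain + (transform,)) for kind, chain in before)
    after = dict(state)
    # Weak update: keep the pre-call taint and join the propagation's effect.
    # Strong update: the propagation's effect replaces the pre-call taint.
    after[var] = effect if strong_write else before | effect
    return after


def flows_to_sink(state: State, var: str) -> Set[str]:
    """Render each frame reaching the sink as 'Source -> T... -> Sink'."""
    return {" -> ".join((kind, *chain, "Sink"))
            for kind, chain in state.get(var, frozenset())}


def analyze_test_fp(strong_write: bool) -> Set[str]:
    """Abstractly execute the three statements of test_fp from the issue."""
    # Object source = Origin.source();
    state: State = {"source": frozenset({("Source", ())})}
    # transformT1OnArg(source);
    state = apply_arg_propagation(state, "source", "T1", strong_write)
    # Origin.sink(source);
    return flows_to_sink(state, "source")


if __name__ == "__main__":
    print("weak  :", sorted(analyze_test_fp(strong_write=False)))
    print("strong:", sorted(analyze_test_fp(strong_write=True)))
```

With strong_write=True the untransformed Source -> Sink flow is no longer reported, which is the false-negative risk mentioned in the reply whenever that flow is real.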