pascal-lab / Tai-e

An easy-to-learn/use static analysis framework for Java
https://tai-e.pascal-lab.net/docs/index.html
GNU Lesser General Public License v3.0

How to config to result[*] rule for return array type in taint analysis #98

Open Raul1718 opened 3 months ago

Raul1718 commented 3 months ago

Description

Hi,

When I test some cases where the return type is an array and it is used as a transfer, such as String.split, I am not sure how to correctly configure the rule.

My test sample:

class ArgToResultStringSplit {
    public static void main(String[] args) {
        String taint = SourceSink.source();
        String[] taints = taint.split(",");
        String s2 = taints[1]; // no taint now!
        SourceSink.sink(s2); // taint
    }
} 

The transfer rule configured below.

- { method: "<java.lang.String: java.lang.String[] split(java.lang.String)>", from: base, to: result, type: "java.lang.String[]" } could transfer to "String[] taints", but var s2 is not tainted after getting taints[1].

or

- { method: "<java.lang.String: java.lang.String[] split(java.lang.String)>", from: base, to: "result[*]", type: "java.lang.String[]" }

I also tested this, but it could not transfer to "String[] taints".

Could you provide guidance on how to configure this correctly to detect the ArgToResultStringSplit case? Thanks!

zhangt2333 commented 3 months ago

TL;DR: Use - { method: "<java.lang.String: java.lang.String[] split(java.lang.String)>", from: base, to: "result[*]", type: "java.lang.String[]" }, and set the pointer analysis option to only-app:false;.


For your given code snippet, from a static analysis perspective, the expectation is as follows:

flowchart LR
    A[taints]
    B["NewObj ... newarray java.lang.String[...]"]
    C["NewObj ... newarray java.lang.String[...][*]"]
    D["TaintObj"]

    A --> |points-to| B
    C --> |points-to| D

Intuitively, configuring the pointer analysis option with only-app:true; results in the method split not being processed. As a result, the arrayObj NewObj...newarray java.lang.String[...] will not be pointed to by the taints variable.
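Putting the reply together as a complete taint configuration for the ArgToResultStringSplit case (an added example, not a file from the thread or from the Tai-e project): the SourceSink signatures, the file name taint-config.yml and the command-line form in the comment are assumptions based on the snippet above.

```yaml
# Added example, not part of the issue thread or the Tai-e project.
# Assumed: class SourceSink in the default package, with
#   static String source()  and  static void sink(String).

sources:
  # The String returned by SourceSink.source() is the taint source.
  - { kind: call, method: "<SourceSink: java.lang.String source()>", index: result }

sinks:
  # Argument 0 of SourceSink.sink(String) is the sink.
  - { method: "<SourceSink: void sink(java.lang.String)>", index: 0 }

transfers:
  # "to: result" would only mark the String[] reference returned by split();
  # "to: result[*]" marks the element objects of that array, so the load
  # s2 = taints[1] yields a tainted String and the sink is reported.
  - { method: "<java.lang.String: java.lang.String[] split(java.lang.String)>", from: base, to: "result[*]", type: "java.lang.String[]" }

# The transfer only fires if pointer analysis actually processes String.split,
# i.e. the JDK method must not be excluded by only-app:true.
# Assumed invocation shape (check against your Tai-e version's options):
#   -a "pta=only-app:false;taint-config:taint-config.yml"
```

With only-app:true the array object allocated inside split() is never created by the analysis, so there is nothing for result[*] to attach the taint to and taints[1] stays clean.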