Open Raul1718 opened 3 months ago
TL;DR:
Use

```yaml
- { method: "<java.lang.String: java.lang.String[] split(java.lang.String)>", from: base, to: "result[*]", type: "java.lang.String[]" }
```

and set the pointer analysis option to `only-app:false;`.
For your given code snippet, from a static analysis perspective, the expectation is as follows:
```mermaid
flowchart LR
A[taints]
B["NewObj ... newarray java.lang.String[...]"]
C["NewObj ... newarray java.lang.String[...][*]"]
D["TaintObj"]
A --> |points-to| B
C --> |points-to| D
```
Intuitively, configuring the pointer analysis option with `only-app:true;` results in the method `split` not being processed. As a result, the array object `NewObj ... newarray java.lang.String[...]` will not be pointed to by the `taints` variable.
Description
Hi,
When I test some cases whose return type is an array and that act as a transfer, such as `String.split`, I am unsure how to configure the rule correctly.
My test sample:
The transfer rule configured below:

```yaml
- { method: "<java.lang.String: java.lang.String[] split(java.lang.String)>", from: base, to: result, type: "java.lang.String[]" }
```

could transfer to `String[] taints`, but the variable `s2` is not tainted after getting `taints[1]`. Or

```yaml
- { method: "<java.lang.String: java.lang.String[] split(java.lang.String)>", from: base, to: "result[*]", type: "java.lang.String[]" }
```

I also tested, but it could not transfer to `String[] taints`.
Could you provide guidance on how to configure this correctly to detect the ArgToResultStringSplit case? Thanks!
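To make the difference between `to: result` and `to: "result[*]"` concrete, here is an added toy model of the points-to/taint reasoning sketched in the flowchart above. It is not Tai-e's implementation and not code from this issue; the statements `taints = src.split(",")` and `s2 = taints[1]`, the variable names and the `only_app` flag are assumptions constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class ArrayObj:
    """Abstract heap object for `newarray java.lang.String[...]`.
    `tainted` marks the array object itself; `elem_tainted` marks
    its element slot, written `[*]` in the transfer rule."""
    name: str
    tainted: bool = False
    elem_tainted: bool = False


def run_split_case(transfer_to: str, only_app: bool) -> dict:
    """Propagate taint through the constructed scenario
         taints = src.split(",")   # src is a taint source
         s2 = taints[1]
    under one transfer target and one `only-app` setting, and report
    which variables end up tainted."""
    taint = {"src": True, "taints": False, "taints[*]": False, "s2": False}
    arr = None
    # Statement 1: call to <java.lang.String: java.lang.String[] split(java.lang.String)>
    if not only_app:
        # split is processed, so `taints` points to a fresh array object.
        arr = ArrayObj("NewObj ... newarray java.lang.String[...]")
        if taint["src"]:  # from: base (the receiver `src` is tainted)
            if transfer_to == "result":
                arr.tainted = True  # taint lands on the array object
            elif transfer_to == "result[*]":
                arr.elem_tainted = True  # taint lands on the elements
            else:
                raise ValueError(f"unsupported transfer target {transfer_to!r}")
        taint["taints"] = arr.tainted
        taint["taints[*]"] = arr.elem_tainted
    # With only-app:true the JDK method is skipped: `taints` has no
    # points-to set, the transfer never fires, and `arr` stays None.
    # Statement 2: s2 = taints[1] is an array load; it reads the element slot.
    taint["s2"] = arr.elem_tainted if arr is not None else False
    return taint
```

Running `run_split_case("result", False)` reproduces the first observation (array tainted, `s2` not), while `run_split_case("result[*]", False)` taints the element slot and therefore `s2`.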