secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Tainting an object modified by a method, not at an assignment statement #573

Closed NicolasFNino closed 1 year ago

NicolasFNino commented 1 year ago

Greetings,

How should I define a source in the SourcesAndSinks.xml file so that the method taints the object that it works on without being an assignment statement? As an example take the StringBuilder.append method:

virtualinvoke $r2.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>("string literal");

If I want to define this method as a source, how would I do it so that $r2 becomes tainted? I have tried the following:

<method signature="&lt;java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)&gt;()">
    <return type="java.lang.StringBuilder">
        <accessPath isSource="true" isSink="false"/>
    </return>
</method>

<method signature="&lt;java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)&gt;()">
    <return type="void">
        <accessPath isSource="true" isSink="false"/>
    </return>
</method>

Both times the signatures are recognized as valid sources inside the code, but they do not seem to taint the object $r2.

Thanks a lot,

timll commented 1 year ago

<method signature="java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)">
    <base>
        <accessPath isSource="true" isSink="false" />
    </base>
</method>

You can also look up the schema at https://github.com/secure-software-engineering/FlowDroid/blob/develop/soot-infoflow-android/schema/SourcesAndSinks.xsd#L28
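To show where the `<base>` element from the answer sits in a complete configuration, here is an added example file (not from the FlowDroid project or from either poster). The `<sinkSources>` root, the `<category id="...">` wrapper and the `<param index="...">` sink are written from my reading of the linked schema and are assumptions; the category ids and the `android.util.Log` sink are illustrative. Signatures use the `&lt;...&gt;` wrapping from the question; the answer omits the brackets, and this page does not settle whether both spellings are accepted. The point the example makes: a `<return>` access path only taints the variable on the left-hand side of an assignment, so it has nothing to taint at a bare `virtualinvoke` statement, whereas a `<base>` access path taints the receiver object (`$r2`) itself. A source by itself never shows up in the results; FlowDroid reports source-to-sink flows, so a sink is included as well.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the FlowDroid project. Root, category and param
     structure follow my reading of SourcesAndSinks.xsd (assumption); the
     category ids and the Log sink are illustrative. -->
<sinkSources>
    <category id="STRING_BUILDING">
        <!-- Source on the receiver: after $r2.append(...) the StringBuilder
             object ($r2, the base) carries the taint, although the call is
             a plain invoke statement and not the right-hand side of an
             assignment. -->
        <method signature="&lt;java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)&gt;">
            <base>
                <accessPath isSource="true" isSink="false"/>
            </base>
        </method>

        <!-- For comparison: a source on the return value only taints the
             variable the result is assigned to, e.g. $r3 = $r2.toString().
             Used on a bare invoke with no assignment it taints nothing. -->
        <method signature="&lt;java.lang.StringBuilder: java.lang.String toString()&gt;">
            <return type="java.lang.String">
                <accessPath isSource="true" isSink="false"/>
            </return>
        </method>
    </category>

    <category id="LOGGING">
        <!-- Sink on the second parameter (index 1, the message). FlowDroid
             only reports taint that reaches a sink, so without one the
             source above produces no leak in the results. -->
        <method signature="&lt;android.util.Log: int d(java.lang.String,java.lang.String)&gt;">
            <param index="1" type="java.lang.String">
                <accessPath isSource="false" isSink="true"/>
            </param>
        </method>
    </category>
</sinkSources>
```

With this file, a builder that has had `append` called on it and is later converted with `toString()` and passed as the message to `Log.d` is reported as a flow from the `append` base source to the `Log.d` parameter sink; the `toString()` entry is there only to contrast the two access-path kinds and can be dropped.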