wala / WALA

T.J. Watson Libraries for Analysis, with frontends for Java, Android, and JavaScript, and many common static program analyses
http://github.com/wala/WALA
Eclipse Public License 2.0

I doubt the slice result #767

Open 161250029 opened 4 years ago

161250029 commented 4 years ago

The following source code is testing code.

    /* uses badsource and badsink */
    public void bad() throws Throwable
    {
        String data;

        /* FLAW: Set data to a hardcoded string */
        data = "7e5tc4s3";

        Connection connection = null;
        PreparedStatement preparedStatement = null;
        ResultSet resultSet = null;

        if (data != null)
        {
            try
            {
                /* POTENTIAL FLAW: data used as password in database connection */
                connection = DriverManager.getConnection("data-url", "root", data);
                preparedStatement = connection.prepareStatement("select * from test_table");
                resultSet = preparedStatement.executeQuery();
            }
            catch (SQLException exceptSql)
            {
                IO.logger.log(Level.WARNING, "Error with database connection", exceptSql);
            }
            finally
            {
                try
                {
                    if (resultSet != null)
                    {
                        resultSet.close();
                    }
                }
                catch (SQLException exceptSql)
                {
                    IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
                }

                try
                {
                    if (preparedStatement != null)
                    {
                        preparedStatement.close();
                    }
                }
                catch (SQLException exceptSql)
                {
                    IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
                }

                try
                {
                    if (connection != null)
                    {
                        connection.close();
                    }
                }
                catch (SQLException exceptSql)
                {
                    IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
                }
            }
        }
    }

I want to do slicing for the source code 'connection = DriverManager.getConnection("data-url", "root", data);'. After getting the seed statement, I try backwardSlice to do the slice. However, the slicer result has only the seed statement itself. I expect the slice result to look like:

    connection = DriverManager.getConnection("data-url", "root", data);
    preparedStatement = connection.prepareStatement("select * from test_table");
    resultSet = preparedStatement.executeQuery();

So how can I get a more pretty result?

161250029 commented 4 years ago

I wonder whether my way to slice is incorrect or the result is exactly like this.

161250029 commented 4 years ago

Can you give me some advice if convenient?

msridhar commented 4 years ago

From your expected result, it seems you want to do a forward slice from your seed statement, to see what else depends on it. Did you try that?

161250029 commented 4 years ago

I tried it just now. The final slice result only contains the statement ‘ResultSet resultSet = null;’. This is the slice result I get:

NORMAL bad:11 = invokestatic < Application, Ljava/sql/DriverManager, getConnection(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/sql/Connection; > 8,9,7 @31 exception:10 Node: < Application, Ltestcases/CWE259_Hard_Coded_Password/CWE259_Hard_Coded_Password__driverManager_05, bad()V > Context: Everywhere

I map the statement location to the source code line number according to the slice result and then get the statement ‘ResultSet resultSet = null;’.

msridhar commented 4 years ago

@161250029 my guess is that your pointer analysis is very incomplete. In particular, if the points-to set for connection is empty, you might see issues like this. This will depend on whether WALA sees any call targets for DriverManager.getConnection. Maybe you can check the call graph.

161250029 commented 4 years ago

Thank you for your advice. Since the generation of the call graph depends on entry points, I understand you mean that I need to make the entry points more complete. If what I understand is correct, can you give me an example of how to make the entry points more complete?

msridhar commented 4 years ago

I would first check the call graph and confirm it’s an issue. Did you do that? Here is some documentation on entry points:

https://github.com/wala/WALA/wiki/Pointer-Analysis#entry-points
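One way to run the call-graph check suggested in this thread, as an added example that is not part of the original discussion or of WALA itself: it reports how many targets the call graph holds for each matching call site and how large the points-to set of the call's result is. The class `CallTargetCheck` and its `report` method are hypothetical names, and it assumes you have already built the `CallGraph` and `PointerAnalysis` with WALA.

```java
import com.ibm.wala.classLoader.CallSiteReference;
import com.ibm.wala.ipa.callgraph.CGNode;
import com.ibm.wala.ipa.callgraph.CallGraph;
import com.ibm.wala.ipa.callgraph.propagation.InstanceKey;
import com.ibm.wala.ipa.callgraph.propagation.PointerAnalysis;
import com.ibm.wala.ipa.callgraph.propagation.PointerKey;
import com.ibm.wala.ssa.IR;
import com.ibm.wala.ssa.SSAAbstractInvokeInstruction;
import java.util.Iterator;
import java.util.Set;

/** Hypothetical helper (not WALA code): reports whether a call was resolved. */
public final class CallTargetCheck {

  /**
   * Returns the number of matching call sites with no call-graph target.
   * Example: CallTargetCheck.report(cg, pa, "bad", "getConnection")
   */
  public static int report(CallGraph cg, PointerAnalysis<InstanceKey> pa,
                           String caller, String callee) {
    int unresolved = 0;
    for (CGNode node : cg) {
      if (!node.getMethod().getName().toString().equals(caller)) continue;
      IR ir = node.getIR(); // may be null for nodes without a body
      for (Iterator<CallSiteReference> it = node.iterateCallSites(); it.hasNext();) {
        CallSiteReference site = it.next();
        if (!site.getDeclaredTarget().getName().toString().equals(callee)) continue;
        // An empty target set means the analysis never followed this call.
        Set<CGNode> targets = cg.getPossibleTargets(node, site);
        System.out.println(site.getDeclaredTarget().getSignature()
            + " -> " + targets.size() + " target(s)");
        if (targets.isEmpty()) unresolved++;
        if (ir == null) continue;
        // Points-to set of the value the call defines (the returned Connection).
        for (SSAAbstractInvokeInstruction call : ir.getCalls(site)) {
          if (!call.hasDef()) continue;
          PointerKey key = pa.getHeapModel().getPointerKeyForLocal(node, call.getDef());
          System.out.println("  v" + call.getDef() + " points-to size: "
              + pa.getPointsToSet(key).size());
        }
      }
    }
    return unresolved;
  }
}
```

A result of zero targets or a points-to size of 0 for the returned value matches the incomplete pointer analysis described above, and a slice computed on such a graph will under-report dependencies on the hard-coded password.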