False Negative: String concatenation with char should not consider char to be SAFE

[jbindel]

Environment

Component	Version
Java	8
SpotBugs	4.7.3
FindSecBugs	1.12.0

Problem

False negative when concatenating a character onto a String. Characters should not be considered SAFE in the taint configuration. This affects several detectors that rely on the standard taint configuration.

Concatenating strings propagates the taint configuration of the input strings to the resulting string. The current configuration files consider concatenation of all primitive types to be safe, but the char type is not safe to concatenate.

Code

The example code relies on the findsecbugs-plugin/src/main/resources/taint-config/java-lang.txt configuration that declares java/lang/StringBuilder.append(C)Ljava/lang/StringBuilder;:1. PATH_TRAVERSAL_IN is one of the patterns that relies on taint analysis though many others do as well and are similarly affected.

The rules in java-lang.txt for StringBuffer are similarly affected, and there may be additional taint configuration rules that do the same.

import java.io.FileInputStream;
import java.io.IOException;

/**
 * Both methods create the same string input to FileInputStream from the same inputs.
 * Only the second method produces a positive PATH_TRAVERSAL_IN finding.
 * /
public class Example {
	public static FileInputStream falseNegative(String file, String foo) throws IOException {
		StringBuilder buf = new StringBuilder();
		// The foo variable is not trusted, and we circumvent that by
		// breaking it into a char array.
		for (char c : foo.toCharArray()) {
			buf.append(c);
		}
		return new FileInputStream("Hello" + buf);
	}

	public static FileInputStream truePositive(String file, String foo) throws IOException {
		return new FileInputStream("Hello" + foo);
	}
}

[jbindel]

See Pull Request #712