False negative when concatenating a character onto a String. Characters should not be considered SAFE in the taint configuration. This affects several detectors that rely on the standard taint configuration.
Concatenating strings propagates the taint configuration of the input strings to the resulting string. The current configuration files consider concatenation of all primitive types to be safe, but the char type is not safe to concatenate.
Code
The example code relies on the findsecbugs-plugin/src/main/resources/taint-config/java-lang.txt configuration that declares java/lang/StringBuilder.append(C)Ljava/lang/StringBuilder;:1. PATH_TRAVERSAL_IN is one of the patterns that relies on taint analysis though many others do as well and are similarly affected.
The rules in java-lang.txt for StringBuffer are similarly affected, and there may be additional taint configuration rules that do the same.
import java.io.FileInputStream;
import java.io.IOException;

/**
 * Both methods create the same string input to FileInputStream from the same inputs.
 * Only the second method produces a positive PATH_TRAVERSAL_IN finding.
 */
public class Example {
    public static FileInputStream falseNegative(String file, String foo) throws IOException {
        StringBuilder buf = new StringBuilder();
        // The foo variable is not trusted, and we circumvent that by
        // breaking it into a char array.
        for (char c : foo.toCharArray()) {
            buf.append(c);
        }
        return new FileInputStream("Hello" + buf);
    }

    public static FileInputStream truePositive(String file, String foo) throws IOException {
        return new FileInputStream("Hello" + foo);
    }
}
jbindel changed the title from "False Negative: String concatenation with char should not be considered SAFE" to "False Negative: String concatenation with char should not consider char to be SAFE" on Aug 17, 2023.
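To make the propagation visible, the following is an added toy model (not find-sec-bugs code) of how a `signature:indexes` taint-config rule is applied at an `append` call site, replaying the `falseNegative` method above. It assumes the usual stack-index convention (index 0 is the last argument, the highest index is the receiver), and it constructs both the `:1` rule quoted in the issue and a hypothetical corrected `:0,1` rule that also merges the char argument's taint.

```python
from enum import IntEnum


class Taint(IntEnum):
    """Toy two-level taint lattice: the higher value wins when states merge."""
    SAFE = 0
    TAINTED = 1


def parse_taint_config(text):
    """Parse 'method-signature:spec' lines into {signature: [stack indexes]}.

    Assumed index convention: 0 is the last argument (top of the JVM operand
    stack) and the highest index is the receiver ('this'). Named states such
    as SAFE/TAINTED that the real format also accepts are out of scope here.
    """
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sig, spec = line.rsplit(":", 1)
        rules[sig] = [int(i) for i in spec.split(",")]
    return rules


APPEND_CHAR = "java/lang/StringBuilder.append(C)Ljava/lang/StringBuilder;"

# The rule as quoted in the issue (only the receiver's taint survives) and a
# constructed corrected rule that also merges the char argument (index 0).
CONFIG_AS_REPORTED = parse_taint_config(APPEND_CHAR + ":1")
CONFIG_CORRECTED = parse_taint_config(APPEND_CHAR + ":0,1")


def transfer(rules, sig, stack):
    """Taint of the call result: merge of the stack slots the rule lists."""
    return max(Taint(stack[i]) for i in rules[sig])


def char_loop_result(rules, foo=Taint.TAINTED):
    """Replay falseNegative(): append each char of `foo` to a fresh builder,
    then concatenate with the literal "Hello". Each char carries foo's taint."""
    buf = Taint.SAFE                                  # new StringBuilder()
    for _ in range(5):                                # for (char c : foo.toCharArray())
        buf = transfer(rules, APPEND_CHAR, stack=[foo, buf])  # [arg, this]
    return max(Taint.SAFE, buf)                       # "Hello" + buf


if __name__ == "__main__":
    print("as reported:", char_loop_result(CONFIG_AS_REPORTED).name)  # SAFE
    print("corrected:  ", char_loop_result(CONFIG_CORRECTED).name)    # TAINTED
```

With the `:1` rule the builder stays SAFE no matter how tainted the appended chars are, which is exactly the missed PATH_TRAVERSAL_IN finding; merging index 0 as well restores the flow.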