How is an Object tainted in FlowDroid?

Open Hxinrong opened this issue 4 years ago • 0 comments

I wrote a test case:

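import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AAMy extends HttpServlet {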

    private class User {

        public int id;
        public String telNumber;
        public String address;

        public User() {

        }

        @Override
        public String toString() {
            return "User [id=" + id + ", telNumber=" + telNumber + "]";
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        User user = (User) req.getSession().getAttribute("USER");
        resp.sendRedirect(String.valueOf(user.id));   // no sink
        resp.sendRedirect(user.telNumber);   // sink
        resp.sendRedirect(user.address);  // sink
        resp.sendRedirect(user.toString());    // no sink
    }
}

The test class extends FlowDroid/soot-infoflow/test/soot/jimple/infoflow/test/securibench/JUnitTests.java, and the source is added: "<javax.servlet.http.HttpSession: java.lang.Object getAttribute(java.lang.String)>".

According to the test results, if an Object is tainted, all of its "String" member variables are tainted, and member variables of any other type are considered not tainted? I also want to know: user.telNumber is tainted, but why is there no sink in "resp.sendRedirect(user.toString())"? Thank you!

Hxinrong, Jan 07 '21 08:01