find-sec-bugs / find-sec-bugs

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)

Home Page:https://find-sec-bugs.github.io/

Inconsistency in COMMAND_INJECTION Rule: Discrepancy in Violation Reporting with Nested Class

soyodream opened this issue · comments

Environment

Component Version
Java 11.0.19
FindSecBugs 1.12.0

Problem

I have encountered an inconsistency in the detection behavior of the COMMAND_INJECTION rule in find-sec-bugs. In the first code case, the rule reports two BugInstances. However, when introducing a nested class, as shown in the second code case, the rule only reports one BugInstance. This behavior seems inconsistent.

Code

code1

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;

class MoreMethods {
    public static HttpServletRequest req;
    // Taint source: returns a request parameter.
    public static String tainted() {
        return req.getParameter("input");
    }
    // Returns a constant; no request data is involved.
    public String safe() {
        return "safe";
    }
}

class SubClass extends MoreMethods {
    HttpServletRequest req; // shadows the static field declared in MoreMethods
    public void method() throws IOException {
        Runtime.getRuntime().exec(safe());    // sink fed by the constant
        Runtime.getRuntime().exec(tainted()); // sink fed by the request parameter
    }
}

code2

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;

class MoreMethods {
    public static HttpServletRequest req;
    // Taint source: returns a request parameter.
    public static String tainted() {
        return req.getParameter("input");
    }
    // Returns a constant; no request data is involved.
    public String safe() {
        return "safe";
    }
}

class SubClass extends MoreMethods {
    HttpServletRequest req; // shadows the static field declared in MoreMethods
    // Non-static inner class; the two exec() calls are otherwise identical to code1.
    class SubClass655 {
        public void method() throws IOException {
            Runtime.getRuntime().exec(safe());    // sink fed by the constant
            Runtime.getRuntime().exec(tainted()); // sink fed by the request parameter
        }
    }
}
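The two cases above differ only in how the calling method reaches the inherited `safe()` and `tainted()`. The file below is an added set of reproduction variants for triaging the report; it is not part of the issue or of the find-sec-bugs project, and it makes no claim about what the plugin reports for any variant. Class names (`Base`, `Variants`, `Inner`, `InnerExplicit`, `Nested`) and the jar names in the comments are assumptions; the `spotbugs -textui ... -pluginList` invocation follows the documented SpotBugs command line.

```java
// Added reproduction variants (not from the issue or the project): the same two
// exec() sinks reached through different kinds of nesting, so that the
// COMMAND_INJECTION count can be compared variant by variant.
// Build and scan (jar names are assumptions; use the versions you have):
//   javac -cp javax.servlet-api-4.0.1.jar Variants.java
//   spotbugs -textui -effort:max -low -pluginList findsecbugs-plugin-1.12.0.jar .
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;

class Base {
    public static HttpServletRequest req;
    public static String tainted() {
        return req.getParameter("input"); // request data: the taint source
    }
    public String safe() {
        return "safe";                    // constant, no taint
    }
}

class Variants extends Base {
    // Variant A: direct call in the subclass, as in code1.
    public void direct() throws IOException {
        Runtime.getRuntime().exec(safe());
        Runtime.getRuntime().exec(tainted());
    }

    // Variant B: non-static inner class, as in code2. javac compiles it to
    // Variants$Inner with a synthetic outer reference (this$0), so the call
    // to safe() is dispatched on that outer reference, not on 'this'.
    class Inner {
        public void method() throws IOException {
            Runtime.getRuntime().exec(safe());
            Runtime.getRuntime().exec(tainted());
        }
    }

    // Variant C: the same inner class with the receivers written out explicitly,
    // so the source already reads the way variant B is compiled.
    class InnerExplicit {
        public void method() throws IOException {
            Runtime.getRuntime().exec(Variants.this.safe());
            Runtime.getRuntime().exec(Base.tainted());
        }
    }

    // Variant D: static nested class. No enclosing instance exists, so the
    // instance method needs an explicit receiver; tainted() is static and
    // needs none.
    static class Nested {
        public void method(Variants outer) throws IOException {
            Runtime.getRuntime().exec(outer.safe());
            Runtime.getRuntime().exec(tainted());
        }
    }

    // Variant E: anonymous class, another synthetic-outer-reference case.
    public Runnable anonymous() {
        return new Runnable() {
            public void run() {
                try {
                    Runtime.getRuntime().exec(safe());
                    Runtime.getRuntime().exec(tainted());
                } catch (IOException e) {
                    throw new IllegalStateException(e);
                }
            }
        };
    }
}
```

If variants B and E lose a finding while A, C and D keep both, the discrepancy tracks the synthetic outer reference that javac inserts for inner and anonymous classes; if C also loses one, it is the receiver expression itself rather than the compiler-generated field that the detector handles differently.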