How to taint class instance
raylax opened this issue
Hi~

Java code:

```java
String tainted = xxx;
StringBuilder sb = new StringBuilder();
sb.append(tainted);
sink(sb.toString());
```

Jimple IR:

```
$stack7 = new java.lang.StringBuilder;
specialinvoke $stack7.<java.lang.StringBuilder: void <init>()>();
sb = $stack7;
$stack8 = virtualinvoke sb.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>(tainted);
$stack9 = virtualinvoke sb.<java.lang.StringBuilder: java.lang.String toString()>();
specialinvoke this.<ClassA: void sink(java.lang.String)>($stack9);
```

How do I mark `sb` as tainted when the parameter passed to the method `append` is tainted?

My code:

```java
if (callArgs[0].equivTo(source.value)) {
    // the receiver of the call (sb); getBase() is only available on an InstanceInvokeExpr
    ret.add(((InstanceInvokeExpr) invokeExpr).getBase()); // maybe not working
    // the result of the assignment ($stack8)
    ret.add(leftOp);
}
```

Thanks :)
Hello. I am not sure what's going wrong in your case. Taint generation usually happens within the call-to-return-flow function. Is this where your code is located?
Cheers
Eric
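As an added example (not code from the issue author or from the Heros/Soot projects), here is a complete call-to-return flow function that does what the question asks: when a tainted value is passed as the argument of `StringBuilder.append`, the receiver local (`sb` in the Jimple above) becomes a new taint fact, and the result of `append`/`toString` is tainted when either the receiver or an argument is. It assumes the Heros `FlowFunction<D>` interface and the Soot Jimple API (`Stmt`, `InvokeExpr`, `InstanceInvokeExpr`, `AssignStmt`); the data-flow fact type `Value` and the `zeroValue` parameter are this example's own choices and may differ from the issue author's fact class.

```java
import java.util.HashSet;
import java.util.Set;

import heros.FlowFunction;
import soot.Value;
import soot.jimple.AssignStmt;
import soot.jimple.InstanceInvokeExpr;
import soot.jimple.InvokeExpr;
import soot.jimple.Stmt;

/**
 * Call-to-return flow function for a minimal IFDS taint analysis over Jimple.
 * Facts are tainted Values (locals). This is the function to return from
 * FlowFunctions.getCallToReturnFlowFunction(callSite, returnSite): library
 * methods such as StringBuilder.append usually have no body to analyse, so the
 * effect on the receiver must be modelled here, not in the call flow function.
 */
public class StringBuilderCallToReturn implements FlowFunction<Value> {

    // Jimple signatures of the two StringBuilder methods we model
    private static final String APPEND_STRING =
        "<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>";
    private static final String TO_STRING =
        "<java.lang.StringBuilder: java.lang.String toString()>";

    private final Stmt callSite;
    private final Value zeroValue; // the analysis' zero fact (assumed to be a Value here)

    public StringBuilderCallToReturn(Stmt callSite, Value zeroValue) {
        this.callSite = callSite;
        this.zeroValue = zeroValue;
    }

    @Override
    public Set<Value> computeTargets(Value source) {
        Set<Value> ret = new HashSet<>();
        // Taint that reaches the call site survives it unless something kills it.
        ret.add(source);
        if (source == zeroValue || !callSite.containsInvokeExpr()) {
            return ret;
        }

        InvokeExpr ie = callSite.getInvokeExpr();
        String sig = ie.getMethodRef().getSignature();
        boolean isAppend = APPEND_STRING.equals(sig);
        boolean isToString = TO_STRING.equals(sig);
        if (!isAppend && !isToString) {
            return ret; // other calls: identity (extend here for more summaries)
        }

        // Is the current fact one of the call arguments?
        boolean argTainted = false;
        for (Value arg : ie.getArgs()) {
            if (arg.equivTo(source)) {
                argTainted = true;
            }
        }

        if (ie instanceof InstanceInvokeExpr) {
            Value base = ((InstanceInvokeExpr) ie).getBase();
            boolean baseTainted = base.equivTo(source);

            // sb.append(tainted): the builder now holds the tainted data,
            // so the receiver local itself becomes a fact.
            if (isAppend && argTainted) {
                ret.add(base);
            }

            // $stack8 = sb.append(...) / $stack9 = sb.toString():
            // the returned value carries the taint of the receiver (or argument).
            if ((baseTainted || argTainted) && callSite instanceof AssignStmt) {
                ret.add(((AssignStmt) callSite).getLeftOp());
            }
        }
        return ret;
    }
}
```

With this in place, the fact `tainted` reaching `$stack8 = virtualinvoke sb.append(tainted)` produces the facts `{tainted, sb, $stack8}`; at the later `$stack9 = virtualinvoke sb.toString()` the fact `sb` then produces `$stack9`, which is what the sink check sees. Note that `sb` and `$stack7` are the same object after `sb = $stack7`, so a normal flow function that treats assignments as copies is still needed if taint is introduced before the copy.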