Taint not transferred in chained call of StringBuilder.append #83

Closed
formanek opened this issue Sep 7, 2015 · 0 comments

formanek commented Sep 7, 2015

In a piece of code like this

```java
StringBuilder builder = new StringBuilder();
builder.append("safe").append(tainted);
// taint sink with builder.toString()
```

the taint state from variable tainted is not transferred to builder. As a result, there can be false negatives if this construction is used. In practice, toString methods with false safe taint state were sometimes generated.

This was fixed by proper taint transfer between the stack and local variables.
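
The following is an added example, not part of the original issue and not the project's own code: a toy taint analysis over a constructed, simplified instruction list that shows why only the chained form loses taint. It assumes the analysis records which local slot a stack reference was loaded from; the opcode names and the `analyze` function are hypothetical.

```python
SAFE, TAINTED = "SAFE", "TAINTED"

# Constructed, simplified bytecode; local 1 = builder, local 2 = tainted.
CHAINED = [("aload", 1), ("ldc",), ("append",),    # builder.append("safe")
           ("aload", 2), ("append",), ("pop",),    # .append(tainted) on returned ref
           ("aload", 1), ("tostring",), ("sink",)]
UNCHAINED = [("aload", 1), ("ldc",), ("append",), ("pop",),
             ("aload", 1), ("aload", 2), ("append",), ("pop",),
             ("aload", 1), ("tostring",), ("sink",)]


def analyze(code, track_origin):
    """Return the taint state reaching the sink.

    Stack entries are (state, origin): origin is the local slot the reference
    was loaded from. track_origin=False forgets the origin of a value returned
    by append(), which models the false negative described in the issue.
    """
    local_state = {1: SAFE, 2: TAINTED}
    stack = []
    for op, *args in code:
        if op == "aload":
            stack.append((local_state[args[0]], args[0]))
        elif op == "ldc":
            stack.append((SAFE, None))
        elif op == "pop":
            stack.pop()
        elif op == "append":
            arg_state, _ = stack.pop()
            recv_state, origin = stack.pop()
            merged = TAINTED if TAINTED in (arg_state, recv_state) else SAFE
            if origin is not None:
                local_state[origin] = merged   # transfer stack taint to the local
            # append() returns `this`, so the result aliases the receiver
            stack.append((merged, origin if track_origin else None))
        elif op == "tostring":
            state, _ = stack.pop()
            stack.append((state, None))
        elif op == "sink":
            return stack.pop()[0]
    raise ValueError("no sink reached")


if __name__ == "__main__":
    for name, code in (("chained", CHAINED), ("unchained", UNCHAINED)):
        print(name, analyze(code, False), analyze(code, True))
```

A regression test for this class of bug needs both call shapes, since the unchained form reports the taint correctly even without the stack-to-local link.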
