Merge pull request diffblue#377 from diffblue/introduce_rules_files_for_dspace

marek-trtik · web-flow · commit 155e84110a5a · 2018-06-05T13:35:03.000+01:00
SEC-352: Introduced rules JSON file for DSPACE.
diff --git a/benchmarks/GENUINE/DSpace_rules.json b/benchmarks/GENUINE/DSpace_rules.json
@@ -0,0 +1,223 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+    [
+      {
+        "comment": "Obtained ServletRequest's attribute with potentially tainted data.",
+        "class": "javax.servlet.http.HttpServletRequest",
+        "method": "getAttribute:(Ljava/lang/String;)Ljava/lang/Object;",
+        "result": {
+          "location": "returns",
+          "taint": "Tainted request attribute"
+        }
+      },
+      {
+        "comment": "Obtained ServletRequest's poarameter with potentially tainted data.",
+        "class": "javax.servlet.http.HttpServletRequest",
+        "method": "getParameter:(Ljava/lang/String;)Ljava/lang/String;",
+        "result": {
+          "location": "returns",
+          "taint": "Tainted string"
+        }
+      },
+      
+
+
+
+      {
+        "comment": "Obtained stream from the tainted request attribute.",
+        "class": "org.apache.commons.fileupload.FileItem",
+        "method": "getInputStream:()Ljava/io/InputStream;",
+        "input": {
+          "location": "this",
+          "taint": "Tainted request attribute"
+        },
+        "result": {
+          "location": "returns",
+          "taint": "Tainted input stream"
+        }
+      },
+      {
+        "comment": "Trimmed tainted string remains tainted.",
+        "class": "org.apache.commons.lang3.StringUtils",
+        "method": "trimToNull:(Ljava/lang/String;)Ljava/lang/String;",
+        "input": {
+          "location": "arg0",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "returns",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "comment": "Writing content of a tainted stream to disk is a sink.",
+        "class": "java.nio.file.Files",
+        "method": "copy:(Ljava/io/InputStream;Ljava/nio/file/Path;[Ljava/nio/file/CopyOption;)J",
+        "sinkTarget": {
+          "location": "arg0",
+          "vulnerability": "Tainted input stream"
+        }
+      },
+
+      {
+        "comment": "Streams returned by getInputStream on ServletRequest are tainted",
+        "class": "training07.HttpServletRequest",
+        "method": "getInputStream:()Ltraining07/InputStream;",
+        "result": {
+          "location": "returns",
+          "taint": "Tainted stream"
+        }
+      },
+      {
+        "comment": "Read up to exact number of bytes from tainted stream gives tainted array of bytes",
+        "class": "java.io.InputStream",
+        "method": "read:([BII)I",
+        "input": {
+          "location": "this",
+          "taint": "Tainted stream"
+        },
+        "result": {
+          "location": "arg1",
+          "taint": "Tainted byte array"
+        }
+      },
+      {
+        "comment": "Read some number of bytes from tainted stream gives tainted array of bytes",
+        "class": "java.io.InputStream",
+        "method": "read:([B)I",
+        "input": {
+          "location": "this",
+          "taint": "Tainted stream"
+        },
+        "result": {
+          "location": "arg1",
+          "taint": "Tainted byte array"
+        }
+      },
+      {
+        "comment": "Writing potentially tainted bytes to a file stream is a sink.",
+        "class": "java.io.FileOutputStream",
+        "method": "write:([BII)V",
+        "sinkTarget": {
+          "location": "arg1",
+          "taint": "Tainted byte array"
+        }
+      },
+      {
+        "comment": "Read from file channel gives tainted buffer of bytes.",
+        "class": "java.nio.channels.FileChannel",
+        "method": "read:(Ljava/nio/ByteBuffer;)I",
+        "result": {
+          "location": "arg1",
+          "taint": "Tainted byte buffer"
+        }
+      },
+      {
+        "comment": "Read from tainted buffer of bytes gives a tainted string.",
+        "class": "java.nio.ByteBuffer",
+        "method": "toString:()Ljava/lang/String;",
+        "input": {
+          "location": "this",
+          "taint": "Tainted byte buffer"
+        },
+        "result": {
+          "location": "arg1",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "comment": "Construction of string from an array of tainted bytes gives a tainted string.",
+        "class": "java.lang.String",
+        "method": "<init>:([BII)V",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted byte array"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "comment": "Tainted string appended to a StringBuilder makes the builder tainted/",
+        "class": "java.lang.StringBuilder",
+        "method": "append:(Ljava/lang/String;)Ljava/lang/StringBuilder;",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted string builder"
+        }
+      },
+      {
+        "comment": "A string returnded from a tainted StringBuilder is tainted.",
+        "class": "java.lang.StringBuilder",
+        "method": "toString:()Ljava/lang/String;",
+        "input": {
+          "location": "this",
+          "taint": "Tainted string builder"
+        },
+        "result": {
+          "location": "returns",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "comment": "Tainted string with some replaced cheracters remains tainted.",
+        "class": "java.lang.String",
+        "method": "replaceAll:(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;",
+        "input": {
+          "location": "arg0",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "returns",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "comment": "Substring of a tainted string remains tainted.",
+        "class": "java.lang.String",
+        "method": "substring:(II)Ljava/lang/String;",
+        "input": {
+          "location": "this",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "returns",
+          "taint": "Tainted string"
+        }
+      },
+
+
+      {
+        "comment": "Storing tainted string in a list; making the list tainted.",
+        "class": "java.util.List",
+        "method": "add:(Ljava/lang/Object;)Z",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted list"
+        }
+      },
+      {
+        "comment": "Converting tainted list to an array.",
+        "class": "java.util.List",
+        "method": "toArray:()[Ljava/lang/Object;",
+        "input": {
+          "location": "this",
+          "taint": "Tainted list"
+        },
+        "result": {
+          "location": "returns",
+          "taint": "Tainted array"
+        }
+      }
+    ]
+}
