|
8 | 8 | "method": "getAttribute:(Ljava/lang/String;)Ljava/lang/Object;", |
9 | 9 | "result": { |
10 | 10 | "location": "returns", |
11 | | - "taint": "Tainted servlet attribute" |
| 11 | + "taint": "Tainted request attribute" |
12 | 12 | } |
13 | 13 | }, |
14 | 14 | { |
|
25 | 25 |
|
26 | 26 |
|
27 | 27 | { |
28 | | - "comment": "Obtained stream from the tainted servlet attribute.", |
| 28 | + "comment": "Obtained stream from the tainted request attribute.", |
29 | 29 | "class": "org.apache.commons.fileupload.FileItem", |
30 | 30 | "method": "getInputStream:()Ljava/io/InputStream;", |
31 | 31 | "input": { |
32 | 32 | "location": "this", |
33 | | - "taint": "Tainted servlet attribute" |
| 33 | + "taint": "Tainted request attribute" |
34 | 34 | }, |
35 | 35 | "result": { |
36 | 36 | "location": "returns", |
|
59 | 59 | "vulnerability": "Tainted input stream" |
60 | 60 | } |
61 | 61 | }, |
62 | | - { |
63 | | - "comment": "Marking path to the file where is written the content of a tainted stream as tainted.", |
64 | | - "class": "java.nio.file.Files", |
65 | | - "method": "copy:(Ljava/io/InputStream;Ljava/nio/file/Path;[Ljava/nio/file/CopyOption;)J", |
66 | | - "input": { |
67 | | - "location": "arg0", |
68 | | - "taint": "Tainted input stream" |
69 | | - }, |
70 | | - "result": { |
71 | | - "location": "arg1", |
72 | | - "taint": "Tainted pathname" |
73 | | - } |
74 | | - }, |
75 | | - { |
76 | | - "comment": "Writing a tainted string to a file makes the file tainted.", |
77 | | - "class": "org.apache.commons.io.FileUtils", |
78 | | - "method": "writeStringToFile:(Ljava/io/File;Ljava/lang/String;)V", |
79 | | - "result": { |
80 | | - "location": "this", |
81 | | - "taint": "Tainted file" |
82 | | - } |
83 | | - }, |
84 | | - { |
85 | | - "comment": "Obtained ZIP file from potentially tainted file.", |
86 | | - "class": "java.util.zip.ZipFile", |
87 | | - "method": "<init>:(Ljava/io/File;Ljava/nio/charset/Charset;)V", |
88 | | - "input": { |
89 | | - "location": "arg1", |
90 | | - "taint": "Tainted file" |
91 | | - }, |
92 | | - "result": { |
93 | | - "location": "this", |
94 | | - "taint": "Tainted zip file" |
95 | | - } |
96 | | - }, |
97 | | - { |
98 | | - "comment": "Collection of entries from tainted ZIP file are tainted.", |
99 | | - "class": "java.util.zip.ZipFile", |
100 | | - "method": "entries:()Ljava/util/Enumeration;", |
101 | | - "input": { |
102 | | - "location": "this", |
103 | | - "taint": "Tainted zip file" |
104 | | - }, |
105 | | - "result": { |
106 | | - "location": "returns", |
107 | | - "taint": "Tainted zip entries" |
108 | | - } |
109 | | - }, |
110 | | - { |
111 | | - "comment": "Any entry from tainted collection of ZIP entries is tainted.", |
112 | | - "class": "java.util.Enumeration", |
113 | | - "method": "nextElement:()Ljava/lang/Object;", |
114 | | - "input": { |
115 | | - "location": "this", |
116 | | - "taint": "Tainted zip entries" |
117 | | - }, |
118 | | - "result": { |
119 | | - "location": "returns", |
120 | | - "taint": "Tainted zip entry" |
121 | | - } |
122 | | - }, |
123 | | - { |
124 | | - "comment": "Input stream returned from tainted ZIP file is tainted.", |
125 | | - "class": "java.util.zip.ZipFile", |
126 | | - "method": "getInputStream:(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream;", |
127 | | - "input": { |
128 | | - "location": "this", |
129 | | - "taint": "Tainted zip file" |
130 | | - }, |
131 | | - "result": { |
132 | | - "location": "returns", |
133 | | - "taint": "Tainted input stream" |
134 | | - } |
135 | | - }, |
136 | | - { |
137 | | - "comment": "Input stream returned from a ZIP file for tainted ZIP entry is tainted.", |
138 | | - "class": "java.util.zip.ZipFile", |
139 | | - "method": "getInputStream:(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream;", |
140 | | - "input": { |
141 | | - "location": "arg1", |
142 | | - "taint": "Tainted zip entry" |
143 | | - }, |
144 | | - "result": { |
145 | | - "location": "returns", |
146 | | - "taint": "Tainted input stream" |
147 | | - } |
148 | | - }, |
149 | 62 |
|
150 | 63 | { |
151 | 64 | "comment": "Streams returned by getInputStream on ServletRequest are tainted", |
|
157 | 70 | } |
158 | 71 | }, |
159 | 72 | { |
160 | | - "comment": "Read from tainted stream gives tainted array of bytes", |
| 73 | + "comment": "Read up to exact number of bytes from tainted stream gives tainted array of bytes", |
161 | 74 | "class": "java.io.InputStream", |
162 | 75 | "method": "read:([BII)I", |
163 | 76 | "input": { |
|
170 | 83 | } |
171 | 84 | }, |
172 | 85 | { |
173 | | - "comment": "Read from tainted stream gives tainted array of bytes", |
| 86 | + "comment": "Read some number of bytes from tainted stream gives tainted array of bytes", |
174 | 87 | "class": "java.io.InputStream", |
175 | 88 | "method": "read:([B)I", |
176 | 89 | "input": { |
|
192 | 105 | } |
193 | 106 | }, |
194 | 107 | { |
195 | | - "comment": "Read from file channel gives tainted buffer of bytes", |
| 108 | + "comment": "Read from file channel gives tainted buffer of bytes.", |
196 | 109 | "class": "java.nio.channels.FileChannel", |
197 | 110 | "method": "read:(Ljava/nio/ByteBuffer;)I", |
198 | 111 | "result": { |
|
201 | 114 | } |
202 | 115 | }, |
203 | 116 | { |
204 | | - "comment": "Read from file channel gives tainted buffer of bytes", |
| 117 | + "comment": "Read from tainted buffer of bytes gives a tainted string.", |
205 | 118 | "class": "java.nio.ByteBuffer", |
206 | 119 | "method": "toString:()Ljava/lang/String;", |
207 | 120 | "input": { |
|
280 | 193 | }, |
281 | 194 |
|
282 | 195 |
|
283 | | - { |
284 | | - "comment": "Put a tainted object to a map makes the map tainted.", |
285 | | - "class": "java.util.Map", |
286 | | - "method": "put:(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;", |
287 | | - "input": { |
288 | | - "location": "arg2", |
289 | | - "taint": "Tainted object" |
290 | | - }, |
291 | | - "result": { |
292 | | - "location": "returns", |
293 | | - "taint": "Tainted map" |
294 | | - } |
295 | | - }, |
296 | | - { |
297 | | - "comment": "Gut an object from a tainted map is a tainted object.", |
298 | | - "class": "java.util.Map", |
299 | | - "method": "get:(Ljava/lang/Object;)Ljava/lang/Object;", |
300 | | - "input": { |
301 | | - "location": "this", |
302 | | - "taint": "Tainted map" |
303 | | - }, |
304 | | - "result": { |
305 | | - "location": "returns", |
306 | | - "taint": "Tainted object" |
307 | | - } |
308 | | - }, |
309 | | - |
310 | | - |
311 | | - |
312 | 196 | { |
313 | 197 | "comment": "Get an iterator to characters of a tainted string is a tainted iterator.", |
314 | 198 | "class": "com.ibm.icu.text.RuleBasedCollator", |
|
336 | 220 | } |
337 | 221 | }, |
338 | 222 | { |
339 | | - "comment": "Converting integer (character code) from tainted character sequence to a tainted string.", |
| 223 | + "comment": "Converting tainted integer to a tainted string.", |
340 | 224 | "class": "java.lang.Integer", |
341 | 225 | "method": "toString:(II)Ljava/lang/String;", |
342 | 226 | "input": { |
|
370 | 254 | "taint": "Tainted list" |
371 | 255 | }, |
372 | 256 | "result": { |
373 | | - "location": "this", |
| 257 | + "location": "returns", |
374 | 258 | "taint": "Tainted array" |
375 | 259 | } |
376 | 260 | }, |
|
409 | 293 | "taint": "Tainted object" |
410 | 294 | }, |
411 | 295 | "result": { |
412 | | - "location": "returns", |
| 296 | + "location": "this", |
413 | 297 | "taint": "Tainted SQL query statement" |
414 | 298 | } |
415 | 299 | }, |
|
0 commit comments