Merge pull request diffblue#282 from diffblue/marek/splitting_test_tainted-string-type

SEC-142: Splitting composed regression test 'tainted-string-type' into 2 tests.

Author: marek-trtik

regression/end_to_end/tainted-string-type/src/build.xml renamed to regression/end_to_end/tainted-string-type-concat/build.xml

@@ -1,7 +1,7 @@
-<project name="Main" basedir="." default="jar">
+<project name="concat" basedir="." default="jar">
 
   <property name="root.dir"      value="./"/>
-  <property name="src.dir"       value="${root.dir}"/>
+  <property name="src.dir"       value="${root.dir}/src"/>
   <property name="classes.dir"   value="${root.dir}/build"/>
   <property name="install.dir"   value="${root.dir}/dist"/>
 

regression/end_to_end/tainted-string-type-concat/rules.json

@@ -0,0 +1,76 @@
+{
+  "rules": [
+    {
+      "comment": "Taint source",
+      "id": "basic1_source",
+      "class": "concat",
+      "method": "source:()Ljava/lang/String;",
+      "result": {
+        "location": "return_value",
+        "taint": "XXX"
+      }
+    },
+    {
+      "comment": "Cleans argument",
+      "id": "basic1_sanitiser",
+      "class": "concat",
+      "method": "mark_clean:(Ljava/lang/String;)V",
+      "sanitizes": {
+        "location": "arg0",
+        "taint": "XXX"
+      }
+    },
+    {
+      "comment": "Taint sink",
+      "id": "basic1_sink",
+      "class": "concat",
+      "method": "sink:(Ljava/lang/String;)V",
+      "sinkTarget": {
+        "location": "arg0",
+        "vulnerability": "XXX"
+      }
+    },
+    {
+      "comment": "Taint leaves StringBuilder",
+      "id": "sb_tostring",
+      "class": "java.lang.StringBuilder",
+      "method": "toString:()Ljava/lang/String;",
+      "input": {
+        "location": "this",
+        "taint": "SBXXX"
+      },
+      "result": {
+        "location": "return_value",
+        "taint": "XXX"
+      }
+    },
+    {
+      "comment": "Taint appended to StringBuilder",
+      "id": "sb_append",
+      "class": "java.lang.StringBuilder",
+      "method": "append:(Ljava/lang/String;)Ljava/lang/StringBuilder;",
+      "input": {
+        "location": "arg1",
+        "taint": "XXX"
+      },
+      "result": {
+        "location": "this",
+        "taint": "SBXXX"
+      }
+    },
+    {
+      "comment": "Taint preserved by substring operation",
+      "id": "substring",
+      "class": "java.lang.String",
+      "method": "substring:(II)Ljava/lang/String;",
+      "input": {
+        "location": "this",
+        "taint": "XXX"
+      },
+      "result": {
+        "location": "return_value",
+        "taint": "XXX"
+      }
+    }
+  ]
+}

regression/end_to_end/tainted-string-type/src/concat.java renamed to regression/end_to_end/tainted-string-type-concat/src/concat.java

@@ -1,19 +1,23 @@
 public class concat {
 
+    public static void mark_clean(String x) { }
+    public static String source() { return new String("Pure evil"); }
+    public static void sink(String x) { }
+
     public static void main(int unknown) {
 
-        String tainted = test.source();
+        String tainted = source();
         String untainted = "No worries here";
         String taint_concat = tainted + " addition";
         String taint_sub = taint_concat.substring(5, 10);
 
         String maybe_tainted = unknown == 100 ? taint_sub : untainted;
 
         if(unknown == 200) {
-            test.mark_clean(maybe_tainted);
-            test.sink(maybe_tainted);
+            mark_clean(maybe_tainted);
+            sink(maybe_tainted);
         }
-        test.sink(maybe_tainted);
+        sink(maybe_tainted);
 
     }
 

regression/end_to_end/tainted-string-type/src/java/lang/String.java renamed to regression/end_to_end/tainted-string-type-concat/src/java/lang/String.java

@@ -0,0 +1,17 @@
+import regression.end_to_end.driver as pipeline_executor
+import os.path
+import pytest
+import subprocess
+
+
+@pytest.mark.xfail
+def test_taint_crossing_substr_and_concatenation():
+    with pipeline_executor.working_dir(os.path.abspath(os.path.dirname(__file__))):
+        subprocess.call("ant")
+    traces = pipeline_executor.run_security_analyser_pipeline(
+        "dist/concat.jar",
+        "rules.json",
+        os.path.realpath(os.path.dirname(__file__)))
+    assert traces.count_traces() > 0
+    assert not traces.trace_exists("java::concat.main:(I)V", 18)
+    assert traces.trace_exists("java::concat.main:(I)V", 20)

regression/end_to_end/tainted-string-type/src/java/lang/StringBuilder.java renamed to regression/end_to_end/tainted-string-type-concat/src/java/lang/StringBuilder.java

@@ -0,0 +1,27 @@
+<project name="test" basedir="." default="jar">
+
+  <property name="root.dir"      value="./"/>
+  <property name="src.dir"       value="${root.dir}/src"/>
+  <property name="classes.dir"   value="${root.dir}/build"/>
+  <property name="install.dir"   value="${root.dir}/dist"/>
+
+  <target name="jar">
+    <antcall target="compile" />
+    <mkdir dir="${install.dir}"/>
+    <jar destfile="${install.dir}/test.jar" basedir="${classes.dir}" />
+  </target>  
+  
+  <target name="compile">
+    <antcall target="clean" />
+    <mkdir dir="${classes.dir}"/>
+    <javac srcdir="${src.dir}" destdir="${classes.dir}" includeantruntime="false" debug="on" />
+  </target>
+
+  <target name="clean">
+    <delete dir="${classes.dir}"/>
+    <delete dir="${install.dir}"/>
+  </target>
+
+
+</project>
+

regression/end_to_end/tainted-string-type-concat/test_tainted_string_type_concat.py

@@ -29,62 +29,6 @@
         "location": "arg0",
         "vulnerability": "XXX"
       }
-    },
-    {
-      "comment": "Taint enters StringBuilder",
-      "id": "sb_constructor",
-      "class": "java.lang.StringBuilder",
-      "method": "<init>:()V",
-      "input": {
-        "location": "arg0",
-        "taint": "XXX"
-      },
-      "result": {
-        "location": "this",
-        "taint": "SBXXX"
-      }
-    },
-    {
-      "comment": "Taint leaves StringBuilder",
-      "id": "sb_tostring",
-      "class": "java.lang.StringBuilder",
-      "method": "toString:()Ljava/lang/String;",
-      "input": {
-        "location": "this",
-        "taint": "SBXXX"
-      },
-      "result": {
-        "location": "return_value",
-        "taint": "XXX"
-      }
-    },
-    {
-      "comment": "Taint appended to StringBuilder",
-      "id": "sb_append",
-      "class": "java.lang.StringBuilder",
-      "method": "append:(Ljava/lang/String;)Ljava/lang/StringBuilder;",
-      "input": {
-        "location": "arg1",
-        "taint": "XXX"
-      },
-      "result": {
-        "location": "this",
-        "taint": "SBXXX"
-      }
-    },
-    {
-      "comment": "Taint preserved by substring operation",
-      "id": "substring",
-      "class": "java.lang.String",
-      "method": "substring:(II)Ljava/lang/String;",
-      "input": {
-        "location": "this",
-        "taint": "XXX"
-      },
-      "result": {
-        "location": "return_value",
-        "taint": "XXX"
-      }
     }
   ]
 }

regression/end_to_end/tainted-string-type/build.xml

@@ -1,24 +1,14 @@
-
-from regression.end_to_end.driver \
-    import run_security_analyser_pipeline
-
+import regression.end_to_end.driver as pipeline_executor
 import os.path
-import pytest
+import subprocess
+
 
 def test_tainted_string():
-    traces = run_security_analyser_pipeline(
-        "test.class",
+    with pipeline_executor.working_dir(os.path.abspath(os.path.dirname(__file__))):
+        subprocess.call("ant")
+    traces = pipeline_executor.run_security_analyser_pipeline(
+        "dist/test.jar",
         "rules.json",
         os.path.realpath(os.path.dirname(__file__)))
     assert traces.count_traces() > 0
     assert traces.trace_exists("java::test.main:(I)V", 16)
-
-@pytest.mark.xfail
-def test_taint_crossing_substr_and_concatenation():
-    traces = run_security_analyser_pipeline(
-        "concat.jar",
-        "rules.json",
-        os.path.realpath(os.path.dirname(__file__)))
-    assert traces.count_traces() > 0
-    assert not traces.trace_exists("java::concat.main:(I)V", 14)
-    assert traces.trace_exists("java::concat.main:(I)V", 16)