Merge pull request diffblue#305 from diffblue/enhancment/taint_array_from_elements

SEC-173: Added end-to-end test 'taint_array_from_elements'.

Author: marek-trtik

regression/end_to_end/taint_array_from_elements/build.xml

@@ -0,0 +1,29 @@
+<project name="taint_array_from_elements" basedir="." default="jar">
+
+  <property name="root.dir"      value="./"/>
+  <property name="src.dir"       value="${root.dir}/src"/>
+  <property name="classes.dir"   value="${root.dir}/build"/>
+  <property name="install.dir"   value="${root.dir}/dist"/>
+
+  <target name="jar">
+    <antcall target="compile" />
+    <mkdir dir="${install.dir}"/>
+    <jar destfile="${install.dir}/taint_array_from_elements.jar" basedir="${classes.dir}" />
+  </target>  
+  
+  <target name="compile">
+    <antcall target="clean" />
+    <mkdir dir="${classes.dir}"/>
+    <javac srcdir="${src.dir}" destdir="${classes.dir}" includeantruntime="false" debug="on">
+    </javac>
+  </target>
+
+  <target name="clean">
+    <delete dir="${classes.dir}"/>
+    <delete dir="${install.dir}"/>
+  </target>
+
+
+</project>
+
+

regression/end_to_end/taint_array_from_elements/rules.json

@@ -0,0 +1,26 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+  [
+    {
+      "comment": "Obtaining tainted data.",
+      "class": "Main",
+      "method": "makeTainted:(Ljava/lang/Object;)V",
+      "result": {
+        "location": "arg0",
+        "taint": "Tainted data"
+      }
+    },
+    {
+      "comment": "Writing potentially tainted array to a sink.",
+      "class": "Main",
+      "method": "sink:([Ljava/lang/Object;)V",
+      "sinkTarget": {
+        "location": "arg0",
+        "vulnerability": "Tainted array"
+      }
+    }
+  ]
+}
+
+

regression/end_to_end/taint_array_from_elements/src/Main.java

@@ -0,0 +1,10 @@
+public class Main {
+    private static void makeTainted(Object o) {}
+    private static void sink(Object... o) {}
+    public static void main(boolean nondet) {
+        Object bar = new Object();
+        makeTainted(bar);
+        Object[] obj = { new Object(), bar};
+        sink(obj);
+    }
+}

regression/end_to_end/taint_array_from_elements/test_taint_array_from_elements.py

@@ -0,0 +1,26 @@
+import regression.end_to_end.driver as pipeline_executor
+import os
+import subprocess
+import pytest
+import regression.utils as utils
+
+
+@pytest.mark.xfail(strict=True)
+def test_taint_array_from_elements():
+    """
+    The test shows a weakness of specification of taint propagation, when
+    an array is assigned a tainted data to some its element and then the
+    whole array is delivered to a sink. The problem is that we are
+    currently unable to define a rule which would make the array tainted
+    when some its element is assigned a tainted data. The cause is that
+    array element update is an assignment statement and rules are related
+    to function calls.
+    """
+    with utils.working_dir(os.path.abspath(os.path.dirname(__file__))):
+        subprocess.call("ant")
+    traces = pipeline_executor.run_security_analyser_pipeline(
+        os.path.join("dist", "taint_array_from_elements.jar"),
+        "rules.json",
+        os.path.realpath(os.path.dirname(__file__)))
+    assert traces.count_traces() == 1
+    assert traces.trace_exists("java::Main.postBytes:(LData;LOStream;)V", 8)