Test where Cookie's constructor takes 2 potentially tainted arguments.

The test case shows a weakness in our rules system. The test defines
a class Cookie, whose constructor takes 2 arguments, and each of them
can bring tainted data to the created instance. However, our rule
allows only for 1 tainted input.

Author: marek-trtik

regression/end_to_end/multitaint/build.xml

@@ -0,0 +1,27 @@
+<project name="multitaint" basedir="." default="jar">
+
+  <property name="root.dir"      value="./"/>
+  <property name="src.dir"       value="${root.dir}/src"/>
+  <property name="classes.dir"   value="${root.dir}/build"/>
+  <property name="install.dir"   value="${root.dir}/dist"/>
+
+  <target name="jar">
+    <antcall target="compile" />
+    <mkdir dir="${install.dir}"/>
+    <jar destfile="${install.dir}/multitaint.jar" basedir="${classes.dir}" />
+  </target>  
+  
+  <target name="compile">
+    <antcall target="clean" />
+    <mkdir dir="${classes.dir}"/>
+    <javac srcdir="${src.dir}" destdir="${classes.dir}" includeantruntime="false" debug="on">
+    </javac>
+  </target>
+
+  <target name="clean">
+    <delete dir="${classes.dir}"/>
+    <delete dir="${install.dir}"/>
+  </target>
+
+
+</project>

regression/end_to_end/multitaint/rules.json

@@ -0,0 +1,37 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+  [
+    {
+      "comment": "Obtaining tainted data.",
+      "class": "Main",
+      "method": "makeTainted:(Ljava/lang/Object;)V",
+      "result": {
+        "location": "arg0",
+        "taint": "Tainted data"
+      }
+    },
+    {
+      "comment": "Put tainted name to cookie",
+      "class": "Cookie",
+      "method": "<init>:(Ljava/lang/Object;Ljava/lang/Object;)V",
+      "input": {
+        "location": "arg1",
+        "taint": "Tainted data"
+      },
+      "result": {
+        "location": "this",
+        "taint": "Tainted cookie"
+      }
+    },
+    {
+      "comment": "Writing potentially tainted data to a sink.",
+      "class": "Main",
+      "method": "sink:(LCookie;)V",
+      "sinkTarget": {
+        "location": "arg0",
+        "vulnerability": "Tainted cookie"
+      }
+    }
+  ]
+}

regression/end_to_end/multitaint/src/Main.java

@@ -0,0 +1,24 @@
+class Cookie {
+    public Cookie(Object name, Object value) {
+    }
+}
+public class Main {
+    private static void makeTainted(Object o) {}
+    private static void sink(Cookie o) {}
+
+    public static void taint_via_name() {
+        Object name = new Object();
+        Object value = new Object();
+        makeTainted(name);
+        Cookie c = new Cookie(name, value);
+        sink(c);
+    }
+
+    public static void taint_via_value() {
+        Object name = new Object();
+        Object value = new Object();
+        makeTainted(value);
+        Cookie c = new Cookie(name, value);
+        sink(c);
+    }
+}

regression/end_to_end/multitaint/test_multitaint.py

@@ -0,0 +1,24 @@
+import regression.end_to_end.driver as pipeline_executor
+import os
+import subprocess
+import pytest
+import regression.utils as utils
+
+
+@pytest.mark.xfail(strict=True)
+def test_multitaint():
+    """
+    The test case shows a weakness in our rules system. The test defines
+    a class Cookie, whose constructor takes 2 arguments, and each of them
+    can bring tainted data to the created instance. However, our rule
+    allows only for 1 tainted input.
+    """
+    with utils.working_dir(os.path.abspath(os.path.dirname(__file__))):
+        subprocess.call("ant")
+    traces = pipeline_executor.run_security_analyser_pipeline(
+        os.path.join("dist", "multitaint.jar"),
+        "rules.json",
+        os.path.realpath(os.path.dirname(__file__)))
+    assert traces.count_traces() == 2
+    assert traces.trace_exists("java::Main.taint_via_name:()V", 13)
+    assert traces.trace_exists("java::Main.taint_via_value:()V", 20)