import java.util.Formatter;
import java.lang.StringBuilder;
// Taint-tracking test fixture. source() produces the value treated as tainted and
// sink(Object) is an empty method that only serves as the reporting point.
// The trailing "// $ hasTaintFlow" comments appear to be inline expectations for
// the analyzer: the line on which flow from source() to sink() is expected.
// "// $ SPURIOUS: hasTaintFlow" marks a result the analyzer reports that is not a
// real flow (see test3). These annotations are the test oracle; keep them on
// exactly the lines they annotate and do not move or reword them.
class A {
// Returns the constant that the expectations below treat as tainted input.
public static String source() {
return "tainted";
}
// Intentionally empty: the argument is only observed by the analysis, never used.
public static void sink(Object o) { }
// String.formatted / String.format: formatting does not neutralize a tainted
// argument, so the result is expected to be tainted whenever any format argument
// is, including when the tainted value is the last of many varargs. The call with
// only the untainted "good" value carries no expectation.
public static void test1() {
String bad = source();
String good = "hi";
sink(bad.formatted(good)); // $ hasTaintFlow
sink(good.formatted("a", bad, "b", good)); // $ hasTaintFlow
sink(String.format("%s%s", bad, good)); // $ hasTaintFlow
sink(String.format("%s", good));
sink(String.format("%s %s %s %s %s %s %s %s %s %s ", "a", "a", "a", "a", "a", "a", "a", "a", "a", bad)); // $ hasTaintFlow
}
// java.util.Formatter with its default destination: toString() before any
// format() call is expected clean; format() returns the (now tainted) Formatter
// and a later toString() is expected tainted. The Formatter is not closed here,
// which is acceptable for a fixture that does not write to an external resource.
public static void test2() {
String bad = source();
Formatter f = new Formatter();
sink(f.toString());
sink(f.format("%s", bad)); // $ hasTaintFlow
sink(f.toString()); // $ hasTaintFlow
}
// Formatter writing into a caller-supplied StringBuilder: taint is expected to
// reach the builder only after format(). The first sb.toString() is annotated
// SPURIOUS, documenting that the analysis reports a flow there before any
// tainted data has been written — a known over-approximation, not a real flow.
public static void test3() {
String bad = source();
StringBuilder sb = new StringBuilder();
Formatter f = new Formatter(sb);
sink(sb.toString()); // $ SPURIOUS: hasTaintFlow
sink(f.format("%s", bad)); // $ hasTaintFlow
sink(sb.toString()); // $ hasTaintFlow
}
// StringBuilder.append returns the builder itself, so its result is expected
// tainted; a Formatter constructed over that already-tainted builder yields a
// tainted toString() even though the format string and arguments are clean.
public static void test4() {
String bad = source();
StringBuilder sb = new StringBuilder();
sink(sb.append(bad)); // $ hasTaintFlow
sink(new Formatter(sb).format("ok").toString()); // $ hasTaintFlow
}
}