How can I cast from Tainted String to Untainted String?
643 views
Skip to first unread message
pedroabs
Oct 26, 2009, 9:28:13 AM10/26/09
to Checker Framework discussion
in the sample code shown in Chapter 8 (Tainting Checkers), I would
like to know how to turn a Tainted String into a Untainted String.
because I would receive a Tainted String and somewhere in my program
should validate to Untainted String
public boolean execute(@Untainted String sql) throws SQLException;
public boolean executeUpdate(@Untainted String sql) throws
SQLException;
Should I make a cast somewhere in my program?
like to know how to turn a Tainted String into a Untainted String.
because I would receive a Tainted String and somewhere in my program
should validate to Untainted String
public boolean execute(@Untainted String sql) throws SQLException;
public boolean executeUpdate(@Untainted String sql) throws
SQLException;
Should I make a cast somewhere in my program?
Michael Ernst
Oct 26, 2009, 9:53:19 AM10/26/09
to checker-fram...@googlegroups.com, pedro...@gmail.com
> in the sample code shown in Chapter 8 (Tainting Checkers), I would
> like to know how to turn a Tainted String into a Untainted String.
>
> like to know how to turn a Tainted String into a Untainted String.
>
> Should I make a cast somewhere in my program?
Yes, as illustrated in section 2.1, you can write a cast:
String myvar = (@Untainted String) expr;
where "expr" has type @Tainted String.
This will result in a compile-time warning or error (depending on how you
have the checker configured). If you are sure the cast is acceptable, you
can suppress the warning:
@SuppressWarnings("tainting")
String myvar = (@Untainted String) expr;
You can also encapsulate this functionality in a method; for instance, the
Nullness Checker has a method called castNonNull. See
http://types.cs.washington.edu/checker-framework/current/doc/checkers/nullness/NullnessUtils.html#castNonNull%28T%29
-Michael Ernst
java.dev...@gmail.com
Dec 19, 2014, 6:16:21 PM12/19/14
to checker-fram...@googlegroups.com, pedro...@gmail.com
Is it possible to write some cleaning functionality that would mark a method as removing a taint (maybe with @Cleansing) ? this could be more in line with the framework and allow for validating the type converstion without the suppression.
Cheers,
javabean.
Op maandag 26 oktober 2009 14:53:19 UTC+1 schreef Michael Ernst:
Cheers,
javabean.
Op maandag 26 oktober 2009 14:53:19 UTC+1 schreef Michael Ernst:
Michael Ernst
Dec 20, 2014, 12:50:49 AM12/20/14
to java development, Checker Framework Discussions, pedroabs
Yes, this is possible.
If the cleansing method returns a value, then you just have to annotate
the return value as non-tainted.
If the cleansing method side-effects or merely checks an existing value
but doesn't return it, then see section 25.5 "Dataflow: enhancing
flow-sensitive type qualifier inference":
http://types.cs.washington.edu/checker-framework/current/checker-framework-manual.html#dataflow
-Mike
> Subject: Re: How can I cast from Tainted String to Untainted String?
> From: java.dev...@gmail.com
> To: checker-fram...@googlegroups.com
> Date: Fri, 19 Dec 2014 15:16:21 -0800 (PST)
> --
>
> ---
> You received this message because you are subscribed to the Google
> Groups "Checker Framework discussion" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to checker-framework-...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
If the cleansing method returns a value, then you just have to annotate
the return value as non-tainted.
If the cleansing method side-effects or merely checks an existing value
but doesn't return it, then see section 25.5 "Dataflow: enhancing
flow-sensitive type qualifier inference":
http://types.cs.washington.edu/checker-framework/current/checker-framework-manual.html#dataflow
-Mike
> Subject: Re: How can I cast from Tainted String to Untainted String?
> From: java.dev...@gmail.com
> To: checker-fram...@googlegroups.com
> Date: Fri, 19 Dec 2014 15:16:21 -0800 (PST)
>
> ---
> You received this message because you are subscribed to the Google
> Groups "Checker Framework discussion" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to checker-framework-...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
java.dev...@gmail.com
Dec 20, 2014, 6:17:57 AM12/20/14
to checker-fram...@googlegroups.com, java.dev...@gmail.com, pedro...@gmail.com
Hi Michael, thanks for your reply.
Is there an example with @tainted and dataflow you mention ? this is pretty dense stuff.
Are there plans for a static security analyzer with the Checkers Framework ?
Kind regards,
javabean.
Op zaterdag 20 december 2014 06:50:49 UTC+1 schreef Michael Ernst:
Is there an example with @tainted and dataflow you mention ? this is pretty dense stuff.
Are there plans for a static security analyzer with the Checkers Framework ?
Kind regards,
javabean.
Op zaterdag 20 december 2014 06:50:49 UTC+1 schreef Michael Ernst:
> an email to checker-framework-discuss+unsub...@googlegroups.com.
Michael Ernst
Dec 20, 2014, 2:25:59 PM12/20/14
to java development, Checker Framework Discussions, pedroabs
> Is there an example with @tainted and dataflow you mention ? this is
> pretty dense stuff.
I don't have the exact thing you want, in part because I'm not sure what
> pretty dense stuff.
you want. You can create it yourself, though. I agree it's not trivial,
but a number of users have successfully followed the instructions in the
manual.
> Are there plans for a static security analyzer with the Checkers
> Framework ?
http://types.cs.washington.edu/checker-framework/current/checker-framework-manual.html#checklt-checker
http://types.cs.washington.edu/checker-framework/current/checker-framework-manual.html#sparta-checker
-Mike
> Subject: Re: How can I cast from Tainted String to Untainted String?
> From: java.dev...@gmail.com
> To: checker-fram...@googlegroups.com
> --
>
> ---
> You received this message because you are subscribed to the Google
> Groups "Checker Framework discussion" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to checker-framework-...@googlegroups.com.
>
> ---
> You received this message because you are subscribed to the Google
> Groups "Checker Framework discussion" group.
> To unsubscribe from this group and stop receiving emails from it, send
Reply all
Reply to author
Forward
0 new messages