Merge pull request #424 from stefanie-koss/fixTaintWrappers

Fix killed taints in taint wrappers

Author: StevenArzt

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/generator/SummaryGenerationTaintWrapper.java

@@ -127,19 +127,23 @@ protected Set<Abstraction> getTaintsForHashCodeEquals(Stmt stmt, Abstraction tai
 			InstanceInvokeExpr iiexpr = (InstanceInvokeExpr) iexpr;
 			AccessPath ap = taintedPath.getAccessPath();
 
+			final Set<Abstraction> taints = new HashSet<Abstraction>();
+
+			// We always keep the incoming taint
+			taints.add(taintedPath);
+
 			// Check for hashCode()
 			if (ref.getName().equals("hashCode") && ref.getParameterTypes().isEmpty()
 					&& ref.getReturnType() instanceof IntType) {
 				if (ap.getPlainValue() == iiexpr.getBase()) {
 					// If the return value is used, we taint it
 					if (stmt instanceof DefinitionStmt) {
 						DefinitionStmt defStmt = (DefinitionStmt) stmt;
-						return Collections.singleton(taintedPath.deriveNewAbstraction(
+						taints.add(taintedPath.deriveNewAbstraction(
 								manager.getAccessPathFactory().createAccessPath(defStmt.getLeftOp(), false), stmt));
 					}
 
-					// The return value is apparently ignored
-					return Collections.emptySet();
+					return taints;
 				}
 			}
 
@@ -150,12 +154,11 @@ protected Set<Abstraction> getTaintsForHashCodeEquals(Stmt stmt, Abstraction tai
 				// If the return value is used, we taint it
 				if (config.getImplicitFlowMode().trackControlFlowDependencies() && stmt instanceof DefinitionStmt) {
 					DefinitionStmt defStmt = (DefinitionStmt) stmt;
-					return Collections.singleton(taintedPath.deriveNewAbstraction(
+					taints.add(taintedPath.deriveNewAbstraction(
 							manager.getAccessPathFactory().createAccessPath(defStmt.getLeftOp(), false), stmt));
 				}
 
-				// The return value is apparently ignored
-				return Collections.emptySet();
+				return taints;
 			}
 		}
 

soot-infoflow/src/soot/jimple/infoflow/taintWrappers/EasyTaintWrapper.java

@@ -186,22 +186,16 @@ public EasyTaintWrapper(EasyTaintWrapper taintWrapper) {
 	@Override
 	public Set<AccessPath> getTaintsForMethodInternal(Stmt stmt, AccessPath taintedPath) {
 		if (!stmt.containsInvokeExpr())
-			return Collections.emptySet();
+			return Collections.singleton(taintedPath);
 
 		final Set<AccessPath> taints = new HashSet<AccessPath>();
 		final SootMethod method = stmt.getInvokeExpr().getMethod();
 
-		// If the callee is a phantom class or has no body, we pass on the taint
-		if (method.isPhantom() || !method.hasActiveBody()) {
-			// Exception: Tainted value is overwritten
-			if (!(!taintedPath.isStaticFieldRef() && stmt instanceof DefinitionStmt
-					&& ((DefinitionStmt) stmt).getLeftOp() == taintedPath.getPlainValue()))
-				taints.add(taintedPath);
-		}
+		// We always keep the incoming taint
+		taints.add(taintedPath);
 
-		// For the moment, we don't implement static taints on wrappers. Pass it
-		// on
-		// not to break anything
+		// For the moment, we don't implement static taints on wrappers. Pass it on not
+		// to break anything
 		if (taintedPath.isStaticFieldRef())
 			return Collections.singleton(taintedPath);
 
@@ -249,9 +243,6 @@ public Set<AccessPath> getTaintsForMethodInternal(Stmt stmt, AccessPath taintedP
 							&& SystemClassHandler.v().isTaintVisible(taintedPath, method))
 						taints.add(manager.getAccessPathFactory().createAccessPath(def.getLeftOp(), true));
 				}
-
-				// If the base object is tainted, we pass this taint on
-				taints.add(taintedPath);
 			}
 		}
 
@@ -289,10 +280,6 @@ public Set<AccessPath> getTaintsForMethodInternal(Stmt stmt, AccessPath taintedP
 				if (stmt.getInvokeExprBox().getValue() instanceof InstanceInvokeExpr)
 					taints.add(manager.getAccessPathFactory().createAccessPath(
 							((InstanceInvokeExpr) stmt.getInvokeExprBox().getValue()).getBase(), true));
-
-				// The originally tainted parameter or base object as such
-				// stays tainted
-				taints.add(taintedPath);
 			}
 		}
 

soot-infoflow/src/soot/jimple/infoflow/taintWrappers/IdentityTaintWrapper.java

@@ -11,6 +11,7 @@
 package soot.jimple.infoflow.taintWrappers;
 
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 
 import soot.SootMethod;
@@ -38,29 +39,38 @@ public Set<AccessPath> getTaintsForMethodInternal(Stmt stmt, AccessPath taintedP
 		if (!stmt.getInvokeExpr().getMethod().getDeclaringClass().isLibraryClass())
 			return null;
 
-		// For the moment, we don't implement static taints on wrappers. Pass it on
-		// not to break anything
+		// For the moment, we don't implement static taints on wrappers. Pass it on not
+		// to break anything
 		if (taintedPath.isStaticFieldRef())
 			return Collections.singleton(taintedPath);
 
+		final Set<AccessPath> taints = new HashSet<AccessPath>();
+
+		// We always keep the incoming taint
+		taints.add(taintedPath);
+
 		if (stmt.getInvokeExpr() instanceof InstanceInvokeExpr) {
 			InstanceInvokeExpr iiExpr = (InstanceInvokeExpr) stmt.getInvokeExpr();
 
 			// If the base object is tainted, the return value is always tainted
 			if (taintedPath.getPlainValue().equals(iiExpr.getBase()))
-				if (stmt instanceof AssignStmt)
-					return Collections.singleton(manager.getAccessPathFactory()
-							.createAccessPath(((AssignStmt) stmt).getLeftOp(), taintedPath.getTaintSubFields()));
+				if (stmt instanceof AssignStmt) {
+					taints.add(manager.getAccessPathFactory().createAccessPath(((AssignStmt) stmt).getLeftOp(),
+							taintedPath.getTaintSubFields()));
+					return taints;
+				}
 		}
 
 		// If one of the parameters is tainted, the return value is tainted, too
 		for (Value param : stmt.getInvokeExpr().getArgs())
 			if (taintedPath.getPlainValue().equals(param))
-				if (stmt instanceof AssignStmt)
-					return Collections.singleton(manager.getAccessPathFactory()
-							.createAccessPath(((AssignStmt) stmt).getLeftOp(), taintedPath.getTaintSubFields()));
+				if (stmt instanceof AssignStmt) {
+					taints.add(manager.getAccessPathFactory().createAccessPath(((AssignStmt) stmt).getLeftOp(),
+							taintedPath.getTaintSubFields()));
+					return taints;
+				}
 
-		return Collections.emptySet();
+		return taints;
 	}
 
 	@Override