├── .gitignore
├── README.md
├── README
├── image-20201005205535293.png
├── image-20201010164412564.png
├── image-20201010164818964.png
├── image-20201010165207853.png
├── image-20210918173747852.png
└── image-20210918174110849.png
├── pom.xml
├── taint-benchmark-code
├── pom.xml
└── src
│ └── main
│ ├── java
│ └── top
│ │ └── anemone
│ │ └── taintbenchmark
│ │ ├── Main.java
│ │ ├── auxiliary
│ │ ├── BadConstructor.java
│ │ ├── BadContainer.java
│ │ ├── BadPasser.java
│ │ ├── BadSink.java
│ │ ├── BadStaticSink.java
│ │ ├── BadTransformer.java
│ │ ├── CommandEngExecutor.java
│ │ ├── Container.java
│ │ ├── EngExecutor.java
│ │ ├── GoodConstructor.java
│ │ ├── GoodContainer.java
│ │ ├── GoodPasser.java
│ │ ├── GoodSink.java
│ │ ├── GoodTransformer.java
│ │ ├── InputEngExecutor.java
│ │ ├── MyException.java
│ │ ├── Sink.java
│ │ ├── Transformer.java
│ │ └── TransformerFactory.java
│ │ ├── container
│ │ ├── ListBad1.java
│ │ ├── ListBad2.java
│ │ ├── ListGood1.java
│ │ ├── MapBad1.java
│ │ ├── MapBad2.java
│ │ ├── MapBad3.java
│ │ ├── MapBad4.java
│ │ ├── MapGood1.java
│ │ └── MapGood2.java
│ │ ├── contextsensitive
│ │ ├── ContextBad1.java
│ │ ├── ContextBad2.java
│ │ ├── ContextBad3.java
│ │ ├── ContextBad4.java
│ │ ├── ContextBad5.java
│ │ ├── ContextBad6.java
│ │ ├── ContextGood1.java
│ │ ├── ContextGood2.java
│ │ ├── ContextGood3.java
│ │ ├── ContextGood4.java
│ │ ├── ContextGood5.java
│ │ ├── ContextGood6.java
│ │ ├── HeapBad1.java
│ │ └── HeapGood1.java
│ │ ├── convertchannel
│ │ ├── ExceptionBad1.java
│ │ ├── ExceptionBad2.java
│ │ ├── ExceptionBad3.java
│ │ ├── ExceptionGood2.java
│ │ ├── ExceptionGood3.java
│ │ ├── FlowEngineBad1.java
│ │ ├── FlowEngineBad2.java
│ │ ├── FlowEngineBad3.java
│ │ ├── FlowEngineBad4.java
│ │ ├── FlowEngineGood1.java
│ │ ├── FlowEngineGood2.java
│ │ ├── FlowEngineGood4.java
│ │ ├── IfBad1.java
│ │ └── IfGood1.java
│ │ ├── differentscope
│ │ └── thirdpartpkg
│ │ │ ├── CommonPassBad1.java
│ │ │ ├── CommonSinkBad1.java
│ │ │ ├── ExeBad1.java
│ │ │ ├── ExeBad2.java
│ │ │ ├── ExeGood1_1.java
│ │ │ ├── ExeGood1_2.java
│ │ │ └── ExeGood2.java
│ │ ├── fieldsensitive
│ │ ├── FieldBad1.java
│ │ ├── FieldBad2.java
│ │ ├── FieldBad3.java
│ │ ├── FieldBad4.java
│ │ ├── FieldBad5.java
│ │ ├── FieldGood1.java
│ │ ├── FieldGood2.java
│ │ ├── FieldGood3.java
│ │ ├── FieldGood4.java
│ │ ├── InterFieldBad1.java
│ │ └── InterFieldGood1.java
│ │ ├── flowsensitive
│ │ ├── FactoryBad1.java
│ │ ├── FactoryGood1.java
│ │ ├── FlowBad1.java
│ │ ├── FlowBad2_1.java
│ │ ├── FlowBad2_2.java
│ │ ├── FlowBad3.java
│ │ ├── FlowBad4.java
│ │ ├── FlowBad5.java
│ │ ├── FlowBad6.java
│ │ ├── FlowFieldBad4_1.java
│ │ ├── FlowFieldBad4_2.java
│ │ ├── FlowFieldBad5.java
│ │ ├── FlowFieldBad6.java
│ │ ├── FlowFieldBad7.java
│ │ ├── FlowFieldBad8_1.java
│ │ ├── FlowFieldBad8_2.java
│ │ ├── FlowFieldBad9_1.java
│ │ ├── FlowFieldBad9_2.java
│ │ ├── FlowFieldGood4_1.java
│ │ ├── FlowFieldGood4_2.java
│ │ ├── FlowFieldGood5.java
│ │ ├── FlowFieldGood7.java
│ │ ├── FlowGood5.java
│ │ └── FlowGood6.java
│ │ ├── interprocedural
│ │ ├── AbstractBad1.java
│ │ ├── AbstractGood1.java
│ │ ├── ConstructBad1.java
│ │ ├── ConstructGood1.java
│ │ ├── InterfaceBad1.java
│ │ ├── InterfaceBad2.java
│ │ ├── InterfaceBad3.java
│ │ ├── InterfaceGood1.java
│ │ ├── InterfaceGood2.java
│ │ ├── InterfaceGood3.java
│ │ ├── PointerBad1.java
│ │ ├── PointerGood1.java
│ │ ├── PointerGood2.java
│ │ ├── PrivateBad1.java
│ │ ├── PrivateGood1.java
│ │ ├── RecursionBad1.java
│ │ ├── StaticBad1.java
│ │ ├── StaticBad2.java
│ │ └── StaticGood1.java
│ │ ├── intraprocedural
│ │ ├── IntraBad1.java
│ │ ├── IntraBad2.java
│ │ └── IntraGood1.java
│ │ ├── pathsensitive
│ │ ├── BadNumPath1.java
│ │ ├── BadNumPath2.java
│ │ ├── BadStrPath2.java
│ │ ├── GoodNumPath1.java
│ │ ├── GoodNumPath2.java
│ │ └── GoodStrPath2.java
│ │ ├── soundiness
│ │ └── reflect
│ │ │ ├── ReflectBad1.java
│ │ │ ├── ReflectBad2.java
│ │ │ ├── ReflectGood1.java
│ │ │ └── ReflectGood2.java
│ │ ├── thread
│ │ └── ThreadBad1.java
│ │ └── withfrontend
│ │ └── BadBackend.java
│ └── resources
│ └── test.html
└── taint-benchmark-dep
├── pom.xml
└── src
└── main
└── java
└── top
└── anemone
└── taintbenchmarkdep
├── BadExecutor.java
├── ExeAgent1.java
├── ExeAgent2.java
├── Executor.java
├── GoodExecutor1.java
└── GoodExecutor2.java
/.gitignore:
--------------------------------------------------------------------------------
1 | *.iml
2 | *.ipr
3 | *.iws
4 | target/
5 | .idea/
6 | codeqldb/
7 | Fortify*
8 | .project
9 | .classpath
10 | .settings/
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Intro
2 | taintbenchmark用于评估污点分析扫描器引擎的能力。
3 |
4 | 白盒扫描器的普遍使用污点分析技术,那么有两方面影响这扫描器的准确性:扫描器引擎本身(如是否支持准确的过程间分析)和规则完备性(如source、sink配置是否充分);
5 |
6 | 在相同benchmark上使用不同规则比较不同扫描器是无意义的。
7 |
8 | # 辅助类
9 |
10 | ## Transformer
11 |
12 | 
13 |
14 | * [I] Transformer:Transformer接口实现`String transform(String from)`方法;
15 | * [C] GoodTransformer:transform方法返回固定字符串(不传播污点);
16 | * [C] BadTransformer:transform方法返回原字符串(传播污点);
17 | * [C] GoodConstructor:transform方法返回固定字符串,但其属性s保存有污点(不传播污点);
18 | * [C] GoodConstructor:transform方法返回属性s,其属性s保存有污点(传播污点);
19 |
20 | ## Container
21 |
22 | 
23 |
24 | Container包含容器(污染)字段obj和安全字段clean,有setObj()和setSetObj()方法设置obj,有getObjObj(),getObjObjObj()方法获取obj,GoodContainer和BadContainer继承Container,区别在于GoodContainer获取info为安全字段,Bad获取obj。
25 |
26 | ## Passer
27 |
28 | 
29 |
30 | BadPasser和GoodPasser都实现transform方法,区别在于其返回/不返回污点。
31 |
32 | ## Transformer
33 |
34 | 
35 |
36 | * Transformer接口提供transform()方法;
37 | * BadTransformer和GoodTransformer实现该接口,GoodTransformer在方法中清洁污点;
38 | * BadConstructor和GoodConstructor实现该接口,在transform时返回s,GoodConstructor在初始化时清洁s。
39 |
40 | ## Sink
41 |
42 | 
43 |
44 | * Sink 接口提供execute()方法;
45 | * BadSink 实现 SInk, 在execute()中进行命令执行;
46 | * GoodSink 实现 Sink, 在execute()中什么都不做.
47 |
48 | ## EngExecutor
49 |
50 | 
51 |
52 | * EngExecutor 接口提供exec方法, 操作Containter中数据, 实现一个简单的流引擎;
53 | * InputEngExecutor 实现EngExecutor, 将Controller.clean中数据复制给Container.obj;
54 | * CommandEngExecutor 实现EngExecutor, 将Controller.obj中数据作为命令执行.
55 |
56 | # 测试套件
57 |
58 | ## 过程内分析(top.anemone.taintbenchmark.intraprocedural.*)
59 |
60 | (这里只测试最简单的过程内分析,各类敏感情况由其他测试套件测试)
61 |
62 | * IntraBad1:从用户输入读取source,返回到页面上,存在XSS漏洞;
63 | * IntraGood1:从用户输入读取source,随后source被赋值为安全数据,返回到页面上,不存在XSS漏洞;
64 | * IntraBad2:从用户输入读取source,经过append(),replace(),返回到页面上,存在XSS漏洞;
65 |
66 | ## 过程间分析(top.anemone.taintbenchmark.interprocedural.*)
67 |
68 | * PrivateBad1:source通过私有函数bad()函数传递,在sink点调用;
69 | * PrivateGood1:source通过私有函数good()函数清除污点,在sink点调用;
70 | * StaticBad1:source通过静态函数bad()函数传递,在sink点调用;
71 | * StaticGood1:source通过静态函数good()函数清除污点,在sink点调用;
72 | * StaticBad2: source通过静态函数BadStaticSink#execute()函数传递,在sink点调用;
73 | * AbstractBad1/AbstractGood1:初始化BadPasser/GoodPasser传递污点,在sink点调用;
74 | * ConstructBad1/ConstructGood1:初始化BadConstructor/GoodConstructor传递污点,在sink点调用;
75 | * InterfaceBad1/InterfaceGood1:初始化BadTransformer/GoodTransformer传递污点,在sink点调用;
76 | * InterfaceBad2/InterfaceGood2:构造匿名transformer,匿名transformer传递/不传递污点,在sink点调用;
77 | * InterfaceBad3/InterfaceGood3: 初始化 BadSink/GoodSink,实例化的sink决定是否有漏洞;
78 | * PointerBad1:构造Container c且c.obj->"clean",构造Container fakeGood且fakeGood.obj->c,构造Container bad且bad.obj->c,将bad.obj.obj->source,并在sink点取fakeGood.obj.obj;
79 | * PointerGood1:构造Container c且c.obj->source;构造Container good,good.obj->c;构造Container bad,bad.obj->c;将good.obj.obj->"clean",并在sink点取bad.obj.obj;
80 |
81 | ## 域敏感(top.anemone.taintbenchmark.fieldsensitive.*)
82 |
83 | * FieldBad1/FieldGood1:污点和安全数据分别存在container的obj和clean字段(set写入),在sink点取出obj/clean;
84 | * FieldBad2/FieldGood2:污点和安全数据分别存在container的obj和clean字段(构造函数写入),在sink点取出obj/clean;
85 | * FieldBad3/FieldGood3:污点和安全数据分别存在container的obj和clean字段,container位于类的私有变量,在sink点取出obj/clean;
86 |
87 | ## 上下文敏感(top.anemone.taintbenchmark.contextsensitive.*)
88 |
89 | * ContextBad1/ContextGood1:同时初始化BadTransformer和GoodTransformer,并经过`id()`函数返回,在sink点调用`BadTransformer/GoodTransformer.transform(source)`,因此存在/不存在漏洞;
90 | * ContextBad2/ContextGood2:BadTransformer和GoodTransformer 经过Container包装后返回,获取Bad/GoodTransformer的结果,因此存在/不存在漏洞,与ContextBad/Good1不同的是该用例检测1-object sensitive;
91 | * ContextBad3/ContextGood3:类似ContextBad/Good2,与ContextBad2不同是的是setObj()进行了1次封装,用于检测2-CFA;
92 | * ContextBad4/ContextGood4:类似ContextBad/Good2,,与ContextBad2不同是的是setObj()进行了2次封装,用于检测3-CFA;
93 | * ContextBad5/ContextGood5:类似ContextBad/Good2,,与ContextBad2不同是的是getObj()中新建了Container,用于检测2-object sensitive;
94 | * ContextBad6/ContextGood6:类似ContextBad/Good2,,与ContextBad2不同是的是getObjObj()中新建了两次Container,用于检测3-object sensitive;
95 | * HeapBad1/HeapGood1:BadTransformer和GoodTransformer经过newContainer()包装后返回,获取Bad/GoodTransformer的结果,因此存在/不存在漏洞,检测Heap sensitive;
96 |
97 | ## 流敏感(top.anemone.taintbenchmark.flowsensitive.*)
98 |
99 | * FlowBad1:三目操作符,污点有可能传递,因此存在漏洞;
100 | * FlowBad2:if判断,污点有可能传递,因此存在漏洞;
101 | * FlowBad3:while循环,污点传递,因此存在漏洞;
102 | * FlowBad4:for循环,污点传递,因此存在漏洞;
103 | * FlowBad5:source和清洁变量不交换,因此存在漏洞;
104 | * FlowBad6:循环清除污点,但终结时污点传递,因此存在漏洞;
105 | * FlowGood6:循环传递污点,但终结时清楚污点,因此存在漏洞;
106 | * FlowGood5:source和清洁变量交换,因此不存在漏洞;
107 | * FlowFieldBad4_1:source通过构造函数传入container的obj字段,再被sink调用,在调用后被清洁;
108 | * FlowFieldGood4_1:安全数据通过构造函数传入container的obj字段后被set()清除,再被sink调用,在调用后被污染;
109 | * FlowFieldBad4_2:source通过set()传入container的obj字段,再被sink调用,在调用后被清洁;
110 | * FlowFieldGood4_2:安全数据通过set()传入container的obj字段,再被sink调用,在调用后被污染;
111 | * FlowFieldBad5:当 a!=32 时取BadContainer,否则取GoodContainer,再从Container.getInfo()中获取污点/安全数据;
112 | * FlowFieldGood5:当 a==32 时取BadContainer,否则取GoodContainer,再从Container.getInfo()中获取污点/安全数据;
113 | * FlowFieldBad6:`outerContainer->badc; innerContainer->bad;outerContainer.obj->inner`,接着设置inner的obj为source,最后在sink获取badc.obj.obj(source);
114 | * FlowFieldBad7:初始化装载source和安全数据的container,假交换,在sink点获取抓那个在source的container;
115 | * FlowFieldGood7:初始化装载source和安全数据的container,之后交换,在sink点获取安全数据container;
116 | * FactoryBad1: 通过工厂方法获取BadTransformer,传递污点;
117 | * FactoryGood1: 通过工厂方法获取GoodTransformer,不传递污点;
118 |
119 | ## 路径敏感
120 |
121 | * BadNumPath1/GoodNumPath1: 若线性布尔算数表达式(Linear Boolean-Arithmetic Expression)为假则调用sink or 直接返回,注意该表达式永为 false;
122 | * BadNumPath2/GoodNumPath2: 若非线性布尔算数表达式(Non-linear Mixed Boolean-Arithmetic Expressions)为真则调用sink or 直接返回,注意该表达式永为true;
123 | * BadStrPath2/GoodStrPath2: 若字符串布尔表达式为真则调用sink or 直接返回, 注意该表达式永为 true;
124 |
125 | ## 容器类型(top.anemone.taintbenchmark.container.*)
126 |
127 | * ListBad1/ListGood1:污点存储在列表的第0个元素中,sink点取出第0/1个元素,因此存在/不存在漏洞;
128 | * ListBad2: 污点存在列表的第1个元素中, 删除列表第0个元素, 再取第0个元素执行, 因此存在漏洞;
129 | * MapBad1/MapGood1:污点存储在map的"source"键中,sink点取出"source"/"boo"键,因此存在/不存在漏洞;
130 | * MapBad2/MapGood2:污点存储在map的"source"键中,sink点取出"source"/"boo"键,因此存在/不存在漏洞,与MapBad1/MapGood1不同的是"source"键保存在变量中(`String s="source";map.put(s,taint)`);
131 | * MapBad3: 污点首先存储在map, 再将map存储到map1中, 在sink点取出map1中污点, 因此存在漏洞;
132 | * MapBad4: 污点首先存在map, 再用遍历的方式将其存储在map1中, 在sink点取出map1中污点, 因此存在漏洞;
133 |
134 | ## 隐藏信道(top.anemone.taintbenchmark.convertchannel.*)
135 |
136 | * ExceptionBad1:返回异常信息,由于异常信息中存在用户可控内容,因此存在漏洞;
137 | * ExceptionBad2/ExceptionGood2:返回自定义异常信息,由于异常信息中存在用户可控内容,因此存在漏洞;
138 | * ExceptionBad3:在catch处命中sink点,存在漏洞;
139 | * ExceptionGood3:在finally处清洁污点,不存在漏洞;
140 | * IfBad1/IfGood1:在if判断时对比输入是/否为"helloworld",若是/否,将其赋值为"helloworld",若能被成功赋值则不含漏洞;
141 | * FlowEngineBad1: 先用InputEngExecutor将污点从container.clean移动到container.obj, 在用CommandEngExecutor执行container.obj;
142 | * FlowEngineBad2: 与FlowEngineBad1类似, 但使用数组和循环实现两个EngExecutor的调用逻辑;
143 | * FlowEngineBad3: 与FlowEngineBad1类似, 但使用Map和数组实现两个EngExecutor的调用逻辑;
144 | * FlowEngineBad4: 与FlowEngineBad1类似, 但使用数组和if条件实现两个EngExecutor的调用逻辑;
145 | * FlowEngineGood1: 与FlowEngineBad1类似, 但先调用CommandEngExecutor, 故没有漏洞;
146 | * FlowEngineGood2: 与FlowEngineBad2 类似, 但先调用CommandEngExecutor, 故没有漏洞;
147 | * FlowEngineGood4: 与 FlowEngineBad4 类似, 但先调用CommandEngExecutor, 故没有漏洞;
148 |
149 | ## Soundiness
150 | ### Reflect(top.anemone.taintbenchmark.soundiness.reflect.*)
151 | * ReflectBad1/ReflectGood1:构造BadTransformer/GoodTransformer,使用反射调用其transform方法,传入sink;
152 | * ReflectBad2/ReflectGood2:反射获取BadTransformer/GoodTransformer,使用反射调用其transform方法,传入sink;
153 |
154 | ## 跨应用(top.anemone.taintbenchmark.differentscope.thirdpartpkg.*)
155 | * CommonPassBad1:污点通过org.apache.commons.exec.util.StringUtils#fixFileSeparatorChar()传递至sink;
156 | * CommonSinkBad1:污点通过org.apache.commons.exec.DefaultExecutor#execute(org.apache.commons.exec.CommandLine)执行;
157 | * ExeBad1:构造BadExecutor(Executor在另一模块中),污点传入BadExecutor后传入Runtime.exec();
158 | * ExeGood1_1:构造GoodExecutor1,污点传入GoodExecutor1后在exe()中净化,不会传入Runtime.exec();
159 | * ExeGood1_2:构造GoodExecutor2,污点传入GoodExecutor2后在getcmd()中被净化;
160 | * ExeBad2/ExeGood2:构造GoodExecutor2/GoodExecutor1为executor,构造ExeAgent2,将executor和污点传入Agent,Agent调用executor.exe(),造成/不造成漏洞;
161 |
162 | ## 多线程
163 | * ThreadBad1:存在两个线程ContentWriter和RespWriter,污点通过ContentWriter写入cache,再由RespWriter调用sink;
164 |
165 | # Source & Sink
166 |
167 | 本benchmark只会出现以下source&sink点:
168 | ## Source
169 | * javax.servlet.ServletRequest#getParameter
170 | ## Sink
171 | * org.apache.commons.exec.launcher.CommandLauncher#exec(org.apache.commons.exec.CommandLine, java.util.Map, java.io.File)
172 | * java.lang.Runtime#exec(java.lang.String)
173 |
174 | # TODO
175 |
176 | 吸收DroidBench中Reflect和General Java部分
177 |
178 | # Limitation
179 |
180 | * 无法测试大规模程序
181 | * 一些扫描器对函数调用深度、域敏感、上下文敏感深度有限制,本benchmark无法测试
182 | * 对于大规模程序扫描时长本benchmark无法测试
183 |
184 | # 相似项目
185 |
186 | * https://github.com/secure-software-engineering/DroidBench: Android benchmark,本项目吸收了其中很多case,然而该项目是针对Android,有很多Android特性,相比而言本项目面向web,代码更加简单,在测试扫描器时建议结合droidbench(尤其是general java部分)。
--------------------------------------------------------------------------------
/README/image-20201005205535293.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Anemone95/taint-benchmark/ba5f21ff08dd9a259a20c9e537aada33bed89902/README/image-20201005205535293.png
--------------------------------------------------------------------------------
/README/image-20201010164412564.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Anemone95/taint-benchmark/ba5f21ff08dd9a259a20c9e537aada33bed89902/README/image-20201010164412564.png
--------------------------------------------------------------------------------
/README/image-20201010164818964.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Anemone95/taint-benchmark/ba5f21ff08dd9a259a20c9e537aada33bed89902/README/image-20201010164818964.png
--------------------------------------------------------------------------------
/README/image-20201010165207853.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Anemone95/taint-benchmark/ba5f21ff08dd9a259a20c9e537aada33bed89902/README/image-20201010165207853.png
--------------------------------------------------------------------------------
/README/image-20210918173747852.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Anemone95/taint-benchmark/ba5f21ff08dd9a259a20c9e537aada33bed89902/README/image-20210918173747852.png
--------------------------------------------------------------------------------
/README/image-20210918174110849.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Anemone95/taint-benchmark/ba5f21ff08dd9a259a20c9e537aada33bed89902/README/image-20210918174110849.png
--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 | 4.0.0
6 |
7 | top.anemone
8 | taint-benchmark
9 | pom
10 | 1.0-SNAPSHOT
11 |
12 | 8.5.23
13 |
14 |
15 |
16 | org.apache.tomcat.embed
17 | tomcat-embed-core
18 | ${tomcat.version}
19 |
20 |
21 | org.apache.tomcat.embed
22 | tomcat-embed-jasper
23 | ${tomcat.version}
24 |
25 |
26 | org.apache.tomcat
27 | tomcat-jasper
28 | ${tomcat.version}
29 |
30 |
31 | org.apache.tomcat
32 | tomcat-jasper-el
33 | ${tomcat.version}
34 |
35 |
36 | org.apache.tomcat
37 | tomcat-jsp-api
38 | ${tomcat.version}
39 |
40 |
41 |
42 | embeddedTomcatSample
43 |
44 |
45 | org.codehaus.mojo
46 | appassembler-maven-plugin
47 | 2.0.0
48 |
49 | target
50 |
51 |
52 | launch.Main
53 | webapp
54 |
55 |
56 |
57 |
58 |
59 | package
60 |
61 | assemble
62 |
63 |
64 |
65 |
66 |
67 | org.apache.maven.plugins
68 | maven-compiler-plugin
69 |
70 | 8
71 | 8
72 | UTF-8
73 |
74 |
75 |
76 |
77 |
78 | taint-benchmark-dep
79 | taint-benchmark-code
80 |
81 |
82 |
83 |
84 |
--------------------------------------------------------------------------------
/taint-benchmark-code/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 | taint-benchmark
7 | top.anemone
8 | 1.0-SNAPSHOT
9 |
10 | 4.0.0
11 |
12 | taint-benchmark-code
13 |
14 |
15 |
16 | org.reflections
17 | reflections
18 | 0.9.11
19 |
20 |
21 | javax.servlet
22 | javax.servlet-api
23 | 4.0.1
24 |
25 |
26 | org.apache.commons
27 | commons-exec
28 | 1.3
29 |
30 |
31 | top.anemone
32 | taint-benchmark-dep
33 | ${parent.version}
34 |
35 |
36 |
37 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/Main.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark;
2 |
3 | import org.apache.catalina.LifecycleException;
4 | import org.apache.catalina.WebResourceRoot;
5 | import org.apache.catalina.Wrapper;
6 | import org.apache.catalina.core.StandardContext;
7 | import org.apache.catalina.servlets.DefaultServlet;
8 | import org.apache.catalina.startup.Tomcat;
9 | import org.apache.catalina.webresources.DirResourceSet;
10 | import org.apache.catalina.webresources.StandardRoot;
11 | import org.reflections.Reflections;
12 | import top.anemone.taintbenchmark.auxiliary.Container;
13 |
14 | import javax.annotation.Resource;
15 | import javax.servlet.annotation.WebServlet;
16 | import javax.servlet.http.HttpServlet;
17 | import javax.servlet.http.HttpServletRequest;
18 | import javax.servlet.http.HttpServletResponse;
19 | import java.io.File;
20 | import java.io.IOException;
21 | import java.util.Set;
22 |
23 |
24 | public class Main extends HttpServlet {
25 |
26 | @Override
27 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
28 | response.setContentType("text/html;");
29 | response.getWriter().write("index");
30 | }
31 |
32 | public static void main(String[] args) throws Exception {
33 |
34 | Tomcat tomcat = new Tomcat();
35 | // 设置主机名称
36 | tomcat.setHostname("localhost");
37 | tomcat.setPort(8080);
38 | tomcat.setBaseDir(System.getProperty("user.dir"));
39 | StandardContext context = new StandardContext();
40 | // 设置资源路径
41 | context.setDocBase(System.getProperty("user.dir") + "/taint-benchmark-code/src/main/resources".replace("/", "\\"));
42 | // 设置应用路径
43 | context.setPath("/");
44 | context.addLifecycleListener(new Tomcat.FixContextListener());
45 | // 将context加入tomcat
46 | tomcat.getHost().addChild(context);
47 | Wrapper testServlet = context.createWrapper();
48 | testServlet.setName("DefaultServlet");
49 | testServlet.setServletClass(DefaultServlet.class.getCanonicalName());
50 | testServlet.addInitParameter("fork", "false");
51 | testServlet.addInitParameter("listings", "true");
52 | context.addChild(testServlet);
53 | context.addServletMapping("/", "DefaultServlet");
54 |
55 |
56 | Reflections reflections = new Reflections("top.anemone.taintbenchmark");
57 | //获取带Handler注解的类
58 | Set> classList = reflections.getTypesAnnotatedWith(javax.servlet.annotation.WebServlet.class);
59 |
60 | for (Class clazz : classList) {
61 | WebServlet declaredAnnotation = clazz.getDeclaredAnnotation(WebServlet.class);
62 |
63 | // 在context中创建表示servlet的Wrapper并返回
64 | Wrapper testServlet1 = context.createWrapper();
65 | testServlet1.setName(clazz.getSimpleName());
66 | testServlet1.setServletClass(clazz.getCanonicalName());
67 | testServlet1.addInitParameter("fork", "false");
68 | context.addChild(testServlet1);
69 | context.addServletMapping(declaredAnnotation.value()[0], clazz.getSimpleName());
70 | }
71 |
72 |
73 | try {
74 | // 启动tomcat
75 | tomcat.start();
76 | } catch (LifecycleException e) {
77 | e.printStackTrace();
78 | }
79 | // 等待请求
80 | tomcat.getServer().await();
81 | }
82 | }
83 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/BadConstructor.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | public class BadConstructor implements Transformer{
4 | private String s;
5 | public BadConstructor(String s){
6 | this.s=s;
7 | }
8 |
9 | public String transform(String from) {
10 | return s;
11 | }
12 | }
13 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/BadContainer.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | public class BadContainer extends Container {
4 |
5 | public T getInfo() {
6 | return super.getObj();
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/BadPasser.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | public class BadPasser {
4 | public String transform(String from){
5 | return from;
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/BadSink.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | import java.io.IOException;
4 |
5 | /**
6 | * @author anemone(anemone95@qq.com)
7 | * @date 2021/8/25 16:14
8 | */
9 | public class BadSink implements Sink {
10 |
11 | @Override
12 | public void execute(String cmd) throws IOException {
13 | Runtime.getRuntime().exec(cmd);
14 | }
15 | }
16 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/BadStaticSink.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | import java.io.IOException;
4 |
5 | /**
6 | * @author anemone(anemone95@qq.com)
7 | * @date 2021/8/25 16:31
8 | */
9 | public class BadStaticSink {
10 | public static void execute(String cmd) throws IOException {
11 | Runtime.getRuntime().exec(cmd);
12 | }
13 | }
14 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/BadTransformer.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | public class BadTransformer implements Transformer {
4 | public String transform(String from) {
5 | return from;
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/CommandEngExecutor.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | import java.io.IOException;
4 |
5 | /**
6 | * @author anemone(anemone95@qq.com)
7 | * @date 2021/8/30 15:51
8 | */
9 | public class CommandEngExecutor implements EngExecutor {
10 |
11 | @Override
12 | public void exec(Container container) throws IOException {
13 | Runtime.getRuntime().exec(container.obj);
14 | }
15 | }
16 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/Container.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | public class Container {
4 | public T clean;
5 | public T obj;
6 |
7 |
8 | public Container(T obj, T clean) {
9 | this.obj = obj;
10 | this.clean = clean;
11 | }
12 |
13 | public Container() {
14 | }
15 |
16 | public T getObj() {
17 | return obj;
18 | }
19 |
20 | public void setSetSetObj(T obj) {
21 | setSetObj(obj);
22 | }
23 |
24 | public void setSetObj(T obj) {
25 | setObj(obj);
26 | }
27 |
28 | public void setObj(T obj) {
29 | this.obj = obj;
30 | }
31 |
32 | public T getClean() {
33 | return clean;
34 | }
35 |
36 | public void setClean(T clean) {
37 | this.clean = clean;
38 | }
39 |
40 | public T getInfo() {
41 | return this.obj;
42 | }
43 |
44 |
45 | public T getObjObj(T t) {
46 | Container c1 = new Container<>();
47 | c1.setObj(t);
48 | return c1.getObj();
49 | }
50 |
51 | public T getObjObjObj(T t) {
52 | Container c1 = new Container<>();
53 | Container> c2 = new Container<>();
54 | c1.setObj(t);
55 | c2.setObj(c1);
56 | return c2.getObj().getObj();
57 | }
58 |
59 | }
60 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/EngExecutor.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | import java.io.IOException;
4 |
5 | /**
6 | * @author anemone(anemone95@qq.com)
7 | * @date 2021/8/30 15:51
8 | */
9 | public interface EngExecutor {
10 | void exec(Container container) throws IOException;
11 | }
12 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/GoodConstructor.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | public class GoodConstructor implements Transformer{
4 | private String s;
5 | public GoodConstructor(String s){
6 | this.s="good";
7 | }
8 |
9 | public String transform(String from) {
10 | return s;
11 | }
12 | }
13 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/GoodContainer.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | public class GoodContainer extends Container {
4 |
5 | public T getInfo() {
6 | return super.getClean();
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/GoodPasser.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | public class GoodPasser extends BadPasser {
4 | public String transform(String from){
5 | return "good";
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/GoodSink.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | import java.io.IOException;
4 |
5 | /**
6 | * @author anemone(anemone95@qq.com)
7 | * @date 2021/8/25 16:14
8 | */
9 | public class GoodSink implements Sink {
10 |
11 | @Override
12 | public void execute(String cmd) throws IOException {
13 | System.out.println(cmd);
14 | }
15 | }
16 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/GoodTransformer.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | public class GoodTransformer implements Transformer{
4 | public String transform(String from) {
5 | return "clean";
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/InputEngExecutor.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.EngExecutor;
4 |
5 | import java.io.IOException;
6 |
7 | /**
8 | * @author anemone(anemone95@qq.com)
9 | * @date 2021/8/30 15:51
10 | */
11 | public class InputEngExecutor implements EngExecutor {
12 |
13 | @Override
14 | public void exec(Container container) throws IOException {
15 | container.obj=container.clean;
16 | }
17 | }
18 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/MyException.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | public class MyException extends Exception {
4 | private String s;
5 | public MyException(String s){
6 | this.s=s;
7 | }
8 |
9 | @Override
10 | public String toString() {
11 | return s;
12 | }
13 | }
14 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/Sink.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | import java.io.IOException;
4 |
5 | /**
6 | * @author anemone(anemone95@qq.com)
7 | * @date 2021/8/25 16:14
8 | */
9 | public interface Sink {
10 | void execute(String cmd) throws IOException;
11 | }
12 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/Transformer.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | public interface Transformer {
4 | String transform(String from);
5 | }
6 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/auxiliary/TransformerFactory.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.auxiliary;
2 |
3 | public class TransformerFactory {
4 | public static Transformer getTransformer(String type){
5 | if (type.equals("bad")){
6 | return new BadTransformer();
7 | } else {
8 | return new GoodTransformer();
9 | }
10 | }
11 | }
12 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/container/ListBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.container;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 | import java.util.LinkedList;
11 | import java.util.List;
12 |
13 | /**
14 | * 污点存储在列表的第0个元素中,sink点取出第0个元素,因此存在漏洞
15 | */
16 | @WebServlet("/container/ListBad1")
17 | public class ListBad1 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 | List list=new LinkedList<>();
25 | list.add(source);
26 | list.add("nonce");
27 | Runtime.getRuntime().exec(list.get(0));
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/container/ListBad2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.container;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.util.LinkedList;
10 | import java.util.List;
11 |
12 | /**
13 | * 污点存储在列表的第0个元素中,sink点取出第0个元素,因此存在漏洞
14 | */
15 | @WebServlet("/container/ListBad1")
16 | public class ListBad2 extends HttpServlet {
17 |
18 | private static final long serialVersionUID = 1L;
19 |
20 | @Override
21 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
22 | String source = request.getParameter("source");
23 | List list=new LinkedList<>();
24 | list.add("nonce");
25 | list.add(source);
26 | list.remove(0);
27 | Runtime.getRuntime().exec(list.get(0));
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/container/ListGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.container;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 | import java.util.LinkedList;
11 | import java.util.List;
12 |
13 | /**
14 | * 污点存储在列表的第0个元素中,sink点取出第1个元素,因此不存在漏洞
15 | */
16 | @WebServlet("/container/ListGood1")
17 | public class ListGood1 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 | List list=new LinkedList<>();
25 | list.add(source);
26 | list.add("nonce");
27 | Runtime.getRuntime().exec(list.get(1));
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/container/MapBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.container;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 | import java.util.HashMap;
11 | import java.util.Map;
12 |
13 | @WebServlet("/container/MapBad1")
14 | public class MapBad1 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | @Override
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source = request.getParameter("source");
21 | Map map=new HashMap<>();
22 | map.put("source",source);
23 | map.put("boo","bar");
24 | Runtime.getRuntime().exec(map.get("source"));
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/container/MapBad2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.container;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 | import java.util.HashMap;
11 | import java.util.Map;
12 |
13 | @WebServlet("/container/MapBad2")
14 | public class MapBad2 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | @Override
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source = request.getParameter("source");
21 | Map map=new HashMap<>();
22 | String s="source";
23 | map.put(s,source);
24 | map.put("boo","bar");
25 | Runtime.getRuntime().exec(map.get(s));
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/container/MapBad3.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.container;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.util.HashMap;
10 | import java.util.Map;
11 |
12 | @WebServlet("/container/MapBad1")
13 | public class MapBad3 extends HttpServlet {
14 |
15 | private static final long serialVersionUID = 1L;
16 |
17 | @Override
18 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
19 | String source = request.getParameter("source");
20 | Map map=new HashMap<>();
21 | map.put("source",source);
22 | map.put("boo","bar");
23 | Map map1=new HashMap<>();
24 | map1.putAll(map);
25 | Runtime.getRuntime().exec(map1.get("source"));
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/container/MapBad4.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.container;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.util.HashMap;
10 | import java.util.Map;
11 |
12 | @WebServlet("/container/MapBad1")
13 | public class MapBad4 extends HttpServlet {
14 |
15 | private static final long serialVersionUID = 1L;
16 |
17 | @Override
18 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
19 | String source = request.getParameter("source");
20 | Map map=new HashMap<>();
21 | map.put("source",source);
22 | map.put("boo","bar");
23 | Map map1=new HashMap<>();
24 | for (String key: map.keySet()){
25 | map1.put(key, map.get(key));
26 | }
27 | Runtime.getRuntime().exec(map1.get("source"));
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/container/MapGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.container;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 | import java.util.HashMap;
11 | import java.util.Map;
12 |
13 | @WebServlet("/container/MapGood1")
14 | public class MapGood1 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | @Override
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source = request.getParameter("source");
21 | Map map=new HashMap<>();
22 | map.put("source",source);
23 | map.put("boo","bar");
24 | Runtime.getRuntime().exec(map.get("boo"));
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/container/MapGood2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.container;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 | import java.util.HashMap;
11 | import java.util.Map;
12 |
13 | @WebServlet("/container/MapGood2")
14 | public class MapGood2 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | @Override
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source = request.getParameter("source");
21 | Map map=new HashMap<>();
22 | String s="source";
23 | map.put(s,source);
24 | map.put("boo","bar");
25 | String k="source";
26 | Runtime.getRuntime().exec(map.get(k));
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/contextsensitive/ContextBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.contextsensitive;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.BadTransformer;
4 | import top.anemone.taintbenchmark.auxiliary.GoodTransformer;
5 | import top.anemone.taintbenchmark.auxiliary.Transformer;
6 |
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 | import java.io.PrintWriter;
13 |
14 | @WebServlet("/ContextSensitive/ContextBad1")
15 | public class ContextBad1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 | Transformer bt = new BadTransformer();
23 | Transformer gt = new GoodTransformer();
24 | Transformer pbt = id(bt);
25 | Transformer pgt = id(gt);
26 |
27 | Runtime.getRuntime().exec(pbt.transform(source)); // 获取bad transformer
28 | }
29 |
30 | /**
31 | * @param n=pbt,pgt
32 | * @return
33 | */
34 | public Transformer id(Transformer n) {
35 | return n;
36 | }
37 | }
38 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/contextsensitive/ContextBad2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.contextsensitive;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.*;
4 |
5 | import javax.servlet.annotation.WebServlet;
6 | import javax.servlet.http.HttpServlet;
7 | import javax.servlet.http.HttpServletRequest;
8 | import javax.servlet.http.HttpServletResponse;
9 | import java.io.IOException;
10 | import java.io.PrintWriter;
11 |
12 | @WebServlet("/ContextSensitive/ContextBad2")
13 | @SuppressWarnings("Duplicates")
14 | public class ContextBad2 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | @Override
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source = request.getParameter("source");
21 |
22 | Transformer bt=new BadTransformer();
23 | Transformer gt=new GoodTransformer();
24 | Container cbt=new Container<>();
25 | cbt.setObj(bt);
26 | Container cgt=new Container<>();
27 | cgt.setObj(gt);
28 |
29 |
30 | Runtime.getRuntime().exec(cbt.getObj().transform(source)); // 获取bad transformer
31 | }
32 |
33 | }
34 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/contextsensitive/ContextBad3.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.contextsensitive;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.BadTransformer;
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 | import top.anemone.taintbenchmark.auxiliary.GoodTransformer;
6 | import top.anemone.taintbenchmark.auxiliary.Transformer;
7 |
8 | import javax.servlet.annotation.WebServlet;
9 | import javax.servlet.http.HttpServlet;
10 | import javax.servlet.http.HttpServletRequest;
11 | import javax.servlet.http.HttpServletResponse;
12 | import java.io.IOException;
13 | import java.io.PrintWriter;
14 |
15 | @WebServlet("/ContextSensitive/ContextBad3")
16 | @SuppressWarnings("Duplicates")
17 | public class ContextBad3 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | Transformer bt=new BadTransformer();
26 | Transformer gt=new GoodTransformer();
27 | Container cbt=new Container<>();
28 | cbt.setSetObj(bt);
29 | Container cgt=new Container<>();
30 | cgt.setSetObj(gt);
31 |
32 |
33 | Runtime.getRuntime().exec(cbt.getObj().transform(source)); // 获取bad transformer
34 | }
35 |
36 | }
37 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/contextsensitive/ContextBad4.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.contextsensitive;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.*;
4 |
5 | import javax.servlet.annotation.WebServlet;
6 | import javax.servlet.http.HttpServlet;
7 | import javax.servlet.http.HttpServletRequest;
8 | import javax.servlet.http.HttpServletResponse;
9 | import java.io.IOException;
10 | import java.io.PrintWriter;
11 |
12 | @WebServlet("/ContextSensitive/ContextBad4")
13 | @SuppressWarnings("Duplicates")
14 | public class ContextBad4 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | @Override
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source = request.getParameter("source");
21 |
22 | Transformer bt=new BadTransformer();
23 | Transformer gt=new GoodTransformer();
24 | Container cbt=new Container<>();
25 | cbt.setSetSetObj(bt);
26 | Container cgt=new Container<>();
27 | cgt.setSetSetObj(gt);
28 |
29 |
30 | Runtime.getRuntime().exec(cbt.getObj().transform(source)); // 获取bad transformer
31 | }
32 |
33 | }
34 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/contextsensitive/ContextBad5.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.contextsensitive;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.BadTransformer;
4 | import top.anemone.taintbenchmark.auxiliary.GoodTransformer;
5 | import top.anemone.taintbenchmark.auxiliary.Transformer;
6 | import top.anemone.taintbenchmark.auxiliary.*;
7 |
8 | import javax.servlet.annotation.WebServlet;
9 | import javax.servlet.http.HttpServlet;
10 | import javax.servlet.http.HttpServletRequest;
11 | import javax.servlet.http.HttpServletResponse;
12 | import java.io.IOException;
13 | import java.io.PrintWriter;
14 |
15 | @WebServlet("/ContextSensitive/ContextBad5")
16 | @SuppressWarnings("Duplicates")
17 | public class ContextBad5 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | Transformer bt=new BadTransformer();
26 | Transformer gt=new GoodTransformer();
27 | Container cbt=new Container<>();
28 | Container cgt=new Container<>();
29 |
30 |
31 | Runtime.getRuntime().exec(cbt.getObjObj(bt).transform(source)); // 获取bad transformer
32 | }
33 |
34 | }
35 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/contextsensitive/ContextBad6.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.contextsensitive;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.BadTransformer;
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 | import top.anemone.taintbenchmark.auxiliary.GoodTransformer;
6 | import top.anemone.taintbenchmark.auxiliary.Transformer;
7 |
8 | import javax.servlet.annotation.WebServlet;
9 | import javax.servlet.http.HttpServlet;
10 | import javax.servlet.http.HttpServletRequest;
11 | import javax.servlet.http.HttpServletResponse;
12 | import java.io.IOException;
13 | import java.io.PrintWriter;
14 |
15 | @WebServlet("/ContextSensitive/ContextBad6")
16 | @SuppressWarnings("Duplicates")
17 | public class ContextBad6 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | Transformer bt=new BadTransformer();
26 | Transformer gt=new GoodTransformer();
27 | Container cbt=new Container<>();
28 | Container cgt=new Container<>();
29 |
30 |
31 | Runtime.getRuntime().exec(cbt.getObjObjObj(bt).transform(source)); // 获取bad transformer
32 | }
33 |
34 | }
35 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/contextsensitive/ContextGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.contextsensitive;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.BadTransformer;
4 | import top.anemone.taintbenchmark.auxiliary.GoodTransformer;
5 | import top.anemone.taintbenchmark.auxiliary.Transformer;
6 |
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 | import java.io.PrintWriter;
13 |
14 | @WebServlet("/ContextSensitive/ContextGood1")
15 | public class ContextGood1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 |
23 |
24 | Transformer bt = new BadTransformer();
25 | Transformer gt = new GoodTransformer();
26 | Transformer pbt = id(bt);
27 | Transformer pgt = id(gt);
28 |
29 |
30 | Runtime.getRuntime().exec(pgt.transform(source)); // 获取good transformer
31 | }
32 |
33 | /**
34 | * @param n=pbt,pgt
35 | * @return
36 | */
37 | public Transformer id(Transformer n) {
38 | return n;
39 | }
40 | }
41 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/contextsensitive/ContextGood2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.contextsensitive;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.*;
4 |
5 | import javax.servlet.annotation.WebServlet;
6 | import javax.servlet.http.HttpServlet;
7 | import javax.servlet.http.HttpServletRequest;
8 | import javax.servlet.http.HttpServletResponse;
9 | import java.io.IOException;
10 | import java.io.PrintWriter;
11 |
12 | @WebServlet("/ContextSensitive/ContextGood2")
13 | @SuppressWarnings("Duplicates")
14 | public class ContextGood2 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | /**
19 | * 误报说明上下文非敏感
20 | * @param request
21 | * @param response
22 | * @throws IOException
23 | */
24 | @Override
25 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
26 | String source = request.getParameter("source");
27 |
28 | Transformer bt=new BadTransformer();
29 | Transformer gt=new GoodTransformer();
30 |
31 | Container cbt=new Container<>();
32 | cbt.setObj(bt);
33 | Container cgt=new Container<>();
34 | cgt.setObj(gt);
35 |
36 |
37 | Runtime.getRuntime().exec(cgt.getObj().transform(source)); // 获取good transformer
38 | }
39 |
40 | }
41 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/contextsensitive/ContextGood3.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.contextsensitive;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.BadTransformer;
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 | import top.anemone.taintbenchmark.auxiliary.GoodTransformer;
6 | import top.anemone.taintbenchmark.auxiliary.Transformer;
7 |
8 | import javax.servlet.annotation.WebServlet;
9 | import javax.servlet.http.HttpServlet;
10 | import javax.servlet.http.HttpServletRequest;
11 | import javax.servlet.http.HttpServletResponse;
12 | import java.io.IOException;
13 | import java.io.PrintWriter;
14 |
15 | @WebServlet("/ContextSensitive/ContextGood3")
16 | @SuppressWarnings("Duplicates")
17 | public class ContextGood3 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | Transformer bt=new BadTransformer();
26 | Transformer gt=new GoodTransformer();
27 | Container cbt=new Container<>();
28 | cbt.setSetObj(bt);
29 | Container cgt=new Container<>();
30 | cgt.setSetObj(gt);
31 |
32 |
33 | Runtime.getRuntime().exec(cgt.getObj().transform(source)); // 获取good transformer
34 | }
35 |
36 | }
37 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/contextsensitive/ContextGood4.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.contextsensitive;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.BadTransformer;
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 | import top.anemone.taintbenchmark.auxiliary.GoodTransformer;
6 | import top.anemone.taintbenchmark.auxiliary.Transformer;
7 |
8 | import javax.servlet.annotation.WebServlet;
9 | import javax.servlet.http.HttpServlet;
10 | import javax.servlet.http.HttpServletRequest;
11 | import javax.servlet.http.HttpServletResponse;
12 | import java.io.IOException;
13 | import java.io.PrintWriter;
14 |
15 | @WebServlet("/ContextSensitive/ContextGood4")
16 | @SuppressWarnings("Duplicates")
17 | public class ContextGood4 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | Transformer bt=new BadTransformer();
26 | Transformer gt=new GoodTransformer();
27 | Container cbt=new Container<>();
28 | cbt.setSetSetObj(bt);
29 | Container cgt=new Container<>();
30 | cgt.setSetSetObj(gt);
31 |
32 |
33 | Runtime.getRuntime().exec(cgt.getObj().transform(source)); // 获取good transformer
34 | }
35 |
36 | }
37 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/contextsensitive/ContextGood5.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.contextsensitive;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.*;
4 |
5 | import javax.servlet.annotation.WebServlet;
6 | import javax.servlet.http.HttpServlet;
7 | import javax.servlet.http.HttpServletRequest;
8 | import javax.servlet.http.HttpServletResponse;
9 | import java.io.IOException;
10 | import java.io.PrintWriter;
11 |
12 | @WebServlet("/ContextSensitive/ContextGood5")
13 | @SuppressWarnings("Duplicates")
14 | public class ContextGood5 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | /**
19 | * 误报说明1-callsite
20 | * @param request
21 | * @param response
22 | * @throws IOException
23 | */
24 | @Override
25 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
26 | String source = request.getParameter("source");
27 |
28 | Transformer bt=new BadTransformer();
29 | Transformer gt=new GoodTransformer();
30 | Container cbt=new Container<>();
31 | Container cgt=new Container<>();
32 |
33 |
34 | Runtime.getRuntime().exec(cgt.getObjObj(gt).transform(source)); // 获取good transformer
35 | }
36 |
37 | }
38 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/contextsensitive/ContextGood6.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.contextsensitive;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.BadTransformer;
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 | import top.anemone.taintbenchmark.auxiliary.GoodTransformer;
6 | import top.anemone.taintbenchmark.auxiliary.Transformer;
7 |
8 | import javax.servlet.annotation.WebServlet;
9 | import javax.servlet.http.HttpServlet;
10 | import javax.servlet.http.HttpServletRequest;
11 | import javax.servlet.http.HttpServletResponse;
12 | import java.io.IOException;
13 | import java.io.PrintWriter;
14 |
15 | @WebServlet("/ContextSensitive/ContextGood6")
16 | @SuppressWarnings("Duplicates")
17 | public class ContextGood6 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | /**
22 | * 误报说明1-callsite
23 | * @param request
24 | * @param response
25 | * @throws IOException
26 | */
27 | @Override
28 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
29 | String source = request.getParameter("source");
30 |
31 | Transformer bt=new BadTransformer();
32 | Transformer gt=new GoodTransformer();
33 | Container cbt=new Container<>();
34 | Container cgt=new Container<>();
35 |
36 |
37 | Runtime.getRuntime().exec(cgt.getObjObjObj(gt).transform(source)); // 获取good transformer
38 | }
39 |
40 | }
41 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/contextsensitive/HeapBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.contextsensitive;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.Container;
4 |
5 | import javax.servlet.annotation.WebServlet;
6 | import javax.servlet.http.HttpServlet;
7 | import javax.servlet.http.HttpServletRequest;
8 | import javax.servlet.http.HttpServletResponse;
9 | import java.io.IOException;
10 | import java.io.PrintWriter;
11 |
12 | @WebServlet("/ContextSensitive/HeapBad1")
13 | @SuppressWarnings("Duplicates")
14 | public class HeapBad1 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | @Override
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source = request.getParameter("source");
21 | String clean = new String("clean");
22 | Container bad=newContainer(source);
23 | Container good=newContainer(clean);
24 |
25 |
26 |
27 | Runtime.getRuntime().exec((String) bad.getObj()); // sink
28 | }
29 |
30 | private Container newContainer(String s) {
31 | Container c = new Container<>(); //这里未做heap sensitive那么任何上下文指向的对象永远为o34
32 | c.setObj(s);
33 | return c;
34 | }
35 | }
36 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/contextsensitive/HeapGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.contextsensitive;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.Container;
4 |
5 | import javax.servlet.annotation.WebServlet;
6 | import javax.servlet.http.HttpServlet;
7 | import javax.servlet.http.HttpServletRequest;
8 | import javax.servlet.http.HttpServletResponse;
9 | import java.io.IOException;
10 | import java.io.PrintWriter;
11 |
12 | @WebServlet("/ContextSensitive/HeapGood1")
13 | @SuppressWarnings("Duplicates")
14 | public class HeapGood1 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | @Override
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source = request.getParameter("source");
21 | String clean = new String("clean");
22 | Container bad=newContainer(source);
23 | Container good=newContainer(clean);
24 |
25 |
26 |
27 | Runtime.getRuntime().exec((String) good.getObj()); // sink
28 | }
29 |
30 |
31 | private Container newContainer(String s) {
32 | Container c = new Container<>(); //这里未做heap sensitive那么任何上下文指向的对象永远为o34
33 | c.setObj(s);
34 | return c;
35 | }
36 | }
37 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/convertchannel/ExceptionBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.convertchannel;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.*;
8 |
9 |
10 | @WebServlet("/convertchannel/ExceptionBad1")
11 | public class ExceptionBad1 extends HttpServlet {
12 |
13 | private static final long serialVersionUID = 1L;
14 |
15 | @Override
16 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
17 | String source = request.getParameter("source");
18 |
19 | String ret="success";
20 |
21 | try {
22 | FileInputStream file = new FileInputStream(source);
23 | } catch (IOException f) { // Not valid!
24 | ret=f.toString();
25 | }
26 |
27 |
28 | Runtime.getRuntime().exec(ret); // sink
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/convertchannel/ExceptionBad2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.convertchannel;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.MyException;
4 |
5 | import javax.servlet.annotation.WebServlet;
6 | import javax.servlet.http.HttpServlet;
7 | import javax.servlet.http.HttpServletRequest;
8 | import javax.servlet.http.HttpServletResponse;
9 | import java.io.IOException;
10 | import java.io.PrintWriter;
11 |
12 |
13 | @WebServlet("/convertchannel/ExceptionBad2")
14 | public class ExceptionBad2 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | @Override
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source = request.getParameter("source");
21 |
22 | String ret = "success";
23 |
24 | try {
25 | getString(source);
26 | } catch (MyException f) { // Not valid!
27 | ret = f.toString();
28 | }
29 |
30 |
31 | Runtime.getRuntime().exec(ret); // sink
32 | }
33 |
34 | private String getString(String s) throws MyException {
35 | throw new MyException(s);
36 | }
37 | }
38 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/convertchannel/ExceptionBad3.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.convertchannel;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 | import java.io.PrintWriter;
9 |
10 |
11 | @WebServlet("/convertchannel/ExceptionBad3")
12 | public class ExceptionBad3 extends HttpServlet {
13 |
14 | private static final long serialVersionUID = 1L;
15 |
16 | @Override
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source = request.getParameter("source");
19 |
20 | String ret="clean";
21 | try {
22 | ret=source;
23 | throw new RuntimeException();
24 | } catch (RuntimeException f) { // Not valid!
25 |
26 | Runtime.getRuntime().exec(ret); // sink
27 | }
28 |
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/convertchannel/ExceptionGood2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.convertchannel;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.MyException;
4 |
5 | import javax.servlet.annotation.WebServlet;
6 | import javax.servlet.http.HttpServlet;
7 | import javax.servlet.http.HttpServletRequest;
8 | import javax.servlet.http.HttpServletResponse;
9 | import java.io.IOException;
10 | import java.io.PrintWriter;
11 |
12 |
13 | @WebServlet("/convertchannel/ExceptionGood3")
14 | public class ExceptionGood2 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | @Override
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source = request.getParameter("source");
21 |
22 | String ret = "success";
23 |
24 | try {
25 | getString(source);
26 | } catch (MyException f) { // Not valid!
27 | ret = f.toString();
28 | }
29 |
30 |
31 | Runtime.getRuntime().exec(ret); // sink
32 | }
33 |
34 | private String getString(String s) throws MyException {
35 | throw new MyException("clean");
36 | }
37 | }
38 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/convertchannel/ExceptionGood3.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.convertchannel;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.FileInputStream;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 |
11 |
12 | @WebServlet("/convertchannel/ExceptionGood3")
13 | public class ExceptionGood3 extends HttpServlet {
14 |
15 | private static final long serialVersionUID = 1L;
16 |
17 | @Override
18 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
19 | String source = request.getParameter("source");
20 |
21 | String ret = "success";
22 |
23 | try {
24 | FileInputStream file = new FileInputStream(source);
25 | } catch (IOException f) { // Not valid!
26 | ret = f.toString();
27 | } finally {
28 | ret = "success";
29 | }
30 |
31 | Runtime.getRuntime().exec(ret); // sink
32 | }
33 | }
34 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/convertchannel/FlowEngineBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.convertchannel;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.CommandEngExecutor;
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 | import top.anemone.taintbenchmark.auxiliary.InputEngExecutor;
6 |
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 |
13 | /**
14 | * @author anemone(anemone95 @ qq.com)
15 | * @date 2021/8/31 17:47
16 | */
17 |
18 | @WebServlet("/convertchannel/FlowEngineBad1")
19 | public class FlowEngineBad1 extends HttpServlet {
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 | Container container = new Container<>();
25 | container.clean = source;
26 | new InputEngExecutor().exec(container);
27 | new CommandEngExecutor().exec(container);
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/convertchannel/FlowEngineBad2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.convertchannel;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.CommandEngExecutor;
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 | import top.anemone.taintbenchmark.auxiliary.EngExecutor;
6 | import top.anemone.taintbenchmark.auxiliary.InputEngExecutor;
7 |
8 | import javax.servlet.annotation.WebServlet;
9 | import javax.servlet.http.HttpServlet;
10 | import javax.servlet.http.HttpServletRequest;
11 | import javax.servlet.http.HttpServletResponse;
12 | import java.io.IOException;
13 |
14 | /**
15 | * @author anemone(anemone95 @ qq.com)
16 | * @date 2021/8/31 17:47
17 | */
18 |
19 | @WebServlet("/convertchannel/FlowEngineBad2")
20 | public class FlowEngineBad2 extends HttpServlet {
21 |
22 | @Override
23 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
24 | String source = request.getParameter("source");
25 | Container container = new Container<>();
26 | container.clean = source;
27 | // In fact, many frameworks use annotation to register their executors, which makes SCA harder to deal with.
28 | EngExecutor[] executors = {new InputEngExecutor(), new CommandEngExecutor()};
29 | for (EngExecutor e : executors) {
30 | e.exec(container);
31 | }
32 | }
33 | }
34 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/convertchannel/FlowEngineBad3.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.convertchannel;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.CommandEngExecutor;
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 | import top.anemone.taintbenchmark.auxiliary.EngExecutor;
6 | import top.anemone.taintbenchmark.auxiliary.InputEngExecutor;
7 |
8 | import javax.servlet.annotation.WebServlet;
9 | import javax.servlet.http.HttpServlet;
10 | import javax.servlet.http.HttpServletRequest;
11 | import javax.servlet.http.HttpServletResponse;
12 | import java.io.IOException;
13 | import java.util.HashMap;
14 | import java.util.Map;
15 |
16 | /**
17 | * @author anemone(anemone95@qq.com)
18 | * @date 2021/8/31 17:47
19 | */
20 |
21 | @WebServlet("/convertchannel/FlowEngineBad3")
22 | public class FlowEngineBad3 extends HttpServlet {
23 |
24 | @Override
25 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
26 | String source = request.getParameter("source");
27 | Container container=new Container<>();
28 | container.clean=source;
29 | Map executorMap=new HashMap<>();
30 | executorMap.put("input", new InputEngExecutor());
31 | executorMap.put("command", new CommandEngExecutor());
32 | String[] seq={"input", "command"};
33 | for (String e : seq) {
34 | executorMap.get(e).exec(container);
35 | }
36 | }
37 | }
38 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/convertchannel/FlowEngineBad4.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.convertchannel;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.CommandEngExecutor;
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 | import top.anemone.taintbenchmark.auxiliary.EngExecutor;
6 | import top.anemone.taintbenchmark.auxiliary.InputEngExecutor;
7 |
8 | import javax.servlet.annotation.WebServlet;
9 | import javax.servlet.http.HttpServlet;
10 | import javax.servlet.http.HttpServletRequest;
11 | import javax.servlet.http.HttpServletResponse;
12 | import java.io.IOException;
13 | import java.util.HashMap;
14 | import java.util.Map;
15 |
16 | /**
17 | * @author anemone(anemone95@qq.com)
18 | * @date 2021/8/31 17:47
19 | */
20 |
21 | @WebServlet("/convertchannel/FlowEngineBad4")
22 | public class FlowEngineBad4 extends HttpServlet {
23 |
24 | @Override
25 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
26 | String source = request.getParameter("source");
27 | Container container=new Container<>();
28 | container.clean=source;
29 | EngExecutor inputExecutor = new InputEngExecutor();
30 | EngExecutor commandExecutor = new CommandEngExecutor();
31 | String[] seq = {"input", "command"};
32 | for (String e : seq) {
33 | if (e.equals("command")){
34 | commandExecutor.exec(container);
35 | } else if (e.equals("input")){
36 | inputExecutor.exec(container);
37 | }
38 | }
39 | }
40 | }
41 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/convertchannel/FlowEngineGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.convertchannel;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.CommandEngExecutor;
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 | import top.anemone.taintbenchmark.auxiliary.InputEngExecutor;
6 |
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 |
13 | /**
14 | * @author anemone(anemone95@qq.com)
15 | * @date 2021/8/31 17:47
16 | */
17 |
18 | @WebServlet("/convertchannel/FlowEngineGood1")
19 | public class FlowEngineGood1 extends HttpServlet {
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 | Container container=new Container<>();
25 | container.clean=source;
26 | new CommandEngExecutor().exec(container);
27 | new InputEngExecutor().exec(container);
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/convertchannel/FlowEngineGood2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.convertchannel;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.CommandEngExecutor;
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 | import top.anemone.taintbenchmark.auxiliary.EngExecutor;
6 | import top.anemone.taintbenchmark.auxiliary.InputEngExecutor;
7 |
8 | import javax.servlet.annotation.WebServlet;
9 | import javax.servlet.http.HttpServlet;
10 | import javax.servlet.http.HttpServletRequest;
11 | import javax.servlet.http.HttpServletResponse;
12 | import java.io.IOException;
13 |
14 | /**
15 | * @author anemone(anemone95@qq.com)
16 | * @date 2021/8/31 17:47
17 | */
18 |
19 | @WebServlet("/convertchannel/FlowEngineGood2")
20 | public class FlowEngineGood2 extends HttpServlet {
21 |
22 | @Override
23 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
24 | String source = request.getParameter("source");
25 | Container container=new Container<>();
26 | container.clean=source;
27 | // In fact, many frameworks use annotation to register their executors, which makes SCA harder to deal with.
28 | EngExecutor[] executors={new CommandEngExecutor(), new InputEngExecutor()};
29 | for (EngExecutor e : executors) {
30 | e.exec(container);
31 | }
32 | }
33 | }
34 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/convertchannel/FlowEngineGood4.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.convertchannel;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.CommandEngExecutor;
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 | import top.anemone.taintbenchmark.auxiliary.EngExecutor;
6 | import top.anemone.taintbenchmark.auxiliary.InputEngExecutor;
7 |
8 | import javax.servlet.annotation.WebServlet;
9 | import javax.servlet.http.HttpServlet;
10 | import javax.servlet.http.HttpServletRequest;
11 | import javax.servlet.http.HttpServletResponse;
12 | import java.io.IOException;
13 |
14 | /**
15 | * @author anemone(anemone95@qq.com)
16 | * @date 2021/8/31 17:47
17 | */
18 |
19 | @WebServlet("/convertchannel/FlowEngineGood4")
20 | public class FlowEngineGood4 extends HttpServlet {
21 |
22 | @Override
23 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
24 | String source = request.getParameter("source");
25 | Container container=new Container<>();
26 | container.clean=source;
27 | EngExecutor inputExecutor = new InputEngExecutor();
28 | EngExecutor commandExecutor = new CommandEngExecutor();
29 | String[] seq = {"command", "input"};
30 | for (String e : seq) {
31 | if (e.equals("command")) {
32 | commandExecutor.exec(container);
33 | } else if (e.equals("input")) {
34 | inputExecutor.exec(container);
35 | }
36 | }
37 | }
38 | }
39 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/convertchannel/IfBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.convertchannel;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 |
11 | @WebServlet("/convertchannel/IfBad1")
12 | public class IfBad1 extends HttpServlet {
13 |
14 | private static final long serialVersionUID = 1L;
15 |
16 | @Override
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source = request.getParameter("source");
19 |
20 |
21 | if (source.equals("hello world")) {
22 | source = "hello world";
23 | }
24 | Runtime.getRuntime().exec(source); // sink
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/convertchannel/IfGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.convertchannel;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 |
11 | @WebServlet("/convertchannel/IfGood1")
12 | public class IfGood1 extends HttpServlet {
13 |
14 | private static final long serialVersionUID = 1L;
15 |
16 | @Override
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source = request.getParameter("source");
19 |
20 |
21 | if (!source.equals("hello world")) {
22 | source = "hello world";
23 | }
24 | Runtime.getRuntime().exec(source); // sink
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/differentscope/thirdpartpkg/CommonPassBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.differentscope.thirdpartpkg;
2 |
3 |
4 | import org.apache.commons.exec.util.StringUtils;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 |
14 | @WebServlet("/ThirdPart/CommonPassBad1")
15 | public class CommonPassBad1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 |
23 | String res= StringUtils.fixFileSeparatorChar(source);
24 |
25 | Runtime.getRuntime().exec(res); // sink
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/differentscope/thirdpartpkg/CommonSinkBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.differentscope.thirdpartpkg;
2 |
3 |
4 | import org.apache.commons.exec.CommandLine;
5 | import org.apache.commons.exec.DefaultExecutor;
6 |
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 | import java.io.PrintWriter;
13 |
14 |
15 | @WebServlet("/ThirdPart/CommonSinkBad1")
16 | public class CommonSinkBad1 extends HttpServlet {
17 |
18 | private static final long serialVersionUID = 1L;
19 |
20 | @Override
21 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
22 | String source = request.getParameter("source");
23 |
24 | CommandLine cmd=CommandLine.parse(source);
25 | int i=new DefaultExecutor().execute(cmd);
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/differentscope/thirdpartpkg/ExeBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.differentscope.thirdpartpkg;
2 |
3 | import top.anemone.taintbenchmarkdep.BadExecutor;
4 | import top.anemone.taintbenchmarkdep.ExeAgent1;
5 | import top.anemone.taintbenchmarkdep.Executor;
6 |
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 | import java.io.PrintWriter;
13 |
14 | @WebServlet("/ThirdPart/ExeBad1")
15 | public class ExeBad1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 |
23 | Executor e=new BadExecutor();
24 | e.setcmd(source);
25 | ExeAgent1 exeAgent1=new ExeAgent1();
26 | exeAgent1.exe(e); //sink
27 | }
28 |
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/differentscope/thirdpartpkg/ExeBad2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.differentscope.thirdpartpkg;
2 |
3 | import top.anemone.taintbenchmarkdep.*;
4 |
5 | import javax.servlet.annotation.WebServlet;
6 | import javax.servlet.http.HttpServlet;
7 | import javax.servlet.http.HttpServletRequest;
8 | import javax.servlet.http.HttpServletResponse;
9 | import java.io.IOException;
10 | import java.io.PrintWriter;
11 |
12 | @WebServlet("/intraprocedural/IntraBad1")
13 | public class ExeBad2 extends HttpServlet {
14 |
15 | private static final long serialVersionUID = 1L;
16 |
17 | @Override
18 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
19 | String source = request.getParameter("source");
20 |
21 | Executor e=new GoodExecutor2();
22 | e.setcmd(source);
23 | ExeAgent2 exeAgent2=new ExeAgent2();
24 | exeAgent2.exe(e,source); //sink
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/differentscope/thirdpartpkg/ExeGood1_1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.differentscope.thirdpartpkg;
2 |
3 | import top.anemone.taintbenchmarkdep.ExeAgent1;
4 | import top.anemone.taintbenchmarkdep.Executor;
5 | import top.anemone.taintbenchmarkdep.GoodExecutor1;
6 |
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 | import java.io.PrintWriter;
13 |
14 | @WebServlet("/intraprocedural/IntraBad1")
15 | public class ExeGood1_1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 |
23 | Executor e=new GoodExecutor1();
24 | e.setcmd(source);
25 | ExeAgent1 exeAgent1=new ExeAgent1();
26 | exeAgent1.exe(e); //sink
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/differentscope/thirdpartpkg/ExeGood1_2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.differentscope.thirdpartpkg;
2 |
3 | import top.anemone.taintbenchmarkdep.ExeAgent1;
4 | import top.anemone.taintbenchmarkdep.Executor;
5 | import top.anemone.taintbenchmarkdep.GoodExecutor2;
6 |
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 | import java.io.PrintWriter;
13 |
14 | @WebServlet("/intraprocedural/IntraBad1")
15 | public class ExeGood1_2 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 |
23 | Executor e=new GoodExecutor2();
24 | e.setcmd(source);
25 | ExeAgent1 exeAgent1=new ExeAgent1();
26 | exeAgent1.exe(e); //sink
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/differentscope/thirdpartpkg/ExeGood2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.differentscope.thirdpartpkg;
2 |
3 | import top.anemone.taintbenchmarkdep.ExeAgent2;
4 | import top.anemone.taintbenchmarkdep.Executor;
5 | import top.anemone.taintbenchmarkdep.GoodExecutor1;
6 |
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 | import java.io.PrintWriter;
13 |
14 | @WebServlet("/ThirdPart/ExeGood2")
15 | public class ExeGood2 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 |
23 | Executor e=new GoodExecutor1();
24 | e.setcmd(source);
25 | ExeAgent2 exeAgent2=new ExeAgent2();
26 | exeAgent2.exe(e,source); //sink
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/fieldsensitive/FieldBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.fieldsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/FieldSensitive/FieldBad1")
14 | @SuppressWarnings("Duplicates")
15 | public class FieldBad1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 |
23 | Container a = new Container<>();
24 | a.setObj(source);
25 | a.setClean("clean");
26 |
27 | Runtime.getRuntime().exec(a.getObj()); // sink
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/fieldsensitive/FieldBad2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.fieldsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/FieldSensitive/FieldBad2")
14 | @SuppressWarnings("Duplicates")
15 | public class FieldBad2 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 |
23 | Container a = new Container<>(source,"clean");
24 |
25 | Runtime.getRuntime().exec(a.getObj()); // sink
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/fieldsensitive/FieldBad3.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.fieldsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/FieldSensitive/FieldBad3")
14 | @SuppressWarnings("Duplicates")
15 | public class FieldBad3 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 | private Container c;
19 |
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | c=new Container<>();
26 | c.setObj(source);
27 | c.setClean("clean");
28 |
29 | Runtime.getRuntime().exec(c.getObj()); // sink
30 | }
31 | }
32 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/fieldsensitive/FieldBad4.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.fieldsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 |
12 | @WebServlet("/FieldSensitive/FieldBad4")
13 | @SuppressWarnings("Duplicates")
14 | public class FieldBad4 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 | Container c=new Container<>();
23 | Container> c2=new Container<>();
24 | Container> c3;
25 | c.setObj("clean");
26 | c2.setObj(c);
27 | c3=c2;
28 | c3.getObj().setObj(source);
29 |
30 | Runtime.getRuntime().exec(c2.getObj().getObj()); // sink
31 | }
32 | }
33 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/fieldsensitive/FieldBad5.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.fieldsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 |
12 | @WebServlet("/FieldSensitive/FieldBad5")
13 | @SuppressWarnings("Duplicates")
14 | public class FieldBad5 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 | Container c=new Container<>();
23 | Container c2=c;
24 | c2.obj=source;
25 |
26 | Runtime.getRuntime().exec(c.obj); // sink
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/fieldsensitive/FieldGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.fieldsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/FieldSensitive/FieldGood1")
14 | @SuppressWarnings("Duplicates")
15 | public class FieldGood1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 |
23 | Container a = new Container<>();
24 | a.setObj(source);
25 | a.setClean("clean");
26 |
27 | Runtime.getRuntime().exec(a.getClean()); // sink
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/fieldsensitive/FieldGood2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.fieldsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/FieldSensitive/FieldGood2")
14 | @SuppressWarnings("Duplicates")
15 | public class FieldGood2 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 |
23 | Container a = new Container<>(source,"clean");
24 |
25 | Runtime.getRuntime().exec(a.getClean()); // sink
26 | }
27 |
28 | }
29 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/fieldsensitive/FieldGood3.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.fieldsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/FieldSensitive/FieldGood3")
14 | @SuppressWarnings("Duplicates")
15 | public class FieldGood3 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 | private Container c;
19 |
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | c=new Container<>();
26 | c.setObj(source);
27 | c.setClean("clean");
28 |
29 | Runtime.getRuntime().exec(c.getClean()); // sink
30 | }
31 | }
32 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/fieldsensitive/FieldGood4.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.fieldsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 |
12 | @WebServlet("/FieldSensitive/FieldGood4")
13 | @SuppressWarnings("Duplicates")
14 | public class FieldGood4 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 | Container c=new Container<>();
23 | Container> c2=new Container<>();
24 | Container> c3;
25 | c.setObj(source);
26 | c2.setObj(c);
27 | c3=c2;
28 | c3.getObj().setObj("clean");
29 |
30 | Runtime.getRuntime().exec(c2.getObj().getObj()); // sink
31 | }
32 | }
33 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/fieldsensitive/InterFieldBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.fieldsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 |
12 | @WebServlet("/FieldSensitive/FieldBad1")
13 | @SuppressWarnings("Duplicates")
14 | public class InterFieldBad1 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | @Override
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source = request.getParameter("source");
21 |
22 | Container a = new Container<>();
23 | a.setObj("clean");
24 | a.setClean("clean");
25 | put(a, source);
26 |
27 | Runtime.getRuntime().exec(a.getObj()); // sink
28 | }
29 | private void put(Container c, String s){
30 | c.setObj(s);
31 | }
32 | }
33 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/fieldsensitive/InterFieldGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.fieldsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 |
12 | @WebServlet("/FieldSensitive/FieldBad1")
13 | @SuppressWarnings("Duplicates")
14 | public class InterFieldGood1 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | @Override
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source = request.getParameter("source");
21 |
22 | Container a = new Container<>();
23 | a.setObj("clean");
24 | a.setClean("clean");
25 | put(a, source);
26 |
27 | Runtime.getRuntime().exec(a.getObj()); // sink
28 | }
29 | private void put(Container c, String s){
30 | c.setClean(s);
31 | }
32 | }
33 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FactoryBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Transformer;
5 | import top.anemone.taintbenchmark.auxiliary.TransformerFactory;
6 |
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 | import java.io.PrintWriter;
13 |
14 | @WebServlet("/Factory/IntraBad1")
15 | public class FactoryBad1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 |
23 | Transformer t = TransformerFactory.getTransformer("bad");
24 |
25 | Runtime.getRuntime().exec(t.transform(source)); // sink
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FactoryGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Transformer;
5 | import top.anemone.taintbenchmark.auxiliary.TransformerFactory;
6 |
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 | import java.io.PrintWriter;
13 |
14 | @WebServlet("/Factory/IntraBad1")
15 | public class FactoryGood1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 |
23 | Transformer t = TransformerFactory.getTransformer("good");
24 |
25 | Runtime.getRuntime().exec(t.transform(source)); // sink
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 | import java.io.PrintWriter;
9 |
10 | @WebServlet("/flow/FlowBad1")
11 | public class FlowBad1 extends HttpServlet {
12 |
13 | private static final long serialVersionUID = 1L;
14 |
15 | @Override
16 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
17 | String source = request.getParameter("source");
18 | source = request.getParameter("fromp").equals("true") ? source : "clean";
19 |
20 |
21 | Runtime.getRuntime().exec(source); // sink
22 | }
23 | }
24 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowBad2_1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 | import java.io.PrintWriter;
9 |
10 | @WebServlet("/flow/FlowBad2-1")
11 | public class FlowBad2_1 extends HttpServlet {
12 |
13 | private static final long serialVersionUID = 1L;
14 |
15 | @Override
16 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
17 | String source = request.getParameter("source");
18 | String ret;
19 | if (request.getParameter("fromp").equals("true")){
20 | ret=source;
21 | } else {
22 | ret="clean";
23 | }
24 |
25 |
26 | Runtime.getRuntime().exec(ret); // sink
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowBad2_2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 | import java.io.PrintWriter;
9 |
10 | @WebServlet("/flow/FlowBad2")
11 | public class FlowBad2_2 extends HttpServlet {
12 |
13 | private static final long serialVersionUID = 1L;
14 |
15 | @Override
16 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
17 | String source = request.getParameter("source");
18 | String ret;
19 | if (request.getParameter("fromp").equals("true")){
20 | ret="clean";
21 | } else {
22 | ret=source;
23 | }
24 |
25 |
26 | Runtime.getRuntime().exec(ret); // sink
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowBad3.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 | import java.io.PrintWriter;
9 |
10 | @WebServlet("/flow/FlowBad3")
11 | public class FlowBad3 extends HttpServlet {
12 |
13 | private static final long serialVersionUID = 1L;
14 |
15 | @Override
16 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
17 | String source = request.getParameter("source");
18 | String ret = source;
19 | int cnt = 0;
20 | while (cnt < 0) {
21 | ret = "clean";
22 | cnt++;
23 | }
24 |
25 |
26 | Runtime.getRuntime().exec(ret); // sink
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowBad4.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 | import java.io.PrintWriter;
9 |
10 | @WebServlet("/flow/FlowBad4")
11 | public class FlowBad4 extends HttpServlet {
12 |
13 | private static final long serialVersionUID = 1L;
14 |
15 | @Override
16 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
17 | String source = request.getParameter("source");
18 | String ret = source;
19 | for (int i=0;i<0;i++){
20 | ret = "clean";
21 | }
22 |
23 |
24 | Runtime.getRuntime().exec(ret); // sink
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowBad5.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 |
11 | @WebServlet("/flow/FlowBad5")
12 | public class FlowBad5 extends HttpServlet {
13 |
14 | private static final long serialVersionUID = 1L;
15 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
16 | String source = request.getParameter("source");
17 |
18 | String fakeClean="clean";
19 | String tmp;
20 | // fakeSource, fakeClean=fakeClean, fakeSource
21 | tmp=source;
22 | fakeClean=tmp;
23 | source=fakeClean;
24 |
25 |
26 | Runtime.getRuntime().exec(source); // get source
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowBad6.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 | import java.io.PrintWriter;
9 |
10 | @WebServlet("/flow/FlowBad1")
11 | public class FlowBad6 extends HttpServlet {
12 |
13 | private static final long serialVersionUID = 1L;
14 |
15 | @Override
16 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
17 | String source = request.getParameter("source");
18 |
19 | String ret;
20 | for (int i = 0; ; i++) {
21 | if (i==4){
22 | ret = source;
23 | break;
24 | }
25 | ret = "clean";
26 | }
27 | Runtime.getRuntime().exec(source); // sink
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowFieldBad4_1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/flow/FlowFieldBad4_1")
14 | @SuppressWarnings("Duplicates")
15 | public class FlowFieldBad4_1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 | private Container c;
19 |
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | c=new Container<>(source,"boo");
26 | c.setObj(source);
27 |
28 | Runtime.getRuntime().exec(c.getObj()); // sink before clean
29 | c.setObj("clean");
30 | }
31 | }
32 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowFieldBad4_2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/flow/FlowFieldBad4_2")
14 | @SuppressWarnings("Duplicates")
15 | public class FlowFieldBad4_2 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 | private Container c;
19 |
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | c=new Container<>(source,"boo");
26 |
27 | Runtime.getRuntime().exec(c.getObj()); // sink before clean
28 | c.setObj("clean");
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowFieldBad5.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.BadContainer;
5 | import top.anemone.taintbenchmark.auxiliary.Container;
6 | import top.anemone.taintbenchmark.auxiliary.GoodContainer;
7 |
8 | import javax.servlet.annotation.WebServlet;
9 | import javax.servlet.http.HttpServlet;
10 | import javax.servlet.http.HttpServletRequest;
11 | import javax.servlet.http.HttpServletResponse;
12 | import java.io.IOException;
13 | import java.io.PrintWriter;
14 |
15 | @WebServlet("/flow/FlowFieldBad5")
16 | public class FlowFieldBad5 extends HttpServlet {
17 |
18 | private static final long serialVersionUID = 1L;
19 |
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | Container c;
26 | int a = 31 + 1;
27 | if (a == 32) {
28 | c = new BadContainer<>();
29 | } else {
30 | c = new GoodContainer<>();
31 | }
32 | c.setObj(source);
33 | c.setClean("clean");
34 |
35 | Runtime.getRuntime().exec(c.getInfo()); // sink
36 | }
37 | }
38 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowFieldBad6.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/flow/FlowFieldBad6")
14 | public class FlowFieldBad6 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 |
23 | Container inner;
24 | Container> outer;
25 | Container good=new Container<>();
26 | Container bad=new Container<>();
27 | Container> goodc=new Container<>();
28 | Container> badc=new Container<>();
29 | int a = 31 + 1;
30 | if (a == 32) {
31 | outer=badc;
32 | inner=bad;
33 | } else {
34 | outer=goodc;
35 | inner=good;
36 | }
37 | outer.obj=inner;
38 | inner.setObj(source);
39 | Runtime.getRuntime().exec(badc.getObj().getObj());
40 | }
41 | }
42 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowFieldBad7.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/flow/FlowFieldBad7")
14 | public class FlowFieldBad7 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source = request.getParameter("source");
19 |
20 | Container bad, fakeClean, tmp;
21 | bad=new Container<>(source,source);
22 | fakeClean=new Container<>("clean","clean");
23 | tmp=bad;
24 | fakeClean=tmp;
25 | bad=fakeClean;
26 |
27 | Runtime.getRuntime().exec(bad.obj); // get clean
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowFieldBad8_1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/flow/FlowFieldBad7")
14 | public class FlowFieldBad8_1 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source = request.getParameter("source");
19 |
20 | Container bad = new Container<>();
21 | if (source.startsWith("aaa")){
22 | bad.obj=source;
23 | }else {
24 | bad.obj="Clean";
25 | }
26 |
27 |
28 | Runtime.getRuntime().exec(bad.obj); // get clean
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowFieldBad8_2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.util.Random;
12 |
13 | @WebServlet("/flow/FlowFieldBad8_2")
14 | public class FlowFieldBad8_2 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source = request.getParameter("source");
19 |
20 | Container bad = new Container<>();
21 | if (new Random().nextFloat()<0.5){
22 | bad.obj="Clean";
23 | }else {
24 | bad.obj=source;
25 | }
26 |
27 |
28 | Runtime.getRuntime().exec(bad.obj); // get clean
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowFieldBad9_1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.util.Random;
12 |
13 | @WebServlet("/flow/FlowFieldBad7")
14 | public class FlowFieldBad9_1 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source = request.getParameter("source");
19 |
20 | Container bad = new Container<>();
21 | Container bad2 = bad;
22 |
23 | if (new Random().nextFloat()<0.5){
24 | bad2.obj=source;
25 | }else {
26 | bad2.obj="Clean";
27 | }
28 |
29 | Runtime.getRuntime().exec(bad.obj); // get clean
30 | }
31 | }
32 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowFieldBad9_2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.util.Random;
12 |
13 | @WebServlet("/flow/FlowFieldBad7")
14 | public class FlowFieldBad9_2 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source = request.getParameter("source");
19 |
20 | Container bad = new Container<>();
21 | Container bad2 = bad;
22 |
23 | if (new Random().nextFloat()<0.5){
24 | bad2.obj="Clean";
25 | }else {
26 | bad2.obj=source;
27 | }
28 |
29 | Runtime.getRuntime().exec(bad.obj); // get clean
30 | }
31 | }
32 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowFieldGood4_1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/flow/FlowFieldBad4_1")
14 | public class FlowFieldGood4_1 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 | private Container c;
18 |
19 |
20 | @Override
21 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
22 | String source = request.getParameter("source");
23 |
24 | c=new Container<>(source,"boo");
25 | c.setObj("clean");
26 |
27 | Runtime.getRuntime().exec(c.getObj()); // sink before taint
28 | c.setObj(source);
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowFieldGood4_2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/flow/FlowFieldGood4_2")
14 | public class FlowFieldGood4_2 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 | private Container c;
18 |
19 |
20 | @Override
21 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
22 | String source = request.getParameter("source");
23 |
24 | c=new Container<>("foo","bar");
25 |
26 | Runtime.getRuntime().exec(c.getObj()); // sink before taint
27 | c.setObj(source);
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowFieldGood5.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.BadContainer;
5 | import top.anemone.taintbenchmark.auxiliary.Container;
6 | import top.anemone.taintbenchmark.auxiliary.GoodContainer;
7 |
8 | import javax.servlet.annotation.WebServlet;
9 | import javax.servlet.http.HttpServlet;
10 | import javax.servlet.http.HttpServletRequest;
11 | import javax.servlet.http.HttpServletResponse;
12 | import java.io.IOException;
13 | import java.io.PrintWriter;
14 |
15 | @WebServlet("/flow/FlowFieldGood5")
16 | public class FlowFieldGood5 extends HttpServlet {
17 |
18 | private static final long serialVersionUID = 1L;
19 |
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | Container c;
26 | int a = 31 + 1;
27 | if (a != 32) {
28 | c = new BadContainer<>();
29 | } else {
30 | c = new GoodContainer<>();
31 | }
32 | c.setObj(source);
33 | c.setClean("clean");
34 |
35 | Runtime.getRuntime().exec(c.getInfo()); // sink
36 | }
37 | }
38 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowFieldGood7.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/flow/FlowFieldGood7")
14 | public class FlowFieldGood7 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source = request.getParameter("source");
19 |
20 | Container fakeBad, fakeClean, tmp;
21 | fakeBad=new Container<>(source,source);
22 | fakeClean=new Container<>("clean","clean");
23 | tmp=fakeBad;
24 | fakeBad=fakeClean;
25 | fakeClean=tmp;
26 |
27 | Runtime.getRuntime().exec(fakeBad.obj); // get clean
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowGood5.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 |
11 | @WebServlet("/flow/FlowGood5")
12 | public class FlowGood5 extends HttpServlet {
13 |
14 | private static final long serialVersionUID = 1L;
15 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
16 | String fakeSource = request.getParameter("source");
17 |
18 | String fakeClean="clean";
19 | String tmp;
20 | // fakeSource, fakeClean=fakeClean, fakeSource
21 | tmp=fakeSource;
22 | fakeSource=fakeClean;
23 | fakeClean=tmp;
24 |
25 |
26 | Runtime.getRuntime().exec(fakeSource); // get clean
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/flowsensitive/FlowGood6.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.flowsensitive;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 | import java.io.PrintWriter;
9 |
10 | @WebServlet("/flow/FlowBad1")
11 | public class FlowGood6 extends HttpServlet {
12 |
13 | private static final long serialVersionUID = 1L;
14 |
15 | @Override
16 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
17 | String source = request.getParameter("source");
18 |
19 | String ret;
20 | for (int i = 0; ; i++) {
21 | if (i==4){
22 | ret = "clean";
23 | break;
24 | }
25 | ret = source;
26 | }
27 | Runtime.getRuntime().exec(source); // sink
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/AbstractBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.BadPasser;
5 |
6 | import javax.servlet.ServletException;
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 | import java.io.PrintWriter;
13 |
14 | @WebServlet("/IntraProcedural/IntraBad1")
15 | public class AbstractBad1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
21 | String source = request.getParameter("source");
22 |
23 | BadPasser passer=new BadPasser();
24 | source=passer.transform(source);
25 |
26 | Runtime.getRuntime().exec(source); // sink
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/AbstractGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.BadPasser;
5 | import top.anemone.taintbenchmark.auxiliary.GoodPasser;
6 |
7 | import javax.servlet.ServletException;
8 | import javax.servlet.annotation.WebServlet;
9 | import javax.servlet.http.HttpServlet;
10 | import javax.servlet.http.HttpServletRequest;
11 | import javax.servlet.http.HttpServletResponse;
12 | import java.io.IOException;
13 | import java.io.PrintWriter;
14 |
15 | /**
16 | * 该类误报很可能扫描器使用CHA构建调用图
17 | */
18 | @WebServlet("/InterProcedural/AbstractGood1")
19 | public class AbstractGood1 extends HttpServlet {
20 |
21 | private static final long serialVersionUID = 1L;
22 |
23 | @Override
24 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
25 | String source = request.getParameter("source");
26 |
27 | BadPasser passer=new GoodPasser();
28 | source=passer.transform(source);
29 |
30 | Runtime.getRuntime().exec(source); // sink
31 | }
32 | }
33 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/ConstructBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.BadConstructor;
4 | import top.anemone.taintbenchmark.auxiliary.Transformer;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | /**
14 | * 该类误报很可能扫描器使用CHA构建调用图
15 | */
16 | @WebServlet("/IntraProcedural/ConstructBad1")
17 | public class ConstructBad1 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | Transformer constructor=new BadConstructor(source);
26 | source = constructor.transform("nonce");
27 |
28 | Runtime.getRuntime().exec(source); // sink
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/ConstructGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.GoodConstructor;
4 | import top.anemone.taintbenchmark.auxiliary.Transformer;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | /**
14 | * 该类误报很可能扫描器使用CHA构建调用图
15 | */
16 | @WebServlet("/IntraProcedural/ConstructGood1")
17 | public class ConstructGood1 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | Transformer constructor=new GoodConstructor(source);
26 | source = constructor.transform("nonce");
27 |
28 | Runtime.getRuntime().exec(source); // sink
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/InterfaceBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.BadTransformer;
4 | import top.anemone.taintbenchmark.auxiliary.Transformer;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | /**
14 | * 该类误报很可能扫描器使用CHA构建调用图
15 | */
16 | @WebServlet("/IntraProcedural/InterfaceBad1")
17 | public class InterfaceBad1 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | Transformer transformer=new BadTransformer();
26 | source = transformer.transform(source);
27 |
28 | Runtime.getRuntime().exec(source); // sink
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/InterfaceBad2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.Transformer;
4 |
5 | import javax.servlet.annotation.WebServlet;
6 | import javax.servlet.http.HttpServlet;
7 | import javax.servlet.http.HttpServletRequest;
8 | import javax.servlet.http.HttpServletResponse;
9 | import java.io.IOException;
10 | import java.io.PrintWriter;
11 |
12 | /**
13 | * 该类误报很可能扫描器使用CHA构建调用图
14 | */
15 | @WebServlet("/IntraProcedural/InterfaceBad2")
16 | public class InterfaceBad2 extends HttpServlet {
17 |
18 | private static final long serialVersionUID = 1L;
19 |
20 | @Override
21 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
22 | String source = request.getParameter("source");
23 |
24 | Transformer transformer=new Transformer() {
25 | @Override
26 | public String transform(String from) {
27 | return from;
28 | }
29 | };
30 | source = transformer.transform(source);
31 |
32 | Runtime.getRuntime().exec(source); // sink
33 | }
34 | }
35 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/InterfaceBad3.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.BadSink;
4 | import top.anemone.taintbenchmark.auxiliary.Sink;
5 | import top.anemone.taintbenchmark.auxiliary.Transformer;
6 |
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 | import java.io.PrintWriter;
13 |
14 | /**
15 | * 该类误报很可能扫描器使用CHA构建调用图
16 | */
17 | @WebServlet("/IntraProcedural/InterfaceBad3")
18 | public class InterfaceBad3 extends HttpServlet {
19 |
20 | private static final long serialVersionUID = 1L;
21 |
22 | @Override
23 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
24 | String source = request.getParameter("source");
25 | Sink sink=new BadSink();
26 | sink.execute(source);
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/InterfaceGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.GoodTransformer;
4 | import top.anemone.taintbenchmark.auxiliary.Transformer;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | /**
14 | * 该类误报很可能扫描器使用CHA构建调用图
15 | */
16 | @WebServlet("/InterProcedural/InterfaceGood1")
17 | public class InterfaceGood1 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | Transformer transformer=new GoodTransformer();
26 | source = transformer.transform(source);
27 |
28 | Runtime.getRuntime().exec(source); // sink
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/InterfaceGood2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.Transformer;
4 |
5 | import javax.servlet.annotation.WebServlet;
6 | import javax.servlet.http.HttpServlet;
7 | import javax.servlet.http.HttpServletRequest;
8 | import javax.servlet.http.HttpServletResponse;
9 | import java.io.IOException;
10 | import java.io.PrintWriter;
11 |
12 | /**
13 | * 该类误报很可能扫描器使用CHA构建调用图
14 | */
15 | @WebServlet("/InterProcedural/InterfaceGood2")
16 | public class InterfaceGood2 extends HttpServlet {
17 |
18 | private static final long serialVersionUID = 1L;
19 |
20 | @Override
21 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
22 | String source = request.getParameter("source");
23 |
24 | Transformer transformer=new Transformer() {
25 | @Override
26 | public String transform(String from) {
27 | return "clean";
28 | }
29 | };
30 | source = transformer.transform(source);
31 |
32 | Runtime.getRuntime().exec(source); // sink
33 | }
34 | }
35 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/InterfaceGood3.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.BadSink;
4 | import top.anemone.taintbenchmark.auxiliary.GoodSink;
5 | import top.anemone.taintbenchmark.auxiliary.Sink;
6 |
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 |
13 | /**
14 | * 该类误报很可能扫描器使用CHA构建调用图
15 | */
16 | @WebServlet("/IntraProcedural/InterfaceBad3")
17 | public class InterfaceGood3 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 | Sink sink=new GoodSink();
25 | sink.execute(source);
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/PointerBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.ServletException;
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 | import java.io.PrintWriter;
13 |
14 | @WebServlet("/IntraProcedural/PointerBad1")
15 | public class PointerBad1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | /**
20 | * 未做域敏感或者未做指针分析
21 | * @param request
22 | * @param response
23 | * @throws ServletException
24 | * @throws IOException
25 | */
26 | @Override
27 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
28 | String source = request.getParameter("source");
29 |
30 |
31 | Container c=new Container<>();
32 | c.setObj("clean");
33 |
34 | Container> fakeGood=new Container<>();
35 | fakeGood.obj=c;
36 | Container> bad=new Container<>();
37 | bad.obj=c;
38 |
39 | bad.obj.setObj(source);
40 | Container> p=fakeGood;
41 |
42 |
43 | Runtime.getRuntime().exec(p.obj.getObj()); // sink
44 | }
45 | }
46 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/PointerGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.ServletException;
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 | import java.io.PrintWriter;
13 |
14 | @WebServlet("/InterProcedural/PointerGood1")
15 | public class PointerGood1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | /**
20 | * 如果报出那么无指针分析
21 | * @param request
22 | * @param response
23 | * @throws ServletException
24 | * @throws IOException
25 | */
26 | @Override
27 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
28 | String source = request.getParameter("source");
29 |
30 |
31 | Container c=new Container<>();
32 | c.setObj(source);
33 |
34 | Container> good=new Container<>();
35 | good.obj=c;
36 | Container> bad=new Container<>();
37 | bad.obj=c;
38 |
39 | good.obj.setObj("clean");
40 | Container> p=bad;
41 |
42 |
43 | Runtime.getRuntime().exec(p.obj.getObj()); // sink
44 | }
45 | }
46 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/PointerGood2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.ServletException;
7 | import javax.servlet.annotation.WebServlet;
8 | import javax.servlet.http.HttpServlet;
9 | import javax.servlet.http.HttpServletRequest;
10 | import javax.servlet.http.HttpServletResponse;
11 | import java.io.IOException;
12 | import java.io.PrintWriter;
13 |
14 | @WebServlet("/InterProcedural/PointerGood2")
15 | public class PointerGood2 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | /**
20 | * 如果报出那么无指针分析
21 | * @param request
22 | * @param response
23 | * @throws ServletException
24 | * @throws IOException
25 | */
26 | @Override
27 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
28 | String source = request.getParameter("source");
29 |
30 |
31 | Container c=new Container<>();
32 | c.obj=source;
33 |
34 | Container> good=new Container<>();
35 | good.obj=c;
36 |
37 | c.obj="clean";
38 |
39 |
40 | Runtime.getRuntime().exec(good.obj.obj); // sink
41 | }
42 | }
43 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/PrivateBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 |
11 | /**
12 | * 最简单的污点分析模型,从request中读取内容并返回,造成xss
13 | */
14 | @WebServlet("/InterProcedural/PrivateBad1")
15 | public class PrivateBad1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source"); // source
22 |
23 |
24 | Runtime.getRuntime().exec(bad(source)); // sink
25 | }
26 | private String bad(String s){
27 | return s;
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/PrivateGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 |
11 | @WebServlet("/InterProcedural/PrivateGood1")
12 | public class PrivateGood1 extends HttpServlet {
13 |
14 | private static final long serialVersionUID = 1L;
15 |
16 | @Override
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source = request.getParameter("source");
19 |
20 |
21 | Runtime.getRuntime().exec(good(source)); // sink
22 | }
23 | private String good(String s){
24 | return "good";
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/RecursionBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintStream;
10 | import java.io.PrintWriter;
11 |
12 | /**
13 | */
14 | @WebServlet("/InterProcedural/RecursionBad1")
15 | public class RecursionBad1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source"); // source
22 |
23 |
24 |
25 | bad(source, System.out, 0);
26 | }
27 |
28 | private void bad(String s, PrintStream out, int l) throws IOException {
29 | if (l>100) return;
30 | bad(s, out,l+1);
31 | Runtime.getRuntime().exec(s); // sink
32 | }
33 | }
34 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/StaticBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 |
11 | @WebServlet("/InterProcedural/StaticGood1")
12 | public class StaticBad1 extends HttpServlet {
13 |
14 | private static final long serialVersionUID = 1L;
15 |
16 | @Override
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source = request.getParameter("source");
19 | Runtime.getRuntime().exec(bad(source)); // sink
20 | }
21 | public static String bad(String s){
22 | return s;
23 | }
24 | }
25 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/StaticBad2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.BadStaticSink;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | @WebServlet("/InterProcedural/StaticBad2")
14 | public class StaticBad2 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | @Override
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source = request.getParameter("source");
21 | BadStaticSink.execute(source);
22 | }
23 | }
24 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/interprocedural/StaticGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.interprocedural;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 |
11 | @WebServlet("/InterProcedural/StaticGood1")
12 | public class StaticGood1 extends HttpServlet {
13 |
14 | private static final long serialVersionUID = 1L;
15 |
16 | @Override
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source = request.getParameter("source");
19 |
20 |
21 | Runtime.getRuntime().exec(good(source)); // sink
22 | }
23 | public static String good(String s){
24 | return "good";
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/intraprocedural/IntraBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.intraprocedural;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 |
11 | @WebServlet("/IntraProcedural/IntraBad1")
12 | public class IntraBad1 extends HttpServlet {
13 |
14 | private static final long serialVersionUID = 1L;
15 |
16 | @Override
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source = request.getParameter("source");
19 |
20 |
21 | Runtime.getRuntime().exec(source); // sink
22 | }
23 | }
24 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/intraprocedural/IntraBad2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.intraprocedural;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 |
11 | @WebServlet("/IntraProcedural/IntraBad1")
12 | public class IntraBad2 extends HttpServlet {
13 |
14 | private static final long serialVersionUID = 1L;
15 |
16 | @Override
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source = request.getParameter("source");
19 |
20 | source=source+"source";
21 | source=source.replace("1","2");
22 | source=source+1;
23 |
24 | Runtime.getRuntime().exec(source); // sink
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/intraprocedural/IntraGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.intraprocedural;
2 |
3 |
4 | import javax.servlet.annotation.WebServlet;
5 | import javax.servlet.http.HttpServlet;
6 | import javax.servlet.http.HttpServletRequest;
7 | import javax.servlet.http.HttpServletResponse;
8 | import java.io.IOException;
9 | import java.io.PrintWriter;
10 |
11 | /**
12 | * 如果该类被报出说明扫描器不存在污点分析
13 | */
14 | @WebServlet("/IntraProcedural/IntraGood1")
15 | public class IntraGood1 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | @Override
20 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
21 | String source = request.getParameter("source");
22 | source = "foo";
23 |
24 |
25 | Runtime.getRuntime().exec(source); // sink
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/pathsensitive/BadNumPath1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.pathsensitive;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 |
9 | /**
10 | * @author anemone(anemone95@qq.com)
11 | * @date 2021/8/31 16:57
12 | */
13 | @WebServlet("/flow/BadPath1")
14 | public class BadNumPath1 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source;
19 | source = request.getParameter("source");
20 | int x = 86;
21 | if ((7*42)-x <200){
22 | return;
23 | } else {
24 | Runtime.getRuntime().exec(source);
25 | }
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/pathsensitive/BadNumPath2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.pathsensitive;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 | import java.util.Random;
9 |
10 | /**
11 | * @author anemone(anemone95@qq.com)
12 | * @date 2021/8/31 16:57
13 | */
14 | @WebServlet("/flow/BadNumPath2")
15 | public class BadNumPath2 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source;
21 | source = request.getParameter("source");
22 | int x = new Random().nextInt();
23 | if (x * (x + 1) % 2 == 0) {
24 | Runtime.getRuntime().exec(source);
25 | } else {
26 | return;
27 | }
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/pathsensitive/BadStrPath2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.pathsensitive;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 | import java.util.Random;
9 |
10 | /**
11 | * @author anemone(anemone95@qq.com)
12 | * @date 2021/8/31 16:57
13 | */
14 | @WebServlet("/flow/BadNumPath2")
15 | public class BadStrPath2 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source;
21 | source = request.getParameter("source");
22 | String x = "AB";
23 | if (x.charAt(0) == 'A') {
24 | Runtime.getRuntime().exec(source);
25 | } else {
26 | return;
27 | }
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/pathsensitive/GoodNumPath1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.pathsensitive;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 |
9 | /**
10 | * @author anemone(anemone95@qq.com)
11 | * @date 2021/8/31 16:57
12 | */
13 | @WebServlet("/flow/GoodPath1")
14 | public class GoodNumPath1 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
18 | String source;
19 | source = request.getParameter("source");
20 | int x = 86;
21 | if ((7*42)-x <200){
22 | Runtime.getRuntime().exec(source);
23 | } else {
24 | return;
25 | }
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/pathsensitive/GoodNumPath2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.pathsensitive;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 | import java.util.Random;
9 |
10 | /**
11 | * @author anemone(anemone95@qq.com)
12 | * @date 2021/8/31 16:57
13 | */
14 | @WebServlet("/flow/BadNumPath2")
15 | public class GoodNumPath2 extends HttpServlet {
16 |
17 | private static final long serialVersionUID = 1L;
18 |
19 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
20 | String source;
21 | source = request.getParameter("source");
22 | int x = new Random().nextInt();
23 | if (x * (x + 1) % 2 == 0) {
24 | return;
25 | } else {
26 | Runtime.getRuntime().exec(source);
27 | }
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/pathsensitive/GoodStrPath2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.pathsensitive;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 |
9 | /**
10 | * @author anemone(anemone95@qq.com)
11 | * @date 2021/8/31 16:57
12 | */
13 | @WebServlet("/flow/BadNumPath2")
14 | public class GoodStrPath2 extends HttpServlet {
15 |
16 | private static final long serialVersionUID = 1L;
17 |
18 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
19 | String source;
20 | source = request.getParameter("source");
21 | String x = "AB";
22 | if (x.charAt(0) == 'A') {
23 | return;
24 | } else {
25 | Runtime.getRuntime().exec(source);
26 | }
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/soundiness/reflect/ReflectBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.soundiness.reflect;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.BadTransformer;
4 | import top.anemone.taintbenchmark.auxiliary.Transformer;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 | import java.lang.reflect.InvocationTargetException;
13 | import java.lang.reflect.Method;
14 |
15 |
16 | @WebServlet("/Soundiness/ReflectBad1")
17 | public class ReflectBad1 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | try {
26 | Class clazz = BadTransformer.class;
27 | Transformer transformer = (Transformer) clazz.newInstance();
28 | Method m = clazz.getDeclaredMethod("transform", String.class);
29 | source = (String) m.invoke(transformer, source);
30 |
31 | Runtime.getRuntime().exec(source); // sink
32 | } catch (NoSuchMethodException | IllegalAccessException | InvocationTargetException | InstantiationException e) {
33 | e.printStackTrace();
34 | }
35 | }
36 | }
37 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/soundiness/reflect/ReflectBad2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.soundiness.reflect;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.Transformer;
4 |
5 | import javax.servlet.annotation.WebServlet;
6 | import javax.servlet.http.HttpServlet;
7 | import javax.servlet.http.HttpServletRequest;
8 | import javax.servlet.http.HttpServletResponse;
9 | import java.io.IOException;
10 | import java.io.PrintWriter;
11 | import java.lang.reflect.InvocationTargetException;
12 | import java.lang.reflect.Method;
13 |
14 |
15 | @WebServlet("/Soundiness/ReflectBad2")
16 | public class ReflectBad2 extends HttpServlet {
17 |
18 | private static final long serialVersionUID = 1L;
19 |
20 | @Override
21 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
22 | String source = request.getParameter("source");
23 |
24 | try {
25 | Class clazz = Class.forName("top.anemone.taintbenchmark.auxiliary.BadTransformer");
26 | Transformer transformer = (Transformer) clazz.newInstance();
27 | Method m = clazz.getDeclaredMethod("transform", String.class);
28 | source = (String) m.invoke(transformer, source);
29 |
30 | Runtime.getRuntime().exec(source); // sink
31 | } catch (NoSuchMethodException | IllegalAccessException | InvocationTargetException | InstantiationException | ClassNotFoundException e) {
32 | e.printStackTrace();
33 | }
34 | }
35 | }
36 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/soundiness/reflect/ReflectGood1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.soundiness.reflect;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.GoodTransformer;
4 | import top.anemone.taintbenchmark.auxiliary.Transformer;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 | import java.lang.reflect.InvocationTargetException;
13 | import java.lang.reflect.Method;
14 |
15 |
16 | @WebServlet("/Soundiness/ReflectGood1")
17 | public class ReflectGood1 extends HttpServlet {
18 |
19 | private static final long serialVersionUID = 1L;
20 |
21 | @Override
22 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
23 | String source = request.getParameter("source");
24 |
25 | try {
26 | Class clazz = GoodTransformer.class;
27 | Transformer transformer = (Transformer) clazz.newInstance();
28 | Method m = clazz.getDeclaredMethod("transform", String.class);
29 | source = (String) m.invoke(transformer, source);
30 |
31 | Runtime.getRuntime().exec(source); // sink
32 | } catch (NoSuchMethodException | IllegalAccessException | InvocationTargetException | InstantiationException e) {
33 | e.printStackTrace();
34 | }
35 | }
36 | }
37 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/soundiness/reflect/ReflectGood2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.soundiness.reflect;
2 |
3 | import top.anemone.taintbenchmark.auxiliary.Transformer;
4 |
5 | import javax.servlet.annotation.WebServlet;
6 | import javax.servlet.http.HttpServlet;
7 | import javax.servlet.http.HttpServletRequest;
8 | import javax.servlet.http.HttpServletResponse;
9 | import java.io.IOException;
10 | import java.io.PrintWriter;
11 | import java.lang.reflect.InvocationTargetException;
12 | import java.lang.reflect.Method;
13 |
14 |
15 | @WebServlet("/Soundiness/ReflectGood2")
16 | public class ReflectGood2 extends HttpServlet {
17 |
18 | private static final long serialVersionUID = 1L;
19 |
20 | @Override
21 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
22 | String source = request.getParameter("source");
23 |
24 | try {
25 | Class clazz = Class.forName("top.anemone.taintbenchmark.auxiliary.GoodTransformer");
26 | Transformer transformer = (Transformer) clazz.newInstance();
27 | Method m = clazz.getDeclaredMethod("transform", String.class);
28 | source = (String) m.invoke(transformer, source);
29 |
30 | Runtime.getRuntime().exec(source); // sink
31 | } catch (NoSuchMethodException | IllegalAccessException | InvocationTargetException | InstantiationException | ClassNotFoundException e) {
32 | e.printStackTrace();
33 | }
34 | }
35 | }
36 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/thread/ThreadBad1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.thread;
2 |
3 |
4 | import top.anemone.taintbenchmark.auxiliary.Container;
5 |
6 | import javax.servlet.annotation.WebServlet;
7 | import javax.servlet.http.HttpServlet;
8 | import javax.servlet.http.HttpServletRequest;
9 | import javax.servlet.http.HttpServletResponse;
10 | import java.io.IOException;
11 | import java.io.PrintWriter;
12 |
13 | class ContentWriter implements Runnable{
14 | private Container container;
15 | private String content;
16 | public ContentWriter(Container container, String content){
17 | this.container=container;
18 | this.content=content;
19 | }
20 |
21 | @Override
22 | public void run() {
23 | container.setObj(content);
24 | }
25 | }
26 |
27 | class RceRunner implements Runnable{
28 | private PrintWriter writer;
29 | private Container container;
30 | public RceRunner( Container container){
31 | this.container=container;
32 | }
33 |
34 | @Override
35 | public void run() {
36 | while (true){
37 | if (container.getObj()!=null){
38 | try {
39 | Runtime.getRuntime().exec(container.getObj());
40 | } catch (IOException e) {
41 | e.printStackTrace();
42 | }
43 | break;
44 | }
45 | }
46 | }
47 | }
48 |
49 | @WebServlet("/Thread/ThreadBad1")
50 | public class ThreadBad1 extends HttpServlet {
51 |
52 | private static final long serialVersionUID = 1L;
53 | @Override
54 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
55 | String source = request.getParameter("xss");
56 | response.setContentType("text/html;");
57 | Container cache=new Container<>();
58 | RceRunner rceRunner =new RceRunner(cache);
59 | ContentWriter contentWriter=new ContentWriter(cache, source);
60 | Thread t1=new Thread(rceRunner);
61 | t1.start();
62 | Thread t2=new Thread(contentWriter);
63 | t2.start();
64 | }
65 |
66 | }
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/java/top/anemone/taintbenchmark/withfrontend/BadBackend.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmark.withfrontend;
2 |
3 | import javax.servlet.annotation.WebServlet;
4 | import javax.servlet.http.HttpServlet;
5 | import javax.servlet.http.HttpServletRequest;
6 | import javax.servlet.http.HttpServletResponse;
7 | import java.io.IOException;
8 |
9 | @WebServlet("/BadBackend")
10 | public class BadBackend extends HttpServlet {
11 |
12 | @Override
13 | public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
14 | String source = request.getParameter("xss");
15 | response.setContentType("application/json");
16 | response.getWriter().write("{\"msg\": \""+source+"\"}");
17 | }
18 |
19 | }
20 |
--------------------------------------------------------------------------------
/taint-benchmark-code/src/main/resources/test.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
23 |
24 |
--------------------------------------------------------------------------------
/taint-benchmark-dep/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 | taint-benchmark
7 | top.anemone
8 | 1.0-SNAPSHOT
9 |
10 | 4.0.0
11 |
12 | taint-benchmark-dep
13 |
14 |
15 |
--------------------------------------------------------------------------------
/taint-benchmark-dep/src/main/java/top/anemone/taintbenchmarkdep/BadExecutor.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmarkdep;
2 |
3 | import java.io.IOException;
4 |
5 | public class BadExecutor implements Executor {
6 | private String cmd;
7 | public void setcmd(String s) {
8 | cmd=s;
9 | }
10 |
11 | public String getcmd() {
12 | return cmd;
13 | }
14 |
15 | public Process exe(String exe) throws IOException {
16 | return Runtime.getRuntime().exec(cmd);
17 | }
18 | }
19 |
--------------------------------------------------------------------------------
/taint-benchmark-dep/src/main/java/top/anemone/taintbenchmarkdep/ExeAgent1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmarkdep;
2 |
3 | import java.io.IOException;
4 |
5 | public class ExeAgent1 {
6 | public void exe(Executor taint) throws IOException {
7 | new BadExecutor().exe(taint.getcmd());
8 | }
9 | }
10 |
--------------------------------------------------------------------------------
/taint-benchmark-dep/src/main/java/top/anemone/taintbenchmarkdep/ExeAgent2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmarkdep;
2 |
3 | import java.io.IOException;
4 |
5 | public class ExeAgent2 {
6 | public void exe(Executor e, String taint) throws IOException {
7 | e.exe(taint);
8 | }
9 | }
10 |
--------------------------------------------------------------------------------
/taint-benchmark-dep/src/main/java/top/anemone/taintbenchmarkdep/Executor.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmarkdep;
2 |
3 | import java.io.IOException;
4 |
5 | public interface Executor {
6 | void setcmd(String s);
7 | String getcmd();
8 | Process exe(String exe) throws IOException;
9 | }
10 |
--------------------------------------------------------------------------------
/taint-benchmark-dep/src/main/java/top/anemone/taintbenchmarkdep/GoodExecutor1.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmarkdep;
2 |
3 | import java.io.IOException;
4 |
5 | public class GoodExecutor1 implements Executor {
6 | private String cmd;
7 | public void setcmd(String s) {
8 | cmd=s;
9 | }
10 |
11 | public String getcmd() {
12 | return cmd;
13 | }
14 |
15 | public Process exe(String exe) throws IOException {
16 | return Runtime.getRuntime().exec("ls");
17 | }
18 | }
19 |
--------------------------------------------------------------------------------
/taint-benchmark-dep/src/main/java/top/anemone/taintbenchmarkdep/GoodExecutor2.java:
--------------------------------------------------------------------------------
1 | package top.anemone.taintbenchmarkdep;
2 |
3 | import java.io.IOException;
4 |
5 | public class GoodExecutor2 implements Executor {
6 | private String cmd;
7 | public void setcmd(String s) {
8 | cmd=s;
9 | }
10 |
11 | public String getcmd() {
12 | return "exe";
13 | }
14 |
15 | public Process exe(String exe) throws IOException {
16 | return Runtime.getRuntime().exec(exe);
17 | }
18 | }
19 |
--------------------------------------------------------------------------------