diff --git a/core/opentaint-config/config/config/jar-split/ant-1.10.14.yaml b/core/opentaint-config/config/config/jar-split/ant-1.10.14.yaml
new file mode 100644
index 000000000..603e04614
--- /dev/null
+++ b/core/opentaint-config/config/config/jar-split/ant-1.10.14.yaml
@@ -0,0 +1,13 @@
+passThrough:
+# Apache Ant: FileSet.setDir(File) / setFile(File) — the file argument
+# is stored on the FileSet instance, so a subsequent
+# `copy.addFileset(fs)` sink that requires a tainted $FILE detects
+# the flow.
+- function: org.apache.tools.ant.types.FileSet#setDir
+ copy:
+ - from: arg(0)
+ to: this
+- function: org.apache.tools.ant.types.FileSet#setFile
+ copy:
+ - from: arg(0)
+ to: this
diff --git a/core/opentaint-config/config/config/jar-split/commons-codec-1.16.0.yaml b/core/opentaint-config/config/config/jar-split/commons-codec-1.16.0.yaml
new file mode 100644
index 000000000..10459d5ee
--- /dev/null
+++ b/core/opentaint-config/config/config/jar-split/commons-codec-1.16.0.yaml
@@ -0,0 +1,16 @@
+passThrough:
+# Apache Commons Codec — Base64 encode/decode just re-codes bytes
+# without disturbing the underlying tainted data, so taint should
+# flow from input to output.
+- function: org.apache.commons.codec.binary.Base64#encodeBase64String
+ copy:
+ - from: arg(0)
+ to: result
+- function: org.apache.commons.codec.binary.Base64#encodeBase64
+ copy:
+ - from: arg(0)
+ to: result
+- function: org.apache.commons.codec.binary.Base64#decodeBase64
+ copy:
+ - from: arg(0)
+ to: result
diff --git a/core/opentaint-config/config/config/jar-split/commons-io-2.15.1.yaml b/core/opentaint-config/config/config/jar-split/commons-io-2.15.1.yaml
new file mode 100644
index 000000000..ee9f1aa58
--- /dev/null
+++ b/core/opentaint-config/config/config/jar-split/commons-io-2.15.1.yaml
@@ -0,0 +1,8 @@
+passThrough:
+# Apache Commons IO: IOUtils.toString(InputStream|Reader|URL, ...) just
+# reads bytes/chars from its input and produces a String — taint flows
+# from the input source argument to the resulting String.
+- function: org.apache.commons.io.IOUtils#toString
+ copy:
+ - from: arg(0)
+ to: result
diff --git a/core/opentaint-config/config/config/jar-split/groovy-3.0.21.yaml b/core/opentaint-config/config/config/jar-split/groovy-3.0.21.yaml
new file mode 100644
index 000000000..07bb9afcb
--- /dev/null
+++ b/core/opentaint-config/config/config/jar-split/groovy-3.0.21.yaml
@@ -0,0 +1,9 @@
+passThrough:
+# Groovy compiler: CompilationUnit.addSource(name, source) — the
+# source text becomes part of the CompilationUnit instance that's
+# later compiled by .compile(), so the source-text argument taints
+# the unit.
+- function: org.codehaus.groovy.control.CompilationUnit#addSource
+ copy:
+ - from: arg(1)
+ to: this
diff --git a/core/opentaint-config/config/config/jar-split/httpcore5-5.2.4.yaml b/core/opentaint-config/config/config/jar-split/httpcore5-5.2.4.yaml
new file mode 100644
index 000000000..92c8a81fd
--- /dev/null
+++ b/core/opentaint-config/config/config/jar-split/httpcore5-5.2.4.yaml
@@ -0,0 +1,7 @@
+passThrough:
+# Apache HttpComponents 5 — String-arg wrapper constructor that the
+# SSRF sink rules use as an inline taint carrier.
+- function: org.apache.hc.core5.http.io.entity.StringEntity#
+ copy:
+ - from: arg(*)
+ to: this
diff --git a/core/opentaint-config/config/config/jar-split/jenkins-core-2.426.3.yaml b/core/opentaint-config/config/config/jar-split/jenkins-core-2.426.3.yaml
new file mode 100644
index 000000000..565b6f2f5
--- /dev/null
+++ b/core/opentaint-config/config/config/jar-split/jenkins-core-2.426.3.yaml
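Review bot: The `CompilationUnit#addSource` entry copies only `arg(1)`, so the single-argument overloads (`addSource(File)`, `addSource(URL)`, `addSource(SourceUnit)`) get no propagation if the analyzer matches every overload of the name, and a tainted path or stream source reaches `.compile()` untainted. A second entry for the one-argument forms, pinned with the `signature:` key the stdlib hunk uses (something like `signature: (java.io.File) org.codehaus.groovy.control.SourceUnit`, return type to be confirmed against the jar) with `- from: arg(0)` / `to: this`, would close that gap. The header comment should then list which overloads are covered rather than only `addSource(name, source)`.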
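Review bot: The `StringEntity#` constructor entry relies on `arg(*) → this`, the same form the stdlib hunk's own comment says "doesn't apply consistently enough" for the `java.net.URL#(String)` constructor and had to be replaced there by a `signature:`-pinned `arg(0)` entry. The new constructor entries in jenkins-core-2.426.3.yaml (`hudson.FilePath#`), unboundid-ldapsdk-6.0.11.yaml (`SearchRequest#`) and stdlib.yaml (`JMXServiceURL#`, `StreamSource#`) use the same pattern, so they may silently miss the flows the SSRF and LDAP rules depend on. If the inconsistency is a matcher limitation rather than something specific to URL, each of these should also get an explicit entry such as `signature: (java.lang.String) void` with `- from: arg(0)` / `to: this` for the String overload, or the limitation should be fixed in the matcher and the comment updated to say so.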
@@ -0,0 +1,7 @@
+passThrough:
+# hudson.FilePath wrapper constructor — taint flows from any
+# String/File/URL argument into the constructed FilePath instance.
+- function: hudson.FilePath#
+ copy:
+ - from: arg(*)
+ to: this
diff --git a/core/opentaint-config/config/config/jar-split/mvel2-2.5.2.Final.yaml b/core/opentaint-config/config/config/jar-split/mvel2-2.5.2.Final.yaml
new file mode 100644
index 000000000..5dc56a586
--- /dev/null
+++ b/core/opentaint-config/config/config/jar-split/mvel2-2.5.2.Final.yaml
@@ -0,0 +1,26 @@
+passThrough:
+# MVEL compile / executeExpression chain — compileExpression(expr)
+# returns a Serializable that's later passed to executeExpression /
+# MVELRuntime.execute as a tainted compiled program. The compile
+# methods just pass the input expression text through to the result.
+- function: org.mvel2.MVEL#compileExpression
+ copy:
+ - from: arg(0)
+ to: result
+- function: org.mvel2.MVEL#compileSetExpression
+ copy:
+ - from: arg(0)
+ to: result
+- function: org.mvel2.MVEL#compileGetExpression
+ copy:
+ - from: arg(0)
+ to: result
+# JSR-223 ScriptEngine compile / compiledScript
+- function: org.mvel2.jsr223.MvelScriptEngine#compile
+ copy:
+ - from: arg(0)
+ to: result
+- function: org.mvel2.jsr223.MvelScriptEngine#compiledScript
+ copy:
+ - from: arg(0)
+ to: result
diff --git a/core/opentaint-config/config/config/jar-split/okhttp-4.12.0.yaml b/core/opentaint-config/config/config/jar-split/okhttp-4.12.0.yaml
new file mode 100644
index 000000000..8a22331b3
--- /dev/null
+++ b/core/opentaint-config/config/config/jar-split/okhttp-4.12.0.yaml
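Review bot: The `org.mvel2.jsr223.MvelScriptEngine#compile` / `#compiledScript` entries only match call sites whose static receiver type is `MvelScriptEngine`, while JSR-223 code normally obtains the engine from `ScriptEngineManager` and calls `compile` through the `javax.script.Compilable` interface; the spring-ldap file's header comment in this same commit says both interface and impl entries are needed for exactly that situation. Unless stdlib.yaml already has it, a `javax.script.Compilable#compile` entry with `- from: arg(0)` / `to: result` is needed for the compiled-script chain to reach the `CompiledScript.eval()` sink. The one-line `# JSR-223 ScriptEngine compile / compiledScript` comment could say whether the interface-typed call site is covered elsewhere.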
@@ -0,0 +1,16 @@
+passThrough:
+# OkHttp Request.Builder — `new Request.Builder().url($X).build()` chain.
+# `.url()` mutates the builder and returns it (taint flows arg→this and
+# arg→result and this→result so the chain propagates through `.build()`).
+- function: okhttp3.Request$Builder#url
+ copy:
+ - from: arg(0)
+ to: result
+ - from: arg(0)
+ to: this
+ - from: this
+ to: result
+- function: okhttp3.Request$Builder#build
+ copy:
+ - from: this
+ to: result
diff --git a/core/opentaint-config/config/config/jar-split/spring-jdbc-5.3.39.yaml b/core/opentaint-config/config/config/jar-split/spring-jdbc-5.3.39.yaml
new file mode 100644
index 000000000..cfc9b8e02
--- /dev/null
+++ b/core/opentaint-config/config/config/jar-split/spring-jdbc-5.3.39.yaml
@@ -0,0 +1,9 @@
+passThrough:
+# Spring JDBC: NamedParameterUtils.parseSqlStatement(sql) returns a
+# ParsedSql wrapping the original SQL, which is then passed to
+# (Named)JdbcTemplate query/update sinks. The parse step itself just
+# preserves taint into the result.
+- function: org.springframework.jdbc.core.namedparam.NamedParameterUtils#parseSqlStatement
+ copy:
+ - from: arg(0)
+ to: result
diff --git a/core/opentaint-config/config/config/jar-split/spring-ldap-core-2.4.1.yaml b/core/opentaint-config/config/config/jar-split/spring-ldap-core-2.4.1.yaml
new file mode 100644
index 000000000..8b44a1e5b
--- /dev/null
+++ b/core/opentaint-config/config/config/jar-split/spring-ldap-core-2.4.1.yaml
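Review bot: The `okhttp3.Request$Builder` chain is propagated only through `url` and `build`, so any intermediate setter between them (`new Request.Builder().url($X).header("k", "v").build()`, or `.post(body)` / `.method(...)` / `.addHeader(...)`) breaks the `this → result` hand-off and the SSRF rule will not see the built request, unless the analyzer tracks the receiver object across the chain on its own — the spring-ldap header comment suggests it needs explicit per-method entries. The same gap exists in spring-web-5.3.39.yaml (`HeadersBuilder#header` / `accept`, `BodyBuilder#contentType` are absent) and in the stdlib hunk, where `java.net.http.HttpRequest$Builder` gets `uri`, `build` and `GET` but not `POST`, `PUT`, `DELETE`, `header`, `headers` or `timeout`. Each of these returns the builder, so each needs a `this → result` entry; for OkHttp that is the set below (likewise for `method`, `put`, `patch`, `delete` and `headers`).
```yaml
# … unchanged: Request$Builder#url and Request$Builder#build entries …
- function: okhttp3.Request$Builder#header
  copy:
    - from: this
      to: result
- function: okhttp3.Request$Builder#addHeader
  copy:
    - from: this
      to: result
- function: okhttp3.Request$Builder#post
  copy:
    - from: this
      to: result
```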
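Review bot: The `parseSqlStatement` entry covers the parse step, but the public step that turns the `ParsedSql` back into the SQL string that actually reaches the driver is `NamedParameterUtils.substituteNamedParameters(ParsedSql, SqlParameterSource)`; if the sink rules match `(Named)JdbcTemplate` on the String argument rather than on the `ParsedSql` object, taint stops at the parsed object. An entry `- function: org.springframework.jdbc.core.namedparam.NamedParameterUtils#substituteNamedParameters` with the same `arg(0) → result` copy block would carry it through. The header comment should state which of the two objects the sink rules key on, so the next reader can tell whether the omission is intentional.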
@@ -0,0 +1,109 @@
+passThrough:
+# Spring LDAP query builder chain:
+# LdapQueryBuilder.query().base(dn).where(attr).is(val) ... -> LdapQuery
+#
+# The chain mixes the public LdapQueryBuilder/ConditionCriteria/
+# ContainerCriteria interfaces with the package-private
+# DefaultConditionCriteria / DefaultContainerCriteria impls. The
+# analyzer's chain-split sees the impl-class call sites, so both
+# interface and impl entries are needed.
+#
+# The direct `arg(0) → result` form is what actually propagates taint
+# through the chain; the two-step `arg(0)→this` + `this→result` form
+# alone wasn't enough (the chain has too many implicit intermediates
+# for two-step propagation to reach end-to-end without the direct
+# shortcut).
+- function: org.springframework.ldap.query.LdapQueryBuilder#base
+ copy:
+ - from: arg(0)
+ to: result
+ - from: arg(0)
+ to: this
+ - from: this
+ to: result
+- function: org.springframework.ldap.query.LdapQueryBuilder#where
+ copy:
+ - from: arg(0)
+ to: result
+ - from: arg(0)
+ to: this
+ - from: this
+ to: result
+- function: org.springframework.ldap.query.LdapQueryBuilder#filter
+ copy:
+ - from: arg(0)
+ to: result
+ - from: arg(0)
+ to: this
+ - from: this
+ to: result
+- function: org.springframework.ldap.query.ConditionCriteria#is
+ copy:
+ - from: arg(0)
+ to: result
+ - from: arg(0)
+ to: this
+ - from: this
+ to: result
+- function: org.springframework.ldap.query.ConditionCriteria#like
+ copy:
+ - from: arg(0)
+ to: result
+ - from: arg(0)
+ to: this
+ - from: this
+ to: result
+- function: org.springframework.ldap.query.ConditionCriteria#whitespaceWildcardsLike
+ copy:
+ - from: arg(0)
+ to: result
+ - from: arg(0)
+ to: this
+ - from: this
+ to: result
+- function: org.springframework.ldap.query.ContainerCriteria#and
+ copy:
+ - from: this
+ to: result
+- function: org.springframework.ldap.query.ContainerCriteria#or
+ copy:
+ - from: this
+ to: result
+- function: org.springframework.ldap.query.DefaultConditionCriteria#is
+ copy:
+ - from: arg(0)
+ to: this
+ - from: arg(0)
+ to: result
+ - from: this
+ to: result
+- function: org.springframework.ldap.query.DefaultConditionCriteria#like
+ copy:
+ - from: arg(0)
+ to: this
+ - from: arg(0)
+ to: result
+ - from: this
+ to: result
+- function: org.springframework.ldap.query.DefaultConditionCriteria#whitespaceWildcardsLike
+ copy:
+ - from: arg(0)
+ to: this
+ - from: arg(0)
+ to: result
+ - from: this
+ to: result
+- function: org.springframework.ldap.query.DefaultContainerCriteria#and
+ copy:
+ - from: this
+ to: result
+- function: org.springframework.ldap.query.DefaultContainerCriteria#or
+ copy:
+ - from: this
+ to: result
+- function: org.springframework.ldap.query.DefaultContainerCriteria#append
+ copy:
+ - from: arg(0)
+ to: this
+ - from: this
+ to: result
diff --git a/core/opentaint-config/config/config/jar-split/spring-web-5.3.39.yaml b/core/opentaint-config/config/config/jar-split/spring-web-5.3.39.yaml
new file mode 100644
index 000000000..0d3ac94bd
--- /dev/null
+++ b/core/opentaint-config/config/config/jar-split/spring-web-5.3.39.yaml
@@ -0,0 +1,16 @@
+passThrough:
+# Spring RequestEntity static factories + builder .build() — used by
+# the SSRF rule's chained-builder pattern:
+# RequestEntity.get(URI.create($X)).build()
+- function: org.springframework.http.RequestEntity#get
+ copy:
+ - from: arg(0)
+ to: result
+- function: org.springframework.http.RequestEntity$BodyBuilder#build
+ copy:
+ - from: this
+ to: result
+- function: org.springframework.http.RequestEntity$HeadersBuilder#build
+ copy:
+ - from: this
+ to: result
diff --git a/core/opentaint-config/config/config/jar-split/unboundid-ldapsdk-6.0.11.yaml b/core/opentaint-config/config/config/jar-split/unboundid-ldapsdk-6.0.11.yaml
new file mode 100644
index 000000000..466f26e62
--- /dev/null
+++ b/core/opentaint-config/config/config/jar-split/unboundid-ldapsdk-6.0.11.yaml
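Review bot: `ConditionCriteria` and `DefaultConditionCriteria` get entries for `is`, `like` and `whitespaceWildcardsLike`, but the other value-taking comparison methods on the same interface (`gte` and `lte`, which as far as I can tell are present in 2.4.1) are missing, so a filter built as `.where("uid").gte($X)` drops the taint at the comparison step while `.is($X)` keeps it. Each needs the same seven-line copy block as the `#is` entries, on both the interface and the `Default*` impl. It is also worth confirming that `not()` / `isPresent()` are intentionally excluded (they take no value, so only `this → result` would matter) and saying so in the header comment, which otherwise reads as if the list were complete.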
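Review bot: The `RequestEntity$BodyBuilder` chain is propagated only through `build`, but the usual terminal for the body-carrying factories is `body(T)` (`RequestEntity.post(uri).body(payload)` returns the `RequestEntity` directly), and `get` is the only factory listed, so `post`, `put`, `patch`, `delete`, `head`, `options` and `method(HttpMethod, URI)` (URI at `arg(1)`) never carry the tainted URI into the builder. The header comment states the SSRF rule's pattern as `RequestEntity.get(URI.create($X)).build()`; either the missing entries should be added or the comment should say the rule is deliberately limited to GET+build. The entries below show the shape (the remaining factories follow `post`).
```yaml
# … unchanged: RequestEntity#get and the two *Builder#build entries …
- function: org.springframework.http.RequestEntity#post
  copy:
    - from: arg(0)
      to: result
- function: org.springframework.http.RequestEntity#method
  copy:
    - from: arg(1)
      to: result
- function: org.springframework.http.RequestEntity$BodyBuilder#body
  copy:
    - from: this
      to: result
```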
@@ -0,0 +1,5 @@
+passThrough:
+- function: com.unboundid.ldap.sdk.SearchRequest#
+ copy:
+ - from: arg(*)
+ to: this
diff --git a/core/opentaint-config/config/config/jar-split/velocity-engine-core-2.3.yaml b/core/opentaint-config/config/config/jar-split/velocity-engine-core-2.3.yaml
new file mode 100644
index 000000000..309cc5d3e
--- /dev/null
+++ b/core/opentaint-config/config/config/jar-split/velocity-engine-core-2.3.yaml
@@ -0,0 +1,13 @@
+passThrough:
+# Apache Velocity: VelocityContext.put($k, $v) and the AbstractContext
+# super-class — taint flows from the value argument into the context
+# instance so a tainted value carried into the context reaches a
+# subsequent VelocityEngine.evaluate / Template.merge sink.
+- function: org.apache.velocity.VelocityContext#put
+ copy:
+ - from: arg(1)
+ to: this
+- function: org.apache.velocity.context.AbstractContext#put
+ copy:
+ - from: arg(1)
+ to: this
diff --git a/core/opentaint-config/config/config/stdlib.yaml b/core/opentaint-config/config/config/stdlib.yaml
index 6d809f14f..1d9e8bfbd 100644
--- a/core/opentaint-config/config/config/stdlib.yaml
+++ b/core/opentaint-config/config/config/stdlib.yaml
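Review bot: This is the only new jar-split file without a header comment, so a reader cannot tell which `SearchRequest` constructor overloads and which flow (base DN vs. filter string into the LDAP injection sink) the `arg(*) → this` entry is meant to cover; a comment in the style of the other files, e.g. `# UnboundID SearchRequest(baseDN, scope, filter, ...) — base DN and filter strings taint the request object handed to LDAPConnection.search`, would fix that. `SearchRequest` is also mutable: `setBaseDN(String)` and `setFilter(String)` accept the same caller-controlled strings after construction, so `req.setFilter($X)` is missed by a constructor-only rule; each needs an `arg(0) → this` entry, assuming the sink is the request object as this entry implies.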
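Review bot: Both `put` entries are on concrete classes (`VelocityContext`, `AbstractContext`), but template code frequently holds the context as the `org.apache.velocity.context.Context` interface (it is what `VelocityEngine.evaluate` and `Template.merge` take), and the spring-ldap header comment in this commit says the analyzer needs interface entries as well as impl entries for call sites typed that way; an `org.apache.velocity.context.Context#put` entry with the same `arg(1) → this` block keeps this file consistent with that rule. The `VelocityContext(Map)` constructor, which seeds the context from a caller-supplied map, is also not covered, so a tainted map never taints the context; `- function: org.apache.velocity.VelocityContext#` with `- from: arg(0)` / `to: this`, using the `#`-suffix constructor form the other files use, closes that.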
@@ -21358,3 +21358,90 @@ passThrough:
 to:
 - this
 - .java.io.InputStream##java.lang.Object
+
+# ── Collection / Iterator / Iterable / Enumeration ─────────────────────
+- function: java.util.Collection#iterator
+ copy:
+ - from: this
+ to: result
+- function: java.lang.Iterable#iterator
+ copy:
+ - from: this
+ to: result
+- function: java.util.Iterator#next
+ copy:
+ - from: this
+ to: result
+- function: java.util.Enumeration#nextElement
+ copy:
+ - from: this
+ to: result
+
+# ── java.lang.String#getBytes (String → byte[]) ────────────────────────
+- function: java.lang.String#getBytes
+ copy:
+ - from: this
+ to: result
+
+# ── java.util.Base64$Encoder ──────────────────────────────────────────
+- function: java.util.Base64$Encoder#encodeToString
+ copy:
+ - from: arg(0)
+ to: result
+- function: java.util.Base64$Encoder#encode
+ copy:
+ - from: arg(0)
+ to: result
+
+# ── java.net.URL (String) constructor (direct arg→this; the existing
+# URL#(String) entry uses arg(*) which doesn't apply consistently
+# enough for tests like UnsafeStaplerServeFileServlet) ────────────────
+- function: java.net.URL#
+ signature: (java.lang.String) void
+ copy:
+ - from: arg(0)
+ to: this
+
+# ── java.net.URI ──────────────────────────────────────────────────────
+- function: java.net.URI#create
+ copy:
+ - from: arg(0)
+ to: result
+
+# ── javax.management JMX (stdlib management API) ───────────────────────
+- function: javax.management.remote.JMXServiceURL#
+ copy:
+ - from: arg(*)
+ to: this
+- function: javax.management.remote.JMXConnectorFactory#newJMXConnector
+ copy:
+ - from: arg(0)
+ to: result
+
+# ── javax.xml.transform.stream.StreamSource ────────────────────────────
+- function: javax.xml.transform.stream.StreamSource#
+ copy:
+ - from: arg(*)
+ to: this
+
+# ── java.net.http.HttpRequest$Builder (Java 11+ HttpClient) ───────────
+- function: java.net.http.HttpRequest#newBuilder
+ copy:
+ - from: arg(0)
+ to: result
+- function: java.net.http.HttpRequest$Builder#uri
+ copy:
+ - from: arg(0)
+ to: result
+ - from: arg(0)
+ to: this
+ - from: this
+ to: result
+- function: java.net.http.HttpRequest$Builder#build
+ copy:
+ - from: this
+ to: result
+- function: java.net.http.HttpRequest$Builder#GET
+ copy:
+ - from: this
+ to: result
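Review bot: In the `java.util.Base64$Encoder` section, `encode` is mapped only as `arg(0) → result`, but `Encoder.encode(byte[] src, byte[] dst)` writes the encoded bytes into `dst` and returns an `int`, so for that overload the taint belongs on `arg(1)`; either pin the entry with `signature:` as the `java.net.URL#` entry in this hunk does, or add a second copy `- from: arg(0)` / `to: arg(1)`. The section also covers only the encode direction while commons-codec-1.16.0.yaml in this commit covers both; unless `java.util.Base64$Decoder#decode` already exists elsewhere in stdlib.yaml, decoded payloads (the usual shape of data feeding deserialization and XML sinks) lose taint at `getDecoder().decode(...)`. The enclosing `passThrough:` list starts far above this hunk, so I cannot see whether any of the new entries duplicate existing ones.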