I am using the "Find Security Bugs" plugin for Findbugs: https://find-sec-bugs.github.io/
Many of the detectors use "Taint analysis" to raise their warnings.
Is there any documentation on how to remove "taint" from a value?
I can't find any docs about this on their site, and I have been poking around their source code and can't figure it out:
- src/main/java/com/h3xstream/findsecbugs/taintanalysis
- src/main/resources/taint-config
- See also this wiki page "Injection detection"
The tool is identifying a possible injection bug from code like:
import javax.ws.rs.core.Response;
import org.apache.http.client.methods.HttpGet;
public Response get(String x, String y) throws IOException {
String url = String.format("%s/%s",
x,
y);
HttpGet request = new HttpGet(url); // HERE
...
}
I have fixed this bug to my satisfaction with:
import javax.ws.rs.core.Response;
import org.apache.http.client.methods.HttpGet;
import static com.google.common.net.UrlEscapers.urlPathSegmentEscaper;
public Response get(String x, String y) throws IOException {
String url = String.format("%s/%s",
urlPathSegmentEscaper().escape(x),
urlPathSegmentEscaper().escape(y));
HttpGet request = new HttpGet(url);
...
}
... but the tool is still flagging a possible bug. I believe that this is because it does not recognise "com.google.common.net.UrlEscapers.urlPathSegmentEscaper()
" as removing Taint here.
How can I persuade it otherwise? If I cannot, what sanitisation techniques can I use here that the tool does recognise?
An answer was given on the issue tracker : https://github.com/find-sec-bugs/find-sec-bugs/issues/346#issuecomment-334286419