How to remove "taint" for Findbugs "Find Security Bugs"

475 Views Asked by At

I am using the "Find Security Bugs" plugin for Findbugs: https://find-sec-bugs.github.io/

Many of the detectors use "Taint analysis" to raise their warnings.

Is there any documentation on how to remove "taint" from a value?

I can't find any docs about this on their site, and I have been poking around their source code and can't figure it out:

The tool is identifying a possible injection bug from code like:

import javax.ws.rs.core.Response;
import org.apache.http.client.methods.HttpGet;

public Response get(String x, String y) throws IOException {

    String url = String.format("%s/%s",
            x,
            y);

    HttpGet request = new HttpGet(url); // HERE

    ...
}

I have fixed this bug to my satisfaction with:

import javax.ws.rs.core.Response;
import org.apache.http.client.methods.HttpGet;
import static com.google.common.net.UrlEscapers.urlPathSegmentEscaper;

public Response get(String x, String y) throws IOException {

    String url = String.format("%s/%s",
            urlPathSegmentEscaper().escape(x),
            urlPathSegmentEscaper().escape(y));

    HttpGet request = new HttpGet(url);

    ...
}

... but the tool is still flagging a possible bug. I believe that this is because it does not recognise "com.google.common.net.UrlEscapers.urlPathSegmentEscaper()" as removing Taint here.

How can I persuade it otherwise? If I cannot, what sanitisation techniques can I use here that the tool does recognise?

1

There are 1 best solutions below

0
On