How to remove "taint" for Findbugs "Find Security Bugs"

Question

I am using the "Find Security Bugs" plugin for Findbugs: https://find-sec-bugs.github.io/

Many of the detectors use "Taint analysis" to raise their warnings.

Is there any documentation on how to remove "taint" from a value?

I can't find any docs about this on their site, and I have been poking around their source code and can't figure it out:

• src/main/java/com/h3xstream/findsecbugs/taintanalysis
• src/main/resources/taint-config
• See also this wiki page "Injection detection"

The tool is identifying a possible injection bug from code like:

import javax.ws.rs.core.Response;
import org.apache.http.client.methods.HttpGet;

public Response get(String x, String y) throws IOException {

    String url = String.format("%s/%s",
            x,
            y);

    HttpGet request = new HttpGet(url); // HERE

    ...
}

I have fixed this bug to my satisfaction with:

import javax.ws.rs.core.Response;
import org.apache.http.client.methods.HttpGet;
import static com.google.common.net.UrlEscapers.urlPathSegmentEscaper;

public Response get(String x, String y) throws IOException {

    String url = String.format("%s/%s",
            urlPathSegmentEscaper().escape(x),
            urlPathSegmentEscaper().escape(y));

    HttpGet request = new HttpGet(url);

    ...
}

... but the tool is still flagging a possible bug. I believe that this is because it does not recognise "com.google.common.net.UrlEscapers.urlPathSegmentEscaper()" as removing Taint here.

How can I persuade it otherwise? If I cannot, what sanitisation techniques can I use here that the tool does recognise?

Answer 1

An answer was given on the issue tracker : https://github.com/find-sec-bugs/find-sec-bugs/issues/346#issuecomment-334286419