Class TaintTracking::TaintTracking::Configuration

A configuration of interprocedural taint tracking analysis. This defines sources, sinks, and any other configurable aspect of the analysis. Each use of the taint tracking library must define its own unique extension of this abstract class.

A taint-tracking configuration is a special data flow configuration (DataFlow::Configuration) that allows for flow through nodes that do not necessarily preserve values but are still relevant from a taint-tracking perspective. (For example, string concatenation, where one of the operands is tainted.)

To create a configuration, extend this class with a subclass whose characteristic predicate is a unique singleton string. For example, write

class MyAnalysisConfiguration extends TaintTracking::Configuration {
  MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
  // Override `isSource` and `isSink`.
  // Optionally override `isSanitizer`.
  // Optionally override `isSanitizerEdge`.
  // Optionally override `isAdditionalTaintStep`.
}

Then, to query whether there is flow between some source and sink, write

exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))

Multiple configurations can coexist, but it is unsupported to depend on a TaintTracking::Configuration or a DataFlow::Configuration in the overridden predicates that define sources, sinks, or additional steps. Instead, the dependency should go to a TaintTracking::Configuration2 or a DataFlow{2,3,4}::Configuration.
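A complete configuration following the pattern above, added here as an illustration and not taken from the CodeQL documentation. It assumes the Java libraries (`import java`, `RemoteFlowSource`, `MethodAccess`); `sanitizeShellArg` and `getRaw` are hypothetical application methods, and the query id is constructed.

```ql
/**
 * @name Untrusted input reaches Runtime.exec (added example)
 * @kind path-problem
 * @problem.severity error
 * @id example/runtime-exec-taint
 */

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph

class RuntimeExecConfig extends TaintTracking::Configuration {
  // The characteristic predicate binds `this` to a unique singleton string.
  RuntimeExecConfig() { this = "RuntimeExecConfig" }

  // Sources: anything the standard library models as remote user input.
  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sinks: the first argument of java.lang.Runtime.exec(...).
  override predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess ma |
      ma.getMethod().hasName("exec") and
      ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "Runtime") and
      sink.asExpr() = ma.getArgument(0)
    )
  }

  // Sanitizer: taint does not flow into the result of the (hypothetical)
  // validator `sanitizeShellArg`, so paths passing through it are dropped.
  override predicate isSanitizer(DataFlow::Node node) {
    node.asExpr().(MethodAccess).getMethod().hasName("sanitizeShellArg")
  }

  // Additional step: a (hypothetical) wrapper getter `getRaw()` that the default
  // steps do not model; the call result is tainted when its qualifier is.
  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
    exists(MethodAccess ma |
      ma.getMethod().hasName("getRaw") and
      node1.asExpr() = ma.getQualifier() and
      node2.asExpr() = ma
    )
  }
}

from RuntimeExecConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Command built from $@.", source.getNode(), "user input"
```

Because `isAdditionalTaintStep` is only followed when its target is not in `isSanitizer`, a `getRaw()` result that is itself wrapped in `sanitizeShellArg(...)` produces no alert.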

Direct supertypes

Indirect supertypes

Predicates

isAdditionalFlowStep

Holds if the additional flow step from node1 to node2 must be taken into account in the analysis.

isAdditionalTaintStep

Holds if the additional taint propagation step from source to target must be taken into account in the analysis. This step will only be followed if target is not in the isSanitizer predicate.

isBarrier

Holds if data flow through node is prohibited.

isBarrierEdge

DEPRECATED: use isSanitizerEdge instead.

isSanitizer

Holds if taint should not flow into node.

isSanitizerEdge

Holds if data flow from node1 to node2 is prohibited.

isSink

Holds if sink is a taint sink.

isSource

Holds if source is a taint source.

Inherited predicates

charAt

Returns a one-character string containing the character in the receiver at the given index (which ranges from 0 through length minus one)

from string
fieldFlowBranchLimit

Gets the virtual dispatch branching limit when calculating field flow. This can be overridden to a smaller value to improve performance (a value of 0 disables field flow), or a larger value to get more results.

from Configuration
hasFlow

Holds if data may flow from source to sink for this configuration.

from Configuration
hasFlowBackward

DEPRECATED: use hasFlow instead.

from Configuration
hasFlowForward

DEPRECATED: use hasFlow instead.

from Configuration
hasFlowPath

Holds if data may flow from source to sink for this configuration.

from Configuration
hasFlowTo

Holds if data may flow from some source to sink for this configuration.

from Configuration
hasFlowToExpr

Holds if data may flow from some source to sink for this configuration.

from Configuration
indexOf

Returns all the offsets at which the given string occurs in the receiver

from string
indexOf

Returns the index of the n’th occurrence of the given string within the receiver, starting at the given offset

from string
isLowercase

Holds when the receiver contains no upper-case letters

from string
isUppercase

Holds when the receiver contains no lower-case letters

from string
length

Returns the length of the receiver (in UTF-16 code units)

from string
matches

Holds when the receiver matches the pattern. Patterns are matched by case sensitive string matching, and there are two wildcards: _ matches a single character, and % matches any sequence of characters. To match the actual characters _ or % in the pattern, they must be escaped using backslashes. For example, "anythingstring%".matches("%string\\%") holds.

from string
prefix

Returns the substring of the receiver ending at the given offset

from string
regexpCapture

When the given regexp matches the entire receiver, returns the substring matched by the given capture group

from string
regexpFind

Returns a substring of the receiver which matches the given regexp. Also returns the offset within the receiver at which the match occurred (occurrenceOffset), and the number of matches which occur at smaller offsets (occurrenceIndex)

from string
regexpMatch

Holds when the given regexp matches the entire receiver

from string
regexpReplaceAll

Returns a copy of the receiver with every substring which matches the given regexp replaced by the replacement

from string
replaceAll

Returns a copy of the receiver with all occurrences of the target replaced by the replacement

from string
splitAt

Returns all of the substrings obtained by splitting the receiver at every occurrence of the argument

from string
splitAt

Returns the n’th substring obtained by splitting the receiver at every occurrence of the argument

from string
substring

Returns the substring of the receiver which starts and ends at the given indices

from string
suffix

Returns the substring of the receiver starting at the given offset

from string
toDate

Returns the date, if any, obtained by parsing the receiver

from string
toFloat

Returns the floating point number, if any, obtained by parsing the receiver

from string
toInt

Returns the integer, if any, obtained by parsing the receiver

from string
toLowerCase

Returns a copy of the receiver with all uppercase characters replaced by lowercase ones

from string
toString

Returns the receiver

from string
toUpperCase

Returns a copy of the receiver with all lowercase characters replaced by uppercase ones

from string
trim

Returns a copy of the receiver with all whitespace removed from the beginning and end of the string (where whitespace is defined as unicode codepoints ‘\u0000’ through ‘\u0020’ inclusive)

from string

Charpred