Merge pull request #609 from timll/fixAPWarning

Fix various "Primitive types cannot have fields" warnings observed in real-world apps

Author: StevenArzt

soot-infoflow-summaries/summariesManual/java.lang.Object.xml

@@ -3,7 +3,7 @@
 	<methods>
 		<method id="java.lang.String toString()">
 			<flows>
-				<flow isAlias="false" typeChecking="false">
+				<flow isAlias="false" typeChecking="false" cutSubfields="true">
 					<from sourceSinkType="Field" />
 					<to sourceSinkType="Return" />
 				</flow>

soot-infoflow-summaries/summariesManual/java.math.BigDecimal.xml

@@ -855,9 +855,7 @@
 					<from sourceSinkType="Field"
 						AccessPath="[java.math.BigDecimal: java.lang.Object value]"
 						AccessPathTypes="[java.lang.Object]" />
-					<to sourceSinkType="Return"
-						AccessPath="[java.math.BigDecimal: java.lang.Object value]"
-						AccessPathTypes="[java.lang.Object]" />
+					<to sourceSinkType="Return" />
 				</flow>
 			</flows>
 		</method>

soot-infoflow-summaries/summariesManual/java.math.BigInteger.xml

@@ -470,8 +470,7 @@
 				<flow isAlias="false" typeChecking="false">
 					<from sourceSinkType="Field" AccessPath="[java.math.BigInteger: java.lang.Object value]"
 						AccessPathTypes="[java.lang.Object]" />
-					<to sourceSinkType="Return" AccessPath="[java.math.BigInteger: java.lang.Object value]"
-						AccessPathTypes="[java.lang.Object]" />
+					<to sourceSinkType="Return" />
 				</flow>
 			</flows>
 		</method>

soot-infoflow-summaries/test/soot/jimple/infoflow/test/methodSummary/ApiClassClient.java

@@ -3,6 +3,9 @@
 import java.io.ByteArrayOutputStream;
 import java.io.ObjectOutputStream;
 import java.io.ObjectOutputStream.PutField;
+import java.math.BigInteger;
+import java.util.HashMap;
+import java.util.Map;
 
 public class ApiClassClient {
 	public Object source() {
@@ -275,4 +278,28 @@ public void killTaint2() {
 		sink(collection.get());
 	}
 
+	public void taintedFieldToString() {
+		Data d = new Data();
+		d.objectField = source();
+		// in: d.objectField
+		// expected out: str (not str.objectField!)
+		String str = d.toString();
+		char c = str.charAt(2);
+		sink(c);
+	}
+
+	public void bigIntegerToString() {
+		BigInteger i = new BigInteger(stringSource());
+		String str = i.toString();
+		char c = str.charAt(2);
+		sink(c);
+	}
+
+	public void mapToString() {
+		Map<String, String> map = new HashMap<>();
+		map.put("Secret", stringSource());
+		String str = map.toString();
+		char c = str.charAt(2);
+		sink(c);
+	}
 }

soot-infoflow-summaries/test/soot/jimple/infoflow/test/methodSummary/junit/SummaryTaintWrapperTests.java

@@ -212,6 +212,21 @@ public void killTaint2() {
 		testNoFlowForMethod("<soot.jimple.infoflow.test.methodSummary.ApiClassClient: void killTaint2()>");
 	}
 
+	@Test(timeout = 30000)
+	public void taintedFieldToString() {
+		testFlowForMethod("<soot.jimple.infoflow.test.methodSummary.ApiClassClient: void taintedFieldToString()>");
+	}
+
+	@Test(timeout = 30000)
+	public void bigIntegerToString() {
+		testFlowForMethod("<soot.jimple.infoflow.test.methodSummary.ApiClassClient: void bigIntegerToString()>");
+	}
+
+	@Test(timeout = 30000)
+	public void mapToString() {
+		testFlowForMethod("<soot.jimple.infoflow.test.methodSummary.ApiClassClient: void mapToString()>");
+	}
+
 	@Test
 	public void testAllSummaries() throws URISyntaxException, IOException {
 		EagerSummaryProvider provider = new EagerSummaryProvider(TaintWrapperFactory.DEFAULT_SUMMARY_DIR);