Draft
Changes from all commits
50 commits
0edf76c
feat(analyzer): Add third-party + stdlib taint passThrough propagators
misonijnik May 22, 2026
47442d0
refactor(analyzer): Complete passThrough builder chains and package c…
misonijnik May 24, 2026
d35886d
refactor(analyzer): Route wrapper/builder taint through typed virtual…
misonijnik May 25, 2026
39253c3
refactor(analyzer): Drop passThrough approximations duplicated elsewhere
misonijnik May 25, 2026
69443a7
refactor(analyzer): Fix RequestEntity static factories in v7, drop 5.…
misonijnik May 25, 2026
e2d0bb6
refactor(analyzer): Use builder-typed RequestEntity slot with re-key …
misonijnik May 25, 2026
ec3bdd8
refactor(analyzer): Type virtual-field slot owners precisely with re-…
misonijnik May 26, 2026
0b087fd
refactor(analyzer): Exact per-overload signatures and named vfields i…
misonijnik May 27, 2026
898e120
More Java/Kotlin rules
dvvrd Mar 24, 2026
162bf90
Wire missing -in-servlet-app/-in-spring-app rules and add CodeQL sani…
misonijnik May 16, 2026
3b63cc9
Add CodeQL-aligned LDAP/SSRF/XSS sanitizers and exercising negative t…
misonijnik May 16, 2026
32a2d10
Add minimal repros for analyzer FN gaps + the propagators that fix them
misonijnik May 17, 2026
b994ee7
Add JVM-level regression tests for pattern-matcher behaviours touched…
misonijnik May 17, 2026
d81967c
Add Servlet API propagators + widen servlet entry-point pattern
misonijnik May 17, 2026
ebdad96
Drive rules/test FN from 281 to 7 with CI-style JVM flags
misonijnik May 17, 2026
a881331
Add CodeQL-aligned barriers with test bank for path, ssrf, ldap, log,…
misonijnik May 17, 2026
be463a0
More CodeQL-aligned barriers: XPath, SSTI, deser, log line-breaks, re…
misonijnik May 17, 2026
ea4dfd2
Add SMTP CRLF, unvalidated-redirect, and Spring/XSS barrier sanitizers
misonijnik May 17, 2026
2c934f1
Add ValidatingObjectInputStream deserialization barrier test
misonijnik May 17, 2026
3f11f56
More XSS encoder barriers: Apache escapeEcmaScript, OWASP ESAPI suite
misonijnik May 17, 2026
fdfb94a
Extend response-injection barriers to match XSS encoder set
misonijnik May 17, 2026
62aebee
Extend spring-response-injection barriers to match XSS encoder set
misonijnik May 17, 2026
e3ebc47
Add CodeQL external barrierModel sanitizers: File.getName + ESAPI Val…
misonijnik May 17, 2026
8464989
Treat URL encoders as CRLF/http-response-splitting barriers
misonijnik May 17, 2026
2450aa3
Add Jenkins hudson.Util.escape as XSS / response-injection barrier
misonijnik May 17, 2026
bf6a71f
Drop ESAPI Validator.getValidURI — not in current ESAPI surface
misonijnik May 17, 2026
a30ad58
Add pixee java-security-toolkit barriers: HtmlEncoder, Newlines
misonijnik May 17, 2026
2fd03a3
Add pixee Urls.create as SSRF barrier
misonijnik May 17, 2026
6fcab02
Add pixee Urls.create as unvalidated-redirect barrier
misonijnik May 17, 2026
8376266
Add pixee deser + reflection barriers
misonijnik May 17, 2026
4641bee
Drop runCommandAsString sanitizer (not in pixee 1.2.3 API)
misonijnik May 17, 2026
bf83fd2
Add pixee jakarta.PathValidator.validateDispatcherPath as url-forward…
misonijnik May 17, 2026
c86cefb
Eliminate remaining 7 FN by fixing sink + propagator gaps
misonijnik May 17, 2026
33ff37f
Remove rule tests
misonijnik May 18, 2026
00b5904
Polish rules: dedupe, fix typos, consolidate provenance
misonijnik May 18, 2026
959a69a
Activate rule-test suite end-to-end: rename test IDs, add propagators
misonijnik May 18, 2026
84f16af
ssrf-sinks: add inline URL/URI wrapper variants for 9 missing sinks
misonijnik May 18, 2026
3b06212
ssrf-sinks: refactor URL/URI wrappers into pattern-inside let-bindings
misonijnik May 18, 2026
43bd832
ssrf-sinks: chain pattern-inside let-bindings via shared metavars
misonijnik May 18, 2026
27a8049
ssrf-sinks: collapse builder-chain steps into a single multi-line pat…
misonijnik May 18, 2026
b4cd62b
ssrf-sinks: document why `$_` is the .uri/.url receiver
misonijnik May 18, 2026
c5606bd
ssrf-sinks: use literal `new Request.Builder()` for OkHttp, keep `$_`…
misonijnik May 18, 2026
506d1df
ssrf-sinks: bind HttpRequest newBuilder() receiver via $NEW_BUILDER
misonijnik May 20, 2026
9006f0d
Remove new taint sources (revert to origin/main source rules)
misonijnik May 22, 2026
079c81a
ci-rules: overlay source propagators into analyzer jar
misonijnik May 22, 2026
50cdbe9
ci-rules: overlay config with zip to avoid jar uf duplicate-entry crash
misonijnik May 22, 2026
224885c
rules: detect taint entering wrappers carried on virtual fields
misonijnik May 26, 2026
ee96c70
rules: pin ognl-injection-sinks Map.of receiver via pattern-inside
misonijnik May 27, 2026
32180a0
rules: leave $COND unconstrained in ldap-injection-sinks Spring block
misonijnik May 27, 2026
e653e3c
ci-rules: point config overlay at relocated java-config path
misonijnik May 29, 2026
22 changes: 22 additions & 0 deletions .github/workflows/ci-rules.yaml
@@ -4,11 +4,13 @@ on:
push:
paths:
- 'rules/**'
- 'core/opentaint-config/java-config/config/**'
- '.github/workflows/ci-rules.yaml'
branches: [ "main" ]
pull_request:
paths:
- 'rules/**'
- 'core/opentaint-config/java-config/config/**'
- '.github/workflows/ci-rules.yaml'
branches: [ "main" ]
workflow_dispatch:
@@ -70,6 +72,26 @@ jobs:
--logs-file autobuild.log \
--verbosity debug

- name: Use source propagators (overlay repo config into analyzer jar)
run: |
# The rule-test runner (--debug-run-rule-tests -> TestProjectAnalyzer)
# loads taint passThrough rules only from the analyzer jar's bundled
# /java-config resources (loadDefaultConfig -> ConfigLoader); it does NOT read
# --approximations-config. The released analyzer jar is built from main,
# so its bundled config lacks the propagators kept in this repo's source
# tree, which surfaces as false negatives. Overlay the in-repo propagators
# (core/opentaint-config/java-config/config/java-config -> jar entries under
# java-config/) so the rule tests run against the source config.
#
# Use `zip`, not `jar uf`: the analyzer is a shadow/fat jar with duplicate
# directory entries (e.g. `org/`). `jar uf` rewrites the whole archive via
# ZipOutputStream, which aborts on those pre-existing duplicates
# (java.util.zip.ZipException: duplicate entry: org/). `zip` copies existing
# entries as-is and only replaces/adds the config files.
apt-get update && apt-get install -y zip
JAR="$PWD/opentaint-analyzer/opentaint-project-analyzer.jar"
( cd core/opentaint-config/java-config/config && zip -r "$JAR" java-config )

- name: Run OpenTaint analyzer
run: |
java -Xmx8G -Djdk.util.jar.enableMultiRelease=false -Dorg.opentaint.ir.impl.storage.defaultBatchSize=2000 \
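Review bot: the `zip -r` overlay only adds or replaces entries, so any propagator file that was deleted or renamed under `core/opentaint-config/java-config/config/java-config` (several commits in this PR drop rules) stays in the jar under its old name and the rule tests keep running against it. Consider clearing the jar's bundled copy first, e.g. `zip -d "$JAR" 'java-config/*'` before the `zip -r` (guard it: `zip -d` exits non-zero with "nothing to do" when no entry matches), or at least state in the comment that stale entries are tolerated. Separately, `apt-get update && apt-get install -y zip` runs without `sudo`, which fails on a GitHub-hosted runner unless this job runs as root inside a container; if it is a container job, say so in the comment so the line is not "fixed" later.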
@@ -0,0 +1,13 @@
passThrough:
- function: org.apache.tools.ant.types.FileSet#setDir
copy:
- from: arg(0)
to:
- this
- .org.apache.tools.ant.types.FileSet#path#java.lang.Object
- function: org.apache.tools.ant.types.FileSet#setFile
copy:
- from: arg(0)
to:
- this
- .org.apache.tools.ant.types.FileSet#path#java.lang.Object
@@ -0,0 +1,17 @@
passThrough:
- function: org.apache.commons.codec.binary.Base64#encodeBase64String
copy:
- from: arg(0)
to: result
- function: org.apache.commons.codec.binary.Base64#encodeBase64URLSafeString
copy:
- from: arg(0)
to: result
- function: org.apache.commons.codec.binary.Base64#encodeBase64URLSafe
copy:
- from: arg(0)
to: result
- function: org.apache.commons.codec.binary.Base64#encodeBase64Chunked
copy:
- from: arg(0)
to: result
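Review bot: only the encode direction is modelled; `Base64#decodeBase64` (the `String` and `byte[]` overloads) and the instance methods `decode`, `encode` and `encodeToString` inherited from `BaseNCodec` are missing, and decoding is the one that matters for deserialization sinks, where a tainted base64 string is decoded and then handed to `ObjectInputStream`. `encodeBase64(byte[])` itself, the `byte[] -> byte[]` form that the `*String` variants wrap, is also absent, so `new String(Base64.encodeBase64(x))` loses taint. Suggest adding those functions with the same `arg(0)` to `result` copy.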
@@ -0,0 +1,17 @@
passThrough:
- function: org.apache.commons.io.IOUtils#toString
copy:
- from: arg(0)
to: result
- function: org.apache.commons.io.IOUtils#toByteArray
copy:
- from: arg(0)
to: result
- function: org.apache.commons.io.IOUtils#toCharArray
copy:
- from: arg(0)
to: result
- function: org.apache.commons.io.IOUtils#readLines
copy:
- from: arg(0)
to: result
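Review bot: the four `IOUtils` rules all use `arg(0)` to `result`, which also covers the `(InputStream, Charset)` and `(Reader)` overloads without a `signature:` line, which is fine. What is missing is the reverse direction, `IOUtils#toInputStream(String)` / `toInputStream(CharSequence)`, and the copy family `IOUtils#copy(InputStream, OutputStream)` / `copy(Reader, Writer)`, where taint has to flow from `arg(0)` to `arg(1)`; if the passThrough schema does not allow an argument as a copy target, record that limitation in the file so the gap is documented rather than rediscovered as another false negative.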
@@ -0,0 +1,36 @@
passThrough:
- function: org.codehaus.groovy.control.CompilationUnit#addSource
signature: (java.io.File) *
copy:
- from: arg(0)
to:
- this
- .org.codehaus.groovy.control.CompilationUnit#source#java.lang.Object
- function: org.codehaus.groovy.control.CompilationUnit#addSource
signature: (java.net.URL) *
copy:
- from: arg(0)
to:
- this
- .org.codehaus.groovy.control.CompilationUnit#source#java.lang.Object
- function: org.codehaus.groovy.control.CompilationUnit#addSource
signature: (java.lang.String, java.io.InputStream) *
copy:
- from: arg(1)
to:
- this
- .org.codehaus.groovy.control.CompilationUnit#source#java.lang.Object
- function: org.codehaus.groovy.control.CompilationUnit#addSource
signature: (java.lang.String, java.lang.String) *
copy:
- from: arg(1)
to:
- this
- .org.codehaus.groovy.control.CompilationUnit#source#java.lang.Object
- function: org.codehaus.groovy.control.CompilationUnit#addSource
signature: (org.codehaus.groovy.control.SourceUnit) *
copy:
- from: arg(0)
to:
- this
- .org.codehaus.groovy.control.CompilationUnit#source#java.lang.Object
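Review bot: the five `addSource` overloads cover the singular forms only; `CompilationUnit#addSources(java.lang.String[])` and `addSources(java.io.File[])` exist and should land in the same `#source` virtual field, otherwise a tainted script array bypasses the model. For the `(java.lang.String, java.io.InputStream)` and `(java.lang.String, java.lang.String)` entries, `arg(0)` is the source name, so copying only `arg(1)` is right, but a one-line comment saying so would stop the next reader from treating it as an oversight.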
@@ -0,0 +1,43 @@
passThrough:
- function: org.apache.hc.core5.http.io.entity.StringEntity#<init>
signature: (java.lang.String) *
copy:
- from: arg(0)
to:
- this
- .org.apache.hc.core5.http.io.entity.StringEntity#content#java.lang.Object
- function: org.apache.hc.core5.http.io.entity.StringEntity#<init>
signature: (java.lang.String, org.apache.hc.core5.http.ContentType) *
copy:
- from: arg(0)
to:
- this
- .org.apache.hc.core5.http.io.entity.StringEntity#content#java.lang.Object
- function: org.apache.hc.core5.http.io.entity.StringEntity#<init>
signature: (java.lang.String, java.nio.charset.Charset) *
copy:
- from: arg(0)
to:
- this
- .org.apache.hc.core5.http.io.entity.StringEntity#content#java.lang.Object
- function: org.apache.hc.core5.http.io.entity.StringEntity#<init>
signature: (java.lang.String, org.apache.hc.core5.http.ContentType, boolean) *
copy:
- from: arg(0)
to:
- this
- .org.apache.hc.core5.http.io.entity.StringEntity#content#java.lang.Object
- function: org.apache.hc.core5.http.io.entity.StringEntity#<init>
signature: (java.lang.String, java.nio.charset.Charset, boolean) *
copy:
- from: arg(0)
to:
- this
- .org.apache.hc.core5.http.io.entity.StringEntity#content#java.lang.Object
- function: org.apache.hc.core5.http.io.entity.StringEntity#<init>
signature: (java.lang.String, org.apache.hc.core5.http.ContentType, java.lang.String, boolean) *
copy:
- from: arg(0)
to:
- this
- .org.apache.hc.core5.http.io.entity.StringEntity#content#java.lang.Object
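Review bot: since `arg(0)` is the entity body in every constructor, the six per-overload entries could collapse to a single unsignatured `StringEntity#<init>` rule with the same `copy`, the way the commons-codec and IOUtils files are written; if the exact signatures are deliberate (commit 0b087fd mentions exact per-overload signatures), keep them but say why in a comment. The sibling entity types in the same package, `ByteArrayEntity`, `InputStreamEntity` and `BasicHttpEntity`, plus the `HttpEntities.create(...)` factories, carry request bodies just as often and have no rule here; confirm they are covered elsewhere or add them with the same `#content` slot.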
@@ -0,0 +1,22 @@
passThrough:
- function: hudson.FilePath#<init>
signature: (hudson.remoting.VirtualChannel, java.lang.String) *
copy:
- from: arg(1)
to:
- this
- .hudson.FilePath#path#java.lang.Object
- function: hudson.FilePath#<init>
signature: (java.io.File) *
copy:
- from: arg(0)
to:
- this
- .hudson.FilePath#path#java.lang.Object
- function: hudson.FilePath#<init>
signature: (hudson.FilePath, java.lang.String) *
copy:
- from: arg(1)
to:
- this
- .hudson.FilePath#path#java.lang.Object
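Review bot: the `(hudson.FilePath, java.lang.String)` constructor copies only `arg(1)`; when the base `FilePath` (`arg(0)`) already carries taint on `.hudson.FilePath#path#java.lang.Object`, the derived path loses it, so `new FilePath(taintedBase, "subdir")` is untracked. Add a second copy from `[arg(0), .hudson.FilePath#path#java.lang.Object]` to the same target (the builder files in this PR already use that list form for `from:`). The same gap applies to `FilePath#child(java.lang.String)`, which builds a new `FilePath` from `this`, and to `FilePath#getRemote()`, which is how the path string re-emerges before it reaches a sink.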
@@ -0,0 +1,21 @@
passThrough:
- function: org.mvel2.MVEL#compileExpression
copy:
- from: arg(0)
to: result
- function: org.mvel2.MVEL#compileSetExpression
copy:
- from: arg(0)
to: result
- function: org.mvel2.MVEL#compileGetExpression
copy:
- from: arg(0)
to: result
- function: org.mvel2.jsr223.MvelScriptEngine#compile
copy:
- from: arg(0)
to: result
- function: org.mvel2.jsr223.MvelScriptEngine#compiledScript
copy:
- from: arg(0)
to: result
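Review bot: the expression compilers are covered, but the MVEL template path is not: `org.mvel2.templates.TemplateCompiler#compileTemplate` returns a `CompiledTemplate` that `TemplateRuntime` later executes, and a tainted template string is the more common injection shape in web code; it needs the same `arg(0)` to `result` copy. The `MvelScriptEngine#compile` rule already covers both the `String` and `Reader` overloads through `arg(0)`, so no `signature:` is needed there.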
@@ -0,0 +1,166 @@
passThrough:
- function: okhttp3.Request$Builder#url
copy:
- from: arg(0)
to:
- result
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(0)
to:
- this
- .okhttp3.Request$Builder#url#java.lang.Object
- from: this
to: result
- function: okhttp3.Request$Builder#header
signature: (java.lang.String, java.lang.String) *
copy:
- from: arg(0)
to:
- result
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(1)
to:
- result
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(0)
to:
- this
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(1)
to:
- this
- .okhttp3.Request$Builder#url#java.lang.Object
- from: this
to: result
- function: okhttp3.Request$Builder#addHeader
signature: (java.lang.String, java.lang.String) *
copy:
- from: arg(0)
to:
- result
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(1)
to:
- result
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(0)
to:
- this
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(1)
to:
- this
- .okhttp3.Request$Builder#url#java.lang.Object
- from: this
to: result
- function: okhttp3.Request$Builder#headers
copy:
- from: arg(0)
to:
- result
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(0)
to:
- this
- .okhttp3.Request$Builder#url#java.lang.Object
- from: this
to: result
- function: okhttp3.Request$Builder#post
copy:
- from: arg(0)
to:
- result
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(0)
to:
- this
- .okhttp3.Request$Builder#url#java.lang.Object
- from: this
to: result
- function: okhttp3.Request$Builder#put
copy:
- from: arg(0)
to:
- result
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(0)
to:
- this
- .okhttp3.Request$Builder#url#java.lang.Object
- from: this
to: result
- function: okhttp3.Request$Builder#patch
copy:
- from: arg(0)
to:
- result
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(0)
to:
- this
- .okhttp3.Request$Builder#url#java.lang.Object
- from: this
to: result
- function: okhttp3.Request$Builder#delete
copy:
- from: arg(0)
to:
- result
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(0)
to:
- this
- .okhttp3.Request$Builder#url#java.lang.Object
- from: this
to: result
- function: okhttp3.Request$Builder#method
signature: (java.lang.String, okhttp3.RequestBody) *
copy:
- from: arg(0)
to:
- result
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(1)
to:
- result
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(0)
to:
- this
- .okhttp3.Request$Builder#url#java.lang.Object
- from: arg(1)
to:
- this
- .okhttp3.Request$Builder#url#java.lang.Object
- from: this
to: result
- function: okhttp3.Request$Builder#get
copy:
- from: this
to: result
- function: okhttp3.Request$Builder#head
copy:
- from: this
to: result
- function: okhttp3.Request$Builder#removeHeader
copy:
- from: this
to: result
- function: okhttp3.Request$Builder#cacheControl
copy:
- from: this
to: result
- function: okhttp3.Request$Builder#tag
copy:
- from: this
to: result
- function: okhttp3.Request$Builder#build
copy:
- from: this
to: result
- from:
- this
- .okhttp3.Request$Builder#url#java.lang.Object
to:
- result
- .okhttp3.Request#url#java.lang.Object
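Review bot: every setter on the builder, including `header`, `addHeader`, `headers`, `post`, `put`, `patch`, `delete` and `method`, writes into the single virtual field `.okhttp3.Request$Builder#url#java.lang.Object`, and `build` forwards that field to `.okhttp3.Request#url#java.lang.Object`. A tainted header value or request body therefore marks the final `Request`'s URL as tainted, so an SSRF sink that reads `Request#url` fires on code where only a header is attacker-controlled, and a header- or body-injection sink cannot tell the two apart. If the coarse slot is intentional, rename it (e.g. `#builderState`) so the name does not claim more precision than it has; otherwise split it into `#url`, `#headers` and `#body` slots and have `build` map each to the matching `Request` field. Also missing: `Request#newBuilder()` and `Request$Builder#<init>(okhttp3.Request)`, which copy an existing request into a fresh builder and currently drop all taint.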
@@ -0,0 +1,13 @@
passThrough:
- function: org.springframework.jdbc.core.namedparam.NamedParameterUtils#parseSqlStatement
copy:
- from: arg(0)
to: result
- function: org.springframework.jdbc.core.namedparam.NamedParameterUtils#substituteNamedParameters
copy:
- from: arg(0)
to: result
- function: org.springframework.jdbc.core.namedparam.NamedParameterUtils#parseSqlStatementIntoString
copy:
- from: arg(0)
to: result
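Review bot: `parseSqlStatement` returns a `ParsedSql` object rather than a string, so the `result` taint here only reaches a SQL sink if `substituteNamedParameters` (covered) or the `NamedParameterJdbcTemplate` internals lie on the path; confirm that `NamedParameterJdbcTemplate#query`, `#update` and `#execute` are modelled as sinks on their SQL argument directly, since application code rarely calls `NamedParameterUtils` itself and the template methods are where a tainted statement actually arrives.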