You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It looks like gadgetinspector fails to find com/sun/rowset/JdbcRowSetImpl.setAutoCommit (which is described in the marshalsec paper) due to the fact that the getDataSourceName is not explicitly defined in JdbcRowSetImpl, but is inherited from javax/sql/rowset/BaseRowSet (which is hinted at in the inheritance map).
One other issue is that setAutoCommit accepts a boolean (instead of an L value) and should taint the first argument rather than the return value. This will fail the following check in JacksonSourceDiscovery.java:
if (method.getName().startsWith("set") && method.getDesc().matches("\\(L[^;]*;\\)V")) {
addDiscoveredSource(newSource(method, 0));
}
I think the issue can be resolved by tainting and tracking inherited methods when creating the callgraph AND by updating JacksonSourceDiscovery.java to include the following check:
if (method.getName().startsWith("set") && Type.getArgumentTypes(method.getDesc()).length == 1) {
addDiscoveredSource(newSource(method, 1));
}
Apologies if I'm misunderstanding something. I'm super excited about this tool and I'm interested to learn more about the inner workings.
The text was updated successfully, but these errors were encountered:
It looks like gadgetinspector fails to find
com/sun/rowset/JdbcRowSetImpl.setAutoCommit(which is described in the marshalsec paper) due to the fact that thegetDataSourceNameis not explicitly defined inJdbcRowSetImpl, but is inherited fromjavax/sql/rowset/BaseRowSet(which is hinted at in the inheritance map).One other issue is that
setAutoCommitaccepts a boolean (instead of an L value) and should taint the first argument rather than the return value. This will fail the following check inJacksonSourceDiscovery.java:I think the issue can be resolved by tainting and tracking inherited methods when creating the callgraph AND by updating
JacksonSourceDiscovery.javato include the following check:Apologies if I'm misunderstanding something. I'm super excited about this tool and I'm interested to learn more about the inner workings.
The text was updated successfully, but these errors were encountered: