Inspectopedia Help

Non-safe string is passed to safe method

Reports cases when a non-safe string is passed to a method whose parameter is marked with an @Untainted annotation, is returned from an annotated method, or is assigned to an annotated field, parameter, or local variable. Kotlin set and get methods for fields are not supported as entry points.

A safe object (in the same class) is:

  • a string literal, interface instance, or enum object

  • a result of a call of a method that is marked as @Untainted

  • a private field, which is assigned only with a string literal and has a safe initializer

  • a final field, which has a safe initializer

  • a local variable or parameter that is marked as @Untainted and is not assigned from non-safe objects

This field, local variable, or parameter must not be passed as an argument to methods or used as a qualifier, or it must be a primitive, its wrapper, or an immutable type.

Static final fields are also considered safe.

The analysis is performed only inside one file. To process dependencies from other classes, use the inspection options below. The analysis extends into private or static methods, with a limited propagation depth.

Example:

    void doSmth(boolean b) {
        String s = safe();        // safe() is taken to be a method marked @Untainted
        String s1 = "other";
        if (b) s1 = s;
        sink(s);                  // no warning: s is never assigned a non-safe value
    }

    void sink(@Untainted String s) {}

Here no non-safe string is ever assigned to s, so no warning is produced. On the other hand:

    void doSmth(boolean b) {
        String s = safe();
        String s1 = "other";
        s1 = foo();               // foo() is not marked @Untainted: s1 now has an unknown state
        if (b) s = s1;
        sink(s);                  // warning here
    }

    String foo();                 // not annotated, so its result is not known to be safe
    void sink(@Untainted String s) {}

Here a warning is produced, because s1 has an unknown state after the result of the foo() call is assigned to it, and s may in turn be assigned from s1.
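As an added illustration, not taken from this page, the following Java class uses the Checker Framework's @Untainted (one of the default untainted annotations) and marks each call to the sink with the verdict the safe-object rules above predict. The class, field, and method names are invented for the example.

```java
import org.checkerframework.checker.tainting.qual.Untainted;

// Hypothetical class written for this illustration. The verdict comments state
// what the safe-object rules above predict for each call of the sink execute().
class QueryBuilder {

    static final String BASE = "SELECT * FROM users";   // static final field: safe
    private final String order = "ORDER BY id";          // final field with a safe initializer: safe
    private String suffix = "LIMIT 10";                  // private field assigned only a literal: safe
    private String filter = "";                          // private field, but also assigned from a parameter: non-safe

    // A method marked @Untainted: its result counts as safe.
    @Untainted String schemaPrefix() { return "app."; }

    // Not annotated: its result has an unknown state.
    String readFromConfig() { return System.getProperty("query.suffix", ""); }

    void setFilter(String userInput) { filter = userInput; }   // the field is no longer literal-only

    void run(String userInput) {
        execute("SELECT 1");            // string literal: no warning
        execute(BASE);                  // static final field: no warning
        execute(order);                 // final field, safe initializer: no warning
        execute(suffix);                // private field only ever assigned a literal: no warning
        execute(schemaPrefix());        // result of an @Untainted method: no warning

        @Untainted String local = "SELECT 2";
        execute(local);                 // @Untainted local never assigned a non-safe value: no warning

        String mixed = "SELECT 3";
        mixed = readFromConfig();       // unknown state after an unannotated call
        execute(mixed);                 // warning: non-safe string passed to a @Untainted parameter

        execute(userInput);             // warning: parameter of a non-private method is not safe
        execute(filter);                // warning: the field is assigned from userInput in setFilter()
    }

    // The sink: only strings the inspection can prove safe should reach it.
    void execute(@Untainted String sql) { System.out.println(sql); }
}
```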

New in 2021.2

Inspection options

  • Tainted annotations (StringList), default: [javax.annotation.Tainted, org.checkerframework.checker.tainting.qual.Tainted]

  • Untainted annotations (StringList), default: [javax.annotation.Untainted, org.checkerframework.checker.tainting.qual.Untainted]

  • Tainted parameters (Table), default: none; columns: Class Name, Method Name Regex, Parameter Index (each a TableColumn, default [])

  • Untainted parameters (Table), default: none; columns: Class Name, Method Name Regex, Parameter Index (each a TableColumn, default [])

  • Consider external methods untainted if receivers and arguments are untainted (Checkbox), default: true

  • Tainted methods (Table), default: none; columns: Class Name, Method Name Regex (each a TableColumn, default [])

  • Untainted methods (Table), default: none; columns: Class Name, Method Name Regex (each a TableColumn, default [])

  • Safe classes (StringList), default: [java.lang.Boolean, boolean, kotlin.Boolean, java.lang.Class, kotlin.reflect.KClass]

  • Untainted fields (Table), default: none; columns: Class Name, Field Name (each a TableColumn, default [])

  • Consider parameters of private methods as safe (Checkbox), default: false

  • Report if the case is too complex to check (Checkbox), default: false

Inspection Details

Available in: IntelliJ IDEA 2023.3, Qodana for JVM 2023.3

Plugin: Java, 233.SNAPSHOT

Last modified: 13 July 2023