Can the configuration of source and sink support wildcard characters, such as using * to match?

Open SEC-fsq opened this issue 2 years ago • 4 comments

Clear and concise description of the problem

Can the configuration of source and sink support wildcard characters, such as using * to match?

Impact Analysis

No response

Suggested Solution

No response

Alternative

No response

Intention to submit PR

No

Additional Context

No response

SEC-fsq avatar Jan 23 '24 12:01 SEC-fsq

Oh, it is a very valuable and funny issue.

As it happens, we're working on a more convenient and dedicated mechanism for describing class/method/field in taint configuration; the hard part is we're trying to balance readability and functionality when designing the "wildcard" expression mechanism. For example, regular expressions are powerful, but they are less readable; maybe we need more functionality, such as describing subclasses, but more is not better, it depends.

Anyway, we will support it. Stay tuned for the next release milestone.

zhangt2333 avatar Jan 23 '24 12:01 zhangt2333
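
An added illustration of the trade-off mentioned in the comment above (not part of the thread, and neither Tai-e's code nor its released pattern syntax): a `*` wildcard with assumed semantics beside the hand-escaped regular expression that selects the same methods. The class `SignatureGlobDemo`, its helper names, the `<class: returnType name(paramTypes)>` signature form and the sample list are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class SignatureGlobDemo {

    // Hypothetical wildcard syntax (an assumption, not Tai-e's): '*' matches any
    // run of characters except ':', '(' and ')', so it cannot spill from one part
    // of a signature (class, return type and name, parameters) into another.
    static Pattern compileGlob(String glob) {
        String regex = Arrays.stream(glob.split("\\*", -1))
                .map(Pattern::quote)                 // everything except '*' is literal
                .collect(Collectors.joining("[^:()]*"));
        return Pattern.compile(regex);
    }

    // Returns the signatures that the pattern matches in full.
    static List<String> select(Pattern pattern, List<String> signatures) {
        return signatures.stream()
                .filter(s -> pattern.matcher(s).matches())
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample input: signatures of real JDK methods.
        List<String> methods = List.of(
                "<java.lang.Runtime: java.lang.Process exec(java.lang.String)>",
                "<java.lang.Runtime: java.lang.Process exec(java.lang.String[])>",
                "<java.lang.Runtime: java.lang.Process exec(java.lang.String,java.lang.String[])>",
                "<java.lang.Runtime: void exit(int)>",
                "<java.lang.ProcessBuilder: java.lang.Process start()>");

        // One sink rule written with the wildcard ...
        String glob = "<java.lang.Runtime: * exec(*)>";
        // ... and the same rule written directly as a regular expression.
        String regex = "<java\\.lang\\.Runtime: [^:()]* exec\\([^:()]*\\)>";

        List<String> byGlob = select(compileGlob(glob), methods);
        List<String> byRegex = select(Pattern.compile(regex), methods);

        System.out.println("glob  : " + glob);
        System.out.println("regex : " + regex);
        byGlob.forEach(s -> System.out.println("  sink " + s));
        System.out.println("same selection: " + byGlob.equals(byRegex));
    }
}
```

Restricting what `*` may cross keeps a broad rule from silently pulling unrelated methods into the sink set, which is the kind of functionality-versus-readability decision the comment refers to.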

Can we consider opening up an inheritable abstract class that can use Java to write rules, so that users can override and implement the logic in DeserializeSources, DeserializeSinks, DeserializeSanitizers, and DeserializeTransfers according to their needs?

SEC-fsq avatar Jan 24 '24 03:01 SEC-fsq

Can we consider opening up an inheritable abstract class that can use Java to write rules

Writing taint configuration programmatically is our future plan. It's being incubated.

zhangt2333 avatar Jan 24 '24 04:01 zhangt2333

Support for signature wildcards is now available. Documentation is currently in progress.

Here's a preview: https://github.com/pascal-lab/Tai-e/commit/96fde4bb7756a42ac2a55ca9d10669168fcd1b6c

zhangt2333 avatar Jul 12 '24 14:07 zhangt2333

The taint rules with wildcard support are now released in v0.5.1. For details on using wildcards in signatures, please refer to our documentation on signature patterns.

zhangt2333 avatar Dec 31 '24 08:12 zhangt2333