AST,CallGraph,DataFlow,ICFG示例图
Source code
// MainApp.java
/**
 * Entry point of the taint-flow example: reads the first command-line argument and hands it to
 * {@link DataProcessor#process(String)}.
 */
public class MainApp {
/**
 * Takes {@code args[0]} as the taint source and passes it on unchanged.
 *
 * @param args command-line arguments; {@code args[0]} is read without a length check, so
 *     running with no arguments throws {@code ArrayIndexOutOfBoundsException}
 */
public static void main(String[] args) {
// Source: the parameter of main is treated as the taint source (untrusted, caller-controlled input).
String taintedData = args[0];
// Cross-file, inter-procedural call: the value leaves main without any validation or sanitization.
DataProcessor processor = new DataProcessor();
processor.process(taintedData);
}
}
// DataProcessor.java
/** Intermediate step of the taint-flow example, between the source in MainApp and the sink in Logger. */
public class DataProcessor {
/**
 * Receives the data coming from MainApp and forwards it to {@link Logger#log(String)}.
 *
 * @param data value received from the caller; in this example it is the tainted {@code args[0]}
 */
public void process(String data) {
// The data may be transformed here, for example by string concatenation.
// Prefixing a constant does not sanitize anything: processedData still carries the taint of data.
String processedData = "[processed] " + data;
// Cross-file, inter-procedural call that hands the data to the sink.
Logger logger = new Logger();
logger.log(processedData);
}
}
// Logger.java
/** Sink of the taint-flow example: writes the received message to standard output. */
public class Logger {
/**
 * Sink: the parameter {@code message} is where the tainted data ends up.
 *
 * @param message text to print; it is written verbatim after the {@code "LOG: "} prefix
 */
public void log(String message) {
// The data is finally used here, for example by printing a log line.
// NOTE(review): nothing is encoded or stripped, so CR/LF characters in message would reach the
// output as-is (log injection, CWE-117); a real logger would neutralize line breaks at this point.
System.out.println("LOG: " + message);
}
}
AST
语句 logger.log(processedData); 对应的AST(抽象语法树)
graph TD;
MethodCallExpr --> NameExpr1[logger];
MethodCallExpr --> SimpleName[log];
MethodCallExpr --> Arguments;
Arguments --> NameExpr2[processedData];
CallGraph
graph TD;
A["Source: MainApp.main()"] --> B["DataProcessor.process()"];
B --> C["Sink: Logger.log()"];
DataFlow
graph TD;
A["Source: MainApp.main 的参数 args[0]"] --> B["变量: taintedData (in main)"];
B --> C["参数: data (in process)"];
C --> D["变量: processedData (in process)"];
D --> E["Sink: 参数: message (in log)"];
ICFG
graph TD;
Main_Start("MainApp.main: Start") --> Main_Get_Args["获取 taintedData"];
Main_Get_Args --> Main_Call_Process["调用 process(taintedData)"];
Main_Call_Process -- call --> Proc_Start;
Proc_Start("DataProcessor.process: Start") --> Proc_Concat_String["拼接 processedData"];
Proc_Concat_String --> Proc_Call_Log["调用 log(processedData)"];
Proc_Call_Log -- call --> Log_Start;
Log_Start("Logger.log: Start") --> Log_Print["打印 message"];
Log_Print --> Log_End("Logger.log: Return");
Log_End -- return --> Proc_After_Call_Log["..."];
Proc_After_Call_Log --> Proc_End("DataProcessor.process: Return");
Proc_End -- return --> Main_After_Call_Process["..."];
Main_After_Call_Process --> Main_End("MainApp.main: End");
