Can the configuration of source and sink support wildcard characters, such as using * to match? #86

Open
SEC-fsq opened this issue Jan 23, 2024 · 4 comments
Labels
type: enhancement A general enhancement

Comments

@SEC-fsq

SEC-fsq commented Jan 23, 2024

Clear and concise description of the problem

Can the configuration of source and sink support wildcard characters, such as using * to match?

Impact Analysis

No response

Suggested Solution

No response

Alternative

No response

Intention to submit PR

No

Additional Context

No response

@SEC-fsq SEC-fsq added the type: enhancement A general enhancement label Jan 23, 2024
@zhangt2333
Member

zhangt2333 commented Jan 23, 2024

Oh, it is a very valuable and funny issue.

As it happens, we're working on a more convenient and dedicated mechanism for describing class/method/field in taint configuration; the hard part is we're trying to balance readability and functionality when designing the "wildcard" expression mechanism. For example, regular expressions are powerful, but they are less readable; maybe we need more functionality, such as describing subclasses, but more is not better, it depends.

Anyway, we will support it. Stay tuned for the next release milestone.

@SEC-fsq
Author

SEC-fsq commented Jan 24, 2024

Oh, it is a very valuable and funny issue.

As it happens, we're working on a more convenient and dedicated mechanism for describing class/method/field in taint configuration; the hard part is we're trying to balance readability and functionality when designing the "wildcard" expression mechanism. For example, regular expressions are powerful, but they are less readable; maybe we need more functionality, such as describing subclasses, but more is not better, it depends.

Anyway, we will support it. Stay tuned for the next release milestone.

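Oh, this is a very valuable and interesting question.

As it happens, we are working on a more convenient and dedicated mechanism for describing classes/methods/fields in taint configuration; the hard part is that we are trying to balance readability and functionality when designing the "hidden" expression mechanism. For example, regular expressions are powerful, but they are less readable; maybe we need more functionality, such as describing subclasses, but more is not better, it depends.

In any case, we will support it. Please stay tuned for the next release milestone.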

Can we consider opening up an inheritable abstract class that can use Java to write rules, so that users can override and implement the logic in DeserializeSources, DeserializeSinks, DeserializeSanitizers, and DeserializeTransfers according to their needs?

@zhangt2333
Member

Can we consider opening up an inheritable abstract class that can use Java to write rules

Writing taint configuration programmatically is our future plan. It's being incubated.

@zhangt2333
Member

Support for signature wildcards is now available. Documentation is currently in progress.

Here's a preview: 96fde4b
