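Test code
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Create the DocumentBuilderFactory object
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = factory.newDocumentBuilder();
// Parse the user-supplied XML data
Document document = builder.parse(new InputSource(new StringReader(username)));
// Extract the content of the username element
NodeList nodeList = document.getElementsByTagName("username");
if (nodeList.getLength() > 0) {
    Element element = (Element) nodeList.item(0);
    System.out.println("Extracted username: " + element.getTextContent());
}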
Intermediate representation of the code
%0 = javax.xml.parsers.DocumentBuilderFactory.newInstance()
%2 = %0.newDocumentBuilder()
%4 = new org.xml.sax.InputSource
%5 = new java.io.StringReader
%5.<init>(username)
%4.<init>(%5)
%6 = %2.parse(%4)
%8 = %6.getElementsByTagName("username")
When configuring a PassThrough for new StringReader(username), functionName was set as follows, based on the intermediate representation:
"functionName": {"_": "NameIsEqualTo","name": "<init>"}
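However, it never matched. Searching the source code for "init" afterwards turned up the following result:
Finally, after setting the constructor name to "init^", this PassThrough took effect.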
"functionName": {"_": "NameIsEqualTo","name": "init^"},
The completed PassThrough configuration
{
  "_": "PassThrough",
  "methodInfo": {
    "cls": {
      "packageMatcher": {"_": "NameIsEqualTo","name": "java.io"},
      "classNameMatcher": {"_": "NameIsEqualTo","name": "StringReader"}
    },
    "functionName": {"_": "NameIsEqualTo","name": "init^"},
    "parametersMatchers": [],
    "returnTypeMatcher": {"_": "AnyTypeMatches"},
    "applyToOverrides": true,
    "functionLabel": null,
    "modifier": -1,
    "exclude": []
  },
  "condition": {
    "_": "ConstantTrue"
  },
  "actionsAfter": [
    {
      "_": "CopyAllMarks",
      "from": {"_": "Argument","number": 0},
      "to": {"_": "This"}
    }
  ]
}
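This PassThrough applies at new StringReader(xxx): it copies all marks carried by xxx onto the StringReader object. If xxx is tainted, the newly created StringReader object is tainted too, that is, the taint has propagated.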
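The effect of the two functionName values, as an added example (a toy Python model written for this page, not the analyzer's own code): it applies the rule above to the IR call `%5.<init>(username)` and reports which marks end up on `%5`. Assumptions: the analyzer exposes the constructor's name to matchers as `init^` (as found on this page), `NameIsEqualTo` is plain string equality, and the mark name `TAINT` is constructed.

```python
import json

# Constructor name as the rule matcher sees it (per the page); the IR prints "<init>".
CTOR_INTERNAL_NAME = "init^"

# The IR call `%5.<init>(username)` as a constructed record.
CALL = {"package": "java.io", "cls": "StringReader",
        "function": CTOR_INTERNAL_NAME, "this": "%5", "args": ["username"]}

def rule(function_name):
    """The page's PassThrough rule, reduced to the fields this model reads."""
    return json.loads("""{
      "_": "PassThrough",
      "methodInfo": {
        "cls": {"packageMatcher": {"_": "NameIsEqualTo", "name": "java.io"},
                "classNameMatcher": {"_": "NameIsEqualTo", "name": "StringReader"}},
        "functionName": {"_": "NameIsEqualTo", "name": "%s"}},
      "condition": {"_": "ConstantTrue"},
      "actionsAfter": [{"_": "CopyAllMarks",
                        "from": {"_": "Argument", "number": 0},
                        "to": {"_": "This"}}]
    }""" % function_name)

def name_equals(matcher, value):
    return matcher["_"] == "NameIsEqualTo" and matcher["name"] == value

def matches(r, call):
    info = r["methodInfo"]
    return (name_equals(info["cls"]["packageMatcher"], call["package"])
            and name_equals(info["cls"]["classNameMatcher"], call["cls"])
            and name_equals(info["functionName"], call["function"]))

def resolve(pos, call):
    """Map a rule position (Argument n / This) to the IR value it names."""
    return call["args"][pos["number"]] if pos["_"] == "Argument" else call["this"]

def apply_rule(r, call, marks):
    """Return a new mark table after applying the rule's CopyAllMarks actions."""
    out = {k: set(v) for k, v in marks.items()}
    if matches(r, call) and r["condition"]["_"] == "ConstantTrue":
        for action in r["actionsAfter"]:
            if action["_"] == "CopyAllMarks":
                src, dst = resolve(action["from"], call), resolve(action["to"], call)
                out.setdefault(dst, set()).update(out.get(src, set()))
    return out

def marks_on_reader(function_name):
    # Constructed starting state: `username` carries a mark named "TAINT".
    return apply_rule(rule(function_name), CALL, {"username": {"TAINT"}}).get("%5", set())
```

With `"<init>"` the rule never fires and `%5` stays unmarked, so the flow into `%2.parse(%4)` is silently lost; with `"init^"` the mark reaches `%5`.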