Taint analysis (#1192)

* updated:
org.jsoup:jsoup ...................................... 1.8.2 -> 1.11.3

* added output sanitization hint TODOs

* reverted update for clean PR

Author: feffi

jooby/src/main/java/org/jooby/Jooby.java

@@ -3311,11 +3311,14 @@ private Config envConf(final Config source, final String env) {
    * @return A config for the file name.
    */
   static Config fileConfig(final String fname) {
+    // TODO: sanitization of arguments
     File dir = new File(System.getProperty("user.dir"));
+    // TODO: sanitization of arguments
     File froot = new File(dir, fname);
     if (froot.exists()) {
       return ConfigFactory.parseFile(froot);
     } else {
+      // TODO: sanitization of arguments
       File fconfig = new File(new File(dir, "conf"), fname);
       if (fconfig.exists()) {
         return ConfigFactory.parseFile(fconfig);
@@ -3485,6 +3488,7 @@ static String logback(final Config conf) {
     } else {
       String env = conf.hasPath("application.env") ? conf.getString("application.env") : null;
       ImmutableList.Builder<File> files = ImmutableList.builder();
+      // TODO: sanitization of arguments
       File userdir = new File(System.getProperty("user.dir"));
       File confdir = new File(userdir, "conf");
       if (env != null) {

jooby/src/main/java/org/jooby/internal/RequestImpl.java

@@ -464,7 +464,7 @@ public Mutant body() throws Exception {
     if (length > 0) {
       MediaType type = type();
       Config conf = require(Config.class);
-
+      // TODO: sanitization of arguments
       File fbody = new File(conf.getString("application.tmpdir"),
           Integer.toHexString(System.identityHashCode(this)));
       files.add(fbody);

modules/jooby-assets-clean-css/src/test/java/org/jooby/assets/Generator.java

@@ -10,11 +10,11 @@
 public class Generator {
 
   private static final String NODE = "/usr/local/bin/node";
-
+  // TODO: sanitization of arguments
   private static final String NPM = new File(System.getProperty("user.home")).toPath()
       .resolve(".node").resolve("lib").resolve("node_modules").resolve("npm").resolve("bin")
       .resolve("npm-cli.js").toString();
-
+  // TODO: sanitization of arguments
   private static final File workDir = new File(System.getProperty("user.dir"), "target");
 
   static File log = new File(workDir, "log.log");
@@ -91,11 +91,13 @@ public static Path install(final String name) throws Exception {
   }
 
   public static Path localFile(final String name) {
+    // TODO: sanitization of arguments
     return new File(System.getProperty("user.dir")).toPath().resolve("src").resolve("test")
         .resolve("resources").resolve(name);
   }
 
   public static Path module(final String name) {
+    // TODO: sanitization of arguments
     return new File(System.getProperty("user.home")).toPath().resolve("node_modules").resolve(name);
   }
 }

modules/jooby-assets-svg-sprites/src/main/java/org/jooby/assets/SvgSprites.java

@@ -321,7 +321,7 @@ public void run(final Config conf) throws Exception {
     if (!spriteElementPath.exists()) {
       throw new FileNotFoundException(spriteElementPath.toString());
     }
-
+    // TODO: sanitization of arguments
     File workdir = new File(Try.apply(() -> conf.getString("application.tmpdir"))
         .orElse(System.getProperty("java.io.tmpdir")));
 

modules/jooby-assets/src/main/java/org/jooby/internal/assets/AssetWriter.java

@@ -272,6 +272,7 @@ private Stream<String> patterns(final Predicate<String> filter) {
 
   public void write(String path, String chunk) throws IOException {
     if (bundle == null) {
+      // TODO: sanitization of arguments
       File output = new File(outDir, path);
       writeFile(output, chunk);
       result.add(output);
@@ -285,6 +286,7 @@ public void write(String path, String chunk) throws IOException {
   public List<File> getResult() throws IOException {
     try {
       if (bundle != null && bundle.length() > 0) {
+        // TODO: sanitization of arguments
         Path filename = Paths.get(fset + "." + sha1(bundle) + ext);
         Path filepath = patterns(filter).findFirst()
             .map(p -> Paths.get(p).resolve(filename))
@@ -322,6 +324,7 @@ private void writeFile(File output, String chunk) throws IOException {
 
   public void add(String path) {
     if (bundle == null) {
+      // TODO: sanitization of arguments
       result.add(new File(outDir, path));
     }
   }

modules/jooby-netty/src/main/java/org/jooby/internal/netty/NettySslContext.java

@@ -258,10 +258,12 @@ static SslContext build(final Config conf) throws IOException, CertificateExcept
   }
 
   static File toFile(final String path, final String tmpdir) throws IOException {
+    // TODO: sanitization of arguments
     File file = new File(path);
     if (file.exists()) {
       return file;
     }
+    // TODO: sanitization of arguments
     file = new File(tmpdir, Paths.get(path).getFileName().toString());
     // classpath resource?
     InputStream in = NettyServer.class.getClassLoader().getResourceAsStream(path);

modules/jooby-pac4j/src/main/java/org/jooby/internal/pac4j/AuthSerializer.java

@@ -222,6 +222,7 @@ public static final Object strToObject(final String value) {
     }
     return Try.apply(() -> {
       byte[] bytes = BaseEncoding.base64().decode(value.substring(PREFIX.length()));
+      // TODO: sanitization of arguments
       return new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject();
     })
         .wrap(x -> new IllegalArgumentException("Can't de-serialize value " + value, x))

modules/jooby-pac4j2/src/main/java/org/jooby/internal/pac4j2/Pac4jSessionStore.java

@@ -275,6 +275,7 @@ static final Object strToObject(final String value) {
     }
     return Try.apply(() -> {
       byte[] bytes = base64().decode(value.substring(PREFIX.length()));
+      // TODO: sanitization of arguments
       return new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject();
     }).get();
   }

modules/jooby-run/src/main/java/org/jooby/run/Main.java

@@ -327,15 +327,18 @@ public static void main(final String[] args) throws Exception {
           excludes = option[1];
           break;
         case "props":
+          // TODO: sanitization of arguments
           setSystemProperties(new File(option[1]));
           break;
         case "deps":
+          // TODO: sanitization of arguments
           String[] deps = option[1].split(File.pathSeparator);
           for (String dep : deps) {
             cp.add(new File(dep));
           }
           break;
         case "watchdirs":
+          // TODO: sanitization of arguments
           String[] dirs = option[1].split(File.pathSeparator);
           for (String dir : dirs) {
             watch.add(new File(dir));
@@ -349,6 +352,7 @@ public static void main(final String[] args) throws Exception {
     logLevel();
 
     if (cp.isEmpty()) {
+      // TODO: sanitization of arguments
       cp.add(new File(System.getProperty("user.dir")));
     }