
The strings were concatenated, making it impossible to match the path. #19479


Open
fraudV opened this issue May 13, 2025 · 4 comments
Labels
question Further information is requested

Comments

@fraudV

fraudV commented May 13, 2025

Source can query the fileName.
Image
Sink can also query data.
Image
Logic can be connected.
Image
But no results were found.
Image
The test from fileName to FileUtils.isValidFilename can retrieve results.
Image
However, when querying from fileName to writeBytes, no results are returned. The data passes through the line "String filePath = Global.getDownloadPath() + fileName;" in the middle.

Image

Image

@fraudV fraudV added the question Further information is requested label May 13, 2025
@redsun82
Contributor

👋 @fraudV

As far as I can tell what you're trying to achieve is not data flow (that tracks unchanged data flowing through the program), but rather taint tracking, which tracks so-called "taint" in data, that can get transmitted through data transformation like string concatenation.

You can find more information about this in this section of the docs. In a nutshell, if you replace DataFlow with TaintTracking in your query source you should be able to find the result you're expecting.
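As an added example (not code from the thread or from the CodeQL repository), this is a complete path query in the shape the reply describes: the configuration is unchanged, only the module used to instantiate it switches from `DataFlow::Global` to `TaintTracking::Global`, so the concatenation `Global.getDownloadPath() + fileName` no longer breaks the path. The source and sink definitions are assumptions taken from the screenshots described above (a parameter named `fileName`, an argument of a call to a method named `writeBytes`); `MethodCall` is the class name used by recent CodeQL Java libraries (older versions call it `MethodAccess`).

```ql
/**
 * @name Tainted file name reaches writeBytes (added example)
 * @kind path-problem
 * @problem.severity warning
 * @id example/tainted-filename-to-writebytes
 */

import java
import semmle.code.java.dataflow.TaintTracking
import FileNameToWriteBytesFlow::PathGraph

/**
 * Assumed source: any parameter named `fileName`.
 * Assumed sink: any argument of a call to a method named `writeBytes`.
 * Both are narrowed to the code discussed in the thread, not a general model.
 */
module FileNameToWriteBytesConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    source.asParameter().getName() = "fileName"
  }

  predicate isSink(DataFlow::Node sink) {
    exists(MethodCall call |
      call.getMethod().hasName("writeBytes") and
      sink.asExpr() = call.getAnArgument()
    )
  }
}

// With `DataFlow::Global<FileNameToWriteBytesConfig>` only the unchanged value
// of `fileName` is followed, so the step through
// `Global.getDownloadPath() + fileName` is not a flow step and nothing is reported.
// With `TaintTracking::Global<...>` the result of a string concatenation is
// tainted whenever one of its operands is, which is the behaviour wanted here.
module FileNameToWriteBytesFlow = TaintTracking::Global<FileNameToWriteBytesConfig>;

from FileNameToWriteBytesFlow::PathNode source, FileNameToWriteBytesFlow::PathNode sink
where FileNameToWriteBytesFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "File name from $@ reaches writeBytes after string concatenation.",
  source.getNode(), "this parameter"
```

Run it as a path-problem query against the CodeQL database of the project; the `PathGraph` import is what lets the results viewer show the intermediate concatenation step between the parameter and the `writeBytes` argument.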

@fraudV
Author

fraudV commented May 13, 2025

Thank you very much! The previous issue was resolved after changing it to TaintTracking, and here's another related problem.
Taint analysis from String requestData to executorBiz.run(triggerParam); can retrieve results.

Image

But when it comes to "XxlJobExecutor.loadJobThread(triggerParam.getJobId());", no matching result can be found in taint analysis.
I modified it to TaintTracking.
Image

Image

Sink can query the corresponding results.

Image
I checked the Sources of all Expr and Parameter and found paths in other places, but didn't find what I needed.
Image

Image
I walked through it dynamically, and it should be possible that String requestData -> executorBiz.run(triggerParam); -> XxlJobExecutor.loadJobThread(triggerParam.getJobId());
Image

Image

@redsun82
Contributor

Hi @fraudV

Am I following correctly that you would like taint to flow through both GsonTool.fromJson (going from requestParam to paramTrigger) and then through the .getJobId() method call of requestParam?

I'm afraid that is not available automatically: gson is not listed as a supported framework in this list. I can raise this to the internal team, to see if built-in support is coming any time soon. In the meantime, you will probably need to model the missing flow yourself implementing the predicate isAdditionalFlowStep(Node node1, Node node2) in your DataFlow::ConfigSig implementation to add any flows you're missing.
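As an added example (not code from the thread or from the CodeQL repository), this is one way to write the `isAdditionalFlowStep` predicate the reply suggests, so that taint from `requestData` survives the two unmodelled steps: the `GsonTool.fromJson(...)` call (JSON text in, deserialised object out) and the `getJobId()` getter on that object. The source, sink, class and method names (`requestData`, `GsonTool`, `fromJson`, `getJobId`, `XxlJobExecutor.loadJobThread`) are assumptions taken from the thread; `MethodCall` is the class name in recent CodeQL Java libraries (older versions call it `MethodAccess`).

```ql
/**
 * @name Tainted request data reaches loadJobThread (added example)
 * @kind path-problem
 * @problem.severity warning
 * @id example/request-data-to-loadjobthread
 */

import java
import semmle.code.java.dataflow.TaintTracking
import RequestDataFlow::PathGraph

module RequestDataConfig implements DataFlow::ConfigSig {
  // Assumed source: a parameter named `requestData`, as in the thread.
  predicate isSource(DataFlow::Node source) {
    source.asParameter().getName() = "requestData"
  }

  // Assumed sink: any argument of a call to `XxlJobExecutor.loadJobThread(...)`.
  predicate isSink(DataFlow::Node sink) {
    exists(MethodCall call |
      call.getMethod().hasName("loadJobThread") and
      call.getMethod().getDeclaringType().hasName("XxlJobExecutor") and
      sink.asExpr() = call.getAnArgument()
    )
  }

  // The two steps the built-in taint library does not know about.
  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    // Step 1: GsonTool.fromJson(json, Type) - tainted JSON text taints the
    // object the call returns. gson is not a modelled framework, so without
    // this step `triggerParam` is never tainted.
    exists(MethodCall call |
      call.getMethod().hasName("fromJson") and
      call.getMethod().getDeclaringType().hasName("GsonTool") and
      node1.asExpr() = call.getArgument(0) and
      node2.asExpr() = call
    )
    or
    // Step 2: obj.getJobId() - a tainted qualifier taints the getter result.
    // The object was produced by an unmodelled call, so no field-level taint
    // exists for the library to propagate; adding the step explicitly is harmless
    // on versions that would already propagate it.
    exists(MethodCall call |
      call.getMethod().hasName("getJobId") and
      node1.asExpr() = call.getQualifier() and
      node2.asExpr() = call
    )
  }
}

module RequestDataFlow = TaintTracking::Global<RequestDataConfig>;

from RequestDataFlow::PathNode source, RequestDataFlow::PathNode sink
where RequestDataFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "Request data from $@ reaches loadJobThread through Gson deserialisation.",
  source.getNode(), "this parameter"
```

Matching on the declaring type name keeps the extra steps narrow; a step written only on the method name `fromJson` would also apply to every other JSON library in the code base and inflate the result set. Check each added step once in the results viewer before relying on it, since an over-broad `isAdditionalFlowStep` is the usual cause of noisy taint results.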

@fraudV
Author

fraudV commented May 14, 2025

> Hi @fraudV
>
> Am I following correctly that you would like taint to flow through both GsonTool.fromJson (going from requestParam to paramTrigger) and then through the .getJobId() method call of requestParam?
>
> I'm afraid that is not available automatically: gson is not listed as a supported framework in this list. I can raise this to the internal team, to see if built-in support is coming any time soon. In the meantime, you will probably need to model the missing flow yourself implementing the predicate isAdditionalFlowStep(Node node1, Node node2) in your DataFlow::ConfigSig implementation to add any flows you're missing.

Okay, I see. Thank you very much.
