Inspectopedia
 
2024.3

Non-safe string is passed to safe method

Warning
New
Last modified: 03 December 2024

Reports cases when a non-safe object is passed to a method with a parameter marked with @Untainted annotations, returned from annotated methods or assigned to annotated fields, parameters, or local variables. Kotlin set and get methods for fields are not supported as entry points.

A safe object (in the same class) is:

  • a string literal, interface instance, or enum object

  • a result of a call of a method that is marked as @Untainted

  • a private field, which is assigned only with a string literal and has a safe initializer

  • a final field, which has a safe initializer

  • local variable or parameter that are marked as @Untainted and are not assigned from non-safe objects

This field, local variable, or parameter must not be passed as arguments to methods or used as a qualifier or must be a primitive, its wrapper or immutable.

Also static final fields are considered as safe.

The analysis is performed only inside one file. To process dependencies from other classes, use options. The analysis extends to private or static methods and has a limit of depth propagation.

Example:

Here we do not have non-safe string assignments to s so a warning is not produced. On the other hand:

Here we have a warning since s1 has an unknown state after foo call result assignment.

New in 2021.2