https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106007
Tim Lange <tlange at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tlange at gcc dot gnu.org

--- Comment #3 from Tim Lange <tlange at gcc dot gnu.org> ---
(In reply to David Malcolm from comment #2)
> Currently the taint analysis only has handling for numeric arguments being
> bounds-checked.
>
> How can string arguments transition to a "sanitized" state? Or are string
> arguments always tainted once they've acquired taint?

Many papers introduce sanitizers/taint killers/... besides sources and sinks, which are also manually-defined methods. Two prime examples in webdev are XSS and SQL query escaping methods that replace special characters such that the user input is not interpreted. I don't think you can automatically find out that a method is a sanitizer unless you would track the interesting part of the string on a byte level.
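As an added illustration of the two options discussed in this comment (this is a toy Python model written for this page, not GCC analyzer code and not from the bug report): taint is tracked per character, so an escaper's replacement bytes come out untainted while pass-through bytes keep their taint, and a byte-level sink check can then tell a genuine SQL escaper from a function that merely looks like a cleaner, without anyone declaring it a sanitizer. The `SQL_SPECIAL` set and the doubling escape rule are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed assumption: the characters the SQL sink must never receive
# while still attacker-controlled.
SQL_SPECIAL = frozenset("'\\")


@dataclass(frozen=True)
class Tainted:
    """A string plus one taint bit per character (True = attacker-controlled)."""
    text: str
    taint: tuple


def source(user_input: str) -> Tainted:
    """Taint source: every character of user input starts out tainted."""
    return Tainted(user_input, (True,) * len(user_input))


def concat(a: Tainted, b: Tainted) -> Tainted:
    """Ordinary string operation: per-character taint propagates unchanged."""
    return Tainted(a.text + b.text, a.taint + b.taint)


def sql_escape(s: Tainted) -> Tainted:
    """Escaper that doubles quotes and backslashes. The replacement characters
    are produced by trusted code, so they carry no taint; characters passed
    through unchanged keep whatever taint they had."""
    text, taint = [], []
    for ch, t in zip(s.text, s.taint):
        if ch in SQL_SPECIAL:
            text.append(ch * 2)
            taint += [False, False]
        else:
            text.append(ch)
            taint.append(t)
    return Tainted("".join(text), tuple(taint))


def strip_spaces(s: Tainted) -> Tainted:
    """Looks like a cleaner but is NOT a SQL sanitizer: quotes pass through tainted."""
    kept = [(c, t) for c, t in zip(s.text, s.taint) if c != " "]
    return Tainted("".join(c for c, _ in kept), tuple(t for _, t in kept))


def sink_bytewise(s: Tainted) -> bool:
    """Byte-level sink check: safe iff no surviving tainted character is special."""
    return not any(t and c in SQL_SPECIAL for c, t in zip(s.text, s.taint))


def is_sql_sanitizer(fn) -> bool:
    """Decide automatically whether fn sanitizes for the SQL sink: push every
    special character through it tainted and see whether any survives."""
    probe = source("".join(sorted(SQL_SPECIAL)) + "x")
    return sink_bytewise(fn(probe))
```

With only a whole-string taint flag, `sql_escape` would have to be listed by hand as a sanitizer; the per-character bits are what let `is_sql_sanitizer` reach the same conclusion on its own.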