Non-safe string is passed to safe method
Reports cases when a non-safe object is passed to a method with a parameter marked with @Untainted annotations, returned from annotated methods or assigned to annotated fields, parameters, or local variables. Kotlin set and get methods for fields are not supported as entry points.
A safe object (in the same class) is:
a string literal, interface instance, or enum object
a call result of a method that is marked as
@Untainteda private field, which is assigned only with a string literal and has a safe initializer
a final field, which has a safe initializer
local variable or parameter that are marked as
@Untaintedand are not assigned from non-safe objects
This field, local variable, or parameter must not be passed as arguments to methods or used as a qualifier or must be a primitive, its wrapper or immutable. Also static final fields are considered as safe.
The analysis is performed only inside one file. To process dependencies from other classes, use options. The analysis extends to private or static methods and has a limit of depth propagation.
Example:
Here we do not have non-safe string assignments to s so a warning is not produced. On the other hand:
Here we have a warning since s1 has an unknown state after foo call result assignment.
Locating this inspection
- By ID
Can be used to locate inspection in e.g. Qodana configuration files, where you can quickly enable or disable it, or adjust its settings.
tainting- Via Settings dialog
Path to the inspection settings via IntelliJ Platform IDE Settings dialog, when you need to adjust inspection settings directly from your IDE.
Inspection ID: SourceToSinkFlow
New in 2021.2
Inspection options
Here you can find the description of settings available for the Non-safe string is passed to safe method inspection, and the reference of their default values.
- Tainted annotations
Option ID:
taintedAnnotationsDefault value:
[javax.annotation.Tainted, org.checkerframework.checker.tainting.qual.Tainted]- Untainted annotations
Option ID:
untaintedAnnotationsDefault value:
[javax.annotation.Untainted, org.checkerframework.checker.tainting.qual.Untainted]- Tainted parameters
Default value:
None- Untainted parameters
Default value:
None- Untainted parameters
Default value:
None- Consider external methods untainted if receivers and arguments are untainted
Option ID:
processOuterMethodAsQualifierAndArgumentsDefault value:
Selected- Tainted methods
Default value:
None- Untainted methods
Default value:
None- Safe classes
Option ID:
skipClassesDefault value:
[java.lang.Boolean, boolean, kotlin.Boolean, java.lang.Class, kotlin.reflect.KClass]- Untainted fields
Default value:
None- Consider parameters of private methods as safe
Option ID:
parameterOfPrivateMethodIsUntaintedDefault value:
Not selected- Report if the case is too complex to check
Option ID:
warnIfComplexDefault value:
Not selected- Checked types
Option ID:
checkedTypesDefault value:
[java.lang.String]- Methods to clean qualifiers
Default value:
None- Analysis Depth inside the method
Option ID:
depthInsideDefault value:
5- Report unknown object
Option ID:
showUnknownObjectDefault value:
Selected- Report unsafe object
Option ID:
showUnsafeObjectDefault value:
Selected
Suppressing Inspection
You can suppress this inspection by placing the following comment marker before the code fragment where you no longer want messages from this inspection to appear:
More detailed instructions as well as other ways and options that you have can be found in the product documentation:
Inspection Details | |
|---|---|
By default bundled with: |