Do not add the incoming taint to the outgoing set in the CallToReturn Flow Function if a taint wrapper marked the method as exclusive

Previously, that would happen if the summarized function had no callee.

Author: t1mlange

soot-infoflow-integration/test/soot/jimple/infoflow/integration/test/junit/AndroidRegressionTests.java

@@ -88,4 +88,15 @@ public void testKotlinAppWithCollections() throws IOException {
         Assert.assertEquals(4, results.size());
         Assert.assertEquals(4, results.getResultSet().size());
     }
+
+    /**
+     * Tests that the CallToReturnFunction does not pass on taints that were killed
+     * by a taint wrapper that marked the method as exclusive.
+     */
+    @Test
+    public void testMapClear() throws XmlPullParserException, IOException {
+        SetupApplication app = initApplication("testAPKs/MapClearTest.apk");
+        InfoflowResults results = app.runInfoflow("../soot-infoflow-android/SourcesAndSinks.txt");
+        Assert.assertEquals(0, results.size());
+    }
 }

soot-infoflow-integration/testAPKs/MapClearTest.apk

@@ -884,17 +884,13 @@ private Set<Abstraction> computeTargetsInternal(Abstraction d1, Abstraction sour
 						// overwrite them. This is needed e.g. if an heap object
 						// is an argument and leaked twice in the same path.
 						// See also Android Source Sink Tests
-						if (isSink && !manager.getConfig().getInspectSinks()) {
-							if (source != zeroValue)
-								res.add(source);
-						}
+						if (isSink && !manager.getConfig().getInspectSinks() && source != zeroValue && !killSource.value)
+							res.add(source);
 
-						// If method is excluded, add the taint to not
-						// break anything
-						if (isExcluded(callee)) {
-							if (source != zeroValue)
-								res.add(source);
-						}
+						// If method is excluded, add the taint to not break anything
+						// unless one of the rules doesn't want so
+						if (isExcluded(callee) && source != zeroValue && !killSource.value)
+							res.add(source);
 
 						// Static values can be propagated over methods if
 						// the value isn't written inside the method.

soot-infoflow/src/soot/jimple/infoflow/problems/BackwardsInfoflowProblem.java

@@ -812,8 +812,7 @@ private Set<Abstraction> computeTargetsInternal(Abstraction d1, Abstraction sour
 						if (passOn && invExpr instanceof InstanceInvokeExpr
 								&& (manager.getConfig().getInspectSources() || !isSource)
 								&& (manager.getConfig().getInspectSinks() || !isSink) && !isPrimitiveOrString
-								&& newSource.getAccessPath().isInstanceFieldRef() && (hasValidCallees
-										|| (taintWrapper != null && taintWrapper.isExclusive(iCallStmt, newSource)))) {
+								&& newSource.getAccessPath().isInstanceFieldRef() && hasValidCallees) {
 							// If one of the callers does not read the value, we
 							// must pass it on in any case
 							Collection<SootMethod> callees = interproceduralCFG().getCalleesOfCallAt(call);

soot-infoflow/src/soot/jimple/infoflow/problems/InfoflowProblem.java

@@ -179,9 +179,6 @@ public Collection<Abstraction> propagateCallToReturnFlow(Abstraction d1, Abstrac
 							abs = abs.deriveNewAbstractionWithTurnUnit(stmt);
 						}
 					}
-
-					if (!killSource.value && absAp.equals(sourceAp))
-						killSource.value = source != abs;
 				}
 
 				if (addAbstraction)
@@ -190,6 +187,10 @@ public Collection<Abstraction> propagateCallToReturnFlow(Abstraction d1, Abstrac
 			res = resWAliases;
 		}
 
+		// We assume that a taint wrapper returns the complete set of taints for exclusive methods. Thus, if the
+		// incoming taint should be kept alive, the taint wrapper needs to add it to the outgoing set.
+		killSource.value |= wrapper.isExclusive(stmt, source);
+
 		if (res != null)
 			for (Abstraction abs : res)
 				if (abs != source)

soot-infoflow/src/soot/jimple/infoflow/problems/rules/backward/BackwardsWrapperRule.java

@@ -47,7 +47,8 @@ public Collection<Abstraction> propagateNormalFlow(Abstraction d1, Abstraction s
 	 * @param source The taint source
 	 * @return The taints computed by the wrapper
 	 */
-	private Set<Abstraction> computeWrapperTaints(Abstraction d1, final Stmt iStmt, Abstraction source) {
+	private Set<Abstraction> computeWrapperTaints(Abstraction d1, final Stmt iStmt, Abstraction source,
+												  ByReferenceBoolean killSource) {
 		// Do not process zero abstractions
 		if (source == getZeroValue())
 			return null;
@@ -102,6 +103,10 @@ private Set<Abstraction> computeWrapperTaints(Abstraction d1, final Stmt iStmt,
 			res = resWithAliases;
 		}
 
+		// We assume that a taint wrapper returns the complete set of taints for exclusive methods. Thus, if the
+		// incoming taint should be kept alive, the taint wrapper needs to add it to the outgoing set.
+		killSource.value = manager.getTaintWrapper() != null && manager.getTaintWrapper().isExclusive(iStmt, source);
+
 		return res;
 	}
 
@@ -145,20 +150,7 @@ protected void checkAndPropagateAlias(Abstraction d1, final Stmt iStmt, Set<Abst
 	public Collection<Abstraction> propagateCallToReturnFlow(Abstraction d1, Abstraction source, Stmt stmt,
 			ByReferenceBoolean killSource, ByReferenceBoolean killAll) {
 		// Compute the taint wrapper taints
-		Collection<Abstraction> wrapperTaints = computeWrapperTaints(d1, stmt, source);
-		if (wrapperTaints != null) {
-			// If the taint wrapper generated an abstraction for
-			// the incoming access path, we assume it to be handled
-			// and do not pass on the incoming abstraction on our own
-			for (Abstraction wrapperAbs : wrapperTaints)
-				if (wrapperAbs.getAccessPath().equals(source.getAccessPath())) {
-					if (wrapperAbs != source)
-						killSource.value = true;
-					break;
-				}
-		}
-
-		return wrapperTaints;
+		return computeWrapperTaints(d1, stmt, source, killSource);
 	}
 
 	@Override