Sorry and an update

For those who follow this site, sorry for being absent. And now a warning for those who follow this site: I will be absent again. I’m not the most reliable blogger I know, but that doesn’t prevent me from posting once in a while.

So what have I been doing lately? Well, I’ve created an app called IssueFinder. It technically doesn’t find issues but helps in organising them. I am planning to use this corner to post more on progress/ideas.

I should have known better

This whole issue with the SecurityManager is actually a non-issue. As it isn’t loaded through the bootstrap classloader, I’ve got control over it. A clear case of missing good logging.

Currently I’m trying to figure out how to see which locations are available to the ClassPool as that’s driving javassist with the ability to load a particular class (especially since I’ve got an error loading java.util.concurrent.Callable which is a base interface).

I think that I’ll focus on clear logging for the moment to be able to avoid these types of problems.

After the silence

I’ve been silent a long time. I know. I’m sorry.
I’ve been very busy with my ordinary work, family and OWASP, so this project had to take a back seat. But that didn’t mean that it was completely forgotten.

As I mentioned in my previous post, I’m dabbling with Gradle as a build environment, which is quite a relief compared to ant or Maven (although I have to admit that I’m reverting back to ant and Ivy as soon as stuff goes a bit wonky). Next to Gradle I’ve started with Scala as well, which is in some respects even a nicer language than Java itself (although Java still is my default go-to language).

Between my last post and this one I’ve also been trying to check any class that implements the java.sql.Statement interface, as in, I want to identify a taint trace in the next bit of code:

	import java.sql.Connection;
	import java.sql.DriverManager;
	import java.sql.ResultSet;
	import java.sql.Statement;
	import static org.junit.Assert.fail;

	// abstract so the snippet compiles: getUserName() is the tainted source,
	// supplied by the concrete test class
	public abstract class SQLTaintTest {

		abstract String getUserName();

		public void testSQL() {
			// taint source flows straight into the query string by concatenation
			String sql = "SELECT * FROM contacts WHERE name='"+getUserName()+"'";

			Connection connection;
			try {
				connection = DriverManager.getConnection("jdbc:hsqldb:mem:mymemdb", "SA", "");
				connection.createStatement().executeUpdate("create table contacts (name varchar(45),email varchar(45),phone varchar(45))");
				System.out.println("[*] Database created");
				Statement statement = null;
				ResultSet resultSet = null;

				statement = connection.createStatement();
				// it should fail here: the sink, executeQuery on a Statement, receives the tainted string
				resultSet = statement.executeQuery(sql);

				fail("Should not get here");
			} catch (Exception e) {
				System.err.println("Got an exception! ");
			}
		}
	}

For a long time I had been unsuccessful, solely for the reason that I had my test setup wrong. These last months/weeks have been a learning experience about the bootstrap and the other classloaders. But most of all, I’ve learned that if you define your execution path wrong (as in, having the database jar in the bootclasspath instead of the classpath) it goes wrong.
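The two problems in the posts above, not being able to see which locations a javassist ClassPool searches, and checking whether a class implements java.sql.Statement, can both be made visible with a small probe. The following is an added example written for this page; it is not IssueFinder code. It assumes javassist is on the classpath and that any extra jar or directory paths (for instance the JDBC driver jar) are passed as command-line arguments; the class names it checks are JDK ones so it runs without a driver. When a lookup fails it prints the pool's search path rather than a bare stack trace, which is exactly the logging that would have exposed the bootclasspath-versus-classpath mistake earlier.

```java
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.LoaderClassPath;
import javassist.NotFoundException;

// Added example: inspect what a javassist ClassPool can see and test whether a
// class is a java.sql.Statement implementation. Not part of IssueFinder.
public class ClassPoolProbe {

	// Build a pool that searches the system path, the loader that loaded this
	// class, the thread context loader, and any extra jar/dir paths given (assumed input).
	static ClassPool buildPool(String... extraPaths) throws NotFoundException {
		ClassPool pool = new ClassPool(true); // true: include javassist's default system search path
		pool.appendClassPath(new ClassClassPath(ClassPoolProbe.class));
		pool.appendClassPath(new LoaderClassPath(Thread.currentThread().getContextClassLoader()));
		for (String path : extraPaths) {
			pool.appendClassPath(path); // a jar file or directory; NotFoundException if it does not exist
		}
		return pool;
	}

	// True when className is java.sql.Statement itself or any subtype of it
	// (PreparedStatement, CallableStatement, a driver's concrete Statement class).
	static boolean implementsStatement(ClassPool pool, String className) throws NotFoundException {
		CtClass candidate = pool.get(className);
		CtClass statement = pool.get("java.sql.Statement");
		return candidate.subtypeOf(statement);
	}

	// Resolve a class; on failure log the search path so the missing location is obvious.
	static boolean canResolve(ClassPool pool, String className) {
		try {
			pool.get(className);
			return true;
		} catch (NotFoundException e) {
			// ClassPool.toString() returns the class search path
			System.err.println("[!] " + className + " not found; ClassPool search path: " + pool);
			return false;
		}
	}

	public static void main(String[] args) throws NotFoundException {
		ClassPool pool = buildPool(args);
		System.out.println("[*] ClassPool search path: " + pool);

		// The base interface the post above failed to load; it is in the JDK, so it must resolve here.
		System.out.println("[*] java.util.concurrent.Callable resolvable: "
				+ canResolve(pool, "java.util.concurrent.Callable"));

		// JDK-only checks: the first two are Statement subtypes, String is not.
		String[] names = {"java.sql.PreparedStatement", "java.sql.CallableStatement", "java.lang.String"};
		for (String name : names) {
			System.out.println("[*] " + name + " implements java.sql.Statement: "
					+ implementsStatement(pool, name));
		}
	}
}
```

Run it with the driver jar as an argument (`java -cp javassist.jar:. ClassPoolProbe /path/to/driver.jar`, path is a placeholder) and add the driver's Statement class name to the loop to confirm the pool can both find the class and classify it; if the jar was put on the bootclasspath instead, the printed search path shows that the pool was never told about it.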

I only discovered that by reverting back to ant and Ivy and tracking it in more detail.

Next I will clean up my code and recreate it using Gradle and also start testing with other languages. Still have to decide which language I’ll focus on next.
Perhaps I’ve played with Scala long enough to choose it as the next target.