public bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax)
{
if (!syntax.ToString().Contains("FilePathResult"))
{
return(false);
}
var symbol = model.GetSymbolInfo(syntax).Symbol as IMethodSymbol;
if (symbol.IsCtorFor("System.Web.Mvc.FilePathResult"))
{
if (syntax.ArgumentList.Arguments.Count > 0)
{
var argSyntax = syntax.ArgumentList.Arguments[0].Expression;
var expressionAnalyzer = ExpressionSyntaxAnalyzerFactory.Create(argSyntax);
if (expressionAnalyzer.CanSuppress(model, argSyntax))
{
return(false);
}
//TODO: if still vulnerable after eliminating any low hanging fruit - then we need to perform data flow analysis
}
return(true);
}
return(false);
}
public bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax)
{
if (!syntax.ToString().Contains("Redirect"))
{
return(false);
}
var symbol = model.GetSymbolInfo(syntax).Symbol as IMethodSymbol;
if (symbol?.Name == "Redirect" && symbol?.ReceiverType.ToString() == "System.Web.Mvc.Controller")
{
if (syntax.ArgumentList.Arguments.Count == 1)
{
var argSyntax = syntax.ArgumentList.Arguments[0].Expression;
var expressionAnalyzer = ExpressionSyntaxAnalyzerFactory.Create(argSyntax);
if (expressionAnalyzer.CanSuppress(model, argSyntax))
{
return(false);
}
//TODO: if still vulnerable after eliminating any low hanging fruit - then we need to perform data flow analysis
}
return(true);
}
return(false);
}
public bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax)
{
if (!ContainsFileOpenCommands(syntax))
{
return(false);
}
var symbol = model.GetSymbolInfo(syntax).Symbol as IMethodSymbol;
if (!IsFileOpenCommand(symbol))
{
return(false);
}
if (syntax.ArgumentList.Arguments.Count > 0)
{
var argSyntax = syntax.ArgumentList.Arguments[0].Expression;
var expressionAnalyzer = ExpressionSyntaxAnalyzerFactory.Create(argSyntax);
if (expressionAnalyzer.CanSuppress(model, argSyntax))
{
return(false);
}
//TODO: if still vulnerable after eliminating any low hanging fruit - then we need to perform data flow analysis
}
return(true);
}
public bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax)
{
if (ContainsSearchCommands(syntax))
{
var symbol = model.GetSymbolInfo(syntax).Symbol as IMethodSymbol;
if (IsSearchCommand(symbol))
{
var memberAccess = syntax.Expression as MemberAccessExpressionSyntax;
var identifier = memberAccess?.Expression as IdentifierNameSyntax;
var containingBlock = syntax.FirstAncestorOrSelf <BlockSyntax>();
if (containingBlock == null)
{
return(false);
}
var filter = GetFilterFromConstructor(model, containingBlock, identifier) ??
GetFilterFromAssignment(containingBlock, identifier);
if (filter != null)
{
var expressionSyntax = filter as ExpressionSyntax;
if (expressionSyntax != null)
{
var expressionAnalyzer = ExpressionSyntaxAnalyzerFactory.Create(expressionSyntax);
return(!expressionAnalyzer.CanSuppress(model, expressionSyntax));
}
}
return(true);
}
}
return(false);
}
public bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax)
{
if (!syntax.ToString().Contains("DirectoryEntry"))
{
return(false);
}
var symbol = model.GetSymbolInfo(syntax).Symbol as IMethodSymbol;
if (symbol.IsCtorFor("System.DirectoryServices.DirectoryEntry"))
{
if (syntax.ArgumentList?.Arguments.Count > 0)
{
var argSyntax = syntax.ArgumentList.Arguments[0].Expression;
var expressionAnalyzer = ExpressionSyntaxAnalyzerFactory.Create(argSyntax);
if (expressionAnalyzer.CanSuppress(model, argSyntax))
{
return(false);
}
}
var filter = syntax.Initializer?.Expressions.OfType <AssignmentExpressionSyntax>()
.FirstOrDefault(p => (p.Left as IdentifierNameSyntax)?.Identifier.ValueText == "Path");
if (filter != null)
{
var expressionAnalyzer = ExpressionSyntaxAnalyzerFactory.Create(filter.Right);
if (expressionAnalyzer.CanSuppress(model, filter.Right))
{
return(false);
}
}
if (filter == null && syntax.ArgumentList?.Arguments.Count == 0)
{
return(false);
}
return(true);
}
return(false);
}
public bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax)
{
var leftSyntax = syntax?.Left as MemberAccessExpressionSyntax;
if (leftSyntax == null || leftSyntax.Name.Identifier.ValueText.ToLower() != "text")
{
return(false);
}
var leftSymbol = model.GetSymbolInfo(leftSyntax).Symbol;
if (!leftSymbol.ToString().StartsWith("System.Web.UI.WebControls.Label.Text"))
{
return(false);
}
var expressionAnalyzer = ExpressionSyntaxAnalyzerFactory.Create(syntax.Right);
return(!expressionAnalyzer.CanSuppress(model, syntax.Right));
}
