public FunctionAndMethodAnalyzer Create(ImmutableVariableStorage variableStorage, IIncludeResolver incResolver, AnalysisStacks stacks, CustomFunctionHandler customFuncHandler, IVulnerabilityStorage vulnerabilityStorage, FunctionsHandler fh) { return(new FunctionAndMethodAnalyzer(variableStorage, incResolver, stacks, customFuncHandler, vulnerabilityStorage, fh) { UseSummaries = this.UseSummaries }); }
public FunctionAndMethodAnalyzer Create(ImmutableVariableStorage variableStorage, IIncludeResolver incResolver, AnalysisStacks stacks, CustomFunctionHandler customFuncHandler, IVulnerabilityStorage vulnerabilityStorage) { return new FunctionAndMethodAnalyzer(variableStorage, incResolver, stacks, customFuncHandler, vulnerabilityStorage) { UseSummaries = this.UseSummaries }; }
public CFGTaintInfo(IVariableStorage varTaintIn, IImmutableDictionary <EdgeType, IVariableStorage> varTaintOut) { In = ImmutableVariableStorage.CreateFromMutable(varTaintIn); foreach (var variableStorage in varTaintOut) { Out = Out.Add(variableStorage.Key, ImmutableVariableStorage.CreateFromMutable(variableStorage.Value)); } }
public static IVariableStorage ToMutable(this ImmutableVariableStorage immutableStorage) { return(new VariableStorage( immutableStorage.SuperGlobals.ToDictionary(s => s.Key, s => s.Value.AssignmentClone()), immutableStorage.Globals.ToDictionary(s => s.Key, s => s.Value.AssignmentClone()), immutableStorage.Locals.ToDictionary(s => s.Key, s => s.Value.AssignmentClone()), immutableStorage.ClassVariables.ToDictionary(s => s.Key, s => s.Value.AssignmentClone()), immutableStorage.LocalAccessibleGlobals.ToDictionary(s => s.Key, s => s.Value.AssignmentClone()))); }
public ImmutableVariableStorage GetTaint() { var superglobals = new List <Variable> { new Variable("_GET", VariableScope.SuperGlobal), new Variable("_POST", VariableScope.SuperGlobal), new Variable("_REQUEST", VariableScope.SuperGlobal), new Variable("_COOKIE", VariableScope.SuperGlobal), DefaultServerVariable() }; var globals = new List <Variable> { new Variable("HTTP_GET_VARS", VariableScope.File), new Variable("HTTP_POST_VARS", VariableScope.File), new Variable("HTTP_SERVER_VARS", VariableScope.File), new Variable("HTTP_COOKIE_VARS", VariableScope.File), }; Action <Variable> setDefaultTaint = x => { x.Info.NestedVariableDefaultTaintFactory = _taintedTaintFactory; x.Info.DefaultDimensionTaintFactory = _taintedTaintFactory; x.Info.NestedVariablePossibleStoredDefaultTaintFactory = _untaintedTaintFactory; }; globals.ForEach(setDefaultTaint); superglobals.ForEach(setDefaultTaint); superglobals.AddRange(new[] { new Variable("GLOBALS", VariableScope.SuperGlobal), new Variable("_FILES", VariableScope.SuperGlobal), new Variable("_SESSION", VariableScope.SuperGlobal), new Variable("_ENV", VariableScope.SuperGlobal), }); var rawPost = new Variable("HTTP_RAW_POST_DATA", VariableScope.File) { Info = { Taints = _taintedTaintFactory() } }; var argv = new Variable("argv", VariableScope.File); // Docs: "The first argument $argv[0] is always the name that was used to run the script." - goo.gl/hrek2V argv.Info.Variables.Add(new VariableTreeDimension() { Index = 0, Key = "0" }, new Variable("0", VariableScope.Instance)); globals.AddRange(new[] { rawPost, argv }); var varStorage = new VariableStorage(); varStorage.SuperGlobals.AddRange(superglobals.ToDictionary(s => s.Name, s => s)); varStorage.GlobalVariables.AddRange(globals.ToDictionary(g => g.Name, g => g)); return(ImmutableVariableStorage.CreateFromMutable(varStorage)); }
/// <summary> /// Analyses a custom function in for security issues, with the currenctly known taint for actual parameters. /// </summary> /// <returns>A TainSets for the custom function that is being analyzed</returns> /// <param name="customFunction">Custom function object to perform the analysis on</param> /// <param name="varStorage">The currently known variable storage (this is to included because of superglobals, globals etc.)</param> /// <param name="paramActualVals">Parameter actual values</param> /// <param name="resolver">File inclusion resolver</param> /// <param name="includeStack">Currently known includes</param> /// <param name="functionCalls">Currently known function calls</param> internal ExpressionInfo AnalyseCustomFunction(Function customFunction, ImmutableVariableStorage varStorage, IVulnerabilityStorage vulnerabilityStorage, IList <ExpressionInfo> paramActualVals, IIncludeResolver resolver, AnalysisStacks stacks) { var stmts = customFunction.AstNode.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Stmts).FirstChild; var traverser = new XmlTraverser(); var cfgcreator = new CFGCreator(); traverser.AddVisitor(cfgcreator); traverser.Traverse(stmts); var cfgPruner = new CFGPruner(); cfgPruner.Prune(cfgcreator.Graph); var initialTaint = varStorage.ToMutable(); initialTaint.SuperGlobals.Clear(); initialTaint.SuperGlobals.AddRange(varStorage.SuperGlobals); initialTaint.LocalVariables.Clear(); initialTaint.LocalAccessibleGlobals.Clear(); for (int i = 1; i <= paramActualVals.Count; i++) { var paramFormal = customFunction.Parameters.FirstOrDefault(x => x.Key.Item1 == i); if (paramFormal.Value == null) { continue; } var @var = new Variable(paramFormal.Value.Name, VariableScope.Function) { Info = paramActualVals[i - 1].ValueInfo }; initialTaint.LocalVariables.Add(paramFormal.Value.Name, @var); } var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, resolver, AnalysisScope.Function, fileAnalyzer, stacks, subroutineAnalyzerFactory, _funcHandler); blockAnalyzer.AnalysisExtensions.AddRange(AnalysisExtensions); var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.Function, resolver, stacks.IncludeStack, _funcHandler); var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, ImmutableVariableStorage.CreateFromMutable(initialTaint)); //var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist()); var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(cfgcreator.Graph)); taintAnalysis.Analyze(cfgcreator.Graph); var exprInfoAll = new ExpressionInfo(); foreach (ExpressionInfo exprInfo in blockAnalyzer.ReturnInfos) { exprInfoAll = exprInfoAll.Merge(exprInfo); } return(exprInfoAll); }
public FunctionAndMethodAnalyzer(ImmutableVariableStorage variableStorage, IIncludeResolver incResolver, AnalysisStacks stacks, CustomFunctionHandler customFuncHandler, IVulnerabilityStorage vulnerabilityStorage, FunctionsHandler fh) { this._varStorage = variableStorage; this._incResolver = incResolver; this._stacks = stacks; this._customFunctionHandler = customFuncHandler; this._vulnerabilityStorage = vulnerabilityStorage; this._funcHandler = fh; }
public ImmutableVariableStorage Analyze(XmlNode node, ImmutableVariableStorage knownTaint) { Preconditions.NotNull(knownTaint, "knownTaint"); _variableStorage = knownTaint.ToMutable(); _varResolver = new VariableResolver(_variableStorage, _analysisScope); Analyze(node); return ImmutableVariableStorage.CreateFromMutable(_variableStorage); }
public TaintAnalysis(TaintBlockAnalyzer blockAnalyzer, ConditionTaintAnalyser condAnalyser, ImmutableVariableStorage initialTaint) { Preconditions.NotNull(blockAnalyzer, "blockAnalyzer"); Preconditions.NotNull(initialTaint, "initialTaint"); Preconditions.NotNull(condAnalyser, "condAnalyzer"); this._blockAnalyzer = blockAnalyzer; this._conditionTaintAnalyser = condAnalyser; this.initialTaint = initialTaint; this._taints = new Dictionary <CFGBlock, CFGTaintInfo>(); }
public TaintAnalysis(TaintBlockAnalyzer blockAnalyzer, ConditionTaintAnalyser condAnalyser, ImmutableVariableStorage initialTaint) { Preconditions.NotNull(blockAnalyzer, "blockAnalyzer"); Preconditions.NotNull(initialTaint, "initialTaint"); Preconditions.NotNull(condAnalyser, "condAnalyzer"); this._blockAnalyzer = blockAnalyzer; this._conditionTaintAnalyser = condAnalyser; this.initialTaint = initialTaint; this._taints = new Dictionary<CFGBlock, CFGTaintInfo>(); }
/// <summary> /// Analyses a custom function in for security issues, with the currenctly known taint for actual parameters. /// </summary> /// <returns>A TainSets for the custom function that is being analyzed</returns> /// <param name="customFunction">Custom function object to perform the analysis on</param> /// <param name="varStorage">The currently known variable storage (this is to included because of superglobals, globals etc.)</param> /// <param name="paramActualVals">Parameter actual values</param> /// <param name="resolver">File inclusion resolver</param> /// <param name="includeStack">Currently known includes</param> /// <param name="functionCalls">Currently known function calls</param> internal ExpressionInfo AnalyseCustomFunction(Function customFunction, ImmutableVariableStorage varStorage, IVulnerabilityStorage vulnerabilityStorage, IList<ExpressionInfo> paramActualVals, IIncludeResolver resolver, AnalysisStacks stacks) { var stmts = customFunction.AstNode.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Stmts).FirstChild; var traverser = new XmlTraverser(); var cfgcreator = new CFGCreator(); traverser.AddVisitor(cfgcreator); traverser.Traverse(stmts); var cfgPruner = new CFGPruner(); cfgPruner.Prune(cfgcreator.Graph); var initialTaint = varStorage.ToMutable(); initialTaint.SuperGlobals.Clear(); initialTaint.SuperGlobals.AddRange(varStorage.SuperGlobals); initialTaint.LocalVariables.Clear(); initialTaint.LocalAccessibleGlobals.Clear(); for(int i = 1; i <= paramActualVals.Count; i++) { var paramFormal = customFunction.Parameters.FirstOrDefault(x => x.Key.Item1 == i); if (paramFormal.Value == null) { continue; } var @var = new Variable(paramFormal.Value.Name, VariableScope.Function) {Info = paramActualVals[i - 1].ValueInfo}; initialTaint.LocalVariables.Add(paramFormal.Value.Name, @var); } var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, resolver, AnalysisScope.Function, fileAnalyzer, stacks, subroutineAnalyzerFactory); blockAnalyzer.AnalysisExtensions.AddRange(AnalysisExtensions); var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.Function, resolver, stacks.IncludeStack); var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, ImmutableVariableStorage.CreateFromMutable(initialTaint)); //var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist()); var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(cfgcreator.Graph)); taintAnalysis.Analyze(cfgcreator.Graph); var exprInfoAll = new ExpressionInfo(); foreach (ExpressionInfo exprInfo in blockAnalyzer.ReturnInfos) { exprInfoAll = exprInfoAll.Merge(exprInfo); } return exprInfoAll; }
public IImmutableDictionary<EdgeType, ImmutableVariableStorage> AnalyzeCond(XmlNode node, ImmutableVariableStorage knownTaint) { Preconditions.NotNull(knownTaint, "knownTaint"); _variables.Remove(EdgeType.Normal); _variables.Add(EdgeType.Normal, knownTaint.ToMutable()); _varResolver = new VariableResolver(_variables[EdgeType.Normal], _analysisScope); _variables.Remove(EdgeType.False); _variables.Remove(EdgeType.True); Analyze(node); isConditional = false; var variablestore = _variables.Keys.ToDictionary(edgetype => edgetype, edgetype => ImmutableVariableStorage.CreateFromMutable(_variables[edgetype])); return ImmutableDictionary<EdgeType, ImmutableVariableStorage>.Empty.AddRange(variablestore); }
public ImmutableVariableStorage GetTaint() { var defaultTaint = new DefaultTaintProvider().GetTaint(); var variableStorage = defaultTaint.ToMutable(); foreach (var superGlobal in variableStorage.SuperGlobals) { foreach (var var in superGlobal.Value.Info.Variables) { var newTaint = var.Value.Info.Taints.DeepClone(); if (newTaint.SqliTaint.Single().TaintTag > SQLITaint.SQL_NoQ) { newTaint.SqliTaint.Clear(); newTaint.SqliTaint.Add(new SQLITaintSet(SQLITaint.SQL_NoQ)); } var.Value.Info.Taints = newTaint; var.Value.Info.DefaultDimensionTaintFactory = () => new TaintSets(new SQLITaintSet(SQLITaint.SQL_NoQ), new XSSTaintSet(XSSTaint.XSS_ALL)); var.Value.Info.NestedVariableDefaultTaintFactory = var.Value.Info.DefaultDimensionTaintFactory; } } var wpdbGlobal = new Variable("wpdb", VariableScope.File); var prefixVar = new Variable("prefix", VariableScope.Instance) { Info = { Value = "Eir_" } }; wpdbGlobal.Info.Variables.Add(new VariableTreeDimension() { Key = "prefix" }, prefixVar); wpdbGlobal.Info.ClassNames.Add("wpdb"); variableStorage.GlobalVariables.Add("wpdb", wpdbGlobal); return(ImmutableVariableStorage.CreateFromMutable(variableStorage)); }
public IImmutableDictionary <EdgeType, ImmutableVariableStorage> AnalyzeCond(XmlNode node, ImmutableVariableStorage knownTaint) { Preconditions.NotNull(knownTaint, "knownTaint"); _variables.Remove(EdgeType.Normal); _variables.Add(EdgeType.Normal, knownTaint.ToMutable()); _varResolver = new VariableResolver(_variables[EdgeType.Normal], _analysisScope); _variables.Remove(EdgeType.False); _variables.Remove(EdgeType.True); Analyze(node); isConditional = false; var variablestore = _variables.Keys.ToDictionary(edgetype => edgetype, edgetype => ImmutableVariableStorage.CreateFromMutable(_variables[edgetype])); return(ImmutableDictionary <EdgeType, ImmutableVariableStorage> .Empty.AddRange(variablestore)); }
public CFGTaintInfo(ImmutableVariableStorage varTaintIn, IImmutableDictionary <EdgeType, ImmutableVariableStorage> varTaintOut) { In = varTaintIn; Out = varTaintOut.ToImmutableDictionary(); }