public FunctionAndMethodAnalyzer Create(ImmutableVariableStorage variableStorage, IIncludeResolver incResolver,
AnalysisStacks stacks, CustomFunctionHandler customFuncHandler,
IVulnerabilityStorage vulnerabilityStorage, FunctionsHandler fh)
{
return(new FunctionAndMethodAnalyzer(variableStorage, incResolver, stacks, customFuncHandler, vulnerabilityStorage, fh)
{
UseSummaries = this.UseSummaries
});
}
public FunctionAndMethodAnalyzer Create(ImmutableVariableStorage variableStorage, IIncludeResolver incResolver,
AnalysisStacks stacks, CustomFunctionHandler customFuncHandler,
IVulnerabilityStorage vulnerabilityStorage)
{
return new FunctionAndMethodAnalyzer(variableStorage, incResolver, stacks, customFuncHandler, vulnerabilityStorage)
{
UseSummaries = this.UseSummaries
};
}
public CFGTaintInfo(IVariableStorage varTaintIn,
IImmutableDictionary <EdgeType, IVariableStorage> varTaintOut)
{
In = ImmutableVariableStorage.CreateFromMutable(varTaintIn);
foreach (var variableStorage in varTaintOut)
{
Out = Out.Add(variableStorage.Key, ImmutableVariableStorage.CreateFromMutable(variableStorage.Value));
}
}
public static IVariableStorage ToMutable(this ImmutableVariableStorage immutableStorage)
{
return(new VariableStorage(
immutableStorage.SuperGlobals.ToDictionary(s => s.Key, s => s.Value.AssignmentClone()),
immutableStorage.Globals.ToDictionary(s => s.Key, s => s.Value.AssignmentClone()),
immutableStorage.Locals.ToDictionary(s => s.Key, s => s.Value.AssignmentClone()),
immutableStorage.ClassVariables.ToDictionary(s => s.Key, s => s.Value.AssignmentClone()),
immutableStorage.LocalAccessibleGlobals.ToDictionary(s => s.Key, s => s.Value.AssignmentClone())));
}
public ImmutableVariableStorage GetTaint()
{
var superglobals = new List <Variable> {
new Variable("_GET", VariableScope.SuperGlobal),
new Variable("_POST", VariableScope.SuperGlobal),
new Variable("_REQUEST", VariableScope.SuperGlobal),
new Variable("_COOKIE", VariableScope.SuperGlobal),
DefaultServerVariable()
};
var globals = new List <Variable> {
new Variable("HTTP_GET_VARS", VariableScope.File),
new Variable("HTTP_POST_VARS", VariableScope.File),
new Variable("HTTP_SERVER_VARS", VariableScope.File),
new Variable("HTTP_COOKIE_VARS", VariableScope.File),
};
Action <Variable> setDefaultTaint = x =>
{
x.Info.NestedVariableDefaultTaintFactory = _taintedTaintFactory;
x.Info.DefaultDimensionTaintFactory = _taintedTaintFactory;
x.Info.NestedVariablePossibleStoredDefaultTaintFactory = _untaintedTaintFactory;
};
globals.ForEach(setDefaultTaint);
superglobals.ForEach(setDefaultTaint);
superglobals.AddRange(new[]
{
new Variable("GLOBALS", VariableScope.SuperGlobal),
new Variable("_FILES", VariableScope.SuperGlobal),
new Variable("_SESSION", VariableScope.SuperGlobal),
new Variable("_ENV", VariableScope.SuperGlobal),
});
var rawPost = new Variable("HTTP_RAW_POST_DATA", VariableScope.File)
{
Info = { Taints = _taintedTaintFactory() }
};
var argv = new Variable("argv", VariableScope.File);
// Docs: "The first argument $argv[0] is always the name that was used to run the script." - goo.gl/hrek2V
argv.Info.Variables.Add(new VariableTreeDimension()
{
Index = 0, Key = "0"
}, new Variable("0", VariableScope.Instance));
globals.AddRange(new[] { rawPost, argv });
var varStorage = new VariableStorage();
varStorage.SuperGlobals.AddRange(superglobals.ToDictionary(s => s.Name, s => s));
varStorage.GlobalVariables.AddRange(globals.ToDictionary(g => g.Name, g => g));
return(ImmutableVariableStorage.CreateFromMutable(varStorage));
}
/// <summary>
/// Analyses a custom function in for security issues, with the currenctly known taint for actual parameters.
/// </summary>
/// <returns>A TainSets for the custom function that is being analyzed</returns>
/// <param name="customFunction">Custom function object to perform the analysis on</param>
/// <param name="varStorage">The currently known variable storage (this is to included because of superglobals, globals etc.)</param>
/// <param name="paramActualVals">Parameter actual values</param>
/// <param name="resolver">File inclusion resolver</param>
/// <param name="includeStack">Currently known includes</param>
/// <param name="functionCalls">Currently known function calls</param>
internal ExpressionInfo AnalyseCustomFunction(Function customFunction, ImmutableVariableStorage varStorage, IVulnerabilityStorage vulnerabilityStorage,
IList <ExpressionInfo> paramActualVals, IIncludeResolver resolver, AnalysisStacks stacks)
{
var stmts = customFunction.AstNode.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Stmts).FirstChild;
var traverser = new XmlTraverser();
var cfgcreator = new CFGCreator();
traverser.AddVisitor(cfgcreator);
traverser.Traverse(stmts);
var cfgPruner = new CFGPruner();
cfgPruner.Prune(cfgcreator.Graph);
var initialTaint = varStorage.ToMutable();
initialTaint.SuperGlobals.Clear();
initialTaint.SuperGlobals.AddRange(varStorage.SuperGlobals);
initialTaint.LocalVariables.Clear();
initialTaint.LocalAccessibleGlobals.Clear();
for (int i = 1; i <= paramActualVals.Count; i++)
{
var paramFormal = customFunction.Parameters.FirstOrDefault(x => x.Key.Item1 == i);
if (paramFormal.Value == null)
{
continue;
}
var @var = new Variable(paramFormal.Value.Name, VariableScope.Function)
{
Info = paramActualVals[i - 1].ValueInfo
};
initialTaint.LocalVariables.Add(paramFormal.Value.Name, @var);
}
var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, resolver, AnalysisScope.Function, fileAnalyzer, stacks, subroutineAnalyzerFactory, _funcHandler);
blockAnalyzer.AnalysisExtensions.AddRange(AnalysisExtensions);
var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.Function, resolver, stacks.IncludeStack, _funcHandler);
var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, ImmutableVariableStorage.CreateFromMutable(initialTaint));
//var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(cfgcreator.Graph));
taintAnalysis.Analyze(cfgcreator.Graph);
var exprInfoAll = new ExpressionInfo();
foreach (ExpressionInfo exprInfo in blockAnalyzer.ReturnInfos)
{
exprInfoAll = exprInfoAll.Merge(exprInfo);
}
return(exprInfoAll);
}
public FunctionAndMethodAnalyzer(ImmutableVariableStorage variableStorage, IIncludeResolver incResolver,
AnalysisStacks stacks, CustomFunctionHandler customFuncHandler,
IVulnerabilityStorage vulnerabilityStorage, FunctionsHandler fh)
{
this._varStorage = variableStorage;
this._incResolver = incResolver;
this._stacks = stacks;
this._customFunctionHandler = customFuncHandler;
this._vulnerabilityStorage = vulnerabilityStorage;
this._funcHandler = fh;
}
public ImmutableVariableStorage Analyze(XmlNode node, ImmutableVariableStorage knownTaint)
{
Preconditions.NotNull(knownTaint, "knownTaint");
_variableStorage = knownTaint.ToMutable();
_varResolver = new VariableResolver(_variableStorage, _analysisScope);
Analyze(node);
return ImmutableVariableStorage.CreateFromMutable(_variableStorage);
}
public TaintAnalysis(TaintBlockAnalyzer blockAnalyzer, ConditionTaintAnalyser condAnalyser, ImmutableVariableStorage initialTaint)
{
Preconditions.NotNull(blockAnalyzer, "blockAnalyzer");
Preconditions.NotNull(initialTaint, "initialTaint");
Preconditions.NotNull(condAnalyser, "condAnalyzer");
this._blockAnalyzer = blockAnalyzer;
this._conditionTaintAnalyser = condAnalyser;
this.initialTaint = initialTaint;
this._taints = new Dictionary <CFGBlock, CFGTaintInfo>();
}
public TaintAnalysis(TaintBlockAnalyzer blockAnalyzer, ConditionTaintAnalyser condAnalyser, ImmutableVariableStorage initialTaint)
{
Preconditions.NotNull(blockAnalyzer, "blockAnalyzer");
Preconditions.NotNull(initialTaint, "initialTaint");
Preconditions.NotNull(condAnalyser, "condAnalyzer");
this._blockAnalyzer = blockAnalyzer;
this._conditionTaintAnalyser = condAnalyser;
this.initialTaint = initialTaint;
this._taints = new Dictionary<CFGBlock, CFGTaintInfo>();
}
/// <summary>
/// Analyses a custom function in for security issues, with the currenctly known taint for actual parameters.
/// </summary>
/// <returns>A TainSets for the custom function that is being analyzed</returns>
/// <param name="customFunction">Custom function object to perform the analysis on</param>
/// <param name="varStorage">The currently known variable storage (this is to included because of superglobals, globals etc.)</param>
/// <param name="paramActualVals">Parameter actual values</param>
/// <param name="resolver">File inclusion resolver</param>
/// <param name="includeStack">Currently known includes</param>
/// <param name="functionCalls">Currently known function calls</param>
internal ExpressionInfo AnalyseCustomFunction(Function customFunction, ImmutableVariableStorage varStorage, IVulnerabilityStorage vulnerabilityStorage,
IList<ExpressionInfo> paramActualVals, IIncludeResolver resolver, AnalysisStacks stacks)
{
var stmts = customFunction.AstNode.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Stmts).FirstChild;
var traverser = new XmlTraverser();
var cfgcreator = new CFGCreator();
traverser.AddVisitor(cfgcreator);
traverser.Traverse(stmts);
var cfgPruner = new CFGPruner();
cfgPruner.Prune(cfgcreator.Graph);
var initialTaint = varStorage.ToMutable();
initialTaint.SuperGlobals.Clear();
initialTaint.SuperGlobals.AddRange(varStorage.SuperGlobals);
initialTaint.LocalVariables.Clear();
initialTaint.LocalAccessibleGlobals.Clear();
for(int i = 1; i <= paramActualVals.Count; i++)
{
var paramFormal = customFunction.Parameters.FirstOrDefault(x => x.Key.Item1 == i);
if (paramFormal.Value == null)
{
continue;
}
var @var = new Variable(paramFormal.Value.Name, VariableScope.Function) {Info = paramActualVals[i - 1].ValueInfo};
initialTaint.LocalVariables.Add(paramFormal.Value.Name, @var);
}
var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, resolver, AnalysisScope.Function, fileAnalyzer, stacks, subroutineAnalyzerFactory);
blockAnalyzer.AnalysisExtensions.AddRange(AnalysisExtensions);
var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.Function, resolver, stacks.IncludeStack);
var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, ImmutableVariableStorage.CreateFromMutable(initialTaint));
//var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(cfgcreator.Graph));
taintAnalysis.Analyze(cfgcreator.Graph);
var exprInfoAll = new ExpressionInfo();
foreach (ExpressionInfo exprInfo in blockAnalyzer.ReturnInfos)
{
exprInfoAll = exprInfoAll.Merge(exprInfo);
}
return exprInfoAll;
}
public IImmutableDictionary<EdgeType, ImmutableVariableStorage> AnalyzeCond(XmlNode node, ImmutableVariableStorage knownTaint)
{
Preconditions.NotNull(knownTaint, "knownTaint");
_variables.Remove(EdgeType.Normal);
_variables.Add(EdgeType.Normal, knownTaint.ToMutable());
_varResolver = new VariableResolver(_variables[EdgeType.Normal], _analysisScope);
_variables.Remove(EdgeType.False);
_variables.Remove(EdgeType.True);
Analyze(node);
isConditional = false;
var variablestore = _variables.Keys.ToDictionary(edgetype => edgetype, edgetype => ImmutableVariableStorage.CreateFromMutable(_variables[edgetype]));
return ImmutableDictionary<EdgeType, ImmutableVariableStorage>.Empty.AddRange(variablestore);
}
public ImmutableVariableStorage GetTaint()
{
var defaultTaint = new DefaultTaintProvider().GetTaint();
var variableStorage = defaultTaint.ToMutable();
foreach (var superGlobal in variableStorage.SuperGlobals)
{
foreach (var var in superGlobal.Value.Info.Variables)
{
var newTaint = var.Value.Info.Taints.DeepClone();
if (newTaint.SqliTaint.Single().TaintTag > SQLITaint.SQL_NoQ)
{
newTaint.SqliTaint.Clear();
newTaint.SqliTaint.Add(new SQLITaintSet(SQLITaint.SQL_NoQ));
}
var.Value.Info.Taints = newTaint;
var.Value.Info.DefaultDimensionTaintFactory = () =>
new TaintSets(new SQLITaintSet(SQLITaint.SQL_NoQ), new XSSTaintSet(XSSTaint.XSS_ALL));
var.Value.Info.NestedVariableDefaultTaintFactory = var.Value.Info.DefaultDimensionTaintFactory;
}
}
var wpdbGlobal = new Variable("wpdb", VariableScope.File);
var prefixVar = new Variable("prefix", VariableScope.Instance)
{
Info = { Value = "Eir_" }
};
wpdbGlobal.Info.Variables.Add(new VariableTreeDimension()
{
Key = "prefix"
}, prefixVar);
wpdbGlobal.Info.ClassNames.Add("wpdb");
variableStorage.GlobalVariables.Add("wpdb", wpdbGlobal);
return(ImmutableVariableStorage.CreateFromMutable(variableStorage));
}
public IImmutableDictionary <EdgeType, ImmutableVariableStorage> AnalyzeCond(XmlNode node, ImmutableVariableStorage knownTaint)
{
Preconditions.NotNull(knownTaint, "knownTaint");
_variables.Remove(EdgeType.Normal);
_variables.Add(EdgeType.Normal, knownTaint.ToMutable());
_varResolver = new VariableResolver(_variables[EdgeType.Normal], _analysisScope);
_variables.Remove(EdgeType.False);
_variables.Remove(EdgeType.True);
Analyze(node);
isConditional = false;
var variablestore = _variables.Keys.ToDictionary(edgetype => edgetype, edgetype => ImmutableVariableStorage.CreateFromMutable(_variables[edgetype]));
return(ImmutableDictionary <EdgeType, ImmutableVariableStorage> .Empty.AddRange(variablestore));
}
public CFGTaintInfo(ImmutableVariableStorage varTaintIn,
IImmutableDictionary <EdgeType, ImmutableVariableStorage> varTaintOut)
{
In = varTaintIn;
Out = varTaintOut.ToImmutableDictionary();
}
