//public static void addMappedView()

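        // Serializes the supplied Struts mappings to a binary file and returns the path written.
        //
        // targetFileOrFolder: either an existing folder (a temp file name + strutsMappingExtension is
        //   generated inside it) or a file path whose parent folder must already exist.
        // Returns "" when strutsMappings is null, when the path is null/empty, or when the parent
        //   folder does not exist. Otherwise returns the path handed to the serializer -- even when the
        //   serializer reports failure, which is only logged, so callers should not treat a non-empty
        //   return as proof the file exists.
        public static string saveStrutsMappings(IStrutsMappings strutsMappings, string targetFileOrFolder)
        {
            if (strutsMappings == null)
            {
                return("");
            }
            // Path.GetDirectoryName("") throws ArgumentException on .NET Framework, so reject empty
            // paths here with the same logged error the missing-folder case produces, instead of
            // letting the exception escape from the folder check below (null already fell through
            // to that check safely; "" did not).
            if (string.IsNullOrEmpty(targetFileOrFolder))
            {
                PublicDI.log.error("Invalid filename supplied since that directly doesnt exist: {0}", targetFileOrFolder);
                return("");
            }
            if (Directory.Exists(targetFileOrFolder))
            {
                targetFileOrFolder = Path.Combine(targetFileOrFolder, Files.getTempFileName() + strutsMappingExtension);
            }
            else if (false == Directory.Exists(Path.GetDirectoryName(targetFileOrFolder)))
            {
                PublicDI.log.error("Invalid filename supplied since that directly doesnt exist: {0}", targetFileOrFolder);
                return("");
            }
            // NOTE(review): this writes a binary-serialized object graph that
            // Serialize.getDeSerializedObjectFromBinaryFile reads back elsewhere in this file. If
            // Serialize is built on BinaryFormatter, files produced here must only ever be reloaded
            // from locations this tool controls -- never from untrusted input.
            if (Serialize.createSerializedBinaryFileFromObject(strutsMappings, targetFileOrFolder))
            {
                PublicDI.log.info("Serialized Struts Mapping object saved to: {0}", targetFileOrFolder);
            }
            else
            {
                PublicDI.log.error("There was a problem serializing Struts Mapping object saved to: {0}", targetFileOrFolder);
            }
            return(targetFileOrFolder);
        }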
        // Builds the Struts-mapping findings and loads them into the given viewer, first making the
        // trace tree visible and resetting the secondary filter to "(no filter)".
        // Neither argument is null-checked: a null viewer throws on its first method call.
        public static void createFindingsFromStrutsMappings(IStrutsMappings strutsMappings, ascx_FindingsViewer findingsViewer_ToLoadResults)
        {
            var findingsToShow = StrutsMappingHelpers.createFindingsFromStrutsMappings(strutsMappings);
            var viewer = findingsViewer_ToLoadResults;

            viewer.setTraceTreeViewVisibleStatus(true);
            viewer.setFilter2Value("(no filter)");
            viewer.loadO2Findings(findingsToShow, true);
        }
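        // Joins the base findings in o2Findings to the Struts-derived findings. Each base finding is
        // bucketed by the class of its first trace (JSP servlet class names are rewritten back into a
        // .jsp path); the Struts findings are bucketed by their O2JoinSink text; the two maps are then
        // handed to one of the joinTraces* helpers.
        //
        // strutsMappingsObject: mappings from which the Struts join-sink findings are synthesised.
        // o2Findings: base findings; those with no traces, or a null/empty root class, are skipped.
        // createConsolidatedView: true -> StrutsMappingHelpers.joinTracesUsingConsolidatedView,
        //   false -> this instance's joinTracesUsingExpandedView.
        // Returns whatever the chosen join helper returns.
        private List <IO2Finding> mapStrutsFindings(IStrutsMappings strutsMappingsObject, List <IO2Finding> o2Findings, bool createConsolidatedView)
        {
            // calculate findings from strutsMappings
            var strutsFindings = StrutsMappingHelpers.createFindingsFromStrutsMappings(strutsMappingsObject);

            // O2JoinSink text -> Struts findings carrying that sink (i.e. O2LostSink)
            var joinSinksDictionary = OzasmtSearch.getDictionaryWithJoinSinks(strutsFindings);

            // root function (class of the first trace) -> base findings that start there
            var rootFunctions = new Dictionary <string, List <IO2Finding> >();

            foreach (var o2Finding in o2Findings)
            {
                if (o2Finding.o2Traces.Count == 0)
                {
                    continue;
                }

                var rootFunction = o2Finding.o2Traces[0].clazz;

                // Fix: a null clazz used to throw NullReferenceException from StartsWith; it is now
                // skipped exactly like the empty-string case the original already filtered out.
                if (string.IsNullOrEmpty(rootFunction))
                {
                    continue;
                }

                // Ordinal: this is a class-name prefix test, not linguistic text, so it must not
                // depend on the current culture.
                if (rootFunction.StartsWith("jsp_servlet", StringComparison.Ordinal))
                {
                    rootFunction = rootFunction.Replace("jsp_servlet", "").
                                   Replace("_45_", "-").
                                   Replace(".__", "/").
                                   Replace("._", "/") + ".jsp";
                }

                // single lookup instead of ContainsKey + indexer
                List <IO2Finding> bucket;
                if (false == rootFunctions.TryGetValue(rootFunction, out bucket))
                {
                    bucket = new List <IO2Finding>();
                    rootFunctions.Add(rootFunction, bucket);
                }
                bucket.Add(o2Finding);
            }

            // now map the JoinSinks with the Root Functions
            if (createConsolidatedView)
            {
                return(StrutsMappingHelpers.joinTracesUsingConsolidatedView(joinSinksDictionary, rootFunctions));
            }

            return(joinTracesUsingExpandedView(o2Findings, joinSinksDictionary, rootFunctions));
        }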
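        // Runs the Struts join pipeline end to end: loads the base findings from BaseO2Findings if
        // they are not cached yet, computes the taint-source and final-sink subsets from the supplied
        // regex pairs, builds the findings derived from the Struts mappings, then calls
        // calculateResults() to join everything.
        //
        // Each (…_SourceRegEx, …_SinkRegEx) pair is handed to O2FindingsHelpers.calculateFindings
        // together with the join-point mapper for that hop (hash tags on sinks for taint sources,
        // on sources for final sinks).
        // Side effects: populates findingsWith_BaseO2Findings, findingsWith_FindingsFromTaintSources,
        //   findingsWith_FindingsToFinalSinks, StrutsMappings and findingsWith_StrutsMappings.
        public void calculateFinalResults(
            string taintSources_SourceRegEx, string taintSources_SinkRegEx, string finalSinks_SourceRegEx, string finalSinks_SinkRegEx)
        {
            if (findingsWith_BaseO2Findings == null)
            {
                findingsWith_BaseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(BaseO2Findings);
            }

            // calculate TaintSources
            findingsWith_FindingsFromTaintSources = O2FindingsHelpers.calculateFindings(
                findingsWith_BaseO2Findings,
                taintSources_SourceRegEx,
                taintSources_SinkRegEx,
                XUtils_Findings_v0_1.mapJoinPoints_HashTagsOn_Sinks);

            // calculate FinalSinks
            // Fix: this hop previously read the FinalSinks_SourceRegEx *property* instead of the
            // finalSinks_SourceRegEx *parameter*, so the caller's source regex was silently ignored
            // while the other three regexes were taken from the parameters.
            findingsWith_FindingsToFinalSinks = O2FindingsHelpers.calculateFindings(
                findingsWith_BaseO2Findings,
                finalSinks_SourceRegEx,
                finalSinks_SinkRegEx,
                XUtils_Findings_v0_1.mapJoinPoints_HashTagsOn_Sources);

            // calculate strutsMapping object and findings
            if (StrutsMappings == null)
            {
                // NOTE(review): this deserializes an object graph from a binary file on disk. If
                // Serialize is built on BinaryFormatter, StrutsMappingsFile must point only at files
                // this tool wrote itself (see saveStrutsMappings) -- loading an attacker-supplied
                // file through such a deserializer is a code-execution risk.
                StrutsMappings = (IStrutsMappings)Serialize.getDeSerializedObjectFromBinaryFile(StrutsMappingsFile, typeof(KStrutsMappings));
            }
            findingsWith_StrutsMappings = StrutsMappingHelpers.createFindingsFromStrutsMappings(StrutsMappings);

            calculateResults();
        }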
        // Shows the given mappings in this control: remembers them on the instance and on the tree
        // view's Tag, then refreshes the tree on the UI thread. A null argument is logged and ignored.
        public void showStrutsMappings(IStrutsMappings strutsMappings)
        {
            if (strutsMappings != null)
            {
                StrutsMappings = strutsMappings;
                tvStrutsMappings.Tag = strutsMappings;
                tvStrutsMappings.invokeOnThread(() => refreshTreeView());
                return;
            }
            PublicDI.log.error("in showStrutsMappings, strutsMappings == null");
        }
        // Shows the given mappings in this control: stores them on the tree view's Tag and refreshes
        // the tree on the UI thread. A null argument is logged and ignored.
        public void showStrutsMappings(IStrutsMappings strutsMappings)
        {
            if (strutsMappings != null)
            {
                tvStrutsMappings.Tag = strutsMappings;
                tvStrutsMappings.invokeOnThread(() => refreshTreeView());
                return;
            }
            DI.log.error("in showStrutsMappings, strutsMappings == null");
        }
        // Executes a Struts join rule over baseO2Findings with the two source/sink regex pairs and
        // returns the resulting findings. Depending on the enclosing class's showResultsIn* flags the
        // results are first pushed to the O2 Rules Struts GUI and/or a new findings viewer;
        // joinPointFilter also comes from the enclosing class.
        public static List<IO2Finding> executeStrutsRule(List<IO2Finding> baseO2Findings, IStrutsMappings strutsMappings,string taintSources_SourceRegEx, string taintSources_SinkRegEx, string finalSinks_SourceRegEx, string finalSinks_SinkRegEx)
        {
            var rule = XUtils_Struts_Joins_V0_1_Helpers.executeRule_AndReturn_XRuleStrutsObject(
                baseO2Findings, strutsMappings, taintSources_SourceRegEx, taintSources_SinkRegEx,
                finalSinks_SourceRegEx, finalSinks_SinkRegEx, joinPointFilter);

            if (showResultsInO2RulesStrutsGUI)
            {
                rule.showFinalResultsIn_O2RulesStrutsGUI();
            }
            if (showResultsInNewFindingsViewer)
            {
                rule.showFinalResultsIn_fidingsViewer();
            }
            return rule.getResults();
        }
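        // Joins the base findings in o2Findings to the Struts-derived findings. Each base finding is
        // bucketed by the class of its first trace (JSP servlet class names are rewritten back into a
        // .jsp path); the Struts findings are bucketed by their O2JoinSink text; the two maps are then
        // handed to one of the joinTraces* helpers.
        //
        // strutsMappingsObject: mappings from which the Struts join-sink findings are synthesised.
        // o2Findings: base findings; those with no traces, or a null/empty root class, are skipped.
        // createConsolidatedView: true -> StrutsMappingHelpers.joinTracesUsingConsolidatedView,
        //   false -> this instance's joinTracesUsingExpandedView.
        // Returns whatever the chosen join helper returns.
        private List<IO2Finding> mapStrutsFindings(IStrutsMappings strutsMappingsObject, List<IO2Finding> o2Findings, bool createConsolidatedView)
        {
            // calculate findings from strutsMappings
            var strutsFindings = StrutsMappingHelpers.createFindingsFromStrutsMappings(strutsMappingsObject);

            // O2JoinSink text -> Struts findings carrying that sink (i.e. O2LostSink)
            var joinSinksDictionary = OzasmtSearch.getDictionaryWithJoinSinks(strutsFindings);

            // root function (class of the first trace) -> base findings that start there
            var rootFunctions = new Dictionary<string, List<IO2Finding>>();

            foreach (var o2Finding in o2Findings)
            {
                if (o2Finding.o2Traces.Count == 0)
                    continue;

                var rootFunction = o2Finding.o2Traces[0].clazz;

                // Fix: a null clazz used to throw NullReferenceException from StartsWith; it is now
                // skipped exactly like the empty-string case the original already filtered out.
                if (string.IsNullOrEmpty(rootFunction))
                    continue;

                // Ordinal: this is a class-name prefix test, not linguistic text, so it must not
                // depend on the current culture.
                if (rootFunction.StartsWith("jsp_servlet", StringComparison.Ordinal))
                    rootFunction = rootFunction.Replace("jsp_servlet", "").
                                       Replace("_45_", "-").
                                       Replace(".__", "/").
                                       Replace("._", "/") + ".jsp";

                // single lookup instead of ContainsKey + indexer
                List<IO2Finding> bucket;
                if (false == rootFunctions.TryGetValue(rootFunction, out bucket))
                {
                    bucket = new List<IO2Finding>();
                    rootFunctions.Add(rootFunction, bucket);
                }
                bucket.Add(o2Finding);
            }

            // now map the JoinSinks with the Root Functions
            if (createConsolidatedView)
                return StrutsMappingHelpers.joinTracesUsingConsolidatedView(joinSinksDictionary, rootFunctions);

            return joinTracesUsingExpandedView(o2Findings, joinSinksDictionary, rootFunctions);
        }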
        // Rule "StrutsRule.from.GetParameter.to.Print.via.SetGetAttributeJoins": the first hop runs
        // from getParameter(String) to setAttribute(String, ...), the second from getAttribute(String)
        // to any "print" sink; executeStrutsRule joins the two hops through the Struts mappings.
        // NOTE(review): the dots in "java.lang.String" are unescaped regex metacharacters, so they
        // match any character -- harmless for these signatures, but the patterns are looser than they
        // read. Both arguments are dereferenced for the log line, so neither may be null.
        public static List<IO2Finding> strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(List<IO2Finding> baseO2Findings, IStrutsMappings strutsMappings)
        {
            const string fromGetParameter = @"getParameter\(java.lang.String\)";
            const string toSetAttribute   = @"setAttribute\(java.lang.String";
            const string fromGetAttribute = @"getAttribute\(java.lang.String\)";
            const string toPrint          = @"print";

            PublicDI.log.info("executing rule: StrutsRule.from.GetParameter.to.Print.via.SetGetAttributeJoins with {0} fingings and {1} action servlets", 
                              baseO2Findings.Count, strutsMappings.actionServlets.Count);

            return executeStrutsRule(baseO2Findings, strutsMappings, fromGetParameter, toSetAttribute, fromGetAttribute, toPrint);
        }
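        // Turns every Struts controller in the mappings into one O2Finding whose trace tree records
        // the controller type, its form bean (name, validation flag, field names) and each mapped URL
        // path together with the views it resolves to. The root trace is tagged O2JoinSource and the
        // controller-type and view traces O2JoinSink; those tags are what the join helpers key on.
        //
        // Returns an empty list (never null). A null mappings object, or one whose actionServlets is
        // null, yields an empty list -- consistent with saveStrutsMappings treating null as a no-op
        // rather than letting a NullReferenceException escape.
        public static List <IO2Finding> createFindingsFromStrutsMappings(IStrutsMappings iStrutsMappings)
        {
            var newO2Findings = new List <IO2Finding>();

            if (iStrutsMappings == null || iStrutsMappings.actionServlets == null)
            {
                return(newO2Findings);
            }

            foreach (var actionServlet in iStrutsMappings.actionServlets)
            {
                foreach (var controler in actionServlet.controllers.Values)
                {
                    var o2Finding = new O2Finding
                    {
                        vulnType = "Struts.Finding : " + controler.type,
                        vulnName = controler.type ?? ""
                    };

                    // root: "Struts Mapping" (join source) -> "Controller Type: ..." (join sink)
                    var o2RootTrace = (O2Trace)o2Finding.addTrace("Struts Mapping", TraceType.O2JoinSource);
                    o2RootTrace.addTrace("Controller Type: " + controler.type, TraceType.O2JoinSink);

                    // add formbean
                    if (controler.formBean != null)
                    {
                        var beanTrace = (O2Trace)o2RootTrace.addTrace("Form Bean : " + controler.formBean.name, TraceType.O2Info);
                        beanTrace.addTrace("has validation mapping" + controler.formBean.hasValidationMapping);
                        foreach (var field in controler.formBean.fields)
                        {
                            beanTrace.addTrace(field.Value.name);
                        }
                    }

                    // one child per mapped url, each listing its resolved views as join sinks
                    var pathsTrace = (O2Trace)o2RootTrace.addTrace("paths:", TraceType.O2Info);

                    foreach (var path in controler.paths)
                    {
                        var pathTrace = (O2Trace)pathsTrace.addTrace("url: " + path.path);
                        pathTrace.addTrace("controller: " + controler.type + " <- ");
                        pathTrace.addTraces("view: ", TraceType.O2JoinSink, path.resolvedViews.ToArray());
                    }

                    newO2Findings.Add(o2Finding);
                }
            }
            return(newO2Findings);
        }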
        // Builds an XUtils_Struts_Joins_V0_1 rule object from the given findings, mappings, regex
        // pairs and join-point filter, runs calculateFindings() on it and returns the object so the
        // caller can read results or drive the GUI from it.
        public static XUtils_Struts_Joins_V0_1 executeRule_AndReturn_XRuleStrutsObject(
            List <IO2Finding> baseO2Findings, IStrutsMappings strutsMappings, string taintSources_SourceRegEx, string taintSources_SinkRegEx,
            string finalSinks_SourceRegEx, string finalSinks_SinkRegEx, Func <string, string> joinPointFilter)
        {
            var rule = new XUtils_Struts_Joins_V0_1();
            rule.findingsWith_BaseO2Findings = baseO2Findings;
            rule.StrutsMappings              = strutsMappings;
            rule.TaintSources_SourceRegEx    = taintSources_SourceRegEx;
            rule.TaintSources_SinkRegEx      = taintSources_SinkRegEx;
            rule.FinalSinks_SourceRegEx      = finalSinks_SourceRegEx;
            rule.FinalSinks_SinkRegEx        = finalSinks_SinkRegEx;
            rule.JoinPointFilter             = joinPointFilter;

            rule.calculateFindings();
            return(rule);
        }
        // Builds an XUtils_Struts_Joins_V0_1 rule object from the given findings, mappings, regex
        // pairs and join-point filter, runs calculateFindings() on it and returns the object so the
        // caller can read results or drive the GUI from it.
        public static XUtils_Struts_Joins_V0_1 executeRule_AndReturn_XRuleStrutsObject(
            List<IO2Finding> baseO2Findings, IStrutsMappings strutsMappings, string taintSources_SourceRegEx, string taintSources_SinkRegEx,
            string finalSinks_SourceRegEx, string finalSinks_SinkRegEx, Func<string, string> joinPointFilter)
        {
            var rule = new XUtils_Struts_Joins_V0_1();
            rule.findingsWith_BaseO2Findings = baseO2Findings;
            rule.StrutsMappings = strutsMappings;
            rule.TaintSources_SourceRegEx = taintSources_SourceRegEx;
            rule.TaintSources_SinkRegEx = taintSources_SinkRegEx;
            rule.FinalSinks_SourceRegEx = finalSinks_SourceRegEx;
            rule.FinalSinks_SinkRegEx = finalSinks_SinkRegEx;
            rule.JoinPointFilter = joinPointFilter;

            rule.calculateFindings();
            return rule;
        }
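        // Turns every Struts controller in the mappings into one O2Finding whose trace tree records
        // the controller type, its form bean (name, validation flag, field names) and each mapped URL
        // path together with the views it resolves to. The root trace is tagged O2JoinSource and the
        // controller-type and view traces O2JoinSink; those tags are what the join helpers key on.
        //
        // Returns an empty list (never null). A null mappings object, or one whose actionServlets is
        // null, yields an empty list -- consistent with saveStrutsMappings treating null as a no-op
        // rather than letting a NullReferenceException escape.
        public static List<IO2Finding> createFindingsFromStrutsMappings(IStrutsMappings iStrutsMappings)
        {
            var newO2Findings = new List<IO2Finding>();

            if (iStrutsMappings == null || iStrutsMappings.actionServlets == null)
                return newO2Findings;

            foreach (var actionServlet in iStrutsMappings.actionServlets)
                foreach (var controler in actionServlet.controllers.Values)
                {
                    var o2Finding = new O2Finding
                    {
                        vulnType = "Struts.Finding : " + controler.type,
                        vulnName = controler.type ?? ""
                    };

                    // root: "Struts Mapping" (join source) -> "Controller Type: ..." (join sink)
                    var o2RootTrace = (O2Trace)o2Finding.addTrace("Struts Mapping", TraceType.O2JoinSource);
                    o2RootTrace.addTrace("Controller Type: " + controler.type, TraceType.O2JoinSink);

                    // add formbean
                    if (controler.formBean != null)
                    {
                        var beanTrace = (O2Trace)o2RootTrace.addTrace("Form Bean : " + controler.formBean.name, TraceType.O2Info);
                        beanTrace.addTrace("has validation mapping" + controler.formBean.hasValidationMapping);
                        foreach (var field in controler.formBean.fields)
                            beanTrace.addTrace(field.Value.name);
                    }

                    // one child per mapped url, each listing its resolved views as join sinks
                    var pathsTrace = (O2Trace)o2RootTrace.addTrace("paths:", TraceType.O2Info);

                    foreach (var path in controler.paths)
                    {
                        var pathTrace = (O2Trace)pathsTrace.addTrace("url: " + path.path);
                        pathTrace.addTrace("controller: " + controler.type + " <- ");
                        pathTrace.addTraces("view: ", TraceType.O2JoinSink, path.resolvedViews.ToArray());
                    }

                    newO2Findings.Add(o2Finding);
                }
            return newO2Findings;
        }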
 // Builds the Struts-mapping findings and loads them into the given viewer, first making the
 // trace tree visible and resetting the secondary filter to "(no filter)".
 // Neither argument is null-checked: a null viewer throws on its first method call.
 public static void createFindingsFromStrutsMappings(IStrutsMappings strutsMappings, ascx_FindingsViewer findingsViewer_ToLoadResults)
 {
     var findingsToShow = StrutsMappingHelpers.createFindingsFromStrutsMappings(strutsMappings);
     var viewer = findingsViewer_ToLoadResults;
     viewer.setTraceTreeViewVisibleStatus(true);
     viewer.setFilter2Value("(no filter)");
     viewer.loadO2Findings(findingsToShow, true);
 }
 // Loads the mappings into this control by rebuilding the tree view from them.
 public void loadStrutsMappings(IStrutsMappings strutsMappings)
 {
     var mappingsToShow = strutsMappings;
     refreshTreeView(mappingsToShow);
 }
 // Opens a floating ascx_StrutsMappings control titled "Struts Mapping File" and loads the
 // given mappings into it.
 public static void showStrutsMappings(IStrutsMappings strutsMappings)
 {
     var opened = O2AscxGUI.openAscx(typeof(ascx_StrutsMappings), O2DockState.Float, "Struts Mapping File");
     ((ascx_StrutsMappings)opened).loadStrutsMappings(strutsMappings);
 }
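        // Runs the Struts join pipeline end to end: loads the base findings from BaseO2Findings if
        // they are not cached yet, computes the taint-source and final-sink subsets from the supplied
        // regex pairs, builds the findings derived from the Struts mappings, then calls
        // calculateResults() to join everything.
        //
        // Each (…_SourceRegEx, …_SinkRegEx) pair is handed to O2FindingsHelpers.calculateFindings
        // together with the join-point mapper for that hop (hash tags on sinks for taint sources,
        // on sources for final sinks).
        // Side effects: populates findingsWith_BaseO2Findings, findingsWith_FindingsFromTaintSources,
        //   findingsWith_FindingsToFinalSinks, StrutsMappings and findingsWith_StrutsMappings.
        public void calculateFinalResults(
            string taintSources_SourceRegEx, string taintSources_SinkRegEx, string finalSinks_SourceRegEx, string finalSinks_SinkRegEx)
        {
            if (findingsWith_BaseO2Findings==null)
                findingsWith_BaseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(BaseO2Findings);

            // calculate TaintSources           
            findingsWith_FindingsFromTaintSources = O2FindingsHelpers.calculateFindings(
                                                            findingsWith_BaseO2Findings,
                                                            taintSources_SourceRegEx,
                                                            taintSources_SinkRegEx,
                                                            XUtils_Findings_v0_1.mapJoinPoints_HashTagsOn_Sinks);

            // calculate FinalSinks
            // Fix: this hop previously read the FinalSinks_SourceRegEx *property* instead of the
            // finalSinks_SourceRegEx *parameter*, so the caller's source regex was silently ignored
            // while the other three regexes were taken from the parameters.
            findingsWith_FindingsToFinalSinks = O2FindingsHelpers.calculateFindings(
                                                            findingsWith_BaseO2Findings,
                                                            finalSinks_SourceRegEx,
                                                            finalSinks_SinkRegEx,
                                                            XUtils_Findings_v0_1.mapJoinPoints_HashTagsOn_Sources);

            // calculate strutsMapping object and findings
            if (StrutsMappings == null)
            {
                // NOTE(review): this deserializes an object graph from a binary file on disk. If
                // Serialize is built on BinaryFormatter, StrutsMappingsFile must point only at files
                // this tool wrote itself (see saveStrutsMappings) -- loading an attacker-supplied
                // file through such a deserializer is a code-execution risk.
                StrutsMappings = (IStrutsMappings)Serialize.getDeSerializedObjectFromBinaryFile(StrutsMappingsFile, typeof(KStrutsMappings));
            }
            findingsWith_StrutsMappings = StrutsMappingHelpers.createFindingsFromStrutsMappings(StrutsMappings);

            calculateResults();
        }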
        // Rule "StrutsRule.from.GetParameter.to.Print.via.SetGetAttributeJoins": the first hop runs
        // from getParameter(String) to setAttribute(String, ...), the second from getAttribute(String)
        // to any "print" sink; executeStrutsRule joins the two hops through the Struts mappings.
        // NOTE(review): the dots in "java.lang.String" are unescaped regex metacharacters, so they
        // match any character -- harmless for these signatures, but the patterns are looser than they
        // read. Both arguments are dereferenced for the log line, so neither may be null.
        public static List <IO2Finding> strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(List <IO2Finding> baseO2Findings, IStrutsMappings strutsMappings)
        {
            const string fromGetParameter = @"getParameter\(java.lang.String\)";
            const string toSetAttribute   = @"setAttribute\(java.lang.String";
            const string fromGetAttribute = @"getAttribute\(java.lang.String\)";
            const string toPrint          = @"print";

            PublicDI.log.info("executing rule: StrutsRule.from.GetParameter.to.Print.via.SetGetAttributeJoins with {0} fingings and {1} action servlets",
                              baseO2Findings.Count, strutsMappings.actionServlets.Count);

            return(executeStrutsRule(baseO2Findings, strutsMappings, fromGetParameter, toSetAttribute, fromGetAttribute, toPrint));
        }
        // Opens a floating ascx_StrutsMappings control titled "Struts Mapping File" and loads the
        // given mappings into it.
        public static void showStrutsMappings(IStrutsMappings strutsMappings)
        {
            var opened = O2AscxGUI.openAscx(typeof(ascx_StrutsMappings), O2DockState.Float, "Struts Mapping File");
            ((ascx_StrutsMappings)opened).loadStrutsMappings(strutsMappings);
        }
 // Attaches the mappings to the tree view's Tag and then rebuilds the tree from it.
 private void refreshTreeView(IStrutsMappings _strutsMappings)
 {
     var mappings = _strutsMappings;
     tvStrutsMappings.Tag = mappings;
     refreshTreeView();
 }
        //public static void addMappedView()

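        // Serializes the supplied Struts mappings to a binary file and returns the path written.
        //
        // targetFileOrFolder: either an existing folder (a temp file name + strutsMappingExtension is
        //   generated inside it) or a file path whose parent folder must already exist.
        // Returns "" when strutsMappings is null, when the path is null/empty, or when the parent
        //   folder does not exist. Otherwise returns the path handed to the serializer -- even when the
        //   serializer reports failure, which is only logged, so callers should not treat a non-empty
        //   return as proof the file exists.
        public static string saveStrutsMappings(IStrutsMappings strutsMappings, string targetFileOrFolder)
        {
            if (strutsMappings == null)
                return "";
            // Path.GetDirectoryName("") throws ArgumentException on .NET Framework, so reject empty
            // paths here with the same logged error the missing-folder case produces, instead of
            // letting the exception escape from the folder check below (null already fell through
            // to that check safely; "" did not).
            if (string.IsNullOrEmpty(targetFileOrFolder))
            {
                DI.log.error("Invalid filename supplied since that directly doesnt exist: {0}", targetFileOrFolder);
                return "";
            }
            if (Directory.Exists(targetFileOrFolder))
                targetFileOrFolder = Path.Combine(targetFileOrFolder, Files.getTempFileName() + strutsMappingExtension);
            else if (false == Directory.Exists(Path.GetDirectoryName(targetFileOrFolder)))
            {
                DI.log.error("Invalid filename supplied since that directly doesnt exist: {0}", targetFileOrFolder);
                return "";
            }
            // NOTE(review): this writes a binary-serialized object graph that
            // Serialize.getDeSerializedObjectFromBinaryFile reads back elsewhere in this file. If
            // Serialize is built on BinaryFormatter, files produced here must only ever be reloaded
            // from locations this tool controls -- never from untrusted input.
            if (Serialize.createSerializedBinaryFileFromObject(strutsMappings, targetFileOrFolder))
                DI.log.info("Serialized Struts Mapping object saved to: {0}", targetFileOrFolder);
            else
                DI.log.error("There was a problem serializing Struts Mapping object saved to: {0}", targetFileOrFolder);
            return targetFileOrFolder;
        }        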
 // Loads the mappings into this control by rebuilding the tree view from them.
 public void loadStrutsMappings(IStrutsMappings strutsMappings)
 {
     var mappingsToShow = strutsMappings;
     refreshTreeView(mappingsToShow);
 }
        // Executes a Struts join rule over baseO2Findings with the two source/sink regex pairs and
        // returns the resulting findings. Depending on the enclosing class's showResultsIn* flags the
        // results are first pushed to the O2 Rules Struts GUI and/or a new findings viewer;
        // joinPointFilter also comes from the enclosing class.
        public static List <IO2Finding> executeStrutsRule(List <IO2Finding> baseO2Findings, IStrutsMappings strutsMappings, string taintSources_SourceRegEx, string taintSources_SinkRegEx, string finalSinks_SourceRegEx, string finalSinks_SinkRegEx)
        {
            var rule = XUtils_Struts_Joins_V0_1_Helpers.executeRule_AndReturn_XRuleStrutsObject(
                baseO2Findings, strutsMappings, taintSources_SourceRegEx, taintSources_SinkRegEx,
                finalSinks_SourceRegEx, finalSinks_SinkRegEx, joinPointFilter);

            if (showResultsInO2RulesStrutsGUI)
                rule.showFinalResultsIn_O2RulesStrutsGUI();

            if (showResultsInNewFindingsViewer)
                rule.showFinalResultsIn_fidingsViewer();

            return(rule.getResults());
        }
 // Attaches the mappings to the tree view's Tag and then rebuilds the tree from it.
 private void refreshTreeView(IStrutsMappings _strutsMappings)
 {
     var mappings = _strutsMappings;
     tvStrutsMappings.Tag = mappings;
     refreshTreeView();
 }