/// <summary>
/// Make sure that hardcoded callback functions are analyzed.
/// </summary>
private ExpressionInfo HandleHookCall(XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage, AnalysisStacks analysisStacks)
{
var functionCall = new FunctionCallExtractor().ExtractFunctionCall(node);
var result = new ExpressionInfo();
foreach (var argument in functionCall.Arguments.Where(a => a.Value.LocalName == AstConstants.Nodes.Scalar_String))
{
var stringValue = ScalarNode.GetStringValue(argument.Value);
var functionAnalyzer = FunctionMethodAnalyzerFactory(currentStorage);
var functions = functionAnalyzer.FunctionsHandler.LookupFunction(stringValue);
if (functions.Any())
{
//Console.WriteLine("FOUND " + functions.Count() + " functions with name: " + stringValue);
var call = new FunctionCall(stringValue, null, AstNode.GetStartLine(node), AstNode.GetEndLine(node));
if (analysisStacks.CallStack.Any(c => c.Name == call.Name))
{
// Avoid recursive registrations.
continue;
}
analysisStacks.CallStack.Push(call);
var funcCallResult = functionAnalyzer.AnalyzeFunctionCall(call, new ExpressionInfo[0]);
analysisStacks.CallStack.Pop();
result = result.Merge(funcCallResult);
}
// https://codex.wordpress.org/Function_Reference/add_submenu_page
// If a method is called, it is called with: array( $this, 'function_name' ) or array( __CLASS__, 'function_name' )
}
return(result);
}
public VariableResolver(IVariableStorage varStorage, AnalysisScope scope = AnalysisScope.File)
{
Preconditions.NotNull(varStorage, "varStorage");
this._variableStorage = varStorage;
this._scope = scope;
variableScope = scope == AnalysisScope.File ? VariableScope.File : VariableScope.Function;
}
public GuildPrefixManager(IVariableStorage variables, IConfiguration configuration)
{
this.variables = variables;
this.cachedPrefixes = new Dictionary <ulong, string>();
this.defaultPrefix = configuration.GetSection("Discord")["DefaultPrefix"];
}
public VariableResolver(IVariableStorage varStorage, AnalysisScope scope = AnalysisScope.File)
{
Preconditions.NotNull(varStorage, "varStorage");
this._variableStorage = varStorage;
this._scope = scope;
variableScope = scope == AnalysisScope.File ? VariableScope.File : VariableScope.Function;
}
public CFGTaintInfo(IVariableStorage varTaintIn,
IImmutableDictionary <EdgeType, IVariableStorage> varTaintOut)
{
In = ImmutableVariableStorage.CreateFromMutable(varTaintIn);
foreach (var variableStorage in varTaintOut)
{
Out = Out.Add(variableStorage.Key, ImmutableVariableStorage.CreateFromMutable(variableStorage.Value));
}
}
public MethodCall ExtractMethodCall(XmlNode node, IVariableStorage varStorage, AnalysisScope scope = AnalysisScope.File)
{
int startLine = AstNode.GetStartLine(node);
int endLine = AstNode.GetEndLine(node);
string methodName = "";
//Get the varNode which includes either (new ClassName())->MethodName or $var->MethodName
var varNode = node.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Var);
var classNames = new List<string>();
if (varNode.FirstChild.LocalName == AstConstants.Nodes.Expr_New)
{
//PHP: (new ClassName(args))->MethodName(args);
//Extract the ClassName directly, in this case there can be only one ClassName!
var className = varNode.FirstChild
.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Class)
.GetSubNode(AstConstants.Node + ":" + AstConstants.Nodes.Name)
.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Parts).FirstChild.FirstChild.InnerText;
classNames.Add(className);
methodName = node.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Name).InnerText;
return new MethodCall(methodName, classNames, node, startLine, endLine) { Arguments = ExtractArgumentNodes(node) };
}
else
{
//PHP: $var->MethodName(args);
//Resolve the variable, and get all the possible class names!
VariableResolver vr = new VariableResolver(varStorage, scope);
VariableResolveResult variableResult = null;
if (vr.IsResolvableNode(varNode.FirstChild))
{
variableResult = vr.ResolveVariable(varNode.FirstChild);
classNames.AddRange(variableResult.Variable.Info.ClassNames.Where(className => !classNames.Contains(className)));
}
var nameSubnode = node.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Name);
XmlNode nameNode = null;
bool success = nameSubnode.TryGetSubNode(AstConstants.Node + ":" + AstConstants.Nodes.Name, out nameNode);
if (success)
{
methodName = nameNode.InnerText;
}
else
{
if (nameSubnode.FirstChild.LocalName == AstConstants.Scalars.String)
{
methodName = nameSubnode.FirstChild.InnerText;
}
}
return variableResult == null ?
new MethodCall(methodName, classNames, node, startLine, endLine) { Arguments = ExtractArgumentNodes(node) } :
new MethodCall(methodName, classNames, node, startLine, endLine, variableResult.Variable) { Arguments = ExtractArgumentNodes(node) };
}
}
public ImmutableVariableStorage Analyze(XmlNode node, ImmutableVariableStorage knownTaint)
{
Preconditions.NotNull(knownTaint, "knownTaint");
_variableStorage = knownTaint.ToMutable();
_varResolver = new VariableResolver(_variableStorage, _analysisScope);
Analyze(node);
return ImmutableVariableStorage.CreateFromMutable(_variableStorage);
}
public static ImmutableVariableStorage CreateFromMutable(IVariableStorage variableStorage)
{
var result = new ImmutableVariableStorage();
result.SuperGlobals = result.SuperGlobals.AddRange(variableStorage.SuperGlobals);
result.Globals = result.Globals.AddRange(variableStorage.GlobalVariables);
result.Locals = result.Locals.AddRange(variableStorage.LocalVariables);
result.ClassVariables = result.ClassVariables.AddRange(variableStorage.ClassVariables);
result.LocalAccessibleGlobals = result.LocalAccessibleGlobals.AddRange(variableStorage.LocalAccessibleGlobals);
return(result);
}
/// <summary>
///
/// </summary>
/// <param name="vs"></param>
/// <param name="mockBuffer"></param>
public Reader(IVariableStorage vs, string[] mockBuffer = null)
{
if (vs == null)
{
throw new ArgumentException("VariableStorage object must be passed in creator");
}
_vs = vs;
if (mockBuffer != null)
{
_buffer = mockBuffer;
}
}
public string Render(IVariableStorage variableStorage)
{
if (_tokenList.Count == 1)
{
var token = _tokenList[0];
return token.IsVariable ? variableStorage[token.Text] : token.Text;
}
var builder = new StringBuilder();
foreach (var token in _tokenList)
builder.Append(token.IsVariable ? variableStorage[token.Text] : token.Text);
return builder.ToString();
}
public ExpressionInfo AnalyzeFunctionCall(XmlNode node, ExpressionInfo exprInfo, IVariableStorage varStorage,
IVulnerabilityStorage vulnStorage, IDictionary<uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
{
var funcCall = new FunctionCallExtractor().ExtractFunctionCall(node);
if (_getOptionsFunctions.Contains(funcCall.Name) ||
_addOptionFunctions.Contains(funcCall.Name) ||
_updateOptionFunctions.Contains(funcCall.Name))
{
return HandleOptionsCall(funcCall, node, exprInfo, varStorage, vulnStorage, argumentInfos, analysisStacks);
}
else if (_hookFunctions.Contains(funcCall.Name))
{
return HandleHookCall(node, exprInfo, varStorage, analysisStacks);
}
return exprInfo;
}
public string Render(IVariableStorage variableStorage)
{
if (_tokenList.Count == 1)
{
var token = _tokenList[0];
return(token.IsVariable ? variableStorage[token.Text] : token.Text);
}
var builder = new StringBuilder();
foreach (var token in _tokenList)
{
builder.Append(token.IsVariable ? variableStorage[token.Text] : token.Text);
}
return(builder.ToString());
}
public ExpressionInfo AnalyzeFunctionCall(XmlNode node, ExpressionInfo exprInfo, IVariableStorage varStorage,
IVulnerabilityStorage vulnStorage, IDictionary <uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
{
var funcCall = new FunctionCallExtractor().ExtractFunctionCall(node);
if (_getOptionsFunctions.Contains(funcCall.Name) ||
_addOptionFunctions.Contains(funcCall.Name) ||
_updateOptionFunctions.Contains(funcCall.Name))
{
return(HandleOptionsCall(funcCall, node, exprInfo, varStorage, vulnStorage, argumentInfos, analysisStacks));
}
else if (_hookFunctions.Contains(funcCall.Name))
{
return(HandleHookCall(node, exprInfo, varStorage, analysisStacks));
}
return(exprInfo);
}
/// <summary>
///
/// </summary>
/// <returns></returns>
private bool InterpretDictionary()
{
_vs = new VariableStorage();
return(_vs.FillData(ref _dict));
}
public ExpressionInfo Analyze(XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage, IVulnerabilityStorage storage)
{
return(exprInfo);
}
private ExpressionInfo Expr_Include(XmlNode node)
{
var inclExpr = node.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Expr);
Analyze(inclExpr);
File file;
if (_inclusionResolver.TryResolveInclude(node, out file))
{
if (!_analysisStacks.IncludeStack.Contains(file))
{
Console.WriteLine(">> Resolved " + file.Name + ". Starting analysis.");
_analysisStacks.IncludeStack.Push(file);
var result = _analyzer(ImmutableVariableStorage.CreateFromMutable(_variableStorage), _inclusionResolver, _analysisScope, _analysisStacks);
this._variableStorage = result.Merge(ImmutableVariableStorage.CreateFromMutable(this._variableStorage)).ToMutable();
_analysisStacks.IncludeStack.Pop();
Console.WriteLine(">> Finished " + file.Name + ". Continuing.");
}
}
return new ExpressionInfo();
}
public ExpressionInfo Analyze(XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage, IVulnerabilityStorage storage)
{
return exprInfo;
}
private ExpressionInfo HandleOptionsCall(FunctionCall call, XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage,
IVulnerabilityStorage storage, IDictionary<uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
{
if (_getOptionsFunctions.Contains(call.Name))
{
return HandleGetOptions(call, argumentInfos, exprInfo);
}
else if (_updateOptionFunctions.Contains(call.Name) ||
_addOptionFunctions.Contains(call.Name))
{
return HandleUpdateAddOptions(call, exprInfo, storage, argumentInfos, analysisStacks);
}
return exprInfo;
}
/// <summary>
/// Make sure that hardcoded callback functions are analyzed.
/// </summary>
private ExpressionInfo HandleHookCall(XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage, AnalysisStacks analysisStacks)
{
var functionCall = new FunctionCallExtractor().ExtractFunctionCall(node);
var result = new ExpressionInfo();
foreach (var argument in functionCall.Arguments.Where(a => a.Value.LocalName == AstConstants.Nodes.Scalar_String))
{
var stringValue = ScalarNode.GetStringValue(argument.Value);
var functions = FunctionsHandler.Instance.LookupFunction(stringValue);
if (functions.Any())
{
//Console.WriteLine("FOUND " + functions.Count() + " functions with name: " + stringValue);
var functionAnalyzer = this.FunctionMethodAnalyzerFactory(currentStorage);
var call = new FunctionCall(stringValue, null, AstNode.GetStartLine(node), AstNode.GetEndLine(node));
if (analysisStacks.CallStack.Any(c => c.Name == call.Name))
{
// Avoid recursive registrations.
continue;
}
analysisStacks.CallStack.Push(call);
var funcCallResult = functionAnalyzer.AnalyzeFunctionCall(call, new ExpressionInfo[0]);
analysisStacks.CallStack.Pop();
result = result.Merge(funcCallResult);
}
// https://codex.wordpress.org/Function_Reference/add_submenu_page
// If a method is called, it is called with: array( $this, 'function_name' ) or array( __CLASS__, 'function_name' )
}
return result;
}
public MethodCall ExtractMethodCall(XmlNode node, IVariableStorage varStorage, AnalysisScope scope = AnalysisScope.File)
{
int startLine = AstNode.GetStartLine(node);
int endLine = AstNode.GetEndLine(node);
string methodName = "";
//Get the varNode which includes either (new ClassName())->MethodName or $var->MethodName
var varNode = node.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Var);
var classNames = new List <string>();
if (varNode.FirstChild.LocalName == AstConstants.Nodes.Expr_New)
{
//PHP: (new ClassName(args))->MethodName(args);
//Extract the ClassName directly, in this case there can be only one ClassName!
var className = varNode.FirstChild
.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Class)
.GetSubNode(AstConstants.Node + ":" + AstConstants.Nodes.Name)
.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Parts).FirstChild.FirstChild.InnerText;
classNames.Add(className);
methodName = node.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Name).InnerText;
return(new MethodCall(methodName, classNames, node, startLine, endLine)
{
Arguments = ExtractArgumentNodes(node)
});
}
else
{
//PHP: $var->MethodName(args);
//Resolve the variable, and get all the possible class names!
VariableResolver vr = new VariableResolver(varStorage, scope);
VariableResolveResult variableResult = null;
if (vr.IsResolvableNode(varNode.FirstChild))
{
variableResult = vr.ResolveVariable(varNode.FirstChild);
classNames.AddRange(variableResult.Variable.Info.ClassNames.Where(className => !classNames.Contains(className)));
}
var nameSubnode = node.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Name);
XmlNode nameNode = null;
bool success = nameSubnode.TryGetSubNode(AstConstants.Node + ":" + AstConstants.Nodes.Name, out nameNode);
if (success)
{
methodName = nameNode.InnerText;
}
else
{
if (nameSubnode.FirstChild.LocalName == AstConstants.Scalars.String)
{
methodName = nameSubnode.FirstChild.InnerText;
}
}
return(variableResult == null ?
new MethodCall(methodName, classNames, node, startLine, endLine)
{
Arguments = ExtractArgumentNodes(node)
} :
new MethodCall(methodName, classNames, node, startLine, endLine, variableResult.Variable)
{
Arguments = ExtractArgumentNodes(node)
});
}
}
private ExpressionInfo HandleOptionsCall(FunctionCall call, XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage,
IVulnerabilityStorage storage, IDictionary <uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
{
if (_getOptionsFunctions.Contains(call.Name))
{
return(HandleGetOptions(call, argumentInfos, exprInfo));
}
else if (_updateOptionFunctions.Contains(call.Name) ||
_addOptionFunctions.Contains(call.Name))
{
return(HandleUpdateAddOptions(call, exprInfo, storage, argumentInfos, analysisStacks));
}
return(exprInfo);
}
