|
public ExtractFunctionCall ( |
||
| node | ||
| return | FunctionCall | |
private ExpressionInfo Node_FuncCall(XmlNode node)
{
var functionCallExtractor = new FunctionCallExtractor();
var functionCall = functionCallExtractor.ExtractFunctionCall(node);
bool isAlreadyInStack = _analysisStacks.CallStack.Any(x => x.Name == functionCall.Name);
_analysisStacks.CallStack.Push(functionCall);
var argInfos = new List<ExpressionInfo>();
//Actually extract the arguments
for (uint index = 1; index <= functionCall.Arguments.Count; index++)
{
var item = functionCall.Arguments.FirstOrDefault(x => x.Key == index);
var exprInfo = this.Analyze(item.Value);
if (_varResolver.IsResolvableNode(item.Value))
{
var variableResolveResult = _varResolver.ResolveVariable(item.Value);
exprInfo.ValueInfo = variableResolveResult.Variable.Info;
}
argInfos.Add(exprInfo);
}
if (functionCall.Name == "")
{
var expr_info = new ExpressionInfo();
_analysisStacks.CallStack.Pop();
return argInfos.Aggregate(expr_info, (current, info) => current.Merge(info));
}
var customFunctionHandler = new CustomFunctionHandler(this._analyzer, _subroutineAnalyzerFactory);
customFunctionHandler.AnalysisExtensions.AddRange(this.AnalysisExtensions);
var immutableVariableStorage = ImmutableVariableStorage.CreateFromMutable(_variableStorage);
var functionMethodAnalyzer = this._subroutineAnalyzerFactory.Create(immutableVariableStorage, _inclusionResolver,
_analysisStacks, customFunctionHandler, _vulnerabilityStorage);
var resultTaintSet = new ExpressionInfo();
if (!isAlreadyInStack)
{
resultTaintSet = functionMethodAnalyzer.AnalyzeFunctionCall(functionCall, argInfos);
}
FunctionsHandler fh = FunctionsHandler.Instance;
var sqlSaniFunc = fh.FindSQLSanitizerByName(functionCall.Name);
var sqlSinkFunc = fh.FindSQLSinkByName(functionCall.Name);
var xssSaniFunc = fh.FindXSSSanitizerByName(functionCall.Name);
var xssSinkFunc = fh.FindXSSSinkByName(functionCall.Name);
if(sqlSaniFunc != null && sqlSaniFunc.DefaultStatus == SQLITaint.None)
{
resultTaintSet.ExpressionTaint.SqliTaint.Clear();
resultTaintSet.ValueInfo.Taints.SqliTaint.Clear();
resultTaintSet.ExpressionStoredTaint.Taint.SqliTaint.Clear();
}
if (xssSaniFunc != null && xssSaniFunc.DefaultStatus == XSSTaint.None)
{
resultTaintSet.ExpressionTaint.XssTaint.Clear();
resultTaintSet.ValueInfo.Taints.XssTaint.Clear();
resultTaintSet.ExpressionStoredTaint.Taint.XssTaint.Clear();
}
if (sqlSinkFunc != null)
{
var vulnerableSqlParams = sqlSinkFunc.Parameters.Where(x => x.Value.IsSensitive).ToDictionary(pair => pair.Key);
var param = functionCall.Arguments.Where(x => vulnerableSqlParams.Keys.Any(z => z.Item1 == x.Key));
foreach (var parameter in param)
{
var argInfo = argInfos.ElementAt((int) (parameter.Key - 1));
CheckForSQLVulnerabilities(argInfo, parameter.Value);
}
}
if (xssSinkFunc != null)
{
var vulnerableXssParams = xssSinkFunc.Parameters.Where(x => x.Value.IsSensitive).ToDictionary(pair => pair.Key);
var param = functionCall.Arguments.Where(x => vulnerableXssParams.Keys.Any(z => z.Item1 == x.Key));
foreach (var parameter in param)
{
var argInfo = argInfos.ElementAt((int)(parameter.Key - 1));
CheckForXssVulnerabilities(argInfo, parameter.Value);
}
}
resultTaintSet = StoredFuncHandler(resultTaintSet, node, argInfos);
var argumentInfoWithIndex = argInfos.Select((a, i) => new { Info = a, Index = (uint)i + 1 })
.ToDictionary(a => a.Index, a => a.Info);
resultTaintSet = ApplyAnalysisExtensionsToFuncCall(node, resultTaintSet, argumentInfoWithIndex);
_analysisStacks.CallStack.Pop();
return resultTaintSet;
}
private TaintSets Node_FuncCall(XmlNode node)
{
if (!isConditional)
{
return null;
}
// We use the True scope as both True and False are the same at this point in time
var functionCallExtractor = new FunctionCallExtractor();
var functionCall = functionCallExtractor.ExtractFunctionCall(node);
FunctionsHandler fh = FunctionsHandler.Instance;
var condSaniFunc = fh.FindCondSanitizerByName(functionCall.Name);
if (condSaniFunc != null)
{
var parameter = functionCall.Arguments;
var varResolverFalse = new VariableResolver(_variables[EdgeType.False]);
if (parameter.Any(x => varResolverFalse.IsResolvableNode(x.Value))
&& condSaniFunc.DefaultStatus == MixedStatus.XSSSQL_SAFE)
{
if (isNegated)
{
var var = varResolverFalse.ResolveVariable(parameter.First(x => varResolverFalse.IsResolvableNode(x.Value)).Value);
var.Variable.Info.Taints = new TaintSets().ClearTaint();
}
else
{
var varResolverTrue = new VariableResolver(_variables[EdgeType.True]);
var var = varResolverTrue.ResolveVariable(parameter.First(x => varResolverTrue.IsResolvableNode(x.Value)).Value);
var.Variable.Info.Taints = new TaintSets().ClearTaint();
}
}
}
return new TaintSets().ClearTaint();
}
private ExpressionInfo StoredFuncHandler(ExpressionInfo exprInfo, XmlNode node, List<ExpressionInfo> argInfos)
{
var resultExpr = new ExpressionInfo();
var functionCallExtractor = new FunctionCallExtractor();
var functionCall = functionCallExtractor.ExtractFunctionCall(node);
var fh = FunctionsHandler.Instance;
var sqlSinkFunc = fh.FindSQLSinkByName(functionCall.Name);
if (sqlSinkFunc != null)
{
var vulnerableSqlParams = sqlSinkFunc.Parameters.Where(x => x.Value.IsSensitive).ToDictionary(pair => pair.Key);
var param = functionCall.Arguments.Where(x => vulnerableSqlParams.Keys.Any(z => z.Item1 == x.Key));
foreach (var arg in argInfos)
{
exprInfo = arg;
if (exprInfo.ValueInfo.Value == null)
{
continue;
}
if (StringAnalysis.IsSQLInsertionStmt(exprInfo.ValueInfo.Value))
{
exprInfo.ExpressionStoredTaint =
new StoredVulnInfo(StringAnalysis.RetrieveSQLTableName(exprInfo.ValueInfo.Value), AstNode.GetStartLine(node))
{
Taint = exprInfo.ExpressionTaint,
ICantFeelIt = IsItInYet.YesItsGoingIn
};
InsertIntoStoredLocation(exprInfo, node);
exprInfo = new ExpressionInfo();
}
else if(StringAnalysis.IsSQLRetrieveStmt(exprInfo.ValueInfo.Value))
{
exprInfo.ExpressionStoredTaint =
new StoredVulnInfo(StringAnalysis.RetrieveSQLTableName(exprInfo.ValueInfo.Value), AstNode.GetStartLine(node))
{
Taint = new DefaultTaintProvider().GetTaintedTaintSet(),
ICantFeelIt = IsItInYet.NoImPullingOut
};
resultExpr.ValueInfo.NestedVariablePossibleStoredDefaultTaintFactory = () => new DefaultTaintProvider().GetTaintedTaintSet();
}
resultExpr.ExpressionStoredTaint = resultExpr.ExpressionStoredTaint.Merge(exprInfo.ExpressionStoredTaint);
}
}
else
{
return exprInfo;
}
return resultExpr;
}
private void FunctionMethodEnter(XmlNode node)
{
var ext = new FunctionCallExtractor ();
Function f = null;
string methodName = ext.ExtractFunctionCall (node).Name;
string functionName = null;
if (node.LocalName == AstConstants.Nodes.Expr_FuncCall)
f = FunctionsHandler.Instance.CustomFunctions.Find (x => x.Name == ext.ExtractFunctionCall (node).Name || x.Aliases.Any (y => y == ext.ExtractFunctionCall (node).Name));
else if (node.LocalName == AstConstants.Nodes.Expr_MethodCall) {
var varNode = node.GetSubNode (AstConstants.Subnode + ":" + AstConstants.Subnodes.Var);
string className = "";
//PHP: (new ClassName(args))->MethodName(args);
//Extract the ClassName directly, in this case there can be only one ClassName!
if (varNode.FirstChild.LocalName == AstConstants.Nodes.Expr_New) {
className = varNode.FirstChild
.GetSubNode (AstConstants.Subnode + ":" + AstConstants.Subnodes.Class)
.GetSubNode (AstConstants.Node + ":" + AstConstants.Nodes.Name)
.GetSubNode (AstConstants.Subnode + ":" + AstConstants.Subnodes.Parts).FirstChild.FirstChild.InnerText;
}
//Look up the function name in the list of variables
else {
try {classVarList.TryGetValue (varNode.FirstChild
.GetSubNode (AstConstants.Subnode + ":" + AstConstants.Subnodes.Name).InnerText, out className);} catch {}
}
methodName = node.GetSubNode (AstConstants.Subnode + ":" + AstConstants.Subnodes.Name).FirstChild.InnerText;
functionName = className + "->" + methodName;
f = FunctionsHandler.Instance.CustomFunctions.Find (x => x.Name == functionName || x.Aliases.Any (y => y == functionName));
}
if (CurrentBlock.BreaksOutOfScope) {
CurrentBlock = new CFGBlock ();
Graph.AddVertex (CurrentBlock);
} else {
CurrentBlock = ConnectNewBlockTo (CurrentBlock, EdgeType.Normal);
}
CurrentBlock.AstEntryNode = node;
if (f==null)
f = HandleWPFunctions(methodName, node, functionName);
if (f != null && !inFunctions.Contains(f)) {
inFunctions.Add(f);
foreach (XmlNode n in f.AstNode.ChildNodes) {
if (n.LocalName == "stmts")
foreach (XmlNode s in n.FirstChild.ChildNodes) {
DepthFirstImpl (s);
}
}
inFunctions.Remove(f);
}
//else throw new NullReferenceException("The function did not exist"); //This should never happen
}
