public ExtractFunctionCall ( |
||
node | ||
return | FunctionCall |
private ExpressionInfo Node_FuncCall(XmlNode node) { var functionCallExtractor = new FunctionCallExtractor(); var functionCall = functionCallExtractor.ExtractFunctionCall(node); bool isAlreadyInStack = _analysisStacks.CallStack.Any(x => x.Name == functionCall.Name); _analysisStacks.CallStack.Push(functionCall); var argInfos = new List<ExpressionInfo>(); //Actually extract the arguments for (uint index = 1; index <= functionCall.Arguments.Count; index++) { var item = functionCall.Arguments.FirstOrDefault(x => x.Key == index); var exprInfo = this.Analyze(item.Value); if (_varResolver.IsResolvableNode(item.Value)) { var variableResolveResult = _varResolver.ResolveVariable(item.Value); exprInfo.ValueInfo = variableResolveResult.Variable.Info; } argInfos.Add(exprInfo); } if (functionCall.Name == "") { var expr_info = new ExpressionInfo(); _analysisStacks.CallStack.Pop(); return argInfos.Aggregate(expr_info, (current, info) => current.Merge(info)); } var customFunctionHandler = new CustomFunctionHandler(this._analyzer, _subroutineAnalyzerFactory); customFunctionHandler.AnalysisExtensions.AddRange(this.AnalysisExtensions); var immutableVariableStorage = ImmutableVariableStorage.CreateFromMutable(_variableStorage); var functionMethodAnalyzer = this._subroutineAnalyzerFactory.Create(immutableVariableStorage, _inclusionResolver, _analysisStacks, customFunctionHandler, _vulnerabilityStorage); var resultTaintSet = new ExpressionInfo(); if (!isAlreadyInStack) { resultTaintSet = functionMethodAnalyzer.AnalyzeFunctionCall(functionCall, argInfos); } FunctionsHandler fh = FunctionsHandler.Instance; var sqlSaniFunc = fh.FindSQLSanitizerByName(functionCall.Name); var sqlSinkFunc = fh.FindSQLSinkByName(functionCall.Name); var xssSaniFunc = fh.FindXSSSanitizerByName(functionCall.Name); var xssSinkFunc = fh.FindXSSSinkByName(functionCall.Name); if(sqlSaniFunc != null && sqlSaniFunc.DefaultStatus == SQLITaint.None) { resultTaintSet.ExpressionTaint.SqliTaint.Clear(); resultTaintSet.ValueInfo.Taints.SqliTaint.Clear(); resultTaintSet.ExpressionStoredTaint.Taint.SqliTaint.Clear(); } if (xssSaniFunc != null && xssSaniFunc.DefaultStatus == XSSTaint.None) { resultTaintSet.ExpressionTaint.XssTaint.Clear(); resultTaintSet.ValueInfo.Taints.XssTaint.Clear(); resultTaintSet.ExpressionStoredTaint.Taint.XssTaint.Clear(); } if (sqlSinkFunc != null) { var vulnerableSqlParams = sqlSinkFunc.Parameters.Where(x => x.Value.IsSensitive).ToDictionary(pair => pair.Key); var param = functionCall.Arguments.Where(x => vulnerableSqlParams.Keys.Any(z => z.Item1 == x.Key)); foreach (var parameter in param) { var argInfo = argInfos.ElementAt((int) (parameter.Key - 1)); CheckForSQLVulnerabilities(argInfo, parameter.Value); } } if (xssSinkFunc != null) { var vulnerableXssParams = xssSinkFunc.Parameters.Where(x => x.Value.IsSensitive).ToDictionary(pair => pair.Key); var param = functionCall.Arguments.Where(x => vulnerableXssParams.Keys.Any(z => z.Item1 == x.Key)); foreach (var parameter in param) { var argInfo = argInfos.ElementAt((int)(parameter.Key - 1)); CheckForXssVulnerabilities(argInfo, parameter.Value); } } resultTaintSet = StoredFuncHandler(resultTaintSet, node, argInfos); var argumentInfoWithIndex = argInfos.Select((a, i) => new { Info = a, Index = (uint)i + 1 }) .ToDictionary(a => a.Index, a => a.Info); resultTaintSet = ApplyAnalysisExtensionsToFuncCall(node, resultTaintSet, argumentInfoWithIndex); _analysisStacks.CallStack.Pop(); return resultTaintSet; }
private TaintSets Node_FuncCall(XmlNode node) { if (!isConditional) { return null; } // We use the True scope as both True and False are the same at this point in time var functionCallExtractor = new FunctionCallExtractor(); var functionCall = functionCallExtractor.ExtractFunctionCall(node); FunctionsHandler fh = FunctionsHandler.Instance; var condSaniFunc = fh.FindCondSanitizerByName(functionCall.Name); if (condSaniFunc != null) { var parameter = functionCall.Arguments; var varResolverFalse = new VariableResolver(_variables[EdgeType.False]); if (parameter.Any(x => varResolverFalse.IsResolvableNode(x.Value)) && condSaniFunc.DefaultStatus == MixedStatus.XSSSQL_SAFE) { if (isNegated) { var var = varResolverFalse.ResolveVariable(parameter.First(x => varResolverFalse.IsResolvableNode(x.Value)).Value); var.Variable.Info.Taints = new TaintSets().ClearTaint(); } else { var varResolverTrue = new VariableResolver(_variables[EdgeType.True]); var var = varResolverTrue.ResolveVariable(parameter.First(x => varResolverTrue.IsResolvableNode(x.Value)).Value); var.Variable.Info.Taints = new TaintSets().ClearTaint(); } } } return new TaintSets().ClearTaint(); }
private ExpressionInfo StoredFuncHandler(ExpressionInfo exprInfo, XmlNode node, List<ExpressionInfo> argInfos) { var resultExpr = new ExpressionInfo(); var functionCallExtractor = new FunctionCallExtractor(); var functionCall = functionCallExtractor.ExtractFunctionCall(node); var fh = FunctionsHandler.Instance; var sqlSinkFunc = fh.FindSQLSinkByName(functionCall.Name); if (sqlSinkFunc != null) { var vulnerableSqlParams = sqlSinkFunc.Parameters.Where(x => x.Value.IsSensitive).ToDictionary(pair => pair.Key); var param = functionCall.Arguments.Where(x => vulnerableSqlParams.Keys.Any(z => z.Item1 == x.Key)); foreach (var arg in argInfos) { exprInfo = arg; if (exprInfo.ValueInfo.Value == null) { continue; } if (StringAnalysis.IsSQLInsertionStmt(exprInfo.ValueInfo.Value)) { exprInfo.ExpressionStoredTaint = new StoredVulnInfo(StringAnalysis.RetrieveSQLTableName(exprInfo.ValueInfo.Value), AstNode.GetStartLine(node)) { Taint = exprInfo.ExpressionTaint, ICantFeelIt = IsItInYet.YesItsGoingIn }; InsertIntoStoredLocation(exprInfo, node); exprInfo = new ExpressionInfo(); } else if(StringAnalysis.IsSQLRetrieveStmt(exprInfo.ValueInfo.Value)) { exprInfo.ExpressionStoredTaint = new StoredVulnInfo(StringAnalysis.RetrieveSQLTableName(exprInfo.ValueInfo.Value), AstNode.GetStartLine(node)) { Taint = new DefaultTaintProvider().GetTaintedTaintSet(), ICantFeelIt = IsItInYet.NoImPullingOut }; resultExpr.ValueInfo.NestedVariablePossibleStoredDefaultTaintFactory = () => new DefaultTaintProvider().GetTaintedTaintSet(); } resultExpr.ExpressionStoredTaint = resultExpr.ExpressionStoredTaint.Merge(exprInfo.ExpressionStoredTaint); } } else { return exprInfo; } return resultExpr; }
private void FunctionMethodEnter(XmlNode node) { var ext = new FunctionCallExtractor (); Function f = null; string methodName = ext.ExtractFunctionCall (node).Name; string functionName = null; if (node.LocalName == AstConstants.Nodes.Expr_FuncCall) f = FunctionsHandler.Instance.CustomFunctions.Find (x => x.Name == ext.ExtractFunctionCall (node).Name || x.Aliases.Any (y => y == ext.ExtractFunctionCall (node).Name)); else if (node.LocalName == AstConstants.Nodes.Expr_MethodCall) { var varNode = node.GetSubNode (AstConstants.Subnode + ":" + AstConstants.Subnodes.Var); string className = ""; //PHP: (new ClassName(args))->MethodName(args); //Extract the ClassName directly, in this case there can be only one ClassName! if (varNode.FirstChild.LocalName == AstConstants.Nodes.Expr_New) { className = varNode.FirstChild .GetSubNode (AstConstants.Subnode + ":" + AstConstants.Subnodes.Class) .GetSubNode (AstConstants.Node + ":" + AstConstants.Nodes.Name) .GetSubNode (AstConstants.Subnode + ":" + AstConstants.Subnodes.Parts).FirstChild.FirstChild.InnerText; } //Look up the function name in the list of variables else { try {classVarList.TryGetValue (varNode.FirstChild .GetSubNode (AstConstants.Subnode + ":" + AstConstants.Subnodes.Name).InnerText, out className);} catch {} } methodName = node.GetSubNode (AstConstants.Subnode + ":" + AstConstants.Subnodes.Name).FirstChild.InnerText; functionName = className + "->" + methodName; f = FunctionsHandler.Instance.CustomFunctions.Find (x => x.Name == functionName || x.Aliases.Any (y => y == functionName)); } if (CurrentBlock.BreaksOutOfScope) { CurrentBlock = new CFGBlock (); Graph.AddVertex (CurrentBlock); } else { CurrentBlock = ConnectNewBlockTo (CurrentBlock, EdgeType.Normal); } CurrentBlock.AstEntryNode = node; if (f==null) f = HandleWPFunctions(methodName, node, functionName); if (f != null && !inFunctions.Contains(f)) { inFunctions.Add(f); foreach (XmlNode n in f.AstNode.ChildNodes) { if (n.LocalName == "stmts") foreach (XmlNode s in n.FirstChild.ChildNodes) { DepthFirstImpl (s); } } inFunctions.Remove(f); } //else throw new NullReferenceException("The function did not exist"); //This should never happen }