private static void ScanUnscannedSubroutines(List <File> filesCollection, Func <ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> fileTaintAnalyzer, FunctionAndMethodAnalyzerFactory subroutineAnalyzerFactory, ReportingVulnerabilityStorage vulnerabilityStorage)
{
var defaultTaint = new DefaultTaintProvider().GetTaint();
foreach (var file in filesCollection)
{
Console.WriteLine("Scanning " + file.Name);
var analysisStacks = new AnalysisStacks(file);
var analyser = new FunctionAndMethodAnalyzer(defaultTaint,
new IncludeResolver(filesCollection), analysisStacks,
new CustomFunctionHandler(fileTaintAnalyzer, subroutineAnalyzerFactory, _funcHandler), vulnerabilityStorage, _funcHandler);
foreach (var function in file.Functions.SelectMany(f => f.Value).Except(_funcHandler.ScannedFunctions))
{
Console.WriteLine("> Scanning method " + function.Name);
var functionCall = new FunctionCall(function.Name, function.AstNode, 0, 0);
analysisStacks.CallStack.Push(functionCall);
analyser.AnalyzeFunctionCall(functionCall, new List <ExpressionInfo>());
}
foreach (var @class in file.Classes.SelectMany(c => c.Value))
{
foreach (var method in @class.Methods.Except(_funcHandler.ScannedFunctions))
{
Console.WriteLine("> Scanning method " + method.Name);
var methodCall = new MethodCall(method.Name, new [] { @class.Name }, method.AstNode, 0, 0);
analysisStacks.CallStack.Push(methodCall);
analyser.AnalyzeMethodCall(methodCall, new List <ExpressionInfo>());
}
}
}
}
public FunctionAndMethodAnalyzer Create(ImmutableVariableStorage variableStorage, IIncludeResolver incResolver,
AnalysisStacks stacks, CustomFunctionHandler customFuncHandler,
IVulnerabilityStorage vulnerabilityStorage, FunctionsHandler fh)
{
return(new FunctionAndMethodAnalyzer(variableStorage, incResolver, stacks, customFuncHandler, vulnerabilityStorage, fh)
{
UseSummaries = this.UseSummaries
});
}
public FunctionAndMethodAnalyzer(ImmutableVariableStorage variableStorage, IIncludeResolver incResolver,
AnalysisStacks stacks, CustomFunctionHandler customFuncHandler,
IVulnerabilityStorage vulnerabilityStorage, FunctionsHandler fh)
{
this._varStorage = variableStorage;
this._incResolver = incResolver;
this._stacks = stacks;
this._customFunctionHandler = customFuncHandler;
this._vulnerabilityStorage = vulnerabilityStorage;
this._funcHandler = fh;
}
private void AssertNoOfVulnsInMultipleCodeFiles(Tuple <string, string>[] codeFiles, int numberOfVulns)
{
FunctionsHandler fh = new FunctionsHandler(Config.FuncSpecSettings);
fh.LoadJsonSpecifications();
var vulnStorage = new Mock <IVulnerabilityStorage>();
var parsedFiles = codeFiles.Select(code => new File(PHPParseUtils.ParsePHPCode(code.Item2, Config.PHPSettings.PHPParserPath))
{
FullPath = code.Item1,
CFG = PHPParseUtils.ParseAndIterate <CFGCreator>(code.Item2, Config.PHPSettings.PHPParserPath).Graph
}).ToArray();
Func <ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> fileTaintAnalyzer = null;
fileTaintAnalyzer = (varStorage, inclResolver, scope, stacks) =>
{
Preconditions.NotNull(varStorage, "varStorage");
Preconditions.NotNull(inclResolver, "inclResolver");
var fileToAnalyze = stacks.IncludeStack.Peek();
var blockAnalyzer = new TaintBlockAnalyzer(vulnStorage.Object, inclResolver,
scope, fileTaintAnalyzer, stacks, new FunctionAndMethodAnalyzerFactory(), fh);
var condAnalyser = new ConditionTaintAnalyser(scope, inclResolver, stacks.IncludeStack, fh);
var cfgTaintAnalysis = new PHPAnalysis.Analysis.CFG.TaintAnalysis(blockAnalyzer, condAnalyser, varStorage);
var analyzer = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(fileToAnalyze.CFG));
analyzer.Analyze(fileToAnalyze.CFG);
return(cfgTaintAnalysis.Taints[fileToAnalyze.CFG.Vertices.Single(block => block.IsLeaf)].Out[EdgeType.Normal]);
};
foreach (var file in parsedFiles)
{
var inclusionResolver = new IncludeResolver(parsedFiles);
var fileStack = new Stack <File>();
fileStack.Push(file);
var immutableInitialTaint = new DefaultTaintProvider().GetTaint();
var stacks = new AnalysisStacks(fileStack);
fileTaintAnalyzer(immutableInitialTaint, inclusionResolver, AnalysisScope.File, stacks);
}
vulnStorage.Verify(x => x.AddVulnerability(It.IsAny <IVulnerabilityInfo>()), Times.Exactly(numberOfVulns));
}
private static void Analyze(Arguments arguments, Config configuration)
{
Console.WriteLine("Parsing project at: " + arguments.Target);
Console.WriteLine();
foreach (var analysisStartingListener in _components.AnalysisStartingListeners)
{
// TODO - This should probably be a proper event - same goes for EndingEvent (this will also remove the loop(s)).
analysisStartingListener.AnalysisStarting(null, new AnalysisStartingEventArgs(configuration, arguments));
}
var stopwatch = Stopwatch.StartNew();
Console.WriteLine("Building ASTs..");
ParseResult parseResult = ParseTarget(arguments, configuration);
Console.WriteLine(" - AST build for {0} files ({1} failed)..", parseResult.ParsedFiles.Count, parseResult.FilesThatFailedToParse.Count);
Console.WriteLine("Traversing ASTs..");
var filesCollection = new List <File>();
var runningVulnReporter = new CompositeVulneribilityReporter(_components.VulnerabilityReporters);
var vulnerabilityStorage = new ReportingVulnerabilityStorage(runningVulnReporter, _funcHandler);
var progrssIndicator = ProgressIndicatorFactory.CreateProgressIndicator(parseResult.ParsedFiles.Count());
foreach (var parsedFile in parseResult.ParsedFiles)
{
progrssIndicator.Step();
var file = BuildFileCFGAndExtractFileInformation(parsedFile);
filesCollection.Add(file);
}
var subroutineAnalyzerFactory = new FunctionAndMethodAnalyzerFactory {
UseSummaries = arguments.UseFunctionSummaries
};
Func <ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks,
ImmutableVariableStorage> fileTaintAnalyzer = null;
fileTaintAnalyzer = (varStorage, inclResolver, scope, stacks) =>
{
Preconditions.NotNull(varStorage, "varStorage");
Preconditions.NotNull(inclResolver, "inclResolver");
var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, inclResolver, scope, fileTaintAnalyzer, stacks, subroutineAnalyzerFactory, _funcHandler);
blockAnalyzer.AnalysisExtensions.AddRange(_components.BlockAnalyzers);
var condAnalyser = new ConditionTaintAnalyser(scope, inclResolver, stacks.IncludeStack, _funcHandler);
var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, varStorage);
var fileToAnalyze = stacks.IncludeStack.Peek();
var analyzer = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(fileToAnalyze.CFG));
//var analyzer = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
analyzer.Analyze(fileToAnalyze.CFG);
return(cfgTaintAnalysis.Taints[fileToAnalyze.CFG.Vertices.Single(block => block.IsLeaf)].Out[EdgeType.Normal]);
};
foreach (var file in filesCollection)
{
Console.WriteLine(Environment.NewLine + "=============================");
Console.WriteLine("Analyzing {0}..", file.FullPath);
var initialTaint = GetDefaultTaint();
var inclusionResolver = new IncludeResolver(filesCollection);
var stacks = new AnalysisStacks(file);
fileTaintAnalyzer(initialTaint, inclusionResolver, AnalysisScope.File, stacks);
}
Console.WriteLine("Scanned {0}/{1} subroutines. ", _funcHandler.ScannedFunctions.Count, _funcHandler.CustomFunctions.Count, _funcHandler);
if (arguments.ScanAllSubroutines)
{
Console.WriteLine("Scanning remaining subroutines..");
ScanUnscannedSubroutines(filesCollection, fileTaintAnalyzer, subroutineAnalyzerFactory, vulnerabilityStorage);
}
vulnerabilityStorage.CheckForStoredVulnerabilities();
//parseResult.ParsedFiles.Values.First().Save(@"C:\Users\Kenneth\Documents\Uni\TestScript\current\parsedFile");
stopwatch.Stop();
foreach (var analysisEndedListener in _components.AnalysisEndedListeners)
{
analysisEndedListener.AnalysisEnding(null, new AnalysisEndedEventArgs(stopwatch.Elapsed));
}
Console.WriteLine("Time spent: " + stopwatch.Elapsed);
Console.WriteLine("Found {0} vulnerabilities.", runningVulnReporter.NumberOfReportedVulnerabilities);
}
/// <summary>
/// Analyses a custom function in for security issues, with the currenctly known taint for actual parameters.
/// </summary>
/// <returns>A TainSets for the custom function that is being analyzed</returns>
/// <param name="customFunction">Custom function object to perform the analysis on</param>
/// <param name="varStorage">The currently known variable storage (this is to included because of superglobals, globals etc.)</param>
/// <param name="paramActualVals">Parameter actual values</param>
/// <param name="resolver">File inclusion resolver</param>
/// <param name="includeStack">Currently known includes</param>
/// <param name="functionCalls">Currently known function calls</param>
internal ExpressionInfo AnalyseCustomFunction(Function customFunction, ImmutableVariableStorage varStorage, IVulnerabilityStorage vulnerabilityStorage,
IList <ExpressionInfo> paramActualVals, IIncludeResolver resolver, AnalysisStacks stacks)
{
var stmts = customFunction.AstNode.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Stmts).FirstChild;
var traverser = new XmlTraverser();
var cfgcreator = new CFGCreator();
traverser.AddVisitor(cfgcreator);
traverser.Traverse(stmts);
var cfgPruner = new CFGPruner();
cfgPruner.Prune(cfgcreator.Graph);
var initialTaint = varStorage.ToMutable();
initialTaint.SuperGlobals.Clear();
initialTaint.SuperGlobals.AddRange(varStorage.SuperGlobals);
initialTaint.LocalVariables.Clear();
initialTaint.LocalAccessibleGlobals.Clear();
for (int i = 1; i <= paramActualVals.Count; i++)
{
var paramFormal = customFunction.Parameters.FirstOrDefault(x => x.Key.Item1 == i);
if (paramFormal.Value == null)
{
continue;
}
var @var = new Variable(paramFormal.Value.Name, VariableScope.Function)
{
Info = paramActualVals[i - 1].ValueInfo
};
initialTaint.LocalVariables.Add(paramFormal.Value.Name, @var);
}
var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, resolver, AnalysisScope.Function, fileAnalyzer, stacks, subroutineAnalyzerFactory, _funcHandler);
blockAnalyzer.AnalysisExtensions.AddRange(AnalysisExtensions);
var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.Function, resolver, stacks.IncludeStack, _funcHandler);
var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, ImmutableVariableStorage.CreateFromMutable(initialTaint));
//var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(cfgcreator.Graph));
taintAnalysis.Analyze(cfgcreator.Graph);
var exprInfoAll = new ExpressionInfo();
foreach (ExpressionInfo exprInfo in blockAnalyzer.ReturnInfos)
{
exprInfoAll = exprInfoAll.Merge(exprInfo);
}
return(exprInfoAll);
}
/// <summary>
/// Make sure that hardcoded callback functions are analyzed.
/// </summary>
private ExpressionInfo HandleHookCall(XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage, AnalysisStacks analysisStacks)
{
var functionCall = new FunctionCallExtractor().ExtractFunctionCall(node);
var result = new ExpressionInfo();
foreach (var argument in functionCall.Arguments.Where(a => a.Value.LocalName == AstConstants.Nodes.Scalar_String))
{
var stringValue = ScalarNode.GetStringValue(argument.Value);
var functionAnalyzer = FunctionMethodAnalyzerFactory(currentStorage);
var functions = functionAnalyzer.FunctionsHandler.LookupFunction(stringValue);
if (functions.Any())
{
//Console.WriteLine("FOUND " + functions.Count() + " functions with name: " + stringValue);
var call = new FunctionCall(stringValue, null, AstNode.GetStartLine(node), AstNode.GetEndLine(node));
if (analysisStacks.CallStack.Any(c => c.Name == call.Name))
{
// Avoid recursive registrations.
continue;
}
analysisStacks.CallStack.Push(call);
var funcCallResult = functionAnalyzer.AnalyzeFunctionCall(call, new ExpressionInfo[0]);
analysisStacks.CallStack.Pop();
result = result.Merge(funcCallResult);
}
// https://codex.wordpress.org/Function_Reference/add_submenu_page
// If a method is called, it is called with: array( $this, 'function_name' ) or array( __CLASS__, 'function_name' )
}
return(result);
}
public ExpressionInfo AnalyzeFunctionCall(XmlNode node, ExpressionInfo exprInfo, IVariableStorage varStorage,
IVulnerabilityStorage vulnStorage, IDictionary <uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
{
var funcCall = new FunctionCallExtractor().ExtractFunctionCall(node);
if (_getOptionsFunctions.Contains(funcCall.Name) ||
_addOptionFunctions.Contains(funcCall.Name) ||
_updateOptionFunctions.Contains(funcCall.Name))
{
return(HandleOptionsCall(funcCall, node, exprInfo, varStorage, vulnStorage, argumentInfos, analysisStacks));
}
else if (_hookFunctions.Contains(funcCall.Name))
{
return(HandleHookCall(node, exprInfo, varStorage, analysisStacks));
}
return(exprInfo);
}
private ExpressionInfo HandleUpdateAddOptions(FunctionCall call, ExpressionInfo exprInfo, IVulnerabilityStorage storage,
IDictionary <uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
{
XmlNode firstArgument;
XmlNode secondArgument;
string optionKeyValue;
if (call.Arguments.TryGetValue(1, out firstArgument) &&
call.Arguments.TryGetValue(2, out secondArgument) &&
TryGetOptionKeyValue(firstArgument, argumentInfos[1], out optionKeyValue))
{
foreach (var sqliTaintSet in argumentInfos.ElementAt(1).Value.ExpressionTaint.SqliTaint)
{
if (sqliTaintSet.TaintTag == SQLITaint.None)
{
continue;
}
string varName = (sqliTaintSet.InitialTaintedVariable ?? "???");
string message = "Stored SQLI found - Ingoing: " + varName +
" on line: " + call.StartLine + " in file: " + analysisStacks.IncludeStack.Peek();
storage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
{
IncludeStack = analysisStacks.IncludeStack.ToImmutableStack(),
CallStack = analysisStacks.CallStack.ToImmutableStack(),
Message = message,
VulnerabilityType = VulnType.SQL,
PossibleStoredVuln = new StoredVulnInfo()
{
ICantFeelIt = IsItInYet.YesItsGoingIn,
StorageName = optionKeyValue,
StorageOrigin = "Options",
Taint = new TaintSets(sqliTaintSet, new XSSTaintSet())
}
});
}
foreach (var xssTaintSet in argumentInfos.ElementAt(1).Value.ExpressionTaint.XssTaint)
{
if (xssTaintSet.TaintTag == XSSTaint.None)
{
continue;
}
string varName = (xssTaintSet.InitialTaintedVariable ?? "???");
string message = "Stored XSS found - Ingoing: " + varName +
" on line: " + call.StartLine + " in file: " + analysisStacks.IncludeStack.Peek();
storage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
{
IncludeStack = analysisStacks.IncludeStack.ToImmutableStack(),
CallStack = analysisStacks.CallStack.ToImmutableStack(),
Message = message,
VulnerabilityType = VulnType.XSS,
PossibleStoredVuln = new StoredVulnInfo()
{
ICantFeelIt = IsItInYet.YesItsGoingIn,
StorageName = optionKeyValue,
StorageOrigin = "Options",
Taint = new TaintSets(new SQLITaintSet(), xssTaintSet)
}
});
}
}
return(exprInfo);
}
private ExpressionInfo HandleOptionsCall(FunctionCall call, XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage,
IVulnerabilityStorage storage, IDictionary <uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
{
if (_getOptionsFunctions.Contains(call.Name))
{
return(HandleGetOptions(call, argumentInfos, exprInfo));
}
else if (_updateOptionFunctions.Contains(call.Name) ||
_addOptionFunctions.Contains(call.Name))
{
return(HandleUpdateAddOptions(call, exprInfo, storage, argumentInfos, analysisStacks));
}
return(exprInfo);
}
