Exemple #1
0
        private void ParseAndAnalyze(string php, IVulnerabilityStorage storage)
        {
            FunctionsHandler fh = new FunctionsHandler(Config.FuncSpecSettings);

            fh.LoadJsonSpecifications();

            var extractedFuncs = PHPParseUtils.ParseAndIterate <ClassAndFunctionExtractor>(php, Config.PHPSettings.PHPParserPath).Functions;

            fh.CustomFunctions.AddRange(extractedFuncs);

            var cfg = PHPParseUtils.ParseAndIterate <CFGCreator>(php, Config.PHPSettings.PHPParserPath).Graph;

            var incResolver = new IncludeResolver(new List <File>());
            var fileStack   = new Stack <File>();

            fileStack.Push(new File()
            {
                FullPath = @"C:\TestFile.txt"
            });
            var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.File, incResolver, fileStack, fh);

            var funcMock      = new Mock <Func <ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> >();
            var blockAnalyzer = new TaintBlockAnalyzer(storage, incResolver,
                                                       AnalysisScope.File, funcMock.Object, new AnalysisStacks(fileStack), new FunctionAndMethodAnalyzerFactory(), fh);
            var immutableInitialTaint = new DefaultTaintProvider().GetTaint();
            var cfgTaintAnalysis      = new TaintAnalysis(blockAnalyzer, condAnalyser, immutableInitialTaint);
            var taintAnalysis         = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());

            taintAnalysis.Analyze(cfg);
        }
Exemple #2
0
        public void ResolveInclude(string phpCode, string[] existingFiles, bool shouldResolve)
        {
            var includeResolver = new IncludeResolver(existingFiles.Select(f => new File()
            {
                FullPath = f
            }).ToList());

            var ast = PHPParseUtils.ParsePHPCode(phpCode, Config.PHPSettings.PHPParserPath);

            ast.IterateAllNodes(node =>
            {
                if (node.Name == AstConstants.Node + ":" + AstConstants.Nodes.Expr_Include)
                {
                    File file;
                    if (includeResolver.TryResolveInclude(node, out file))
                    {
                        Assert.IsTrue(shouldResolve);
                    }
                    else
                    {
                        Assert.IsFalse(shouldResolve);
                    }
                }
                return(true);
            });
        }
Exemple #3
0
        public void ResolveMultipleArrayElements(string phpCode)
        {
            XmlNode ast = PHPParseUtils.ParsePHPCode(phpCode, Config.PHPSettings.PHPParserPath).FirstChild.NextSibling;

            var xmlNodes = ast.FirstChild.Cast <XmlNode>().ToList();
            var varNodes = xmlNodes.Where(node => node.LocalName == AstConstants.Nodes.Expr_ArrayDimFetch);

            var varResolver = new VariableResolver(new VariableStorage(), AnalysisScope.File);

            var firstVar = varNodes.First();
            var result   = varResolver.ResolveVariable(firstVar);

            result = varResolver.ResolveVariable(firstVar);
            Assert.IsFalse(result.IsNew, "Var");
            result = varResolver.ResolveVariable(varNodes.ElementAt(1));
            Assert.IsTrue(result.IsNew, "First lookup of second var");
        }
Exemple #4
0
        private void AssertNoOfVulnsInMultipleCodeFiles(Tuple <string, string>[] codeFiles, int numberOfVulns)
        {
            FunctionsHandler fh = new FunctionsHandler(Config.FuncSpecSettings);

            fh.LoadJsonSpecifications();

            var vulnStorage = new Mock <IVulnerabilityStorage>();

            var parsedFiles = codeFiles.Select(code => new File(PHPParseUtils.ParsePHPCode(code.Item2, Config.PHPSettings.PHPParserPath))
            {
                FullPath = code.Item1,
                CFG      = PHPParseUtils.ParseAndIterate <CFGCreator>(code.Item2, Config.PHPSettings.PHPParserPath).Graph
            }).ToArray();

            Func <ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> fileTaintAnalyzer = null;

            fileTaintAnalyzer = (varStorage, inclResolver, scope, stacks) =>
            {
                Preconditions.NotNull(varStorage, "varStorage");
                Preconditions.NotNull(inclResolver, "inclResolver");
                var fileToAnalyze = stacks.IncludeStack.Peek();
                var blockAnalyzer = new TaintBlockAnalyzer(vulnStorage.Object, inclResolver,
                                                           scope, fileTaintAnalyzer, stacks, new FunctionAndMethodAnalyzerFactory(), fh);
                var condAnalyser     = new ConditionTaintAnalyser(scope, inclResolver, stacks.IncludeStack, fh);
                var cfgTaintAnalysis = new PHPAnalysis.Analysis.CFG.TaintAnalysis(blockAnalyzer, condAnalyser, varStorage);
                var analyzer         = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(fileToAnalyze.CFG));

                analyzer.Analyze(fileToAnalyze.CFG);
                return(cfgTaintAnalysis.Taints[fileToAnalyze.CFG.Vertices.Single(block => block.IsLeaf)].Out[EdgeType.Normal]);
            };

            foreach (var file in parsedFiles)
            {
                var inclusionResolver = new IncludeResolver(parsedFiles);
                var fileStack         = new Stack <File>();
                fileStack.Push(file);
                var immutableInitialTaint = new DefaultTaintProvider().GetTaint();

                var stacks = new AnalysisStacks(fileStack);
                fileTaintAnalyzer(immutableInitialTaint, inclusionResolver, AnalysisScope.File, stacks);
            }

            vulnStorage.Verify(x => x.AddVulnerability(It.IsAny <IVulnerabilityInfo>()), Times.Exactly(numberOfVulns));
        }
Exemple #5
0
        public void ResolveArrayElement(string phpCode, string varName)
        {
            XmlNode ast = PHPParseUtils.ParsePHPCode(phpCode, Config.PHPSettings.PHPParserPath).FirstChild.NextSibling;

            var xmlNodes = ast.FirstChild.Cast <XmlNode>().ToList();
            var varNodes = xmlNodes.Where(node => node.LocalName == AstConstants.Nodes.Expr_ArrayDimFetch);

            var varResolver = new VariableResolver(new VariableStorage(), AnalysisScope.File);

            foreach (var varNode in varNodes)
            {
                var result = varResolver.ResolveVariable(varNode);
                Assert.AreEqual(varName, result.Variable.Name, "Names should match");
                Assert.IsTrue(result.IsNew, "Variable should be new");
                result = varResolver.ResolveVariable(varNode);
                Assert.AreEqual(varName, result.Variable.Name, "Names should still match");
                Assert.IsFalse(result.IsNew, "Variable is no longer new");
            }
        }
Exemple #6
0
        public void ResolveStaticPropertyFetch(string phpCode, string expectedVarName, string nodeType)
        {
            XmlNode ast = PHPParseUtils.ParsePHPCode(phpCode, Config.PHPSettings.PHPParserPath).FirstChild.NextSibling;

            var xmlNodes = ast.FirstChild.Cast <XmlNode>()
                           .Where(node => node.LocalName == nodeType);

            var propFetch = xmlNodes.First();

            var varResolver = new VariableResolver(new VariableStorage(), AnalysisScope.File);

            var result = varResolver.ResolveVariable(propFetch);

            Assert.AreEqual(expectedVarName, result.Variable.Name, "Name should match");
            Assert.IsTrue(result.IsNew, "New var");
            result = varResolver.ResolveVariable(propFetch);
            Assert.AreEqual(expectedVarName, result.Variable.Name, "Names should still match");
            Assert.IsFalse(result.IsNew, "Variable is no longer new");
        }
Exemple #7
0
        public void ResolveArrayElementMixIndexType()
        {
            string  phpCode = @"<?php $a['1']; $a[1];";
            XmlNode ast     = PHPParseUtils.ParsePHPCode(phpCode, Config.PHPSettings.PHPParserPath).FirstChild.NextSibling;

            var xmlNodes = ast.FirstChild.Cast <XmlNode>().ToList();
            var varNodes = xmlNodes.Where(node => node.LocalName == AstConstants.Nodes.Expr_ArrayDimFetch);

            var varResolver = new VariableResolver(new VariableStorage(), AnalysisScope.File);

            var arrayfetch = varNodes.First();

            var result = varResolver.ResolveVariable(arrayfetch);

            Assert.AreEqual("1", result.Variable.Name, "Names should match");
            Assert.IsTrue(result.IsNew, "Variable should be new");

            result = varResolver.ResolveVariable(varNodes.ElementAt(1));
            Assert.AreEqual("1", result.Variable.Name, "Names should still match");
            Assert.IsFalse(result.IsNew, "Variable is no longer new");
        }
Exemple #8
0
        public void ReversePostOrderAlgorithm1()
        {
            string phpCode = @"<?php 
$i = 0; 

if (true) {
$x;
} else if (true) {
$y;
} else {
$sdf;
}
echo $x;";
            var    cfg     = PHPParseUtils.ParseAndIterate <CFGCreator>(phpCode, Config.PHPSettings.PHPParserPath).Graph;

            new CFGPruner().Prune(cfg);

            //cfg.VisualizeGraph("cfg", Config.GraphSettings);

            var postOrder = new ReversePostOrderAlgorithm(cfg).CalculateReversePostOrder();
        }
 private CFGCreator ParseAndBuildCFG(string php)
 {
     return(PHPParseUtils.ParseAndIterate <CFGCreator>(php, Config.PHPSettings.PHPParserPath));
 }
        private XmlNode ParseAndGetAstStatementContent(string php)
        {
            var ast = PHPParseUtils.ParsePHPCode(php, Config.PHPSettings.PHPParserPath);

            return(ast.FirstChild.NextSibling.FirstChild);
        }
 private ClassAndFunctionExtractor ParseAndExtract(string php)
 {
     return(PHPParseUtils.ParseAndIterate <ClassAndFunctionExtractor>(php, Config.PHPSettings.PHPParserPath));
 }