/// <summary>
/// Logic for each method invocation (including constructor)
/// The argument list is required because <code>InvocationExpressionSyntax</code> and
/// <code>ObjectCreationExpressionSyntax</code> do not share a common interface.
/// </summary>
/// <param name="node"></param>
/// <param name="argList"></param>
/// <param name="state"></param>
/// <returns></returns>
private VariableState VisitInvocationAndCreation(ExpressionSyntax node, ArgumentListSyntax argList, ExecutionState state)
{
var symbol = state.GetSymbol(node);
MethodBehavior behavior = behaviorRepo.GetMethodBehavior(symbol);
int i = 0;
if (argList == null)
{
return(new VariableState(VariableTaint.UNKNOWN));
}
foreach (var argument in argList.Arguments)
{
var argumentState = VisitExpression(argument.Expression, state);
if (symbol != null)
{
SGLogging.Log(symbol.ContainingType + "." + symbol.Name + " -> " + argumentState);
}
if (behavior != null && //If the API is at risk
(argumentState.taint == VariableTaint.TAINTED || //Tainted values
argumentState.taint == VariableTaint.UNKNOWN) &&
Array.Exists(behavior.injectablesArguments, element => element == i) //If the current parameter can be injected.
)
{
var newRule = LocaleUtil.GetDescriptor(behavior.localeInjection);
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
else if (behavior != null &&
argumentState.taint == VariableTaint.CONSTANT && //Hard coded value
Array.Exists(behavior.passwordArguments, element => element == i) //If the current parameter is a password
)
{
var newRule = LocaleUtil.GetDescriptor(behavior.localePassword);
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
//TODO: tainted all object passed in argument
i++;
}
//Additionnal analysis by extension
foreach (var ext in extensions)
{
ext.VisitInvocationAndCreation(node, argList, state);
}
return(new VariableState(VariableTaint.UNKNOWN));
}
private VariableState VisitAssignment(AssignmentExpressionSyntax node, ExecutionState state)
{
var symbol = state.GetSymbol(node.Left);
MethodBehavior behavior = behaviorRepo.GetMethodBehavior(symbol);
var variableState = VisitExpression(node.Right, state);
//Additionnal analysis by extension
foreach (var ext in extensions)
{
ext.VisitAssignment(node, state, behavior, symbol, variableState);
}
//if (node.Left is IdentifierNameSyntax)
// {
// var assignmentIdentifier = node.Left as IdentifierNameSyntax;
// state.MergeValue(ResolveIdentifier(assignmentIdentifier.Identifier), variableState);
// }
IdentifierNameSyntax parentIdentifierSyntax = GetParentIdentifier(node.Left);
if (parentIdentifierSyntax != null)
{
state.MergeValue(ResolveIdentifier(parentIdentifierSyntax.Identifier), variableState);
}
if (behavior != null && //Injection
behavior.isInjectableField &&
variableState.taint != VariableTaint.CONSTANT && //Skip safe values
variableState.taint != VariableTaint.SAFE)
{
var newRule = LocaleUtil.GetDescriptor(behavior.localeInjection);
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
if (behavior != null && //Known Password API
behavior.isPasswordField &&
variableState.taint == VariableTaint.CONSTANT //Only constant
)
{
var newRule = LocaleUtil.GetDescriptor(behavior.localePassword);
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
//TODO: tainted the variable being assign.
return(variableState);
}
private VariableState VisitAssignment(AssignmentExpressionSyntax node, ExecutionState state)
{
var symbol = state.GetSymbol(node.Left);
MethodBehavior behavior = behaviorRepo.GetInjectableMethodBehavior(symbol);
var variableState = VisitExpression(node.Right, state);
if (node.Left is IdentifierNameSyntax)
{
var assignmentIdentifier = node.Left as IdentifierNameSyntax;
state.UpdateValue(ResolveIdentifier(assignmentIdentifier.Identifier), variableState);
}
if (behavior != null && //If the API is at risk
variableState.taint != VariableTaint.CONSTANT && //Skip safe values
variableState.taint != VariableTaint.SAFE)
{
var newRule = LocaleUtil.GetDescriptor(behavior.vulnerabilityLocale);
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
return(variableState);
}