/// <summary> /// Gets a list of all taint flows determined by a flag /// </summary> /// <param name="script">last script</param> /// <param name="flag">flag determining the taint</param> /// <returnslist of taint flows></returns> public List <String> toString(ref String script, Analysis.FlagType flag) { List <string> result = new List <string>(); if (!flow.taint.get(flag)) { return(result); } String thisScript = script; foreach (TaintFlow childFlow in flow.possibleTaintFlows) { String refscript = thisScript; List <String> flows = childFlow.toString(ref refscript, flag); String thisPoint = getThisPoint(ref refscript); foreach (String flowString in flows) { result.Add(flowString + thisPoint); } } if (result.Count == 0) { String refscript = thisScript; String thisPoint = getThisPoint(ref refscript); result.Add(thisPoint); } script = ""; if (flow.point != null && flow.point.OwningScript != null) { script = flow.point.OwningScriptFullName; } return(result); }
public TaintStatus(TaintInfo taintInfo, Analysis.FlagType flag) { this.tainted = taintInfo.taint; this.priority = taintInfo.priority; lines = getLines(taintInfo, flag); }
internal TestCase HasTaintStatus(TaintStatus taintStatus, Analysis.FlagType flag) { _asserts.Add((ppg) => { var output = GetEndOutput(ppg); AnalysisTestUtils.AssertHasTaintStatus(output, VariableName, AssertMessage, taintStatus, flag); }); return(this); }
/// <summary> /// Gets the corresponding value to a flag type /// </summary> /// <param name="flag"></param> /// <returns>true if flag type value is true, false otherwise</returns> public bool get(Analysis.FlagType flag) { if (flag == Analysis.FlagType.HTMLDirty) { return(HTML); } if (flag == Analysis.FlagType.SQLDirty) { return(SQL); } return(FilePath); }
public bool EqualTo(TaintStatus other, Analysis.FlagType flag) { if (this.tainted.get(flag) != other.tainted.get(flag)) { return(false); } if (this.priority.get(flag) != other.priority.get(flag)) { return(false); } if (!checkFlowEquality(other.lines)) { return(false); } return(true); }
public string ToString(Analysis.FlagType flag) { var result = new StringBuilder(); result.AppendLine("Tainted: " + this.tainted.get(flag)); result.AppendLine("Priority: " + this.priority.get(flag)); foreach (List <int> flow in lines) { var flowString = new StringBuilder(); flowString.Append("Flow: "); foreach (int i in flow) { flowString.Append(i + " "); } result.AppendLine(flowString.ToString()); } return(result.ToString()); }
private List <List <int> > getLines(TaintInfo info, Analysis.FlagType flag) { List <List <int> > result = new List <List <int> >(); if ((!info.taint.get(flag) && !info.nullValue) || info.point == null || info.point.Partial == null) { return(result); } int firstLine = info.point.Partial.Position.FirstLine; if (info.possibleTaintFlows.Count == 0) { result.Add(new List <int>() { firstLine }); } foreach (TaintFlow flowPair in info.possibleTaintFlows) { var flow = flowPair.flow; if (!flow.taint.get(flag)) { continue; } List <List <int> > flows = getLines(flow); foreach (List <int> oneFlow in flows) { oneFlow.Add(firstLine); } result.AddRange(flows); } if (result.Count == 0) { result.Add(new List <int>() { firstLine }); } return(result); }
/// <summary> /// Returns a string containing taint flows of the taint specified by a flag /// </summary> /// <param name="flag">flag specifying the taint</param> /// <returns>string containing the taint flows</returns> public String print(Analysis.FlagType flag) { String currentScript = ""; List <String> resultFlows = new List <String>(); if (!taint.get(flag)) { return(print(resultFlows)); } foreach (TaintFlow flow in possibleTaintFlows) { String refScript = currentScript; List <String> flowAsStrings = flow.toString(ref refScript, flag); foreach (String flowAsString in flowAsStrings) { String script = refScript; resultFlows.Add(flowAsString + currentPointString(ref script)); } } return(print(resultFlows)); }
internal static void AssertHasTaintStatus(FlowOutputSet outSet, string variableName, string assertMessage, TaintStatus taintStatus, Analysis.FlagType flag) { var varID = new VariableIdentifier(variableName); var variable = outSet.GetVariable(varID); var values = variable.ReadMemory(outSet.Snapshot).PossibleValues.ToArray(); var computedTaintStatus = new TaintStatus(false, true); if (values.Count() == 0) { computedTaintStatus.priority.setAll(false); } foreach (var value in values) { if (!(value is InfoValue <TaintInfo>)) { continue; } TaintInfo valueTaintInfo = (value as InfoValue <TaintInfo>).Data; TaintStatus valueTaintStatus = new TaintStatus(valueTaintInfo, flag); computedTaintStatus.tainted.copyTaint(true, valueTaintStatus.tainted); computedTaintStatus.priority.copyTaint(false, valueTaintStatus.priority); computedTaintStatus.lines.AddRange(valueTaintStatus.lines); } String taintStatusString = taintStatus.ToString(flag); String computedTaintStatusString = computedTaintStatus.ToString(flag); Assert.IsTrue(taintStatus.EqualTo(computedTaintStatus, flag), "Taint status of the taint type {0} of variable ${1} should be {2}, taint analysis computed {3}", flag, variableName, taintStatusString, computedTaintStatusString); }