internal static void AssertIsXSSDirty(FlowOutputSet outSet, string variableName, string assertMessage)
{
var variable = outSet.GetVariable(new VariableIdentifier(variableName));
var values = variable.ReadMemory(outSet.Snapshot).PossibleValues.ToArray();
if (!FlagsHandler.IsDirty(values, FlagType.SQLDirty))
{
Assert.Fail("No possible value for variable ${0} is dirty", variableName);
}
}
/// <summary>
/// Models constructor of native object
/// </summary>
/// <param name="flow">FlowController</param>
public void initObject(FlowController flow)
{
var nativeClass = NativeObjectAnalyzer.GetInstance(flow.OutSet).GetClass(ObjectName);
var fields = nativeClass.Fields;
var thisVariable = flow.OutSet.GetVariable(new VariableIdentifier("this"));
List <Value> inputValues = new List <Value>();
foreach (var argument in getArguments(flow))
{
inputValues.AddRange(argument.PossibleValues);
}
MethodIdentifier methodIdentifier = new MethodIdentifier(ObjectName, Method.Name.Name);
if (NativeObjectAnalyzer.ReportingFunctions.ContainsKey(methodIdentifier))
{
foreach (var flag in NativeObjectAnalyzer.ReportingFunctions[methodIdentifier])
{
if (FlagsHandler.IsDirty(inputValues, flag))
{
AnalysisWarningHandler.SetWarning(flow.OutSet, new AnalysisSecurityWarning(NativeAnalyzerUtils.GetCallerScript(flow.OutSet), flow.CurrentPartial, flow.CurrentProgramPoint, flag, methodIdentifier.Name.ToString()));
break;
}
}
}
foreach (FieldInfo field in fields.Values)
{
if (field.IsStatic == false)
{
MemoryEntry fieldValues = NativeAnalyzerUtils.ResolveReturnValue(field.Type, flow);
fieldValues = new MemoryEntry(FlagsHandler.CopyFlags(inputValues, fieldValues.PossibleValues));
var fieldEntry = thisVariable.ReadField(flow.OutSet.Snapshot, new VariableIdentifier(field.Name.Value));
fieldEntry.WriteMemory(flow.OutSet.Snapshot, fieldValues);
}
}
}
public static void IsDirty(IEnumerable <Value> values)
{
Debug.Assert(FlagsHandler.IsDirty(values, FlagType.SQLDirty) && FlagsHandler.IsDirty(values, FlagType.HTMLDirty) && FlagsHandler.IsDirty(values, FlagType.FilePathDirty));
}
/// <summary>
/// Is called after each include/require/include_once/require_once expression (can be resolved according to flow.CurrentPartial)
/// </summary>
/// <param name="flow">Flow controller where include extensions can be stored</param>
/// <param name="includeFile">File argument of include statement</param>
public override void Include(FlowController flow, MemoryEntry includeFile)
{
if (FlagsHandler.IsDirty(includeFile.PossibleValues, FlagType.FilePathDirty))
{
AnalysisWarningHandler.SetWarning(flow.OutSet, new AnalysisSecurityWarning(flow.CurrentScript.FullName, flow.CurrentPartial, flow.CurrentProgramPoint, FlagType.FilePathDirty, ""));
}
bool isAlwaysConcrete = true;
//extend current program point as Include
List <string> files = FunctionResolver.GetFunctionNames(includeFile, flow, out isAlwaysConcrete);
if (isAlwaysConcrete == false)
{
AnalysisWarningHandler.SetWarning(flow.OutSet, new AnalysisWarning(flow.CurrentScript.FullName, "Couldn't resolve all possible includes", flow.CurrentPartial, flow.CurrentProgramPoint, AnalysisWarningCause.COULDNT_RESOLVE_ALL_INCLUDES));
}
IncludingEx includeExpression = flow.CurrentPartial as IncludingEx;
foreach (var branchKey in flow.ExtensionKeys)
{
if (!files.Remove(branchKey as string))
{
//this include is now not resolved as possible include branch
flow.RemoveExtension(branchKey);
}
}
int numberOfWarnings = 0;
var includedFiles = flow.OutSet.GetControlVariable(new VariableName(".includedFiles")).ReadMemory(flow.OutSet.Snapshot);
foreach (var file in files)
{
var fileInfo = findFile(flow, file);
if (fileInfo == null)
{
AnalysisWarningHandler.SetWarning(flow.OutSet, new AnalysisWarning(flow.CurrentScript.FullName, "The file " + file + " to be included not found", flow.CurrentProgramPoint.Partial, flow.CurrentProgramPoint, AnalysisWarningCause.FILE_TO_BE_INCLUDED_NOT_FOUND));
numberOfWarnings++;
continue;
}
string fileName = fileInfo.FullName;
// Handling include_once, require_once
var varIncluded = flow.OutSet.GetControlVariable(new VariableName(fileName));
if (includeExpression.InclusionType == InclusionTypes.IncludeOnce || includeExpression.InclusionType == InclusionTypes.RequireOnce)
{
var includedInfo = varIncluded.ReadMemory(flow.OutSet.Snapshot);
if (includedInfo != null)
{
var includeType = (includeExpression.InclusionType == InclusionTypes.IncludeOnce) ? "include_once" : "require_once";
if (includedInfo.PossibleValues.Count() > 1)
{
//TODO: report or not?
//AnalysisWarningHandler.SetWarning (flow.OutSet, new AnalysisWarning (flow.CurrentScript.FullName, includeType + " is called more times in some program paths with the file " + fileName, flow.CurrentProgramPoint.Partial, flow.CurrentProgramPoint, AnalysisWarningCause.INCLUDE_REQUIRE_ONCE_CALLED_MORE_TIMES_WITH_SAME_FILE));
// TODO: include the file or not??
continue;
}
else
{
if (!(includedInfo.PossibleValues.First() is UndefinedValue))
{
//TODO: report or not?
//AnalysisWarningHandler.SetWarning (flow.OutSet, new AnalysisWarning (flow.CurrentScript.FullName, includeType + " is called more times with the file " + fileName, flow.CurrentProgramPoint.Partial, flow.CurrentProgramPoint, AnalysisWarningCause.INCLUDE_REQUIRE_ONCE_CALLED_MORE_TIMES_WITH_SAME_FILE));
continue;
}
}
}
}
// Avoid recursive includes
// the file was never included
int numberOfIncludes = -1;
// TODO: optimization - avoid iterating all included files
// - make .includedFiles associative array with names of functions as indexes
foreach (InfoValue <NumberOfCalls <string> > includeInfo in includedFiles.PossibleValues.Where(a => (a is InfoValue <NumberOfCalls <string> >)))
{
if (includeInfo.Data.Callee == fileName)
{
numberOfIncludes = Math.Max(numberOfIncludes, includeInfo.Data.TimesCalled);
}
}
if (numberOfIncludes >= 0)
{
if (numberOfIncludes > 2 || sharedFiles.Contains(fileName))
{
if (sharedFiles.Contains(fileName))
{
//set graph sharing for this function
if (!sharedProgramPoints.ContainsKey(fileName))
{
try
{
//create single graph instance
sharedProgramPoints[fileName] = ProgramPointGraph.FromSource(ControlFlowGraph.ControlFlowGraph.FromFile(fileInfo));
}
catch (ControlFlowGraph.ControlFlowException)
{
numberOfWarnings++;
AnalysisWarningHandler.SetWarning(flow.OutSet, new AnalysisWarning(flow.CurrentScript.FullName, "Control flow graph creation error", flow.CurrentPartial, flow.CurrentProgramPoint, AnalysisWarningCause.CFG_EXCEPTION_IN_INCLUDE_OR_EVAL));
}
catch (Parsers.ParserException)
{
numberOfWarnings++;
AnalysisWarningHandler.SetWarning(flow.OutSet, new AnalysisWarning(flow.CurrentScript.FullName, "Parser error", flow.CurrentPartial, flow.CurrentProgramPoint, AnalysisWarningCause.PARSER_EXCEPTION_IN_INCLUDE_OR_EVAL));
}
}
//get shared instance of program point graph
flow.AddExtension(fileName, sharedProgramPoints[fileName], ExtensionType.ParallelInclude);
continue;
}
else
{
sharedFiles.Add(fileName);
}
}
}
try
{
// Write information about inclusion of the file
varIncluded.WriteMemory(flow.OutSet.Snapshot, new MemoryEntry(flow.OutSet.Snapshot.CreateBool(true)));
//Create graph for every include - NOTE: we can share pp graphs
var cfg = ControlFlowGraph.ControlFlowGraph.FromFile(fileInfo);
var ppGraph = ProgramPointGraph.FromSource(cfg);
flow.AddExtension(fileName, ppGraph, ExtensionType.ParallelInclude);
}
catch (ControlFlowGraph.ControlFlowException)
{
numberOfWarnings++;
AnalysisWarningHandler.SetWarning(flow.OutSet, new AnalysisWarning(flow.CurrentScript.FullName, "Control flow graph creation error", flow.CurrentPartial, flow.CurrentProgramPoint, AnalysisWarningCause.CFG_EXCEPTION_IN_INCLUDE_OR_EVAL));
}
catch (Parsers.ParserException)
{
numberOfWarnings++;
AnalysisWarningHandler.SetWarning(flow.OutSet, new AnalysisWarning(flow.CurrentScript.FullName, "Parser error", flow.CurrentPartial, flow.CurrentProgramPoint, AnalysisWarningCause.PARSER_EXCEPTION_IN_INCLUDE_OR_EVAL));
}
}
if (numberOfWarnings > 0 && (includeExpression.InclusionType == InclusionTypes.Require || includeExpression.InclusionType == InclusionTypes.RequireOnce))
{
if (numberOfWarnings == files.Count && isAlwaysConcrete == true)
{
fatalError(flow, true);
}
else
{
fatalError(flow, false);
}
}
}
/// <summary>
/// Models a called method.
/// </summary>
/// <param name="flow"></param>
public void Analyze(FlowController flow)
{
if (NativeAnalyzerUtils.checkArgumentsCount(flow, Method))
{
NativeAnalyzerUtils.checkArgumentTypes(flow, Method);
}
MethodIdentifier methodIdentifier = new MethodIdentifier(ObjectName, Method.Name.Name);
var nativeClass = NativeObjectAnalyzer.GetInstance(flow.OutSet).GetClass(ObjectName);
var fields = nativeClass.Fields;
var functionResult = NativeAnalyzerUtils.ResolveReturnValue(Method.ReturnType, flow);
var arguments = getArguments(flow);
var thisVariable = flow.OutSet.GetVariable(new VariableIdentifier("this"));
List <Value> inputValues = new List <Value>();
bool isStaticCall = false;
if (thisVariable.ReadMemory(flow.OutSet.Snapshot).PossibleValues.Count() == 1 && thisVariable.ReadMemory(flow.OutSet.Snapshot).PossibleValues.First() is UndefinedValue)
{
isStaticCall = true;
var fieldsEntries = new List <MemoryEntry>();
foreach (FieldInfo field in fields.Values)
{
var fieldEntry = thisVariable.ReadField(flow.OutSet.Snapshot, new VariableIdentifier(field.Name.Value));
fieldsEntries.Add(fieldEntry.ReadMemory(flow.OutSet.Snapshot));
inputValues.AddRange(fieldEntry.ReadMemory(flow.OutSet.Snapshot).PossibleValues);
}
fieldsEntries.AddRange(arguments);
foreach (FieldInfo field in fields.Values)
{
var fieldEntry = thisVariable.ReadField(flow.OutSet.Snapshot, new VariableIdentifier(field.Name.Value));
MemoryEntry newfieldValues = NativeAnalyzerUtils.ResolveReturnValue(field.Type, flow);
newfieldValues = new MemoryEntry(FlagsHandler.CopyFlags(inputValues, newfieldValues.PossibleValues));
HashSet <Value> newValues = new HashSet <Value>((fieldEntry.ReadMemory(flow.OutSet.Snapshot)).PossibleValues);
foreach (var newValue in newfieldValues.PossibleValues)
{
newValues.Add(newValue);
}
thisVariable.ReadField(flow.OutSet.Snapshot, new VariableIdentifier(field.Name.Value)).WriteMemory(flow.OutSet.Snapshot, new MemoryEntry(newValues));
}
}
foreach (var argument in arguments)
{
inputValues.AddRange(argument.PossibleValues);
}
if (NativeObjectAnalyzer.ReportingFunctions.ContainsKey(methodIdentifier))
{
foreach (var flag in NativeObjectAnalyzer.ReportingFunctions[methodIdentifier])
{
if (FlagsHandler.IsDirty(inputValues, flag))
{
AnalysisWarningHandler.SetWarning(flow.OutSet, new AnalysisSecurityWarning(NativeAnalyzerUtils.GetCallerScript(flow.OutSet), flow.CurrentPartial, flow.CurrentProgramPoint, flag, methodIdentifier.Name.ToString()));
break;
}
}
}
if (isStaticCall == true)
{
thisVariable.WriteMemory(flow.OutSet.Snapshot, new MemoryEntry(FlagsHandler.CopyFlags(inputValues, thisVariable.ReadMemory(flow.OutSet.Snapshot).PossibleValues)));
}
functionResult = new MemoryEntry(FlagsHandler.CopyFlags(inputValues, functionResult.PossibleValues));
if (NativeObjectAnalyzer.CleaningFunctions.ContainsKey(methodIdentifier))
{
foreach (var flag in NativeObjectAnalyzer.CleaningFunctions[methodIdentifier])
{
functionResult = new MemoryEntry(FlagsHandler.Clean(functionResult.PossibleValues, flag));
}
}
flow.OutSet.GetLocalControlVariable(SnapshotBase.ReturnValue).WriteMemory(flow.OutSet.Snapshot, functionResult);
var assigned_aliases = NativeAnalyzerUtils.ResolveAliasArguments(flow, inputValues, (new NativeFunction[1] {
Method
}).ToList());
}