private void ParseAndAnalyze(string php, IVulnerabilityStorage storage)
{
FunctionsHandler fh = new FunctionsHandler(Config.FuncSpecSettings);
fh.LoadJsonSpecifications();
var extractedFuncs = PHPParseUtils.ParseAndIterate <ClassAndFunctionExtractor>(php, Config.PHPSettings.PHPParserPath).Functions;
fh.CustomFunctions.AddRange(extractedFuncs);
var cfg = PHPParseUtils.ParseAndIterate <CFGCreator>(php, Config.PHPSettings.PHPParserPath).Graph;
var incResolver = new IncludeResolver(new List <File>());
var fileStack = new Stack <File>();
fileStack.Push(new File()
{
FullPath = @"C:\TestFile.txt"
});
var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.File, incResolver, fileStack, fh);
var funcMock = new Mock <Func <ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> >();
var blockAnalyzer = new TaintBlockAnalyzer(storage, incResolver,
AnalysisScope.File, funcMock.Object, new AnalysisStacks(fileStack), new FunctionAndMethodAnalyzerFactory(), fh);
var immutableInitialTaint = new DefaultTaintProvider().GetTaint();
var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, immutableInitialTaint);
var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
taintAnalysis.Analyze(cfg);
}
public FunctionAndMethodAnalyzer Create(ImmutableVariableStorage variableStorage, IIncludeResolver incResolver,
AnalysisStacks stacks, CustomFunctionHandler customFuncHandler,
IVulnerabilityStorage vulnerabilityStorage, FunctionsHandler fh)
{
return(new FunctionAndMethodAnalyzer(variableStorage, incResolver, stacks, customFuncHandler, vulnerabilityStorage, fh)
{
UseSummaries = this.UseSummaries
});
}
public FunctionAndMethodAnalyzer Create(ImmutableVariableStorage variableStorage, IIncludeResolver incResolver,
AnalysisStacks stacks, CustomFunctionHandler customFuncHandler,
IVulnerabilityStorage vulnerabilityStorage)
{
return new FunctionAndMethodAnalyzer(variableStorage, incResolver, stacks, customFuncHandler, vulnerabilityStorage)
{
UseSummaries = this.UseSummaries
};
}
public FunctionAndMethodAnalyzer(ImmutableVariableStorage variableStorage, IIncludeResolver incResolver,
AnalysisStacks stacks, CustomFunctionHandler customFuncHandler,
IVulnerabilityStorage vulnerabilityStorage, FunctionsHandler fh)
{
this._varStorage = variableStorage;
this._incResolver = incResolver;
this._stacks = stacks;
this._customFunctionHandler = customFuncHandler;
this._vulnerabilityStorage = vulnerabilityStorage;
this._funcHandler = fh;
}
private ExpressionInfo HandleOptionsCall(FunctionCall call, XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage,
IVulnerabilityStorage storage, IDictionary <uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
{
if (_getOptionsFunctions.Contains(call.Name))
{
return(HandleGetOptions(call, argumentInfos, exprInfo));
}
else if (_updateOptionFunctions.Contains(call.Name) ||
_addOptionFunctions.Contains(call.Name))
{
return(HandleUpdateAddOptions(call, exprInfo, storage, argumentInfos, analysisStacks));
}
return(exprInfo);
}
public ExpressionInfo AnalyzeFunctionCall(XmlNode node, ExpressionInfo exprInfo, IVariableStorage varStorage,
IVulnerabilityStorage vulnStorage, IDictionary<uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
{
var funcCall = new FunctionCallExtractor().ExtractFunctionCall(node);
if (_getOptionsFunctions.Contains(funcCall.Name) ||
_addOptionFunctions.Contains(funcCall.Name) ||
_updateOptionFunctions.Contains(funcCall.Name))
{
return HandleOptionsCall(funcCall, node, exprInfo, varStorage, vulnStorage, argumentInfos, analysisStacks);
}
else if (_hookFunctions.Contains(funcCall.Name))
{
return HandleHookCall(node, exprInfo, varStorage, analysisStacks);
}
return exprInfo;
}
/// <summary>
/// Analyses a custom function in for security issues, with the currenctly known taint for actual parameters.
/// </summary>
/// <returns>A TainSets for the custom function that is being analyzed</returns>
/// <param name="customFunction">Custom function object to perform the analysis on</param>
/// <param name="varStorage">The currently known variable storage (this is to included because of superglobals, globals etc.)</param>
/// <param name="paramActualVals">Parameter actual values</param>
/// <param name="resolver">File inclusion resolver</param>
/// <param name="includeStack">Currently known includes</param>
/// <param name="functionCalls">Currently known function calls</param>
internal ExpressionInfo AnalyseCustomFunction(Function customFunction, ImmutableVariableStorage varStorage, IVulnerabilityStorage vulnerabilityStorage,
IList<ExpressionInfo> paramActualVals, IIncludeResolver resolver, AnalysisStacks stacks)
{
var stmts = customFunction.AstNode.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Stmts).FirstChild;
var traverser = new XmlTraverser();
var cfgcreator = new CFGCreator();
traverser.AddVisitor(cfgcreator);
traverser.Traverse(stmts);
var cfgPruner = new CFGPruner();
cfgPruner.Prune(cfgcreator.Graph);
var initialTaint = varStorage.ToMutable();
initialTaint.SuperGlobals.Clear();
initialTaint.SuperGlobals.AddRange(varStorage.SuperGlobals);
initialTaint.LocalVariables.Clear();
initialTaint.LocalAccessibleGlobals.Clear();
for(int i = 1; i <= paramActualVals.Count; i++)
{
var paramFormal = customFunction.Parameters.FirstOrDefault(x => x.Key.Item1 == i);
if (paramFormal.Value == null)
{
continue;
}
var @var = new Variable(paramFormal.Value.Name, VariableScope.Function) {Info = paramActualVals[i - 1].ValueInfo};
initialTaint.LocalVariables.Add(paramFormal.Value.Name, @var);
}
var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, resolver, AnalysisScope.Function, fileAnalyzer, stacks, subroutineAnalyzerFactory);
blockAnalyzer.AnalysisExtensions.AddRange(AnalysisExtensions);
var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.Function, resolver, stacks.IncludeStack);
var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, ImmutableVariableStorage.CreateFromMutable(initialTaint));
//var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(cfgcreator.Graph));
taintAnalysis.Analyze(cfgcreator.Graph);
var exprInfoAll = new ExpressionInfo();
foreach (ExpressionInfo exprInfo in blockAnalyzer.ReturnInfos)
{
exprInfoAll = exprInfoAll.Merge(exprInfo);
}
return exprInfoAll;
}
public ExpressionInfo AnalyzeFunctionCall(XmlNode node, ExpressionInfo exprInfo, IVariableStorage varStorage,
IVulnerabilityStorage vulnStorage, IDictionary <uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
{
var funcCall = new FunctionCallExtractor().ExtractFunctionCall(node);
if (_getOptionsFunctions.Contains(funcCall.Name) ||
_addOptionFunctions.Contains(funcCall.Name) ||
_updateOptionFunctions.Contains(funcCall.Name))
{
return(HandleOptionsCall(funcCall, node, exprInfo, varStorage, vulnStorage, argumentInfos, analysisStacks));
}
else if (_hookFunctions.Contains(funcCall.Name))
{
return(HandleHookCall(node, exprInfo, varStorage, analysisStacks));
}
return(exprInfo);
}
public TaintBlockAnalyzer(IVulnerabilityStorage vulnerabilityStorage, IIncludeResolver inclusionResolver, AnalysisScope scope,
Func<ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> analyzeTaint,
AnalysisStacks stacks, FunctionAndMethodAnalyzerFactory subroutineAnalyzerFactory)
: this()
{
Preconditions.NotNull(vulnerabilityStorage, "vulnerabilityStorage");
Preconditions.NotNull(inclusionResolver, "inclusionResolver");
Preconditions.NotNull(analyzeTaint, "analyzeTaint");
Preconditions.NotNull(stacks, "stacks");
Preconditions.NotNull(subroutineAnalyzerFactory, "subroutineAnalyzerFactory");
this._vulnerabilityStorage = vulnerabilityStorage;
this._inclusionResolver = inclusionResolver;
this._analyzer = analyzeTaint;
this._analysisScope = scope;
this.ReturnInfos = new List<ExpressionInfo>();
this._analysisStacks = stacks;
this._subroutineAnalyzerFactory = subroutineAnalyzerFactory;
}
private void ParseAndAnalyze(string php, IVulnerabilityStorage storage)
{
var extractedFuncs = PHPParseUtils.ParseAndIterate<ClassAndFunctionExtractor>(php, Config.PHPSettings.PHPParserPath).Functions;
FunctionsHandler.Instance.CustomFunctions.AddRange(extractedFuncs);
var cfg = PHPParseUtils.ParseAndIterate<CFGCreator>(php, Config.PHPSettings.PHPParserPath).Graph;
var incResolver = new IncludeResolver(new List<File>());
var fileStack = new Stack<File>();
fileStack.Push(new File() { FullPath = @"C:\TestFile.txt" });
var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.File, incResolver, fileStack);
var funcMock = new Mock<Func<ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage>>();
var blockAnalyzer = new TaintBlockAnalyzer(storage, incResolver, AnalysisScope.File, funcMock.Object, new AnalysisStacks(fileStack), new FunctionAndMethodAnalyzerFactory());
var immutableInitialTaint = new DefaultTaintProvider().GetTaint();
var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, immutableInitialTaint);
var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
taintAnalysis.Analyze(cfg);
}
public ExpressionInfo Analyze(XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage, IVulnerabilityStorage storage)
{
return exprInfo;
}
private ExpressionInfo HandleUpdateAddOptions(FunctionCall call, ExpressionInfo exprInfo, IVulnerabilityStorage storage,
IDictionary<uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
{
XmlNode firstArgument;
XmlNode secondArgument;
string optionKeyValue;
if (call.Arguments.TryGetValue(1, out firstArgument) &&
call.Arguments.TryGetValue(2, out secondArgument) &&
TryGetOptionKeyValue(firstArgument, argumentInfos[1], out optionKeyValue))
{
foreach (var sqliTaintSet in argumentInfos.ElementAt(1).Value.ExpressionTaint.SqliTaint)
{
if (sqliTaintSet.TaintTag == SQLITaint.None)
{
continue;
}
string varName = (sqliTaintSet.InitialTaintedVariable ?? "???");
string message = "Stored SQLI found - Ingoing: " + varName +
" on line: " + call.StartLine + " in file: " + analysisStacks.IncludeStack.Peek();
storage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
{
IncludeStack = analysisStacks.IncludeStack.ToImmutableStack(),
CallStack = analysisStacks.CallStack.ToImmutableStack(),
Message = message,
VulnerabilityType = VulnType.SQL,
PossibleStoredVuln = new StoredVulnInfo()
{
ICantFeelIt = IsItInYet.YesItsGoingIn,
StorageName = optionKeyValue,
StorageOrigin = "Options",
Taint = new TaintSets(sqliTaintSet, new XSSTaintSet())
}
});
}
foreach (var xssTaintSet in argumentInfos.ElementAt(1).Value.ExpressionTaint.XssTaint)
{
if (xssTaintSet.TaintTag == XSSTaint.None)
{
continue;
}
string varName = (xssTaintSet.InitialTaintedVariable ?? "???");
string message = "Stored XSS found - Ingoing: " + varName +
" on line: " + call.StartLine + " in file: " + analysisStacks.IncludeStack.Peek();
storage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
{
IncludeStack = analysisStacks.IncludeStack.ToImmutableStack(),
CallStack = analysisStacks.CallStack.ToImmutableStack(),
Message = message,
VulnerabilityType = VulnType.XSS,
PossibleStoredVuln = new StoredVulnInfo()
{
ICantFeelIt = IsItInYet.YesItsGoingIn,
StorageName = optionKeyValue,
StorageOrigin = "Options",
Taint = new TaintSets(new SQLITaintSet(), xssTaintSet)
}
});
}
}
return exprInfo;
}
private ExpressionInfo HandleOptionsCall(FunctionCall call, XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage,
IVulnerabilityStorage storage, IDictionary<uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
{
if (_getOptionsFunctions.Contains(call.Name))
{
return HandleGetOptions(call, argumentInfos, exprInfo);
}
else if (_updateOptionFunctions.Contains(call.Name) ||
_addOptionFunctions.Contains(call.Name))
{
return HandleUpdateAddOptions(call, exprInfo, storage, argumentInfos, analysisStacks);
}
return exprInfo;
}
/// <summary>
/// Analyses a custom function in for security issues, with the currenctly known taint for actual parameters.
/// </summary>
/// <returns>A TainSets for the custom function that is being analyzed</returns>
/// <param name="customFunction">Custom function object to perform the analysis on</param>
/// <param name="varStorage">The currently known variable storage (this is to included because of superglobals, globals etc.)</param>
/// <param name="paramActualVals">Parameter actual values</param>
/// <param name="resolver">File inclusion resolver</param>
/// <param name="includeStack">Currently known includes</param>
/// <param name="functionCalls">Currently known function calls</param>
internal ExpressionInfo AnalyseCustomFunction(Function customFunction, ImmutableVariableStorage varStorage, IVulnerabilityStorage vulnerabilityStorage,
IList <ExpressionInfo> paramActualVals, IIncludeResolver resolver, AnalysisStacks stacks)
{
var stmts = customFunction.AstNode.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Stmts).FirstChild;
var traverser = new XmlTraverser();
var cfgcreator = new CFGCreator();
traverser.AddVisitor(cfgcreator);
traverser.Traverse(stmts);
var cfgPruner = new CFGPruner();
cfgPruner.Prune(cfgcreator.Graph);
var initialTaint = varStorage.ToMutable();
initialTaint.SuperGlobals.Clear();
initialTaint.SuperGlobals.AddRange(varStorage.SuperGlobals);
initialTaint.LocalVariables.Clear();
initialTaint.LocalAccessibleGlobals.Clear();
for (int i = 1; i <= paramActualVals.Count; i++)
{
var paramFormal = customFunction.Parameters.FirstOrDefault(x => x.Key.Item1 == i);
if (paramFormal.Value == null)
{
continue;
}
var @var = new Variable(paramFormal.Value.Name, VariableScope.Function)
{
Info = paramActualVals[i - 1].ValueInfo
};
initialTaint.LocalVariables.Add(paramFormal.Value.Name, @var);
}
var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, resolver, AnalysisScope.Function, fileAnalyzer, stacks, subroutineAnalyzerFactory, _funcHandler);
blockAnalyzer.AnalysisExtensions.AddRange(AnalysisExtensions);
var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.Function, resolver, stacks.IncludeStack, _funcHandler);
var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, ImmutableVariableStorage.CreateFromMutable(initialTaint));
//var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(cfgcreator.Graph));
taintAnalysis.Analyze(cfgcreator.Graph);
var exprInfoAll = new ExpressionInfo();
foreach (ExpressionInfo exprInfo in blockAnalyzer.ReturnInfos)
{
exprInfoAll = exprInfoAll.Merge(exprInfo);
}
return(exprInfoAll);
}
public ExpressionInfo Analyze(XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage, IVulnerabilityStorage storage)
{
return(exprInfo);
}
private ExpressionInfo HandleUpdateAddOptions(FunctionCall call, ExpressionInfo exprInfo, IVulnerabilityStorage storage,
IDictionary <uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
{
XmlNode firstArgument;
XmlNode secondArgument;
string optionKeyValue;
if (call.Arguments.TryGetValue(1, out firstArgument) &&
call.Arguments.TryGetValue(2, out secondArgument) &&
TryGetOptionKeyValue(firstArgument, argumentInfos[1], out optionKeyValue))
{
foreach (var sqliTaintSet in argumentInfos.ElementAt(1).Value.ExpressionTaint.SqliTaint)
{
if (sqliTaintSet.TaintTag == SQLITaint.None)
{
continue;
}
string varName = (sqliTaintSet.InitialTaintedVariable ?? "???");
string message = "Stored SQLI found - Ingoing: " + varName +
" on line: " + call.StartLine + " in file: " + analysisStacks.IncludeStack.Peek();
storage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
{
IncludeStack = analysisStacks.IncludeStack.ToImmutableStack(),
CallStack = analysisStacks.CallStack.ToImmutableStack(),
Message = message,
VulnerabilityType = VulnType.SQL,
PossibleStoredVuln = new StoredVulnInfo()
{
ICantFeelIt = IsItInYet.YesItsGoingIn,
StorageName = optionKeyValue,
StorageOrigin = "Options",
Taint = new TaintSets(sqliTaintSet, new XSSTaintSet())
}
});
}
foreach (var xssTaintSet in argumentInfos.ElementAt(1).Value.ExpressionTaint.XssTaint)
{
if (xssTaintSet.TaintTag == XSSTaint.None)
{
continue;
}
string varName = (xssTaintSet.InitialTaintedVariable ?? "???");
string message = "Stored XSS found - Ingoing: " + varName +
" on line: " + call.StartLine + " in file: " + analysisStacks.IncludeStack.Peek();
storage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
{
IncludeStack = analysisStacks.IncludeStack.ToImmutableStack(),
CallStack = analysisStacks.CallStack.ToImmutableStack(),
Message = message,
VulnerabilityType = VulnType.XSS,
PossibleStoredVuln = new StoredVulnInfo()
{
ICantFeelIt = IsItInYet.YesItsGoingIn,
StorageName = optionKeyValue,
StorageOrigin = "Options",
Taint = new TaintSets(new SQLITaintSet(), xssTaintSet)
}
});
}
}
return(exprInfo);
}