Inheritance: ITaintProvider
Esempio n. 1
0
        public ImmutableVariableStorage GetTaint()
        {
            var defaultTaint = new DefaultTaintProvider().GetTaint();

            var variableStorage = defaultTaint.ToMutable();

            foreach (var superGlobal in variableStorage.SuperGlobals)
            {
                foreach (var var in superGlobal.Value.Info.Variables)
                {
                    var newTaint = var.Value.Info.Taints.DeepClone();
                    if (newTaint.SqliTaint.Single().TaintTag > SQLITaint.SQL_NoQ)
                    {
                        newTaint.SqliTaint.Clear();
                        newTaint.SqliTaint.Add(new SQLITaintSet( SQLITaint.SQL_NoQ));
                    }

                    var.Value.Info.Taints = newTaint;
                    var.Value.Info.DefaultDimensionTaintFactory = () =>
                        new TaintSets(new SQLITaintSet(SQLITaint.SQL_NoQ), new XSSTaintSet(XSSTaint.XSS_ALL));
                    var.Value.Info.NestedVariableDefaultTaintFactory = var.Value.Info.DefaultDimensionTaintFactory;
                }
            }

            var wpdbGlobal = new Variable("wpdb", VariableScope.File);
            var prefixVar = new Variable("prefix", VariableScope.Instance) { Info = { Value = "Eir_" } };
            wpdbGlobal.Info.Variables.Add(new VariableTreeDimension() { Key = "prefix" }, prefixVar);
            wpdbGlobal.Info.ClassNames.Add("wpdb");

            variableStorage.GlobalVariables.Add("wpdb", wpdbGlobal);

            return ImmutableVariableStorage.CreateFromMutable(variableStorage);
        }
Esempio n. 2
0
        private void ParseAndAnalyze(string php, IVulnerabilityStorage storage)
        {
            var extractedFuncs = PHPParseUtils.ParseAndIterate<ClassAndFunctionExtractor>(php, Config.PHPSettings.PHPParserPath).Functions;
            FunctionsHandler.Instance.CustomFunctions.AddRange(extractedFuncs);

            var cfg = PHPParseUtils.ParseAndIterate<CFGCreator>(php, Config.PHPSettings.PHPParserPath).Graph;

            var incResolver = new IncludeResolver(new List<File>());
            var fileStack = new Stack<File>();
            fileStack.Push(new File() { FullPath = @"C:\TestFile.txt" });
            var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.File, incResolver, fileStack);

            var funcMock = new Mock<Func<ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage>>();
            var blockAnalyzer = new TaintBlockAnalyzer(storage, incResolver, AnalysisScope.File, funcMock.Object, new AnalysisStacks(fileStack), new FunctionAndMethodAnalyzerFactory());
            var immutableInitialTaint = new DefaultTaintProvider().GetTaint();
            var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, immutableInitialTaint);
            var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
            taintAnalysis.Analyze(cfg);
        }
Esempio n. 3
0
        private static void ScanUnscannedSubroutines(List<File> filesCollection, Func<ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> fileTaintAnalyzer, FunctionAndMethodAnalyzerFactory subroutineAnalyzerFactory, ReportingVulnerabilityStorage vulnerabilityStorage)
        {
            var defaultTaint = new DefaultTaintProvider().GetTaint();

            foreach (var file in filesCollection)
            {
                var analysisStacks = new AnalysisStacks(file);
                var analyser = new FunctionAndMethodAnalyzer(defaultTaint,
                    new IncludeResolver(filesCollection), analysisStacks,
                    new CustomFunctionHandler(fileTaintAnalyzer, subroutineAnalyzerFactory), vulnerabilityStorage);

                foreach (var function in file.Functions.SelectMany(f => f.Value).Except(FunctionsHandler.Instance.ScannedFunctions))
                {
                    var functionCall = new FunctionCall(function.Name, function.AstNode, 0, 0);
                    analysisStacks.CallStack.Push(functionCall);

                    analyser.AnalyzeFunctionCall(functionCall, new List<ExpressionInfo>());
                }
                foreach (var @class in file.Classes.SelectMany(c => c.Value))
                {
                    foreach (var method in @class.Methods.Except(FunctionsHandler.Instance.ScannedFunctions))
                    {
                        var methodCall = new MethodCall(method.Name, new [] { @class.Name }, method.AstNode, 0, 0);
                        analysisStacks.CallStack.Push(methodCall);

                        analyser.AnalyzeMethodCall(methodCall, new List<ExpressionInfo>());
                    }
                }
            }
        }
Esempio n. 4
0
        private void AssertNoOfVulnsInMultipleCodeFiles(Tuple<string, string>[] codeFiles, int numberOfVulns)
        {
            var vulnStorage = new Mock<IVulnerabilityStorage>();

            var parsedFiles = codeFiles.Select(code => new File(PHPParseUtils.ParsePHPCode(code.Item2, Config.PHPSettings.PHPParserPath)) 
                                                       {
                                                            FullPath = code.Item1,
                                                            CFG =  PHPParseUtils.ParseAndIterate<CFGCreator>(code.Item2, Config.PHPSettings.PHPParserPath).Graph
                                                       }).ToArray();

            Func<ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> fileTaintAnalyzer = null;
            fileTaintAnalyzer = (varStorage, inclResolver, scope, stacks) =>
            {
                Preconditions.NotNull(varStorage, "varStorage");
                Preconditions.NotNull(inclResolver, "inclResolver");
                var fileToAnalyze = stacks.IncludeStack.Peek();
                var blockAnalyzer = new TaintBlockAnalyzer(vulnStorage.Object, inclResolver, scope, fileTaintAnalyzer, stacks, new FunctionAndMethodAnalyzerFactory());
                var condAnalyser = new ConditionTaintAnalyser(scope, inclResolver, stacks.IncludeStack);
                var cfgTaintAnalysis = new PHPAnalysis.Analysis.CFG.TaintAnalysis(blockAnalyzer, condAnalyser, varStorage);
                var analyzer = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(fileToAnalyze.CFG));
                
                analyzer.Analyze(fileToAnalyze.CFG);
                return cfgTaintAnalysis.Taints[fileToAnalyze.CFG.Vertices.Single(block => block.IsLeaf)].Out[EdgeType.Normal];
            };

            foreach (var file in parsedFiles)
            {
                var inclusionResolver = new IncludeResolver(parsedFiles);
                var fileStack = new Stack<File>();
                fileStack.Push(file);
                var immutableInitialTaint = new DefaultTaintProvider().GetTaint();

                var stacks = new AnalysisStacks(fileStack);
                fileTaintAnalyzer(immutableInitialTaint, inclusionResolver, AnalysisScope.File, stacks);
            }

            vulnStorage.Verify(x => x.AddVulnerability(It.IsAny<IVulnerabilityInfo>()), Times.Exactly(numberOfVulns));
        }
Esempio n. 5
0
        private static ImmutableVariableStorage GetDefaultTaint()
        {
            var defaultTaint = new DefaultTaintProvider().GetTaint();
            if (_components.TaintProviders.Count == 1)
            {
                return _components.TaintProviders.Single().GetTaint();
            }
            if (_components.TaintProviders.Count > 1)
            {
                Console.WriteLine("Found multiple taint providers. Can't decide which one to use. Using builtin default taint.");
            }

            return defaultTaint;
        }