internal static void Run(SyntaxNodeAnalysisContext context, ExpressionSyntax token) { //Check String string id = token.ToFullString(); if (string.IsNullOrWhiteSpace(id)) { return; } //Check BlockSyntax BlockSyntax method = context.Node.FirstAncestorOrSelf <BlockSyntax>(); if (method == null) { return; } try { //Check InvocationExpression case if (token.IsKind(SyntaxKind.InvocationExpression)) { var nodes = method.DescendantNodes(); string s = string.Empty; foreach (SyntaxNode n in nodes) { //Check ExpressionStatement case and have Contains("Appand("). , Build String if (n.IsKind(SyntaxKind.ExpressionStatement) && id.Contains(n.GetFirstToken().Text) && n.ToFullString().Contains("Append(")) { string rm = n.GetFirstToken().Text + ".Append("; s += n.GetText().ToString().Replace(rm, "").Replace(@""")", "").Replace("\r\n", "").Replace(";", "") + " "; s = s.Replace(" \"", string.Empty); } } //Send to class Helper and Report error s = Helper.BuildSqlStringFromIdString(context, s); List <string> errorlist = SqlParser.Parse(s); string errorlistText = String.Join("\r\n", errorlist); var diagnostic2 = Diagnostic.Create(Rule, context.Node.GetLocation(), errorlistText); context.ReportDiagnostic(diagnostic2); return; } //DescendantTokens where SyntaxToken t = method.DescendantTokens().Where <SyntaxToken>(tk => tk.ValueText != null && tk.IsKind(SyntaxKind.IdentifierToken) && tk.ValueText == id).First <SyntaxToken>(); if (string.IsNullOrWhiteSpace(t.ValueText)) { return; } sql = t.GetNextToken().GetNextToken().Value.ToString(); if (sql != null) { AzureML(sql); SendData(getJson); while (getResult == "") { } Deserialize(getResult); getResult = ""; } if (string.IsNullOrWhiteSpace(sql)) { return; } List <string> errors = SqlParser.Parse(sql); if (errors.Count == 0) { //Check BinaryExpression case var binaryExpressions = method.DescendantNodesAndSelf().OfType <BinaryExpressionSyntax>().First <BinaryExpressionSyntax>(); if (binaryExpressions != null) { //Send to class BinaryExpressionDiagnostic BinaryExpressionDiagnostic.Run(context, binaryExpressions); return; } return; } //Report error string errorText = String.Join("\r\n", errors); var diagnostic = Diagnostic.Create(Rule, t.GetNextToken().GetNextToken().GetLocation(), errorText); context.ReportDiagnostic(diagnostic); } catch (Exception ex) { System.Diagnostics.Debug.WriteLine("don't handle syntax yet: " + ex.Message); } //Report warning union query injection if (reportWarningUnionquery != "0") { Diagnostics.UnionQueryExpression.Run(context, t); } //Report warning illegal query injection if (reportWarningIllegalquery != "0") { Diagnostics.IllegalExpression.Run(context, t); } //Report warning piggybacked query injection if (reportWarningPiggybackedquery != "0") { Diagnostics.PiggyBackedExpression.Run(context, t); } }
internal static void Run(SyntaxNodeAnalysisContext context, ExpressionSyntax token) { string id = token.ToFullString(); if (string.IsNullOrWhiteSpace(id)) { return; } BlockSyntax method = context.Node.FirstAncestorOrSelf <BlockSyntax>(); if (method == null) { return; } try { if (token.IsKind(SyntaxKind.InvocationExpression)) { var nodes = method.DescendantNodes(); string s = string.Empty; foreach (SyntaxNode n in nodes) { if (n.IsKind(SyntaxKind.ExpressionStatement) && id.Contains(n.GetFirstToken().Text) && n.ToFullString().Contains("Append(")) { string rm = n.GetFirstToken().Text + ".Append("; s += n.GetText().ToString().Replace(rm, "").Replace(@""")", "").Replace("\r\n", "").Replace(";", "") + " "; s = s.Replace(" \"", string.Empty); } } s = Helper.BuildSqlStringFromIdString(context, s); List <string> errorlist = SqlParser.Parse(s); string errorlistText = String.Join("\r\n", errorlist); var diagnostic2 = Diagnostic.Create(RuleParam, context.Node.GetLocation(), errorlistText); context.ReportDiagnostic(diagnostic2); return; } var t = method.DescendantTokens().Where <SyntaxToken>(tk => tk.ValueText != null && tk.IsKind(SyntaxKind.IdentifierToken) && tk.ValueText == id).First <SyntaxToken>(); if (string.IsNullOrWhiteSpace(t.ValueText)) { return; } string sql = t.GetNextToken().GetNextToken().Value.ToString(); if (string.IsNullOrWhiteSpace(sql)) { return; } List <string> errors = SqlParser.Parse(sql); if (errors.Count == 0) { var binaryExpressions = method.DescendantNodesAndSelf().OfType <BinaryExpressionSyntax>().First <BinaryExpressionSyntax>(); if (binaryExpressions != null) { BinaryExpressionDiagnostic.Run(context, binaryExpressions); return; } return; } string errorText = String.Join("\r\n", errors); var diagnostic = Diagnostic.Create(RuleParam, t.GetNextToken().GetNextToken().GetLocation(), errorText); context.ReportDiagnostic(diagnostic); } catch (Exception ex) { System.Diagnostics.Debug.WriteLine("don't handle syntax yet: " + ex.Message); } }