public static DisposeAnalysisResult TryGetOrComputeResult(
ControlFlowGraph cfg,
ISymbol owningSymbol,
WellKnownTypeProvider wellKnownTypeProvider,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
ImmutableHashSet <INamedTypeSymbol> disposeOwnershipTransferLikelyTypes,
bool trackInstanceFields,
bool exceptionPathsAnalysis,
CancellationToken cancellationToken,
out PointsToAnalysisResult pointsToAnalysisResult,
InterproceduralAnalysisKind interproceduralAnalysisKind = InterproceduralAnalysisKind.ContextSensitive,
bool performCopyAnalysisIfNotUserConfigured = false,
InterproceduralAnalysisPredicate interproceduralAnalysisPredicateOpt = null,
bool defaultDisposeOwnershipTransferAtConstructor = false)
{
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, interproceduralAnalysisKind, cancellationToken);
var disposeOwnershipTransferAtConstructor = analyzerOptions.GetDisposeOwnershipTransferAtConstructorOption(
rule, defaultValue: defaultDisposeOwnershipTransferAtConstructor, cancellationToken);
return(TryGetOrComputeResult(cfg, owningSymbol, wellKnownTypeProvider,
interproceduralAnalysisConfig, interproceduralAnalysisPredicateOpt,
disposeOwnershipTransferLikelyTypes, disposeOwnershipTransferAtConstructor, trackInstanceFields, exceptionPathsAnalysis,
performCopyAnalysis: analyzerOptions.GetCopyAnalysisOption(rule, defaultValue: performCopyAnalysisIfNotUserConfigured, cancellationToken),
out pointsToAnalysisResult));
}
/// <summary>
/// Performs global flow state analysis and returns the analysis result.
/// </summary>
/// <param name="cfg">Control flow graph to analyze.</param>
/// <param name="owningSymbol">Owning symbol for the analyzed <paramref name="cfg"/>.</param>
/// <param name="createOperationVisitor">Delegate to create a <see cref="GlobalFlowStateDataFlowOperationVisitor"/> that performs the core analysis.</param>
/// <param name="wellKnownTypeProvider">Well-known type provider for the compilation.</param>
/// <param name="analyzerOptions">Analyzer options for analysis</param>
/// <param name="rule"><see cref="DiagnosticDescriptor"/> for fetching any rule specific analyzer option values from <paramref name="analyzerOptions"/>.</param>
/// <param name="performValueContentAnalysis">Flag to indicate if <see cref="ValueContentAnalysis.ValueContentAnalysis"/> should be performed.</param>
/// <param name="pessimisticAnalysis">
/// This boolean field determines if we should perform an optimistic OR a pessimistic analysis.
/// For example, invoking a lambda method for which we do not know the target method being invoked can change/invalidate the current global flow state.
/// An optimistic points to analysis assumes that the global flow state doesn't change for such scenarios.
/// A pessimistic points to analysis resets the global flow state to an unknown state for such scenarios.
/// </param>
/// <param name="cancellationToken">Token to cancel analysis.</param>
/// <param name="valueContentAnalysisResult">Optional value content analysis result, if <paramref name="performValueContentAnalysis"/> is true</param>
/// <param name="interproceduralAnalysisKind"><see cref="InterproceduralAnalysisKind"/> for the analysis.</param>
/// <param name="interproceduralAnalysisPredicate">Optional predicate for interprocedural analysis.</param>
/// <param name="additionalSupportedValueTypes">Additional value types for which the caller wants to track stored values during value content analysis.</param>
/// <param name="getValueContentValueForAdditionalSupportedValueTypeOperation">
/// Optional delegate to compute values for <paramref name="additionalSupportedValueTypes"/>.
/// Must be non-null if <paramref name="additionalSupportedValueTypes"/> is non-empty.
/// </param>
/// <returns>Global flow state analysis result, or null if analysis did not succeed.</returns>
public static GlobalFlowStateAnalysisResult?TryGetOrComputeResult(
ControlFlowGraph cfg,
ISymbol owningSymbol,
Func <GlobalFlowStateAnalysisContext, GlobalFlowStateDataFlowOperationVisitor> createOperationVisitor,
WellKnownTypeProvider wellKnownTypeProvider,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
bool performValueContentAnalysis,
bool pessimisticAnalysis,
CancellationToken cancellationToken,
out ValueContentAnalysisResult?valueContentAnalysisResult,
InterproceduralAnalysisKind interproceduralAnalysisKind = InterproceduralAnalysisKind.None,
InterproceduralAnalysisPredicate?interproceduralAnalysisPredicate = null,
ImmutableArray <INamedTypeSymbol> additionalSupportedValueTypes = default,
Func <IOperation, ValueContentAbstractValue>?getValueContentValueForAdditionalSupportedValueTypeOperation = null)
{
if (cfg == null)
{
throw new ArgumentNullException(nameof(cfg));
}
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, cfg, wellKnownTypeProvider.Compilation, interproceduralAnalysisKind, cancellationToken);
var pointsToAnalysisKind = analyzerOptions.GetPointsToAnalysisKindOption(rule, owningSymbol, wellKnownTypeProvider.Compilation,
defaultValue: PointsToAnalysisKind.PartialWithoutTrackingFieldsAndProperties, cancellationToken);
return(TryGetOrComputeResult(cfg, owningSymbol, createOperationVisitor, wellKnownTypeProvider, analyzerOptions,
interproceduralAnalysisConfig, interproceduralAnalysisPredicate, pointsToAnalysisKind, pessimisticAnalysis,
performValueContentAnalysis, out valueContentAnalysisResult,
additionalSupportedValueTypes, getValueContentValueForAdditionalSupportedValueTypeOperation));
}
public static FlightEnabledAnalysisResult?TryGetOrComputeResult(
ControlFlowGraph cfg,
ISymbol owningSymbol,
ImmutableArray <IMethodSymbol> flightEnablingMethods,
Func <FlightEnabledAnalysisCallbackContext, FlightEnabledAbstractValue> getValueForFlightEnablingMethodInvocation,
WellKnownTypeProvider wellKnownTypeProvider,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
bool performPointsToAnalysis,
bool performValueContentAnalysis,
CancellationToken cancellationToken,
out PointsToAnalysisResult?pointsToAnalysisResult,
out ValueContentAnalysisResult?valueContentAnalysisResult,
InterproceduralAnalysisKind interproceduralAnalysisKind = InterproceduralAnalysisKind.None,
bool pessimisticAnalysis = true,
InterproceduralAnalysisPredicate?interproceduralAnalysisPredicate = null)
{
RoslynDebug.Assert(!performValueContentAnalysis || performPointsToAnalysis);
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, owningSymbol, wellKnownTypeProvider.Compilation, interproceduralAnalysisKind, cancellationToken);
if (interproceduralAnalysisConfig.InterproceduralAnalysisKind != InterproceduralAnalysisKind.None)
{
interproceduralAnalysisPredicate ??= new InterproceduralAnalysisPredicate(
skipAnalysisForInvokedMethodPredicateOpt: m => flightEnablingMethods.Contains(m),
skipAnalysisForInvokedLambdaOrLocalFunctionPredicateOpt: null,
skipAnalysisForInvokedContextPredicateOpt: null);
}
return(TryGetOrComputeResult(cfg, owningSymbol, flightEnablingMethods,
getValueForFlightEnablingMethodInvocation, wellKnownTypeProvider, analyzerOptions,
interproceduralAnalysisConfig, interproceduralAnalysisPredicate, pessimisticAnalysis,
performPointsToAnalysis, performValueContentAnalysis, out pointsToAnalysisResult, out valueContentAnalysisResult));
}
public static ValueContentAnalysisResult TryGetOrComputeResult(
ControlFlowGraph cfg,
ISymbol owningSymbol,
WellKnownTypeProvider wellKnownTypeProvider,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
CancellationToken cancellationToken,
out CopyAnalysisResult copyAnalysisResultOpt,
out PointsToAnalysisResult pointsToAnalysisResultOpt,
InterproceduralAnalysisKind interproceduralAnalysisKind = InterproceduralAnalysisKind.None,
bool pessimisticAnalysis = true,
bool performPointsToAnalysis = true,
bool performCopyAnalysisIfNotUserConfigured = false,
InterproceduralAnalysisPredicate interproceduralAnalysisPredicateOpt = null)
{
Debug.Assert(!owningSymbol.IsConfiguredToSkipAnalysis(analyzerOptions, rule, wellKnownTypeProvider.Compilation, cancellationToken));
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, interproceduralAnalysisKind, cancellationToken);
return(TryGetOrComputeResult(cfg, owningSymbol, analyzerOptions, wellKnownTypeProvider,
interproceduralAnalysisConfig, out copyAnalysisResultOpt,
out pointsToAnalysisResultOpt, pessimisticAnalysis, performPointsToAnalysis,
performCopyAnalysis: analyzerOptions.GetCopyAnalysisOption(rule, defaultValue: performCopyAnalysisIfNotUserConfigured, cancellationToken),
interproceduralAnalysisPredicateOpt: interproceduralAnalysisPredicateOpt));
}
public static ValueContentAnalysisResult?TryGetOrComputeResult(
ControlFlowGraph cfg,
ISymbol owningSymbol,
WellKnownTypeProvider wellKnownTypeProvider,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
PointsToAnalysisKind defaultPointsToAnalysisKind,
CancellationToken cancellationToken,
out CopyAnalysisResult?copyAnalysisResult,
out PointsToAnalysisResult?pointsToAnalysisResult,
InterproceduralAnalysisKind interproceduralAnalysisKind = InterproceduralAnalysisKind.None,
bool pessimisticAnalysis = true,
bool performCopyAnalysisIfNotUserConfigured = false,
InterproceduralAnalysisPredicate?interproceduralAnalysisPredicate = null,
ImmutableArray <INamedTypeSymbol> additionalSupportedValueTypes = default,
Func <IOperation, ValueContentAbstractValue>?getValueContentValueForAdditionalSupportedValueTypeOperation = null)
{
Debug.Assert(!owningSymbol.IsConfiguredToSkipAnalysis(analyzerOptions, rule, wellKnownTypeProvider.Compilation, cancellationToken));
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, owningSymbol, wellKnownTypeProvider.Compilation, interproceduralAnalysisKind, cancellationToken);
return(TryGetOrComputeResult(cfg, owningSymbol, analyzerOptions, wellKnownTypeProvider,
pointsToAnalysisKind: analyzerOptions.GetPointsToAnalysisKindOption(rule, owningSymbol, wellKnownTypeProvider.Compilation, defaultPointsToAnalysisKind, cancellationToken),
interproceduralAnalysisConfig, out copyAnalysisResult,
out pointsToAnalysisResult, pessimisticAnalysis,
performCopyAnalysis: analyzerOptions.GetCopyAnalysisOption(rule, owningSymbol, wellKnownTypeProvider.Compilation, defaultValue: performCopyAnalysisIfNotUserConfigured, cancellationToken),
interproceduralAnalysisPredicate,
additionalSupportedValueTypes,
getValueContentValueForAdditionalSupportedValueTypeOperation));
}
public static ImmutableDictionary <IParameterSymbol, SyntaxNode> GetOrComputeHazardousParameterUsages(
IBlockOperation topmostBlock,
Compilation compilation,
ISymbol owningSymbol,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
CancellationToken cancellationToken,
PointsToAnalysisKind defaultPointsToAnalysisKind = PointsToAnalysisKind.PartialWithoutTrackingFieldsAndProperties,
InterproceduralAnalysisKind interproceduralAnalysisKind = InterproceduralAnalysisKind.ContextSensitive,
uint defaultMaxInterproceduralMethodCallChain = 1, // By default, we only want to track method calls one level down.
bool pessimisticAnalysis = false)
{
Debug.Assert(!analyzerOptions.IsConfiguredToSkipAnalysis(rule, owningSymbol, compilation, cancellationToken));
var cfg = topmostBlock.GetEnclosingControlFlowGraph();
if (cfg == null)
{
return(ImmutableDictionary <IParameterSymbol, SyntaxNode> .Empty);
}
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, cfg, compilation, interproceduralAnalysisKind, cancellationToken, defaultMaxInterproceduralMethodCallChain);
var performCopyAnalysis = analyzerOptions.GetCopyAnalysisOption(rule, topmostBlock.Syntax.SyntaxTree, compilation, defaultValue: false, cancellationToken);
var nullCheckValidationMethods = analyzerOptions.GetNullCheckValidationMethodsOption(rule, topmostBlock.Syntax.SyntaxTree, compilation, cancellationToken);
var pointsToAnalysisKind = analyzerOptions.GetPointsToAnalysisKindOption(rule, topmostBlock.Syntax.SyntaxTree, compilation, defaultPointsToAnalysisKind, cancellationToken);
return(GetOrComputeHazardousParameterUsages(cfg, compilation, owningSymbol, analyzerOptions,
nullCheckValidationMethods, pointsToAnalysisKind, interproceduralAnalysisConfig, performCopyAnalysis, pessimisticAnalysis));
}
internal static TaintedDataAnalysisResult?TryGetOrComputeResult(
ControlFlowGraph cfg,
Compilation compilation,
ISymbol containingMethod,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
TaintedDataSymbolMap <SourceInfo> taintedSourceInfos,
TaintedDataSymbolMap <SanitizerInfo> taintedSanitizerInfos,
TaintedDataSymbolMap <SinkInfo> taintedSinkInfos)
{
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, cfg, compilation, InterproceduralAnalysisKind.ContextSensitive);
return(TryGetOrComputeResult(cfg, compilation, containingMethod, analyzerOptions, taintedSourceInfos,
taintedSanitizerInfos, taintedSinkInfos, interproceduralAnalysisConfig));
}
public static ImmutableDictionary <IParameterSymbol, SyntaxNode> GetOrComputeHazardousParameterUsages(
IBlockOperation topmostBlock,
Compilation compilation,
ISymbol owningSymbol,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
CancellationToken cancellationToken,
InterproceduralAnalysisKind interproceduralAnalysisKind = InterproceduralAnalysisKind.ContextSensitive,
uint defaultMaxInterproceduralMethodCallChain = 1, // By default, we only want to track method calls one level down.
bool pessimisticAnalysis = true)
{
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, interproceduralAnalysisKind, cancellationToken, defaultMaxInterproceduralMethodCallChain);
return(GetOrComputeHazardousParameterUsages(topmostBlock, compilation, owningSymbol,
interproceduralAnalysisConfig, pessimisticAnalysis));
}
internal static TaintedDataAnalysisResult?TryGetOrComputeResult(
ControlFlowGraph cfg,
Compilation compilation,
ISymbol containingMethod,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
TaintedDataSymbolMap <SourceInfo> taintedSourceInfos,
TaintedDataSymbolMap <SanitizerInfo> taintedSanitizerInfos,
TaintedDataSymbolMap <SinkInfo> taintedSinkInfos,
CancellationToken cancellationToken,
uint defaultMaxInterproceduralMethodCallChain,
uint defaultMaxInterproceduralLambdaOrLocalFunctionCallChain)
{
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, cfg, compilation, InterproceduralAnalysisKind.ContextSensitive, cancellationToken, defaultMaxInterproceduralMethodCallChain, defaultMaxInterproceduralLambdaOrLocalFunctionCallChain);
return(TryGetOrComputeResult(cfg, compilation, containingMethod, analyzerOptions, taintedSourceInfos,
taintedSanitizerInfos, taintedSinkInfos, interproceduralAnalysisConfig));
}
public static ImmutableDictionary<IParameterSymbol, SyntaxNode> GetOrComputeHazardousParameterUsages(
IBlockOperation topmostBlock,
Compilation compilation,
ISymbol owningSymbol,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
CancellationToken cancellationToken,
InterproceduralAnalysisKind interproceduralAnalysisKind = InterproceduralAnalysisKind.ContextSensitive,
uint defaultMaxInterproceduralMethodCallChain = 1, // By default, we only want to track method calls one level down.
bool pessimisticAnalysis = true)
{
Debug.Assert(!owningSymbol.IsConfiguredToSkipAnalysis(analyzerOptions, rule, compilation, cancellationToken));
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, topmostBlock.Syntax.SyntaxTree, compilation, interproceduralAnalysisKind, cancellationToken, defaultMaxInterproceduralMethodCallChain);
var performCopyAnalysis = analyzerOptions.GetCopyAnalysisOption(rule, topmostBlock.Syntax.SyntaxTree, compilation, defaultValue: false, cancellationToken);
var nullCheckValidationMethods = analyzerOptions.GetNullCheckValidationMethodsOption(rule, topmostBlock.Syntax.SyntaxTree, compilation, cancellationToken);
return GetOrComputeHazardousParameterUsages(topmostBlock, compilation, owningSymbol, analyzerOptions,
nullCheckValidationMethods, interproceduralAnalysisConfig, performCopyAnalysis, pessimisticAnalysis);
}
public static DisposeAnalysisResult?TryGetOrComputeResult(
ControlFlowGraph cfg,
ISymbol owningSymbol,
WellKnownTypeProvider wellKnownTypeProvider,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
ImmutableHashSet <INamedTypeSymbol> disposeOwnershipTransferLikelyTypes,
PointsToAnalysisKind defaultPointsToAnalysisKind,
bool trackInstanceFields,
bool exceptionPathsAnalysis,
CancellationToken cancellationToken,
out PointsToAnalysisResult?pointsToAnalysisResult,
InterproceduralAnalysisKind interproceduralAnalysisKind = InterproceduralAnalysisKind.ContextSensitive,
bool performCopyAnalysisIfNotUserConfigured = false,
InterproceduralAnalysisPredicate?interproceduralAnalysisPredicate = null,
bool defaultDisposeOwnershipTransferAtConstructor = false,
bool defaultDisposeOwnershipTransferAtMethodCall = false)
{
if (cfg == null)
{
throw new ArgumentNullException(nameof(cfg));
}
Debug.Assert(!analyzerOptions.IsConfiguredToSkipAnalysis(rule, owningSymbol, wellKnownTypeProvider.Compilation, cancellationToken));
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, cfg, wellKnownTypeProvider.Compilation, interproceduralAnalysisKind, cancellationToken);
var disposeOwnershipTransferAtConstructor = analyzerOptions.GetDisposeOwnershipTransferAtConstructorOption(
rule, owningSymbol, wellKnownTypeProvider.Compilation, defaultValue: defaultDisposeOwnershipTransferAtConstructor, cancellationToken);
var disposeOwnershipTransferAtMethodCall = analyzerOptions.GetDisposeOwnershipTransferAtMethodCall(
rule, owningSymbol, wellKnownTypeProvider.Compilation, defaultValue: defaultDisposeOwnershipTransferAtMethodCall, cancellationToken);
return(TryGetOrComputeResult(cfg, owningSymbol, analyzerOptions, wellKnownTypeProvider,
interproceduralAnalysisConfig, interproceduralAnalysisPredicate,
disposeOwnershipTransferLikelyTypes, disposeOwnershipTransferAtConstructor,
disposeOwnershipTransferAtMethodCall, trackInstanceFields, exceptionPathsAnalysis,
pointsToAnalysisKind: analyzerOptions.GetPointsToAnalysisKindOption(rule, owningSymbol, wellKnownTypeProvider.Compilation, defaultPointsToAnalysisKind, cancellationToken),
performCopyAnalysis: analyzerOptions.GetCopyAnalysisOption(rule, owningSymbol, wellKnownTypeProvider.Compilation, defaultValue: performCopyAnalysisIfNotUserConfigured, cancellationToken),
isConfiguredToSkipAnalysis: (ISymbol symbol) => analyzerOptions.IsConfiguredToSkipAnalysis(rule, symbol, owningSymbol, wellKnownTypeProvider.Compilation, cancellationToken),
out pointsToAnalysisResult));
}
public static GlobalFlowStateAnalysisResult?TryGetOrComputeResult(
ControlFlowGraph cfg,
ISymbol owningSymbol,
Func <GlobalFlowStateAnalysisContext, GlobalFlowStateDataFlowOperationVisitor> createOperationVisitor,
WellKnownTypeProvider wellKnownTypeProvider,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
bool performValueContentAnalysis,
CancellationToken cancellationToken,
out ValueContentAnalysisResult?valueContentAnalysisResult,
InterproceduralAnalysisKind interproceduralAnalysisKind = InterproceduralAnalysisKind.None,
bool pessimisticAnalysis = true,
InterproceduralAnalysisPredicate?interproceduralAnalysisPredicate = null)
{
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, owningSymbol, wellKnownTypeProvider.Compilation, interproceduralAnalysisKind, cancellationToken);
return(TryGetOrComputeResult(cfg, owningSymbol, createOperationVisitor, wellKnownTypeProvider, analyzerOptions,
interproceduralAnalysisConfig, interproceduralAnalysisPredicate, pessimisticAnalysis,
performValueContentAnalysis, out valueContentAnalysisResult));
}
public override void Initialize(AnalysisContext context)
{
context.EnableConcurrentExecution();
// Security analyzer - analyze and report diagnostics on generated code.
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationStartAnalysisContext) =>
{
if (!compilationStartAnalysisContext.Compilation.TryGetOrCreateTypeByMetadataName(WellKnownTypeNames.SystemWebHttpCookie,
out INamedTypeSymbol? httpCookieSymbol))
{
return;
}
PooledHashSet <(IOperation Operation, ISymbol ContainingSymbol)> rootOperationsNeedingAnalysis = PooledHashSet <(IOperation, ISymbol)> .GetInstance();
compilationStartAnalysisContext.RegisterOperationBlockStartAction(
(OperationBlockStartAnalysisContext operationBlockStartAnalysisContext) =>
{
ISymbol owningSymbol = operationBlockStartAnalysisContext.OwningSymbol;
if (owningSymbol.IsConfiguredToSkipAnalysis(
operationBlockStartAnalysisContext.Options,
Rule,
operationBlockStartAnalysisContext.Compilation,
operationBlockStartAnalysisContext.CancellationToken))
{
return;
}
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
ISimpleAssignmentOperation simpleAssignmentOperation =
(ISimpleAssignmentOperation)operationAnalysisContext.Operation;
if (simpleAssignmentOperation.Target is IPropertyReferenceOperation propertyReferenceOperation &&
httpCookieSymbol.Equals(propertyReferenceOperation.Property.ContainingType) &&
propertyReferenceOperation.Property.Name == "HttpOnly" &&
simpleAssignmentOperation.Value.ConstantValue.HasValue &&
simpleAssignmentOperation.Value.ConstantValue.Value.Equals(false))
{
operationAnalysisContext.ReportDiagnostic(
simpleAssignmentOperation.CreateDiagnostic(
Rule));
}
},
OperationKind.SimpleAssignment);
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
IReturnOperation returnOperation = (IReturnOperation)operationAnalysisContext.Operation;
if (httpCookieSymbol.Equals(returnOperation.ReturnedValue?.Type))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(
(returnOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.Return);
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
IArgumentOperation argumentOperation = (IArgumentOperation)operationAnalysisContext.Operation;
if (httpCookieSymbol.Equals(argumentOperation.Value.Type))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(
(argumentOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.Argument);
});
compilationStartAnalysisContext.RegisterCompilationEndAction(
(CompilationAnalysisContext compilationAnalysisContext) =>
{
PooledDictionary <(Location Location, IMethodSymbol?Method), HazardousUsageEvaluationResult>?allResults = null;
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
allResults = PropertySetAnalysis.BatchGetOrComputeHazardousUsages(
compilationAnalysisContext.Compilation,
rootOperationsNeedingAnalysis,
compilationAnalysisContext.Options,
WellKnownTypeNames.SystemWebHttpCookie,
ConstructorMapper,
PropertyMappers,
HazardousUsageEvaluators,
InterproceduralAnalysisConfiguration.Create(
compilationAnalysisContext.Options,
SupportedDiagnostics,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: compilationAnalysisContext.CancellationToken));
}
if (allResults == null)
{
return;
}
foreach (KeyValuePair <(Location Location, IMethodSymbol?Method), HazardousUsageEvaluationResult> kvp
in allResults)
{
if (kvp.Value == HazardousUsageEvaluationResult.Flagged)
{
compilationAnalysisContext.ReportDiagnostic(
Diagnostic.Create(
Rule,
kvp.Key.Location));
}
}
}
finally
{
rootOperationsNeedingAnalysis.Free();
allResults?.Free();
}
});
});
}
public override void Initialize(AnalysisContext context)
{
context.EnableConcurrentExecution();
// Security analyzer - analyze and report diagnostics on generated code.
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
// If there are more classes implement IResponseCookies, add them here later.
HazardousUsageEvaluatorCollection hazardousUsageEvaluators = new HazardousUsageEvaluatorCollection(
new HazardousUsageEvaluator(
WellKnownTypeNames.MicrosoftAspNetCoreHttpInternalResponseCookies,
"Append",
"options",
HazardousUsageCallback));
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationStartAnalysisContext) =>
{
var wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilationStartAnalysisContext.Compilation);
if (!wellKnownTypeProvider.TryGetTypeByMetadataName(
WellKnownTypeNames.MicrosoftAspNetCoreHttpIResponseCookies,
out var iResponseCookiesTypeSymbol))
{
return;
}
wellKnownTypeProvider.TryGetTypeByMetadataName(
WellKnownTypeNames.MicrosoftAspNetCoreHttpCookieOptions,
out var cookieOptionsTypeSymbol);
var rootOperationsNeedingAnalysis = PooledHashSet <(IOperation, ISymbol)> .GetInstance();
compilationStartAnalysisContext.RegisterOperationBlockStartAction(
(OperationBlockStartAnalysisContext operationBlockStartAnalysisContext) =>
{
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
var invocationOperation = (IInvocationOperation)operationAnalysisContext.Operation;
var methodSymbol = invocationOperation.TargetMethod;
if (methodSymbol.ContainingType is INamedTypeSymbol namedTypeSymbol &&
namedTypeSymbol.Interfaces.Contains(iResponseCookiesTypeSymbol) &&
invocationOperation.TargetMethod.Name == "Append")
{
if (methodSymbol.Parameters.Length < 3)
{
operationAnalysisContext.ReportDiagnostic(
invocationOperation.CreateDiagnostic(
DefinitelyUseSecureCookiesASPNetCoreRule));
}
else
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((invocationOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
}
},
OperationKind.Invocation);
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
var argumentOperation = (IArgumentOperation)operationAnalysisContext.Operation;
if (argumentOperation.Parameter.Type.Equals(cookieOptionsTypeSymbol))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((argumentOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.Argument);
});
compilationStartAnalysisContext.RegisterCompilationEndAction(
(CompilationAnalysisContext compilationAnalysisContext) =>
{
PooledDictionary <(Location Location, IMethodSymbol Method), HazardousUsageEvaluationResult> allResults = null;
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
allResults = PropertySetAnalysis.BatchGetOrComputeHazardousUsages(
compilationAnalysisContext.Compilation,
rootOperationsNeedingAnalysis,
WellKnownTypeNames.MicrosoftAspNetCoreHttpCookieOptions,
constructorMapper,
PropertyMappers,
hazardousUsageEvaluators,
InterproceduralAnalysisConfiguration.Create(
compilationAnalysisContext.Options,
SupportedDiagnostics,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: compilationAnalysisContext.CancellationToken));
}
if (allResults == null)
{
return;
}
foreach (KeyValuePair <(Location Location, IMethodSymbol Method), HazardousUsageEvaluationResult> kvp
in allResults)
{
DiagnosticDescriptor descriptor;
switch (kvp.Value)
{
case HazardousUsageEvaluationResult.Flagged:
descriptor = DefinitelyUseSecureCookiesASPNetCoreRule;
break;
case HazardousUsageEvaluationResult.MaybeFlagged:
descriptor = MaybeUseSecureCookiesASPNetCoreRule;
break;
default:
Debug.Fail($"Unhandled result value {kvp.Value}");
continue;
}
compilationAnalysisContext.ReportDiagnostic(
Diagnostic.Create(
descriptor,
kvp.Key.Location,
kvp.Key.Method.ToDisplayString(
SymbolDisplayFormat.MinimallyQualifiedFormat)));
}
}
finally
{
rootOperationsNeedingAnalysis.Free();
allResults?.Free();
}
});
});
}
public override void Initialize(AnalysisContext context)
{
context.EnableConcurrentExecution();
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze);
context.RegisterCompilationStartAction(compilationContext =>
{
if (!DisposeAnalysisHelper.TryGetOrCreate(compilationContext.Compilation, out DisposeAnalysisHelper? disposeAnalysisHelper))
{
return;
}
var fieldDisposeValueMap = new ConcurrentDictionary <IFieldSymbol, /*disposed*/ bool>();
void addOrUpdateFieldDisposedValue(IFieldSymbol field, bool disposed)
{
Debug.Assert(!field.IsStatic);
Debug.Assert(disposeAnalysisHelper !.IsDisposable(field.Type));
fieldDisposeValueMap.AddOrUpdate(field,
addValue: disposed,
updateValueFactory: (f, currentValue) => currentValue || disposed);
};
var hasErrors = false;
compilationContext.RegisterOperationAction(_ => hasErrors = true, OperationKind.Invalid);
// Disposable fields with initializer at declaration must be disposed.
compilationContext.RegisterOperationAction(operationContext =>
{
if (!ShouldAnalyze(operationContext.ContainingSymbol.ContainingType))
{
return;
}
var initializedFields = ((IFieldInitializerOperation)operationContext.Operation).InitializedFields;
foreach (var field in initializedFields)
{
if (!field.IsStatic &&
disposeAnalysisHelper.GetDisposableFields(field.ContainingType).Contains(field))
{
addOrUpdateFieldDisposedValue(field, disposed: false);
}
}
},
OperationKind.FieldInitializer);
// Instance fields initialized in constructor/method body with a locally created disposable object must be disposed.
compilationContext.RegisterOperationBlockStartAction(operationBlockStartContext =>
{
if (!(operationBlockStartContext.OwningSymbol is IMethodSymbol containingMethod) ||
!ShouldAnalyze(containingMethod.ContainingType))
{
return;
}
if (disposeAnalysisHelper.HasAnyDisposableCreationDescendant(operationBlockStartContext.OperationBlocks, containingMethod))
{
PointsToAnalysisResult?lazyPointsToAnalysisResult = null;
operationBlockStartContext.RegisterOperationAction(operationContext =>
{
var fieldReference = (IFieldReferenceOperation)operationContext.Operation;
var field = fieldReference.Field;
// Only track instance fields on the current instance.
if (field.IsStatic || fieldReference.Instance?.Kind != OperationKind.InstanceReference)
{
return;
}
// Check if this is a Disposable field that is not currently being tracked.
if (fieldDisposeValueMap.ContainsKey(field) ||
!disposeAnalysisHelper.GetDisposableFields(field.ContainingType).Contains(field))
{
return;
}
// We have a field reference for a disposable field.
// Check if it is being assigned a locally created disposable object.
if (fieldReference.Parent is ISimpleAssignmentOperation simpleAssignmentOperation &&
simpleAssignmentOperation.Target == fieldReference)
{
if (lazyPointsToAnalysisResult == null)
{
var cfg = operationBlockStartContext.OperationBlocks.GetControlFlowGraph();
if (cfg == null)
{
hasErrors = true;
return;
}
var wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(operationContext.Compilation);
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
operationBlockStartContext.Options, Rule, InterproceduralAnalysisKind.None, operationBlockStartContext.CancellationToken);
var pointsToAnalysisResult = PointsToAnalysis.TryGetOrComputeResult(cfg,
containingMethod, operationBlockStartContext.Options, wellKnownTypeProvider, interproceduralAnalysisConfig,
interproceduralAnalysisPredicateOpt: null,
pessimisticAnalysis: false, performCopyAnalysis: false);
if (pointsToAnalysisResult == null)
{
hasErrors = true;
return;
}
Interlocked.CompareExchange(ref lazyPointsToAnalysisResult, pointsToAnalysisResult, null);
}
PointsToAbstractValue assignedPointsToValue = lazyPointsToAnalysisResult[simpleAssignmentOperation.Value.Kind, simpleAssignmentOperation.Value.Syntax];
foreach (var location in assignedPointsToValue.Locations)
{
if (disposeAnalysisHelper.IsDisposableCreationOrDisposeOwnershipTransfer(location, containingMethod))
{
addOrUpdateFieldDisposedValue(field, disposed: false);
break;
}
}
}
},
OperationKind.FieldReference);
}
// Mark fields disposed in Dispose method(s).
if (IsDisposeMethod(containingMethod))
{
var disposableFields = disposeAnalysisHelper.GetDisposableFields(containingMethod.ContainingType);
if (!disposableFields.IsEmpty)
{
if (disposeAnalysisHelper.TryGetOrComputeResult(operationBlockStartContext.OperationBlocks, containingMethod,
operationBlockStartContext.Options, Rule, trackInstanceFields: true, trackExceptionPaths: false, cancellationToken: operationBlockStartContext.CancellationToken,
disposeAnalysisResult: out var disposeAnalysisResult, pointsToAnalysisResult: out var pointsToAnalysisResult))
{
RoslynDebug.Assert(disposeAnalysisResult.TrackedInstanceFieldPointsToMap != null);
BasicBlock exitBlock = disposeAnalysisResult.ControlFlowGraph.GetExit();
foreach (var fieldWithPointsToValue in disposeAnalysisResult.TrackedInstanceFieldPointsToMap)
{
IFieldSymbol field = fieldWithPointsToValue.Key;
PointsToAbstractValue pointsToValue = fieldWithPointsToValue.Value;
Debug.Assert(disposeAnalysisHelper.IsDisposable(field.Type));
ImmutableDictionary <AbstractLocation, DisposeAbstractValue> disposeDataAtExit = disposeAnalysisResult.ExitBlockOutput.Data;
var disposed = false;
foreach (var location in pointsToValue.Locations)
{
if (disposeDataAtExit.TryGetValue(location, out DisposeAbstractValue disposeValue))
{
switch (disposeValue.Kind)
{
// For MaybeDisposed, conservatively mark the field as disposed as we don't support path sensitive analysis.
case DisposeAbstractValueKind.MaybeDisposed:
case DisposeAbstractValueKind.Unknown:
case DisposeAbstractValueKind.Escaped:
case DisposeAbstractValueKind.Disposed:
disposed = true;
addOrUpdateFieldDisposedValue(field, disposed);
break;
}
}
if (disposed)
{
break;
}
}
}
}
}
}
});
compilationContext.RegisterCompilationEndAction(compilationEndContext =>
{
if (hasErrors)
{
return;
}
foreach (var kvp in fieldDisposeValueMap)
{
IFieldSymbol field = kvp.Key;
bool disposed = kvp.Value;
// Flag non-disposed fields only if the containing type has a Dispose method implementation.
if (!disposed &&
HasDisposeMethod(field.ContainingType))
{
// '{0}' contains field '{1}' that is of IDisposable type '{2}', but it is never disposed. Change the Dispose method on '{0}' to call Close or Dispose on this field.
var arg1 = field.ContainingType.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat);
var arg2 = field.Name;
var arg3 = field.Type.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat);
var diagnostic = field.CreateDiagnostic(Rule, arg1, arg2, arg3);
compilationEndContext.ReportDiagnostic(diagnostic);
}
}
});
return;
// Local functions
bool ShouldAnalyze(INamedTypeSymbol namedType)
{
// We only want to analyze types which are disposable (implement System.IDisposable directly or indirectly)
// and have at least one disposable field.
return(!hasErrors &&
disposeAnalysisHelper !.IsDisposable(namedType) &&
!disposeAnalysisHelper.GetDisposableFields(namedType).IsEmpty&&
!namedType.IsConfiguredToSkipAnalysis(compilationContext.Options, Rule, compilationContext.Compilation, compilationContext.CancellationToken));
}
bool IsDisposeMethod(IMethodSymbol method)
=> disposeAnalysisHelper !.GetDisposeMethodKind(method) != DisposeMethodKind.None;
bool HasDisposeMethod(INamedTypeSymbol namedType)
{
foreach (var method in namedType.GetMembers().OfType <IMethodSymbol>())
{
if (IsDisposeMethod(method))
{
return(true);
}
}
return(false);
}
});
}
public sealed override void Initialize(AnalysisContext context)
{
ImmutableHashSet <string> cachedDeserializationMethodNames = this.DeserializationMethodNames;
Debug.Assert(!string.IsNullOrWhiteSpace(this.DeserializerTypeMetadataName));
Debug.Assert(!string.IsNullOrWhiteSpace(this.SerializationBinderPropertyMetadataName));
Debug.Assert(!cachedDeserializationMethodNames.IsEmpty);
Debug.Assert(this.BinderDefinitelyNotSetDescriptor != null);
Debug.Assert(this.BinderMaybeNotSetDescriptor != null);
context.EnableConcurrentExecution();
// Security analyzer - analyze and report diagnostics on generated code.
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
// For PropertySetAnalysis dataflow analysis.
PropertyMapperCollection propertyMappers = new PropertyMapperCollection(
new PropertyMapper(
this.SerializationBinderPropertyMetadataName,
PropertySetCallbacks.FlagIfNull));
HazardousUsageEvaluatorCollection hazardousUsageEvaluators =
new HazardousUsageEvaluatorCollection(
cachedDeserializationMethodNames.Select(
methodName => new HazardousUsageEvaluator(
methodName,
PropertySetCallbacks.HazardousIfAllFlaggedOrAllUnknown)));
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationStartAnalysisContext) =>
{
if (!compilationStartAnalysisContext.Compilation.TryGetOrCreateTypeByMetadataName(
this.DeserializerTypeMetadataName,
out INamedTypeSymbol? deserializerTypeSymbol))
{
return;
}
PooledHashSet <(IOperation Operation, ISymbol ContainingSymbol)> rootOperationsNeedingAnalysis = PooledHashSet <(IOperation, ISymbol)> .GetInstance();
compilationStartAnalysisContext.RegisterOperationBlockStartAction(
(OperationBlockStartAnalysisContext operationBlockStartAnalysisContext) =>
{
var owningSymbol = operationBlockStartAnalysisContext.OwningSymbol;
// TODO: Handle case when exactly one of the below rules is configured to skip analysis.
if (owningSymbol.IsConfiguredToSkipAnalysis(operationBlockStartAnalysisContext.Options,
BinderDefinitelyNotSetDescriptor !, operationBlockStartAnalysisContext.Compilation, operationBlockStartAnalysisContext.CancellationToken) &&
owningSymbol.IsConfiguredToSkipAnalysis(operationBlockStartAnalysisContext.Options,
BinderMaybeNotSetDescriptor !, operationBlockStartAnalysisContext.Compilation, operationBlockStartAnalysisContext.CancellationToken))
{
return;
}
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
IObjectCreationOperation creationOperation =
(IObjectCreationOperation)operationAnalysisContext.Operation;
if (deserializerTypeSymbol.Equals(creationOperation.Type))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((operationAnalysisContext.Operation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.ObjectCreation);
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
IInvocationOperation invocationOperation =
(IInvocationOperation)operationAnalysisContext.Operation;
if (Equals(invocationOperation.Instance?.Type, deserializerTypeSymbol) &&
cachedDeserializationMethodNames.Contains(invocationOperation.TargetMethod.Name))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((operationAnalysisContext.Operation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.Invocation);
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
IMethodReferenceOperation methodReferenceOperation =
(IMethodReferenceOperation)operationAnalysisContext.Operation;
if (Equals(methodReferenceOperation.Instance?.Type, deserializerTypeSymbol) &&
cachedDeserializationMethodNames.Contains(
methodReferenceOperation.Method.MetadataName))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((operationAnalysisContext.Operation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.MethodReference);
});
compilationStartAnalysisContext.RegisterCompilationEndAction(
(CompilationAnalysisContext compilationAnalysisContext) =>
{
PooledDictionary <(Location Location, IMethodSymbol?Method), HazardousUsageEvaluationResult>?allResults = null;
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
allResults = PropertySetAnalysis.BatchGetOrComputeHazardousUsages(
compilationAnalysisContext.Compilation,
rootOperationsNeedingAnalysis,
compilationAnalysisContext.Options,
this.DeserializerTypeMetadataName,
DoNotUseInsecureDeserializerWithoutBinderBase.ConstructorMapper,
propertyMappers,
hazardousUsageEvaluators,
InterproceduralAnalysisConfiguration.Create(
compilationAnalysisContext.Options,
SupportedDiagnostics,
rootOperationsNeedingAnalysis.First().Operation.Syntax.SyntaxTree,
compilationAnalysisContext.Compilation,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: compilationAnalysisContext.CancellationToken));
}
if (allResults == null)
{
return;
}
foreach (KeyValuePair <(Location Location, IMethodSymbol?Method), HazardousUsageEvaluationResult> kvp
in allResults)
{
DiagnosticDescriptor descriptor;
switch (kvp.Value)
{
case HazardousUsageEvaluationResult.Flagged:
descriptor = this.BinderDefinitelyNotSetDescriptor !;
break;
case HazardousUsageEvaluationResult.MaybeFlagged:
descriptor = this.BinderMaybeNotSetDescriptor !;
break;
default:
Debug.Fail($"Unhandled result value {kvp.Value}");
continue;
}
RoslynDebug.Assert(kvp.Key.Method != null); // HazardousUsageEvaluations only for invocations.
compilationAnalysisContext.ReportDiagnostic(
Diagnostic.Create(
descriptor,
kvp.Key.Location,
kvp.Key.Method.ToDisplayString(
SymbolDisplayFormat.MinimallyQualifiedFormat)));
}
}
finally
{
rootOperationsNeedingAnalysis.Free(compilationAnalysisContext.CancellationToken);
allResults?.Free(compilationAnalysisContext.CancellationToken);
}
});
});
}
public override void Initialize(AnalysisContext context)
{
context.EnableConcurrentExecution();
// Security analyzer - analyze and report diagnostics on generated code.
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
HazardousUsageEvaluatorCollection hazardousUsageEvaluators = new HazardousUsageEvaluatorCollection(
SecurityHelpers.JavaScriptSerializerDeserializationMethods.Select(
(string methodName) => new HazardousUsageEvaluator(methodName, HazardousUsageCallback)));
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationStartAnalysisContext) =>
{
WellKnownTypeProvider wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilationStartAnalysisContext.Compilation);
if (!wellKnownTypeProvider.TryGetTypeByMetadataName(WellKnownTypeNames.SystemWebScriptSerializationJavaScriptSerializer, out INamedTypeSymbol javaScriptSerializerSymbol) ||
!wellKnownTypeProvider.TryGetTypeByMetadataName(WellKnownTypeNames.SystemWebScriptSerializationJavaScriptTypeResolver, out INamedTypeSymbol javaScriptTypeResolverSymbol) ||
!wellKnownTypeProvider.TryGetTypeByMetadataName(WellKnownTypeNames.SystemWebScriptSerializationSimpleTypeResolver, out INamedTypeSymbol simpleTypeResolverSymbol))
{
return;
}
// If JavaScriptSerializer is initialized with a SimpleTypeResolver, then that instance is flagged.
ConstructorMapper constructorMapper = new ConstructorMapper(
(IMethodSymbol constructorMethod, IReadOnlyList <PointsToAbstractValue> argumentPointsToAbstractValues) =>
{
PropertySetAbstractValueKind kind;
if (constructorMethod.Parameters.Length == 0)
{
kind = PropertySetAbstractValueKind.Unflagged;
}
else if (constructorMethod.Parameters.Length == 1 &&
javaScriptTypeResolverSymbol.Equals(constructorMethod.Parameters[0].Type))
{
PointsToAbstractValue pointsTo = argumentPointsToAbstractValues[0];
switch (pointsTo.Kind)
{
case PointsToAbstractValueKind.Invalid:
case PointsToAbstractValueKind.UnknownNull:
case PointsToAbstractValueKind.Undefined:
kind = PropertySetAbstractValueKind.Unflagged;
break;
case PointsToAbstractValueKind.KnownLocations:
if (pointsTo.Locations.Any(l => !l.IsNull && simpleTypeResolverSymbol.Equals(l.LocationTypeOpt)))
{
kind = PropertySetAbstractValueKind.Flagged;
}
else if (pointsTo.Locations.Any(l =>
!l.IsNull &&
javaScriptTypeResolverSymbol.Equals(l.LocationTypeOpt) &&
(l.CreationOpt == null || l.CreationOpt.Kind != OperationKind.ObjectCreation)))
{
// Points to a JavaScriptTypeResolver, but we don't know if the instance is a SimpleTypeResolver.
kind = PropertySetAbstractValueKind.MaybeFlagged;
}
else
{
kind = PropertySetAbstractValueKind.Unflagged;
}
break;
case PointsToAbstractValueKind.UnknownNotNull:
case PointsToAbstractValueKind.Unknown:
kind = PropertySetAbstractValueKind.MaybeFlagged;
break;
default:
Debug.Fail($"Unhandled PointsToAbstractValueKind {pointsTo.Kind}");
kind = PropertySetAbstractValueKind.Unflagged;
break;
}
}
else
{
Debug.Fail($"Unhandled JavaScriptSerializer constructor {constructorMethod.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat)}");
kind = PropertySetAbstractValueKind.Unflagged;
}
return(PropertySetAbstractValue.GetInstance(kind));
});
PooledHashSet <(IOperation Operation, ISymbol ContainingSymbol)> rootOperationsNeedingAnalysis = PooledHashSet <(IOperation, ISymbol)> .GetInstance();
compilationStartAnalysisContext.RegisterOperationBlockStartAction(
(OperationBlockStartAnalysisContext operationBlockStartAnalysisContext) =>
{
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
IInvocationOperation invocationOperation =
(IInvocationOperation)operationAnalysisContext.Operation;
if ((javaScriptSerializerSymbol.Equals(invocationOperation.Instance?.Type) &&
SecurityHelpers.JavaScriptSerializerDeserializationMethods.Contains(invocationOperation.TargetMethod.Name)) ||
simpleTypeResolverSymbol.Equals(invocationOperation.TargetMethod.ReturnType) ||
javaScriptTypeResolverSymbol.Equals(invocationOperation.TargetMethod.ReturnType))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((invocationOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.Invocation);
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
IMethodReferenceOperation methodReferenceOperation =
(IMethodReferenceOperation)operationAnalysisContext.Operation;
if (javaScriptSerializerSymbol.Equals(methodReferenceOperation.Instance?.Type) &&
SecurityHelpers.JavaScriptSerializerDeserializationMethods.Contains(methodReferenceOperation.Method.Name))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((operationAnalysisContext.Operation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.MethodReference);
});
compilationStartAnalysisContext.RegisterCompilationEndAction(
(CompilationAnalysisContext compilationAnalysisContext) =>
{
PooledDictionary <(Location Location, IMethodSymbol Method), HazardousUsageEvaluationResult> allResults = null;
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
allResults = PropertySetAnalysis.BatchGetOrComputeHazardousUsages(
compilationAnalysisContext.Compilation,
rootOperationsNeedingAnalysis,
WellKnownTypeNames.SystemWebScriptSerializationJavaScriptSerializer,
constructorMapper,
PropertyMappers,
hazardousUsageEvaluators,
InterproceduralAnalysisConfiguration.Create(
compilationAnalysisContext.Options,
SupportedDiagnostics,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: compilationAnalysisContext.CancellationToken));
}
if (allResults == null)
{
return;
}
foreach (KeyValuePair <(Location Location, IMethodSymbol Method), HazardousUsageEvaluationResult> kvp
in allResults)
{
DiagnosticDescriptor descriptor;
switch (kvp.Value)
{
case HazardousUsageEvaluationResult.Flagged:
descriptor = DefinitelyWithSimpleTypeResolver;
break;
case HazardousUsageEvaluationResult.MaybeFlagged:
descriptor = MaybeWithSimpleTypeResolver;
break;
default:
Debug.Fail($"Unhandled result value {kvp.Value}");
continue;
}
compilationAnalysisContext.ReportDiagnostic(
Diagnostic.Create(
descriptor,
kvp.Key.Location,
kvp.Key.Method.ToDisplayString(
SymbolDisplayFormat.MinimallyQualifiedFormat)));
}
}
finally
{
rootOperationsNeedingAnalysis.Free();
allResults?.Free();
}
});
});
}
public override void Initialize(AnalysisContext context)
{
context.EnableConcurrentExecution();
// Security analyzer - analyze and report diagnostics on generated code.
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
context.RegisterCompilationStartAction(compilationStartAnalysisContext =>
{
var microsoftWindowsAzureStorageNamespaceSymbol = compilationStartAnalysisContext
.Compilation
.GlobalNamespace
.GetMembers("Microsoft")
.FirstOrDefault()
?.GetMembers("WindowsAzure")
.OfType <INamespaceSymbol>()
.FirstOrDefault()
?.GetMembers("Storage")
.OfType <INamespaceSymbol>()
.FirstOrDefault();
if (microsoftWindowsAzureStorageNamespaceSymbol == null)
{
return;
}
var wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilationStartAnalysisContext.Compilation);
wellKnownTypeProvider.TryGetTypeByMetadataName(
WellKnownTypeNames.MicrosoftWindowsAzureStorageCloudStorageAccount,
out INamedTypeSymbol cloudStorageAccountTypeSymbol);
if (!wellKnownTypeProvider.TryGetTypeByMetadataName(WellKnownTypeNames.SystemNullable1, out INamedTypeSymbol nullableTypeSymbol) ||
!wellKnownTypeProvider.TryGetTypeByMetadataName(WellKnownTypeNames.MicrosoftWindowsAzureStorageSharedAccessProtocol, out INamedTypeSymbol sharedAccessProtocolTypeSymbol))
{
return;
}
compilationStartAnalysisContext.RegisterOperationBlockStartAction(operationBlockStartContext =>
{
var owningSymbol = operationBlockStartContext.OwningSymbol;
if (owningSymbol.IsConfiguredToSkipAnalysis(operationBlockStartContext.Options, Rule,
operationBlockStartContext.Compilation, operationBlockStartContext.CancellationToken))
{
return;
}
operationBlockStartContext.RegisterOperationAction(operationAnalysisContext =>
{
var invocationOperation = (IInvocationOperation)operationAnalysisContext.Operation;
var methodSymbol = invocationOperation.TargetMethod;
if (methodSymbol.Name != "GetSharedAccessSignature")
{
return;
}
var namespaceSymbol = methodSymbol.ContainingNamespace;
while (namespaceSymbol != null)
{
if (namespaceSymbol.Equals(microsoftWindowsAzureStorageNamespaceSymbol))
{
break;
}
namespaceSymbol = namespaceSymbol.ContainingNamespace;
}
if (namespaceSymbol == null)
{
return;
}
var typeSymbol = methodSymbol.ContainingType;
if (!typeSymbol.Equals(cloudStorageAccountTypeSymbol))
{
var protocolsArgumentOperation = invocationOperation.Arguments.FirstOrDefault(s => s.Parameter.Name == "protocols" &&
s.Parameter.Type is INamedTypeSymbol namedTypeSymbol &&
namedTypeSymbol.IsGenericType &&
namedTypeSymbol.ConstructedFrom.Equals(nullableTypeSymbol) &&
namedTypeSymbol.TypeArguments.Length == 1 &&
namedTypeSymbol.TypeArguments.Contains(sharedAccessProtocolTypeSymbol));
if (protocolsArgumentOperation != null)
{
var cfg = invocationOperation.GetTopmostParentBlock()?.GetEnclosingControlFlowGraph();
if (cfg != null)
{
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
operationBlockStartContext.Options,
SupportedDiagnostics,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.None,
cancellationToken: operationBlockStartContext.CancellationToken,
defaultMaxInterproceduralMethodCallChain: 1);
var valueContentAnalysisResult = ValueContentAnalysis.TryGetOrComputeResult(
cfg,
owningSymbol,
operationAnalysisContext.Options,
wellKnownTypeProvider,
interproceduralAnalysisConfig,
out var copyAnalysisResult,
out var pointsToAnalysisResult);
if (valueContentAnalysisResult == null)
{
return;
}
var protocolsArgument = valueContentAnalysisResult[protocolsArgumentOperation.Kind, protocolsArgumentOperation.Syntax];
if (protocolsArgument.IsLiteralState &&
!protocolsArgument.LiteralValues.Contains(SharedAccessProtocolHttpsOnly))
{
operationAnalysisContext.ReportDiagnostic(
invocationOperation.CreateDiagnostic(
Rule));
}
}
}
}
}, OperationKind.Invocation);
});
});
}
public override void Initialize(AnalysisContext context)
{
if (!Debugger.IsAttached) // prefer single thread for debugging in development
{
context.EnableConcurrentExecution();
}
if (context.IsAuditMode())
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
}
else
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
}
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationStartAnalysisContext) =>
{
Compilation compilation = compilationStartAnalysisContext.Compilation;
var wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilation);
if (!wellKnownTypeProvider.TryGetOrCreateTypeByMetadataName(ValidatorTypeName, out var validatorType))
{
return;
}
var rootOperationsNeedingAnalysis = PooledHashSet <(IOperation, ISymbol)> .GetInstance();
compilationStartAnalysisContext.RegisterOperationBlockStartAction(
operationBlockStartContext =>
{
ISymbol owningSymbol = operationBlockStartContext.OwningSymbol;
AnalyzerOptions options = operationBlockStartContext.Options;
CancellationToken cancellationToken = operationBlockStartContext.CancellationToken;
if (options.IsConfiguredToSkipAnalysis(RuleRequiredPasswordValidators, owningSymbol, compilation, cancellationToken))
{
return;
}
operationBlockStartContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
var returnOperation = (IReturnOperation)operationAnalysisContext.Operation;
if (validatorType.Equals(returnOperation.ReturnedValue?.Type))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(
(returnOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.Return);
operationBlockStartContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
var argumentOperation = (IArgumentOperation)operationAnalysisContext.Operation;
if (argumentOperation.Parameter.Type.Equals(validatorType))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((argumentOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.Argument);
operationBlockStartContext.RegisterOperationAction(
ctx =>
{
var operation = (IObjectCreationOperation)ctx.Operation;
if (validatorType.Equals(operation.Type))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((operation.GetRoot(), ctx.ContainingSymbol));
}
}
},
OperationKind.ObjectCreation);
});
compilationStartAnalysisContext.RegisterCompilationEndAction(
(CompilationAnalysisContext compilationAnalysisContext) =>
{
PooledDictionary <(Location Location, IMethodSymbol?Method), HazardousUsageEvaluationResult>?allResults = null;
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
PooledDictionary <(Location Location, IMethodSymbol?Method), HazardousUsageEvaluationResult>?GetHazardousUsages(
ConstructorMapper constructorMapper,
PropertyMapperCollection propertyMappers,
HazardousUsageEvaluatorCollection hazardousUsageEvaluators)
{
return(PropertySetAnalysis.BatchGetOrComputeHazardousUsages(
compilationAnalysisContext.Compilation,
rootOperationsNeedingAnalysis,
compilationAnalysisContext.Options,
ValidatorTypeName,
constructorMapper,
propertyMappers,
hazardousUsageEvaluators,
InterproceduralAnalysisConfiguration.Create(
compilationAnalysisContext.Options,
SupportedDiagnostics,
rootOperationsNeedingAnalysis.First().Item1,
compilationAnalysisContext.Compilation,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: compilationAnalysisContext.CancellationToken)));
}
var configuration = Configuration.GetOrCreate(compilationStartAnalysisContext);
foreach (var requiredProperty in configuration.PasswordValidatorRequiredProperties)
{
allResults?.Free(compilationAnalysisContext.CancellationToken);
allResults = null;
(PropertyMapperCollection propertyMappers, ConstructorMapper constructorMapper) =
BuildRequiredPropertiesMappers((x) => PropertySetToTrueCallback(x, configuration.AuditMode), requiredProperty);
allResults = GetHazardousUsages(constructorMapper, propertyMappers, HazardousUsageEvaluators);
ReportDiagnostics(
RuleRequiredPasswordValidators,
compilationAnalysisContext,
allResults,
configuration.AuditMode,
requiredProperty);
}
allResults?.Free(compilationAnalysisContext.CancellationToken);
allResults = null;
(PropertyMapperCollection propertyMappers2, ConstructorMapper constructorMapper2) =
BuildRequiredPropertiesMappers((x) => PropertyLenCallback(x, configuration.AuditMode, configuration.PasswordValidatorRequiredLength), "RequiredLength");
allResults = GetHazardousUsages(constructorMapper2, propertyMappers2, HazardousUsageEvaluators);
ReportDiagnostics(
RulePasswordLength,
compilationAnalysisContext,
allResults,
configuration.AuditMode,
configuration.PasswordValidatorRequiredLength);
var hazardousUsageEvaluators = new HazardousUsageEvaluatorCollection(
new HazardousUsageEvaluator(
HazardousUsageEvaluatorKind.Return,
(abstractValue) => PropertiesCountEvaluatorCallback(
abstractValue, configuration.MinimumPasswordValidatorProperties, configuration.AuditMode)),
new HazardousUsageEvaluator(
HazardousUsageEvaluatorKind.Initialization,
(abstractValue) => PropertiesCountEvaluatorCallback(
abstractValue, configuration.MinimumPasswordValidatorProperties, configuration.AuditMode)),
new HazardousUsageEvaluator(
HazardousUsageEvaluatorKind.Argument,
(abstractValue) => PropertiesCountEvaluatorCallback(
abstractValue, configuration.MinimumPasswordValidatorProperties, configuration.AuditMode)));
allResults?.Free(compilationAnalysisContext.CancellationToken);
allResults = null;
(PropertyMapperCollection propertyMappers3, ConstructorMapper constructorMapper3) =
BuildRequiredPropertiesMappers((x) => PropertySetToTrueCallback(x, configuration.AuditMode), AllPropertyNames);
allResults = GetHazardousUsages(constructorMapper3, propertyMappers3, hazardousUsageEvaluators);
ReportDiagnostics(
RulePasswordValidators,
compilationAnalysisContext,
allResults,
configuration.AuditMode,
configuration.MinimumPasswordValidatorProperties);
}
}
finally
{
rootOperationsNeedingAnalysis.Free(compilationAnalysisContext.CancellationToken);
allResults?.Free(compilationAnalysisContext.CancellationToken);
}
});
});
}
public override void Initialize(AnalysisContext context)
{
if (!Debugger.IsAttached) // prefer single thread for debugging in development
{
context.EnableConcurrentExecution();
}
if (context.IsAuditMode())
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
}
else
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
}
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationContext) =>
{
var config = Configuration.GetOrCreate(compilationContext);
if (config.AuditMode)
{
TaintedDataSymbolMap <SinkInfo> sinkInfoSymbolMap = config.TaintConfiguration.GetSinkSymbolMap(this.SinkKind);
if (sinkInfoSymbolMap.IsEmpty)
{
return;
}
Compilation compilation = compilationContext.Compilation;
compilationContext.RegisterOperationBlockStartAction(
operationBlockStartContext =>
{
ISymbol owningSymbol = operationBlockStartContext.OwningSymbol;
AnalyzerOptions options = operationBlockStartContext.Options;
CancellationToken cancellationToken = operationBlockStartContext.CancellationToken;
if (options.IsConfiguredToSkipAnalysis(TaintedDataEnteringSinkDescriptor, owningSymbol, compilation, cancellationToken))
{
return;
}
WellKnownTypeProvider wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilation);
void CreateWarning(OperationAnalysisContext operationAnalysisContext, Location location, ISymbol paramSymbol, ISymbol symbol)
{
// Something like:
// CA3001: Potential SQL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'.
Diagnostic diagnostic = Diagnostic.Create(
this.TaintedDataEnteringSinkDescriptor,
location,
additionalLocations: new Location[] { location },
messageArgs: new object[] {
paramSymbol.Name,
symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat)
});
operationAnalysisContext.ReportDiagnostic(diagnostic);
}
bool IsConstant(IOperation operation, IOperation value, OperationAnalysisContext operationAnalysisContext)
{
if (value.ConstantValue.HasValue || value is ITypeOfOperation)
{
return(true);
}
if (!operation.TryGetEnclosingControlFlowGraph(out var cfg))
{
return(false);
}
var valueContentResult = ValueContentAnalysis.TryGetOrComputeResult(cfg, owningSymbol, wellKnownTypeProvider,
operationAnalysisContext.Options, TaintedDataEnteringSinkDescriptor, PointsToAnalysisKind.Complete, operationAnalysisContext.CancellationToken);
if (valueContentResult == null)
{
return(false);
}
ValueContentAbstractValue abstractValue = valueContentResult[value.Kind, value.Syntax];
return(abstractValue.NonLiteralState == ValueContainsNonLiteralState.No);
}
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IAssignmentOperation operation = (IAssignmentOperation)operationAnalysisContext.Operation;
if (!(operation.Target is IPropertyReferenceOperation propertyReferenceOperation))
{
return;
}
IEnumerable <SinkInfo>?infosForType = sinkInfoSymbolMap.GetInfosForType(propertyReferenceOperation.Member.ContainingType);
if (infosForType != null &&
infosForType.Any(x => x.SinkProperties.Contains(propertyReferenceOperation.Member.MetadataName)) &&
!IsConstant(operation, operation.Value, operationAnalysisContext))
{
CreateWarning(
operationAnalysisContext,
propertyReferenceOperation.Syntax.GetLocation(),
operation.Value.Type,
propertyReferenceOperation.Member);
}
},
OperationKind.SimpleAssignment);
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IInvocationOperation invocationOperation = (IInvocationOperation)operationAnalysisContext.Operation;
IEnumerable <SinkInfo>?infosForType = sinkInfoSymbolMap.GetInfosForType(invocationOperation.TargetMethod.ContainingType);
if (infosForType == null)
{
return;
}
foreach (SinkInfo sinkInfo in infosForType)
{
foreach (IArgumentOperation taintedArgument in invocationOperation.Arguments.Where(x => !IsConstant(x, x.Value, operationAnalysisContext)))
{
if (sinkInfo.SinkMethodParameters.TryGetValue(invocationOperation.TargetMethod.MetadataName, out ImmutableHashSet <string> sinkParameters) &&
sinkParameters.Contains(taintedArgument.Parameter.MetadataName))
{
CreateWarning(operationAnalysisContext, invocationOperation.Syntax.GetLocation(), taintedArgument.Parameter, invocationOperation.TargetMethod);
return;
}
}
}
},
OperationKind.Invocation);
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IObjectCreationOperation invocationOperation = (IObjectCreationOperation)operationAnalysisContext.Operation;
IEnumerable <SinkInfo>?infosForType = sinkInfoSymbolMap.GetInfosForType(invocationOperation.Constructor.ContainingType);
if (infosForType == null)
{
return;
}
foreach (SinkInfo sinkInfo in infosForType)
{
foreach (IArgumentOperation taintedArgument in invocationOperation.Arguments.Where(x => !IsConstant(x, x.Value, operationAnalysisContext)))
{
if (sinkInfo.IsAnyStringParameterInConstructorASink &&
taintedArgument.Parameter.Type.SpecialType == SpecialType.System_String)
{
CreateWarning(operationAnalysisContext, invocationOperation.Syntax.GetLocation(), taintedArgument.Parameter, invocationOperation.Constructor);
return;
}
else if (sinkInfo.SinkMethodParameters.TryGetValue(invocationOperation.Constructor.MetadataName, out ImmutableHashSet <string> sinkParameters) &&
sinkParameters.Contains(taintedArgument.Parameter.MetadataName))
{
CreateWarning(operationAnalysisContext, invocationOperation.Syntax.GetLocation(), taintedArgument.Parameter, invocationOperation.Constructor);
return;
}
}
}
},
OperationKind.ObjectCreation);
});
}
else
{
TaintedDataSymbolMap <SourceInfo> sourceInfoSymbolMap = config.TaintConfiguration.GetSourceSymbolMap(this.SinkKind);
if (sourceInfoSymbolMap.IsEmpty)
{
return;
}
TaintedDataSymbolMap <SinkInfo> sinkInfoSymbolMap = config.TaintConfiguration.GetSinkSymbolMap(this.SinkKind);
if (sinkInfoSymbolMap.IsEmpty)
{
return;
}
Compilation compilation = compilationContext.Compilation;
compilationContext.RegisterOperationBlockStartAction(
operationBlockStartContext =>
{
ISymbol owningSymbol = operationBlockStartContext.OwningSymbol;
AnalyzerOptions options = operationBlockStartContext.Options;
CancellationToken cancellationToken = operationBlockStartContext.CancellationToken;
if (options.IsConfiguredToSkipAnalysis(TaintedDataEnteringSinkDescriptor, owningSymbol, compilation, cancellationToken))
{
return;
}
WellKnownTypeProvider wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilation);
Lazy <ControlFlowGraph?> controlFlowGraphFactory = new Lazy <ControlFlowGraph?>(
() => operationBlockStartContext.OperationBlocks.GetControlFlowGraph());
Lazy <PointsToAnalysisResult?> pointsToFactory = new Lazy <PointsToAnalysisResult?>(
() =>
{
if (controlFlowGraphFactory.Value == null)
{
return(null);
}
InterproceduralAnalysisConfiguration interproceduralAnalysisConfiguration = InterproceduralAnalysisConfiguration.Create(
options,
SupportedDiagnostics,
controlFlowGraphFactory.Value,
operationBlockStartContext.Compilation,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: cancellationToken,
defaultMaxInterproceduralMethodCallChain: config.MaxInterproceduralMethodCallChain,
defaultMaxInterproceduralLambdaOrLocalFunctionCallChain: config.MaxInterproceduralLambdaOrLocalFunctionCallChain);
return(PointsToAnalysis.TryGetOrComputeResult(
controlFlowGraphFactory.Value,
owningSymbol,
options,
wellKnownTypeProvider,
PointsToAnalysisKind.Complete,
interproceduralAnalysisConfiguration,
interproceduralAnalysisPredicate: null));
});
Lazy <(PointsToAnalysisResult?, ValueContentAnalysisResult?)> valueContentFactory = new Lazy <(PointsToAnalysisResult?, ValueContentAnalysisResult?)>(
() =>
{
if (controlFlowGraphFactory.Value == null)
{
return(null, null);
}
InterproceduralAnalysisConfiguration interproceduralAnalysisConfiguration = InterproceduralAnalysisConfiguration.Create(
options,
SupportedDiagnostics,
controlFlowGraphFactory.Value,
operationBlockStartContext.Compilation,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: cancellationToken,
defaultMaxInterproceduralMethodCallChain: config.MaxInterproceduralMethodCallChain,
defaultMaxInterproceduralLambdaOrLocalFunctionCallChain: config.MaxInterproceduralLambdaOrLocalFunctionCallChain);
ValueContentAnalysisResult?valuecontentAnalysisResult = ValueContentAnalysis.TryGetOrComputeResult(
controlFlowGraphFactory.Value,
owningSymbol,
options,
wellKnownTypeProvider,
PointsToAnalysisKind.Complete,
interproceduralAnalysisConfiguration,
out _,
out PointsToAnalysisResult? p);
return(p, valuecontentAnalysisResult);
});
var rootOperationsNeedingAnalysis = PooledHashSet <IOperation> .GetInstance();
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IPropertyReferenceOperation propertyReferenceOperation = (IPropertyReferenceOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceProperty(propertyReferenceOperation.Property))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(propertyReferenceOperation.GetRoot());
}
}
},
OperationKind.PropertyReference);
if (sourceInfoSymbolMap.RequiresFieldReferenceAnalysis)
{
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IFieldReferenceOperation fieldReferenceOperation = (IFieldReferenceOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceField(fieldReferenceOperation.Field))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(fieldReferenceOperation.GetRoot());
}
}
},
OperationKind.FieldReference);
}
if (sourceInfoSymbolMap.RequiresParameterReferenceAnalysis)
{
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IParameterReferenceOperation parameterReferenceOperation = (IParameterReferenceOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceParameter(parameterReferenceOperation.Parameter, wellKnownTypeProvider))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(parameterReferenceOperation.GetRoot());
}
}
},
OperationKind.ParameterReference);
}
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IInvocationOperation invocationOperation = (IInvocationOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceMethod(
invocationOperation.TargetMethod,
invocationOperation.Arguments,
pointsToFactory,
valueContentFactory,
out _))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(invocationOperation.GetRoot());
}
}
},
OperationKind.Invocation);
if (config.TaintConfiguration.HasTaintArraySource(SinkKind, config))
{
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IArrayInitializerOperation arrayInitializerOperation = (IArrayInitializerOperation)operationAnalysisContext.Operation;
if (arrayInitializerOperation.GetAncestor <IArrayCreationOperation>(OperationKind.ArrayCreation)?.Type is IArrayTypeSymbol arrayTypeSymbol &&
sourceInfoSymbolMap.IsSourceConstantArrayOfType(arrayTypeSymbol, arrayInitializerOperation))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(operationAnalysisContext.Operation.GetRoot());
}
}
},
OperationKind.ArrayInitializer);
}
operationBlockStartContext.RegisterOperationBlockEndAction(
operationBlockAnalysisContext =>
{
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
if (controlFlowGraphFactory.Value == null)
{
return;
}
foreach (IOperation rootOperation in rootOperationsNeedingAnalysis)
{
TaintedDataAnalysisResult?taintedDataAnalysisResult = TaintedDataAnalysis.TryGetOrComputeResult(
controlFlowGraphFactory.Value,
operationBlockAnalysisContext.Compilation,
operationBlockAnalysisContext.OwningSymbol,
operationBlockAnalysisContext.Options,
TaintedDataEnteringSinkDescriptor,
sourceInfoSymbolMap,
config.TaintConfiguration.GetSanitizerSymbolMap(this.SinkKind),
sinkInfoSymbolMap,
operationBlockAnalysisContext.CancellationToken,
config.MaxInterproceduralMethodCallChain,
config.MaxInterproceduralLambdaOrLocalFunctionCallChain);
if (taintedDataAnalysisResult == null)
{
return;
}
foreach (TaintedDataSourceSink sourceSink in taintedDataAnalysisResult.TaintedDataSourceSinks)
{
if (!sourceSink.SinkKinds.Contains(this.SinkKind))
{
continue;
}
foreach (SymbolAccess sourceOrigin in sourceSink.SourceOrigins)
{
// Something like:
// CA3001: Potential SQL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'.
Diagnostic diagnostic = Diagnostic.Create(
this.TaintedDataEnteringSinkDescriptor,
sourceSink.Sink.Location,
additionalLocations: new Location[] { sourceOrigin.Location },
messageArgs: new object[] {
sourceSink.Sink.Symbol.Name,
sourceSink.Sink.AccessingMethod.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
sourceOrigin.Symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
sourceOrigin.AccessingMethod.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat)
});
operationBlockAnalysisContext.ReportDiagnostic(diagnostic);
}
}
}
}
}
finally
{
rootOperationsNeedingAnalysis.Free(compilationContext.CancellationToken);
}
});
});
}
});
}
public override void Initialize(AnalysisContext context)
{
context.EnableConcurrentExecution();
// Security analyzer - analyze and report diagnostics on generated code.
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
HazardousUsageEvaluatorCollection hazardousUsageEvaluators = new HazardousUsageEvaluatorCollection(
new HazardousUsageEvaluator("GetBytes", HazardousUsageCallback));
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationStartAnalysisContext) =>
{
var wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilationStartAnalysisContext.Compilation);
if (!wellKnownTypeProvider.TryGetTypeByMetadataName(WellKnownTypeNames.SystemSecurityCryptographyRfc2898DeriveBytes, out var rfc2898DeriveBytesTypeSymbol))
{
return;
}
var cancellationToken = compilationStartAnalysisContext.CancellationToken;
var sufficientIterationCount = compilationStartAnalysisContext.Options.GetUnsignedIntegralOptionValue(
optionName: EditorConfigOptionNames.SufficientIterationCountForWeakKDFAlgorithm,
rule: DefinitelyUseWeakKDFInsufficientIterationCountRule,
defaultValue: 100000,
cancellationToken: cancellationToken);
var constructorMapper = new ConstructorMapper(
(IMethodSymbol constructorMethod, IReadOnlyList <ValueContentAbstractValue> argumentValueContentAbstractValues,
IReadOnlyList <PointsToAbstractValue> argumentPointsToAbstractValues) =>
{
var kind = DefaultIterationCount >= sufficientIterationCount ? PropertySetAbstractValueKind.Unflagged : PropertySetAbstractValueKind.Flagged;
if (constructorMethod.Parameters.Length >= 3)
{
if (constructorMethod.Parameters[2].Name == "iterations" &&
constructorMethod.Parameters[2].Type.SpecialType == SpecialType.System_Int32)
{
kind = PropertySetAnalysis.EvaluateLiteralValues(argumentValueContentAbstractValues[2], o => Convert.ToInt32(o) < sufficientIterationCount);
}
}
return(PropertySetAbstractValue.GetInstance(kind));
});
var propertyMappers = new PropertyMapperCollection(
new PropertyMapper(
"IterationCount",
(ValueContentAbstractValue valueContentAbstractValue) =>
{
return(PropertySetAnalysis.EvaluateLiteralValues(valueContentAbstractValue, o => Convert.ToInt32(o) < sufficientIterationCount));
}));
var rootOperationsNeedingAnalysis = PooledHashSet <(IOperation, ISymbol)> .GetInstance();
compilationStartAnalysisContext.RegisterOperationBlockStartAction(
(OperationBlockStartAnalysisContext operationBlockStartAnalysisContext) =>
{
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
var invocationOperation = (IInvocationOperation)operationAnalysisContext.Operation;
if (rfc2898DeriveBytesTypeSymbol.Equals(invocationOperation.Instance?.Type) &&
invocationOperation.TargetMethod.Name == "GetBytes")
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((invocationOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.Invocation);
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
var argumentOperation = (IArgumentOperation)operationAnalysisContext.Operation;
if (rfc2898DeriveBytesTypeSymbol.Equals(argumentOperation.Parameter.Type))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((argumentOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.Argument);
});
compilationStartAnalysisContext.RegisterCompilationEndAction(
(CompilationAnalysisContext compilationAnalysisContext) =>
{
PooledDictionary <(Location Location, IMethodSymbol Method), HazardousUsageEvaluationResult> allResults = null;
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
allResults = PropertySetAnalysis.BatchGetOrComputeHazardousUsages(
compilationAnalysisContext.Compilation,
rootOperationsNeedingAnalysis,
WellKnownTypeNames.SystemSecurityCryptographyRfc2898DeriveBytes,
constructorMapper,
propertyMappers,
hazardousUsageEvaluators,
InterproceduralAnalysisConfiguration.Create(
compilationAnalysisContext.Options,
SupportedDiagnostics,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: cancellationToken));
}
if (allResults == null)
{
return;
}
foreach (KeyValuePair <(Location Location, IMethodSymbol Method), HazardousUsageEvaluationResult> kvp
in allResults)
{
DiagnosticDescriptor descriptor;
switch (kvp.Value)
{
case HazardousUsageEvaluationResult.Flagged:
descriptor = DefinitelyUseWeakKDFInsufficientIterationCountRule;
break;
case HazardousUsageEvaluationResult.MaybeFlagged:
descriptor = MaybeUseWeakKDFInsufficientIterationCountRule;
break;
default:
Debug.Fail($"Unhandled result value {kvp.Value}");
continue;
}
compilationAnalysisContext.ReportDiagnostic(
Diagnostic.Create(
descriptor,
kvp.Key.Location,
sufficientIterationCount));
}
}
finally
{
rootOperationsNeedingAnalysis.Free();
allResults?.Free();
}
});
});
}
public override void Initialize(AnalysisContext context)
{
context.EnableConcurrentExecution();
// Security analyzer - analyze and report diagnostics on generated code.
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
HazardousUsageEvaluatorCollection hazardousUsageEvaluators = new HazardousUsageEvaluatorCollection(
new HazardousUsageEvaluator("Add", HazardousUsageCallback));
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationStartAnalysisContext) =>
{
var wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilationStartAnalysisContext.Compilation);
if (!wellKnownTypeProvider.TryGetTypeByMetadataName(WellKnownTypeNames.SystemSecurityCryptographyX509CertificatesX509Store, out var x509TypeSymbol))
{
return;
}
if (!wellKnownTypeProvider.TryGetTypeByMetadataName(WellKnownTypeNames.SystemSecurityCryptographyX509CertificatesStoreName, out var storeNameTypeSymbol))
{
return;
}
// If X509Store is initialized with Root store, then that instance is flagged.
var constructorMapper = new ConstructorMapper(
(IMethodSymbol constructorMethod, IReadOnlyList <ValueContentAbstractValue> argumentValueContentAbstractValues,
IReadOnlyList <PointsToAbstractValue> argumentPointsToAbstractValues) =>
{
var kind = PropertySetAbstractValueKind.Unflagged;
if (constructorMethod.Parameters.Length > 0)
{
if (constructorMethod.Parameters[0].Type.Equals(storeNameTypeSymbol))
{
kind = PropertySetCallbacks.EvaluateLiteralValues(argumentValueContentAbstractValues[0], o => o.Equals(6));
}
else if (constructorMethod.Parameters[0].Type.SpecialType == SpecialType.System_String)
{
kind = PropertySetCallbacks.EvaluateLiteralValues(
argumentValueContentAbstractValues[0],
s => string.Equals(s.ToString(), "root", StringComparison.OrdinalIgnoreCase));
}
}
return(PropertySetAbstractValue.GetInstance(kind));
});
var rootOperationsNeedingAnalysis = PooledHashSet <(IOperation, ISymbol)> .GetInstance();
compilationStartAnalysisContext.RegisterOperationBlockStartAction(
(OperationBlockStartAnalysisContext operationBlockStartAnalysisContext) =>
{
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
var invocationOperation = (IInvocationOperation)operationAnalysisContext.Operation;
if (x509TypeSymbol.Equals(invocationOperation.Instance?.Type) &&
invocationOperation.TargetMethod.Name == "Add")
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((invocationOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.Invocation);
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
var argumentOperation = (IArgumentOperation)operationAnalysisContext.Operation;
if (x509TypeSymbol.Equals(argumentOperation.Parameter.Type))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((argumentOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.Argument);
});
compilationStartAnalysisContext.RegisterCompilationEndAction(
(CompilationAnalysisContext compilationAnalysisContext) =>
{
PooledDictionary <(Location Location, IMethodSymbol Method), HazardousUsageEvaluationResult> allResults = null;
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
allResults = PropertySetAnalysis.BatchGetOrComputeHazardousUsages(
compilationAnalysisContext.Compilation,
rootOperationsNeedingAnalysis,
WellKnownTypeNames.SystemSecurityCryptographyX509CertificatesX509Store,
constructorMapper,
PropertyMappers,
hazardousUsageEvaluators,
InterproceduralAnalysisConfiguration.Create(
compilationAnalysisContext.Options,
SupportedDiagnostics,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: compilationAnalysisContext.CancellationToken));
}
if (allResults == null)
{
return;
}
foreach (KeyValuePair <(Location Location, IMethodSymbol Method), HazardousUsageEvaluationResult> kvp
in allResults)
{
DiagnosticDescriptor descriptor;
switch (kvp.Value)
{
case HazardousUsageEvaluationResult.Flagged:
descriptor = DefinitelyInstallRootCertRule;
break;
case HazardousUsageEvaluationResult.MaybeFlagged:
descriptor = MaybeInstallRootCertRule;
break;
default:
Debug.Fail($"Unhandled result value {kvp.Value}");
continue;
}
compilationAnalysisContext.ReportDiagnostic(
Diagnostic.Create(
descriptor,
kvp.Key.Location,
kvp.Key.Method.ToDisplayString(
SymbolDisplayFormat.MinimallyQualifiedFormat)));
}
}
finally
{
rootOperationsNeedingAnalysis.Free();
allResults?.Free();
}
});
});
}
public override void Initialize(AnalysisContext context)
{
context.EnableConcurrentExecution();
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationContext) =>
{
Compilation compilation = compilationContext.Compilation;
TaintedDataConfig taintedDataConfig = TaintedDataConfig.GetOrCreate(compilation);
TaintedDataSymbolMap <SourceInfo> sourceInfoSymbolMap = taintedDataConfig.GetSourceSymbolMap(this.SinkKind);
if (sourceInfoSymbolMap.IsEmpty)
{
return;
}
TaintedDataSymbolMap <SinkInfo> sinkInfoSymbolMap = taintedDataConfig.GetSinkSymbolMap(this.SinkKind);
if (sinkInfoSymbolMap.IsEmpty)
{
return;
}
compilationContext.RegisterOperationBlockStartAction(
operationBlockStartContext =>
{
ISymbol owningSymbol = operationBlockStartContext.OwningSymbol;
AnalyzerOptions options = operationBlockStartContext.Options;
CancellationToken cancellationToken = operationBlockStartContext.CancellationToken;
if (options.IsConfiguredToSkipAnalysis(TaintedDataEnteringSinkDescriptor, owningSymbol, compilation))
{
return;
}
WellKnownTypeProvider wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilation);
Lazy <ControlFlowGraph?> controlFlowGraphFactory = new Lazy <ControlFlowGraph?>(
() => operationBlockStartContext.OperationBlocks.GetControlFlowGraph());
Lazy <PointsToAnalysisResult?> pointsToFactory = new Lazy <PointsToAnalysisResult?>(
() =>
{
if (controlFlowGraphFactory.Value == null)
{
return(null);
}
InterproceduralAnalysisConfiguration interproceduralAnalysisConfiguration = InterproceduralAnalysisConfiguration.Create(
options,
SupportedDiagnostics,
controlFlowGraphFactory.Value,
operationBlockStartContext.Compilation,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive);
return(PointsToAnalysis.TryGetOrComputeResult(
controlFlowGraphFactory.Value,
owningSymbol,
options,
wellKnownTypeProvider,
PointsToAnalysisKind.Complete,
interproceduralAnalysisConfiguration,
interproceduralAnalysisPredicate: null));
});
Lazy <(PointsToAnalysisResult?, ValueContentAnalysisResult?)> valueContentFactory = new Lazy <(PointsToAnalysisResult?, ValueContentAnalysisResult?)>(
() =>
{
if (controlFlowGraphFactory.Value == null)
{
return(null, null);
}
InterproceduralAnalysisConfiguration interproceduralAnalysisConfiguration = InterproceduralAnalysisConfiguration.Create(
options,
SupportedDiagnostics,
controlFlowGraphFactory.Value,
operationBlockStartContext.Compilation,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive);
ValueContentAnalysisResult?valuecontentAnalysisResult = ValueContentAnalysis.TryGetOrComputeResult(
controlFlowGraphFactory.Value,
owningSymbol,
options,
wellKnownTypeProvider,
PointsToAnalysisKind.Complete,
interproceduralAnalysisConfiguration,
out _,
out PointsToAnalysisResult? p);
return(p, valuecontentAnalysisResult);
});
PooledHashSet <IOperation> rootOperationsNeedingAnalysis = PooledHashSet <IOperation> .GetInstance();
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IPropertyReferenceOperation propertyReferenceOperation = (IPropertyReferenceOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceProperty(propertyReferenceOperation.Property))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(propertyReferenceOperation.GetRoot());
}
}
},
OperationKind.PropertyReference);
if (sourceInfoSymbolMap.RequiresParameterReferenceAnalysis)
{
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IParameterReferenceOperation parameterReferenceOperation = (IParameterReferenceOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceParameter(parameterReferenceOperation.Parameter, wellKnownTypeProvider))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(parameterReferenceOperation.GetRoot());
}
}
},
OperationKind.ParameterReference);
}
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IInvocationOperation invocationOperation = (IInvocationOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceMethod(
invocationOperation.TargetMethod,
invocationOperation.Arguments,
pointsToFactory,
valueContentFactory,
out _))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(invocationOperation.GetRoot());
}
}
},
OperationKind.Invocation);
if (TaintedDataConfig.HasTaintArraySource(SinkKind))
{
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IArrayInitializerOperation arrayInitializerOperation = (IArrayInitializerOperation)operationAnalysisContext.Operation;
if (arrayInitializerOperation.GetAncestor <IArrayCreationOperation>(OperationKind.ArrayCreation)?.Type is IArrayTypeSymbol arrayTypeSymbol &&
sourceInfoSymbolMap.IsSourceConstantArrayOfType(arrayTypeSymbol, arrayInitializerOperation))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(operationAnalysisContext.Operation.GetRoot());
}
}
},
OperationKind.ArrayInitializer);
}
operationBlockStartContext.RegisterOperationBlockEndAction(
operationBlockAnalysisContext =>
{
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
if (controlFlowGraphFactory.Value == null)
{
return;
}
foreach (IOperation rootOperation in rootOperationsNeedingAnalysis)
{
TaintedDataAnalysisResult?taintedDataAnalysisResult = TaintedDataAnalysis.TryGetOrComputeResult(
controlFlowGraphFactory.Value,
operationBlockAnalysisContext.Compilation,
operationBlockAnalysisContext.OwningSymbol,
operationBlockAnalysisContext.Options,
TaintedDataEnteringSinkDescriptor,
sourceInfoSymbolMap,
taintedDataConfig.GetSanitizerSymbolMap(this.SinkKind),
sinkInfoSymbolMap);
if (taintedDataAnalysisResult == null)
{
return;
}
foreach (TaintedDataSourceSink sourceSink in taintedDataAnalysisResult.TaintedDataSourceSinks)
{
if (!sourceSink.SinkKinds.Contains(this.SinkKind))
{
continue;
}
foreach (SymbolAccess sourceOrigin in sourceSink.SourceOrigins)
{
// Something like:
// CA3001: Potential SQL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'.
Diagnostic diagnostic = Diagnostic.Create(
this.TaintedDataEnteringSinkDescriptor,
sourceSink.Sink.Location,
additionalLocations: new Location[] { sourceOrigin.Location },
messageArgs: new object[] {
sourceSink.Sink.Symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
sourceSink.Sink.AccessingMethod.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
sourceOrigin.Symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
sourceOrigin.AccessingMethod.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat)
});
operationBlockAnalysisContext.ReportDiagnostic(diagnostic);
}
}
}
}
}
finally
{
rootOperationsNeedingAnalysis.Free(compilationContext.CancellationToken);
}
});
});
});
}
public sealed override void Initialize(AnalysisContext context)
{
ImmutableHashSet <string> cachedDeserializationMethodNames = this.DeserializationMethodNames;
Debug.Assert(!String.IsNullOrWhiteSpace(this.DeserializerTypeMetadataName));
Debug.Assert(!String.IsNullOrWhiteSpace(this.SerializationBinderPropertyMetadataName));
Debug.Assert(cachedDeserializationMethodNames != null);
Debug.Assert(!cachedDeserializationMethodNames.IsEmpty);
Debug.Assert(this.BinderDefinitelyNotSetDescriptor != null);
Debug.Assert(this.BinderMaybeNotSetDescriptor != null);
context.EnableConcurrentExecution();
// Security analyzer - analyze and report diagnostics on generated code.
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
// For PropertySetAnalysis dataflow analysis.
PropertyMapperCollection propertyMappers = new PropertyMapperCollection(
new PropertyMapper(
this.SerializationBinderPropertyMetadataName,
(PointsToAbstractValue pointsToAbstractValue) =>
{
// A null SerializationBinder is what we want to flag as hazardous.
switch (pointsToAbstractValue.NullState)
{
case NullAbstractValue.Null:
return(PropertySetAbstractValueKind.Flagged);
case NullAbstractValue.NotNull:
return(PropertySetAbstractValueKind.Unflagged);
default:
return(PropertySetAbstractValueKind.MaybeFlagged);
}
}));
HazardousUsageEvaluatorCollection hazardousUsageEvaluators =
new HazardousUsageEvaluatorCollection(
cachedDeserializationMethodNames.Select(
methodName => new HazardousUsageEvaluator(methodName, DoNotUseInsecureDeserializerWithoutBinderBase.HazardousIfNull)));
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationStartAnalysisContext) =>
{
WellKnownTypeProvider wellKnownTypeProvider =
WellKnownTypeProvider.GetOrCreate(compilationStartAnalysisContext.Compilation);
if (!wellKnownTypeProvider.TryGetTypeByMetadataName(
this.DeserializerTypeMetadataName,
out INamedTypeSymbol deserializerTypeSymbol))
{
return;
}
PooledHashSet <(IOperation Operation, ISymbol ContainingSymbol)> rootOperationsNeedingAnalysis = PooledHashSet <(IOperation, ISymbol)> .GetInstance();
compilationStartAnalysisContext.RegisterOperationBlockStartAction(
(OperationBlockStartAnalysisContext operationBlockStartAnalysisContext) =>
{
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
IObjectCreationOperation creationOperation =
(IObjectCreationOperation)operationAnalysisContext.Operation;
if (deserializerTypeSymbol.Equals(creationOperation.Type))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((operationAnalysisContext.Operation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.ObjectCreation);
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
IInvocationOperation invocationOperation =
(IInvocationOperation)operationAnalysisContext.Operation;
if (Equals(invocationOperation.Instance?.Type, deserializerTypeSymbol) &&
cachedDeserializationMethodNames.Contains(invocationOperation.TargetMethod.Name))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((operationAnalysisContext.Operation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.Invocation);
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
IMethodReferenceOperation methodReferenceOperation =
(IMethodReferenceOperation)operationAnalysisContext.Operation;
if (Equals(methodReferenceOperation.Instance?.Type, deserializerTypeSymbol) &&
cachedDeserializationMethodNames.Contains(
methodReferenceOperation.Method.MetadataName))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((operationAnalysisContext.Operation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.MethodReference);
});
compilationStartAnalysisContext.RegisterCompilationEndAction(
(CompilationAnalysisContext compilationAnalysisContext) =>
{
PooledDictionary <(Location Location, IMethodSymbol Method), HazardousUsageEvaluationResult> allResults = null;
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
allResults = PropertySetAnalysis.BatchGetOrComputeHazardousUsages(
compilationAnalysisContext.Compilation,
rootOperationsNeedingAnalysis,
this.DeserializerTypeMetadataName,
DoNotUseInsecureDeserializerWithoutBinderBase.ConstructorMapper,
propertyMappers,
hazardousUsageEvaluators,
InterproceduralAnalysisConfiguration.Create(
compilationAnalysisContext.Options,
SupportedDiagnostics,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: compilationAnalysisContext.CancellationToken));
}
if (allResults == null)
{
return;
}
foreach (KeyValuePair <(Location Location, IMethodSymbol Method), HazardousUsageEvaluationResult> kvp
in allResults)
{
DiagnosticDescriptor descriptor;
switch (kvp.Value)
{
case HazardousUsageEvaluationResult.Flagged:
descriptor = this.BinderDefinitelyNotSetDescriptor;
break;
case HazardousUsageEvaluationResult.MaybeFlagged:
descriptor = this.BinderMaybeNotSetDescriptor;
break;
default:
Debug.Fail($"Unhandled result value {kvp.Value}");
continue;
}
compilationAnalysisContext.ReportDiagnostic(
Diagnostic.Create(
descriptor,
kvp.Key.Location,
kvp.Key.Method.ToDisplayString(
SymbolDisplayFormat.MinimallyQualifiedFormat)));
}
}
finally
{
rootOperationsNeedingAnalysis.Free();
allResults?.Free();
}
});
});
}
public override void Initialize(AnalysisContext context)
{
context.EnableConcurrentExecution();
// Security analyzer - analyze and report diagnostics on generated code.
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationStartAnalysisContext) =>
{
var wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilationStartAnalysisContext.Compilation);
if (!wellKnownTypeProvider.TryGetOrCreateTypeByMetadataName(WellKnownTypeNames.SystemSecurityCryptographySymmetricAlgorithm, out var symmetricAlgorithmTypeSymbol))
{
return;
}
var rootOperationsNeedingAnalysis = PooledHashSet <(IOperation, ISymbol)> .GetInstance();
compilationStartAnalysisContext.RegisterOperationBlockStartAction(
(OperationBlockStartAnalysisContext operationBlockStartAnalysisContext) =>
{
var owningSymbol = operationBlockStartAnalysisContext.OwningSymbol;
// TODO: Handle case when exactly one of the below rules is configured to skip analysis.
if (operationBlockStartAnalysisContext.Options.IsConfiguredToSkipAnalysis(DefinitelyUseCreateEncryptorWithNonDefaultIVRule,
owningSymbol, operationBlockStartAnalysisContext.Compilation, operationBlockStartAnalysisContext.CancellationToken) &&
operationBlockStartAnalysisContext.Options.IsConfiguredToSkipAnalysis(MaybeUseCreateEncryptorWithNonDefaultIVRule,
owningSymbol, operationBlockStartAnalysisContext.Compilation, operationBlockStartAnalysisContext.CancellationToken))
{
return;
}
operationBlockStartAnalysisContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
var invocationOperation = (IInvocationOperation)operationAnalysisContext.Operation;
var methodSymbol = invocationOperation.TargetMethod;
if (methodSymbol.ContainingType.GetBaseTypesAndThis().Contains(symmetricAlgorithmTypeSymbol) &&
methodSymbol.Name == "CreateEncryptor")
{
if (methodSymbol.Parameters.IsEmpty)
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((invocationOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
else
{
operationAnalysisContext.ReportDiagnostic(
invocationOperation.CreateDiagnostic(
DefinitelyUseCreateEncryptorWithNonDefaultIVRule));
}
}
},
OperationKind.Invocation);
});
compilationStartAnalysisContext.RegisterCompilationEndAction(
(CompilationAnalysisContext compilationAnalysisContext) =>
{
PooledDictionary <(Location Location, IMethodSymbol?Method), HazardousUsageEvaluationResult>?allResults = null;
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
allResults = PropertySetAnalysis.BatchGetOrComputeHazardousUsages(
compilationAnalysisContext.Compilation,
rootOperationsNeedingAnalysis,
compilationAnalysisContext.Options,
WellKnownTypeNames.SystemSecurityCryptographySymmetricAlgorithm,
ConstructorMapper,
PropertyMappers,
HazardousUsageEvaluators,
InterproceduralAnalysisConfiguration.Create(
compilationAnalysisContext.Options,
SupportedDiagnostics,
rootOperationsNeedingAnalysis.First().Item1.Syntax.SyntaxTree,
compilationAnalysisContext.Compilation,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: compilationAnalysisContext.CancellationToken));
}
if (allResults == null)
{
return;
}
foreach (KeyValuePair <(Location Location, IMethodSymbol?Method), HazardousUsageEvaluationResult> kvp
in allResults)
{
DiagnosticDescriptor descriptor;
switch (kvp.Value)
{
case HazardousUsageEvaluationResult.Flagged:
descriptor = DefinitelyUseCreateEncryptorWithNonDefaultIVRule;
break;
case HazardousUsageEvaluationResult.MaybeFlagged:
descriptor = MaybeUseCreateEncryptorWithNonDefaultIVRule;
break;
default:
Debug.Fail($"Unhandled result value {kvp.Value}");
continue;
}
RoslynDebug.Assert(kvp.Key.Method != null); // HazardousUsageEvaluations only for invocations.
compilationAnalysisContext.ReportDiagnostic(
Diagnostic.Create(
descriptor,
kvp.Key.Location,
kvp.Key.Method.ToDisplayString(
SymbolDisplayFormat.MinimallyQualifiedFormat)));
}
}
finally
{
rootOperationsNeedingAnalysis.Free(compilationAnalysisContext.CancellationToken);
allResults?.Free(compilationAnalysisContext.CancellationToken);
}
});
});
}
public override void Initialize(AnalysisContext context)
{
context.EnableConcurrentExecution();
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationContext) =>
{
TaintedDataConfig taintedDataConfig = TaintedDataConfig.GetOrCreate(compilationContext.Compilation);
TaintedDataSymbolMap <SourceInfo> sourceInfoSymbolMap = taintedDataConfig.GetSourceSymbolMap(this.SinkKind);
if (sourceInfoSymbolMap.IsEmpty)
{
return;
}
TaintedDataSymbolMap <SinkInfo> sinkInfoSymbolMap = taintedDataConfig.GetSinkSymbolMap(this.SinkKind);
if (sinkInfoSymbolMap.IsEmpty)
{
return;
}
compilationContext.RegisterOperationBlockStartAction(
operationBlockStartContext =>
{
ISymbol owningSymbol = operationBlockStartContext.OwningSymbol;
if (owningSymbol.IsConfiguredToSkipAnalysis(operationBlockStartContext.Options,
TaintedDataEnteringSinkDescriptor, operationBlockStartContext.Compilation, operationBlockStartContext.CancellationToken))
{
return;
}
PooledHashSet <IOperation> rootOperationsNeedingAnalysis = PooledHashSet <IOperation> .GetInstance();
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IPropertyReferenceOperation propertyReferenceOperation = (IPropertyReferenceOperation)operationAnalysisContext.Operation;
IOperation rootOperation = operationAnalysisContext.Operation.GetRoot();
if (sourceInfoSymbolMap.IsSourceProperty(propertyReferenceOperation.Property))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(rootOperation);
}
}
},
OperationKind.PropertyReference);
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IInvocationOperation invocationOperation = (IInvocationOperation)operationAnalysisContext.Operation;
IOperation rootOperation = operationAnalysisContext.Operation.GetRoot();
PooledDictionary <PointsToCheck, ImmutableHashSet <string> > evaluateWithPointsToAnalysis = null;
PooledDictionary <ValueContentCheck, ImmutableHashSet <string> > evaluateWithValueContentAnalysis = null;
PointsToAnalysisResult pointsToAnalysisResult = null;
ValueContentAnalysisResult valueContentAnalysisResult = null;
if (rootOperation.TryGetEnclosingControlFlowGraph(out ControlFlowGraph cfg))
{
pointsToAnalysisResult = PointsToAnalysis.TryGetOrComputeResult(
cfg,
owningSymbol,
operationAnalysisContext.Options,
WellKnownTypeProvider.GetOrCreate(operationAnalysisContext.Compilation),
InterproceduralAnalysisConfiguration.Create(
operationAnalysisContext.Options,
SupportedDiagnostics,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: operationAnalysisContext.CancellationToken),
interproceduralAnalysisPredicateOpt: null);
if (pointsToAnalysisResult == null)
{
return;
}
}
if (sourceInfoSymbolMap.RequiresValueContentAnalysis)
{
valueContentAnalysisResult = ValueContentAnalysis.TryGetOrComputeResult(
cfg,
owningSymbol,
operationAnalysisContext.Options,
WellKnownTypeProvider.GetOrCreate(operationAnalysisContext.Compilation),
InterproceduralAnalysisConfiguration.Create(
operationAnalysisContext.Options,
SupportedDiagnostics,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: operationAnalysisContext.CancellationToken),
out var copyAnalysisResult,
out pointsToAnalysisResult);
if (valueContentAnalysisResult == null)
{
return;
}
}
try
{
if (sourceInfoSymbolMap.IsSourceMethod(
invocationOperation.TargetMethod,
invocationOperation.Arguments,
invocationOperation.Arguments.Select(o => pointsToAnalysisResult[o.Kind, o.Syntax]).ToImmutableArray(),
invocationOperation.Arguments.Select(o => valueContentAnalysisResult[o.Kind, o.Syntax]).ToImmutableArray(),
out _))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(rootOperation);
}
}
}
finally
{
evaluateWithPointsToAnalysis?.Free();
evaluateWithValueContentAnalysis?.Free();
}
},
OperationKind.Invocation);
if (taintedDataConfig.HasTaintArraySource(SinkKind))
{
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IArrayInitializerOperation arrayInitializerOperation = (IArrayInitializerOperation)operationAnalysisContext.Operation;
if (arrayInitializerOperation.GetAncestor <IArrayCreationOperation>(OperationKind.ArrayCreation)?.Type is IArrayTypeSymbol arrayTypeSymbol &&
sourceInfoSymbolMap.IsSourceConstantArrayOfType(arrayTypeSymbol))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(operationAnalysisContext.Operation.GetRoot());
}
}
},
OperationKind.ArrayInitializer);
}
operationBlockStartContext.RegisterOperationBlockEndAction(
operationBlockAnalysisContext =>
{
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
foreach (IOperation rootOperation in rootOperationsNeedingAnalysis)
{
if (!rootOperation.TryGetEnclosingControlFlowGraph(out var cfg))
{
continue;
}
TaintedDataAnalysisResult taintedDataAnalysisResult = TaintedDataAnalysis.TryGetOrComputeResult(
cfg,
operationBlockAnalysisContext.Compilation,
operationBlockAnalysisContext.OwningSymbol,
operationBlockAnalysisContext.Options,
TaintedDataEnteringSinkDescriptor,
sourceInfoSymbolMap,
taintedDataConfig.GetSanitizerSymbolMap(this.SinkKind),
sinkInfoSymbolMap,
operationBlockAnalysisContext.CancellationToken);
if (taintedDataAnalysisResult == null)
{
return;
}
foreach (TaintedDataSourceSink sourceSink in taintedDataAnalysisResult.TaintedDataSourceSinks)
{
if (!sourceSink.SinkKinds.Contains(this.SinkKind))
{
continue;
}
foreach (SymbolAccess sourceOrigin in sourceSink.SourceOrigins)
{
// Something like:
// CA3001: Potential SQL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'.
Diagnostic diagnostic = Diagnostic.Create(
this.TaintedDataEnteringSinkDescriptor,
sourceSink.Sink.Location,
additionalLocations: new Location[] { sourceOrigin.Location },
messageArgs: new object[] {
sourceSink.Sink.Symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
sourceSink.Sink.AccessingMethod.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
sourceOrigin.Symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
sourceOrigin.AccessingMethod.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat)
});
operationBlockAnalysisContext.ReportDiagnostic(diagnostic);
}
}
}
}
}
finally
{
rootOperationsNeedingAnalysis.Free();
}
});
});
});
}
