public static List<IO2Finding> mapJoinPoints_HashTagsOn_Sources(List<IO2Finding> o2findings)
{
    // For every finding whose SourceContext contains a quoted "hash tag" name,
    // returns a copy of that finding (made with OzasmtCopy.createCopy) with two
    // extra traces inserted: an O2JoinSource trace named after the tag and an
    // O2JoinLocation trace holding the file of the copy's first trace.
    // Findings without a tag are left out of the result.
    var taggedCopies = new List<IO2Finding>();
    foreach (O2Finding original in o2findings)
    {
        var hashTagName = JoinOnAttributes.extractNameFromContext(original.SourceContext, "\"", "\"");
        if (hashTagName == "")
        {
            continue;
        }

        var tagged = (O2Finding)OzasmtCopy.createCopy(original);
        // read before the inserts so it refers to the copy's original first trace
        var joinLocation = tagged.o2Traces[0].file;
        tagged.insertTrace(hashTagName, TraceType.O2JoinSource);
        tagged.insertTrace(joinLocation, TraceType.O2JoinLocation);
        taggedCopies.Add(tagged);
    }
    return taggedCopies;
}
public static List<IO2Finding> mapJoinPoints_HashTagsOn_Sinks(List<IO2Finding> o2findings)
{
    // Sink-side counterpart of mapJoinPoints_HashTagsOn_Sources: for every
    // finding whose SinkContext contains a quoted "hash tag" name, returns a
    // copy (OzasmtCopy.createCopy) with an O2JoinSink trace named after the tag
    // added under the copy's sink, plus an O2JoinLocation trace holding the
    // file of the copy's first trace. Findings without a tag are left out.
    var taggedCopies = new List<IO2Finding>();
    foreach (O2Finding original in o2findings)
    {
        var hashTagName = JoinOnAttributes.extractNameFromContext(original.SinkContext, "\"", "\"");
        if (hashTagName == "")
        {
            continue;
        }

        var tagged = (O2Finding)OzasmtCopy.createCopy(original);
        // read before the traces are added so it refers to the copy's original first trace
        var joinLocation = tagged.o2Traces[0].file;
        tagged.addTrace(tagged.getSink(), hashTagName, TraceType.O2JoinSink);
        tagged.insertTrace(joinLocation, TraceType.O2JoinLocation);
        taggedCopies.Add(tagged);
    }
    return taggedCopies;
}
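public void calculateResults()
{
    // Joins the taint-source findings with the final-sink findings through the
    // Struts mappings (action servlet -> controller -> path -> resolved view) and
    // stores the resulting end-to-end findings in findingsWith_Results.
    //
    // Reads:  findingsWith_FindingsFromTaintSources, findingsWith_FindingsToFinalSinks,
    //         StrutsMappings.actionServlets
    // Writes: findingsWith_Results
    //
    // A finding takes part in the join only when it has exactly one
    // O2JoinLocation trace and exactly one JoinSink (taint source) or JoinSource
    // (final sink); anything else is silently ignored.
    //
    // Earlier versions also built two dictionaries keyed on JoinSinks/JoinSources
    // that were never read; they have been removed.
    var results = new List<IO2Finding>();

    PublicDI.log.debug("building join-location dictionaries for taint sources and final sinks");

    // join-location signature -> taint-source findings ending at that location
    var taintSourcesJoinLocations = new Dictionary<string, List<IO2Finding>>();
    foreach (O2Finding o2Finding in findingsWith_FindingsFromTaintSources)
    {
        addFindingForSingleJoinLocation(taintSourcesJoinLocations, o2Finding);
    }

    // join-location signature -> final-sink findings starting at that location
    var finalSinksJoinLocations = new Dictionary<string, List<IO2Finding>>();
    foreach (O2Finding o2Finding in findingsWith_FindingsToFinalSinks)
    {
        addFindingForSingleJoinLocation(finalSinksJoinLocations, o2Finding);
    }

    PublicDI.log.debug("mapping all data");
    foreach (var actionServlet in StrutsMappings.actionServlets)
    {
        var controllersToAdd = actionServlet.controllers.Values.Count;
        var controllersAdded = 0;
        foreach (var controler in actionServlet.controllers.Values)
        {
            // progress line every 10 controllers; the counter is incremented before
            // it is printed, so the first line reads 1/N
            if (controllersAdded++ % 10 == 0)
            {
                PublicDI.log.debug(" Added [{0}/{1}] controllers ({2} findings so far)", controllersAdded, controllersToAdd, results.Count);
            }

            // NOTE(review): a controller with no type becomes "" and
            // "<anything>".Contains("") is always true, so such a controller
            // matches every taint-source location below and can produce spurious
            // joins — confirm whether typeless controllers should be skipped.
            var filteredController = controler.type ?? "";

            foreach (var path in controler.paths)
            {
                foreach (var view in path.resolvedViews)
                {
                    // JoinPointFilter normalises the join-point strings before the
                    // substring matching below (assumed to be a pure string filter,
                    // which is why it is hoisted out of the inner loops).
                    var filteredView = JoinPointFilter(view);

                    foreach (var taintSourcesJoinLocation in taintSourcesJoinLocations)
                    {
                        var filteredTaintSource = JoinPointFilter(taintSourcesJoinLocation.Key);
                        if (false == filteredTaintSource.Contains(filteredController))
                        {
                            continue;
                        }

                        foreach (var finalSinksJoinLocation in finalSinksJoinLocations)
                        {
                            var filteredFinalSink = JoinPointFilter(finalSinksJoinLocation.Key);
                            if (false == filteredFinalSink.Contains(filteredView))
                            {
                                continue;
                            }

                            // controller and view match: pair up the findings whose
                            // JoinSink (taint source side) equals the JoinSource
                            // (final sink side)
                            foreach (O2Finding taintSourceFinding in taintSourcesJoinLocation.Value)
                            {
                                var joinSinks = taintSourceFinding.JoinSinks();
                                if (joinSinks.Count != 1)
                                {
                                    continue;
                                }

                                foreach (O2Finding finalSinkFinding in finalSinksJoinLocation.Value)
                                {
                                    var joinSources = finalSinkFinding.JoinSources();
                                    if (joinSources.Count == 1 && joinSinks[0] == joinSources[0])
                                    {
                                        results.Add(createStrutsFinding(controler, path, filteredView, taintSourceFinding, finalSinkFinding));
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    findingsWith_Results = results;
    PublicDI.log.debug("mapping complete");
}

// Adds o2Finding to the group keyed by its join-location signature, but only when
// the finding has exactly one join location (the only case currently supported).
// Findings with zero or several join locations are ignored.
private static void addFindingForSingleJoinLocation(Dictionary<string, List<IO2Finding>> groups, O2Finding o2Finding)
{
    var joinLocations = o2Finding.getJoinLocations();
    if (joinLocations.Count != 1)
    {
        return;
    }

    var signature = joinLocations[0].signature;
    List<IO2Finding> group;
    if (false == groups.TryGetValue(signature, out group))
    {
        group = new List<IO2Finding>();
        groups.Add(signature, group);
    }
    group.Add(o2Finding);
}

// Builds the joined O2Finding for one (controller, path, view, taint-source finding,
// final-sink finding) match. The root trace describes the Struts mapping; the
// taint-source traces hang under the controller trace and the final-sink traces
// under the view trace. When the controller has a form bean, the bean field that
// matches the taint source's quoted join-point name is recorded together with its
// validation mapping and validators, so a reviewer can see whether the tainted
// field has any Struts validation on this path.
// The controller and path parameters are declared dynamic because their concrete
// types are not visible in this file; the members accessed are the same ones the
// calling loop used.
private static IO2Finding createStrutsFinding(dynamic controler, dynamic path, string filteredView, O2Finding taintSourceFinding, O2Finding finalSinkFinding)
{
    var strutsFinding = new O2Finding
    {
        vulnType = "Struts.Finding : " + controler.type,
        vulnName = controler.type ?? ""
    };
    var o2RootTrace = (O2Trace)strutsFinding.addTrace("Struts Mapping", TraceType.Root_Call);
    var controllerTrace = o2RootTrace.addTrace("Controller: " + controler.type, TraceType.O2JoinSink);

    if (controler.formBean != null)
    {
        var beanTrace = (O2Trace)o2RootTrace.addTrace("Form Bean : " + controler.formBean.name, TraceType.O2Info);
        beanTrace.addTrace("has validation mapping" + controler.formBean.hasValidationMapping);

        // only add the field that matches the current join point
        var currentJoinPoint = JoinOnAttributes.extractNameFromContext(taintSourceFinding.SourceContext, "\"", "\"");
        foreach (var field in controler.formBean.fields)
        {
            if (field.Key == currentJoinPoint)
            {
                var joinPoint = (O2Trace)beanTrace.addTrace(field.Value.name);
                joinPoint.addTrace("hasValidationMapping: " + field.Value.hasValidationMapping);
                joinPoint.addTrace_IfNotEmpty("depends: ", field.Value.depends);
                joinPoint.addTrace_IfNotEmpty("initial", field.Value.initial);
                joinPoint.addTrace_IfNotEmpty("type", field.Value.type);
                foreach (var validator in field.Value.validators)
                {
                    joinPoint.addTrace(string.Format("validator: {0}={1}", validator.Key, validator.Value));
                }
            }
        }
    }

    controllerTrace.childTraces.AddRange(taintSourceFinding.o2Traces);

    var pathsTrace = (O2Trace)o2RootTrace.addTrace("paths:", TraceType.O2Info);
    var pathTrace = (O2Trace)pathsTrace.addTrace("url: " + path.path);
    pathTrace.addTrace("controller: " + controler.type + " <- ");
    var viewTrace = pathTrace.addTrace("view: " + filteredView, TraceType.O2JoinSink);
    viewTrace.childTraces.AddRange(finalSinkFinding.o2Traces);

    return strutsFinding;
}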