private XmlTextReaderEnvironment AnalyzeObjectCreationForXmlTextReader(IMethodSymbol symbol, SyntaxNode node, SemanticModel model)
{
var env = new XmlTextReaderEnvironment(AreDefaultsSecure, symbol, node);
if (!ReferenceEquals(symbol.ContainingType, XmlTypes.XmlTextReader))
{
// We assume the design of derived type is secure
env.IsDtdProcessingDisabled = true;
env.IsSecureResolver = true;
}
foreach (SyntaxNode arg in SyntaxNodeHelper.GetObjectInitializerExpressionNodes(node))
{
SyntaxNode argLhs = SyntaxNodeHelper.GetAssignmentLeftNode(arg);
SyntaxNode argRhs = SyntaxNodeHelper.GetAssignmentRightNode(arg);
ISymbol argLhsSymbol = SyntaxNodeHelper.GetSymbol(argLhs, model);
if (SecurityDiagnosticHelpers.IsXmlTextReaderXmlResolverPropertyDerived(argLhsSymbol, XmlTypes))
{
env.IsSecureResolver = SyntaxNodeHelper.NodeHasConstantValueNull(argRhs, model) ||
SecurityDiagnosticHelpers.IsXmlSecureResolverType(model.GetTypeInfo(argRhs).Type, XmlTypes);
}
else if (SecurityDiagnosticHelpers.IsXmlTextReaderDtdProcessingPropertyDerived(argLhsSymbol, XmlTypes))
{
env.IsDtdProcessingDisabled = !SyntaxNodeHelper.NodeHasConstantValue(argRhs, model, 2 /*DtdProcessing.Parse*/);
}
else if (SecurityDiagnosticHelpers.IsXmlTextReaderProhibitDtdPropertyDerived(argLhsSymbol, XmlTypes))
{
env.IsDtdProcessingDisabled = !SyntaxNodeHelper.NodeHasConstantValue(argRhs, model, false);
}
}
return(env);
}
private void AnalyzeObjectCreationForXmlTextReader(OperationAnalysisContext context, ISymbol variable, IObjectCreationOperation objCreation)
{
if (variable == null || !_xmlTextReaderEnvironments.TryGetValue(variable, out XmlTextReaderEnvironment env))
{
env = new XmlTextReaderEnvironment(_isFrameworkSecure)
{
XmlTextReaderDefinition = objCreation.Syntax
};
}
if (objCreation.Constructor.ContainingType != _xmlTypes.XmlTextReader)
{
env.IsDtdProcessingDisabled = true;
env.IsSecureResolver = true;
}
if (objCreation.Initializer != null)
{
foreach (IOperation init in objCreation.Initializer.Initializers)
{
if (init is IAssignmentOperation assign)
{
var propValue = assign.Value;
IPropertySymbol prop = context.Compilation.GetSemanticModel(context.Operation.Syntax.SyntaxTree)?.GetSymbolInfo(assign.Target.Syntax).Symbol as IPropertySymbol;
if (prop == null)
{
continue;
}
if (propValue is IConversionOperation operation &&
SecurityDiagnosticHelpers.IsXmlTextReaderXmlResolverPropertyDerived(prop, _xmlTypes))
{
env.IsXmlResolverSet = true;
if (SecurityDiagnosticHelpers.IsXmlSecureResolverType(operation.Operand.Type, _xmlTypes))
{
env.IsSecureResolver = true;
}
else if (SecurityDiagnosticHelpers.IsExpressionEqualsNull(operation.Operand))
{
env.IsSecureResolver = true;
}
else
{
env.IsSecureResolver = false;
}
}
else if (SecurityDiagnosticHelpers.IsXmlTextReaderDtdProcessingPropertyDerived(prop, _xmlTypes))
{
env.IsDtdProcessingSet = true;
env.IsDtdProcessingDisabled = !SecurityDiagnosticHelpers.IsExpressionEqualsDtdProcessingParse(propValue);
}
}
}
}
private void AnalyzeObjectCreationForXmlTextReader(OperationAnalysisContext context, ISymbol variable, IObjectCreationExpression objCreation)
{
if (variable == null || !_xmlTextReaderEnvironments.TryGetValue(variable, out XmlTextReaderEnvironment env))
{
env = new XmlTextReaderEnvironment(_isFrameworkSecure)
{
XmlTextReaderDefinition = objCreation.Syntax
};
}
if (objCreation.Constructor.ContainingType != _xmlTypes.XmlTextReader)
{
env.IsDtdProcessingDisabled = true;
env.IsSecureResolver = true;
}
foreach (ISymbolInitializer init in objCreation.MemberInitializers)
{
if (init is IPropertyInitializer prop)
{
if (prop.Value is IConversionExpression operation && SecurityDiagnosticHelpers.IsXmlTextReaderXmlResolverPropertyDerived(prop.InitializedProperty, _xmlTypes))
{
env.IsXmlResolverSet = true;
if (SecurityDiagnosticHelpers.IsXmlSecureResolverType(operation.Operand.Type, _xmlTypes))
{
env.IsSecureResolver = true;
}
else if (SecurityDiagnosticHelpers.IsExpressionEqualsNull(operation.Operand))
{
env.IsSecureResolver = true;
}
else
{
env.IsSecureResolver = false;
}
}
else if (SecurityDiagnosticHelpers.IsXmlTextReaderDtdProcessingPropertyDerived(prop.InitializedProperty, _xmlTypes))
{
env.IsDtdProcessingSet = true;
env.IsDtdProcessingDisabled = !SecurityDiagnosticHelpers.IsExpressionEqualsDtdProcessingParse(prop.Value);
}
}
}
private void AnalyzePropertyAssignment(IPropertySymbol symbol, SyntaxNode lhs, SyntaxNode rhs, SemanticModel model)
{
if (SecurityDiagnosticHelpers.IsXmlDocumentXmlResolverPropertyDerived(symbol, XmlTypes))
{
ISymbol lhsExpressionSymbol = SyntaxNodeHelper.GetSymbol(lhs, model);
if (lhsExpressionSymbol == null)
{
return;
}
var env = GetEnvironment(lhsExpressionSymbol, lhs, XmlDocumentEnvironments, TempXmlDocumentEnvironments);
bool oldIsSecureResolver = env.IsSecureResolver;
env.IsSecureResolver = SyntaxNodeHelper.NodeHasConstantValueNull(rhs, model) ||
SecurityDiagnosticHelpers.IsXmlSecureResolverType(model.GetTypeInfo(rhs).Type, XmlTypes);
if (oldIsSecureResolver && !env.IsSecureResolver)
{
env.Definition = rhs;
}
}
else if (SecurityDiagnosticHelpers.IsXmlTextReaderXmlResolverPropertyDerived(symbol, XmlTypes))
{
ISymbol lhsExpressionSymbol = SyntaxNodeHelper.GetSymbol(lhs, model);
if (lhsExpressionSymbol == null)
{
return;
}
var env = GetEnvironment(lhsExpressionSymbol, lhs, XmlTextReaderEnvironments, TempXmlTextReaderEnvironments);
bool oldIsSecureResolver = env.IsSecureResolver;
env.IsSecureResolver = SyntaxNodeHelper.NodeHasConstantValueNull(rhs, model) ||
SecurityDiagnosticHelpers.IsXmlSecureResolverType(model.GetTypeInfo(rhs).Type, XmlTypes);
if (oldIsSecureResolver && !env.IsSecureResolver)
{
env.Definition = rhs;
}
}
else if (SecurityDiagnosticHelpers.IsXmlTextReaderDtdProcessingPropertyDerived(symbol, XmlTypes))
{
ISymbol lhsExpressionSymbol = SyntaxNodeHelper.GetSymbol(lhs, model);
if (lhsExpressionSymbol == null)
{
return;
}
var env = GetEnvironment(lhsExpressionSymbol, lhs, XmlTextReaderEnvironments, TempXmlTextReaderEnvironments);
bool oldIsDtdProcessingDisabled = env.IsDtdProcessingDisabled;
env.IsDtdProcessingDisabled = !SyntaxNodeHelper.NodeHasConstantValue(rhs, model, 2 /*DtdProcessing.Parse*/);
if (oldIsDtdProcessingDisabled && !env.IsDtdProcessingDisabled)
{
env.Definition = rhs;
}
}
else if (SecurityDiagnosticHelpers.IsXmlTextReaderProhibitDtdPropertyDerived(symbol, XmlTypes))
{
ISymbol lhsExpressionSymbol = SyntaxNodeHelper.GetSymbol(lhs, model);
if (lhsExpressionSymbol == null)
{
return;
}
var env = GetEnvironment(lhsExpressionSymbol, lhs, XmlTextReaderEnvironments, TempXmlTextReaderEnvironments);
bool oldIsDtdProcessingDisabled = env.IsDtdProcessingDisabled;
env.IsDtdProcessingDisabled = !SyntaxNodeHelper.NodeHasConstantValue(rhs, model, false);
if (oldIsDtdProcessingDisabled && !env.IsDtdProcessingDisabled)
{
env.Definition = rhs;
}
}
else if (SecurityDiagnosticHelpers.IsXmlReaderSettingsDtdProcessingProperty(symbol, XmlTypes))
{
ISymbol lhsExpressionSymbol = SyntaxNodeHelper.GetSymbol(lhs, model);
if (lhsExpressionSymbol == null)
{
return;
}
var env = GetEnvironment(lhsExpressionSymbol, lhs, XmlReaderSettingsEnvironments, TempXmlReaderSettingsEnvironments);
bool oldIsDtdProcessingDisabled = env.IsDtdProcessingDisabled;
env.IsDtdProcessingDisabled = !SyntaxNodeHelper.NodeHasConstantValue(rhs, model, 2 /*DtdProcessing.Parse*/);
if (oldIsDtdProcessingDisabled && !env.IsDtdProcessingDisabled)
{
env.Definition = rhs;
}
}
else if (SecurityDiagnosticHelpers.IsXmlReaderSettingsProhibitDtdProperty(symbol, XmlTypes))
{
var lhsExpressionSymbol = SyntaxNodeHelper.GetSymbol(lhs, model);
if (lhsExpressionSymbol == null)
{
return;
}
var env = GetEnvironment(lhsExpressionSymbol, lhs, XmlReaderSettingsEnvironments, TempXmlReaderSettingsEnvironments);
bool oldIsDtdProcessingDisabled = env.IsDtdProcessingDisabled;
env.IsDtdProcessingDisabled = !SyntaxNodeHelper.NodeHasConstantValue(rhs, model, false);
if (oldIsDtdProcessingDisabled && !env.IsDtdProcessingDisabled)
{
env.Definition = rhs;
}
}
else if (SecurityDiagnosticHelpers.IsXmlReaderSettingsMaxCharactersFromEntitiesProperty(symbol, XmlTypes))
{
ISymbol lhsExpressionSymbol = SyntaxNodeHelper.GetSymbol(lhs, model);
if (lhsExpressionSymbol == null)
{
return;
}
var env = GetEnvironment(lhsExpressionSymbol, lhs, XmlReaderSettingsEnvironments, TempXmlReaderSettingsEnvironments);
//bool oldIsMaxCharactersFromEntitiesLimited = env.IsMaxCharactersFromEntitiesLimited;
env.IsMaxCharactersFromEntitiesLimited = !SyntaxNodeHelper.NodeHasConstantValue(rhs, model, 0);
//if (!env.IsMaxCharactersFromEntitiesLimited)
// env.Definition = rhs;
}
}