/// <summary>
/// This method will find the Vulnerabilities in <paramref name="syntaxNode"/>
/// </summary>
/// <param name="syntaxNode"></param>
/// <param name="filePath"></param>
/// <param name="model"></param>
/// <param name="solution"></param>
/// <returns></returns>
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var assignmentExpressions = syntaxNode.DescendantNodesAndSelf().OfType <AssignmentExpressionSyntax>();
foreach (var assignment in assignmentExpressions)
{
if (!assignment.ToString().Contains("ServerCertificateValidationCallback") &&
!assignment.ToString().Contains("ServerCertificateCustomValidationCallback"))
{
continue;
}
ISymbol symbol = model.GetSymbol(assignment.Left);
if (symbol == null)
{
continue;
}
if (!CallbackDelegates.Contains(symbol.ContainingType.ToString() + "." + symbol.Name.ToString()))
{
continue;
}
if (IsVulnerable(assignment.Right, model))
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, assignment, Enums.ScannerType.CertificateValidation));
}
}
return(vulnerabilities);
}
/// <summary>
/// This method will find the Expressions caused by ProcessInfo Class
/// </summary>
/// <returns></returns>
private IEnumerable <VulnerabilityDetail> FindProcessInfoExpressions()
{
var objectCreations = _syntaxNode.DescendantNodesAndSelf().OfType <ObjectCreationExpressionSyntax>();
foreach (var item in objectCreations)
{
ITypeSymbol typeSymbol = _model.GetTypeSymbol(item);
if (typeSymbol == null || typeSymbol.ToString() != Constants.KnownType.System_Diagnostics_ProcessStartInfo)
{
continue;
}
if (item.ArgumentList == null || item.ArgumentList?.Arguments.Count == 0)
{
continue;
}
foreach (var argument in item.ArgumentList?.Arguments)
{
if (Utils.IsVulnerable(argument.Expression, _model, _solution, null))
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, argument, Enums.ScannerType.CommandInjection, messageProcessStartInfo));
}
}
}
return(vulnerabilities);
}
/// <summary>
/// Determines the vulnerabilities in <paramref name="syntaxNode"/>
/// </summary>
/// <param name="syntaxNode"></param>
/// <param name="filePath"></param>
/// <param name="model"></param>
/// <param name="solution"></param>
/// <returns></returns>
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var Nodes = syntaxNode.DescendantNodes().Where(obj => obj.IsKind(Microsoft.CodeAnalysis.CSharp.SyntaxKind.ObjectCreationExpression) ||
obj.IsKind(Microsoft.CodeAnalysis.CSharp.SyntaxKind.InvocationExpression));
foreach (var item in Nodes)
{
if (item is InvocationExpressionSyntax invocation)
{
if (!invocation.ToString().Contains("Create"))
{
continue;
}
ISymbol symbol = model.GetSymbol(invocation);
if (symbol == null)
{
continue;
}
if (WeakAlgorithmMethods.Any(obj => obj == symbol.ContainingType.ToString() + "." + symbol.Name.ToString()))
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, item, Enums.ScannerType.WeakSymmetricAlgorithm));
}
}
else if (item is ObjectCreationExpressionSyntax objectCreation && Utils.DerivesFromAny(model.GetTypeSymbol(item), WeakAlgorithmTypes))
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, item, Enums.ScannerType.WeakSymmetricAlgorithm));
}
}
return(vulnerabilities);
}
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
IEnumerable <SyntaxNode> classDeclarations = syntaxNode.DescendantNodesAndSelf().OfType <ClassDeclarationSyntax>();
classDeclarations = classDeclarations.Union(syntaxNode.DescendantNodesAndSelf().OfType <StructDeclarationSyntax>());
foreach (var declaration in classDeclarations)
{
var symbol = (INamedTypeSymbol)model.GetDeclaredSymbol(declaration);
if (symbol == null)
{
continue;
}
var fields = symbol.GetMembers().Where(m => m.Kind == SymbolKind.Field).OfType <IFieldSymbol>();
if (!fields.Any())
{
continue;
}
var properties = GetExplictlyDeclaredProperties(symbol);
if (!properties.Any())
{
continue;
}
var propertyToField = new PropertyToField(fields);
var allPropertyData = CollectPropertyData(properties, model.Compilation);
// Check that if there is a single matching field name it is used by the property
foreach (var data in allPropertyData)
{
var expectedField = propertyToField.GetMatchingField(data.PropertySymbol);
if (expectedField != null)
{
SyntaxNodeOrToken unsafeNodeOrToken = null;
if (!data.IgnoreGetter)
{
unsafeNodeOrToken = CheckExpectedFieldIsUsed(data.PropertySymbol.GetMethod, expectedField, data.ReadFields);
if (unsafeNodeOrToken != null)
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, unsafeNodeOrToken, Enums.ScannerType.PropertyAccessor,
string.Format(message, "getter", unsafeNodeOrToken)));
}
}
if (!data.IgnoreSetter)
{
unsafeNodeOrToken = CheckExpectedFieldIsUsed(data.PropertySymbol.SetMethod, expectedField, data.UpdatedFields);
if (unsafeNodeOrToken != null)
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, unsafeNodeOrToken, Enums.ScannerType.PropertyAccessor,
string.Format(message, "setter", unsafeNodeOrToken)));
}
}
}
}
}
return(vulnerabilities);
}
/// <summary>
/// Determines the Cors AllowAnyOrigin vulnerabilities in <paramref name="syntaxNode"/>
/// </summary>
/// <param name="syntaxNode"></param>
/// <param name="filePath"></param>
/// <param name="model"></param>
/// <param name="solution"></param>
/// <returns></returns>
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var invocations = syntaxNode.DescendantNodesAndSelf().OfType <InvocationExpressionSyntax>();
//System.Console.WriteLine(filePath);
foreach (var item in invocations)
{
if (!item.ToString().Contains("AllowAnyOrigin"))
{
continue;
}
ISymbol symbol = model.GetSymbol(item);
if (symbol == null || symbol is IErrorTypeSymbol)
{
continue;
}
if (symbol.ContainingType.ToString() == Constants.KnownType.Microsoft_AspNetCore_Cors_Infrastructure_CorsPolicyBuilder &&
symbol.Name.ToString() == "AllowAnyOrigin")
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, item, Enums.ScannerType.CorsAllowAnyOrigin));
}
}
return(vulnerabilities);
}
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var classDeclarations = syntaxNode.DescendantNodesAndSelf().OfType <ClassDeclarationSyntax>();
foreach (var classDeclaration in classDeclarations)
{
if (classDeclaration.AttributeLists.Count == 0)
{
continue;
}
var classSymbol = model.GetDeclaredSymbol(classDeclaration);
if (classSymbol == null || !HasPartCreationPolicyAttribute(classSymbol))
{
continue;
}
if (classSymbol.GetAttributes().Any(attr => Utils.DerivesFrom(attr.AttributeClass, KnownType.System_ComponentModel_Composition_ExportAttribute)) || HasInheritExportAttribute(classSymbol))
{
continue;
}
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, classDeclaration.Identifier, Enums.ScannerType.PartCreationPolicyNonExport));
}
return(vulnerabilities);
}
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var binaryExpressions = syntaxNode.DescendantNodesAndSelf()
.Where(expr => expr.IsKind(SyntaxKind.LeftShiftExpression) || expr.IsKind(SyntaxKind.RightShiftExpression))
.OfType <BinaryExpressionSyntax>();
var assignmentExpressions = syntaxNode.DescendantNodesAndSelf()
.Where(expr => expr.IsKind(SyntaxKind.LeftShiftAssignmentExpression) || expr.IsKind(SyntaxKind.RightShiftAssignmentExpression))
.OfType <AssignmentExpressionSyntax>();
_model = model;
foreach (var binary in binaryExpressions)
{
if (CheckExpression(binary.Left, binary.Right))
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, binary.Right, Enums.ScannerType.RightShiftNotNumber,
string.Format(message, binary.Right)));
}
}
foreach (var assignment in assignmentExpressions)
{
if (CheckExpression(assignment.Left, assignment.Right))
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, assignment.Right, Enums.ScannerType.RightShiftNotNumber,
string.Format(message, assignment.Right)));
}
}
return(vulnerabilities);
}
/// <summary>
/// This method will find the Insecure Deserialization Methods.
/// </summary>
/// <returns></returns>
private List <VulnerabilityDetail> FindVulnerableInvocations(SemanticModel model)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var invocationExpressions = _syntaxNode.DescendantNodesAndSelf().OfType <InvocationExpressionSyntax>();
foreach (var item in invocationExpressions)
{
ISymbol symbol = _model.GetSymbol(item);
if (symbol == null)
{
continue;
}
if (BinaryFormatter_Methods.Contains(symbol.ContainingType + "." + symbol.Name))
{
if (item.Expression is MemberAccessExpressionSyntax memberAccess && IsVulnerable_BinaryFormatter(memberAccess.Expression, model))
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, item, ScannerType.InsecureDeserialization));
}
}
else if (_insecureMethods.Contains(symbol.ContainingType + "." + symbol.Name))
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, item, ScannerType.InsecureDeserialization));
}
}
return(vulnerabilities);
}
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var lockStatements = syntaxNode.DescendantNodesAndSelf().OfType <LockStatementSyntax>();
foreach (var item in lockStatements)
{
if (IsWeakIdentity(item.Expression, model))
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, item.Expression, Enums.ScannerType.SharedObjectLock));
}
}
var invocations = syntaxNode.DescendantNodesAndSelf().OfType <InvocationExpressionSyntax>();
foreach (var item in invocations)
{
var methodName = item.Expression.GetName();
if ((methodName != "Enter" && methodName != "TryEnter") || item.ArgumentList.Arguments.Count == 0)
{
continue;
}
if (!(model.GetSymbol(item) is IMethodSymbol method) || method.ContainingType.ToString() != KnownType.System_Threading_Monitor)
{
continue;
}
if (IsWeakIdentity(item.ArgumentList.Arguments[0].Expression, model))
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, item.ArgumentList.Arguments[0].Expression, Enums.ScannerType.SharedObjectLock));
}
}
return(vulnerabilities);
}
private void FindVariableDeclarators(SyntaxNode syntaxNode, SemanticModel model, ref List <VulnerabilityDetail> vulnerabilities)
{
var variableDeclarators = syntaxNode.DescendantNodes().OfType <VariableDeclaratorSyntax>();
foreach (var declarator in variableDeclarators)
{
if (!IsStringType(declarator, model))
{
continue;
}
string variableValue = declarator.Initializer?.Value.GetStringValue();;
if (string.IsNullOrWhiteSpace(variableValue) || variableValue.Contains(" "))
{
continue;
}
var bannedWords = FindCredentialWords(declarator.Identifier.ValueText, variableValue);
if (bannedWords.Any())
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, declarator, ScannerType.HardcodePassword, string.Format(MessageFormatCredential, bannedWords.JoinStr(", "))));
}
else if (ContainsUriUserInfo(variableValue))
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, declarator, ScannerType.HardcodePassword, MessageUriUserInfo));
}
}
}
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var nullLiteralExpressions = syntaxNode.DescendantNodesAndSelf().Where(obj => obj.IsKind(SyntaxKind.NullLiteralExpression)).OfType <LiteralExpressionSyntax>();
foreach (var nullLiteral in nullLiteralExpressions)
{
SyntaxNode expression = nullLiteral.GetFirstNonParenthesizedParent();
if (!expression.IsKind(SyntaxKind.ArrowExpressionClause) && !expression.IsKind(SyntaxKind.ReturnStatement))
{
continue;
}
var enclosingMember = GetEnclosingMember(nullLiteral);
if (enclosingMember == null || enclosingMember.IsKind(SyntaxKind.VariableDeclaration))
{
continue;
}
if (IsInvalidEnclosingSymbolContext(enclosingMember, model))
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, nullLiteral, Enums.ScannerType.NonAsyncTaskNull));
}
}
return(vulnerabilities);
}
/// <summary>
/// Determines ViewstateMac Vulnerabilities.
/// </summary>
/// <param name="filePath"></param>
/// <returns></returns>
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(string filePath)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
XPathNavigator element = XMLParser.CreateNavigator(filePath, Pages_Node);
if (element != null && element.HasAttributes)
{
bool vulnerable = false;
element.MoveToFirstAttribute();
do
{
if (element.Name.Equals("enableViewStateMac", StringComparison.OrdinalIgnoreCase))
{
if (element.Value.Equals("false", StringComparison.OrdinalIgnoreCase))
{
vulnerable = true;
}
break;
}
}while (element.MoveToNextAttribute());
if (vulnerable)
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, element, Enums.ScannerType.ViewStateMac));
}
}
return(vulnerabilities);
}
private void FindAssignments(SyntaxNode syntaxNode, SemanticModel model, ref List <VulnerabilityDetail> vulnerabilities)
{
var assignments = syntaxNode.DescendantNodes().OfType <AssignmentExpressionSyntax>();
foreach (var assignment in assignments)
{
if (!IsStringType(assignment, model))
{
continue;
}
string variableValue = assignment.Right.GetStringValue();
if (string.IsNullOrWhiteSpace(variableValue) || variableValue.Contains(" "))
{
continue;
}
var bannedWords = FindCredentialWords((assignment.Left as IdentifierNameSyntax)?.Identifier.ValueText, variableValue);
if (bannedWords.Any())
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, assignment, ScannerType.HardcodePassword, string.Format(MessageFormatCredential, bannedWords.JoinStr(", "))));
}
else if (ContainsUriUserInfo(variableValue))
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, assignment, ScannerType.HardcodePassword, MessageUriUserInfo));
}
}
}
private void FindStringLiterals(SyntaxNode syntaxNode, SemanticModel model, ref List <VulnerabilityDetail> vulnerabilities)
{
var literals = syntaxNode.DescendantNodes().OfType <LiteralExpressionSyntax>().Where(obj => obj.IsKind(SyntaxKind.StringLiteralExpression));
foreach (var literal in literals)
{
if (!ShouldConsider(literal, model))
{
continue;
}
string variableValue = literal.GetStringValue();
if (string.IsNullOrWhiteSpace(variableValue) || variableValue.Contains(" "))
{
continue;
}
var bannedWords = FindCredentialWords(null, variableValue);
if (bannedWords.Any())
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, literal, ScannerType.HardcodePassword, string.Format(MessageFormatCredential, bannedWords.JoinStr(", "))));
}
else if (ContainsUriUserInfo(variableValue))
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, literal, ScannerType.HardcodePassword, MessageUriUserInfo));
}
}
}
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
//List<SyntaxToken> syntaxTokens = new List<SyntaxToken>();
var invocationExpressions = syntaxNode.DescendantNodesAndSelf().OfType <InvocationExpressionSyntax>();
foreach (var invocation in invocationExpressions)
{
if (!invocation.Expression.ToString().Contains(BeginInvoke))
{
continue;
}
_model = model;
if (GetCallbackArg(invocation) is { } callbackArg &&
GetMethodSymbol(invocation) is { } methodSymbol &&
methodSymbol.Name == BeginInvoke &&
IsDelegate(methodSymbol) &&
(callbackArg.IsKind(SyntaxKind.NullLiteralExpression) || !CallbackMayContainEndInvoke(callbackArg)) &&
!ParentMethodContainsEndInvoke(invocation))
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, (SyntaxToken)invocation.GetMethodCallIdentifier(), Enums.ScannerType.BeginEndInvoke));
}
}
return(vulnerabilities);
}
/// <summary>
/// This method will FInd JWT Token vulnerabilities from assignments.
/// </summary>
/// <param name="syntaxNode"></param>
/// <param name="model"></param>
/// <param name="vulnerabilities"></param>
private void FindTokenParameters(SyntaxNode syntaxNode, SemanticModel model, ref List <VulnerabilityDetail> vulnerabilities)
{
var assignments = syntaxNode.DescendantNodes().OfType <AssignmentExpressionSyntax>();
foreach (var assignment in assignments)
{
if (!ValidationProps.Any(obj => assignment.Left.ToString().Contains(obj)))
{
continue;
}
var leftSymbol = model.GetSymbol(assignment.Left);
if (leftSymbol == null || !(leftSymbol.ContainingNamespace.ToString() == KnownType.Microsoft_IdentityModel_Tokens))
{
continue;
}
var constant = model.GetConstantValue(assignment.Right);
//If right side if assignment is false or constant value as false
if (constant.HasValue && constant.Value is bool value && !value)
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, assignment, Enums.ScannerType.JWTValidation));
}
}
}
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var expressionStatements = syntaxNode.DescendantNodesAndSelf().OfType <ExpressionStatementSyntax>();
foreach (var statement in expressionStatements)
{
var collectionIdentifier = GetCollectionIdentifier(statement);
var indexOrKey = GetIndexOrKey(statement);
if (collectionIdentifier == null || indexOrKey == null ||
!IsIdentifierOrLiteral(indexOrKey) || !IsDictionaryOrCollection(collectionIdentifier, model))
{
continue;
}
var previousSet = GetPreviousStatements(statement)
.TakeWhile(IsSameCollection(collectionIdentifier))
.FirstOrDefault(IsSameIndexOrKey(indexOrKey));
if (previousSet != null)
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, statement, Enums.ScannerType.OverwriteCollectionElement));
}
}
return(vulnerabilities);
}
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var invocations = syntaxNode.DescendantNodesAndSelf().OfType <InvocationExpressionSyntax>();
foreach (var invocation in invocations)
{
if (invocation.Expression.GetName() != "UseDeveloperExceptionPage" && invocation.Expression.GetName() != "UseDatabaseErrorPage")
{
continue;
}
var methodSymbol = model.GetSymbol(invocation) as IMethodSymbol;
if (methodSymbol == null || !MethodsToCheck.Contains(methodSymbol.ContainingType.ToString() + "." + methodSymbol.Name))
{
continue;
}
if (IsInvokedConditionally(invocation, model))
{
continue;
}
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, invocation, Enums.ScannerType.EnableDebugMode));
}
return(vulnerabilities);
}
/// <summary>
/// This method will find Insecure Settings by Attibute
/// </summary>
/// <returns></returns>
private List <VulnerabilityDetail> FindVulnerableAttributes()
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var attributeArguments = _syntaxNode.DescendantNodesAndSelf().OfType <AttributeSyntax>();
foreach (var argument in attributeArguments)
{
ITypeSymbol typeSymbol = _model.GetTypeSymbol(argument.Name);
if (typeSymbol == null || typeSymbol.ToString() != KnownType.Newtonsoft_Json_JsonPropertyAttribute)
{
continue;
}
foreach (var item in argument.ArgumentList.Arguments)
{
if (item.NameEquals.Name.ToString() == "TypeNameHandling")
{
Optional <object> value = _model.GetConstantValue(item.Expression);
if (value.HasValue && ((int)value.Value != 0))
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, item, ScannerType.InsecureDeserialization));
break;
}
}
}
}
return(vulnerabilities);
}
/// <summary>
/// Determines the vulnerabilities in <paramref name="syntaxNode"/>
/// </summary>
/// <param name="syntaxNode"></param>
/// <param name="filePath"></param>
/// <param name="model"></param>
/// <param name="solution"></param>
/// <returns></returns>
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
this.solution = solution;
this.model = model;
this.syntaxNode = syntaxNode;
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
HashSet <SyntaxNode> lstVulnerableCheck = new HashSet <SyntaxNode>();
var methods = syntaxNode.DescendantNodes().OfType <InvocationExpressionSyntax>();
foreach (var method in methods)
{
if (!(method.Expression is MemberAccessExpressionSyntax memberAccessExpression))
{
continue;
}
ITypeSymbol symbol = model.GetTypeSymbol(memberAccessExpression.Expression);
if (symbol == null)
{
continue;
}
if (!MethodsToCheck.Any(obj => obj == symbol.ToString() + "." + memberAccessExpression.Name.ToString()))
{
continue;
}
foreach (var argument in method.ArgumentList.Arguments)
{
if (IsVulnerable(argument.Expression))
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, argument, Enums.ScannerType.XPath));
break;
}
}
}
return(vulnerabilities);
}
/// <summary>
/// This method will find JWT Decode Method vulnerabilities
/// </summary>
/// <param name="syntaxNode"></param>
/// <param name="model"></param>
/// <param name="vulnerabilities"></param>
private void FindDecoders(SyntaxNode syntaxNode, SemanticModel model, ref List <VulnerabilityDetail> vulnerabilities)
{
var invocations = syntaxNode.DescendantNodes().OfType <InvocationExpressionSyntax>();
foreach (var item in invocations)
{
if (!DecodeMethods.Any(obj => item.Expression.ToString().Contains(obj)))
{
continue;
}
ISymbol symbol = model.GetSymbol(item.Expression);
if (symbol == null)
{
continue;
}
if (!Utils.ImplementsFrom(symbol.ContainingType, KnownType.JWT_IJwtDecoder))
{
continue;
}
if (!DecodeMethods.Contains(symbol.Name))
{
continue;
}
if (item.ArgumentList.Arguments.Count == 1)
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, item, Enums.ScannerType.JWTValidation));
continue;
}
bool vulnerable = false;
int i = -1;
foreach (var argument in item.ArgumentList.Arguments)
{
i++;
if (argument.NameColon != null && argument.NameColon.Name.ToString() != "verify")
{
continue;
}
if (argument.NameColon == null && i != 2)
{
continue;
}
ITypeSymbol typeSymbol = model.GetTypeSymbol(argument.Expression);
if (typeSymbol == null || typeSymbol.SpecialType != SpecialType.System_Boolean)
{
continue;
}
var constant = model.GetConstantValue(argument.Expression);
if (constant.HasValue && constant.Value is bool value && !value)
{
vulnerable = true;
}
}
if (vulnerable)
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, item, Enums.ScannerType.JWTValidation));
}
}
}
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var classDeclarations = syntaxNode.DescendantNodesAndSelf().OfType <ClassDeclarationSyntax>();
foreach (var item in classDeclarations)
{
if (item.AttributeLists != null && item.AttributeLists.Count == 0)
{
continue;
}
foreach (var attributeList in item.AttributeLists)
{
foreach (var attribute in attributeList.Attributes)
{
//Export
var exportSymbol = model.GetTypeSymbol(attribute);
if (exportSymbol == null || !ExportTypes.Contains(exportSymbol.ToString()))
{
continue;
}
if (attribute.ArgumentList == null || attribute.ArgumentList.Arguments.Count == 0)
{
continue;
}
TypeOfExpressionSyntax typeOfExpression = null;
if (attribute.ArgumentList.Arguments.Count == 1)
{
typeOfExpression = attribute.ArgumentList.Arguments[0].Expression as TypeOfExpressionSyntax;
}
else if (attribute.ArgumentList.Arguments.Count == 2)
{
int i = -1;
foreach (var attributeArgument in attribute.ArgumentList.Arguments)
{
i++;
if (i == 1 && attributeArgument.NameColon == null)
{
typeOfExpression = attributeArgument.Expression as TypeOfExpressionSyntax;
break;
}
else if (attributeArgument.NameColon != null && attributeArgument.NameColon.Name.ToString() == "contractType")
{
typeOfExpression = attributeArgument.Expression as TypeOfExpressionSyntax;
break;
}
}
}
if (typeOfExpression != null && ValidateType(model, typeOfExpression.Type, item))
{
var action = exportSymbol.TypeKind == TypeKind.Interface ? ActionForInterface : ActionForClass;
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, attribute, Enums.ScannerType.ExportInterface,
string.Format(message, action, exportSymbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat), typeOfExpression.Type.ToString())));
}
}
}
}
return(vulnerabilities);
}
/// <summary>
/// Determines the vulnerabilities in <paramref name="syntaxNode"/>
/// </summary>
/// <param name="syntaxNode"></param>
/// <param name="filePath"></param>
/// <param name="model"></param>
/// <param name="solution"></param>
/// <returns></returns>
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var objectCreationExpressions = syntaxNode.DescendantNodesAndSelf().OfType <ObjectCreationExpressionSyntax>();
foreach (var objectCreation in objectCreationExpressions)
{
ITypeSymbol typeSymbol = model.GetTypeSymbol(objectCreation);
if (typeSymbol == null || typeSymbol.ToString() != KnownType.System_DirectoryServices_DirectoryEntry)
{
continue;
}
if (objectCreation.ArgumentList == null || objectCreation.ArgumentList.Arguments.Count < 4)
{
continue;
}
// We're considering Argument length of 4 only
// public DirectoryEntry (string path, string username, string password, System.DirectoryServices.AuthenticationTypes authenticationType);
int index = -1;
foreach (var item in objectCreation.ArgumentList.Arguments)
{
index++;
if (item.NameColon == null && index == 3)
{
if (IsVulnerable(model, item.Expression))
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, item, Enums.ScannerType.LdapSecureConnection));
}
}
else if (item.NameColon != null && item.NameColon.Name.ToString() == "authenticationType")
{
if (IsVulnerable(model, item.Expression))
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, item, Enums.ScannerType.LdapSecureConnection));
}
}
}
}
var assignmentExpressions = syntaxNode.DescendantNodesAndSelf().OfType <AssignmentExpressionSyntax>();
foreach (var assignmentExpression in assignmentExpressions)
{
ISymbol symbol = model.GetSymbol(assignmentExpression.Left);
if (symbol == null || symbol.ToString() != KnownType.System_DirectoryServices_DirectoryEntry_AuthenticationType)
{
continue;
}
if (IsVulnerable(model, assignmentExpression.Right))
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, assignmentExpression.Right, Enums.ScannerType.LdapSecureConnection));
}
}
return(vulnerabilities);
}
/// <summary>
/// This method will find the Expressions caused by Process Class
/// </summary>
/// <returns></returns>
private IEnumerable <VulnerabilityDetail> FindProcessExpressions()
{
var invocationExpressions = _syntaxNode.DescendantNodesAndSelf().OfType <InvocationExpressionSyntax>();
foreach (var item in invocationExpressions)
{
ISymbol symbol = _model.GetSymbol(item);
if (symbol == null || symbol.ContainingType.ToString() + "." + symbol.Name.ToString() != Constants.KnownMethod.System_Diagnostics_Process_Start ||
item.ArgumentList.Arguments.Count == 0)
{
continue;
}
var argumentExpression = item.ArgumentList?.Arguments[0].Expression;
ITypeSymbol typeSymbol = _model.GetTypeSymbol(argumentExpression);
if (typeSymbol == null || typeSymbol.ToString() == Constants.KnownType.System_Diagnostics_ProcessStartInfo)
{
continue;
}
if (item.ArgumentList?.Arguments.Count == 1)
{
if (Utils.IsVulnerable(argumentExpression, _model, _solution))
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, item, Enums.ScannerType.CommandInjection, messageProcess));
}
continue;
}
int index = 0;
bool vulnerable = false;
foreach (var argument in item.ArgumentList.Arguments)
{
if (argument.NameColon is null)
{
if (index <= 1)
{
vulnerable = Utils.IsVulnerable(argument.Expression, _model, _solution);
}
}
else if (argument.NameColon.Name.ToString() == "fileName" || argument.NameColon.Name.ToString() == "arguments")
{
vulnerable = Utils.IsVulnerable(argument.Expression, _model, _solution);
}
if (vulnerable)
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, item, Enums.ScannerType.CommandInjection));
break;
}
index++;
}
}
return(vulnerabilities);
}
/// <summary>
/// Detremines Password Lockout vulnerabilities
/// </summary>
/// <param name="syntaxNode"></param>
/// <param name="filePath"></param>
/// <param name="model"></param>
/// <param name="solution"></param>
/// <returns></returns>
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var invocationExpressions = syntaxNode.DescendantNodes().OfType <InvocationExpressionSyntax>();
foreach (var item in invocationExpressions)
{
if (!(item.Expression is MemberAccessExpressionSyntax memberAccess) || !memberAccess.ToString().Contains("PasswordSignIn"))
{
continue;
}
ISymbol symbol = model.GetSymbol(memberAccess);
if (symbol == null)
{
continue;
}
if (symbol.ContainingNamespace.ToString() != KnownType.Microsoft_AspNet_Identity_Owin &&
symbol.ContainingNamespace.ToString() != KnownType.Microsoft_AspNetCore_Identity)
{
continue;
}
int argCount = symbol.Name == "CheckPasswordSignInAsync" ? 3 : 4;
string parameterName = symbol.ContainingNamespace.ToString() == KnownType.Microsoft_AspNet_Identity_Owin ? "shouldLockout" : "lockoutOnFailure";
if (item.ArgumentList == null || item.ArgumentList.Arguments.Count < argCount)
{
continue;
}
int i = -1;
foreach (var argument in item.ArgumentList.Arguments)
{
i++;
if (argument.NameColon == null && i != argCount - 1)
{
continue;
}
else if (argument.NameColon != null && argument.NameColon.Name.ToString() != parameterName)
{
continue;
}
var lockoutValue = model.GetConstantValue(argument.Expression);
if (lockoutValue.HasValue && lockoutValue.Value is bool value && !value)
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, argument, Enums.ScannerType.PasswordLockout));
}
break;
}
}
return(vulnerabilities);
}
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model = null, Solution solution = null)
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var objectCreations = syntaxNode.DescendantNodesAndSelf().OfType <ObjectCreationExpressionSyntax>();
foreach (var objectCreation in objectCreations)
{
var typeSymbol = model.GetTypeSymbol(objectCreation);
if (typeSymbol == null)
{
continue;
}
if (typeSymbol.DeclaringSyntaxReferences.Length == 0)
{
continue;
}
if (!model.Compilation.SyntaxTrees.Any(obj => obj == typeSymbol.DeclaringSyntaxReferences[0].SyntaxTree))
{
continue;
}
var semanticModel = model.Compilation.GetSemanticModel(typeSymbol.DeclaringSyntaxReferences[0].SyntaxTree);
if (!(typeSymbol.DeclaringSyntaxReferences[0].GetSyntaxAsync().Result is ClassDeclarationSyntax declaration))
{
continue;
}
if (declaration.AttributeLists.Count > 0)
{
foreach (var attributeList in declaration.AttributeLists)
{
foreach (var attribute in attributeList.Attributes)
{
ITypeSymbol attributeSymbol = semanticModel.GetTypeSymbol(attribute.Name);
if (attributeSymbol == null || attributeSymbol.ToString() != PartCreationPolicy_Attribute || attribute.ArgumentList?.Arguments.Count == 0)
{
continue;
}
var optional = semanticModel.GetConstantValue(attribute.ArgumentList?.Arguments.First().Expression);
if (optional.HasValue && optional.Value is int value && value == 1)
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, objectCreation, Enums.ScannerType.SharedInstance));
}
}
}
}
}
return(vulnerabilities);
}
public IEnumerable <VulnerabilityDetail> FindVulnerabilties(SyntaxNode syntaxNode, string filePath, SemanticModel model, Solution solution = null)
{
var catchStatements = syntaxNode.DescendantNodes().OfType <CatchClauseSyntax>();
var vulnerabilities = new List <VulnerabilityDetail>();
foreach (var item in catchStatements)
{
if (!item.Block.DescendantNodes().Any())
{
vulnerabilities.Add(VulnerabilityDetail.Create(filePath, item, Enums.ScannerType.EmptyCatch));
}
}
return(vulnerabilities);
}
/// <summary>
/// This method will find the Insecure Serializer Object Creations
/// </summary>
/// <returns></returns>
private List <VulnerabilityDetail> FindVulnerableObjectCreations()
{
List <VulnerabilityDetail> vulnerabilities = new List <VulnerabilityDetail>();
var objectCreations = _syntaxNode.DescendantNodesAndSelf().OfType <ObjectCreationExpressionSyntax>();
foreach (var item in objectCreations)
{
ITypeSymbol typeSymbol = _model.GetTypeSymbol(item);
if (typeSymbol == null)
{
continue;
}
if (_insecureObjectCreation.Any(obj => obj == typeSymbol.ToString()))
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, item, ScannerType.InsecureDeserialization));
}
else if (typeSymbol.ToString() == KnownType.System_Web_UI_LosFormatter)
{
if (IsVulnerable_LosFormatter(item))
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, item, ScannerType.InsecureDeserialization));
}
}
else if (typeSymbol.ToString() == KnownType.System_Web_Script_Serialization_JavaScriptSerializer)
{
if (item.ArgumentList == null)
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, item, ScannerType.InsecureDeserialization));
continue;
}
var argument = item.ArgumentList.Arguments.FirstOrDefault();
if (argument == null || argument.Expression.Kind() == SyntaxKind.NullLiteralExpression)
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, item, ScannerType.InsecureDeserialization));
continue;
}
typeSymbol = _model.GetTypeSymbol(argument.Expression);
if (typeSymbol == null)
{
continue;
}
if (typeSymbol.ToString() == KnownType.System_Web_Script_Serialization_SimpleTypeResolver || IsVulnerable_Resolver(typeSymbol))
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, item, ScannerType.InsecureDeserialization));
}
}
}
return(vulnerabilities);
}
private void CheckSpaceBetweenStrings(List <StringWrapper> stringWrappers)
{
for (var i = 0; i < stringWrappers.Count - 1; i++)
{
var firstStringText = stringWrappers[i].Text;
var secondString = stringWrappers[i + 1];
var secondStringText = secondString.Text;
if (firstStringText.Length > 0 && IsAlphaNumericOrAt(firstStringText.ToCharArray().Last()) &&
secondStringText.Length > 0 && IsAlphaNumericOrAt(secondStringText[0]))
{
var word = secondStringText.Split(' ').FirstOrDefault();
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, secondString.Node, Enums.ScannerType.SqlKeywordDelimit, string.Format(message, word)));
}
}
}
/// <summary>
/// This method will find Open Redirect vulnerabilities in <paramref name="item"/>
/// </summary>
/// <param name="item"></param>
private void FindOpenRedirect(InvocationExpressionSyntax item)
{
if (!(model.GetSymbol(item) is IMethodSymbol symbol))
{
return;
}
if (Redirect_MethodNames.Contains(symbol.Name) && Response_ReceiverType.Contains(symbol.ReceiverType.ToString()) &&
item.ArgumentList.Arguments.Count > 0)
{
if (IsVulnerable(item.ArgumentList.Arguments.First().Expression))
{
vulnerabilities.Add(VulnerabilityDetail.Create(_filePath, item.Parent, Enums.ScannerType.OpenRedirect));
}
}
}