コード例 #1
0
        public ModuleResults GetResults(InstanceInfo instanceInfo)
        {
            List<string> report = new List<string>();

            bool isWebSite = ProjectCodeFilesHelper.Current.IsWebSiteProject(instanceInfo.Directory);

            List<string> customerCodeFiles = ProjectCodeFilesHelper.Current.GetCustomerProjectCodeFiles(instanceInfo.Directory, instanceInfo.Version, isWebSite, true).ToList();
            if (customerCodeFiles.Count == 0)
            {
                return new ModuleResults
                {
                    ResultComment = "No customer files found.",
                    Status = Status.Good
                };
            }

            report.AddRange(customerCodeFiles);

            VulnerabilityAnalysisResults results = new VulnerabilityAnalysisResults();
            AnalyseVulnerabilities(instanceInfo.Directory, customerCodeFiles, ref results);
            string resultString = PrintResults(results);
            if (!String.IsNullOrEmpty(resultString))
            {
                report.Add(String.Empty);
                report.AddRange(resultString.Split(new[] { "<br />" }, StringSplitOptions.None));
            }

            return new ModuleResults
            {
                Result = report,
                Trusted = true
            };
        }
コード例 #2
0
        /// <summary>
        /// Analyses code file for presence of security vulnerabilities.
        /// </summary>
        /// <param name="pathToKenticoInstance">Path to Kentico instance (e.g. <c>C:\inetpub\wwwroot\myKenticoInstance\CMS</c>).</param>
        /// <param name="fileWithinInstance">File to be analysed within the instance (relative paths).</param>
        /// <param name="results">Analysis results (the results are appended).</param>
        private void AnalyseVulnerabilities(DirectoryInfo pathToKenticoInstance, string fileWithinInstance, ref VulnerabilityAnalysisResults results)
        {
            var filePath = Path.Combine(pathToKenticoInstance.FullName, fileWithinInstance);
            var lines = File.ReadAllLines(filePath);
            int lineNo = 1;
            foreach (var line in lines)
            {
                string sqlInjection = null;
                string potentialSqlInjection = null;
                string potentialXss = null;

                AnalyseSqlInjection(line, ref sqlInjection, ref potentialSqlInjection);
                AnalyseXss(line, ref potentialXss);

                if (!String.IsNullOrEmpty(sqlInjection))
                {
                    results.SqlInjections.Add(String.Format("File: '{0}', line {1}: {2}", fileWithinInstance, lineNo, HttpUtility.HtmlEncode(sqlInjection)));
                }
                if (!String.IsNullOrEmpty(potentialSqlInjection))
                {
                    results.PotentialSqlInjections.Add(String.Format("File: '{0}', line {1}: {2}", fileWithinInstance, lineNo, HttpUtility.HtmlEncode(potentialSqlInjection)));
                }
                if (!String.IsNullOrEmpty(potentialXss))
                {
                    results.PotentialXss.Add(String.Format("File: '{0}', line {1}: {2}", fileWithinInstance, lineNo, HttpUtility.HtmlEncode(potentialXss)));
                }

                ++lineNo;
            }
        }
コード例 #3
0
        /// <summary>
        /// Prints analysis result to string with HTML formatting. Vulnerabilites are highlighted.
        /// </summary>
        /// <param name="results">Results to be printed.</param>
        /// <returns>String with formatted results.</returns>
        private string PrintResults(VulnerabilityAnalysisResults results)
        {
            StringBuilder res = new StringBuilder();

            if (results.SqlInjections.Count > 0)
            {
                res.Append("<strong>Check the following files for SQL injection:</strong><br />")
                        .Append(PrintHighlightedResults(results.SqlInjections)).Append("<br />");
            }
            if (results.PotentialSqlInjections.Count > 0)
            {
                res.Append("<strong>Check the following files for potential SQL injection:</strong><br />")
                        .Append(PrintHighlightedResults(results.PotentialSqlInjections)).Append("<br />");
            }
            if (results.PotentialXss.Count > 0)
            {
                res.Append("<strong>Check the following files for XSS:</strong><br />")
                        .Append(PrintHighlightedResults(results.PotentialXss)).Append("<br />");
            }

            return res.ToString();
        }
コード例 #4
0
 /// <summary>
 /// Analyses code files for presence of security vulnerabilites.
 /// </summary>
 /// <param name="pathToKenticoInstance">Path to Kentico instance (e.g. <c>C:\inetpub\wwwroot\myKenticoInstance\CMS</c>).</param>
 /// <param name="filesWithinInstance">Files to be analysed within the instance (relative paths).</param>
 /// <param name="results">Analysis results (the results are appended).</param>
 private void AnalyseVulnerabilities(DirectoryInfo pathToKenticoInstance, IEnumerable<string> filesWithinInstance, ref VulnerabilityAnalysisResults results)
 {
     foreach (var fileWithinInstance in filesWithinInstance)
     {
         AnalyseVulnerabilities(pathToKenticoInstance, fileWithinInstance, ref results);
     }
 }