public virtual void VisitAssignment(VisualBasicSyntaxNode node,
ExecutionState state,
MethodBehavior behavior,
ISymbol symbol,
VariableState variableRightState)
{
}
public virtual void VisitAssignment(CSharpSyntax.AssignmentExpressionSyntax node,
ExecutionState state,
MethodBehavior behavior,
ISymbol symbol,
VariableState variableRightState)
{
}
private VariableState VisitAssignment(VisualBasicSyntaxNode node,
ExpressionSyntax leftExpression,
ExpressionSyntax rightExpression,
ExecutionState state)
{
var leftSymbol = state.GetSymbol(leftExpression);
MethodBehavior behavior = null;
if (leftSymbol != null)
{
behavior = leftSymbol.GetMethodBehavior(state.AnalysisContext.Options.AdditionalFiles);
}
var variableState = VisitExpression(rightExpression, state);
//Additional analysis by extension
foreach (var ext in Extensions)
{
ext.VisitAssignment(node, state, behavior, leftSymbol, variableState);
}
if (leftSymbol != null)
{
var rightTypeSymbol = state.AnalysisContext.SemanticModel.GetTypeInfo(rightExpression).Type;
if (rightTypeSymbol == null)
{
return(new VariableState(rightExpression, VariableTaint.Unknown));
}
var leftTypeSymbol = state.AnalysisContext.SemanticModel.GetTypeInfo(leftExpression).Type;
if (!state.AnalysisContext.SemanticModel.Compilation.ClassifyConversion(rightTypeSymbol, leftTypeSymbol).Exists)
{
return(new VariableState(rightExpression, VariableTaint.Unknown));
}
}
if (behavior != null && //Injection
behavior.IsInjectableField &&
variableState.Taint != VariableTaint.Constant && //Skip safe values
variableState.Taint != VariableTaint.Safe)
{
var newRule = LocaleUtil.GetDescriptor(behavior.LocaleInjection, "title_assignment");
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
if (behavior != null && //Known Password API
behavior.IsPasswordField &&
variableState.Taint == VariableTaint.Constant) //Only constant
{
var newRule = LocaleUtil.GetDescriptor(behavior.LocalePassword, "title_assignment");
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
//TODO: taint the variable being assigned.
return(variableState);
}
private VariableState VisitAssignment(VisualBasicSyntaxNode node,
ExpressionSyntax leftExpression,
ExpressionSyntax rightExpression,
ExecutionState state)
{
var leftSymbol = state.GetSymbol(leftExpression);
MethodBehavior behavior = null;
if (leftSymbol != null)
{
behavior = leftSymbol.GetMethodBehavior(ProjectConfiguration.Behavior);
}
var variableState = VisitExpression(rightExpression, state);
//Additional analysis by extension
foreach (var ext in Extensions)
{
ext.VisitAssignment(node, state, behavior, leftSymbol, variableState);
}
//if (leftSymbol != null)
//{
// var rightTypeSymbol = state.AnalysisContext.SemanticModel.GetTypeInfo(rightExpression).Type;
// if (rightTypeSymbol == null)
// return new VariableState(rightExpression, VariableTaint.Unknown);
// var leftTypeSymbol = state.AnalysisContext.SemanticModel.GetTypeInfo(leftExpression).Type;
// if (!state.AnalysisContext.SemanticModel.Compilation.ClassifyConversion(rightTypeSymbol, leftTypeSymbol).Exists)
// return new VariableState(rightExpression, VariableTaint.Unknown);
//}
if (variableState.Taint != VariableTaint.Constant &&
behavior != null &&
// compare if all required sanitization bits are set
((ulong)(variableState.Taint & VariableTaint.Safe) & behavior.InjectableField.RequiredTaintBits) != behavior.InjectableField.RequiredTaintBits &&
(variableState.Taint & (ProjectConfiguration.AuditMode ? VariableTaint.Tainted | VariableTaint.Unknown : VariableTaint.Tainted)) != 0)
{
var newRule = LocaleUtil.GetDescriptor(behavior.InjectableField.Locale, "title_assignment");
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
//TODO: taint the variable being assigned.
return(variableState);
}
private IReadOnlyDictionary <int, PostCondition> GetPostConditions(MethodBehavior behavior, bool isExtensionMethod, ArgumentListSyntax argList, ExecutionState state)
{
if (behavior.Conditions == null)
{
return(behavior.PostConditions);
}
foreach (var condition in behavior.Conditions)
{
if (CheckPrecondition(condition.If, isExtensionMethod, argList, state))
{
return(condition.Then);
}
}
return(behavior.PostConditions);
}
private VariableState VisitAssignment(VisualBasicSyntaxNode node,
ExpressionSyntax leftExpression,
ExpressionSyntax rightExpression,
ExecutionState state)
{
var symbol = state.GetSymbol(leftExpression);
MethodBehavior behavior = BehaviorRepo.GetMethodBehavior(symbol);
var variableState = VisitExpression(rightExpression, state);
//Additional analysis by extension
foreach (var ext in Extensions)
{
ext.VisitAssignment(node, state, behavior, symbol, variableState);
}
IdentifierNameSyntax parentIdentifierSyntax = GetParentIdentifier(leftExpression);
if (parentIdentifierSyntax != null)
{
state.MergeValue(ResolveIdentifier(parentIdentifierSyntax.Identifier), variableState);
}
if (behavior != null && //Injection
behavior.IsInjectableField &&
variableState.Taint != VariableTaint.Constant && //Skip safe values
variableState.Taint != VariableTaint.Safe)
{
var newRule = LocaleUtil.GetDescriptor(behavior.LocaleInjection, "title_assignment");
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
if (behavior != null && //Known Password API
behavior.IsPasswordField &&
variableState.Taint == VariableTaint.Constant) //Only constant
{
var newRule = LocaleUtil.GetDescriptor(behavior.LocalePassword, "title_assignment");
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
//TODO: taint the variable being assigned.
return(variableState);
}
/// <summary>
/// Logic for each method invocation (including constructor)
/// The argument list is required because <code>InvocationExpressionSyntax</code> and
/// <code>ObjectCreationExpressionSyntax</code> do not share a common interface.
/// </summary>
/// <param name="node"></param>
/// <param name="argList"></param>
/// <param name="state"></param>
/// <returns></returns>
private VariableState VisitInvocationAndCreation(ExpressionSyntax node,
ArgumentListSyntax argList,
ExecutionState state)
{
var symbol = state.GetSymbol(node);
MethodBehavior behavior = BehaviorRepo.GetMethodBehavior(symbol);
int i = 0;
if (argList == null)
{
return(new VariableState(node, VariableTaint.Unknown));
}
var returnState = new VariableState(node, VariableTaint.Safe);
foreach (var argument in argList.Arguments)
{
var argumentState = VisitExpression(argument.Expression, state);
if (symbol != null)
{
Logger.Log(symbol.ContainingType + "." + symbol.Name + " -> " + argumentState);
}
if (behavior != null)
{
//If the API is at risk
if ((argumentState.Taint == VariableTaint.Tainted ||
argumentState.Taint == VariableTaint.Unknown) && //Tainted values
//If the current parameter can be injected.
Array.Exists(behavior.InjectablesArguments, element => element == i))
{
var newRule = LocaleUtil.GetDescriptor(behavior.LocaleInjection);
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
else if (argumentState.Taint == VariableTaint.Constant && //Hard coded value
//If the current parameter is a password
Array.Exists(behavior.PasswordArguments, element => element == i))
{
var newRule = LocaleUtil.GetDescriptor(behavior.LocalePassword);
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
else if (Array.Exists(behavior.TaintFromArguments, element => element == i))
{
returnState = returnState.Merge(argumentState);
}
}
//TODO: tainted all object passed in argument
i++;
}
//Additional analysis by extension
foreach (var ext in Extensions)
{
ext.VisitInvocationAndCreation(node, argList, state);
}
var hasTaintFromArguments = behavior?.TaintFromArguments?.Length > 0;
return(hasTaintFromArguments ? returnState : new VariableState(node, VariableTaint.Unknown));
}