private void ParseAndAnalyze(string php, IVulnerabilityStorage storage) { FunctionsHandler fh = new FunctionsHandler(Config.FuncSpecSettings); fh.LoadJsonSpecifications(); var extractedFuncs = PHPParseUtils.ParseAndIterate <ClassAndFunctionExtractor>(php, Config.PHPSettings.PHPParserPath).Functions; fh.CustomFunctions.AddRange(extractedFuncs); var cfg = PHPParseUtils.ParseAndIterate <CFGCreator>(php, Config.PHPSettings.PHPParserPath).Graph; var incResolver = new IncludeResolver(new List <File>()); var fileStack = new Stack <File>(); fileStack.Push(new File() { FullPath = @"C:\TestFile.txt" }); var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.File, incResolver, fileStack, fh); var funcMock = new Mock <Func <ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> >(); var blockAnalyzer = new TaintBlockAnalyzer(storage, incResolver, AnalysisScope.File, funcMock.Object, new AnalysisStacks(fileStack), new FunctionAndMethodAnalyzerFactory(), fh); var immutableInitialTaint = new DefaultTaintProvider().GetTaint(); var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, immutableInitialTaint); var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist()); taintAnalysis.Analyze(cfg); }
private static void ScanUnscannedSubroutines(List <File> filesCollection, Func <ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> fileTaintAnalyzer, FunctionAndMethodAnalyzerFactory subroutineAnalyzerFactory, ReportingVulnerabilityStorage vulnerabilityStorage) { var defaultTaint = new DefaultTaintProvider().GetTaint(); foreach (var file in filesCollection) { Console.WriteLine("Scanning " + file.Name); var analysisStacks = new AnalysisStacks(file); var analyser = new FunctionAndMethodAnalyzer(defaultTaint, new IncludeResolver(filesCollection), analysisStacks, new CustomFunctionHandler(fileTaintAnalyzer, subroutineAnalyzerFactory, _funcHandler), vulnerabilityStorage, _funcHandler); foreach (var function in file.Functions.SelectMany(f => f.Value).Except(_funcHandler.ScannedFunctions)) { Console.WriteLine("> Scanning method " + function.Name); var functionCall = new FunctionCall(function.Name, function.AstNode, 0, 0); analysisStacks.CallStack.Push(functionCall); analyser.AnalyzeFunctionCall(functionCall, new List <ExpressionInfo>()); } foreach (var @class in file.Classes.SelectMany(c => c.Value)) { foreach (var method in @class.Methods.Except(_funcHandler.ScannedFunctions)) { Console.WriteLine("> Scanning method " + method.Name); var methodCall = new MethodCall(method.Name, new [] { @class.Name }, method.AstNode, 0, 0); analysisStacks.CallStack.Push(methodCall); analyser.AnalyzeMethodCall(methodCall, new List <ExpressionInfo>()); } } } }
private static ImmutableVariableStorage GetDefaultTaint() { var defaultTaint = new DefaultTaintProvider().GetTaint(); if (_components.TaintProviders.Count == 1) { return(_components.TaintProviders.Single().GetTaint()); } if (_components.TaintProviders.Count > 1) { Console.WriteLine("Found multiple taint providers. Can't decide which one to use. Using builtin default taint."); } return(defaultTaint); }
private void AssertNoOfVulnsInMultipleCodeFiles(Tuple <string, string>[] codeFiles, int numberOfVulns) { FunctionsHandler fh = new FunctionsHandler(Config.FuncSpecSettings); fh.LoadJsonSpecifications(); var vulnStorage = new Mock <IVulnerabilityStorage>(); var parsedFiles = codeFiles.Select(code => new File(PHPParseUtils.ParsePHPCode(code.Item2, Config.PHPSettings.PHPParserPath)) { FullPath = code.Item1, CFG = PHPParseUtils.ParseAndIterate <CFGCreator>(code.Item2, Config.PHPSettings.PHPParserPath).Graph }).ToArray(); Func <ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> fileTaintAnalyzer = null; fileTaintAnalyzer = (varStorage, inclResolver, scope, stacks) => { Preconditions.NotNull(varStorage, "varStorage"); Preconditions.NotNull(inclResolver, "inclResolver"); var fileToAnalyze = stacks.IncludeStack.Peek(); var blockAnalyzer = new TaintBlockAnalyzer(vulnStorage.Object, inclResolver, scope, fileTaintAnalyzer, stacks, new FunctionAndMethodAnalyzerFactory(), fh); var condAnalyser = new ConditionTaintAnalyser(scope, inclResolver, stacks.IncludeStack, fh); var cfgTaintAnalysis = new PHPAnalysis.Analysis.CFG.TaintAnalysis(blockAnalyzer, condAnalyser, varStorage); var analyzer = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(fileToAnalyze.CFG)); analyzer.Analyze(fileToAnalyze.CFG); return(cfgTaintAnalysis.Taints[fileToAnalyze.CFG.Vertices.Single(block => block.IsLeaf)].Out[EdgeType.Normal]); }; foreach (var file in parsedFiles) { var inclusionResolver = new IncludeResolver(parsedFiles); var fileStack = new Stack <File>(); fileStack.Push(file); var immutableInitialTaint = new DefaultTaintProvider().GetTaint(); var stacks = new AnalysisStacks(fileStack); fileTaintAnalyzer(immutableInitialTaint, inclusionResolver, AnalysisScope.File, stacks); } vulnStorage.Verify(x => x.AddVulnerability(It.IsAny <IVulnerabilityInfo>()), Times.Exactly(numberOfVulns)); }
public ImmutableVariableStorage GetTaint() { var defaultTaint = new DefaultTaintProvider().GetTaint(); var variableStorage = defaultTaint.ToMutable(); foreach (var superGlobal in variableStorage.SuperGlobals) { foreach (var var in superGlobal.Value.Info.Variables) { var newTaint = var.Value.Info.Taints.DeepClone(); if (newTaint.SqliTaint.Single().TaintTag > SQLITaint.SQL_NoQ) { newTaint.SqliTaint.Clear(); newTaint.SqliTaint.Add(new SQLITaintSet(SQLITaint.SQL_NoQ)); } var.Value.Info.Taints = newTaint; var.Value.Info.DefaultDimensionTaintFactory = () => new TaintSets(new SQLITaintSet(SQLITaint.SQL_NoQ), new XSSTaintSet(XSSTaint.XSS_ALL)); var.Value.Info.NestedVariableDefaultTaintFactory = var.Value.Info.DefaultDimensionTaintFactory; } } var wpdbGlobal = new Variable("wpdb", VariableScope.File); var prefixVar = new Variable("prefix", VariableScope.Instance) { Info = { Value = "Eir_" } }; wpdbGlobal.Info.Variables.Add(new VariableTreeDimension() { Key = "prefix" }, prefixVar); wpdbGlobal.Info.ClassNames.Add("wpdb"); variableStorage.GlobalVariables.Add("wpdb", wpdbGlobal); return(ImmutableVariableStorage.CreateFromMutable(variableStorage)); }