/// <summary>
/// Analyses a custom function in for security issues, with the currenctly known taint for actual parameters.
/// </summary>
/// <returns>A TainSets for the custom function that is being analyzed</returns>
/// <param name="customFunction">Custom function object to perform the analysis on</param>
/// <param name="varStorage">The currently known variable storage (this is to included because of superglobals, globals etc.)</param>
/// <param name="paramActualVals">Parameter actual values</param>
/// <param name="resolver">File inclusion resolver</param>
/// <param name="includeStack">Currently known includes</param>
/// <param name="functionCalls">Currently known function calls</param>
internal ExpressionInfo AnalyseCustomFunction(Function customFunction, ImmutableVariableStorage varStorage, IVulnerabilityStorage vulnerabilityStorage,
IList<ExpressionInfo> paramActualVals, IIncludeResolver resolver, AnalysisStacks stacks)
{
var stmts = customFunction.AstNode.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Stmts).FirstChild;
var traverser = new XmlTraverser();
var cfgcreator = new CFGCreator();
traverser.AddVisitor(cfgcreator);
traverser.Traverse(stmts);
var cfgPruner = new CFGPruner();
cfgPruner.Prune(cfgcreator.Graph);
var initialTaint = varStorage.ToMutable();
initialTaint.SuperGlobals.Clear();
initialTaint.SuperGlobals.AddRange(varStorage.SuperGlobals);
initialTaint.LocalVariables.Clear();
initialTaint.LocalAccessibleGlobals.Clear();
for(int i = 1; i <= paramActualVals.Count; i++)
{
var paramFormal = customFunction.Parameters.FirstOrDefault(x => x.Key.Item1 == i);
if (paramFormal.Value == null)
{
continue;
}
var @var = new Variable(paramFormal.Value.Name, VariableScope.Function) {Info = paramActualVals[i - 1].ValueInfo};
initialTaint.LocalVariables.Add(paramFormal.Value.Name, @var);
}
var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, resolver, AnalysisScope.Function, fileAnalyzer, stacks, subroutineAnalyzerFactory);
blockAnalyzer.AnalysisExtensions.AddRange(AnalysisExtensions);
var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.Function, resolver, stacks.IncludeStack);
var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, ImmutableVariableStorage.CreateFromMutable(initialTaint));
//var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(cfgcreator.Graph));
taintAnalysis.Analyze(cfgcreator.Graph);
var exprInfoAll = new ExpressionInfo();
foreach (ExpressionInfo exprInfo in blockAnalyzer.ReturnInfos)
{
exprInfoAll = exprInfoAll.Merge(exprInfo);
}
return exprInfoAll;
}
private static File BuildFileCFGAndExtractFileInformation(KeyValuePair<string, XmlDocument> parsedFile)
{
var traverser = new XmlTraverser();
var metricAnalyzer = new MetricVisitor();
var extractor = new ClassAndFunctionExtractor();
var printer = new ASTPrinter(Console.Out);
var cfgcreator = new CFGCreator();
traverser.AddVisitor(extractor);
traverser.AddVisitor(metricAnalyzer);
traverser.AddVisitor(cfgcreator);
//traverser.AddVisitor(printer);
traverser.AddVisitors(_components.AstVisitors.ToArray());
traverser.Traverse(parsedFile.Value.FirstChild.NextSibling);
foreach (var function in extractor.Functions)
{
function.File = parsedFile.Key;
}
foreach (var closure in extractor.Closures)
{
closure.File = parsedFile.Key;
}
FunctionsHandler.Instance.CustomFunctions.AddRange(extractor.Functions);
foreach (var @class in extractor.Classes)
{
@class.File = parsedFile.Key;
foreach (var method in @class.Methods)
{
//HACK: This is not a good way to handle this! Should we add a new derived function class called method that includes the class name
//-||-: and make a special list for them in the function handler, or is this okay?
method.Name = @class.Name + "->" + method.Name;
method.File = parsedFile.Key;
FunctionsHandler.Instance.CustomFunctions.Add(method);
}
}
//cfgcreator.Graph.VisualizeGraph("graph", Program.Configuration.GraphSettings);
var cfgPruner = new CFGPruner();
cfgPruner.Prune(cfgcreator.Graph);
//cfgcreator.Graph.VisualizeGraph("graph-pruned", Configuration.GraphSettings);
File file = new File(parsedFile.Value) {
CFG = cfgcreator.Graph,
FullPath = parsedFile.Key,
Interfaces = extractor.Interfaces.GroupBy(i => i.Name, i => i).ToDictionary(i => i.Key, i => i.ToList()),
Classes = extractor.Classes.GroupBy(c => c.Name, c => c).ToDictionary(c => c.Key, c => c.ToList()),
Closures = extractor.Closures.ToArray(),
Functions = extractor.Functions.GroupBy(i => i.Name, i => i).ToDictionary(i => i.Key, i => i.ToList())
};
return file;
}