public ImmutableVariableStorage GetTaint() { var defaultTaint = new DefaultTaintProvider().GetTaint(); var variableStorage = defaultTaint.ToMutable(); foreach (var superGlobal in variableStorage.SuperGlobals) { foreach (var var in superGlobal.Value.Info.Variables) { var newTaint = var.Value.Info.Taints.DeepClone(); if (newTaint.SqliTaint.Single().TaintTag > SQLITaint.SQL_NoQ) { newTaint.SqliTaint.Clear(); newTaint.SqliTaint.Add(new SQLITaintSet( SQLITaint.SQL_NoQ)); } var.Value.Info.Taints = newTaint; var.Value.Info.DefaultDimensionTaintFactory = () => new TaintSets(new SQLITaintSet(SQLITaint.SQL_NoQ), new XSSTaintSet(XSSTaint.XSS_ALL)); var.Value.Info.NestedVariableDefaultTaintFactory = var.Value.Info.DefaultDimensionTaintFactory; } } var wpdbGlobal = new Variable("wpdb", VariableScope.File); var prefixVar = new Variable("prefix", VariableScope.Instance) { Info = { Value = "Eir_" } }; wpdbGlobal.Info.Variables.Add(new VariableTreeDimension() { Key = "prefix" }, prefixVar); wpdbGlobal.Info.ClassNames.Add("wpdb"); variableStorage.GlobalVariables.Add("wpdb", wpdbGlobal); return ImmutableVariableStorage.CreateFromMutable(variableStorage); }
private void ParseAndAnalyze(string php, IVulnerabilityStorage storage) { var extractedFuncs = PHPParseUtils.ParseAndIterate<ClassAndFunctionExtractor>(php, Config.PHPSettings.PHPParserPath).Functions; FunctionsHandler.Instance.CustomFunctions.AddRange(extractedFuncs); var cfg = PHPParseUtils.ParseAndIterate<CFGCreator>(php, Config.PHPSettings.PHPParserPath).Graph; var incResolver = new IncludeResolver(new List<File>()); var fileStack = new Stack<File>(); fileStack.Push(new File() { FullPath = @"C:\TestFile.txt" }); var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.File, incResolver, fileStack); var funcMock = new Mock<Func<ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage>>(); var blockAnalyzer = new TaintBlockAnalyzer(storage, incResolver, AnalysisScope.File, funcMock.Object, new AnalysisStacks(fileStack), new FunctionAndMethodAnalyzerFactory()); var immutableInitialTaint = new DefaultTaintProvider().GetTaint(); var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, immutableInitialTaint); var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist()); taintAnalysis.Analyze(cfg); }
private static void ScanUnscannedSubroutines(List<File> filesCollection, Func<ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> fileTaintAnalyzer, FunctionAndMethodAnalyzerFactory subroutineAnalyzerFactory, ReportingVulnerabilityStorage vulnerabilityStorage) { var defaultTaint = new DefaultTaintProvider().GetTaint(); foreach (var file in filesCollection) { var analysisStacks = new AnalysisStacks(file); var analyser = new FunctionAndMethodAnalyzer(defaultTaint, new IncludeResolver(filesCollection), analysisStacks, new CustomFunctionHandler(fileTaintAnalyzer, subroutineAnalyzerFactory), vulnerabilityStorage); foreach (var function in file.Functions.SelectMany(f => f.Value).Except(FunctionsHandler.Instance.ScannedFunctions)) { var functionCall = new FunctionCall(function.Name, function.AstNode, 0, 0); analysisStacks.CallStack.Push(functionCall); analyser.AnalyzeFunctionCall(functionCall, new List<ExpressionInfo>()); } foreach (var @class in file.Classes.SelectMany(c => c.Value)) { foreach (var method in @class.Methods.Except(FunctionsHandler.Instance.ScannedFunctions)) { var methodCall = new MethodCall(method.Name, new [] { @class.Name }, method.AstNode, 0, 0); analysisStacks.CallStack.Push(methodCall); analyser.AnalyzeMethodCall(methodCall, new List<ExpressionInfo>()); } } } }
private void AssertNoOfVulnsInMultipleCodeFiles(Tuple<string, string>[] codeFiles, int numberOfVulns) { var vulnStorage = new Mock<IVulnerabilityStorage>(); var parsedFiles = codeFiles.Select(code => new File(PHPParseUtils.ParsePHPCode(code.Item2, Config.PHPSettings.PHPParserPath)) { FullPath = code.Item1, CFG = PHPParseUtils.ParseAndIterate<CFGCreator>(code.Item2, Config.PHPSettings.PHPParserPath).Graph }).ToArray(); Func<ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> fileTaintAnalyzer = null; fileTaintAnalyzer = (varStorage, inclResolver, scope, stacks) => { Preconditions.NotNull(varStorage, "varStorage"); Preconditions.NotNull(inclResolver, "inclResolver"); var fileToAnalyze = stacks.IncludeStack.Peek(); var blockAnalyzer = new TaintBlockAnalyzer(vulnStorage.Object, inclResolver, scope, fileTaintAnalyzer, stacks, new FunctionAndMethodAnalyzerFactory()); var condAnalyser = new ConditionTaintAnalyser(scope, inclResolver, stacks.IncludeStack); var cfgTaintAnalysis = new PHPAnalysis.Analysis.CFG.TaintAnalysis(blockAnalyzer, condAnalyser, varStorage); var analyzer = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(fileToAnalyze.CFG)); analyzer.Analyze(fileToAnalyze.CFG); return cfgTaintAnalysis.Taints[fileToAnalyze.CFG.Vertices.Single(block => block.IsLeaf)].Out[EdgeType.Normal]; }; foreach (var file in parsedFiles) { var inclusionResolver = new IncludeResolver(parsedFiles); var fileStack = new Stack<File>(); fileStack.Push(file); var immutableInitialTaint = new DefaultTaintProvider().GetTaint(); var stacks = new AnalysisStacks(fileStack); fileTaintAnalyzer(immutableInitialTaint, inclusionResolver, AnalysisScope.File, stacks); } vulnStorage.Verify(x => x.AddVulnerability(It.IsAny<IVulnerabilityInfo>()), Times.Exactly(numberOfVulns)); }
private static ImmutableVariableStorage GetDefaultTaint() { var defaultTaint = new DefaultTaintProvider().GetTaint(); if (_components.TaintProviders.Count == 1) { return _components.TaintProviders.Single().GetTaint(); } if (_components.TaintProviders.Count > 1) { Console.WriteLine("Found multiple taint providers. Can't decide which one to use. Using builtin default taint."); } return defaultTaint; }