public void StoredVulns_TempSanitize(string phpCode, int vulns)
{
var reporter = new Mock<IVulnerabilityReporter>();
var vulnStorage = new ReportingVulnerabilityStorage(reporter.Object);
ParseAndAnalyze(phpCode, vulnStorage);
vulnStorage.CheckForStoredVulnerabilities();
reporter.Verify(x => x.ReportStoredVulnerability(It.IsAny<IVulnerabilityInfo[]>()), Times.Exactly(vulns));
}
public void StoredVulnInFunction()
{
string phpCode = @"<?php $test = 'INSERT INTO products (product_name) VALUES (' . $_GET['test'] . ')';
mysql_query($test);
$result = mysql_query('SELECT product_name FROM products');
echo $result;
mysql_query('INSERT INTO products (product_name) VALUES (' . $_GET['test2'] . ')');
$result = mysql_query('SELECT product_name FROM products');
echo $result;";
var reporter = new Mock<IVulnerabilityReporter>();
var vulnStorage = new ReportingVulnerabilityStorage(reporter.Object);
ParseAndAnalyze(phpCode, vulnStorage);
vulnStorage.CheckForStoredVulnerabilities();
reporter.Verify(x => x.ReportStoredVulnerability(It.IsAny<IVulnerabilityInfo[]>()), Times.Exactly(2));
}
public void UnknownFunctionTest_NoTaintedInput()
{
string phpCode = @"<?php echo hello('fisk'); ?>";
var vulnStorage = new ReportingVulnerabilityStorage(new Mock<IVulnerabilityReporter>().Object);
ParseAndAnalyze(phpCode, vulnStorage);
Assert.AreEqual(0, vulnStorage.Vulnerabilities.Count());
}
public void UnknownFunctionTest_ShouldCreateOneError()
{
string phpCode = @"<?php echo hello($_GET['test']); ?>";
var vulnStorage = new ReportingVulnerabilityStorage(new Mock<IVulnerabilityReporter>().Object);
ParseAndAnalyze(phpCode, vulnStorage);
Assert.AreEqual(1, vulnStorage.DetectedVulns.Count);
Assert.True(vulnStorage.Vulnerabilities.First().Message.ToUpper().Contains("XSS"));
}
public void SanitizationPropagateTaintedArgsAndAnalyzeWithReturn_ShouldCreateTwoVulns()
{
string phpcode = @"<?php
$dbConnection = mysqli_connect(""localhost"",""root"",""1234"",""SomeDB"");
$test = $_REQUEST['test'];
$sql = ""SELECT * FROM someTable WHERE id="" . $test;
$sqlQuery = mysqli_query($dbConnection, $sql);
echo $test;
$test = mysqli_real_escape_string($dbConnection, $test);
$sql = ""SELECT * FROM someTable WHERE id="" . $test;
$sqlQuery = mysqli_query($dbConnection, $sql);
$test = htmlentities($test);
echo $test;
$sqlQuery = mysqli_query($db, ""SELECT * FROM someTable WHERE id="" . $test);
?>";
var vulnStorage = new ReportingVulnerabilityStorage(new Mock<IVulnerabilityReporter>().Object);
ParseAndAnalyze(phpcode, vulnStorage);
Assert.AreEqual(2, vulnStorage.DetectedVulns.Count);
Assert.NotNull(vulnStorage.Vulnerabilities.First(x => x.Message.ToUpper().Contains("SQL")));
Assert.NotNull(vulnStorage.Vulnerabilities.First(x => x.Message.ToUpper().Contains("XSS")));
}
public void ReportedVarName()
{
string phpCode = @"<?php
$x = $_GET['a'];
$y = 2;
echo $y . $x;";
var vulnStorage = new ReportingVulnerabilityStorage(new Mock<IVulnerabilityReporter>().Object);
ParseAndAnalyze(phpCode, vulnStorage);
// Kenneth this is not supposed to happen? :P The message says var y, but should be var x.
Assert.IsTrue(vulnStorage.Vulnerabilities.First().Message.Contains("variable: x "));
}
private static void Analyze(Arguments arguments, Config configuration)
{
Console.WriteLine("Parsing project at: " + arguments.Target);
Console.WriteLine();
foreach (var analysisStartingListener in _components.AnalysisStartingListeners)
{
// TODO - This should probably be a proper event - same goes for EndingEvent (this will also remove the loop(s)).
analysisStartingListener.AnalysisStarting(null, new AnalysisStartingEventArgs(configuration, arguments));
}
var stopwatch = Stopwatch.StartNew();
Console.WriteLine("Building ASTs..");
ParseResult parseResult = ParseTarget(arguments, configuration);
Console.WriteLine(" - AST build for {0} files ({1} failed)..", parseResult.ParsedFiles.Count, parseResult.FilesThatFailedToParse.Count);
Console.WriteLine("Traversing ASTs..");
var filesCollection = new List<File>();
var runningVulnReporter = new CompositeVulneribilityReporter(_components.VulnerabilityReporters);
var vulnerabilityStorage = new ReportingVulnerabilityStorage(runningVulnReporter);
var progrssIndicator = ProgressIndicatorFactory.CreateProgressIndicator(parseResult.ParsedFiles.Count());
foreach (var parsedFile in parseResult.ParsedFiles)
{
progrssIndicator.Step();
var file = BuildFileCFGAndExtractFileInformation(parsedFile);
filesCollection.Add(file);
}
var subroutineAnalyzerFactory = new FunctionAndMethodAnalyzerFactory { UseSummaries = arguments.UseFunctionSummaries };
Func<ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks,
ImmutableVariableStorage> fileTaintAnalyzer = null;
fileTaintAnalyzer = (varStorage, inclResolver, scope, stacks) =>
{
Preconditions.NotNull(varStorage, "varStorage");
Preconditions.NotNull(inclResolver, "inclResolver");
var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, inclResolver, scope, fileTaintAnalyzer, stacks, subroutineAnalyzerFactory);
blockAnalyzer.AnalysisExtensions.AddRange(_components.BlockAnalyzers);
var condAnalyser = new ConditionTaintAnalyser(scope, inclResolver, stacks.IncludeStack);
var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, varStorage);
var fileToAnalyze = stacks.IncludeStack.Peek();
var analyzer = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(fileToAnalyze.CFG));
//var analyzer = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
analyzer.Analyze(fileToAnalyze.CFG);
return cfgTaintAnalysis.Taints[fileToAnalyze.CFG.Vertices.Single(block => block.IsLeaf)].Out[EdgeType.Normal];
};
foreach (var file in filesCollection)
{
Console.WriteLine(Environment.NewLine + "=============================");
Console.WriteLine("Analyzing {0}..", file.FullPath);
var initialTaint = GetDefaultTaint();
var inclusionResolver = new IncludeResolver(filesCollection);
var stacks = new AnalysisStacks(file);
fileTaintAnalyzer(initialTaint, inclusionResolver, AnalysisScope.File, stacks);
}
Console.WriteLine("Scanned {0}/{1} subroutines. ", FunctionsHandler.Instance.ScannedFunctions.Count, FunctionsHandler.Instance.CustomFunctions.Count);
if (arguments.ScanAllSubroutines)
{
Console.WriteLine("Scanning remaining subroutines..");
ScanUnscannedSubroutines(filesCollection, fileTaintAnalyzer, subroutineAnalyzerFactory, vulnerabilityStorage);
}
vulnerabilityStorage.CheckForStoredVulnerabilities();
//parseResult.ParsedFiles.Values.First().Save(@"C:\Users\Kenneth\Documents\Uni\TestScript\current\parsedFile");
stopwatch.Stop();
foreach (var analysisEndedListener in _components.AnalysisEndedListeners)
{
analysisEndedListener.AnalysisEnding(null, new AnalysisEndedEventArgs(stopwatch.Elapsed));
}
Console.WriteLine("Time spent: " + stopwatch.Elapsed);
Console.WriteLine("Found {0} vulnerabilities.", runningVulnReporter.NumberOfReportedVulnerabilities);
}
private static void ScanUnscannedSubroutines(List<File> filesCollection, Func<ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> fileTaintAnalyzer, FunctionAndMethodAnalyzerFactory subroutineAnalyzerFactory, ReportingVulnerabilityStorage vulnerabilityStorage)
{
var defaultTaint = new DefaultTaintProvider().GetTaint();
foreach (var file in filesCollection)
{
var analysisStacks = new AnalysisStacks(file);
var analyser = new FunctionAndMethodAnalyzer(defaultTaint,
new IncludeResolver(filesCollection), analysisStacks,
new CustomFunctionHandler(fileTaintAnalyzer, subroutineAnalyzerFactory), vulnerabilityStorage);
foreach (var function in file.Functions.SelectMany(f => f.Value).Except(FunctionsHandler.Instance.ScannedFunctions))
{
var functionCall = new FunctionCall(function.Name, function.AstNode, 0, 0);
analysisStacks.CallStack.Push(functionCall);
analyser.AnalyzeFunctionCall(functionCall, new List<ExpressionInfo>());
}
foreach (var @class in file.Classes.SelectMany(c => c.Value))
{
foreach (var method in @class.Methods.Except(FunctionsHandler.Instance.ScannedFunctions))
{
var methodCall = new MethodCall(method.Name, new [] { @class.Name }, method.AstNode, 0, 0);
analysisStacks.CallStack.Push(methodCall);
analyser.AnalyzeMethodCall(methodCall, new List<ExpressionInfo>());
}
}
}
}