private void SetTaintedForEntity(IOperation operation, TaintedDataAbstractValue value)
 {
     if (AnalysisEntityFactory.TryCreate(operation, out AnalysisEntity analysisEntity))
     {
         this.CurrentAnalysisData.SetAbstractValue(analysisEntity, value);
     }
 }
Exemplo n.º 2
0
 protected override CopyAbstractValue ComputeAnalysisValueForReferenceOperation(IOperation operation, CopyAbstractValue defaultValue)
 {
     if (AnalysisEntityFactory.TryCreate(operation, out AnalysisEntity analysisEntity))
     {
         return(CurrentAnalysisData.TryGetValue(analysisEntity, out CopyAbstractValue value) ? value : GetDefaultCopyValue(analysisEntity));
     }
     else
     {
         return(defaultValue);
     }
 }
Exemplo n.º 3
0
            protected override CopyAbstractValue GetCopyAbstractValue(IOperation operation)
            {
                if (DataFlowAnalysisContext.CopyAnalysisResult == null &&
                    AnalysisEntityFactory.TryCreate(operation, out var entity) &&
                    entity.CaptureId.HasValue &&
                    AnalysisEntityFactory.TryGetCopyValueForFlowCapture(entity.CaptureId.Value.Id, out var copyValue) &&
                    copyValue.Kind == CopyAbstractValueKind.KnownValueCopy)
                {
                    return(copyValue);
                }

                return(base.GetCopyAbstractValue(operation));
            }
Exemplo n.º 4
0
 protected override PointsToAbstractValue ComputeAnalysisValueForReferenceOperation(IOperation operation, PointsToAbstractValue defaultValue)
 {
     if (ShouldBeTracked(operation.Type) &&
         AnalysisEntityFactory.TryCreate(operation, out AnalysisEntity analysisEntity))
     {
         return(GetAbstractValue(analysisEntity));
     }
     else
     {
         Debug.Assert(operation.Type == null || !operation.Type.IsNonNullableValueType() || defaultValue == PointsToAbstractValue.NoLocation);
         return(defaultValue);
     }
 }
            protected override PredicateValueKind SetValueForEqualsOrNotEqualsComparisonOperator(IBinaryOperation operation, CopyAnalysisData negatedCurrentAnalysisData, bool equals)
            {
                Debug.Assert(operation.IsComparisonOperator());

                if (GetCopyAbstractValue(operation.LeftOperand).Kind != CopyAbstractValueKind.Unknown &&
                    GetCopyAbstractValue(operation.RightOperand).Kind != CopyAbstractValueKind.Unknown &&
                    AnalysisEntityFactory.TryCreate(operation.LeftOperand, out AnalysisEntity leftEntity) &&
                    AnalysisEntityFactory.TryCreate(operation.RightOperand, out AnalysisEntity rightEntity))
                {
                    var predicateKind = PredicateValueKind.Unknown;
                    if (!CurrentAnalysisData.TryGetValue(rightEntity, out CopyAbstractValue rightValue))
                    {
                        rightValue = new CopyAbstractValue(rightEntity);
                    }
                    else if (rightValue.AnalysisEntities.Contains(leftEntity))
                    {
                        // We have "a == b && a == b" or "a == b && a != b"
                        // For both cases, condition on right is always true or always false and redundant.
                        predicateKind = equals ? PredicateValueKind.AlwaysTrue : PredicateValueKind.AlwaysFalse;
                    }
                    else if (negatedCurrentAnalysisData.TryGetValue(rightEntity, out var negatedRightValue) &&
                             negatedRightValue.AnalysisEntities.Contains(leftEntity))
                    {
                        // We have "a == b || a == b" or "a == b || a != b"
                        // For both cases, condition on right is always true or always false and redundant.
                        predicateKind = equals ? PredicateValueKind.AlwaysFalse : PredicateValueKind.AlwaysTrue;
                    }

                    if (predicateKind != PredicateValueKind.Unknown)
                    {
                        if (!equals)
                        {
                            // "a == b && a != b" or "a == b || a != b"
                            // CurrentAnalysisData and negatedCurrentAnalysisData are both unknown values.
                            foreach (var entity in rightValue.AnalysisEntities)
                            {
                                SetAbstractValue(CurrentAnalysisData, entity, CopyAbstractValue.Invalid, fromPredicate: true);
                                SetAbstractValue(negatedCurrentAnalysisData, entity, CopyAbstractValue.Invalid, fromPredicate: true);
                            }
                        }

                        return(predicateKind);
                    }

                    var analysisData = equals ? CurrentAnalysisData : negatedCurrentAnalysisData;
                    SetAbstractValue(analysisData, leftEntity, rightValue, fromPredicate: true);
                }

                return(PredicateValueKind.Unknown);
            }
            protected override TaintedDataAbstractValue ComputeAnalysisValueForReferenceOperation(IOperation operation, TaintedDataAbstractValue defaultValue)
            {
                // If the property reference itself is a tainted data source
                if (operation is IPropertyReferenceOperation propertyReferenceOperation &&
                    this.DataFlowAnalysisContext.SourceInfos.IsSourceProperty(propertyReferenceOperation.Property))
                {
                    return(TaintedDataAbstractValue.CreateTainted(propertyReferenceOperation.Member, propertyReferenceOperation.Syntax, this.OwningSymbol));
                }

                if (AnalysisEntityFactory.TryCreate(operation, out AnalysisEntity analysisEntity))
                {
                    return(this.CurrentAnalysisData.TryGetValue(analysisEntity, out TaintedDataAbstractValue value) ? value : defaultValue);
                }

                return(defaultValue);
            }
            private void SetValueForComparisonOperator(IOperation target, IOperation assignedValue, bool equals, ref PredicateValueKind predicateValueKind, ValueContentAnalysisData targetAnalysisData)
            {
                ValueContentAbstractValue currentAssignedValue = GetCachedAbstractValue(assignedValue);

                if (currentAssignedValue.IsLiteralState &&
                    AnalysisEntityFactory.TryCreate(target, out AnalysisEntity targetEntity))
                {
                    if (CurrentAnalysisData.TryGetValue(targetEntity, out ValueContentAbstractValue existingTargetValue) &&
                        existingTargetValue.IsLiteralState)
                    {
                        var newValue = currentAssignedValue.IntersectLiteralValues(existingTargetValue);
                        if (newValue.NonLiteralState == ValueContainsNonLiteralState.Invalid)
                        {
                            predicateValueKind = equals ? PredicateValueKind.AlwaysFalse : PredicateValueKind.AlwaysTrue;
                        }
                        else if (predicateValueKind != PredicateValueKind.AlwaysFalse &&
                                 newValue.IsLiteralState &&
                                 newValue.LiteralValues.Count == 1 &&
                                 currentAssignedValue.LiteralValues.Count == 1 &&
                                 existingTargetValue.LiteralValues.Count == 1)
                        {
                            predicateValueKind = equals ? PredicateValueKind.AlwaysTrue : PredicateValueKind.AlwaysFalse;
                        }

                        currentAssignedValue = newValue;
                    }

                    if (equals)
                    {
                        CopyAbstractValue copyValue = GetCopyAbstractValue(target);
                        if (copyValue.Kind.IsKnown())
                        {
                            // https://github.com/dotnet/roslyn-analyzers/issues/2106 tracks enabling the below assert.
                            //Debug.Assert(copyValue.AnalysisEntities.Contains(targetEntity));
                            foreach (var analysisEntity in copyValue.AnalysisEntities)
                            {
                                SetAbstractValue(targetAnalysisData, analysisEntity, currentAssignedValue);
                            }
                        }
                        else
                        {
                            SetAbstractValue(targetAnalysisData, targetEntity, currentAssignedValue);
                        }
                    }
                }
            }
Exemplo n.º 8
0
            private bool SetValueForComparisonOperator(IOperation target, IOperation assignedValue, PointsToAnalysisData negatedCurrentAnalysisData, bool equals, ref PredicateValueKind predicateValueKind)
            {
                NullAbstractValue value = GetNullAbstractValue(assignedValue);

                if (IsValidValueForPredicateAnalysis(value) &&
                    AnalysisEntityFactory.TryCreate(target, out AnalysisEntity targetEntity))
                {
                    bool inferInCurrentAnalysisData        = true;
                    bool inferInNegatedCurrentAnalysisData = true;
                    if (value == NullAbstractValue.NotNull)
                    {
                        // Comparison with a non-null value guarantees that we can infer result in only one of the branches.
                        // For example, predicate "a == c", where we know 'c' is non-null, guarantees 'a' is non-null in CurrentAnalysisData,
                        // but we cannot infer anything about nullness of 'a' in NegatedCurrentAnalysisData.
                        if (equals)
                        {
                            inferInNegatedCurrentAnalysisData = false;
                        }
                        else
                        {
                            inferInCurrentAnalysisData = false;
                        }
                    }

                    CopyAbstractValue copyValue = GetCopyAbstractValue(target);
                    if (copyValue.Kind == CopyAbstractValueKind.Known)
                    {
                        Debug.Assert(copyValue.AnalysisEntities.Contains(targetEntity));
                        foreach (var analysisEntity in copyValue.AnalysisEntities)
                        {
                            SetValueFromPredicate(analysisEntity, value, negatedCurrentAnalysisData, equals,
                                                  inferInCurrentAnalysisData, inferInNegatedCurrentAnalysisData, target, ref predicateValueKind);
                        }
                    }
                    else
                    {
                        SetValueFromPredicate(targetEntity, value, negatedCurrentAnalysisData, equals,
                                              inferInCurrentAnalysisData, inferInNegatedCurrentAnalysisData, target, ref predicateValueKind);
                    }

                    return(true);
                }

                return(false);
            }
            public override TaintedDataAbstractValue VisitInvocation_NonLambdaOrDelegateOrLocalFunction(
                IMethodSymbol method,
                IOperation visitedInstance,
                ImmutableArray <IArgumentOperation> visitedArguments,
                bool invokedAsDelegate,
                IOperation originalOperation,
                TaintedDataAbstractValue defaultValue)
            {
                // Always invoke base visit.
                TaintedDataAbstractValue baseVisit = base.VisitInvocation_NonLambdaOrDelegateOrLocalFunction(
                    method,
                    visitedInstance,
                    visitedArguments,
                    invokedAsDelegate,
                    originalOperation,
                    defaultValue);

                IEnumerable <IArgumentOperation> taintedArguments = GetTaintedArguments(visitedArguments);

                if (taintedArguments.Any())
                {
                    ProcessTaintedDataEnteringInvocationOrCreation(method, taintedArguments, originalOperation);
                }

                if (this.IsSanitizingMethod(method))
                {
                    return(TaintedDataAbstractValue.NotTainted);
                }
                else if (this.DataFlowAnalysisContext.SourceInfos.IsSourceMethod(method))
                {
                    return(TaintedDataAbstractValue.CreateTainted(method, originalOperation.Syntax, this.OwningSymbol));
                }
                else if (visitedInstance != null && this.IsSanitizingInstanceMethod(method))
                {
                    if (AnalysisEntityFactory.TryCreate(visitedInstance, out AnalysisEntity analysisEntity))
                    {
                        this.CurrentAnalysisData.SetAbstractValue(analysisEntity, TaintedDataAbstractValue.NotTainted);
                    }

                    return(TaintedDataAbstractValue.NotTainted);
                }

                return(baseVisit);
            }
Exemplo n.º 10
0
            private void SetValueForComparisonOperator(IOperation target, IOperation assignedValue, StringContentAnalysisData negatedCurrentAnalysisData, bool equals, ref PredicateValueKind predicateValueKind)
            {
                var analysisData = equals ? CurrentAnalysisData : negatedCurrentAnalysisData;
                StringContentAbstractValue stringContentValue = GetCachedAbstractValue(assignedValue);

                if (stringContentValue.IsLiteralState &&
                    AnalysisEntityFactory.TryCreate(target, out AnalysisEntity targetEntity))
                {
                    if (analysisData.TryGetValue(targetEntity, out StringContentAbstractValue existingValue) &&
                        existingValue.IsLiteralState)
                    {
                        var newStringContentValue = stringContentValue.IntersectLiteralValues(existingValue);
                        if (newStringContentValue.NonLiteralState == StringContainsNonLiteralState.Invalid)
                        {
                            predicateValueKind = equals ? PredicateValueKind.AlwaysFalse : PredicateValueKind.AlwaysTrue;
                        }
                        else if (predicateValueKind != PredicateValueKind.AlwaysFalse &&
                                 newStringContentValue.IsLiteralState &&
                                 newStringContentValue.LiteralValues.Count == 1 &&
                                 stringContentValue.LiteralValues.Count == 1 &&
                                 existingValue.LiteralValues.Count == 1)
                        {
                            predicateValueKind = equals ? PredicateValueKind.AlwaysTrue : PredicateValueKind.AlwaysFalse;
                        }

                        stringContentValue = newStringContentValue;
                    }

                    CopyAbstractValue copyValue = GetCopyAbstractValue(target);
                    if (copyValue.Kind == CopyAbstractValueKind.Known)
                    {
                        Debug.Assert(copyValue.AnalysisEntities.Contains(targetEntity));
                        foreach (var analysisEntity in copyValue.AnalysisEntities)
                        {
                            SetAbstractValue(analysisData, analysisEntity, stringContentValue);
                        }
                    }
                    else
                    {
                        SetAbstractValue(analysisData, targetEntity, stringContentValue);
                    }
                }
            }
Exemplo n.º 11
0
            protected override PointsToAbstractValue ComputeAnalysisValueForReferenceOperation(IOperation operation, PointsToAbstractValue defaultValue)
            {
                if (!operation.Type.HasValueCopySemantics() &&
                    AnalysisEntityFactory.TryCreate(operation, out AnalysisEntity analysisEntity))
                {
                    if (!HasAbstractValue(analysisEntity))
                    {
                        var value = new PointsToAbstractValue(AbstractLocation.CreateAllocationLocation(operation, operation.Type));
                        SetAbstractValue(analysisEntity, value);
                        return(value);
                    }

                    return(GetAbstractValue(analysisEntity));
                }
                else
                {
                    Debug.Assert(!operation.Type.HasValueCopySemantics() || defaultValue == PointsToAbstractValue.NoLocation);
                    return(defaultValue);
                }
            }
Exemplo n.º 12
0
            public override PointsToAbstractValue VisitParameterReference(IParameterReferenceOperation operation, object argument)
            {
                // Create a dummy PointsTo value for each reference type parameter.
                if (!operation.Type.HasValueCopySemantics())
                {
                    var result = AnalysisEntityFactory.TryCreateForSymbolDeclaration(operation.Parameter, out AnalysisEntity analysisEntity);
                    Debug.Assert(result);
                    if (!HasAbstractValue(analysisEntity))
                    {
                        var value = new PointsToAbstractValue(AbstractLocation.CreateAllocationLocation(operation, operation.Parameter.Type));
                        SetAbstractValue(analysisEntity, value);
                        return(value);
                    }

                    return(GetAbstractValue(analysisEntity));
                }
                else
                {
                    return(PointsToAbstractValue.NoLocation);
                }
            }
Exemplo n.º 13
0
        public AnalysisResult Analyze(AnalysisConfig config)
        {
            IAnalysisEntityFactory factory = new AnalysisEntityFactory();
            AnalysisResult         result  = factory.CreateAnalysisResult(config);

            var tree = CSharpSyntaxTree.ParseText(GetFileContents(config.SourceFileFullPath));

            DexterDependUtil.ToolName = checkerConfig.ToolName;
            SyntaxNode syntaxRoot = tree.GetRoot();

            foreach (Checker checker in CheckerConfig.CheckerList)
            {
                if (!checker.IsActive)
                {
                    continue;
                }
                IDependLogic logic = GetCheckerLogic(checker.Code);
                logic.Analyze(config, result, checker, syntaxRoot);
            }
            return(result);
        }
            public override TaintedDataAbstractValue VisitInvocation_NonLambdaOrDelegateOrLocalFunction(
                IMethodSymbol method,
                IOperation visitedInstance,
                ImmutableArray <IArgumentOperation> visitedArguments,
                bool invokedAsDelegate,
                IOperation originalOperation,
                TaintedDataAbstractValue defaultValue)
            {
                // Always invoke base visit.
                TaintedDataAbstractValue baseVisit = base.VisitInvocation_NonLambdaOrDelegateOrLocalFunction(
                    method,
                    visitedInstance,
                    visitedArguments,
                    invokedAsDelegate,
                    originalOperation,
                    defaultValue);

                IEnumerable <IArgumentOperation> taintedArguments = GetTaintedArguments(visitedArguments);

                if (taintedArguments.Any())
                {
                    ProcessTaintedDataEnteringInvocationOrCreation(method, taintedArguments, originalOperation);
                }

                PooledHashSet <IsInvocationTaintedWithPointsToAnalysis>     evaluateWithPointsToAnalysis     = null;
                PooledHashSet <IsInvocationTaintedWithValueContentAnalysis> evaluateWithValueContentAnalysis = null;

                try
                {
                    if (this.IsSanitizingMethod(method))
                    {
                        return(TaintedDataAbstractValue.NotTainted);
                    }
                    else if (visitedInstance != null && this.IsSanitizingInstanceMethod(method))
                    {
                        if (AnalysisEntityFactory.TryCreate(visitedInstance, out AnalysisEntity analysisEntity))
                        {
                            this.CurrentAnalysisData.SetAbstractValue(analysisEntity, TaintedDataAbstractValue.NotTainted);
                        }

                        return(TaintedDataAbstractValue.NotTainted);
                    }
                    else if (this.DataFlowAnalysisContext.SourceInfos.IsSourceMethod(
                                 method,
                                 out evaluateWithPointsToAnalysis,
                                 out evaluateWithValueContentAnalysis))
                    {
                        ImmutableArray <IArgumentOperation>     argumentOperation          = (originalOperation as IInvocationOperation).Arguments;
                        IEnumerable <PointsToAbstractValue>     pointsToAnalysisResult     = argumentOperation.Select(o => GetPointsToAbstractValue(o.Value));
                        IEnumerable <ValueContentAbstractValue> valueContentAnalysisResult = argumentOperation.Select(o => GetValueContentAbstractValue(o.Value));
                        if ((evaluateWithPointsToAnalysis != null && evaluateWithPointsToAnalysis.Any(o => o(pointsToAnalysisResult))) ||
                            (evaluateWithValueContentAnalysis != null && evaluateWithValueContentAnalysis.Any(o => o(pointsToAnalysisResult, valueContentAnalysisResult))))
                        {
                            return(TaintedDataAbstractValue.CreateTainted(method, originalOperation.Syntax, this.OwningSymbol));
                        }

                        return(TaintedDataAbstractValue.NotTainted);
                    }
                }
                finally
                {
                    if (evaluateWithPointsToAnalysis != null)
                    {
                        evaluateWithPointsToAnalysis.Free();
                    }

                    if (evaluateWithValueContentAnalysis != null)
                    {
                        evaluateWithValueContentAnalysis.Free();
                    }
                }

                return(baseVisit);
            }