Exemplo n.º 1
0
        internal static void Run(SyntaxNodeAnalysisContext context, ExpressionSyntax token)
        {   //Check String
            string id = token.ToFullString();

            if (string.IsNullOrWhiteSpace(id))
            {
                return;
            }
            //Check BlockSyntax
            BlockSyntax method = context.Node.FirstAncestorOrSelf <BlockSyntax>();

            if (method == null)
            {
                return;
            }
            try
            {   //Check InvocationExpression case
                if (token.IsKind(SyntaxKind.InvocationExpression))
                {
                    var    nodes = method.DescendantNodes();
                    string s     = string.Empty;

                    foreach (SyntaxNode n in nodes)
                    {   //Check ExpressionStatement case and have Contains("Appand("). , Build String
                        if (n.IsKind(SyntaxKind.ExpressionStatement) && id.Contains(n.GetFirstToken().Text) && n.ToFullString().Contains("Append("))
                        {
                            string rm = n.GetFirstToken().Text + ".Append(";
                            s += n.GetText().ToString().Replace(rm, "").Replace(@""")", "").Replace("\r\n", "").Replace(";", "") + " ";
                            s  = s.Replace("                 \"", string.Empty);
                        }
                    }
                    //Send to class Helper and Report error
                    s = Helper.BuildSqlStringFromIdString(context, s);
                    List <string> errorlist     = SqlParser.Parse(s);
                    string        errorlistText = String.Join("\r\n", errorlist);
                    var           diagnostic2   = Diagnostic.Create(Rule, context.Node.GetLocation(), errorlistText);

                    context.ReportDiagnostic(diagnostic2);
                    return;
                }
                //DescendantTokens where SyntaxToken
                t = method.DescendantTokens().Where <SyntaxToken>(tk => tk.ValueText != null && tk.IsKind(SyntaxKind.IdentifierToken) && tk.ValueText == id).First <SyntaxToken>();

                if (string.IsNullOrWhiteSpace(t.ValueText))
                {
                    return;
                }

                sql = t.GetNextToken().GetNextToken().Value.ToString();

                if (sql != null)
                {
                    AzureML(sql);
                    SendData(getJson);
                    while (getResult == "")
                    {
                    }
                    Deserialize(getResult);
                    getResult = "";
                }

                if (string.IsNullOrWhiteSpace(sql))
                {
                    return;
                }

                List <string> errors = SqlParser.Parse(sql);
                if (errors.Count == 0)
                {   //Check BinaryExpression case
                    var binaryExpressions = method.DescendantNodesAndSelf().OfType <BinaryExpressionSyntax>().First <BinaryExpressionSyntax>();
                    if (binaryExpressions != null)
                    {   //Send to class BinaryExpressionDiagnostic
                        BinaryExpressionDiagnostic.Run(context, binaryExpressions);
                        return;
                    }
                    return;
                }
                //Report error
                string errorText  = String.Join("\r\n", errors);
                var    diagnostic = Diagnostic.Create(Rule, t.GetNextToken().GetNextToken().GetLocation(), errorText);

                context.ReportDiagnostic(diagnostic);
            }
            catch (Exception ex)
            {
                System.Diagnostics.Debug.WriteLine("don't handle syntax yet: " + ex.Message);
            }
            //Report warning union query injection
            if (reportWarningUnionquery != "0")
            {
                Diagnostics.UnionQueryExpression.Run(context, t);
            }
            //Report warning illegal query injection
            if (reportWarningIllegalquery != "0")
            {
                Diagnostics.IllegalExpression.Run(context, t);
            }
            //Report warning piggybacked query injection
            if (reportWarningPiggybackedquery != "0")
            {
                Diagnostics.PiggyBackedExpression.Run(context, t);
            }
        }
        internal static void Run(SyntaxNodeAnalysisContext context, ExpressionSyntax token)
        {
            string id = token.ToFullString();

            if (string.IsNullOrWhiteSpace(id))
            {
                return;
            }

            BlockSyntax method = context.Node.FirstAncestorOrSelf <BlockSyntax>();

            if (method == null)
            {
                return;
            }

            try
            {
                if (token.IsKind(SyntaxKind.InvocationExpression))
                {
                    var    nodes = method.DescendantNodes();
                    string s     = string.Empty;

                    foreach (SyntaxNode n in nodes)
                    {
                        if (n.IsKind(SyntaxKind.ExpressionStatement) && id.Contains(n.GetFirstToken().Text) && n.ToFullString().Contains("Append("))
                        {
                            string rm = n.GetFirstToken().Text + ".Append(";
                            s += n.GetText().ToString().Replace(rm, "").Replace(@""")", "").Replace("\r\n", "").Replace(";", "") + " ";
                            s  = s.Replace("            \"", string.Empty);
                        }
                    }
                    s = Helper.BuildSqlStringFromIdString(context, s);
                    List <string> errorlist     = SqlParser.Parse(s);
                    string        errorlistText = String.Join("\r\n", errorlist);
                    var           diagnostic2   = Diagnostic.Create(RuleParam, context.Node.GetLocation(), errorlistText);

                    context.ReportDiagnostic(diagnostic2);
                    return;
                }
                var t = method.DescendantTokens().Where <SyntaxToken>(tk => tk.ValueText != null && tk.IsKind(SyntaxKind.IdentifierToken) && tk.ValueText == id).First <SyntaxToken>();

                if (string.IsNullOrWhiteSpace(t.ValueText))
                {
                    return;
                }

                string sql = t.GetNextToken().GetNextToken().Value.ToString();
                if (string.IsNullOrWhiteSpace(sql))
                {
                    return;
                }

                List <string> errors = SqlParser.Parse(sql);

                if (errors.Count == 0)
                {
                    var binaryExpressions = method.DescendantNodesAndSelf().OfType <BinaryExpressionSyntax>().First <BinaryExpressionSyntax>();

                    if (binaryExpressions != null)
                    {
                        BinaryExpressionDiagnostic.Run(context, binaryExpressions);
                        return;
                    }
                    return;
                }
                string errorText  = String.Join("\r\n", errors);
                var    diagnostic = Diagnostic.Create(RuleParam, t.GetNextToken().GetNextToken().GetLocation(), errorText);

                context.ReportDiagnostic(diagnostic);
            }
            catch (Exception ex)
            {
                System.Diagnostics.Debug.WriteLine("don't handle syntax yet: " + ex.Message);
            }
        }