Exemplo n.º 1
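        /// <summary>
        /// Records possible stored SQLi and XSS vulnerabilities for a call that writes a value into
        /// option storage (every record is created with StorageOrigin "Options").
        /// </summary>
        /// <remarks>
        /// Nothing is recorded unless the call has arguments 1 and 2, taint information exists for both,
        /// and <c>TryGetOptionKeyValue</c> can resolve the option key from argument 1.
        /// The recorded taint is that of argument 2, looked up by key. The previous
        /// <c>argumentInfos.ElementAt(1)</c> picked the second entry in enumeration order, which an
        /// <see cref="IDictionary{TKey,TValue}"/> does not guarantee to be key 2; on a different ordering
        /// the analysis would have stored the taint of the wrong argument.
        /// </remarks>
        /// <param name="call">The analysed function call; arguments are read by 1-based position.</param>
        /// <param name="exprInfo">Expression info of the call; returned unchanged.</param>
        /// <param name="storage">Sink that receives each possible stored vulnerability.</param>
        /// <param name="argumentInfos">Analysis results per argument, keyed like <c>call.Arguments</c> (argumentInfos[1] is paired with argument 1).</param>
        /// <param name="analysisStacks">Current include and call stacks, snapshotted into each record.</param>
        /// <returns><paramref name="exprInfo"/>, unmodified.</returns>
        private ExpressionInfo HandleUpdateAddOptions(FunctionCall call, ExpressionInfo exprInfo, IVulnerabilityStorage storage, 
                                                      IDictionary<uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
        {
            XmlNode firstArgument;
            XmlNode secondArgument;
            ExpressionInfo keyInfo;
            ExpressionInfo valueInfo;

            string optionKeyValue;

            // Guard clause: a missing argument or missing analysis info means there is nothing to record.
            // TryGetValue replaces the throwing indexer / ElementAt so an incomplete call is skipped, not fatal.
            if (!(call.Arguments.TryGetValue(1, out firstArgument) &&
                  call.Arguments.TryGetValue(2, out secondArgument) &&
                  argumentInfos.TryGetValue(1, out keyInfo) &&
                  argumentInfos.TryGetValue(2, out valueInfo) &&
                  TryGetOptionKeyValue(firstArgument, keyInfo, out optionKeyValue)))
            {
                return exprInfo;
            }

            // NOTE(review): argument 2 is assumed to be the value being stored - confirm against the callers.
            foreach (var sqliTaintSet in valueInfo.ExpressionTaint.SqliTaint)
            {
                // Untainted sets cannot lead to a stored injection.
                if (sqliTaintSet.TaintTag == SQLITaint.None)
                {
                    continue;
                }
                string varName = (sqliTaintSet.InitialTaintedVariable ?? "???");
                string message = "Stored SQLI found - Ingoing: " + varName +
                                " on line: " + call.StartLine + " in file: " + analysisStacks.IncludeStack.Peek();

                storage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
                {
                    // Immutable snapshots, so later stack changes do not alter the stored record.
                    IncludeStack = analysisStacks.IncludeStack.ToImmutableStack(),
                    CallStack = analysisStacks.CallStack.ToImmutableStack(),
                    Message = message,
                    VulnerabilityType = VulnType.SQL,
                    PossibleStoredVuln = new StoredVulnInfo()
                    {
                        // Presumably marks the data as flowing INTO storage (cf. "Ingoing" in the message).
                        ICantFeelIt = IsItInYet.YesItsGoingIn,
                        StorageName = optionKeyValue,
                        StorageOrigin = "Options",
                        // Only the SQLi taint is carried; the XSS side is a fresh, empty set.
                        Taint = new TaintSets(sqliTaintSet, new XSSTaintSet())
                    }
                });
            }

            foreach (var xssTaintSet in valueInfo.ExpressionTaint.XssTaint)
            {
                if (xssTaintSet.TaintTag == XSSTaint.None)
                {
                    continue;
                }
                string varName = (xssTaintSet.InitialTaintedVariable ?? "???");
                string message = "Stored XSS found - Ingoing: " + varName +
                                " on line: " + call.StartLine + " in file: " + analysisStacks.IncludeStack.Peek();

                storage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
                {
                    IncludeStack = analysisStacks.IncludeStack.ToImmutableStack(),
                    CallStack = analysisStacks.CallStack.ToImmutableStack(),
                    Message = message,
                    VulnerabilityType = VulnType.XSS,
                    PossibleStoredVuln = new StoredVulnInfo()
                    {
                        ICantFeelIt = IsItInYet.YesItsGoingIn,
                        StorageName = optionKeyValue,
                        StorageOrigin = "Options",
                        // Only the XSS taint is carried; the SQLi side is a fresh, empty set.
                        Taint = new TaintSets(new SQLITaintSet(), xssTaintSet)
                    }
                });
            }

            return exprInfo;
        }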
Exemplo n.º 2
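        /// <summary>
        /// Records possible stored SQLi and XSS vulnerabilities for a call that writes a value into
        /// option storage (every record is created with StorageOrigin "Options").
        /// </summary>
        /// <remarks>
        /// Nothing is recorded unless the call has arguments 1 and 2, taint information exists for both,
        /// and <c>TryGetOptionKeyValue</c> can resolve the option key from argument 1.
        /// The taint of argument 2 is fetched by key instead of via <c>argumentInfos.ElementAt(1)</c>:
        /// positional access depends on the dictionary's enumeration order, which
        /// <see cref="IDictionary{TKey,TValue}"/> does not guarantee, so the taint of the wrong
        /// argument could have been stored.
        /// </remarks>
        /// <param name="call">The analysed function call; arguments are read by 1-based position.</param>
        /// <param name="exprInfo">Expression info of the call; returned unchanged.</param>
        /// <param name="storage">Sink that receives each possible stored vulnerability.</param>
        /// <param name="argumentInfos">Analysis results per argument, keyed like <c>call.Arguments</c> (argumentInfos[1] is paired with argument 1).</param>
        /// <param name="analysisStacks">Current include and call stacks, snapshotted into each record.</param>
        /// <returns><paramref name="exprInfo"/>, unmodified.</returns>
        private ExpressionInfo HandleUpdateAddOptions(FunctionCall call, ExpressionInfo exprInfo, IVulnerabilityStorage storage,
                                                      IDictionary <uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
        {
            XmlNode firstArgument;
            XmlNode secondArgument;
            ExpressionInfo keyInfo;
            ExpressionInfo valueInfo;

            string optionKeyValue;

            // Bail out early when an argument, its analysis info, or the option key is unavailable.
            // TryGetValue is used throughout so an incomplete call is skipped instead of throwing.
            if (!(call.Arguments.TryGetValue(1, out firstArgument) &&
                  call.Arguments.TryGetValue(2, out secondArgument) &&
                  argumentInfos.TryGetValue(1, out keyInfo) &&
                  argumentInfos.TryGetValue(2, out valueInfo) &&
                  TryGetOptionKeyValue(firstArgument, keyInfo, out optionKeyValue)))
            {
                return exprInfo;
            }

            // NOTE(review): argument 2 is assumed to be the value being stored - confirm against the callers.
            foreach (var sqliTaintSet in valueInfo.ExpressionTaint.SqliTaint)
            {
                // Untainted sets cannot lead to a stored injection.
                if (sqliTaintSet.TaintTag == SQLITaint.None)
                {
                    continue;
                }
                string varName = (sqliTaintSet.InitialTaintedVariable ?? "???");
                string message = "Stored SQLI found - Ingoing: " + varName +
                                 " on line: " + call.StartLine + " in file: " + analysisStacks.IncludeStack.Peek();

                storage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
                {
                    // Immutable snapshots, so later stack changes do not alter the stored record.
                    IncludeStack       = analysisStacks.IncludeStack.ToImmutableStack(),
                    CallStack          = analysisStacks.CallStack.ToImmutableStack(),
                    Message            = message,
                    VulnerabilityType  = VulnType.SQL,
                    PossibleStoredVuln = new StoredVulnInfo()
                    {
                        // Presumably marks the data as flowing INTO storage (cf. "Ingoing" in the message).
                        ICantFeelIt   = IsItInYet.YesItsGoingIn,
                        StorageName   = optionKeyValue,
                        StorageOrigin = "Options",
                        // Only the SQLi taint is carried; the XSS side is a fresh, empty set.
                        Taint         = new TaintSets(sqliTaintSet, new XSSTaintSet())
                    }
                });
            }

            foreach (var xssTaintSet in valueInfo.ExpressionTaint.XssTaint)
            {
                if (xssTaintSet.TaintTag == XSSTaint.None)
                {
                    continue;
                }
                string varName = (xssTaintSet.InitialTaintedVariable ?? "???");
                string message = "Stored XSS found - Ingoing: " + varName +
                                 " on line: " + call.StartLine + " in file: " + analysisStacks.IncludeStack.Peek();

                storage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
                {
                    IncludeStack       = analysisStacks.IncludeStack.ToImmutableStack(),
                    CallStack          = analysisStacks.CallStack.ToImmutableStack(),
                    Message            = message,
                    VulnerabilityType  = VulnType.XSS,
                    PossibleStoredVuln = new StoredVulnInfo()
                    {
                        ICantFeelIt   = IsItInYet.YesItsGoingIn,
                        StorageName   = optionKeyValue,
                        StorageOrigin = "Options",
                        // Only the XSS taint is carried; the SQLi side is a fresh, empty set.
                        Taint         = new TaintSets(new SQLITaintSet(), xssTaintSet)
                    }
                });
            }

            return exprInfo;
        }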