public void VisitAssignmentExpression(SyntaxNodeAnalysisContext ctx, SyntaxNodeHelper nodeHelper)
{
SyntaxNode right = nodeHelper.GetAssignmentRightNode(ctx.Node);
SyntaxNode left = nodeHelper.GetAssignmentLeftNode(ctx.Node);
var symbol = ctx.SemanticModel.GetSymbolInfo(left).Symbol;
var content = right.GetText().ToString();
// Only if it is the RequiredLength property of a PasswordValidator
if (!AnalyzerUtil.SymbolMatch(symbol, type: "PasswordValidator", name: "RequiredLength") ||
content == string.Empty)
{
return;
}
// Validates that the value is an int and that it is over the minimum value required
if (!int.TryParse(right.GetText().ToString(), out var numericValue) ||
numericValue >= Constants.PasswordValidatorRequiredLength)
{
return;
}
var diagnostic = Diagnostic.Create(RulePasswordLength, ctx.Node.GetLocation());
ctx.ReportDiagnostic(diagnostic);
}
protected void VisitSyntaxNode(SyntaxNodeAnalysisContext ctx, SyntaxNodeHelper nodeHelper)
{
var leftNode = nodeHelper.GetAssignmentLeftNode(ctx.Node);
var symbol = ctx.SemanticModel.GetSymbolInfo(leftNode).Symbol;
if (symbol == null)
{
return;
}
var configuration = ConfigurationManager
.Instance.GetProjectConfiguration(ctx.Options.AdditionalFiles);
if (configuration.AuditMode &&
symbol.IsType("System.Net.ServicePointManager.CertificatePolicy"))
{
ctx.ReportDiagnostic(Diagnostic.Create(Rule, ctx.Node.GetLocation()));
return;
}
if (!IsMatch(symbol))
{
return;
}
var rightNode = GetBody(nodeHelper.GetAssignmentRightNode(ctx.Node), ctx);
if (rightNode == null)
{
return;
}
var rightValue = ctx.SemanticModel.GetConstantValue(rightNode);
if (!rightValue.HasValue && configuration.AuditMode)
{
ctx.ReportDiagnostic(Diagnostic.Create(Rule, ctx.Node.GetLocation()));
return;
}
if (rightValue.Value is bool value && value)
{
ctx.ReportDiagnostic(Diagnostic.Create(Rule, ctx.Node.GetLocation()));
return;
}
if (configuration.AuditMode)
{
ctx.ReportDiagnostic(Diagnostic.Create(Rule, ctx.Node.GetLocation()));
}
}
protected void VisitAssignment(SyntaxNodeAnalysisContext ctx, SyntaxNodeHelper nodeHelper)
{
var leftNode = nodeHelper.GetAssignmentLeftNode(ctx.Node);
if (!leftNode.ToString().EndsWith("TypeNameHandling"))
{
return;
}
var symbols = ctx.SemanticModel.GetSymbolInfo(leftNode).Symbol;
if (symbols.ContainingSymbol.ToString() != "Newtonsoft.Json.JsonSerializerSettings")
{
return;
}
ReportIfTypeNameHandlingIsNotNone(ctx, nodeHelper.GetAssignmentRightNode(ctx.Node));
}
protected void VisitAssignment(SyntaxNodeAnalysisContext ctx, SyntaxNodeHelper nodeHelper)
{
// todo: if PasswordField is reintroduced to Behaviors need to filter warnings covered by taint analyzer
var leftNode = nodeHelper.GetAssignmentLeftNodeName(ctx.Node);
if (!IsPasswordField(leftNode, ctx.Options.AdditionalFiles))
{
return;
}
var rightNode = nodeHelper.GetAssignmentRightNode(ctx.Node);
if (rightNode == null)
{
return;
}
var constValue = ctx.SemanticModel.GetConstantValue(rightNode);
if (!constValue.HasValue)
{
return;
}
if (!(constValue.Value is string value))
{
return;
}
if (value.Equals(string.Empty))
{
return;
}
var diagnostic = Diagnostic.Create(Rule, ctx.Node.GetLocation());
ctx.ReportDiagnostic(diagnostic);
}
private bool IsAssigningIntendedValueToPropertyDerivedFromType(SyntaxNode assignment,
SemanticModel model,
Func <IPropertySymbol, bool> isTargetPropertyFunc,
Func <SyntaxNode, bool> isIntendedValueFunc,
out bool isTargetProperty)
{
bool isIntendedValue;
SyntaxNode left = _syntaxNodeHelper.GetAssignmentLeftNode(assignment);
SyntaxNode right = _syntaxNodeHelper.GetAssignmentRightNode(assignment);
IPropertySymbol leftSymbol = SyntaxNodeHelper.GetCalleePropertySymbol(left, model);
isTargetProperty = isTargetPropertyFunc(leftSymbol);
if (!isTargetProperty)
{
return(false);
}
// call to isIntendedValueFunc must be after checking isTargetProperty
// since the logic of isIntendedValueFunc relies on corresponding SyntaxNode
isIntendedValue = isIntendedValueFunc(right);
// Here's an example that needs some extra check:
//
// class TestClass : XmlDocument
// {
// private XmlDocument doc = new XmlDocument();
// public TestClass(XmlDocument doc)
// {
// this.doc.XmlResolver = null;
// }
// }
//
// Even though the assignment would return true for both isTargetPropertyFunc and isIntendedValueFunc,
// it is not setting the actual property for this class.
// The goal is to find all assignment like in the example above, "this.xxx.xxx.Property = ...;".
// For simplicity, here we adopt a simple but inaccurate logic:
// If the target is a member access node, then the only pattern we are looking for is "this.Property"
SyntaxNode memberAccessNode = _syntaxNodeHelper.GetDescendantMemberAccessExpressionNodes(left).FirstOrDefault();
// if assignment target doesn't have any member access node,
// then we treat it as an instance property access without explicit 'this' ('Me' in VB)
if (memberAccessNode == null)
{
//stop here, to avoid false positive, as long as there's one setting <Property> to secure value, we are happy
return(isIntendedValue);
}
SyntaxNode exp = _syntaxNodeHelper.GetMemberAccessExpressionNode(memberAccessNode);
ISymbol expSymbol = SyntaxNodeHelper.GetSymbol(exp, model);
isTargetProperty = expSymbol.Kind == SymbolKind.Parameter && ((IParameterSymbol)expSymbol).IsThis;
if (!isTargetProperty)
{
return(false);
}
SyntaxNode name = _syntaxNodeHelper.GetMemberAccessNameNode(memberAccessNode);
ISymbol nameSymbol = SyntaxNodeHelper.GetSymbol(name, model);
isTargetProperty = isTargetPropertyFunc(nameSymbol as IPropertySymbol);
if (!isTargetProperty)
{
return(false);
}
// stop here, same reason as stated above
return(isIntendedValue);
}
