public void VisitAssignmentExpression(SyntaxNodeAnalysisContext ctx, SyntaxNodeHelper nodeHelper)
        {
            SyntaxNode right = nodeHelper.GetAssignmentRightNode(ctx.Node);
            SyntaxNode left  = nodeHelper.GetAssignmentLeftNode(ctx.Node);

            var symbol = ctx.SemanticModel.GetSymbolInfo(left).Symbol;

            var content = right.GetText().ToString();

            // Only if it is the RequiredLength property of a PasswordValidator
            if (!AnalyzerUtil.SymbolMatch(symbol, type: "PasswordValidator", name: "RequiredLength") ||
                content == string.Empty)
            {
                return;
            }

            // Validates that the value is an int and that it is over the minimum value required
            if (!int.TryParse(right.GetText().ToString(), out var numericValue) ||
                numericValue >= Constants.PasswordValidatorRequiredLength)
            {
                return;
            }

            var diagnostic = Diagnostic.Create(RulePasswordLength, ctx.Node.GetLocation());

            ctx.ReportDiagnostic(diagnostic);
        }
Exemplo n.º 2
0
        protected void VisitSyntaxNode(SyntaxNodeAnalysisContext ctx, SyntaxNodeHelper nodeHelper)
        {
            var leftNode = nodeHelper.GetAssignmentLeftNode(ctx.Node);
            var symbol   = ctx.SemanticModel.GetSymbolInfo(leftNode).Symbol;

            if (symbol == null)
            {
                return;
            }

            var configuration = ConfigurationManager
                                .Instance.GetProjectConfiguration(ctx.Options.AdditionalFiles);

            if (configuration.AuditMode &&
                symbol.IsType("System.Net.ServicePointManager.CertificatePolicy"))
            {
                ctx.ReportDiagnostic(Diagnostic.Create(Rule, ctx.Node.GetLocation()));
                return;
            }

            if (!IsMatch(symbol))
            {
                return;
            }

            var rightNode = GetBody(nodeHelper.GetAssignmentRightNode(ctx.Node), ctx);

            if (rightNode == null)
            {
                return;
            }

            var rightValue = ctx.SemanticModel.GetConstantValue(rightNode);

            if (!rightValue.HasValue && configuration.AuditMode)
            {
                ctx.ReportDiagnostic(Diagnostic.Create(Rule, ctx.Node.GetLocation()));
                return;
            }

            if (rightValue.Value is bool value && value)
            {
                ctx.ReportDiagnostic(Diagnostic.Create(Rule, ctx.Node.GetLocation()));
                return;
            }

            if (configuration.AuditMode)
            {
                ctx.ReportDiagnostic(Diagnostic.Create(Rule, ctx.Node.GetLocation()));
            }
        }
        protected void VisitAssignment(SyntaxNodeAnalysisContext ctx, SyntaxNodeHelper nodeHelper)
        {
            var leftNode = nodeHelper.GetAssignmentLeftNode(ctx.Node);

            if (!leftNode.ToString().EndsWith("TypeNameHandling"))
            {
                return;
            }

            var symbols = ctx.SemanticModel.GetSymbolInfo(leftNode).Symbol;

            if (symbols.ContainingSymbol.ToString() != "Newtonsoft.Json.JsonSerializerSettings")
            {
                return;
            }

            ReportIfTypeNameHandlingIsNotNone(ctx, nodeHelper.GetAssignmentRightNode(ctx.Node));
        }
        protected void VisitAssignment(SyntaxNodeAnalysisContext ctx, SyntaxNodeHelper nodeHelper)
        {
            // todo: if PasswordField is reintroduced to Behaviors need to filter warnings covered by taint analyzer
            var leftNode = nodeHelper.GetAssignmentLeftNodeName(ctx.Node);

            if (!IsPasswordField(leftNode, ctx.Options.AdditionalFiles))
            {
                return;
            }

            var rightNode = nodeHelper.GetAssignmentRightNode(ctx.Node);

            if (rightNode == null)
            {
                return;
            }

            var constValue = ctx.SemanticModel.GetConstantValue(rightNode);

            if (!constValue.HasValue)
            {
                return;
            }

            if (!(constValue.Value is string value))
            {
                return;
            }

            if (value.Equals(string.Empty))
            {
                return;
            }

            var diagnostic = Diagnostic.Create(Rule, ctx.Node.GetLocation());

            ctx.ReportDiagnostic(diagnostic);
        }
            private bool IsAssigningIntendedValueToPropertyDerivedFromType(SyntaxNode assignment,
                                                                           SemanticModel model,
                                                                           Func <IPropertySymbol, bool> isTargetPropertyFunc,
                                                                           Func <SyntaxNode, bool> isIntendedValueFunc,
                                                                           out bool isTargetProperty)
            {
                bool isIntendedValue;

                SyntaxNode left  = _syntaxNodeHelper.GetAssignmentLeftNode(assignment);
                SyntaxNode right = _syntaxNodeHelper.GetAssignmentRightNode(assignment);

                IPropertySymbol leftSymbol = SyntaxNodeHelper.GetCalleePropertySymbol(left, model);

                isTargetProperty = isTargetPropertyFunc(leftSymbol);

                if (!isTargetProperty)
                {
                    return(false);
                }

                // call to isIntendedValueFunc must be after checking isTargetProperty
                // since the logic of isIntendedValueFunc relies on corresponding SyntaxNode
                isIntendedValue = isIntendedValueFunc(right);

                // Here's an example that needs some extra check:
                //
                //    class TestClass : XmlDocument
                //    {
                //        private XmlDocument doc = new XmlDocument();
                //        public TestClass(XmlDocument doc)
                //        {
                //            this.doc.XmlResolver = null;
                //        }
                //    }
                //
                // Even though the assignment would return true for both isTargetPropertyFunc and isIntendedValueFunc,
                // it is not setting the actual property for this class.

                // The goal is to find all assignment like in the example above, "this.xxx.xxx.Property = ...;".
                // For simplicity, here we adopt a simple but inaccurate logic:
                //   If the target is a member access node, then the only pattern we are looking for is "this.Property"
                SyntaxNode memberAccessNode = _syntaxNodeHelper.GetDescendantMemberAccessExpressionNodes(left).FirstOrDefault();

                // if assignment target doesn't have any member access node,
                // then we treat it as an instance property access without explicit 'this' ('Me' in VB)
                if (memberAccessNode == null)
                {
                    //stop here, to avoid false positive, as long as there's one setting <Property> to secure value, we are happy
                    return(isIntendedValue);
                }

                SyntaxNode exp       = _syntaxNodeHelper.GetMemberAccessExpressionNode(memberAccessNode);
                ISymbol    expSymbol = SyntaxNodeHelper.GetSymbol(exp, model);

                isTargetProperty = expSymbol.Kind == SymbolKind.Parameter && ((IParameterSymbol)expSymbol).IsThis;
                if (!isTargetProperty)
                {
                    return(false);
                }

                SyntaxNode name       = _syntaxNodeHelper.GetMemberAccessNameNode(memberAccessNode);
                ISymbol    nameSymbol = SyntaxNodeHelper.GetSymbol(name, model);

                isTargetProperty = isTargetPropertyFunc(nameSymbol as IPropertySymbol);
                if (!isTargetProperty)
                {
                    return(false);
                }

                // stop here, same reason as stated above
                return(isIntendedValue);
            }