public virtual void VisitInvocationAndCreation(VBSyntax.ExpressionSyntax node, VBSyntax.ArgumentListSyntax argList, ExecutionState state)
{
}
public virtual void VisitEndMethodDeclaration(CSharpSyntax.MethodDeclarationSyntax node, ExecutionState state)
{
}
// (ii) Visual Basic
public virtual void VisitStatement(VBSyntax.StatementSyntax node, ExecutionState state)
{
}
/// <summary>
/// Combine the state of the two operands. Binary expression include concatenation.
/// </summary>
/// <param name="expression"></param>
/// <param name="state"></param>
/// <returns></returns>
private VariableState VisitBinaryExpression(BinaryExpressionSyntax expression, ExecutionState state)
{
VariableState left = VisitExpression(expression.Left, state);
VariableState right = VisitExpression(expression.Right, state);
return(left.merge(right));
}
public virtual void VisitAssignment(CSharpSyntax.AssignmentExpressionSyntax node, ExecutionState state, MethodBehavior behavior, ISymbol symbol, VariableState variableRightState)
{
}
private VariableState VisitObjectCreation(ObjectCreationExpressionSyntax node, ExecutionState state)
{
VariableState finalState = VisitInvocationAndCreation(node, node.ArgumentList, state);
foreach (SyntaxNode child in node.DescendantNodes())
{
if (child is AssignmentExpressionSyntax)
{
finalState = finalState.merge(VisitAssignment((AssignmentExpressionSyntax)child, state));
}
else
{
SGLogging.Log(child.GetText().ToString().Trim() + " -> " + finalState);
}
}
return(finalState);
}
/// <summary>
/// Identifier name include variable name.
/// </summary>
/// <param name="expression"></param>
/// <param name="state"></param>
/// <returns></returns>
private VariableState VisitIdentifierName(IdentifierNameSyntax expression, ExecutionState state)
{
var value = ResolveIdentifier(expression.Identifier);
return(state.GetValueByIdentifier(value));
}
private VariableState VisitExpressionStatement(ExpressionStatementSyntax node, ExecutionState state)
{
return(VisitExpression(node.Expression, state)); //Simply unwrap the expression
}
private VariableState VisitObjectCreation(ObjectCreationExpressionSyntax node, ExecutionState state)
{
return(VisitInvocationAndCreation(node, node.ArgumentList, state));
}
private VariableState VisitInterpolatedString(InterpolatedStringExpressionSyntax interpolatedString, ExecutionState state)
{
var varState = new VariableState(VariableTaint.CONSTANT);
foreach (var content in interpolatedString.Contents)
{
var textString = content as InterpolatedStringTextSyntax;
if (textString != null)
{
varState = varState.merge(new VariableState(VariableTaint.CONSTANT));
}
var interpolation = content as InterpolationSyntax;
if (interpolation != null)
{
var expressionState = VisitExpression(interpolation.Expression, state);
varState = varState.merge(expressionState);
}
}
return(varState);
}
private VariableState VisitElementAccess(ElementAccessExpressionSyntax elementAccess, BracketedArgumentListSyntax argumentList, ExecutionState state)
{
foreach (var argument in argumentList.Arguments)
{
VisitExpression(argument.Expression, state);
}
return(new VariableState(VariableTaint.UNKNOWN));
}
private VariableState VisitExpression(ExpressionSyntax expression, ExecutionState state)
{
//Invocation
if (expression is InvocationExpressionSyntax)
{
var invocation = (InvocationExpressionSyntax)expression;
return(VisitMethodInvocation(invocation, state));
}
else if (expression is ObjectCreationExpressionSyntax)
{
var objCreation = (ObjectCreationExpressionSyntax)expression;
return(VisitObjectCreation(objCreation, state));
}
else if (expression is LiteralExpressionSyntax)
{
return(new VariableState(VariableTaint.CONSTANT));
}
else if (expression is IdentifierNameSyntax)
{
var identifierName = (IdentifierNameSyntax)expression;
return(VisitIdentifierName(identifierName, state));
}
//Arithmetic : Addition
else if (expression is BinaryExpressionSyntax)
{
var binaryExpression = (BinaryExpressionSyntax)expression;
return(VisitBinaryExpression(binaryExpression, state));
}
else if (expression is AssignmentExpressionSyntax)
{
var assignment = (AssignmentExpressionSyntax)expression;
return(VisitAssignment(assignment, state));
}
else if (expression is MemberAccessExpressionSyntax)
{
var memberAccess = (MemberAccessExpressionSyntax)expression;
var leftExpression = memberAccess.Expression;
var name = memberAccess.Name;
return(VisitExpression(leftExpression, state));
}
else if (expression is ElementAccessExpressionSyntax)
{
var elementAccess = (ElementAccessExpressionSyntax)expression;
return(VisitElementAccess(elementAccess, elementAccess.ArgumentList, state));
}
else if (expression is ArrayCreationExpressionSyntax)
{
var arrayCreation = (ArrayCreationExpressionSyntax)expression;
return(VisitArrayCreation(arrayCreation, state));
}
else if (expression is TypeOfExpressionSyntax)
{
var typeofEx = (TypeOfExpressionSyntax)expression;
return(new VariableState(VariableTaint.SAFE));
}
else if (expression is ConditionalExpressionSyntax)
{
var conditional = (ConditionalExpressionSyntax)expression;
VisitExpression(conditional.Condition, state);
var finalState = new VariableState(VariableTaint.SAFE);
var whenTrueState = VisitExpression(conditional.WhenTrue, state);
finalState.merge(whenTrueState);
var whenFalseState = VisitExpression(conditional.WhenFalse, state);
finalState.merge(whenFalseState);
return(finalState);
}
else if (expression is CheckedExpressionSyntax)
{
var checkedEx = (CheckedExpressionSyntax)expression;
return(VisitExpression(checkedEx.Expression, state));
}
else if (expression is QueryExpressionSyntax)
{
var query = (QueryExpressionSyntax)expression;
var body = query.Body;
return(new VariableState(VariableTaint.UNKNOWN));
}
else if (expression is InterpolatedStringExpressionSyntax)
{
var interpolatedString = (InterpolatedStringExpressionSyntax)expression;
return(VisitInterpolatedString(interpolatedString, state));
}
SGLogging.Log("Unsupported expression " + expression.GetType() + " (" + expression.ToString() + ")");
//Unsupported expression
return(new VariableState(VariableTaint.UNKNOWN));
}
/// <summary>
/// Evaluate expression that contains a list of assignment.
/// </summary>
/// <param name="declaration"></param>
/// <param name="ctx"></param>
/// <param name="state"></param>
private VariableState VisitVariableDeclaration(VariableDeclarationSyntax declaration, ExecutionState state)
{
var variables = declaration.Variables;
VariableState lastState = new VariableState(VariableTaint.UNKNOWN);
foreach (var variable in declaration.Variables)
{
var identifier = variable.Identifier;
var initializer = variable.Initializer;
if (initializer is EqualsValueClauseSyntax)
{
EqualsValueClauseSyntax equalsClause = initializer;
VariableState varState = VisitExpression(equalsClause.Value, state);
state.AddNewValue(ResolveIdentifier(identifier), varState);
lastState = varState;
}
}
//
return(lastState);
}
/// <summary>
/// Unwrap
/// </summary>
/// <param name="declaration"></param>
/// <param name="state"></param>
/// <returns></returns>
private VariableState VisitLocalDeclaration(LocalDeclarationStatementSyntax declaration, ExecutionState state)
{
return(VisitVariableDeclaration(declaration.Declaration, state));
}
public virtual void VisitAssignment(VisualBasicSyntaxNode node, ExecutionState state, MethodBehavior behavior, ISymbol symbol, VariableState variableRightState)
{
}
/// <summary>
/// Logic for each method invocation (including constructor)
/// The argument list is required because <code>InvocationExpressionSyntax</code> and
/// <code>ObjectCreationExpressionSyntax</code> do not share a common interface.
/// </summary>
/// <param name="node"></param>
/// <param name="argList"></param>
/// <param name="state"></param>
/// <returns></returns>
private VariableState VisitInvocationAndCreation(ExpressionSyntax node, ArgumentListSyntax argList, ExecutionState state)
{
var symbol = state.GetSymbol(node);
MethodBehavior behavior = behaviorRepo.GetMethodBehavior(symbol);
int i = 0;
if (argList == null)
{
return(new VariableState(VariableTaint.UNKNOWN));
}
var returnState = new VariableState(VariableTaint.SAFE);
foreach (var argument in argList.Arguments)
{
var argumentState = VisitExpression(argument.Expression, state);
if (symbol != null)
{
SGLogging.Log(symbol.ContainingType + "." + symbol.Name + " -> " + argumentState);
}
if (behavior != null)
{ //If the API is at risk
if ((argumentState.taint == VariableTaint.TAINTED || //Tainted values
argumentState.taint == VariableTaint.UNKNOWN) &&
Array.Exists(behavior.injectablesArguments, element => element == i) //If the current parameter can be injected.
)
{
var newRule = LocaleUtil.GetDescriptor(behavior.localeInjection);
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
else if (argumentState.taint == VariableTaint.CONSTANT && //Hard coded value
Array.Exists(behavior.passwordArguments, element => element == i) //If the current parameter is a password
)
{
var newRule = LocaleUtil.GetDescriptor(behavior.localePassword);
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
else if ( //
Array.Exists(behavior.taintFromArguments, element => element == i))
{
returnState = returnState.merge(argumentState);
}
}
//TODO: tainted all object passed in argument
i++;
}
//Additionnal analysis by extension
foreach (var ext in extensions)
{
ext.VisitInvocationAndCreation(node, argList, state);
}
var hasTaintFromArguments = behavior?.taintFromArguments?.Length > 0;
if (hasTaintFromArguments)
{
return(returnState);
}
else
{
return(new VariableState(VariableTaint.UNKNOWN));
}
}
public virtual void VisitEndMethodDeclaration(VBSyntax.MethodBlockSyntax node, ExecutionState state)
{
}
/// <summary>
/// Logic for each method invocation (including constructor)
/// The argument list is required because <code>InvocationExpressionSyntax</code> and
/// <code>ObjectCreationExpressionSyntax</code> do not share a common interface.
/// </summary>
/// <param name="node"></param>
/// <param name="argList"></param>
/// <param name="state"></param>
/// <returns></returns>
private VariableState VisitInvocationAndCreation(ExpressionSyntax node, ArgumentListSyntax argList, ExecutionState state)
{
var symbol = state.GetSymbol(node);
MethodBehavior behavior = behaviorRepo.GetMethodBehavior(symbol);
int i = 0;
if (argList == null)
{
return(new VariableState(VariableTaint.UNKNOWN));
}
foreach (var argument in argList.Arguments)
{
var argumentState = VisitExpression(argument.Expression, state);
if (symbol != null)
{
SGLogging.Log(symbol.ContainingType + "." + symbol.Name + " -> " + argumentState);
}
if (behavior != null && //If the API is at risk
(argumentState.taint == VariableTaint.TAINTED || //Tainted values
argumentState.taint == VariableTaint.UNKNOWN) &&
Array.Exists(behavior.injectablesArguments, element => element == i) //If the current parameter can be injected.
)
{
var newRule = LocaleUtil.GetDescriptor(behavior.vulnerabilityLocale);
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
else if ((behavior != null || AnalyzerUtil.SymbolMatch(symbol, name:"Password")) &&
argumentState.taint == VariableTaint.CONSTANT && //Hard coded value
Array.Exists(behavior.passwordArguments, element => element == i) //If the current parameter is a password
)
{
var newRule = LocaleUtil.GetDescriptor(behavior.vulnerabilityLocale);
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
//TODO: tainted all object passed in argument
i++;
}
return(new VariableState(VariableTaint.UNKNOWN));
}
