public static List<Tuple<State, string>> BuildScaryGraph(List<FileAnalyzer> FileAnalyzers)
{
List<Tuple<State, string>> retval = new List<Tuple<State, string>>();
foreach (FileAnalyzer a in FileAnalyzers)
{
foreach (CodeClass c in a.FileSyntaxAnalyzer.CodeClasses)
{
foreach (CodeMethod m in c.CodeMethods)
{
State startState = new State(a, c, m);
foreach (CodeInvocation i in m.CodeInvocations)
{
foreach (string scaryMethod in Util.ScaryMethodNames)
{
if (i.Code.Contains(scaryMethod))
{
retval.Add(new Tuple<State, string>(startState, scaryMethod));
}
}
}
}
}
}
return retval;
}
public static List<Tuple<State, State>> BuildGraph(List<FileAnalyzer> FileAnalyzers)
{
List<Tuple<State, State>> retval = new List<Tuple<State, State>>();
foreach (FileAnalyzer a in FileAnalyzers)
{
foreach (CodeClass c in a.FileSyntaxAnalyzer.CodeClasses)
{
foreach (CodeMethod m in c.CodeMethods)
{
State startState = new State(a, c, m);
foreach (CodeInvocation i in m.CodeInvocations)
{
State targetState = FindTarget(FileAnalyzers, new State(a, c, m), i.Name);
if (targetState != null)
{
// this.debug(a.Filename + ":" + c.Name + ":" + m.Name + " -> " + targetState.FileAnalyzer.Filename + ":" + targetState.CodeClass.Name + ":" + targetState.CodeMethod.Name);
retval.Add(new Tuple<State, State>(startState, targetState));
}
}
}
}
}
return retval;
}
public string DoesThisMethodAssignParametersToALocalVariableWhichIsPassedToAScaryMethod(State s)
{
string retval = string.Empty;
foreach (var scaryEdge in this.scaryEdges)
{
if (scaryEdge.Item1.ToString().CompareTo(s.ToString()) == 0)
{
//
// ok, s calls a scary method. Let's see what it does with parameters.
//
foreach (var p in scaryEdge.Item1.CodeMethod.CodeParameterDeclarations)
{
foreach (var variableDeclaration in scaryEdge.Item1.CodeMethod.CodeVariableDeclarationStatements)
{
if (variableDeclaration.Code.Contains(p.Name))
{
//
// we appear to be assigning parameter 'p' to variableDeclaration. Do we pass variableDeclaration.Name
//
foreach (var invocation in scaryEdge.Item1.CodeMethod.CodeInvocations)
{
if (invocation.Code.Contains(scaryEdge.Item2))
{
if (invocation.Code.Contains(variableDeclaration.Name))
{
//
// we are passing in a parameter. That parameter is getting assigned. The assigned variable is getting passed to evil.
//
retval = string.Format("{0} is passed a parameter {1} which is assigned to a local variable {2} which is passed to scary method: {3}",
s.ToString(), p.Name, variableDeclaration.Name, scaryEdge.Item2);
}
}
}
}
}
}
}
}
return retval;
}
public void Trace(State s, Stack<State> stack)
{
bool isEvilState = false;
stack.Push(s);
if (s.IsEvil)
{
this.Vulnerabilities.Add(new GenericVulnerability(s.FileAnalyzer.Filename, Util.StateStackToString(stack) + " " + s.ScaryMethodUsed, Color.LightPink, "TRACE"));
}
else
{
foreach (var t in this.edges)
{
if (t.Item1.ToString().CompareTo(s.ToString()) == 0)
{
Trace(t.Item2, stack);
}
}
}
stack.Pop(); // remove s
}
public string DoesThisMethodPassParametersToAScaryMethod(State s)
{
string retval = string.Empty;
foreach (var scaryEdge in this.scaryEdges)
{
if (scaryEdge.Item1.ToString().CompareTo(s.ToString()) == 0)
{
//
// ok, it *calls* a scary method, but does it pass a parameter to it?
//
foreach (var invocation in s.CodeMethod.CodeInvocations)
{
if (invocation.Code.Contains(scaryEdge.Item2))
{
foreach (var p in scaryEdge.Item1.CodeMethod.CodeParameterDeclarations)
{
if (invocation.Code.Contains(p.Name))
{
//
// it appears to do this.
//
retval = string.Format("{0} calls {1} and passes in parameter {2}", s.ToString(), invocation.Name, p.Name);
}
}
}
}
}
}
return retval;
}
public static State FindTarget(List<FileAnalyzer> FileAnalyzers, State s, string invokedMethod)
{
State retval = null;
foreach (FileAnalyzer fileAnalyzer in FileAnalyzers)
{
foreach (var c in fileAnalyzer.FileSyntaxAnalyzer.CodeClasses)
{
foreach (var m in c.CodeMethods)
{
if (m.Name.CompareTo(invokedMethod) == 0)
{
retval = new State(fileAnalyzer, c, m);
}
}
}
}
return retval;
}
