Пример #1
0
        protected override SymbolAndNodeAnalyzer GetAnalyzer(CompilationStartAnalysisContext context, CompilationSecurityTypes types, Version targetFrameworkVersion)
        {
            SymbolAndNodeAnalyzer analyzer = new SymbolAndNodeAnalyzer(types, CSharpSyntaxNodeHelper.Default, targetFrameworkVersion);
            context.RegisterSyntaxNodeAction(analyzer.AnalyzeNode, SyntaxKind.MethodDeclaration, SyntaxKind.ConstructorDeclaration);

            return analyzer;
        }
Пример #2
0
        public override void Initialize(AnalysisContext analysisContext)
        {
            // TODO: Make analyzer thread-safe.
            //analysisContext.EnableConcurrentExecution();

            // Security analyzer - analyze and report diagnostics in generated code.
            analysisContext.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);

            analysisContext.RegisterCompilationStartAction(
                (context) =>
                {
                    Compilation compilation = context.Compilation;
                    var xmlTypes = new CompilationSecurityTypes(compilation);
                    if (ReferencesAnyTargetType(xmlTypes))
                    {
                        Version version = SecurityDiagnosticHelpers.GetDotNetFrameworkVersion(compilation);

                        // bail if we are not analyzing project targeting .NET Framework
                        // TODO: should we throw an exception to notify user?
                        if (version != null)
                        {
                            SymbolAndNodeAnalyzer analyzer = GetAnalyzer(context, xmlTypes, version);
                            context.RegisterSymbolAction(analyzer.AnalyzeSymbol, SymbolKind.NamedType);
                        }
                    }
                });
        }
Пример #3
0
        public override void Initialize(AnalysisContext analysisContext)
        {
            // TODO: Make analyzer thread-safe
            //analysisContext.EnableConcurrentExecution();

            // Security analyzer - analyze and report diagnostics in generated code.
            analysisContext.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);

            analysisContext.RegisterCompilationStartAction(
                (context) =>
                {
                    Compilation compilation = context.Compilation;
                    var xmlTypes = new CompilationSecurityTypes(compilation);

                    if (ReferencesAnyTargetType(xmlTypes))
                    {
                        Version version = SecurityDiagnosticHelpers.GetDotNetFrameworkVersion(compilation);

                        if (version != null)
                        {
                            context.RegisterOperationBlockStartAction(
                                (c) =>
                                {
                                    RegisterAnalyzer(c, xmlTypes, version);
                                });
                        }
                    }
                });
        }
Пример #4
0
 protected override SyntaxNodeAnalyzer GetAnalyzer(CompilationStartAnalysisContext context, CompilationSecurityTypes cryptTypes)
 {
     SyntaxNodeAnalyzer analyzer = new SyntaxNodeAnalyzer(cryptTypes);
     context.RegisterSyntaxNodeAction(analyzer.AnalyzeNode,
                                      SyntaxKind.InvocationExpression,
                                      SyntaxKind.ObjectCreationExpression);
     return analyzer;
 }
Пример #5
0
 private static bool ReferencesAnyTargetType(CompilationSecurityTypes types)
 {
     return types.DES != null
         || types.DSA != null
         || types.DSASignatureFormatter != null
         || types.HMACMD5 != null
         || types.RC2 != null
         || types.TripleDES != null
         || types.RIPEMD160 != null
         || types.HMACRIPEMD160 != null;
 }
Пример #6
0
 public override void Initialize(AnalysisContext analysisContext)
 {
     analysisContext.RegisterCompilationStartAction(
         (context) =>
         {
             var cryptTypes = new CompilationSecurityTypes(context.Compilation);
             if (ReferencesAnyTargetType(cryptTypes))
             {
                 GetAnalyzer(context, cryptTypes);
             }
         });
 }
Пример #7
0
 private void RegisterAnalyzer(OperationBlockStartAnalysisContext context, CompilationSecurityTypes types, Version frameworkVersion)
 {
     var analyzer = new OperationAnalyzer(types, frameworkVersion);
     context.RegisterOperationAction(
         analyzer.AnalyzeOperation,
         OperationKind.InvocationExpression,
         OperationKind.AssignmentExpression,
         OperationKind.VariableDeclaration,
         OperationKind.ObjectCreationExpression,
         OperationKind.FieldInitializerAtDeclaration
     );
     context.RegisterOperationBlockEndAction(
         analyzer.AnalyzeOperationBlock
     );
 }
Пример #8
0
        public override void Initialize(AnalysisContext analysisContext)
        {
            analysisContext.EnableConcurrentExecution();

            // Security analyzer - analyze and report diagnostics in generated code.
            analysisContext.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);

            analysisContext.RegisterCompilationStartAction(
                (context) =>
                {
                    var cryptTypes = new CompilationSecurityTypes(context.Compilation);
                    if (ReferencesAnyTargetType(cryptTypes))
                    {
                        GetAnalyzer(context, cryptTypes);
                    }
                });
        }
Пример #9
0
        public override void Initialize(AnalysisContext analysisContext)
        {
            analysisContext.EnableConcurrentExecution();
            analysisContext.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze);

            analysisContext.RegisterCompilationStartAction(compilationStartAnalysisContext =>
            {
                var compilationTypes = new CompilationSecurityTypes(compilationStartAnalysisContext.Compilation);
                if (compilationTypes.HandleProcessCorruptedStateExceptionsAttribute == null)
                {
                    return;
                }

                compilationStartAnalysisContext.RegisterOperationBlockAction(operationBlockAnalysisContext =>
                {
                    if (operationBlockAnalysisContext.OwningSymbol.Kind != SymbolKind.Method)
                    {
                        return;
                    }

                    var method = (IMethodSymbol) operationBlockAnalysisContext.OwningSymbol;

                    if (!ContainsHandleProcessCorruptedStateExceptionsAttribute(method, compilationTypes))
                    {
                        return;
                    }

                    foreach (var operation in operationBlockAnalysisContext.OperationBlocks)
                    {
                        var walker = new EmptyThrowInsideCatchAllWalker(compilationTypes);
                        walker.Visit(operation);

                        foreach (var catchClause in walker.CatchAllCatchClausesWithoutEmptyThrow)
                        {
                            operationBlockAnalysisContext.ReportDiagnostic(catchClause.Syntax.CreateDiagnostic(Rule,
                                method.ToDisplayString()));
                        }
                    }
                });
            });
        }
Пример #10
0
        public override void Initialize(AnalysisContext analysisContext)
        {
            analysisContext.RegisterCompilationStartAction(
                (context) =>
                {
                    Compilation compilation = context.Compilation;
                    var xmlTypes = new CompilationSecurityTypes(compilation);
                    if (ReferencesAnyTargetType(xmlTypes))
                    {
                        Version version = SecurityDiagnosticHelpers.GetDotNetFrameworkVersion(compilation);

                        // bail if we are not analyzing project targeting .NET Framework
                        // TODO: should we throw an exception to notify user?
                        if (version != null)
                        {
                            Analyzer analyzer = GetAnalyzer(context, xmlTypes, version);
                            context.RegisterSymbolAction(analyzer.AnalyzeSymbol, SymbolKind.NamedType);
                        }
                    }
                });
        }
Пример #11
0
 private static bool ReferencesAnyTargetType(CompilationSecurityTypes types)
 {
     return types.MD5 != null 
         || types.SHA1 != null
         || types.HMACSHA1 != null;
 }
Пример #12
0
 private static bool ReferencesAnyTargetType(CompilationSecurityTypes types)
 {
     return types.XmlDocument != null
         || types.XmlTextReader != null;
 }
Пример #13
0
 public SymbolAndNodeAnalyzer(CompilationSecurityTypes xmlTypes, SyntaxNodeHelper helper, Version targetFrameworkVersion)
 {
     _xmlTypes          = xmlTypes;
     _syntaxNodeHelper  = helper;
     _isFrameworkSecure = targetFrameworkVersion == null ? false : targetFrameworkVersion >= SymbolAndNodeAnalyzer.s_minSecureFxVersion;
 }
Пример #14
0
 private static bool ReferencesAnyTargetType(CompilationSecurityTypes types)
 {
     return(types.XmlDocument != null ||
            types.XmlTextReader != null);
 }
Пример #15
0
        protected override SyntaxNodeAnalyzer GetAnalyzer(CodeBlockStartAnalysisContext <SyntaxKind> context, CompilationSecurityTypes types)
        {
            SyntaxNodeAnalyzer analyzer = new SyntaxNodeAnalyzer(types, CSharpSyntaxNodeHelper.Default);

            context.RegisterSyntaxNodeAction(
                analyzer.AnalyzeNode,
                SyntaxKind.InvocationExpression,
                SyntaxKind.ObjectCreationExpression,
                SyntaxKind.SimpleAssignmentExpression,
                SyntaxKind.VariableDeclarator);

            return(analyzer);
        }
Пример #16
0
        protected override SymbolAndNodeAnalyzer GetAnalyzer(CompilationStartAnalysisContext context, CompilationSecurityTypes types, Version targetFrameworkVersion)
        {
            SymbolAndNodeAnalyzer analyzer = new SymbolAndNodeAnalyzer(types, CSharpSyntaxNodeHelper.Default, targetFrameworkVersion);

            context.RegisterSyntaxNodeAction(analyzer.AnalyzeNode, SyntaxKind.MethodDeclaration, SyntaxKind.ConstructorDeclaration);

            return(analyzer);
        }
Пример #17
0
        public override void Initialize(AnalysisContext analysisContext)
        {
            analysisContext.EnableConcurrentExecution();

            // Security analyzer - analyze and report diagnostics on generated code.
            analysisContext.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);

            analysisContext.RegisterCompilationStartAction(
                (CompilationStartAnalysisContext context) =>
            {
                var cryptTypes = new CompilationSecurityTypes(context.Compilation);
                if (!ReferencesAnyTargetType(cryptTypes))
                {
                    return;
                }

                context.RegisterOperationAction(
                    (OperationAnalysisContext operationAnalysisContext) =>
                {
                    IMethodSymbol method;

                    switch (operationAnalysisContext.Operation)
                    {
                    case IInvocationOperation invocationOperation:
                        method = invocationOperation.TargetMethod;
                        break;

                    case IObjectCreationOperation objectCreationOperation:
                        method = objectCreationOperation.Constructor;
                        break;

                    default:
                        Debug.Fail($"Unhandled IOperation {operationAnalysisContext.Operation.Kind}");
                        return;
                    }

                    INamedTypeSymbol type = method.ContainingType;
                    DiagnosticDescriptor rule;
                    string algorithmName;

                    if (type.DerivesFrom(cryptTypes.MD5))
                    {
                        rule          = DoNotUseBrokenCryptographyRule;
                        algorithmName = cryptTypes.MD5.Name;
                    }
                    else if (type.DerivesFrom(cryptTypes.SHA1))
                    {
                        rule          = DoNotUseWeakCryptographyRule;
                        algorithmName = cryptTypes.SHA1.Name;
                    }
                    else if (type.DerivesFrom(cryptTypes.HMACSHA1))
                    {
                        rule          = DoNotUseWeakCryptographyRule;
                        algorithmName = cryptTypes.HMACSHA1.Name;
                    }
                    else if (type.DerivesFrom(cryptTypes.DES))
                    {
                        rule          = DoNotUseBrokenCryptographyRule;
                        algorithmName = cryptTypes.DES.Name;
                    }
                    else if ((method.ContainingType.DerivesFrom(cryptTypes.DSA) &&
                              method.MetadataName == SecurityMemberNames.CreateSignature) ||
                             (type.Equals(cryptTypes.DSASignatureFormatter) &&
                              method.ContainingType.DerivesFrom(cryptTypes.DSASignatureFormatter) &&
                              method.MetadataName == WellKnownMemberNames.InstanceConstructorName))
                    {
                        rule          = DoNotUseBrokenCryptographyRule;
                        algorithmName = "DSA";
                    }
                    else if (type.DerivesFrom(cryptTypes.HMACMD5))
                    {
                        rule          = DoNotUseBrokenCryptographyRule;
                        algorithmName = cryptTypes.HMACMD5.Name;
                    }
                    else if (type.DerivesFrom(cryptTypes.RC2))
                    {
                        rule          = DoNotUseBrokenCryptographyRule;
                        algorithmName = cryptTypes.RC2.Name;
                    }
                    else if (type.DerivesFrom(cryptTypes.TripleDES))
                    {
                        rule          = DoNotUseWeakCryptographyRule;
                        algorithmName = cryptTypes.TripleDES.Name;
                    }
                    else if (type.DerivesFrom(cryptTypes.RIPEMD160))
                    {
                        rule          = DoNotUseWeakCryptographyRule;
                        algorithmName = cryptTypes.RIPEMD160.Name;
                    }
                    else if (type.DerivesFrom(cryptTypes.HMACRIPEMD160))
                    {
                        rule          = DoNotUseWeakCryptographyRule;
                        algorithmName = cryptTypes.HMACRIPEMD160.Name;
                    }
                    else
                    {
                        return;
                    }

                    operationAnalysisContext.ReportDiagnostic(
                        Diagnostic.Create(
                            rule,
                            operationAnalysisContext.Operation.Syntax.GetLocation(),
                            operationAnalysisContext.ContainingSymbol.Name,
                            algorithmName));
                },
                    OperationKind.Invocation,
                    OperationKind.ObjectCreation);
            });
        }
Пример #18
0
 private static bool ReferencesAnyTargetType(CompilationSecurityTypes types)
 {
     return types.XmlDocument != null
         || types.XmlNode != null
         || types.XmlReader != null
         || types.XmlTextReader != null
         || types.XPathDocument != null
         || types.XmlSchema != null
         || types.DataSet != null
         || types.DataTable != null
         || types.DataViewManager != null
         || types.XmlSerializer != null;
 }
Пример #19
0
 private static bool ReferencesAnyTargetType(CompilationSecurityTypes types)
 {
     return(types.MD5 != null ||
            types.SHA1 != null ||
            types.HMACSHA1 != null);
 }
Пример #20
0
 public OperationBlockAnalyzer(CompilationSecurityTypes xmlTypes, ISymbol enclosingSymbol)
 {
     _xmlTypes        = xmlTypes;
     _enclosingSymbol = enclosingSymbol;
 }
Пример #21
0
 public OperationAnalyzer(CompilationSecurityTypes xmlTypes, Version targetFrameworkVersion)
 {
     _xmlTypes = xmlTypes;
     _isFrameworkSecure = targetFrameworkVersion == null ? false : targetFrameworkVersion >= s_minSecureFxVersion;
 }
Пример #22
0
        protected override SyntaxNodeAnalyzer GetAnalyzer(CompilationStartAnalysisContext context, CompilationSecurityTypes cryptTypes)
        {
            SyntaxNodeAnalyzer analyzer = new SyntaxNodeAnalyzer(cryptTypes);

            context.RegisterSyntaxNodeAction(analyzer.AnalyzeNode,
                                             SyntaxKind.InvocationExpression,
                                             SyntaxKind.ObjectCreationExpression);
            return(analyzer);
        }
Пример #23
0
 public Analyzer(CompilationSecurityTypes cryptTypes)
 {
     _cryptTypes = cryptTypes; 
 }
Пример #24
0
 private bool ContainsHandleProcessCorruptedStateExceptionsAttribute(IMethodSymbol method, CompilationSecurityTypes compilationTypes)
 {
     ImmutableArray<AttributeData> attributes = method.GetAttributes();
     return attributes.Any(
         attribute => attribute.AttributeClass.Equals(compilationTypes.HandleProcessCorruptedStateExceptionsAttribute));
 }
Пример #25
0
 public EmptyThrowInsideCatchAllWalker(CompilationSecurityTypes compilationTypes)
 {
     _compilationTypes = compilationTypes;
 }
Пример #26
0
        private static bool ContainsHandleProcessCorruptedStateExceptionsAttribute(IMethodSymbol method, CompilationSecurityTypes compilationTypes)
        {
            ImmutableArray <AttributeData> attributes = method.GetAttributes();

            return(attributes.Any(
                       attribute => attribute.AttributeClass.Equals(compilationTypes.HandleProcessCorruptedStateExceptionsAttribute)));
        }
Пример #27
0
        private static void RegisterAnalyzer(OperationBlockStartAnalysisContext context, CompilationSecurityTypes types, Version frameworkVersion)
        {
            var analyzer = new OperationAnalyzer(types, frameworkVersion);

            context.RegisterOperationAction(
                analyzer.AnalyzeOperation,
                OperationKind.Invocation,
                OperationKind.SimpleAssignment,
                OperationKind.VariableDeclarator,
                OperationKind.ObjectCreation,
                OperationKind.FieldInitializer
                );
            context.RegisterOperationBlockEndAction(
                analyzer.AnalyzeOperationBlock
                );
        }
Пример #28
0
 public EmptyThrowInsideCatchAllWalker(CompilationSecurityTypes compilationTypes)
 {
     _compilationTypes = compilationTypes;
 }
Пример #29
0
 public OperationAnalyzer(CompilationSecurityTypes xmlTypes, Version targetFrameworkVersion)
 {
     _xmlTypes          = xmlTypes;
     _isFrameworkSecure = targetFrameworkVersion == null ? false : targetFrameworkVersion >= s_minSecureFxVersion;
 }
Пример #30
0
 public Analyzer(CompilationSecurityTypes xmlTypes, SyntaxNodeHelper helper, Version targetFrameworkVersion)
 {
     _xmlTypes = xmlTypes;
     _syntaxNodeHelper = helper;
     _isFrameworkSecure = targetFrameworkVersion == null ? false : targetFrameworkVersion >= Analyzer.s_minSecureFxVersion;
 }
Пример #31
0
 protected abstract SymbolAndNodeAnalyzer GetAnalyzer(CompilationStartAnalysisContext context, CompilationSecurityTypes types, Version targetFrameworkVersion);
Пример #32
0
 public SyntaxNodeAnalyzer(CompilationSecurityTypes cryptTypes)
 {
     _cryptTypes = cryptTypes;
 }
Пример #33
0
 public SyntaxNodeAnalyzer(CompilationSecurityTypes cryptTypes)
 {
     _cryptTypes = cryptTypes;
 }
Пример #34
0
 protected abstract SyntaxNodeAnalyzer GetAnalyzer(CompilationStartAnalysisContext context, CompilationSecurityTypes cryptTypes);
Пример #35
0
 protected abstract Analyzer GetAnalyzer(CompilationStartAnalysisContext context, CompilationSecurityTypes types, Version targetFrameworkVersion);
Пример #36
0
 protected abstract Analyzer GetAnalyzer(CompilationStartAnalysisContext context, CompilationSecurityTypes cryptTypes);
Пример #37
0
 protected abstract SyntaxNodeAnalyzer GetAnalyzer(CodeBlockStartAnalysisContext <TLanguageKindEnum> context, CompilationSecurityTypes types);
Пример #38
0
 public SyntaxNodeAnalyzer(CompilationSecurityTypes xmlTypes, SyntaxNodeHelper helper)
 {
     _xmlTypes         = xmlTypes;
     _syntaxNodeHelper = helper;
 }