Пример #1
0
        private void setOrderedArguments(FlowOutputSet callInput, MemoryEntry[] arguments)
        {
            var argCount      = new MemoryEntry(callInput.CreateInt(arguments.Length));
            var argCountEntry = callInput.GetVariable(new VariableIdentifier(".argument_count"));

            argCountEntry.WriteMemory(callInput.Snapshot, argCount);

            var index     = 0;
            var callPoint = (Flow.CurrentProgramPoint as ExtensionPoint).Caller as RCallPoint;

            foreach (var arg in callPoint.Arguments)
            {
                var argVar        = argument(index);
                var argumentEntry = callInput.GetVariable(new VariableIdentifier(argVar));

                //determine that argument value is based on variable, so we can get it's alias
                var aliasProvider = arg as LValuePoint;
                if (aliasProvider == null)
                {
                    //assign value for parameter
                    argumentEntry.WriteMemory(callInput.Snapshot, arguments[index]);
                }
                else
                {
                    //join parameter with alias (for testing we join all possible arguments)
                    //be carefull here - Flow.OutSet belongs to call context already - so we has to read variable from InSet
                    argumentEntry.SetAliases(callInput.Snapshot, aliasProvider.LValue);
                }
                ++index;
            }
        }
Пример #2
0
        /// <summary>
        /// Initializer which sets environment for tests before analyzing
        /// </summary>
        /// <param name="outSet"></param>
        private static void initialize(FlowOutputSet outSet)
        {
            outSet.Snapshot.SetMode(SnapshotMode.InfoLevel);
            var POSTVar = outSet.GetVariable(new VariableIdentifier("_POST"), true);
            var POST    = outSet.CreateInfo(true);

            POSTVar.WriteMemory(outSet.Snapshot, new MemoryEntry(POST));

            POSTVar = outSet.GetVariable(new VariableIdentifier("_POST"), true);
            POST    = outSet.CreateInfo(true);

            POSTVar.WriteMemory(outSet.Snapshot, new MemoryEntry(POST));
        }
Пример #3
0
        private void initTaintedVariable(FlowOutputSet outSet, String name)
        {
            outSet.Snapshot.SetMode(SnapshotMode.InfoLevel);

            var TaintedVar = outSet.GetVariable(new VariableIdentifier(name), true);

            var taint = new TaintInfo();

            taint.taint    = new Taint(true);
            taint.priority = new TaintPriority(true);
            taint.tainted  = true;

            var Taint = outSet.CreateInfo(taint);

            //TaintedVar.WriteMemory(outSet.Snapshot, new MemoryEntry(Taint));

            var entry = TaintedVar.ReadIndex(EntryInput.Snapshot, MemberIdentifier.getAnyMemberIdentifier());

            entry.WriteMemory(EntryInput.Snapshot, new MemoryEntry(Taint));

            /*
             * TaintedVar = outSet.GetVariable(new VariableIdentifier(name), true);
             * Taint = outSet.CreateInfo(taint);
             *
             * TaintedVar.WriteMemory(outSet.Snapshot, new MemoryEntry(Taint));*/
        }
Пример #4
0
        private void setNamedArguments(FlowOutputSet callInput, MemoryEntry[] arguments, Signature signature)
        {
            var callPoint     = (Flow.CurrentProgramPoint as ExtensionPoint).Caller as RCallPoint;
            var callSignature = callPoint.CallSignature;
            var enumerator    = callPoint.Arguments.GetEnumerator();

            for (int i = 0; i < signature.FormalParams.Count; ++i)
            {
                enumerator.MoveNext();

                var param     = signature.FormalParams[i];
                var callParam = callSignature.Value.Parameters[i];

                var argumentVar = callInput.GetVariable(new VariableIdentifier(param.Name));

                if (callParam.PublicAmpersand || param.PassedByRef)
                {
                    argumentVar.SetAliases(callInput.Snapshot, enumerator.Current.Value);
                }
                else
                {
                    argumentVar.WriteMemory(callInput.Snapshot, arguments[i]);
                }
            }
        }
Пример #5
0
        internal static ReadWriteSnapshotEntryBase GetNumberedArgument(FlowOutputSet outSet, int number)
        {
            var argId  = new VariableIdentifier(argument(number));
            var argVar = outSet.GetVariable(argId);

            return(argVar);
        }
Пример #6
0
        private void setNamedArguments(FlowOutputSet callInput, CallSignature?callSignature, Signature signature, IEnumerable <ValuePoint> arguments)
        {
            int i = 0;

            foreach (var arg in arguments)
            {
                if (i >= signature.FormalParams.Count)
                {
                    break;
                }
                var param       = signature.FormalParams[i];
                var argumentVar = callInput.GetVariable(new VariableIdentifier(param.Name));

                // var argumentValue = arg.Value.ReadMemory(Output);


                List <ValueInfo> values     = new List <ValueInfo>();
                var          varID          = getVariableIdentifier(arg.Value);
                List <Value> argumentValues = new List <Value>(arg.Value.ReadMemory(Output).PossibleValues);
                values.Add(new ValueInfo(argumentValues, varID));
                bool nullValue = hasPossibleNullValue(arg);

                TaintInfo argTaint = mergeTaint(values, nullValue);
                setTaint(argumentVar, argTaint);

                /*var argTaint = getTaint(arg.Value);
                 *
                 *              setTaint(argumentVar, argTaint);
                 *              //argumentVar.WriteMemory(callInput.Snapshot, argumentValue);*/

                ++i;
            }
            // TODO: if (arguments.Count() < signature.FormalParams.Count) and exists i > arguments.Count() signature.FormalParams[i].InitValue != null
        }
Пример #7
0
        internal static void AssertHasTaintStatus(FlowOutputSet outSet, string variableName, string assertMessage, TaintStatus taintStatus, Analysis.FlagType flag)
        {
            var varID               = new VariableIdentifier(variableName);
            var variable            = outSet.GetVariable(varID);
            var values              = variable.ReadMemory(outSet.Snapshot).PossibleValues.ToArray();
            var computedTaintStatus = new TaintStatus(false, true);

            if (values.Count() == 0)
            {
                computedTaintStatus.priority.setAll(false);
            }
            foreach (var value in values)
            {
                if (!(value is InfoValue <TaintInfo>))
                {
                    continue;
                }
                TaintInfo   valueTaintInfo   = (value as InfoValue <TaintInfo>).Data;
                TaintStatus valueTaintStatus = new TaintStatus(valueTaintInfo, flag);
                computedTaintStatus.tainted.copyTaint(true, valueTaintStatus.tainted);
                computedTaintStatus.priority.copyTaint(false, valueTaintStatus.priority);
                computedTaintStatus.lines.AddRange(valueTaintStatus.lines);
            }
            String taintStatusString         = taintStatus.ToString(flag);
            String computedTaintStatusString = computedTaintStatus.ToString(flag);

            Assert.IsTrue(taintStatus.EqualTo(computedTaintStatus, flag), "Taint status of the taint type {0} of variable ${1} should be {2}, taint analysis computed {3}", flag, variableName, taintStatusString, computedTaintStatusString);
        }
Пример #8
0
        private static void SetInputOperands(FlowOutputSet entryInput, Value[] leftOperands,
                                             Value[] rightOperands)
        {
            Debug.Assert(leftOperands.Length == rightOperands.Length,
                         "Number of left and right operands is the same");

            for (var i = 0; i < leftOperands.Length; ++i)
            {
                var identifier    = new VariableIdentifier(string.Concat("left", i.ToString()));
                var snapshotEntry = entryInput.GetVariable(identifier, true);
                snapshotEntry.WriteMemoryWithoutCopy(entryInput.Snapshot, new MemoryEntry(leftOperands[i]));

                identifier    = new VariableIdentifier(string.Concat("right", i.ToString()));
                snapshotEntry = entryInput.GetVariable(identifier, true);
                snapshotEntry.WriteMemoryWithoutCopy(entryInput.Snapshot, new MemoryEntry(rightOperands[i]));
            }
        }
Пример #9
0
 private static void SetInputArray(FlowOutputSet entryInput)
 {
     for (var i = 0; i < inputVariables.Length; ++i)
     {
         var identifier    = new VariableIdentifier(inputVariables[i]);
         var snapshotEntry = entryInput.GetVariable(identifier, true);
         snapshotEntry.WriteMemoryWithoutCopy(entryInput.Snapshot, new MemoryEntry(inputValues[i]));
     }
 }
Пример #10
0
        internal static void AssertIsXSSDirty(FlowOutputSet outSet, string variableName, string assertMessage)
        {
            var variable = outSet.GetVariable(new VariableIdentifier(variableName));
            var values   = variable.ReadMemory(outSet.Snapshot).PossibleValues.ToArray();

            if (!FlagsHandler.IsDirty(values, FlagType.SQLDirty))
            {
                Assert.Fail("No possible value for variable ${0} is dirty", variableName);
            }
        }
Пример #11
0
        internal static void AssertHasTaintStatus(FlowOutputSet outSet, string variableName, string assertMessage, bool taintStatus)
        {
            var variable            = outSet.GetVariable(new VariableIdentifier(variableName));
            var values              = variable.ReadMemory(outSet.Snapshot).PossibleValues.ToArray();
            var computedTaintStatus = false;

            foreach (var value in values)
            {
                computedTaintStatus = computedTaintStatus || (value as InfoValue <bool>).Data;
            }
            Assert.IsTrue(taintStatus == computedTaintStatus, "Taint status of the variable ${0} should be {1}, taint analysis computed {2}", variableName, taintStatus, computedTaintStatus);
        }
Пример #12
0
        public override void Catch(CatchPoint catchPoint, FlowOutputSet outSet)
        {
            //TODO this is simple catch demonstration - there should be catch stack unrolling

            var catchVariable    = catchPoint.CatchDescription.CatchVariable;
            var hasCatchVariable = catchVariable != null;

            if (hasCatchVariable)
            {
                var catchVar = outSet.GetVariable(catchPoint.CatchDescription.CatchVariable);
                catchVar.WriteMemory(outSet.Snapshot, catchPoint.ThrowedValue);
            }
        }
Пример #13
0
        internal static void AssertIsXSSClean(FlowOutputSet outSet, string variableName, string assertMessage)
        {
            var variable = outSet.GetVariable(new VariableIdentifier(variableName));
            var values   = variable.ReadMemory(outSet.Snapshot).PossibleValues.ToArray();

            foreach (var value in values)
            {
                var info = value.GetInfo <SimpleInfo>();
                if (info != null && !info.XssSanitized)
                {
                    Assert.IsTrue(info.XssSanitized, "Variable ${0} with value {1} is not sanitized", variableName, value);
                }
            }
        }
Пример #14
0
        private void setOrderedArguments(FlowOutputSet callInput, IEnumerable <ValuePoint> arguments, LangElement declaration)
        {
            var index = 0;

            foreach (var arg in arguments)
            {
                // var argID = getVariableIdentifier(arg.Value);
                var argVar        = argumentString(index);
                var argumentEntry = callInput.GetVariable(new VariableIdentifier(argVar));

                var argumentValue = arg.Value.ReadMemory(Output);
                argumentEntry.WriteMemory(callInput.Snapshot, argumentValue);

                ++index;
            }
        }
Пример #15
0
        private static void TestVariableResults(FlowOutputSet outSet, Value[] results,
                                                Func <int, string> nameGenerator)
        {
            for (var i = 0; i < results.Length; ++i)
            {
                var identifier    = new VariableIdentifier(nameGenerator(i));
                var snapshotEntry = outSet.GetVariable(identifier, true);

                var entry      = snapshotEntry.ReadMemory(outSet.Snapshot);
                var enumerator = entry.PossibleValues.GetEnumerator();
                enumerator.MoveNext();
                var value = enumerator.Current as Value;

                Assert.AreEqual(results[i], value);
            }
        }
Пример #16
0
        internal void EnvironmentInitializer(FlowOutputSet outSet)
        {
            foreach (var nonDeterministic in _nonDeterminiticVariables)
            {
                outSet.GetVariable(new VariableIdentifier(nonDeterministic)).WriteMemory(outSet.Snapshot, new MemoryEntry(outSet.AnyValue));
            }

            foreach (var initializer in _initializers)
            {
                initializer(outSet);
            }

            if (PreviousTest != null)
            {
                PreviousTest.EnvironmentInitializer(outSet);
            }
        }
Пример #17
0
        /// <inheritdoc />
        public override void Catch(CatchPoint catchPoint, FlowOutputSet outSet)
        {
            if (catchPoint.CatchDescription.CatchedType.QualifiedName.Equals(new QualifiedName(new Name(""))))
            {
                return;
            }
            var catchBlocks = outSet.GetControlVariable(new VariableName(".catchBlocks"));
            var stack       = new List <HashSet <CatchBlockDescription> >();

            foreach (var value in catchBlocks.ReadMemory(outSet.Snapshot).PossibleValues)
            {
                if (stack.Count == 0)
                {
                    for (int i = 0; i < (value as InfoValue <TryBlockStack>).Data.blocks.Count; i++)
                    {
                        stack.Add(new HashSet <CatchBlockDescription>());
                    }
                }
                for (int i = 0; i < (value as InfoValue <TryBlockStack>).Data.blocks.Count; i++)
                {
                    foreach (var block in (value as InfoValue <TryBlockStack>).Data.blocks[i])
                    {
                        stack[i].Add(block);
                    }
                }
            }

            for (int i = stack.Count - 1; i >= 0; i--)
            {
                if (stack[i].Where(a => a.CatchedType.QualifiedName.Equals(catchPoint.CatchDescription.CatchedType.QualifiedName)).Count() > 0)
                {
                    stack.RemoveLast();
                    break;
                }
                stack.RemoveLast();
            }

            outSet.GetControlVariable(new VariableName(".catchBlocks")).WriteMemory(outSet.Snapshot, new MemoryEntry(outSet.CreateInfo(new TryBlockStack(stack))));
            outSet.GetVariable(catchPoint.CatchDescription.CatchVariable).WriteMemory(outSet.Snapshot, catchPoint.ThrowedValue);
        }
Пример #18
0
        internal static void AssertIsPropagatedTo(FlowOutputSet declarationSet, string variableName, string assertMessage, string[] expectedTargets)
        {
            var expectedCollection = new List <string>(expectedTargets);

            expectedCollection.Add(variableName);

            var expectedTargetsMessage = string.Join(", ", expectedCollection);

            var snapshot = declarationSet.Snapshot;
            var variable = declarationSet.GetVariable(new VariableIdentifier(variableName));

            if (variable == null || !variable.IsDefined(snapshot))
            {
                Assert.Fail("Variable {0} is not defined", variableName);
            }

            var actualValues = variable.ReadMemory(snapshot);

            if (actualValues.Count != 1)
            {
                Assert.Fail("Expected single propagation info");
            }

            var info = actualValues.PossibleValues.First();

            if (info is UndefinedValue)
            {
                Assert.IsTrue(expectedTargets.Count() == 0, "Variable is propagated nowhere instead of {0}", expectedTargetsMessage);
                return;
            }

            var data             = (info as InfoValue <PropagationInfo>).Data;
            var actualCollection = new List <string>(data.Targets);

            var actualTargetMessage = string.Join(", ", actualCollection.ToArray());

            CollectionAssert.AreEquivalent(expectedCollection, actualCollection, "Wrong targets for propagation {0}, expected {1}", actualTargetMessage, expectedTargetsMessage);
        }
Пример #19
0
        private static void testVariable(FlowOutputSet outSet, string variableName, string compareValue)
        {
            var val = (ScalarValue <string>)outSet.GetVariable(new VariableIdentifier(variableName)).ReadMemory(outSet.Snapshot).PossibleValues.First();

            Assert.IsTrue(val.Value.Equals(compareValue));
        }
Пример #20
0
 private void EnvironmentInitializer(FlowOutputSet outSet)
 {
     outSet.GetVariable(new VariableIdentifier("_POST"), true).WriteMemory(outSet.Snapshot, new MemoryEntry(outSet.AnyArrayValue));
 }