public static ValueContentAnalysisResult?TryGetOrComputeResult(
ControlFlowGraph cfg,
ISymbol owningSymbol,
WellKnownTypeProvider wellKnownTypeProvider,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
PointsToAnalysisKind defaultPointsToAnalysisKind,
out CopyAnalysisResult?copyAnalysisResult,
out PointsToAnalysisResult?pointsToAnalysisResult,
InterproceduralAnalysisKind interproceduralAnalysisKind = InterproceduralAnalysisKind.None,
bool pessimisticAnalysis = true,
bool performCopyAnalysisIfNotUserConfigured = false,
InterproceduralAnalysisPredicate?interproceduralAnalysisPredicate = null,
ImmutableArray <INamedTypeSymbol> additionalSupportedValueTypes = default,
Func <IOperation, ValueContentAbstractValue>?getValueContentValueForAdditionalSupportedValueTypeOperation = null)
{
if (cfg == null)
{
throw new ArgumentNullException(nameof(cfg));
}
Debug.Assert(!analyzerOptions.IsConfiguredToSkipAnalysis(rule, owningSymbol, wellKnownTypeProvider.Compilation));
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, cfg, wellKnownTypeProvider.Compilation, interproceduralAnalysisKind);
return(TryGetOrComputeResult(cfg, owningSymbol, analyzerOptions, wellKnownTypeProvider,
pointsToAnalysisKind: analyzerOptions.GetPointsToAnalysisKindOption(rule, owningSymbol, wellKnownTypeProvider.Compilation, defaultPointsToAnalysisKind),
interproceduralAnalysisConfig, out copyAnalysisResult,
out pointsToAnalysisResult, pessimisticAnalysis,
performCopyAnalysis: analyzerOptions.GetCopyAnalysisOption(rule, owningSymbol, wellKnownTypeProvider.Compilation, defaultValue: performCopyAnalysisIfNotUserConfigured),
interproceduralAnalysisPredicate,
additionalSupportedValueTypes,
getValueContentValueForAdditionalSupportedValueTypeOperation));
}
public static ImmutableDictionary <IParameterSymbol, SyntaxNode> GetOrComputeHazardousParameterUsages(
IBlockOperation topmostBlock,
Compilation compilation,
ISymbol owningSymbol,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
CancellationToken cancellationToken,
PointsToAnalysisKind defaultPointsToAnalysisKind = PointsToAnalysisKind.PartialWithoutTrackingFieldsAndProperties,
InterproceduralAnalysisKind interproceduralAnalysisKind = InterproceduralAnalysisKind.ContextSensitive,
uint defaultMaxInterproceduralMethodCallChain = 1, // By default, we only want to track method calls one level down.
bool pessimisticAnalysis = false)
{
Debug.Assert(!analyzerOptions.IsConfiguredToSkipAnalysis(rule, owningSymbol, compilation, cancellationToken));
var cfg = topmostBlock.GetEnclosingControlFlowGraph();
if (cfg == null)
{
return(ImmutableDictionary <IParameterSymbol, SyntaxNode> .Empty);
}
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, cfg, compilation, interproceduralAnalysisKind, cancellationToken, defaultMaxInterproceduralMethodCallChain);
var performCopyAnalysis = analyzerOptions.GetCopyAnalysisOption(rule, topmostBlock.Syntax.SyntaxTree, compilation, defaultValue: false, cancellationToken);
var nullCheckValidationMethods = analyzerOptions.GetNullCheckValidationMethodsOption(rule, topmostBlock.Syntax.SyntaxTree, compilation, cancellationToken);
var pointsToAnalysisKind = analyzerOptions.GetPointsToAnalysisKindOption(rule, topmostBlock.Syntax.SyntaxTree, compilation, defaultPointsToAnalysisKind, cancellationToken);
return(GetOrComputeHazardousParameterUsages(cfg, compilation, owningSymbol, analyzerOptions,
nullCheckValidationMethods, pointsToAnalysisKind, interproceduralAnalysisConfig, performCopyAnalysis, pessimisticAnalysis));
}
public static DisposeAnalysisResult?TryGetOrComputeResult(
ControlFlowGraph cfg,
ISymbol owningSymbol,
WellKnownTypeProvider wellKnownTypeProvider,
AnalyzerOptions analyzerOptions,
DiagnosticDescriptor rule,
ImmutableHashSet <INamedTypeSymbol> disposeOwnershipTransferLikelyTypes,
PointsToAnalysisKind defaultPointsToAnalysisKind,
bool trackInstanceFields,
bool exceptionPathsAnalysis,
CancellationToken cancellationToken,
out PointsToAnalysisResult?pointsToAnalysisResult,
InterproceduralAnalysisKind interproceduralAnalysisKind = InterproceduralAnalysisKind.ContextSensitive,
bool performCopyAnalysisIfNotUserConfigured = false,
InterproceduralAnalysisPredicate?interproceduralAnalysisPredicate = null,
bool defaultDisposeOwnershipTransferAtConstructor = false,
bool defaultDisposeOwnershipTransferAtMethodCall = false)
{
if (cfg == null)
{
throw new ArgumentNullException(nameof(cfg));
}
Debug.Assert(!analyzerOptions.IsConfiguredToSkipAnalysis(rule, owningSymbol, wellKnownTypeProvider.Compilation, cancellationToken));
var interproceduralAnalysisConfig = InterproceduralAnalysisConfiguration.Create(
analyzerOptions, rule, cfg, wellKnownTypeProvider.Compilation, interproceduralAnalysisKind, cancellationToken);
var disposeOwnershipTransferAtConstructor = analyzerOptions.GetDisposeOwnershipTransferAtConstructorOption(
rule, owningSymbol, wellKnownTypeProvider.Compilation, defaultValue: defaultDisposeOwnershipTransferAtConstructor, cancellationToken);
var disposeOwnershipTransferAtMethodCall = analyzerOptions.GetDisposeOwnershipTransferAtMethodCall(
rule, owningSymbol, wellKnownTypeProvider.Compilation, defaultValue: defaultDisposeOwnershipTransferAtMethodCall, cancellationToken);
return(TryGetOrComputeResult(cfg, owningSymbol, analyzerOptions, wellKnownTypeProvider,
interproceduralAnalysisConfig, interproceduralAnalysisPredicate,
disposeOwnershipTransferLikelyTypes, disposeOwnershipTransferAtConstructor,
disposeOwnershipTransferAtMethodCall, trackInstanceFields, exceptionPathsAnalysis,
pointsToAnalysisKind: analyzerOptions.GetPointsToAnalysisKindOption(rule, owningSymbol, wellKnownTypeProvider.Compilation, defaultPointsToAnalysisKind, cancellationToken),
performCopyAnalysis: analyzerOptions.GetCopyAnalysisOption(rule, owningSymbol, wellKnownTypeProvider.Compilation, defaultValue: performCopyAnalysisIfNotUserConfigured, cancellationToken),
isConfiguredToSkipAnalysis: (ISymbol symbol) => analyzerOptions.IsConfiguredToSkipAnalysis(rule, symbol, owningSymbol, wellKnownTypeProvider.Compilation, cancellationToken),
out pointsToAnalysisResult));
}
public override void Initialize(AnalysisContext context)
{
context.EnableConcurrentExecution();
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationContext) =>
{
Compilation compilation = compilationContext.Compilation;
TaintedDataConfig taintedDataConfig = TaintedDataConfig.GetOrCreate(compilation);
TaintedDataSymbolMap <SourceInfo> sourceInfoSymbolMap = taintedDataConfig.GetSourceSymbolMap(this.SinkKind);
if (sourceInfoSymbolMap.IsEmpty)
{
return;
}
TaintedDataSymbolMap <SinkInfo> sinkInfoSymbolMap = taintedDataConfig.GetSinkSymbolMap(this.SinkKind);
if (sinkInfoSymbolMap.IsEmpty)
{
return;
}
compilationContext.RegisterOperationBlockStartAction(
operationBlockStartContext =>
{
ISymbol owningSymbol = operationBlockStartContext.OwningSymbol;
AnalyzerOptions options = operationBlockStartContext.Options;
CancellationToken cancellationToken = operationBlockStartContext.CancellationToken;
if (options.IsConfiguredToSkipAnalysis(TaintedDataEnteringSinkDescriptor, owningSymbol, compilation))
{
return;
}
WellKnownTypeProvider wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilation);
Lazy <ControlFlowGraph?> controlFlowGraphFactory = new Lazy <ControlFlowGraph?>(
() => operationBlockStartContext.OperationBlocks.GetControlFlowGraph());
Lazy <PointsToAnalysisResult?> pointsToFactory = new Lazy <PointsToAnalysisResult?>(
() =>
{
if (controlFlowGraphFactory.Value == null)
{
return(null);
}
InterproceduralAnalysisConfiguration interproceduralAnalysisConfiguration = InterproceduralAnalysisConfiguration.Create(
options,
SupportedDiagnostics,
controlFlowGraphFactory.Value,
operationBlockStartContext.Compilation,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive);
return(PointsToAnalysis.TryGetOrComputeResult(
controlFlowGraphFactory.Value,
owningSymbol,
options,
wellKnownTypeProvider,
PointsToAnalysisKind.Complete,
interproceduralAnalysisConfiguration,
interproceduralAnalysisPredicate: null));
});
Lazy <(PointsToAnalysisResult?, ValueContentAnalysisResult?)> valueContentFactory = new Lazy <(PointsToAnalysisResult?, ValueContentAnalysisResult?)>(
() =>
{
if (controlFlowGraphFactory.Value == null)
{
return(null, null);
}
InterproceduralAnalysisConfiguration interproceduralAnalysisConfiguration = InterproceduralAnalysisConfiguration.Create(
options,
SupportedDiagnostics,
controlFlowGraphFactory.Value,
operationBlockStartContext.Compilation,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive);
ValueContentAnalysisResult?valuecontentAnalysisResult = ValueContentAnalysis.TryGetOrComputeResult(
controlFlowGraphFactory.Value,
owningSymbol,
options,
wellKnownTypeProvider,
PointsToAnalysisKind.Complete,
interproceduralAnalysisConfiguration,
out _,
out PointsToAnalysisResult? p);
return(p, valuecontentAnalysisResult);
});
PooledHashSet <IOperation> rootOperationsNeedingAnalysis = PooledHashSet <IOperation> .GetInstance();
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IPropertyReferenceOperation propertyReferenceOperation = (IPropertyReferenceOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceProperty(propertyReferenceOperation.Property))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(propertyReferenceOperation.GetRoot());
}
}
},
OperationKind.PropertyReference);
if (sourceInfoSymbolMap.RequiresParameterReferenceAnalysis)
{
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IParameterReferenceOperation parameterReferenceOperation = (IParameterReferenceOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceParameter(parameterReferenceOperation.Parameter, wellKnownTypeProvider))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(parameterReferenceOperation.GetRoot());
}
}
},
OperationKind.ParameterReference);
}
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IInvocationOperation invocationOperation = (IInvocationOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceMethod(
invocationOperation.TargetMethod,
invocationOperation.Arguments,
pointsToFactory,
valueContentFactory,
out _))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(invocationOperation.GetRoot());
}
}
},
OperationKind.Invocation);
if (TaintedDataConfig.HasTaintArraySource(SinkKind))
{
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IArrayInitializerOperation arrayInitializerOperation = (IArrayInitializerOperation)operationAnalysisContext.Operation;
if (arrayInitializerOperation.GetAncestor <IArrayCreationOperation>(OperationKind.ArrayCreation)?.Type is IArrayTypeSymbol arrayTypeSymbol &&
sourceInfoSymbolMap.IsSourceConstantArrayOfType(arrayTypeSymbol, arrayInitializerOperation))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(operationAnalysisContext.Operation.GetRoot());
}
}
},
OperationKind.ArrayInitializer);
}
operationBlockStartContext.RegisterOperationBlockEndAction(
operationBlockAnalysisContext =>
{
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
if (controlFlowGraphFactory.Value == null)
{
return;
}
foreach (IOperation rootOperation in rootOperationsNeedingAnalysis)
{
TaintedDataAnalysisResult?taintedDataAnalysisResult = TaintedDataAnalysis.TryGetOrComputeResult(
controlFlowGraphFactory.Value,
operationBlockAnalysisContext.Compilation,
operationBlockAnalysisContext.OwningSymbol,
operationBlockAnalysisContext.Options,
TaintedDataEnteringSinkDescriptor,
sourceInfoSymbolMap,
taintedDataConfig.GetSanitizerSymbolMap(this.SinkKind),
sinkInfoSymbolMap);
if (taintedDataAnalysisResult == null)
{
return;
}
foreach (TaintedDataSourceSink sourceSink in taintedDataAnalysisResult.TaintedDataSourceSinks)
{
if (!sourceSink.SinkKinds.Contains(this.SinkKind))
{
continue;
}
foreach (SymbolAccess sourceOrigin in sourceSink.SourceOrigins)
{
// Something like:
// CA3001: Potential SQL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'.
Diagnostic diagnostic = Diagnostic.Create(
this.TaintedDataEnteringSinkDescriptor,
sourceSink.Sink.Location,
additionalLocations: new Location[] { sourceOrigin.Location },
messageArgs: new object[] {
sourceSink.Sink.Symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
sourceSink.Sink.AccessingMethod.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
sourceOrigin.Symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
sourceOrigin.AccessingMethod.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat)
});
operationBlockAnalysisContext.ReportDiagnostic(diagnostic);
}
}
}
}
}
finally
{
rootOperationsNeedingAnalysis.Free(compilationContext.CancellationToken);
}
});
});
});
}
public override void Initialize(AnalysisContext context)
{
if (!Debugger.IsAttached) // prefer single thread for debugging in development
{
context.EnableConcurrentExecution();
}
if (context.IsAuditMode())
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
}
else
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
}
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationContext) =>
{
var config = Configuration.GetOrCreate(compilationContext);
if (config.AuditMode)
{
TaintedDataSymbolMap <SinkInfo> sinkInfoSymbolMap = config.TaintConfiguration.GetSinkSymbolMap(this.SinkKind);
if (sinkInfoSymbolMap.IsEmpty)
{
return;
}
Compilation compilation = compilationContext.Compilation;
compilationContext.RegisterOperationBlockStartAction(
operationBlockStartContext =>
{
ISymbol owningSymbol = operationBlockStartContext.OwningSymbol;
AnalyzerOptions options = operationBlockStartContext.Options;
CancellationToken cancellationToken = operationBlockStartContext.CancellationToken;
if (options.IsConfiguredToSkipAnalysis(TaintedDataEnteringSinkDescriptor, owningSymbol, compilation, cancellationToken))
{
return;
}
WellKnownTypeProvider wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilation);
void CreateWarning(OperationAnalysisContext operationAnalysisContext, Location location, ISymbol paramSymbol, ISymbol symbol)
{
// Something like:
// CA3001: Potential SQL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'.
Diagnostic diagnostic = Diagnostic.Create(
this.TaintedDataEnteringSinkDescriptor,
location,
additionalLocations: new Location[] { location },
messageArgs: new object[] {
paramSymbol.Name,
symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat)
});
operationAnalysisContext.ReportDiagnostic(diagnostic);
}
bool IsConstant(IOperation operation, IOperation value, OperationAnalysisContext operationAnalysisContext)
{
if (value.ConstantValue.HasValue || value is ITypeOfOperation)
{
return(true);
}
if (!operation.TryGetEnclosingControlFlowGraph(out var cfg))
{
return(false);
}
var valueContentResult = ValueContentAnalysis.TryGetOrComputeResult(cfg, owningSymbol, wellKnownTypeProvider,
operationAnalysisContext.Options, TaintedDataEnteringSinkDescriptor, PointsToAnalysisKind.Complete, operationAnalysisContext.CancellationToken);
if (valueContentResult == null)
{
return(false);
}
ValueContentAbstractValue abstractValue = valueContentResult[value.Kind, value.Syntax];
return(abstractValue.NonLiteralState == ValueContainsNonLiteralState.No);
}
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IAssignmentOperation operation = (IAssignmentOperation)operationAnalysisContext.Operation;
if (!(operation.Target is IPropertyReferenceOperation propertyReferenceOperation))
{
return;
}
IEnumerable <SinkInfo>?infosForType = sinkInfoSymbolMap.GetInfosForType(propertyReferenceOperation.Member.ContainingType);
if (infosForType != null &&
infosForType.Any(x => x.SinkProperties.Contains(propertyReferenceOperation.Member.MetadataName)) &&
!IsConstant(operation, operation.Value, operationAnalysisContext))
{
CreateWarning(
operationAnalysisContext,
propertyReferenceOperation.Syntax.GetLocation(),
operation.Value.Type,
propertyReferenceOperation.Member);
}
},
OperationKind.SimpleAssignment);
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IInvocationOperation invocationOperation = (IInvocationOperation)operationAnalysisContext.Operation;
IEnumerable <SinkInfo>?infosForType = sinkInfoSymbolMap.GetInfosForType(invocationOperation.TargetMethod.ContainingType);
if (infosForType == null)
{
return;
}
foreach (SinkInfo sinkInfo in infosForType)
{
foreach (IArgumentOperation taintedArgument in invocationOperation.Arguments.Where(x => !IsConstant(x, x.Value, operationAnalysisContext)))
{
if (sinkInfo.SinkMethodParameters.TryGetValue(invocationOperation.TargetMethod.MetadataName, out ImmutableHashSet <string> sinkParameters) &&
sinkParameters.Contains(taintedArgument.Parameter.MetadataName))
{
CreateWarning(operationAnalysisContext, invocationOperation.Syntax.GetLocation(), taintedArgument.Parameter, invocationOperation.TargetMethod);
return;
}
}
}
},
OperationKind.Invocation);
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IObjectCreationOperation invocationOperation = (IObjectCreationOperation)operationAnalysisContext.Operation;
IEnumerable <SinkInfo>?infosForType = sinkInfoSymbolMap.GetInfosForType(invocationOperation.Constructor.ContainingType);
if (infosForType == null)
{
return;
}
foreach (SinkInfo sinkInfo in infosForType)
{
foreach (IArgumentOperation taintedArgument in invocationOperation.Arguments.Where(x => !IsConstant(x, x.Value, operationAnalysisContext)))
{
if (sinkInfo.IsAnyStringParameterInConstructorASink &&
taintedArgument.Parameter.Type.SpecialType == SpecialType.System_String)
{
CreateWarning(operationAnalysisContext, invocationOperation.Syntax.GetLocation(), taintedArgument.Parameter, invocationOperation.Constructor);
return;
}
else if (sinkInfo.SinkMethodParameters.TryGetValue(invocationOperation.Constructor.MetadataName, out ImmutableHashSet <string> sinkParameters) &&
sinkParameters.Contains(taintedArgument.Parameter.MetadataName))
{
CreateWarning(operationAnalysisContext, invocationOperation.Syntax.GetLocation(), taintedArgument.Parameter, invocationOperation.Constructor);
return;
}
}
}
},
OperationKind.ObjectCreation);
});
}
else
{
TaintedDataSymbolMap <SourceInfo> sourceInfoSymbolMap = config.TaintConfiguration.GetSourceSymbolMap(this.SinkKind);
if (sourceInfoSymbolMap.IsEmpty)
{
return;
}
TaintedDataSymbolMap <SinkInfo> sinkInfoSymbolMap = config.TaintConfiguration.GetSinkSymbolMap(this.SinkKind);
if (sinkInfoSymbolMap.IsEmpty)
{
return;
}
Compilation compilation = compilationContext.Compilation;
compilationContext.RegisterOperationBlockStartAction(
operationBlockStartContext =>
{
ISymbol owningSymbol = operationBlockStartContext.OwningSymbol;
AnalyzerOptions options = operationBlockStartContext.Options;
CancellationToken cancellationToken = operationBlockStartContext.CancellationToken;
if (options.IsConfiguredToSkipAnalysis(TaintedDataEnteringSinkDescriptor, owningSymbol, compilation, cancellationToken))
{
return;
}
WellKnownTypeProvider wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilation);
Lazy <ControlFlowGraph?> controlFlowGraphFactory = new Lazy <ControlFlowGraph?>(
() => operationBlockStartContext.OperationBlocks.GetControlFlowGraph());
Lazy <PointsToAnalysisResult?> pointsToFactory = new Lazy <PointsToAnalysisResult?>(
() =>
{
if (controlFlowGraphFactory.Value == null)
{
return(null);
}
InterproceduralAnalysisConfiguration interproceduralAnalysisConfiguration = InterproceduralAnalysisConfiguration.Create(
options,
SupportedDiagnostics,
controlFlowGraphFactory.Value,
operationBlockStartContext.Compilation,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: cancellationToken,
defaultMaxInterproceduralMethodCallChain: config.MaxInterproceduralMethodCallChain,
defaultMaxInterproceduralLambdaOrLocalFunctionCallChain: config.MaxInterproceduralLambdaOrLocalFunctionCallChain);
return(PointsToAnalysis.TryGetOrComputeResult(
controlFlowGraphFactory.Value,
owningSymbol,
options,
wellKnownTypeProvider,
PointsToAnalysisKind.Complete,
interproceduralAnalysisConfiguration,
interproceduralAnalysisPredicate: null));
});
Lazy <(PointsToAnalysisResult?, ValueContentAnalysisResult?)> valueContentFactory = new Lazy <(PointsToAnalysisResult?, ValueContentAnalysisResult?)>(
() =>
{
if (controlFlowGraphFactory.Value == null)
{
return(null, null);
}
InterproceduralAnalysisConfiguration interproceduralAnalysisConfiguration = InterproceduralAnalysisConfiguration.Create(
options,
SupportedDiagnostics,
controlFlowGraphFactory.Value,
operationBlockStartContext.Compilation,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: cancellationToken,
defaultMaxInterproceduralMethodCallChain: config.MaxInterproceduralMethodCallChain,
defaultMaxInterproceduralLambdaOrLocalFunctionCallChain: config.MaxInterproceduralLambdaOrLocalFunctionCallChain);
ValueContentAnalysisResult?valuecontentAnalysisResult = ValueContentAnalysis.TryGetOrComputeResult(
controlFlowGraphFactory.Value,
owningSymbol,
options,
wellKnownTypeProvider,
PointsToAnalysisKind.Complete,
interproceduralAnalysisConfiguration,
out _,
out PointsToAnalysisResult? p);
return(p, valuecontentAnalysisResult);
});
var rootOperationsNeedingAnalysis = PooledHashSet <IOperation> .GetInstance();
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IPropertyReferenceOperation propertyReferenceOperation = (IPropertyReferenceOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceProperty(propertyReferenceOperation.Property))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(propertyReferenceOperation.GetRoot());
}
}
},
OperationKind.PropertyReference);
if (sourceInfoSymbolMap.RequiresFieldReferenceAnalysis)
{
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IFieldReferenceOperation fieldReferenceOperation = (IFieldReferenceOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceField(fieldReferenceOperation.Field))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(fieldReferenceOperation.GetRoot());
}
}
},
OperationKind.FieldReference);
}
if (sourceInfoSymbolMap.RequiresParameterReferenceAnalysis)
{
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IParameterReferenceOperation parameterReferenceOperation = (IParameterReferenceOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceParameter(parameterReferenceOperation.Parameter, wellKnownTypeProvider))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(parameterReferenceOperation.GetRoot());
}
}
},
OperationKind.ParameterReference);
}
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IInvocationOperation invocationOperation = (IInvocationOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceMethod(
invocationOperation.TargetMethod,
invocationOperation.Arguments,
pointsToFactory,
valueContentFactory,
out _))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(invocationOperation.GetRoot());
}
}
},
OperationKind.Invocation);
if (config.TaintConfiguration.HasTaintArraySource(SinkKind, config))
{
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
IArrayInitializerOperation arrayInitializerOperation = (IArrayInitializerOperation)operationAnalysisContext.Operation;
if (arrayInitializerOperation.GetAncestor <IArrayCreationOperation>(OperationKind.ArrayCreation)?.Type is IArrayTypeSymbol arrayTypeSymbol &&
sourceInfoSymbolMap.IsSourceConstantArrayOfType(arrayTypeSymbol, arrayInitializerOperation))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(operationAnalysisContext.Operation.GetRoot());
}
}
},
OperationKind.ArrayInitializer);
}
operationBlockStartContext.RegisterOperationBlockEndAction(
operationBlockAnalysisContext =>
{
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
if (controlFlowGraphFactory.Value == null)
{
return;
}
foreach (IOperation rootOperation in rootOperationsNeedingAnalysis)
{
TaintedDataAnalysisResult?taintedDataAnalysisResult = TaintedDataAnalysis.TryGetOrComputeResult(
controlFlowGraphFactory.Value,
operationBlockAnalysisContext.Compilation,
operationBlockAnalysisContext.OwningSymbol,
operationBlockAnalysisContext.Options,
TaintedDataEnteringSinkDescriptor,
sourceInfoSymbolMap,
config.TaintConfiguration.GetSanitizerSymbolMap(this.SinkKind),
sinkInfoSymbolMap,
operationBlockAnalysisContext.CancellationToken,
config.MaxInterproceduralMethodCallChain,
config.MaxInterproceduralLambdaOrLocalFunctionCallChain);
if (taintedDataAnalysisResult == null)
{
return;
}
foreach (TaintedDataSourceSink sourceSink in taintedDataAnalysisResult.TaintedDataSourceSinks)
{
if (!sourceSink.SinkKinds.Contains(this.SinkKind))
{
continue;
}
foreach (SymbolAccess sourceOrigin in sourceSink.SourceOrigins)
{
// Something like:
// CA3001: Potential SQL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'.
Diagnostic diagnostic = Diagnostic.Create(
this.TaintedDataEnteringSinkDescriptor,
sourceSink.Sink.Location,
additionalLocations: new Location[] { sourceOrigin.Location },
messageArgs: new object[] {
sourceSink.Sink.Symbol.Name,
sourceSink.Sink.AccessingMethod.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
sourceOrigin.Symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
sourceOrigin.AccessingMethod.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat)
});
operationBlockAnalysisContext.ReportDiagnostic(diagnostic);
}
}
}
}
}
finally
{
rootOperationsNeedingAnalysis.Free(compilationContext.CancellationToken);
}
});
});
}
});
}
public override void Initialize(AnalysisContext context)
{
if (!Debugger.IsAttached) // prefer single thread for debugging in development
{
context.EnableConcurrentExecution();
}
if (context.IsAuditMode())
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
}
else
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
}
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationContext) =>
{
var config = Configuration.GetOrCreate(compilationContext);
TaintedDataSymbolMap <SinkInfo> sinkInfoSymbolMap = config.TaintConfiguration.GetSinkSymbolMap(this.SinkKind);
if (sinkInfoSymbolMap.IsEmpty)
{
return;
}
Compilation compilation = compilationContext.Compilation;
compilationContext.RegisterOperationBlockStartAction(
operationBlockStartContext =>
{
ISymbol owningSymbol = operationBlockStartContext.OwningSymbol;
AnalyzerOptions options = operationBlockStartContext.Options;
CancellationToken cancellationToken = operationBlockStartContext.CancellationToken;
if (options.IsConfiguredToSkipAnalysis(TaintedDataEnteringSinkDescriptor, owningSymbol, compilation, cancellationToken))
{
return;
}
WellKnownTypeProvider wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilation);
var warnings = PooledHashSet <Location> .GetInstance();
void CreateWarning(OperationAnalysisContext operationAnalysisContext, Location location, ISymbol symbol)
{
warnings.Add(location);
Diagnostic diagnostic = Diagnostic.Create(
this.TaintedDataEnteringSinkDescriptor,
location,
additionalLocations: new Location[] { location },
messageArgs: new object[] {
symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
});
operationAnalysisContext.ReportDiagnostic(diagnostic);
}
bool IsHardcoded(IOperation operation, IOperation value, OperationAnalysisContext operationAnalysisContext)
{
bool IsEmptyString(object?value)
{
return(Equals(value, null) || Equals(value, string.Empty));
}
if (value.ConstantValue.HasValue && !IsEmptyString(value.ConstantValue.Value))
{
return(true);
}
if (value.Kind == OperationKind.ArrayCreation &&
value is IArrayCreationOperation arrayValue &&
arrayValue.Initializer?.Children.All(x => x.ConstantValue.HasValue) == true)
{
return(true);
}
if (!operation.TryGetEnclosingControlFlowGraph(out var cfg))
{
return(false);
}
var valueContentResult = ValueContentAnalysis.TryGetOrComputeResult(cfg, owningSymbol, wellKnownTypeProvider,
operationAnalysisContext.Options, TaintedDataEnteringSinkDescriptor, PointsToAnalysisKind.Complete, operationAnalysisContext.CancellationToken);
if (valueContentResult == null)
{
return(false);
}
ValueContentAbstractValue abstractValue = valueContentResult[value.Kind, value.Syntax];
if (abstractValue.NonLiteralState != ValueContainsNonLiteralState.No)
{
return(false);
}
if (abstractValue.LiteralValues.All(IsEmptyString))
{
return(false);
}
return(true);
}
var rootOperationsNeedingAnalysis = PooledHashSet <IOperation> .GetInstance();
var sourceInfosBuilder = PooledHashSet <SourceInfo> .GetInstance();
Lazy <ControlFlowGraph?> controlFlowGraphFactory = new Lazy <ControlFlowGraph?>(
() => operationBlockStartContext.OperationBlocks.GetControlFlowGraph());
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
var operation = (IFieldReferenceOperation)operationAnalysisContext.Operation;
if ((operation.Field.IsConst && operation.ConstantValue.HasValue) ||
operation.Field.IsReadOnly /* huge assumption that it is set to a hardcoded value in initializer or constructor */)
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(operationAnalysisContext.Operation.GetRoot());
sourceInfosBuilder.AddSourceInfo(
operation.Field.ContainingType.ToString(),
isInterface: false,
taintedProperties: null,
taintedFields: Enumerable.Repeat(operation.Field.Name, 1),
taintedMethods: null);
}
}
},
OperationKind.FieldReference);
operationBlockStartContext.RegisterOperationBlockEndAction(
operationBlockAnalysisContext =>
{
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
if (controlFlowGraphFactory.Value == null)
{
return;
}
var sourceInfos = sourceInfosBuilder.ToImmutable();
foreach (IOperation rootOperation in rootOperationsNeedingAnalysis)
{
TaintedDataAnalysisResult?taintedDataAnalysisResult = TaintedDataAnalysis.TryGetOrComputeResult(
controlFlowGraphFactory.Value,
operationBlockAnalysisContext.Compilation,
operationBlockAnalysisContext.OwningSymbol,
operationBlockAnalysisContext.Options,
TaintedDataEnteringSinkDescriptor,
new TaintedDataSymbolMap <SourceInfo>(wellKnownTypeProvider, sourceInfos),
config.TaintConfiguration.GetSanitizerSymbolMap(this.SinkKind),
sinkInfoSymbolMap,
operationBlockAnalysisContext.CancellationToken,
config.MaxInterproceduralMethodCallChain,
config.MaxInterproceduralLambdaOrLocalFunctionCallChain);
if (taintedDataAnalysisResult == null)
{
return;
}
foreach (TaintedDataSourceSink sourceSink in taintedDataAnalysisResult.TaintedDataSourceSinks)
{
if (!sourceSink.SinkKinds.Contains(this.SinkKind))
{
continue;
}
foreach (SymbolAccess sourceOrigin in sourceSink.SourceOrigins)
{
if (warnings.Contains(sourceSink.Sink.Location))
{
continue;
}
Diagnostic diagnostic = Diagnostic.Create(
this.TaintedDataEnteringSinkDescriptor,
sourceSink.Sink.Location,
additionalLocations: new Location[] { sourceOrigin.Location },
messageArgs: new object[] {
sourceSink.Sink.Symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat)
});
operationBlockAnalysisContext.ReportDiagnostic(diagnostic);
}
}
}
}
}
finally
{
warnings.Free(compilationContext.CancellationToken);
sourceInfosBuilder.Free(compilationContext.CancellationToken);
rootOperationsNeedingAnalysis.Free(compilationContext.CancellationToken);
}
});
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
var operation = (IAssignmentOperation)operationAnalysisContext.Operation;
if (!(operation.Target is IPropertyReferenceOperation propertyReferenceOperation))
{
return;
}
IEnumerable <SinkInfo>?infosForType = sinkInfoSymbolMap.GetInfosForType(propertyReferenceOperation.Member.ContainingType);
if (infosForType != null &&
infosForType.Any(x => x.SinkProperties.Contains(propertyReferenceOperation.Member.MetadataName)) &&
IsHardcoded(operation, operation.Value, operationAnalysisContext))
{
CreateWarning(
operationAnalysisContext,
propertyReferenceOperation.Syntax.GetLocation(),
propertyReferenceOperation.Member);
}
},
OperationKind.SimpleAssignment);
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
var invocationOperation = (IInvocationOperation)operationAnalysisContext.Operation;
IEnumerable <SinkInfo>?infosForType = sinkInfoSymbolMap.GetInfosForType(invocationOperation.TargetMethod.ContainingType);
if (infosForType == null)
{
return;
}
foreach (SinkInfo sinkInfo in infosForType)
{
foreach (IArgumentOperation taintedArgument in invocationOperation.Arguments.Where(x => IsHardcoded(x, x.Value, operationAnalysisContext)))
{
if (sinkInfo.SinkMethodParameters.TryGetValue(invocationOperation.TargetMethod.MetadataName, out ImmutableHashSet <string> sinkParameters) &&
sinkParameters.Contains(taintedArgument.Parameter.MetadataName))
{
CreateWarning(
operationAnalysisContext,
invocationOperation.Syntax.GetLocation(),
invocationOperation.TargetMethod);
return;
}
}
}
},
OperationKind.Invocation);
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
var invocationOperation = (IObjectCreationOperation)operationAnalysisContext.Operation;
IEnumerable <SinkInfo>?infosForType = sinkInfoSymbolMap.GetInfosForType(invocationOperation.Constructor.ContainingType);
if (infosForType == null)
{
return;
}
foreach (SinkInfo sinkInfo in infosForType)
{
foreach (IArgumentOperation taintedArgument in invocationOperation.Arguments.Where(x => IsHardcoded(x, x.Value, operationAnalysisContext)))
{
if (sinkInfo.IsAnyStringParameterInConstructorASink &&
taintedArgument.Parameter.Type.SpecialType == SpecialType.System_String)
{
CreateWarning(
operationAnalysisContext,
invocationOperation.Syntax.GetLocation(),
taintedArgument.Parameter);
return;
}
else if (sinkInfo.SinkMethodParameters.TryGetValue(invocationOperation.Constructor.MetadataName, out ImmutableHashSet <string> sinkParameters) &&
sinkParameters.Contains(taintedArgument.Parameter.MetadataName))
{
CreateWarning(
operationAnalysisContext,
invocationOperation.Syntax.GetLocation(),
taintedArgument.Parameter);
return;
}
}
}
},
OperationKind.ObjectCreation);
});
});
}
public override void Initialize(AnalysisContext context)
{
if (!Debugger.IsAttached) // prefer single thread for debugging in development
{
context.EnableConcurrentExecution();
}
if (context.IsAuditMode())
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
}
else
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
}
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationStartAnalysisContext) =>
{
Compilation compilation = compilationStartAnalysisContext.Compilation;
var wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilation);
if (!wellKnownTypeProvider.TryGetOrCreateTypeByMetadataName(ValidatorTypeName, out var validatorType))
{
return;
}
var rootOperationsNeedingAnalysis = PooledHashSet <(IOperation, ISymbol)> .GetInstance();
compilationStartAnalysisContext.RegisterOperationBlockStartAction(
operationBlockStartContext =>
{
ISymbol owningSymbol = operationBlockStartContext.OwningSymbol;
AnalyzerOptions options = operationBlockStartContext.Options;
CancellationToken cancellationToken = operationBlockStartContext.CancellationToken;
if (options.IsConfiguredToSkipAnalysis(RuleRequiredPasswordValidators, owningSymbol, compilation, cancellationToken))
{
return;
}
operationBlockStartContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
var returnOperation = (IReturnOperation)operationAnalysisContext.Operation;
if (validatorType.Equals(returnOperation.ReturnedValue?.Type))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add(
(returnOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.Return);
operationBlockStartContext.RegisterOperationAction(
(OperationAnalysisContext operationAnalysisContext) =>
{
var argumentOperation = (IArgumentOperation)operationAnalysisContext.Operation;
if (argumentOperation.Parameter.Type.Equals(validatorType))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((argumentOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
}
}
},
OperationKind.Argument);
operationBlockStartContext.RegisterOperationAction(
ctx =>
{
var operation = (IObjectCreationOperation)ctx.Operation;
if (validatorType.Equals(operation.Type))
{
lock (rootOperationsNeedingAnalysis)
{
rootOperationsNeedingAnalysis.Add((operation.GetRoot(), ctx.ContainingSymbol));
}
}
},
OperationKind.ObjectCreation);
});
compilationStartAnalysisContext.RegisterCompilationEndAction(
(CompilationAnalysisContext compilationAnalysisContext) =>
{
PooledDictionary <(Location Location, IMethodSymbol?Method), HazardousUsageEvaluationResult>?allResults = null;
try
{
lock (rootOperationsNeedingAnalysis)
{
if (!rootOperationsNeedingAnalysis.Any())
{
return;
}
PooledDictionary <(Location Location, IMethodSymbol?Method), HazardousUsageEvaluationResult>?GetHazardousUsages(
ConstructorMapper constructorMapper,
PropertyMapperCollection propertyMappers,
HazardousUsageEvaluatorCollection hazardousUsageEvaluators)
{
return(PropertySetAnalysis.BatchGetOrComputeHazardousUsages(
compilationAnalysisContext.Compilation,
rootOperationsNeedingAnalysis,
compilationAnalysisContext.Options,
ValidatorTypeName,
constructorMapper,
propertyMappers,
hazardousUsageEvaluators,
InterproceduralAnalysisConfiguration.Create(
compilationAnalysisContext.Options,
SupportedDiagnostics,
rootOperationsNeedingAnalysis.First().Item1,
compilationAnalysisContext.Compilation,
defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
cancellationToken: compilationAnalysisContext.CancellationToken)));
}
var configuration = Configuration.GetOrCreate(compilationStartAnalysisContext);
foreach (var requiredProperty in configuration.PasswordValidatorRequiredProperties)
{
allResults?.Free(compilationAnalysisContext.CancellationToken);
allResults = null;
(PropertyMapperCollection propertyMappers, ConstructorMapper constructorMapper) =
BuildRequiredPropertiesMappers((x) => PropertySetToTrueCallback(x, configuration.AuditMode), requiredProperty);
allResults = GetHazardousUsages(constructorMapper, propertyMappers, HazardousUsageEvaluators);
ReportDiagnostics(
RuleRequiredPasswordValidators,
compilationAnalysisContext,
allResults,
configuration.AuditMode,
requiredProperty);
}
allResults?.Free(compilationAnalysisContext.CancellationToken);
allResults = null;
(PropertyMapperCollection propertyMappers2, ConstructorMapper constructorMapper2) =
BuildRequiredPropertiesMappers((x) => PropertyLenCallback(x, configuration.AuditMode, configuration.PasswordValidatorRequiredLength), "RequiredLength");
allResults = GetHazardousUsages(constructorMapper2, propertyMappers2, HazardousUsageEvaluators);
ReportDiagnostics(
RulePasswordLength,
compilationAnalysisContext,
allResults,
configuration.AuditMode,
configuration.PasswordValidatorRequiredLength);
var hazardousUsageEvaluators = new HazardousUsageEvaluatorCollection(
new HazardousUsageEvaluator(
HazardousUsageEvaluatorKind.Return,
(abstractValue) => PropertiesCountEvaluatorCallback(
abstractValue, configuration.MinimumPasswordValidatorProperties, configuration.AuditMode)),
new HazardousUsageEvaluator(
HazardousUsageEvaluatorKind.Initialization,
(abstractValue) => PropertiesCountEvaluatorCallback(
abstractValue, configuration.MinimumPasswordValidatorProperties, configuration.AuditMode)),
new HazardousUsageEvaluator(
HazardousUsageEvaluatorKind.Argument,
(abstractValue) => PropertiesCountEvaluatorCallback(
abstractValue, configuration.MinimumPasswordValidatorProperties, configuration.AuditMode)));
allResults?.Free(compilationAnalysisContext.CancellationToken);
allResults = null;
(PropertyMapperCollection propertyMappers3, ConstructorMapper constructorMapper3) =
BuildRequiredPropertiesMappers((x) => PropertySetToTrueCallback(x, configuration.AuditMode), AllPropertyNames);
allResults = GetHazardousUsages(constructorMapper3, propertyMappers3, hazardousUsageEvaluators);
ReportDiagnostics(
RulePasswordValidators,
compilationAnalysisContext,
allResults,
configuration.AuditMode,
configuration.MinimumPasswordValidatorProperties);
}
}
finally
{
rootOperationsNeedingAnalysis.Free(compilationAnalysisContext.CancellationToken);
allResults?.Free(compilationAnalysisContext.CancellationToken);
}
});
});
}
public override void Initialize(AnalysisContext context)
{
if (!Debugger.IsAttached) // prefer single thread for debugging in development
{
context.EnableConcurrentExecution();
}
if (context.IsAuditMode())
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
}
else
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
}
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationContext) =>
{
var config = Configuration.GetOrCreate(compilationContext);
TaintedDataSymbolMap <SinkInfo> sinkInfoSymbolMap = config.TaintConfiguration.GetSinkSymbolMap(this.SinkKind);
if (sinkInfoSymbolMap.IsEmpty)
{
return;
}
Compilation compilation = compilationContext.Compilation;
compilationContext.RegisterOperationBlockStartAction(
operationBlockStartContext =>
{
ISymbol owningSymbol = operationBlockStartContext.OwningSymbol;
AnalyzerOptions options = operationBlockStartContext.Options;
CancellationToken cancellationToken = operationBlockStartContext.CancellationToken;
if (options.IsConfiguredToSkipAnalysis(TaintedDataEnteringSinkDescriptor, owningSymbol, compilation, cancellationToken))
{
return;
}
WellKnownTypeProvider wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilation);
var warnings = PooledHashSet <Location> .GetInstance();
void CreateWarning(OperationAnalysisContext operationAnalysisContext, Location location, ISymbol symbol)
{
warnings.Add(location);
Diagnostic diagnostic = Diagnostic.Create(
this.TaintedDataEnteringSinkDescriptor,
location,
additionalLocations: new Location[] { location },
messageArgs: new object[] {
symbol.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat),
});
operationAnalysisContext.ReportDiagnostic(diagnostic);
}
bool IsHardcoded(IOperation operation, IOperation value, OperationAnalysisContext operationAnalysisContext)
{
bool IsEmptyString(object?value)
{
return(Equals(value, null) || Equals(value, string.Empty));
}
if (value.ConstantValue.HasValue && !IsEmptyString(value.ConstantValue.Value))
{
return(true);
}
if (value.Kind == OperationKind.ArrayCreation &&
value is IArrayCreationOperation arrayValue &&
arrayValue.Initializer?.Children.All(x => x.ConstantValue.HasValue) == true)
{
return(true);
}
if (!operation.TryGetEnclosingControlFlowGraph(out var cfg))
{
return(false);
}
var valueContentResult = ValueContentAnalysis.TryGetOrComputeResult(cfg, owningSymbol, wellKnownTypeProvider,
operationAnalysisContext.Options, TaintedDataEnteringSinkDescriptor, PointsToAnalysisKind.Complete, operationAnalysisContext.CancellationToken);
if (valueContentResult == null)
{
return(false);
}
ValueContentAbstractValue abstractValue = valueContentResult[value.Kind, value.Syntax];
if (abstractValue.NonLiteralState != ValueContainsNonLiteralState.No)
{
return(false);
}
if (abstractValue.LiteralValues.All(IsEmptyString))
{
return(false);
}
return(true);
}
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
var operation = (IAssignmentOperation)operationAnalysisContext.Operation;
if (!(operation.Target is IPropertyReferenceOperation propertyReferenceOperation))
{
return;
}
IEnumerable <SinkInfo>?infosForType = sinkInfoSymbolMap.GetInfosForType(propertyReferenceOperation.Member.ContainingType);
if (infosForType != null &&
infosForType.Any(x => x.SinkProperties.Contains(propertyReferenceOperation.Member.MetadataName)) &&
IsHardcoded(operation, operation.Value, operationAnalysisContext))
{
CreateWarning(
operationAnalysisContext,
propertyReferenceOperation.Syntax.GetLocation(),
propertyReferenceOperation.Member);
}
},
OperationKind.SimpleAssignment);
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
var invocationOperation = (IInvocationOperation)operationAnalysisContext.Operation;
IEnumerable <SinkInfo>?infosForType = sinkInfoSymbolMap.GetInfosForType(invocationOperation.TargetMethod.ContainingType);
if (infosForType == null)
{
return;
}
foreach (SinkInfo sinkInfo in infosForType)
{
foreach (IArgumentOperation taintedArgument in invocationOperation.Arguments.Where(x => IsHardcoded(x, x.Value, operationAnalysisContext)))
{
if (sinkInfo.SinkMethodParameters.TryGetValue(invocationOperation.TargetMethod.MetadataName, out ImmutableHashSet <string> sinkParameters) &&
sinkParameters.Contains(taintedArgument.Parameter.MetadataName))
{
CreateWarning(
operationAnalysisContext,
invocationOperation.Syntax.GetLocation(),
invocationOperation.TargetMethod);
return;
}
}
}
},
OperationKind.Invocation);
operationBlockStartContext.RegisterOperationAction(
operationAnalysisContext =>
{
var invocationOperation = (IObjectCreationOperation)operationAnalysisContext.Operation;
IEnumerable <SinkInfo>?infosForType = sinkInfoSymbolMap.GetInfosForType(invocationOperation.Constructor.ContainingType);
if (infosForType == null)
{
return;
}
foreach (SinkInfo sinkInfo in infosForType)
{
foreach (IArgumentOperation taintedArgument in invocationOperation.Arguments.Where(x => IsHardcoded(x, x.Value, operationAnalysisContext)))
{
if (sinkInfo.IsAnyStringParameterInConstructorASink &&
taintedArgument.Parameter.Type.SpecialType == SpecialType.System_String)
{
CreateWarning(
operationAnalysisContext,
invocationOperation.Syntax.GetLocation(),
taintedArgument.Parameter);
return;
}
else if (sinkInfo.SinkMethodParameters.TryGetValue(invocationOperation.Constructor.MetadataName, out ImmutableHashSet <string> sinkParameters) &&
sinkParameters.Contains(taintedArgument.Parameter.MetadataName))
{
CreateWarning(
operationAnalysisContext,
invocationOperation.Syntax.GetLocation(),
taintedArgument.Parameter);
return;
}
}
}
},
OperationKind.ObjectCreation);
});
});
}
public override void Initialize(AnalysisContext context)
{
if (!Debugger.IsAttached) // prefer single thread for debugging in development
{
context.EnableConcurrentExecution();
}
if (context.IsAuditMode())
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
}
else
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
}
if (!Debugger.IsAttached) // prefer single thread for debugging in development
{
context.EnableConcurrentExecution();
}
if (context.IsAuditMode())
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
}
else
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
}
context.RegisterCompilationStartAction(
(CompilationStartAnalysisContext compilationContext) =>
{
Compilation compilation = compilationContext.Compilation;
var wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilation);
if (!wellKnownTypeProvider.TryGetOrCreateTypeByMetadataName("System.Xml.Xsl.XsltSettings", out var type))
{
return;
}
var configuration = Configuration.GetOrCreate(compilationContext);
compilationContext.RegisterOperationBlockStartAction(
operationBlockStartContext =>
{
ISymbol owningSymbol = operationBlockStartContext.OwningSymbol;
AnalyzerOptions options = operationBlockStartContext.Options;
CancellationToken cancellationToken = operationBlockStartContext.CancellationToken;
if (options.IsConfiguredToSkipAnalysis(Rule, owningSymbol, compilation, cancellationToken))
{
return;
}
bool?GetValue(IOperation operation, IOperation value, OperationAnalysisContext operationAnalysisContext)
{
if (value.ConstantValue.HasValue && value.ConstantValue.Value is bool isEnableScript)
{
return(isEnableScript);
}
if (!operation.TryGetEnclosingControlFlowGraph(out var cfg))
{
return(null);
}
var valueContentResult = ValueContentAnalysis.TryGetOrComputeResult(cfg, owningSymbol, wellKnownTypeProvider,
operationAnalysisContext.Options, Rule, PointsToAnalysisKind.Complete, operationAnalysisContext.CancellationToken);
if (valueContentResult == null)
{
return(null);
}
ValueContentAbstractValue abstractValue = valueContentResult[value.Kind, value.Syntax];
PropertySetAbstractValueKind kind = PropertySetCallbacks.EvaluateLiteralValues(abstractValue, (object?o) => o is true);
if (kind == PropertySetAbstractValueKind.MaybeFlagged || kind == PropertySetAbstractValueKind.Flagged)
{
return(true);
}
kind = PropertySetCallbacks.EvaluateLiteralValues(abstractValue, (object?o) => o is false);
if (kind == PropertySetAbstractValueKind.Flagged)
{
return(false);
}
return(null);
}
operationBlockStartContext.RegisterOperationAction(
ctx =>
{
IAssignmentOperation operation = (IAssignmentOperation)ctx.Operation;
if (!(operation.Target is IPropertyReferenceOperation propertyReferenceOperation))
{
return;
}
if (propertyReferenceOperation.Member.ContainingType != type)
{
return;
}
if (propertyReferenceOperation.Member.Name == "EnableScript")
{
var enableScript = GetValue(operation, operation.Value, ctx);
if ((enableScript.HasValue && enableScript.Value) ||
!enableScript.HasValue && configuration.AuditMode)
{
ctx.ReportDiagnostic(Diagnostic.Create(Rule, operation.Syntax.GetLocation()));
}
}
},
OperationKind.SimpleAssignment);
operationBlockStartContext.RegisterOperationAction(
ctx =>
{
var operation = (IPropertyReferenceOperation)ctx.Operation;
if (operation.Property.ContainingType != type || operation.Property.Name != "TrustedXslt")
{
return;
}
ctx.ReportDiagnostic(Diagnostic.Create(Rule, operation.Syntax.GetLocation()));
},
OperationKind.PropertyReference);
operationBlockStartContext.RegisterOperationAction(
ctx =>
{
IObjectCreationOperation invocationOperation = (IObjectCreationOperation)ctx.Operation;
if (invocationOperation.Constructor.ContainingType != type)
{
return;
}
var enableScriptArg = invocationOperation.Arguments.FirstOrDefault(x => x.Parameter.Name == "enableScript");
if (enableScriptArg == null)
{
return;
}
var enableScript = GetValue(invocationOperation, enableScriptArg.Value, ctx);
if ((enableScript.HasValue && enableScript.Value) ||
!enableScript.HasValue && configuration.AuditMode)
{
ctx.ReportDiagnostic(Diagnostic.Create(Rule, invocationOperation.Syntax.GetLocation()));
}
},
OperationKind.ObjectCreation);
});
});
}