bool Equals(ExpressionInfo expressionInfo)
{
return expressionInfo.Depth.Equals(this.Depth) &&
expressionInfo.ExpressionType.Equals(this.ExpressionType) &&
expressionInfo.Value == this.Value &&
expressionInfo.Parent == this.Parent;
}
internal ExpressionInfo Parse()
{
var state = new ExpressionInfo();
foreach (var ex in this.Assignment_expressions)
{
state.AssignmentExpressions.Add(ex.Parse());
}
return state;
}
private void SetPropertyExpression(ExpressionInfo expressionInfo, string expressionTokenText)
{
PropertyExpression = ExpressionParserHelper.GetPropertyExpression(
expressionInfo.Parameter, expressionInfo.ParameterSyntax, expressionTokenText);
PropertyInfo = (PropertyInfo)this.PropertyExpression.Member;
if (PropertyInfo.PropertyType == typeof(bool))
{
Expression = Expression.IsTrue(this.PropertyExpression);
}
}
public void ExpressionInfo_Merge()
{
var sqliTaint = new SQLITaintSet(SQLITaint.SQL_ALL);
var xsstaint = new XSSTaintSet(XSSTaint.XSS_ALL);
var ts1 = new TaintSets(sqliTaint, xsstaint);
var exprInfo1 = new ExpressionInfo { ExpressionTaint = ts1 };
var exprInfo2 = new ExpressionInfo();
var exprInfo = exprInfo2.Merge(exprInfo1);
Assert.AreEqual(sqliTaint, exprInfo.ExpressionTaint.SqliTaint.Single(), "SQL Taint was not the expected");
Assert.AreEqual(xsstaint, exprInfo.ExpressionTaint.XssTaint.Single(), "XSS Taint was not the expected");
}
protected virtual string GetExpressionName(ExpressionInfo ei)
{
if (ei.Property.Name == "Parent")
{
return("Children");
}
if (ei.IsUnique)
{
return(Reflector.CleanTypeName(ei.ToType));
}
return(NaturalLanguageTools.Pluralize(Reflector.CleanTypeName(ei.ToType).SpacePascal()).ToPascal());
}
private void Modification_DataItem_Editor_DropDownClosed(object sender, EventArgs e)
{
if (ModificationList.ActiveSheet.ActiveRow.Tag == null)
{
ModificationList.ActiveSheet.ActiveRow.Tag = new ExpressionInfo();
}
ExpressionInfo expressionInfo = ModificationList.ActiveSheet.ActiveRow.Tag as ExpressionInfo;
expressionInfo.DataItem = Modification_DataItem_Editor.SelectedItem as FieldInfo;
ModificationList.ActiveSheet.Cells[ModificationList.ActiveSheet.ActiveRowIndex, 0].Value = Modification_DataItem_Editor.SelectedItem as FieldInfo;
Modification_DataItem_Editor.SendToBack();
}
private void WriteToTable_DataItem_Editor_DropDownClosed(object sender, EventArgs e)
{
if (ConditionList.ActiveSheet.ActiveRow.Tag == null)
{
ConditionList.ActiveSheet.ActiveRow.Tag = new ExpressionInfo();
}
ExpressionInfo expressionInfo = ConditionList.ActiveSheet.ActiveRow.Tag as ExpressionInfo;
expressionInfo.DataItem = WriteToTable_DataItem_Editor.SelectedItem as FieldInfo;
ConditionList.ActiveSheet.Cells[ConditionList.ActiveSheet.ActiveRowIndex, 0].Value = WriteToTable_DataItem_Editor.SelectedItem;
WriteToTable_DataItem_Editor.SendToBack();
}
public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int childIndex, Extraction.Entities.Location location, string?value)
{
var info = new ExpressionInfo(
cx,
null,
location,
ExprKind.DEFAULT,
parent,
childIndex,
true,
value);
return(new Expression(info));
}
public static Expression CreateGeneratedNullLiteral(Context cx, IExpressionParentEntity parent, int childIndex, Extraction.Entities.Location location)
{
var info = new ExpressionInfo(
cx,
null,
location,
ExprKind.NULL_LITERAL,
parent,
childIndex,
true,
ValueAsString(null));
return(new Expression(info));
}
public void Evaluate(ExpressionInfo expression, ITaskEngine taskEngine, Action <object> callback)
{
if (expression.IsEvaluating)
{
throw new InvalidOperationException("expression.IsEvaluating == true");
}
expression.IsEvaluating = true;
OnEvaluating(expression, taskEngine, result =>
{
expression.IsEvaluating = false;
callback(result);
});
}
public object CreateExpressionInfo_and_FastCompile()
{
//Expression<Func<Action<string>>> expr = () => a => s.SetValue(a);
var aParam = Expression.Parameter(typeof(string), "a");
var expr = ExpressionInfo.Lambda(
ExpressionInfo.Lambda(
ExpressionInfo.Call(ExpressionInfo.Constant(_s), _setValueMethod, aParam),
aParam
)
);
return(expr.TryCompile <Func <Action <string> > >());
}
public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int index, Extraction.Entities.Location location)
{
var info = new ExpressionInfo(
cx,
null,
location,
ExprKind.ARRAY_INIT,
parent,
index,
true,
null);
return(new Expression(info));
}
/// <summary>
/// Evaluates the specified expression if possible and returns its value as a type.
/// </summary>
/// <typeparam name="T">The specified type.</typeparam>
/// <param name="expression">The expression to evaluate.</param>
/// <param name="defaultValue">The default value to use when the conversion fails or nothing to convert</param>
protected T EvaluateExpression <T>(ExpressionInfo expression, T defaultValue) where T : struct
{
// convert an expression to the string
string stringValue = EvaluatorService.EvaluateStringExpression(expression);
// set the default value
T result = defaultValue;
// convert the string to enum value
if (Enum.IsDefined(typeof(T), stringValue))
{
result = (T)Enum.Parse(typeof(T), stringValue);
}
return(result);
}
public void Initialize(InitializationContext context)
{
context.ExprHostBuilder.SortStart();
if (this.m_sortExpressions != null)
{
for (int i = 0; i < this.m_sortExpressions.Count; i++)
{
ExpressionInfo expressionInfo = this.m_sortExpressions[i];
expressionInfo.Initialize("SortExpression", context);
context.ExprHostBuilder.SortExpression(expressionInfo);
}
}
context.ExprHostBuilder.SortEnd();
}
public override void Deserialize(IntermediateFormatReader reader)
{
base.Deserialize(reader);
reader.RegisterDeclaration(m_Declaration);
while (reader.NextMember())
{
switch (reader.CurrentMember.MemberName)
{
case MemberName.DistanceFromScale:
m_distanceFromScale = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.Placement:
m_placement = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.EnableGradient:
m_enableGradient = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.GradientDensity:
m_gradientDensity = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.TickMarkImage:
m_tickMarkImage = (TopImage)reader.ReadRIFObject();
break;
case MemberName.Length:
m_length = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.Width:
m_width = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.Shape:
m_shape = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.Hidden:
m_hidden = (ExpressionInfo)reader.ReadRIFObject();
break;
default:
Global.Tracer.Assert(condition: false);
break;
}
}
}
public override void Deserialize(IntermediateFormatReader reader)
{
base.Deserialize(reader);
reader.RegisterDeclaration(m_Declaration);
while (reader.NextMember())
{
switch (reader.CurrentMember.MemberName)
{
case MemberName.Visible:
m_visible = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.Label:
m_label = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.Position:
m_position = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.Rotation:
m_rotation = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.UseValueAsLabel:
m_useValueAsLabel = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.Action:
m_action = (Action)reader.ReadRIFObject();
break;
case MemberName.ChartDataPoint:
m_chartDataPoint = reader.ReadReference <ChartDataPoint>(this);
break;
case MemberName.ChartSeries:
m_chartSeries = reader.ReadReference <ChartSeries>(this);
break;
case MemberName.ToolTip:
m_toolTip = (ExpressionInfo)reader.ReadRIFObject();
break;
default:
Global.Tracer.Assert(condition: false);
break;
}
}
}
public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int childIndex, Microsoft.CodeAnalysis.ITypeSymbol type, Extraction.Entities.Location location)
{
var typeAccessInfo = new ExpressionInfo(
cx,
AnnotatedTypeSymbol.CreateNotAnnotated(type),
location,
ExprKind.TYPE_ACCESS,
parent,
childIndex,
true,
null);
return(new Expression(typeAccessInfo));
}
private void btnHidden_CheckedChanged(object sender, EventArgs e)
{
if (!_isInitialized)
{
return;
}
if (btnHidden.Checked)
{
btnVisible.Checked = btnExpression.Checked = false;
visibilityExpressionEditor.Enabled = false;
visibilityExpressionEditor.Value = _visibilityWrapper.Hidden = ExpressionInfo.FromString(Boolean.TrueString);
}
}
public override void Deserialize(IntermediateFormatReader reader)
{
base.Deserialize(reader);
reader.RegisterDeclaration(ChartLegendCustomItem.m_Declaration);
while (reader.NextMember())
{
switch (reader.CurrentMember.MemberName)
{
case MemberName.Name:
this.m_name = reader.ReadString();
break;
case MemberName.ExprHostID:
this.m_exprHostID = reader.ReadInt32();
break;
case MemberName.Action:
this.m_action = (Action)reader.ReadRIFObject();
break;
case MemberName.Marker:
this.m_marker = (ChartMarker)reader.ReadRIFObject();
break;
case MemberName.Separator:
this.m_separator = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.SeparatorColor:
this.m_separatorColor = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.ToolTip:
this.m_toolTip = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.ChartLegendCustomItemCells:
this.m_chartLegendCustomItemCells = reader.ReadGenericListOfRIFObjects <ChartLegendCustomItemCell>();
break;
case MemberName.ID:
this.m_id = reader.ReadInt32();
break;
default:
Global.Tracer.Assert(false);
break;
}
}
}
public override void Deserialize(IntermediateFormatReader reader)
{
base.Deserialize(reader);
reader.RegisterDeclaration(m_Declaration);
while (reader.NextMember())
{
switch (reader.CurrentMember.MemberName)
{
case MemberName.Name:
m_name = reader.ReadString();
break;
case MemberName.Layout:
m_layout = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.MapLegendTitle:
m_mapLegendTitle = (MapLegendTitle)reader.ReadRIFObject();
break;
case MemberName.AutoFitTextDisabled:
m_autoFitTextDisabled = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.MinFontSize:
m_minFontSize = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.InterlacedRows:
m_interlacedRows = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.InterlacedRowsColor:
m_interlacedRowsColor = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.EquallySpacedItems:
m_equallySpacedItems = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.TextWrapThreshold:
m_textWrapThreshold = (ExpressionInfo)reader.ReadRIFObject();
break;
default:
Global.Tracer.Assert(condition: false);
break;
}
}
}
/// <summary>
/// Evaluates the specified expression if possible and returns its value as a length.
/// </summary>
/// <param name="expression">The expression to evaluate.</param>
/// <param name="defaultLength">The default length to use when the conversion fails or nothing to convert</param>
internal Length EvaluateLengthExpression(ExpressionInfo expression, Length defaultLength)
{
Length length = defaultLength;
if (expression != null && expression.IsConstant)
{
Length lineWidthValue = EvaluatorService.EvaluateStringExpression(expression);
if (lineWidthValue.IsValid)
{
length = lineWidthValue;
}
}
return(length);
}
static Rdl()
{
var schema = new Scope(Ns.Rdl2005)
.Type(s => Length.Parse(s), x => x.IsValid ? x.ToString() : "")
.Type(s => ExpressionInfo.Parse(s), x => x.ToString())
.Enum(DataElementOutput.Auto);
var rdl = new[] { Ns.Rdl2005, Ns.Rdl2003, Ns.Rdl2008, Ns.Rdl2010 };
schema.Element <Report>()
.Attributes()
.Add(x => x.Name)
.End()
.Elements(rdl)
.Add(x => x.Width)
.Add(x => x.Body)
.End()
.Use(rdl);
schema.Element <Body>()
.Elements(rdl)
.Add(x => x.Height)
.Add(x => x.ReportItems)
.End()
.Use(rdl);
var item = schema.Element <ReportItem>()
.Attributes()
.Add(x => x.Name)
.End()
.Elements(rdl)
.Add(x => x.DataElementName)
.Add(x => x.DataElementOutput)
.End();
item.Sub <TextBox>()
.Elements(rdl)
.Add(x => x.Value)
.End()
.Use(rdl);
item.Sub <Rectangle>()
.Elements(rdl)
.Add(x => x.ReportItems)
.End()
.Use(rdl);
Schema = schema;
}
public void Deserialize(IntermediateFormatReader reader)
{
reader.RegisterDeclaration(IndicatorState.m_Declaration);
while (reader.NextMember())
{
switch (reader.CurrentMember.MemberName)
{
case MemberName.GaugePanel:
this.m_gaugePanel = reader.ReadReference <GaugePanel>(this);
break;
case MemberName.Name:
this.m_name = reader.ReadString();
break;
case MemberName.StartValue:
this.m_startValue = (GaugeInputValue)reader.ReadRIFObject();
break;
case MemberName.EndValue:
this.m_endValue = (GaugeInputValue)reader.ReadRIFObject();
break;
case MemberName.Color:
this.m_color = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.ScaleFactor:
this.m_scaleFactor = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.IndicatorStyle:
this.m_indicatorStyle = (ExpressionInfo)reader.ReadRIFObject();
break;
case MemberName.IndicatorImage:
this.m_indicatorImage = (IndicatorImage)reader.ReadRIFObject();
break;
case MemberName.ExprHostID:
this.m_exprHostID = reader.ReadInt32();
break;
default:
Global.Tracer.Assert(false);
break;
}
}
}
private void BuildLayout(ExpressionInfo controllerExpressionInfo)
{
var def = new AvatarDefinition(controllerExpressionInfo.AvatarDescriptor);
IEnumerable <VrcParameterDefinition> parameters = def.Children.OfType <VrcParameterDefinition>();
foreach (VrcParameterDefinition parameterDefinition in parameters)
{
string parameter = parameterDefinition.Name;
VisualElement row = _dataRow.InstantiateTemplate(_parameterList.contentContainer);
row.Q("parameter").Add(ObjectHolder.CreateHolder(parameterDefinition, this));
foreach (AnimatorLayerDefinition l in GetLayers(def, parameter))
{
if (!l.TryGetFirstParent(out AnimatorDefinition _))
{
continue;
}
row.Q("layer").Add(ObjectHolder.CreateHolder(l, this));
}
foreach (MotionDefinition m in GetMotions(def, parameter))
{
if (m.Motion == null)
{
continue;
}
row.Q("misc").Add(ObjectHolder.CreateHolder(m, this));
}
foreach (VrcParameterDriverDefinition d in GetDrivers(def, parameter))
{
row.Q("misc").Add(ObjectHolder.CreateHolder(d, this));
}
foreach (MenuControlDefinition m in GetMenuControls(def, parameter))
{
if (!m.TryGetFirstParent(out MenuDefinition _))
{
continue;
}
row.Q("menu").Add(ObjectHolder.CreateHolder(m, this));
}
}
}
public void Can_compile_lambda_with_property()
{
var thisType = GetType().GetTypeInfo();
var funcExpr =
ExpressionInfo.Lambda(
ExpressionInfo.Property(thisType.GetProperty(nameof(PropX))));
var func = ExpressionCompiler.TryCompile <Func <X> >(funcExpr);
Assert.IsNotNull(func);
var x = func();
Assert.IsInstanceOf <X>(x);
}
internal ExpressionInfo[] GetForeignKeyExpressions()
{
int joinConditionCount = JoinConditionCount;
if (joinConditionCount == 0)
{
return(null);
}
ExpressionInfo[] array = new ExpressionInfo[joinConditionCount];
for (int i = 0; i < joinConditionCount; i++)
{
array[i] = m_joinConditions[i].ForeignKeyExpression;
}
return(array);
}
public void Can_compile_lambda_without_coverting_to_expression()
{
var funcExpr =
ExpressionInfo.Lambda(
ExpressionInfo.New(typeof(X).GetTypeInfo().GetConstructors()[0],
ExpressionInfo.New(typeof(Y).GetTypeInfo().GetConstructors()[0])));
var func = ExpressionCompiler.TryCompile <Func <X> >(funcExpr);
Assert.IsNotNull(func);
var x = func();
Assert.IsInstanceOf <X>(x);
}
void IBotSubmitTask.RegisterTask(TaskTemplateType type, SerializedTask serializedTask)
{
m_state.TaskTemplates[type] = new TaskInfoPool(() =>
{
TaskInfo coreTaskInfo = SerializedTask.ToTaskInfo(serializedTask);
return(TaskInfo.Procedure
(
null,
null,
coreTaskInfo,
TaskInfo.Return(ExpressionInfo.TaskStatus(coreTaskInfo))
));
});
}
public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int childIndex, ITypeSymbol type, object value,
Extraction.Entities.Location location)
{
var info = new ExpressionInfo(
cx,
AnnotatedTypeSymbol.CreateNotAnnotated(type),
location,
GetExprKind(type, null, cx),
parent,
childIndex,
true,
ValueAsString(value));
return(new Expression(info));
}
private ExpressionInfo GetInfo(Expression node)
{
ExpressionInfo info;
if (this.nodes.TryGetValue(node, out info))
{
return(info);
}
else
{
info = new ExpressionInfo(node);
this.nodes[node] = info;
return(info);
}
}
public void ExpreessionInfoCloneTest2()
{
ExpressionInfo canRun = ExpressionInfo.Eq(
ExpressionInfo.PrimitiveVal(CmdResultCode.Success),
ExpressionInfo.Val(new TaskInputInfo()));
Assert.DoesNotThrow(() =>
{
TaskInfo task = new TaskInfo {
Expression = canRun
};
byte[] b = m_protobufSerializer.Serialize(SerializedTask.FromTaskInfo(task));
SerializedTask.ToTaskInfo(m_protobufSerializer.Deserialize <SerializedTask>(b));
});
}
public void Nested_Func_using_outer_parameter()
{
// The same hoisted expression:
//Expression<Func<string, string>> expr = a => GetS(() => a);
var aParam = Expression.Parameter(typeof(string), "a");
var expr = ExpressionInfo.Lambda(
ExpressionInfo.Call(GetType().GetTypeInfo().DeclaredMethods.First(m => m.Name == nameof(GetS)),
ExpressionInfo.Lambda(aParam)),
aParam);
var f = ExpressionCompiler.TryCompile <Func <string, string> >(expr);
Assert.AreEqual("a", f("a"));
}
/// <summary>
/// Method to analyze a PHP method call with the class name included
/// </summary>
/// <param name="methodCall">The method call to analyze</param>
/// <param name="argInfos">The argument infos to include in the analysis</param>
/// <returns>The common TaintSets found</returns>
public ExpressionInfo AnalyzeMethodCall(MethodCall methodCall, IList <ExpressionInfo> argInfos)
{
//In most cases there should be either 0 or 1 classes, but situations where functions are specified several places can happen.
//Therefore, we support it and select the worst case.
var exprInfo = new ExpressionInfo();
//Try to find all the possible method calls, and create the worst case scenario of taints.
foreach (string className in methodCall.ClassNames)
{
IList <Function> funclist = _funcHandler.LookupFunction(methodCall.CreateFullMethodName(className));
exprInfo = exprInfo.Merge(CreateCommonTaintSets(funclist, argInfos));
}
return(exprInfo);
}
public void ExpressionInfo_Merge()
{
var sqliTaint = new SQLITaintSet(SQLITaint.SQL_ALL);
var xsstaint = new XSSTaintSet(XSSTaint.XSS_ALL);
var ts1 = new TaintSets(sqliTaint, xsstaint);
var exprInfo1 = new ExpressionInfo {
ExpressionTaint = ts1
};
var exprInfo2 = new ExpressionInfo();
var exprInfo = exprInfo2.Merge(exprInfo1);
Assert.AreEqual(sqliTaint, exprInfo.ExpressionTaint.SqliTaint.Single(), "SQL Taint was not the expected");
Assert.AreEqual(xsstaint, exprInfo.ExpressionTaint.XssTaint.Single(), "XSS Taint was not the expected");
}
public ExpressionInfo AnalyzeFunctionCall(XmlNode node, ExpressionInfo exprInfo, IVariableStorage varStorage,
IVulnerabilityStorage vulnStorage, IDictionary<uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
{
var funcCall = new FunctionCallExtractor().ExtractFunctionCall(node);
if (_getOptionsFunctions.Contains(funcCall.Name) ||
_addOptionFunctions.Contains(funcCall.Name) ||
_updateOptionFunctions.Contains(funcCall.Name))
{
return HandleOptionsCall(funcCall, node, exprInfo, varStorage, vulnStorage, argumentInfos, analysisStacks);
}
else if (_hookFunctions.Contains(funcCall.Name))
{
return HandleHookCall(node, exprInfo, varStorage, analysisStacks);
}
return exprInfo;
}
public void Update(
ExpressionInfo expressionInfo,
string expressionTokenText)
{
if (ExpressionParserHelper.IsPropertyToken(expressionInfo.ParameterSyntax, expressionTokenText))
{
SetPropertyExpression(expressionInfo, expressionTokenText);
return;
}
if (OperationExpression != null)
{
var constantValue = expressionTokenText;
if (PropertyInfo.PropertyType == typeof(string))
{
constantValue = constantValue.Replace("'", null);
}
var comparisonConstantValue =
TypeDescriptor
.GetConverter(PropertyInfo.PropertyType)
.ConvertFromString(constantValue);
Expression =
OperationExpression(PropertyExpression, Expression.Constant(comparisonConstantValue));
return;
}
if (ExpressionParserHelper.GetOperatorFunc(expressionTokenText) != null)
{
OperationExpression = ExpressionParserHelper.GetOperatorFunc(expressionTokenText);
}
}
private ExpressionInfo Node_New(XmlNode node)
{
//ExpressionInfo info = Analyze(node.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Class));
string className = "";
var classNode = node.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Class);
XmlNode nameNode = null;
bool success = classNode.TryGetSubNode(AstConstants.Node + ":" + AstConstants.Nodes.Name, out nameNode);
if (success)
{
className = nameNode.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Parts).InnerText;
}
//TODO: extract class names from vars. (Requires var tracking)
//TODO: Analyze constructor here
var exprInfo = new ExpressionInfo();
if (className != "")
{
exprInfo.ValueInfo.Type = className;
exprInfo.ValueInfo.ClassNames.Add(className);
}
return exprInfo;
}
private ExpressionInfo Node_MethodCall(XmlNode node)
{
var functionCallExtractor = new FunctionCallExtractor();
var methodCall = functionCallExtractor.ExtractMethodCall(node, this._variableStorage, this._analysisScope);
bool isAlreadyInStack = _analysisStacks.CallStack.Any(x => x.Name == methodCall.Name);
_analysisStacks.CallStack.Push(methodCall);
var argInfos = new List<ExpressionInfo>();
//Actually analyze the arguments
for (uint index = 1; index <= methodCall.Arguments.Count; index++)
{
var item = methodCall.Arguments.FirstOrDefault(x => x.Key == index);
var exprInfo = this.Analyze(item.Value);
if (_varResolver.IsResolvableNode(item.Value))
{
var @var = _varResolver.ResolveVariable(item.Value);
exprInfo.ValueInfo = @var.Variable.Info;
}
argInfos.Add(exprInfo);
}
if (methodCall.Name == "")
{
var exprInfo = new ExpressionInfo();
_analysisStacks.CallStack.Pop();
return argInfos.Aggregate(exprInfo, (current, info) => current.Merge(info));
}
var customFunctionHandler = new CustomFunctionHandler(this._analyzer, _subroutineAnalyzerFactory);
customFunctionHandler.AnalysisExtensions.AddRange(this.AnalysisExtensions);
var functionMethodAnalyzer = _subroutineAnalyzerFactory.Create(ImmutableVariableStorage.CreateFromMutable(_variableStorage),
_inclusionResolver, _analysisStacks, customFunctionHandler, _vulnerabilityStorage);
var methodCallTaintSet = new ExpressionInfo();
if(!isAlreadyInStack)
{
methodCallTaintSet = functionMethodAnalyzer.AnalyzeMethodCall(methodCall, argInfos);
}
FunctionsHandler fh = FunctionsHandler.Instance;
var resultTaintSet = new ExpressionInfo();
foreach (var className in methodCall.ClassNames.Distinct())
{
var tempResultTaintSet = methodCallTaintSet.AssignmentClone();
var sqlSaniFunc = fh.FindSQLSanitizerByName(methodCall.CreateFullMethodName(className));
var sqlSinkFunc = fh.FindSQLSinkByName(methodCall.CreateFullMethodName(className));
var xssSaniFunc = fh.FindXSSSanitizerByName(methodCall.CreateFullMethodName(className));
var xssSinkFunc = fh.FindXSSSinkByName(methodCall.CreateFullMethodName(className));
if (sqlSaniFunc != null && sqlSaniFunc.DefaultStatus == SQLITaint.None)
{
resultTaintSet.ExpressionTaint.SqliTaint.Clear();
}
if (xssSaniFunc != null && xssSaniFunc.DefaultStatus == XSSTaint.None)
{
resultTaintSet.ExpressionTaint.XssTaint.Clear();
}
if (sqlSinkFunc != null || xssSinkFunc != null)
{
if (sqlSinkFunc != null)
{
var vulnerableSqlParams = sqlSinkFunc.Parameters.Where(x => x.Value.IsSensitive)
.ToDictionary(pair => pair.Key);
var parameters = methodCall.Arguments.Where(x => vulnerableSqlParams.Keys.Any(z => z.Item1 == x.Key));
foreach (var parameter in parameters)
{
//var argInfo = Analyze(parameter.Value);
var argInfo = argInfos.ElementAt((int)(parameter.Key - 1));
CheckForSQLVulnerabilities(argInfo, parameter.Value);
}
if (sqlSinkFunc.ReturnType == "object" || sqlSinkFunc.ReturnType == "mix")
{
resultTaintSet.ValueInfo.ClassNames.AddRange(sqlSinkFunc.Classnames);
}
}
if (xssSinkFunc != null)
{
var vulnerableXssParams = xssSinkFunc.Parameters.Where(x => x.Value.IsSensitive).ToDictionary(pair => pair.Key);
var param = methodCall.Arguments.Where(x => vulnerableXssParams.Keys.Any(z => z.Item1 == x.Key));
foreach (var parameter in param)
{
var argInfo = argInfos.ElementAt((int)(parameter.Key - 1));
CheckForXssVulnerabilities(argInfo, parameter.Value);
}
}
// Assuming sinks does not return taint.
resultTaintSet.ExpressionTaint.ClearTaint();
resultTaintSet.ExpressionStoredTaint.Taint.ClearTaint();
}
tempResultTaintSet = StoredMethodHandler(tempResultTaintSet, node);
resultTaintSet = resultTaintSet.Merge(tempResultTaintSet);
var methodNameWithClass = methodCall.CreateFullMethodName(className);
bool isStoredProvider = FunctionsHandler.Instance.FindStoredProviderMethods(methodNameWithClass).Any();
if (isStoredProvider)
{
resultTaintSet.ExpressionStoredTaint = resultTaintSet.ExpressionStoredTaint.Merge(methodCall.Var.Info.PossibleStoredTaint);
//TODO: The following is not true in all cases.
// What cases?
var cloned = resultTaintSet.ExpressionStoredTaint.Taint.DeepClone();
resultTaintSet.ValueInfo.NestedVariablePossibleStoredDefaultTaintFactory = () => cloned;
}
}
_analysisStacks.CallStack.Pop();
return resultTaintSet;
}
private ExpressionInfo Node_FuncCall(XmlNode node)
{
var functionCallExtractor = new FunctionCallExtractor();
var functionCall = functionCallExtractor.ExtractFunctionCall(node);
bool isAlreadyInStack = _analysisStacks.CallStack.Any(x => x.Name == functionCall.Name);
_analysisStacks.CallStack.Push(functionCall);
var argInfos = new List<ExpressionInfo>();
//Actually extract the arguments
for (uint index = 1; index <= functionCall.Arguments.Count; index++)
{
var item = functionCall.Arguments.FirstOrDefault(x => x.Key == index);
var exprInfo = this.Analyze(item.Value);
if (_varResolver.IsResolvableNode(item.Value))
{
var variableResolveResult = _varResolver.ResolveVariable(item.Value);
exprInfo.ValueInfo = variableResolveResult.Variable.Info;
}
argInfos.Add(exprInfo);
}
if (functionCall.Name == "")
{
var expr_info = new ExpressionInfo();
_analysisStacks.CallStack.Pop();
return argInfos.Aggregate(expr_info, (current, info) => current.Merge(info));
}
var customFunctionHandler = new CustomFunctionHandler(this._analyzer, _subroutineAnalyzerFactory);
customFunctionHandler.AnalysisExtensions.AddRange(this.AnalysisExtensions);
var immutableVariableStorage = ImmutableVariableStorage.CreateFromMutable(_variableStorage);
var functionMethodAnalyzer = this._subroutineAnalyzerFactory.Create(immutableVariableStorage, _inclusionResolver,
_analysisStacks, customFunctionHandler, _vulnerabilityStorage);
var resultTaintSet = new ExpressionInfo();
if (!isAlreadyInStack)
{
resultTaintSet = functionMethodAnalyzer.AnalyzeFunctionCall(functionCall, argInfos);
}
FunctionsHandler fh = FunctionsHandler.Instance;
var sqlSaniFunc = fh.FindSQLSanitizerByName(functionCall.Name);
var sqlSinkFunc = fh.FindSQLSinkByName(functionCall.Name);
var xssSaniFunc = fh.FindXSSSanitizerByName(functionCall.Name);
var xssSinkFunc = fh.FindXSSSinkByName(functionCall.Name);
if(sqlSaniFunc != null && sqlSaniFunc.DefaultStatus == SQLITaint.None)
{
resultTaintSet.ExpressionTaint.SqliTaint.Clear();
resultTaintSet.ValueInfo.Taints.SqliTaint.Clear();
resultTaintSet.ExpressionStoredTaint.Taint.SqliTaint.Clear();
}
if (xssSaniFunc != null && xssSaniFunc.DefaultStatus == XSSTaint.None)
{
resultTaintSet.ExpressionTaint.XssTaint.Clear();
resultTaintSet.ValueInfo.Taints.XssTaint.Clear();
resultTaintSet.ExpressionStoredTaint.Taint.XssTaint.Clear();
}
if (sqlSinkFunc != null)
{
var vulnerableSqlParams = sqlSinkFunc.Parameters.Where(x => x.Value.IsSensitive).ToDictionary(pair => pair.Key);
var param = functionCall.Arguments.Where(x => vulnerableSqlParams.Keys.Any(z => z.Item1 == x.Key));
foreach (var parameter in param)
{
var argInfo = argInfos.ElementAt((int) (parameter.Key - 1));
CheckForSQLVulnerabilities(argInfo, parameter.Value);
}
}
if (xssSinkFunc != null)
{
var vulnerableXssParams = xssSinkFunc.Parameters.Where(x => x.Value.IsSensitive).ToDictionary(pair => pair.Key);
var param = functionCall.Arguments.Where(x => vulnerableXssParams.Keys.Any(z => z.Item1 == x.Key));
foreach (var parameter in param)
{
var argInfo = argInfos.ElementAt((int)(parameter.Key - 1));
CheckForXssVulnerabilities(argInfo, parameter.Value);
}
}
resultTaintSet = StoredFuncHandler(resultTaintSet, node, argInfos);
var argumentInfoWithIndex = argInfos.Select((a, i) => new { Info = a, Index = (uint)i + 1 })
.ToDictionary(a => a.Index, a => a.Info);
resultTaintSet = ApplyAnalysisExtensionsToFuncCall(node, resultTaintSet, argumentInfoWithIndex);
_analysisStacks.CallStack.Pop();
return resultTaintSet;
}
private ExpressionInfo Expr_AssignOp_Concat(XmlNode node)
{
var rhsExpr = node.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Expr);
var rhsTaint = Analyze(rhsExpr);
var lhsExpr = node.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Var);
var lhsVariable = _varResolver.ResolveVariable(lhsExpr.FirstChild).Variable;
lhsVariable.Info.Taints = lhsVariable.Info.Taints.Merge(rhsTaint.ExpressionTaint);
var result = new ExpressionInfo() { ExpressionTaint = lhsVariable.Info.Taints };
if (lhsVariable.Info.Value != null && rhsTaint.ValueInfo.Value != null)
{
lhsVariable.Info.Value = lhsVariable.Info.Value + rhsTaint.ValueInfo.Value;
}
return result;
}
/// <summary>
/// Calls AnalyzeFuncCall on all external components. This was created because we currently do not call Analyze on "Node:Arg",
/// which is needed to let the components find the arguments themselves.
/// TODO: Handle Node:Arg in the analysis explicitly, to allow this.
/// </summary>
private ExpressionInfo ApplyAnalysisExtensionsToFuncCall(XmlNode node, ExpressionInfo currentInfo, IDictionary<uint, ExpressionInfo> argInfos)
{
foreach (var analysisExtension in AnalysisExtensions)
{
analysisExtension.FunctionMethodAnalyzerFactory = storage =>
{
var customFunctionHandler = new CustomFunctionHandler(this._analyzer, _subroutineAnalyzerFactory);
customFunctionHandler.AnalysisExtensions.AddRange(this.AnalysisExtensions);
var varStorage = ImmutableVariableStorage.CreateFromMutable(storage);
return _subroutineAnalyzerFactory.Create(varStorage, _inclusionResolver, _analysisStacks,
customFunctionHandler, _vulnerabilityStorage);
};
currentInfo = analysisExtension.AnalyzeFunctionCall(node, currentInfo, _variableStorage, _vulnerabilityStorage, argInfos, this._analysisStacks);
}
return currentInfo;
}
private ExpressionInfo StoredMethodHandler(ExpressionInfo exprInfo, XmlNode node)
{
var functionCallExtractor = new FunctionCallExtractor();
var methodCall = functionCallExtractor.ExtractMethodCall(node, this._variableStorage, this._analysisScope);
var fh = FunctionsHandler.Instance;
foreach (var className in methodCall.ClassNames.Distinct())
{
var sqlSinkFunc = fh.FindSQLSinkByName(methodCall.CreateFullMethodName(className));
if (sqlSinkFunc == null)
{
continue;
}
var vulnerableSqlParams = sqlSinkFunc.Parameters.Where(x => x.Value.IsSensitive).ToDictionary(pair => pair.Key);
var param = methodCall.Arguments.Where(x => vulnerableSqlParams.Keys.Any(z => z.Item1 == x.Key));
foreach (var parameter in param)
{
ExpressionInfo customParameterAnalysis = Analyze(parameter.Value);
if (customParameterAnalysis.ValueInfo.Value == null)
continue;
if (StringAnalysis.IsSQLInsertionStmt(customParameterAnalysis.ValueInfo.Value))
{
customParameterAnalysis.ExpressionStoredTaint =
new StoredVulnInfo(StringAnalysis.RetrieveSQLTableName(customParameterAnalysis.ValueInfo.Value),
AstNode.GetStartLine(node)) {
Taint = customParameterAnalysis.ExpressionTaint,
ICantFeelIt = IsItInYet.YesItsGoingIn
};
InsertIntoStoredLocation(customParameterAnalysis, node);
customParameterAnalysis = new ExpressionInfo();
}
else if (StringAnalysis.IsSQLRetrieveStmt(customParameterAnalysis.ValueInfo.Value))
{
customParameterAnalysis.ExpressionStoredTaint =
new StoredVulnInfo(StringAnalysis.RetrieveSQLTableName(customParameterAnalysis.ValueInfo.Value),
AstNode.GetStartLine(node)) {
Taint = new DefaultTaintProvider().GetTaintedTaintSet(),
ICantFeelIt = IsItInYet.NoImPullingOut
};
exprInfo.ValueInfo.NestedVariablePossibleStoredDefaultTaintFactory = () => new DefaultTaintProvider().GetTaintedTaintSet();
}
exprInfo.ExpressionStoredTaint = exprInfo.ExpressionStoredTaint.Merge(customParameterAnalysis.ExpressionStoredTaint);
}
}
return exprInfo;
}
protected virtual string GetExpressionName(ExpressionInfo ei)
{
if (ei.Property.Name == "Parent")
return "Children";
if(ei.IsUnique)
return Reflector.CleanTypeName(ei.ToType);
return NaturalLanguageTools.Pluralize(Reflector.CleanTypeName(ei.ToType).SpacePascal()).ToPascal();
}
public TokenInfo(Token identifier, ExpressionInfo info)
{
Identifier = identifier;
Info = info;
}
private void ScanVariables(BackgroundWorker worker, string objectPath, string objectName, string containerID, Variables variables)
{
if (worker.CancellationPending)
{
return;
}
foreach (Variable variable in variables)
{
try
{
if (!variable.EvaluateAsExpression)
{
continue;
}
// Check path to ensure variable is parented by current scope
// only, not by child containers that inherit the variable
if (!variable.GetPackagePath().StartsWith(objectPath + ".Variables["))
{
continue;
}
ExpressionInfo info = new ExpressionInfo();
info.ContainerID = containerID;
info.ObjectID = variable.ID;
info.ObjectName = objectName;
info.Type = typeof(Variable);
info.ObjectPath = objectPath + ".Variables[" + variable.QualifiedName + "]";
info.ObjectType = variable.GetType().Name;
info.PropertyName = variable.QualifiedName;
info.Expression = variable.Expression;
info.HasExpression = variable.EvaluateAsExpression;
info.Icon = BIDSHelper.Resources.Versioned.Variable;
worker.ReportProgress(0, info);
}
catch { }
}
}
private void ScanProperties(BackgroundWorker worker, string objectPath, Type objectType, string objectTypeName, string containerID, string objectID, string objectName, IDTSPropertiesProvider provider, string containerKey)
{
if (worker.CancellationPending)
{
return;
}
foreach (DtsProperty property in provider.Properties)
{
try
{
string expression = provider.GetExpression(property.Name);
if (expression == null)
{
continue;
}
System.Diagnostics.Debug.Assert(PackageHelper.ControlFlowInfos.ContainsKey(containerKey));
ExpressionInfo info = new ExpressionInfo();
info.ContainerID = containerID;
info.ObjectID = objectID;
info.Type = objectType;
info.ObjectName = objectName;
if (property.Name.StartsWith("["))
{
info.ObjectPath = objectPath + ".Properties" + property.Name + "";
}
else
{
info.ObjectPath = objectPath + ".Properties[" + property.Name + "]";
}
info.ObjectType = objectTypeName;
info.PropertyName = property.Name;
info.Expression = expression;
info.HasExpression = (info.Expression != null);
info.Icon = PackageHelper.ControlFlowInfos[containerKey].Icon;
worker.ReportProgress(0, info);
}
catch { }
}
}
private void ScanPrecedenceConstraints(BackgroundWorker worker, string objectPath, string containerID, PrecedenceConstraints constraints)
{
if (worker.CancellationPending)
{
return;
}
foreach (PrecedenceConstraint constraint in constraints)
{
if (constraint.EvalOp == DTSPrecedenceEvalOp.Constraint)
{
continue;
}
if (string.IsNullOrEmpty(constraint.Expression))
{
continue;
}
ExpressionInfo info = new ExpressionInfo();
info.ContainerID = containerID;
info.ObjectID = constraint.ID;
info.ObjectName = ((DtsContainer)constraint.PrecedenceExecutable).Name;
info.ObjectPath = objectPath + ".PrecedenceConstraints[" + constraint.Name + "]";
info.Type = typeof(PrecedenceConstraint);
info.ObjectType = constraint.GetType().Name;
info.PropertyName = constraint.Name;
info.Expression = constraint.Expression;
info.HasExpression = true;
info.Icon = BIDSHelper.Resources.Common.Path;
worker.ReportProgress(0, info);
}
}
private ExpressionInfo Scalar_Encapsed(XmlNode node)
{
var partsArray = node.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Parts)
.GetSubNode(AstConstants.Scalar + ":" + AstConstants.Scalars.Array);
var encapsedParts = partsArray.GetSubNodesByPrefixes(AstConstants.Node, AstConstants.Scalar);
var result = new ExpressionInfo();
foreach (var partResult in encapsedParts.Select(Analyze))
{
result.ExpressionTaint = result.ExpressionTaint.Merge(partResult.ExpressionTaint);
result.ValueInfo.Value = result.ValueInfo.Value + partResult.ValueInfo.Value;
}
return result;
}
private ExpressionInfo StoredFuncHandler(ExpressionInfo exprInfo, XmlNode node, List<ExpressionInfo> argInfos)
{
var resultExpr = new ExpressionInfo();
var functionCallExtractor = new FunctionCallExtractor();
var functionCall = functionCallExtractor.ExtractFunctionCall(node);
var fh = FunctionsHandler.Instance;
var sqlSinkFunc = fh.FindSQLSinkByName(functionCall.Name);
if (sqlSinkFunc != null)
{
var vulnerableSqlParams = sqlSinkFunc.Parameters.Where(x => x.Value.IsSensitive).ToDictionary(pair => pair.Key);
var param = functionCall.Arguments.Where(x => vulnerableSqlParams.Keys.Any(z => z.Item1 == x.Key));
foreach (var arg in argInfos)
{
exprInfo = arg;
if (exprInfo.ValueInfo.Value == null)
{
continue;
}
if (StringAnalysis.IsSQLInsertionStmt(exprInfo.ValueInfo.Value))
{
exprInfo.ExpressionStoredTaint =
new StoredVulnInfo(StringAnalysis.RetrieveSQLTableName(exprInfo.ValueInfo.Value), AstNode.GetStartLine(node))
{
Taint = exprInfo.ExpressionTaint,
ICantFeelIt = IsItInYet.YesItsGoingIn
};
InsertIntoStoredLocation(exprInfo, node);
exprInfo = new ExpressionInfo();
}
else if(StringAnalysis.IsSQLRetrieveStmt(exprInfo.ValueInfo.Value))
{
exprInfo.ExpressionStoredTaint =
new StoredVulnInfo(StringAnalysis.RetrieveSQLTableName(exprInfo.ValueInfo.Value), AstNode.GetStartLine(node))
{
Taint = new DefaultTaintProvider().GetTaintedTaintSet(),
ICantFeelIt = IsItInYet.NoImPullingOut
};
resultExpr.ValueInfo.NestedVariablePossibleStoredDefaultTaintFactory = () => new DefaultTaintProvider().GetTaintedTaintSet();
}
resultExpr.ExpressionStoredTaint = resultExpr.ExpressionStoredTaint.Merge(exprInfo.ExpressionStoredTaint);
}
}
else
{
return exprInfo;
}
return resultExpr;
}
protected virtual string GetRegisterExpression(ExpressionInfo ei)
{
return "dqm.RegisterExpression(({from} {f}) => {f}.{name}(), () => typeof({to}).{NiceName}());"
.Replace("{from}", ei.FromType.Name)
.Replace("{to}", ei.ToType.Name)
.Replace("{f}", GetVariableName(ei.FromType))
.Replace("{name}", ei.Name)
.Replace("{NiceName}", ei.IsUnique ? "NiceName" : "NicePluralName");
}
private ExpressionInfo Subnode_Exprs(XmlNode node)
{
var arraynode = node.GetSubNode(AstConstants.Scalar + ":" + AstConstants.Scalars.Array);
var subnodes = arraynode.GetSubNodesByPrefix(AstConstants.Node);
var results = new ExpressionInfo();
var temptaintsets = subnodes.Select(Analyze).ToList();
return temptaintsets.Aggregate(results, (current, exprTaint) => current.Merge(exprTaint));
}
/// <summary>
/// Attempts to add a list of expressions to this instance and invalidates the graph window.
/// </summary>
/// <param name="expressions">The list of expressions to add to this instance.</param>
/// <returns><para>
/// The list of expressions that was provided in <paramref name="expressions"/> paired with any exceptions that
/// might have occurred while attempting to parse it. If no exception occurred while processing an expression,
/// then that expression is added to this instance. It is then added to the returned dictionary, and its value
/// is set to <c>null</c>. If, however, an exception occurred while processing an expression, that expression
/// is added to the dictionary, and the exception that occurred is set to its value. It is not added to this
/// instance.
/// </para><para>
/// Because of the way the returned dictionary is filled, the number of expressions in the dictionary will be
/// equal to the number of expressions that was provided in <paramref name="expressions"/>. See the examples
/// for clarification.
/// </para><para>
/// The graph window is invalidated during this method's runtime, and all added and enabled expressions will be
/// recalculated. Additionally, all plotted points (e.g. the value point, see <see cref="ShowLineValue"/>)
/// are cleared.
/// </para></returns>
/// <example>
/// The following demonstrates adding two valid and two invalid expressions to a Graph.
/// <code>
/// var errors = graph.PutExpressions(
/// new[]
/// {
/// new UncompiledStandardExpression(0, ExpressionType.Linear, "x^2"),
/// new UncompiledStandardExpression(0, ExpressionType.Linear, "5x+2"),
/// new UncompiledStandardExpression(0, ExpressionType.Linear, "9sin(5x))"), // Extra parenthese
/// new UncompiledStandardExpression(0, ExpressionType.Linear, "5e^{4-sin(x))") // Curly brace
/// });
///
/// foreach (var pair in errors)
/// {
/// Console.WriteLine("Expression: '{0}', Exception: '{1}'", pair.Key, pair.Value);
/// }
///
/// /* Output:
/// * Expression: 'x^2', Exception: 'null'
/// * Expression: '5x+2', Exception: 'null'
/// * Expression: '9sin(5x))', Exception: 'Malformed infix detected.'
/// * Expression: '5e^{4-sin(x))', Exception: 'Malformed infix detected.'
/// */
/// </code>
/// </example>
public Dictionary<UncompiledExpression, Exception> PutExpressions(IEnumerable<UncompiledExpression> expressions)
{
var errors = new Dictionary<UncompiledExpression, Exception>();
foreach (UncompiledExpression expr in expressions)
{
bool isEmpty;
if (expr.Type == ExpressionType.Parametric)
{
var paraExpr = (UncompiledParametricExpression)expr;
isEmpty = string.IsNullOrWhiteSpace(paraExpr.XExpression) ||
string.IsNullOrWhiteSpace(paraExpr.YExpression);
}
else
{
var stdExpr = (UncompiledStandardExpression)expr;
isEmpty = string.IsNullOrWhiteSpace(stdExpr.Expression);
}
if (!isEmpty)
{
ExpressionInfo existingExpr;
if (_expressions.TryGetValue(expr.Slot, out existingExpr) &&
existingExpr.OriginalUncompiled.Equals(expr))
{
// Don't compile an expression that hasn't been
// changed, but check to see if the domains are different
if (!existingExpr.Expression.Domain.OriginalUncompiled.SequenceEqual(expr.Domain))
{
existingExpr.Expression.Domain = DomainCompiler.CompileDomain(Calculator, expr.Domain);
}
existingExpr.Expression.Color = expr.Color;
continue;
}
ExpressionInfo info;
try
{
CompiledDomain domain = null;
if (expr.Domain.Count > 0)
{
domain = DomainCompiler.CompileDomain(Calculator, expr.Domain);
}
info = new ExpressionInfo(expr, domain)
{
Expression = { Color = expr.Color }
};
}
catch (Exception ex)
{
errors.Add(expr, ex);
continue;
}
_expressions[expr.Slot] = info;
}
else
{
_expressions.Remove(expr.Slot);
}
errors.Add(expr, null);
}
_recalcLines = true;
ClearPoints();
Invalidate();
return errors;
}
private void CheckForXssVulnerabilities(ExpressionInfo expressionInfo, XmlNode node)
{
foreach (var vuln in expressionInfo.ExpressionTaint.XssTaint.Where(taint => taint.TaintTag != XSSTaint.None))
{
string varName = (vuln.InitialTaintedVariable ?? "???");
string message = "XSS vulnerability found on variable: " + varName +
" on line: " + AstNode.GetStartLine(node) + " in file: " + _analysisStacks.IncludeStack.Peek();
_vulnerabilityStorage.AddVulnerability(new VulnerabilityInfo()
{
Message = message,
IncludeStack = _analysisStacks.IncludeStack.ToImmutableStack(),
CallStack = _analysisStacks.CallStack.ToImmutableStack()
});
}
if (expressionInfo.ValueInfo.PossibleStoredTaint == null)
{
return;
}
var xssTaintSets = expressionInfo.ValueInfo.PossibleStoredTaint.Taint.XssTaint;
foreach (var possibleVuln in xssTaintSets.Where(taint => taint.TaintTag != XSSTaint.None))
{
string varName = possibleVuln.InitialTaintedVariable ?? "???";
var vulnMessage = "Tainted outgoing reaches sensitive sink: {0} on line: {1} in file: {2}";
string message = string.Format(vulnMessage, varName, AstNode.GetStartLine(node), _analysisStacks.IncludeStack.Peek());
var vulnInfo = new StoredVulnerabilityInfo()
{
Message = message,
PossibleStoredVuln = expressionInfo.ValueInfo.PossibleStoredTaint,
IncludeStack = _analysisStacks.IncludeStack.ToImmutableStack(),
CallStack = _analysisStacks.CallStack.ToImmutableStack(),
VulnerabilityType = VulnType.XSS
};
_vulnerabilityStorage.AddPossibleStoredVulnerability(vulnInfo);
}
}
//========================================================================= Helper functions
private List<ExpressionInfo> GetExpressionInfoListFromGui()
{
var expInfoList = new List<ExpressionInfo>();
if (this.ExpressionListView == null)
return expInfoList;
var index = 0;
foreach (var dataItem in this.ExpressionListView.Items)
{
var expInfo = new ExpressionInfo { Id = index++ };
var ddField = GetFieldNameControl(dataItem);
var ddRelOp = GetRelOpControl(dataItem);
var tbExp = GetExpressionControl(dataItem);
var ddChainOp = GetChainOpControl(dataItem);
if (ddField != null) expInfo.FieldName = ddField.SelectedValue;
if (ddRelOp != null) expInfo.RelationalOperator = (Operator)Convert.ToInt32(ddRelOp.SelectedValue);
if (tbExp != null) expInfo.Expression = tbExp.Text;
if (ddChainOp != null) expInfo.LogicalOperator = (LogicalOperator)Convert.ToInt32(ddChainOp.SelectedValue);
expInfoList.Add(expInfo);
}
return expInfoList;
}
private void InsertIntoStoredLocation(ExpressionInfo expressionInfo, XmlNode node)
{
if (expressionInfo.ExpressionStoredTaint != null)
{
if (expressionInfo.ExpressionStoredTaint.ICantFeelIt != IsItInYet.YesItsGoingIn)
{
throw new NotSupportedException("Trying to insert a Stored taint into vulnerabilityStorage, " +
"but is not tagged with in-going store taint");
}
// SQLI
foreach (var possibleVuln in expressionInfo.ExpressionStoredTaint.Taint.SqliTaint)
{
if (possibleVuln.TaintTag != SQLITaint.None)
{
string varName = (possibleVuln.InitialTaintedVariable ?? "???");
string message = "Stored SQLI found - Ingoing: " + varName +
" on line: " + AstNode.GetStartLine(node) + " in file: " + _analysisStacks.IncludeStack.Peek();
_vulnerabilityStorage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
{
Message = message,
PossibleStoredVuln = expressionInfo.ExpressionStoredTaint,
IncludeStack = _analysisStacks.IncludeStack.ToImmutableStack(),
CallStack = _analysisStacks.CallStack.ToImmutableStack(),
VulnerabilityType = VulnType.SQL
});
}
}
// XSS
foreach (var possibleVuln in expressionInfo.ExpressionStoredTaint.Taint.XssTaint)
{
if (possibleVuln.TaintTag != XSSTaint.None)
{
string varName = (possibleVuln.InitialTaintedVariable ?? "???");
string message = "Stored XSS found - Ingoing: " + varName +
" on line: " + AstNode.GetStartLine(node) + " in file: " + _analysisStacks.IncludeStack.Peek();
_vulnerabilityStorage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
{
Message = message,
PossibleStoredVuln = expressionInfo.ExpressionStoredTaint,
IncludeStack = _analysisStacks.IncludeStack.ToImmutableStack(),
CallStack = _analysisStacks.CallStack.ToImmutableStack(),
VulnerabilityType = VulnType.XSS
});
}
}
}
}
private ExpressionItem GetExpressionItem(ExpressionInfo expInfo)
{
if (expInfo == null || expInfo.IsEmpty)
return null;
PropertyType pType = null;
var pred = new Predicate
{
LeftOperand = expInfo.FieldName,
LogicalOperator = LogicalOperator.None, //expInfo.LogicalOperator,
Operator = expInfo.RelationalOperator,
RightOperand = expInfo.Expression
};
TransformReferenceToInt(pred);
switch (pred.LeftOperand)
{
case "Id":
case "ParentId":
case "Index":
case "IsDeleted":
case "IsInherited":
case "Locked":
case "LockType":
case "LockTimeout":
case "CreatedById":
case "ModifiedById":
case "LockedById":
pred.PredicateType = PredicateType.IntExpression;
break;
case "CreatedBy":
case "ModifiedBy":
pred.PredicateType = PredicateType.ReferenceExpression;
break;
case "Name":
case "Path":
case "LockToken":
pred.PredicateType = PredicateType.StringExpression;
break;
case "CreationDate":
case "ModificationDate":
case "LockDate":
case "LastLockUpdate":
pred.PredicateType = PredicateType.DateTimeExpression;
break;
//case "NodeType":
//case "ContentListId":
//case "ContentListType":
//case "Parent":
//case "IsModified":
//case "NodeCreationDate":
//case "NodeCreatedBy":
//case "Version":
//case "VersionId":
//case "Lock":
//case "LockedBy":
//case "ETag":
//case "Security":
default:
//#Text1 -> #String_0
if (expInfo.FieldName.StartsWith("#"))
{
var cList = SystemContext as ContentList;
pred.LeftOperand = cList.GetPropertySingleId(expInfo.FieldName);
}
pType = ActiveSchema.PropertyTypes[pred.LeftOperand];
break;
}
if (pType != null)
{
switch (pType.DataType)
{
case DataType.String:
pred.PredicateType = PredicateType.StringExpression;
break;
case DataType.Reference:
pred.PredicateType = PredicateType.ReferenceExpression;
break;
case DataType.Int:
pred.PredicateType = PredicateType.IntExpression;
break;
case DataType.Text:
pred.PredicateType = PredicateType.SearchExpression;
break;
case DataType.DateTime:
pred.PredicateType = PredicateType.DateTimeExpression;
break;
default:
return null;
}
}
return pred;
}
protected virtual bool ShouldWriteExpression(ExpressionInfo ei)
{
switch (EntityKindCache.GetEntityKind(ei.FromType))
{
case EntityKind.Part:
case EntityKind.String:
case EntityKind.SystemString: return false;
default: return true;
}
}
/// <summary>
/// Analyses a custom function in for security issues, with the currenctly known taint for actual parameters.
/// </summary>
/// <returns>A TainSets for the custom function that is being analyzed</returns>
/// <param name="customFunction">Custom function object to perform the analysis on</param>
/// <param name="varStorage">The currently known variable storage (this is to included because of superglobals, globals etc.)</param>
/// <param name="paramActualVals">Parameter actual values</param>
/// <param name="resolver">File inclusion resolver</param>
/// <param name="includeStack">Currently known includes</param>
/// <param name="functionCalls">Currently known function calls</param>
internal ExpressionInfo AnalyseCustomFunction(Function customFunction, ImmutableVariableStorage varStorage, IVulnerabilityStorage vulnerabilityStorage,
IList<ExpressionInfo> paramActualVals, IIncludeResolver resolver, AnalysisStacks stacks)
{
var stmts = customFunction.AstNode.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Stmts).FirstChild;
var traverser = new XmlTraverser();
var cfgcreator = new CFGCreator();
traverser.AddVisitor(cfgcreator);
traverser.Traverse(stmts);
var cfgPruner = new CFGPruner();
cfgPruner.Prune(cfgcreator.Graph);
var initialTaint = varStorage.ToMutable();
initialTaint.SuperGlobals.Clear();
initialTaint.SuperGlobals.AddRange(varStorage.SuperGlobals);
initialTaint.LocalVariables.Clear();
initialTaint.LocalAccessibleGlobals.Clear();
for(int i = 1; i <= paramActualVals.Count; i++)
{
var paramFormal = customFunction.Parameters.FirstOrDefault(x => x.Key.Item1 == i);
if (paramFormal.Value == null)
{
continue;
}
var @var = new Variable(paramFormal.Value.Name, VariableScope.Function) {Info = paramActualVals[i - 1].ValueInfo};
initialTaint.LocalVariables.Add(paramFormal.Value.Name, @var);
}
var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, resolver, AnalysisScope.Function, fileAnalyzer, stacks, subroutineAnalyzerFactory);
blockAnalyzer.AnalysisExtensions.AddRange(AnalysisExtensions);
var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.Function, resolver, stacks.IncludeStack);
var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, ImmutableVariableStorage.CreateFromMutable(initialTaint));
//var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(cfgcreator.Graph));
taintAnalysis.Analyze(cfgcreator.Graph);
var exprInfoAll = new ExpressionInfo();
foreach (ExpressionInfo exprInfo in blockAnalyzer.ReturnInfos)
{
exprInfoAll = exprInfoAll.Merge(exprInfo);
}
return exprInfoAll;
}
public override TooltipItem GetTooltipItem(Vector2 pos)
{
Vector2 originalPos = pos;
if (parserInterface.lastSourceFile == null) {
Reparse();
}
pos = editor.doc.GoToEndOfWord(pos,1);
Vector2 endWordPos = editor.doc.IncrementPosition(pos,-1);
pos = editor.doc.GoToEndOfWhitespace(pos,1);
ExpressionInfo result = new ExpressionInfo();
result.startPosition = pos;
result.endPosition = pos;
result.initialized = true;
char nextChar = editor.doc.GetCharAt(pos);
bool isBeginGeneric = nextChar == '<';
if (useUnityscript) {
Vector2 charAfterPos = editor.doc.GoToEndOfWhitespace(editor.doc.IncrementPosition(pos,1),1);
char charAfter = editor.doc.GetCharAt(charAfterPos);
if (nextChar == '.' && charAfter == '<') {
pos = charAfterPos;
nextChar = editor.doc.GetCharAt(pos);
isBeginGeneric = true;
}
}
//GameObject go;
//go.GetComponent<Vector3>();
if (isBeginGeneric) {
result.startPosition = pos;
result.endPosition = pos;
ExpressionResolver.editor = editor;
result = ExpressionResolver.CountToExpressionEnd(result,1,ExpressionBracketType.Generic);
pos = result.endPosition;
pos = editor.doc.IncrementPosition(pos,1);
pos = editor.doc.GoToEndOfWhitespace(pos,1);
result.startPosition = pos;
result.endPosition = pos;
nextChar = editor.doc.GetCharAt(pos);
}
bool isFunction = false;
if (nextChar == '(') {
ExpressionResolver.editor = editor;
result = ExpressionResolver.CountToExpressionEnd(result,1,ExpressionBracketType.Expression);
pos = result.endPosition;
nextChar = editor.doc.GetCharAt(pos);
isFunction = true;
}
if (!isFunction) {
pos = endWordPos;
}
//Debug.Log(nextChar+" "+editor.doc.GetCharAt(endWordPos));
string str = editor.syntaxRule.ResolveExpressionAt(pos,-1);
if (useUnityscript) {
str = str.Replace(".<","<");
}
//Debug.Log(str);
ChainResolver sigChainResolver = new ChainResolver(editor,originalPos);
ChainItem item = null;
item = sigChainResolver.ResolveChain(str,false);
TooltipItem tooltipItem = null;
if (item != null) {
if (item.finalLinkType != null) {
tooltipItem = new TooltipItem(item.finalLinkType.Name+" "+item.finalLink.name);
tooltipItem.clrType = item.finalLinkType;
}
if (item.finalLink.completionItem != null) {
tooltipItem = new TooltipItem(item.finalLink.completionItem);
}
}
return tooltipItem;
}
protected virtual string WriteExpressionMethod(ExpressionInfo info)
{
Type from = info.Property.PropertyType.CleanType();
string varFrom = GetVariableName(from);
string varTo = GetVariableName(info.ToType);
if (varTo == varFrom)
varTo += "2";
string filter = info.Property.PropertyType.IsLite() ? "{t} => {t}.{prop}.RefersTo({f})" : "{t} => {t}.{prop} == {f}";
string str = info.IsUnique?
@"static Expression<Func<{from}, {to}>> {MethodExpression} =
{f} => Database.Query<{to}>().SingleOrDefaultEx({filter});
[ExpressionField]
public static {to} {Method}(this {from} e)
{
return {MethodExpression}.Evaluate(e);
}
" :
@"static Expression<Func<{from}, IQueryable<{to}>>> {MethodExpression} =
{f} => Database.Query<{to}>().Where({filter});
[ExpressionField]
public static IQueryable<{to}> {Method}(this {from} e)
{
return {MethodExpression}.Evaluate(e);
}
";
return str.Replace("{filter}", filter)
.Replace("{from}", from.Name)
.Replace("{to}", info.ToType.Name)
.Replace("{t}", varTo)
.Replace("{f}", varFrom)
.Replace("{prop}", info.Property.Name)
.Replace("{Method}", info.Name)
.Replace("{MethodExpression}", info.ExpressionName);
}
