private void setOrderedArguments(FlowOutputSet callInput, MemoryEntry[] arguments) { var argCount = new MemoryEntry(callInput.CreateInt(arguments.Length)); var argCountEntry = callInput.GetVariable(new VariableIdentifier(".argument_count")); argCountEntry.WriteMemory(callInput.Snapshot, argCount); var index = 0; var callPoint = (Flow.CurrentProgramPoint as ExtensionPoint).Caller as RCallPoint; foreach (var arg in callPoint.Arguments) { var argVar = argument(index); var argumentEntry = callInput.GetVariable(new VariableIdentifier(argVar)); //determine that argument value is based on variable, so we can get it's alias var aliasProvider = arg as LValuePoint; if (aliasProvider == null) { //assign value for parameter argumentEntry.WriteMemory(callInput.Snapshot, arguments[index]); } else { //join parameter with alias (for testing we join all possible arguments) //be carefull here - Flow.OutSet belongs to call context already - so we has to read variable from InSet argumentEntry.SetAliases(callInput.Snapshot, aliasProvider.LValue); } ++index; } }
/// <summary> /// Initializer which sets environment for tests before analyzing /// </summary> /// <param name="outSet"></param> private static void initialize(FlowOutputSet outSet) { outSet.Snapshot.SetMode(SnapshotMode.InfoLevel); var POSTVar = outSet.GetVariable(new VariableIdentifier("_POST"), true); var POST = outSet.CreateInfo(true); POSTVar.WriteMemory(outSet.Snapshot, new MemoryEntry(POST)); POSTVar = outSet.GetVariable(new VariableIdentifier("_POST"), true); POST = outSet.CreateInfo(true); POSTVar.WriteMemory(outSet.Snapshot, new MemoryEntry(POST)); }
private void initTaintedVariable(FlowOutputSet outSet, String name) { outSet.Snapshot.SetMode(SnapshotMode.InfoLevel); var TaintedVar = outSet.GetVariable(new VariableIdentifier(name), true); var taint = new TaintInfo(); taint.taint = new Taint(true); taint.priority = new TaintPriority(true); taint.tainted = true; var Taint = outSet.CreateInfo(taint); //TaintedVar.WriteMemory(outSet.Snapshot, new MemoryEntry(Taint)); var entry = TaintedVar.ReadIndex(EntryInput.Snapshot, MemberIdentifier.getAnyMemberIdentifier()); entry.WriteMemory(EntryInput.Snapshot, new MemoryEntry(Taint)); /* * TaintedVar = outSet.GetVariable(new VariableIdentifier(name), true); * Taint = outSet.CreateInfo(taint); * * TaintedVar.WriteMemory(outSet.Snapshot, new MemoryEntry(Taint));*/ }
private void setNamedArguments(FlowOutputSet callInput, MemoryEntry[] arguments, Signature signature) { var callPoint = (Flow.CurrentProgramPoint as ExtensionPoint).Caller as RCallPoint; var callSignature = callPoint.CallSignature; var enumerator = callPoint.Arguments.GetEnumerator(); for (int i = 0; i < signature.FormalParams.Count; ++i) { enumerator.MoveNext(); var param = signature.FormalParams[i]; var callParam = callSignature.Value.Parameters[i]; var argumentVar = callInput.GetVariable(new VariableIdentifier(param.Name)); if (callParam.PublicAmpersand || param.PassedByRef) { argumentVar.SetAliases(callInput.Snapshot, enumerator.Current.Value); } else { argumentVar.WriteMemory(callInput.Snapshot, arguments[i]); } } }
internal static ReadWriteSnapshotEntryBase GetNumberedArgument(FlowOutputSet outSet, int number) { var argId = new VariableIdentifier(argument(number)); var argVar = outSet.GetVariable(argId); return(argVar); }
private void setNamedArguments(FlowOutputSet callInput, CallSignature?callSignature, Signature signature, IEnumerable <ValuePoint> arguments) { int i = 0; foreach (var arg in arguments) { if (i >= signature.FormalParams.Count) { break; } var param = signature.FormalParams[i]; var argumentVar = callInput.GetVariable(new VariableIdentifier(param.Name)); // var argumentValue = arg.Value.ReadMemory(Output); List <ValueInfo> values = new List <ValueInfo>(); var varID = getVariableIdentifier(arg.Value); List <Value> argumentValues = new List <Value>(arg.Value.ReadMemory(Output).PossibleValues); values.Add(new ValueInfo(argumentValues, varID)); bool nullValue = hasPossibleNullValue(arg); TaintInfo argTaint = mergeTaint(values, nullValue); setTaint(argumentVar, argTaint); /*var argTaint = getTaint(arg.Value); * * setTaint(argumentVar, argTaint); * //argumentVar.WriteMemory(callInput.Snapshot, argumentValue);*/ ++i; } // TODO: if (arguments.Count() < signature.FormalParams.Count) and exists i > arguments.Count() signature.FormalParams[i].InitValue != null }
internal static void AssertHasTaintStatus(FlowOutputSet outSet, string variableName, string assertMessage, TaintStatus taintStatus, Analysis.FlagType flag) { var varID = new VariableIdentifier(variableName); var variable = outSet.GetVariable(varID); var values = variable.ReadMemory(outSet.Snapshot).PossibleValues.ToArray(); var computedTaintStatus = new TaintStatus(false, true); if (values.Count() == 0) { computedTaintStatus.priority.setAll(false); } foreach (var value in values) { if (!(value is InfoValue <TaintInfo>)) { continue; } TaintInfo valueTaintInfo = (value as InfoValue <TaintInfo>).Data; TaintStatus valueTaintStatus = new TaintStatus(valueTaintInfo, flag); computedTaintStatus.tainted.copyTaint(true, valueTaintStatus.tainted); computedTaintStatus.priority.copyTaint(false, valueTaintStatus.priority); computedTaintStatus.lines.AddRange(valueTaintStatus.lines); } String taintStatusString = taintStatus.ToString(flag); String computedTaintStatusString = computedTaintStatus.ToString(flag); Assert.IsTrue(taintStatus.EqualTo(computedTaintStatus, flag), "Taint status of the taint type {0} of variable ${1} should be {2}, taint analysis computed {3}", flag, variableName, taintStatusString, computedTaintStatusString); }
private static void SetInputOperands(FlowOutputSet entryInput, Value[] leftOperands, Value[] rightOperands) { Debug.Assert(leftOperands.Length == rightOperands.Length, "Number of left and right operands is the same"); for (var i = 0; i < leftOperands.Length; ++i) { var identifier = new VariableIdentifier(string.Concat("left", i.ToString())); var snapshotEntry = entryInput.GetVariable(identifier, true); snapshotEntry.WriteMemoryWithoutCopy(entryInput.Snapshot, new MemoryEntry(leftOperands[i])); identifier = new VariableIdentifier(string.Concat("right", i.ToString())); snapshotEntry = entryInput.GetVariable(identifier, true); snapshotEntry.WriteMemoryWithoutCopy(entryInput.Snapshot, new MemoryEntry(rightOperands[i])); } }
private static void SetInputArray(FlowOutputSet entryInput) { for (var i = 0; i < inputVariables.Length; ++i) { var identifier = new VariableIdentifier(inputVariables[i]); var snapshotEntry = entryInput.GetVariable(identifier, true); snapshotEntry.WriteMemoryWithoutCopy(entryInput.Snapshot, new MemoryEntry(inputValues[i])); } }
internal static void AssertIsXSSDirty(FlowOutputSet outSet, string variableName, string assertMessage) { var variable = outSet.GetVariable(new VariableIdentifier(variableName)); var values = variable.ReadMemory(outSet.Snapshot).PossibleValues.ToArray(); if (!FlagsHandler.IsDirty(values, FlagType.SQLDirty)) { Assert.Fail("No possible value for variable ${0} is dirty", variableName); } }
internal static void AssertHasTaintStatus(FlowOutputSet outSet, string variableName, string assertMessage, bool taintStatus) { var variable = outSet.GetVariable(new VariableIdentifier(variableName)); var values = variable.ReadMemory(outSet.Snapshot).PossibleValues.ToArray(); var computedTaintStatus = false; foreach (var value in values) { computedTaintStatus = computedTaintStatus || (value as InfoValue <bool>).Data; } Assert.IsTrue(taintStatus == computedTaintStatus, "Taint status of the variable ${0} should be {1}, taint analysis computed {2}", variableName, taintStatus, computedTaintStatus); }
public override void Catch(CatchPoint catchPoint, FlowOutputSet outSet) { //TODO this is simple catch demonstration - there should be catch stack unrolling var catchVariable = catchPoint.CatchDescription.CatchVariable; var hasCatchVariable = catchVariable != null; if (hasCatchVariable) { var catchVar = outSet.GetVariable(catchPoint.CatchDescription.CatchVariable); catchVar.WriteMemory(outSet.Snapshot, catchPoint.ThrowedValue); } }
internal static void AssertIsXSSClean(FlowOutputSet outSet, string variableName, string assertMessage) { var variable = outSet.GetVariable(new VariableIdentifier(variableName)); var values = variable.ReadMemory(outSet.Snapshot).PossibleValues.ToArray(); foreach (var value in values) { var info = value.GetInfo <SimpleInfo>(); if (info != null && !info.XssSanitized) { Assert.IsTrue(info.XssSanitized, "Variable ${0} with value {1} is not sanitized", variableName, value); } } }
private void setOrderedArguments(FlowOutputSet callInput, IEnumerable <ValuePoint> arguments, LangElement declaration) { var index = 0; foreach (var arg in arguments) { // var argID = getVariableIdentifier(arg.Value); var argVar = argumentString(index); var argumentEntry = callInput.GetVariable(new VariableIdentifier(argVar)); var argumentValue = arg.Value.ReadMemory(Output); argumentEntry.WriteMemory(callInput.Snapshot, argumentValue); ++index; } }
private static void TestVariableResults(FlowOutputSet outSet, Value[] results, Func <int, string> nameGenerator) { for (var i = 0; i < results.Length; ++i) { var identifier = new VariableIdentifier(nameGenerator(i)); var snapshotEntry = outSet.GetVariable(identifier, true); var entry = snapshotEntry.ReadMemory(outSet.Snapshot); var enumerator = entry.PossibleValues.GetEnumerator(); enumerator.MoveNext(); var value = enumerator.Current as Value; Assert.AreEqual(results[i], value); } }
internal void EnvironmentInitializer(FlowOutputSet outSet) { foreach (var nonDeterministic in _nonDeterminiticVariables) { outSet.GetVariable(new VariableIdentifier(nonDeterministic)).WriteMemory(outSet.Snapshot, new MemoryEntry(outSet.AnyValue)); } foreach (var initializer in _initializers) { initializer(outSet); } if (PreviousTest != null) { PreviousTest.EnvironmentInitializer(outSet); } }
/// <inheritdoc /> public override void Catch(CatchPoint catchPoint, FlowOutputSet outSet) { if (catchPoint.CatchDescription.CatchedType.QualifiedName.Equals(new QualifiedName(new Name("")))) { return; } var catchBlocks = outSet.GetControlVariable(new VariableName(".catchBlocks")); var stack = new List <HashSet <CatchBlockDescription> >(); foreach (var value in catchBlocks.ReadMemory(outSet.Snapshot).PossibleValues) { if (stack.Count == 0) { for (int i = 0; i < (value as InfoValue <TryBlockStack>).Data.blocks.Count; i++) { stack.Add(new HashSet <CatchBlockDescription>()); } } for (int i = 0; i < (value as InfoValue <TryBlockStack>).Data.blocks.Count; i++) { foreach (var block in (value as InfoValue <TryBlockStack>).Data.blocks[i]) { stack[i].Add(block); } } } for (int i = stack.Count - 1; i >= 0; i--) { if (stack[i].Where(a => a.CatchedType.QualifiedName.Equals(catchPoint.CatchDescription.CatchedType.QualifiedName)).Count() > 0) { stack.RemoveLast(); break; } stack.RemoveLast(); } outSet.GetControlVariable(new VariableName(".catchBlocks")).WriteMemory(outSet.Snapshot, new MemoryEntry(outSet.CreateInfo(new TryBlockStack(stack)))); outSet.GetVariable(catchPoint.CatchDescription.CatchVariable).WriteMemory(outSet.Snapshot, catchPoint.ThrowedValue); }
internal static void AssertIsPropagatedTo(FlowOutputSet declarationSet, string variableName, string assertMessage, string[] expectedTargets) { var expectedCollection = new List <string>(expectedTargets); expectedCollection.Add(variableName); var expectedTargetsMessage = string.Join(", ", expectedCollection); var snapshot = declarationSet.Snapshot; var variable = declarationSet.GetVariable(new VariableIdentifier(variableName)); if (variable == null || !variable.IsDefined(snapshot)) { Assert.Fail("Variable {0} is not defined", variableName); } var actualValues = variable.ReadMemory(snapshot); if (actualValues.Count != 1) { Assert.Fail("Expected single propagation info"); } var info = actualValues.PossibleValues.First(); if (info is UndefinedValue) { Assert.IsTrue(expectedTargets.Count() == 0, "Variable is propagated nowhere instead of {0}", expectedTargetsMessage); return; } var data = (info as InfoValue <PropagationInfo>).Data; var actualCollection = new List <string>(data.Targets); var actualTargetMessage = string.Join(", ", actualCollection.ToArray()); CollectionAssert.AreEquivalent(expectedCollection, actualCollection, "Wrong targets for propagation {0}, expected {1}", actualTargetMessage, expectedTargetsMessage); }
private static void testVariable(FlowOutputSet outSet, string variableName, string compareValue) { var val = (ScalarValue <string>)outSet.GetVariable(new VariableIdentifier(variableName)).ReadMemory(outSet.Snapshot).PossibleValues.First(); Assert.IsTrue(val.Value.Equals(compareValue)); }
private void EnvironmentInitializer(FlowOutputSet outSet) { outSet.GetVariable(new VariableIdentifier("_POST"), true).WriteMemory(outSet.Snapshot, new MemoryEntry(outSet.AnyArrayValue)); }