public override void VisitAssignment(VisualBasicSyntaxNode node,
ExecutionState state,
MethodBehavior behavior,
ISymbol symbol,
VariableState variableRightState)
{
if (behavior != null || //Unknown API
symbol == null ||
variableRightState.Taint != VariableTaint.Constant ||
Microsoft.CodeAnalysis.VisualBasic.VisualBasicExtensions.Kind(variableRightState.Node) !=
Microsoft.CodeAnalysis.VisualBasic.SyntaxKind.StringLiteralExpression ||
!IsPasswordField(symbol))
{
return;
}
var constValue = state.AnalysisContext.SemanticModel.GetConstantValue(variableRightState.Node);
if (constValue.HasValue && constValue.Value.Equals(""))
{
return;
}
var varSymbol = state.GetSymbol(variableRightState.Node);
if (varSymbol != null && varSymbol.IsType("System.String.Empty"))
{
return;
}
var diagnostic = Diagnostic.Create(Rule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
public override void VisitAssignment(VisualBasicSyntaxNode node,
ExecutionState state,
MethodBehavior behavior,
ISymbol symbol,
VariableState variableRightState)
{
Analyzer.VisitAssignment(symbol, variableRightState);
}
public override void VisitAssignment(CSharpSyntax.AssignmentExpressionSyntax node,
ExecutionState state,
MethodBehavior behavior,
ISymbol symbol,
VariableState variableRightState)
{
Analyzer.VisitAssignment(symbol, variableRightState);
}
public override void VisitAssignment(VB.VisualBasicSyntaxNode node,
ExecutionState state,
MethodBehavior behavior,
ISymbol symbol,
VariableState variableRightState)
{
if (node is VBSyntax.AssignmentStatementSyntax || node is VBSyntax.NamedFieldInitializerSyntax)
{
Analyzer.TagVariables(symbol, variableRightState);
}
}
public override void VisitAssignment(CSharpSyntax.AssignmentExpressionSyntax node,
ExecutionState state,
MethodBehavior behavior,
ISymbol symbol,
VariableState variableRightState)
{
if (node != null)
{
TagVariables(symbol, variableRightState);
}
}
public override void VisitAssignment(VisualBasicSyntaxNode node,
ExecutionState state,
MethodBehavior behavior,
ISymbol symbol,
VariableState variableRightState)
{
if (behavior == null && //Unknown API
symbol != null && IsPasswordField(symbol) &&
variableRightState.Taint == VariableTaint.Constant) //Only constant
{
var diagnostic = Diagnostic.Create(Rule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
}
public override void VisitAssignment(VisualBasicSyntaxNode node,
ExecutionState state,
MethodBehavior behavior,
ISymbol symbol,
VariableState variableRightState)
{
if (AnalyzerUtil.SymbolMatch(symbol, "HttpCookie", "Secure"))
{
variableRightState.AddTag(VariableTag.HttpCookieSecure);
}
else if (AnalyzerUtil.SymbolMatch(symbol, "HttpCookie", "HttpOnly"))
{
variableRightState.AddTag(VariableTag.HttpCookieHttpOnly);
}
}
public static MethodBehaviors GetMethodsBehavior(Type dsaType, Type proxyType)
{
MethodBehaviors behaviors = new MethodBehaviors();
List <MethodInfo> methods = GetAgentMethods(dsaType, proxyType);
OfflineBehavior defaultBehavior = GetDefaultBehavior(dsaType);
foreach (MethodInfo method in methods)
{
OfflineBehavior methodOfflineBehavior = GetMethodBehavior(dsaType, method.Name);
MethodBehavior behavior = GenerateMethodBehavior(method, methodOfflineBehavior, defaultBehavior);
behaviors.Add(behavior);
}
return(behaviors);
}
public override void VisitAssignment(CSharpSyntax.AssignmentExpressionSyntax node,
ExecutionState state,
MethodBehavior behavior,
ISymbol symbol,
VariableState variableRightState)
{
//Looking for Assignment to Secure or HttpOnly property
if (AnalyzerUtil.SymbolMatch(symbol, "HttpCookie", "Secure"))
{
variableRightState.AddTag(VariableTag.HttpCookieSecure);
}
else if (AnalyzerUtil.SymbolMatch(symbol, "HttpCookie", "HttpOnly"))
{
variableRightState.AddTag(VariableTag.HttpCookieHttpOnly);
}
}
public override void VisitAssignment(CSharpSyntax.AssignmentExpressionSyntax node, ExecutionState state, MethodBehavior behavior, ISymbol symbol, VariableState variableRightState)
{
if (behavior == null && //Unknown API
(symbol != null && IsPasswordField(symbol)) &&
variableRightState.taint == VariableTaint.CONSTANT //Only constant
)
{
var diagnostic = Diagnostic.Create(Rule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
}
public void VisitAssignment(AssignmentExpressionSyntax node, ExecutionState state, MethodBehavior behavior, ISymbol symbol, VariableState variableRightState)
{
//Looking for Assigment to Secure or HttpOnly property
var assigment = node;
if (assigment.Left is MemberAccessExpressionSyntax)
{
var memberAccess = (MemberAccessExpressionSyntax)assigment.Left;
if (memberAccess.Expression is IdentifierNameSyntax)
{
var identifier = (IdentifierNameSyntax)memberAccess.Expression;
string variableAccess = identifier.Identifier.ValueText;
if (AnalyzerUtil.SymbolMatch(symbol, "HttpCookie", "Secure"))
{
state.AddTag(variableAccess, VariableTag.HttpCookieSecure);
}
else if (AnalyzerUtil.SymbolMatch(symbol, "HttpCookie", "HttpOnly"))
{
state.AddTag(variableAccess, VariableTag.HttpCookieHttpOnly);
}
}
}
}
private static MethodBehavior GenerateMethodBehavior(MethodInfo method, OfflineBehavior methodOffBehavior, OfflineBehavior defaultOffBehavior)
{
MethodBehavior behavior = new MethodBehavior(method, false);
behavior.Expiration = null;
behavior.MaxRetries = null;
behavior.Stamps = null;
behavior.Tag = null;
if (methodOffBehavior != null)
{
if (defaultOffBehavior == null)
{
behavior.Expiration = methodOffBehavior.Expiration - DateTime.Now;
behavior.MaxRetries = methodOffBehavior.MaxRetries;
behavior.Stamps = methodOffBehavior.Stamps;
behavior.Tag = methodOffBehavior.Tag;
}
else
{
TimeSpan methoBehaviorExpiration = new TimeSpan();
TimeSpan defaultBehaviorExpiration = new TimeSpan();
if (methodOffBehavior.Expiration.HasValue)
{
methoBehaviorExpiration = methodOffBehavior.Expiration.Value - DateTime.Now;
methoBehaviorExpiration = new TimeSpan(methoBehaviorExpiration.Days,
methoBehaviorExpiration.Hours,
methoBehaviorExpiration.Minutes,
methoBehaviorExpiration.Seconds);
}
if (defaultOffBehavior.Expiration.HasValue)
{
defaultBehaviorExpiration = defaultOffBehavior.Expiration.Value - DateTime.Now;
defaultBehaviorExpiration = new TimeSpan(defaultBehaviorExpiration.Days,
defaultBehaviorExpiration.Hours,
defaultBehaviorExpiration.Minutes,
defaultBehaviorExpiration.Seconds);
}
if (methoBehaviorExpiration != null && defaultBehaviorExpiration != null &&
!(methoBehaviorExpiration.Equals(defaultBehaviorExpiration)))
{
behavior.Expiration = methoBehaviorExpiration;
behavior.IsOverride = true;
}
if (!(methodOffBehavior.MaxRetries.Equals(defaultOffBehavior.MaxRetries)))
{
behavior.MaxRetries = methodOffBehavior.MaxRetries;
behavior.IsOverride = true;
}
if (!(methodOffBehavior.Stamps.Equals(defaultOffBehavior.Stamps)))
{
behavior.Stamps = methodOffBehavior.Stamps;
behavior.IsOverride = true;
}
if (methodOffBehavior.Tag != null &&
!(methodOffBehavior.Tag.Equals(defaultOffBehavior.Tag)))
{
behavior.Tag = methodOffBehavior.Tag;
behavior.IsOverride = true;
}
}
}
return(behavior);
}
public void VisitAssignment(AssignmentExpressionSyntax node, ExecutionState state, MethodBehavior behavior, ISymbol symbol, VariableState variableRightState)
{
var assignment = node;
if (assignment is AssignmentExpressionSyntax)
{
// Only PasswordValidator properties will cause a new tag to be added
if (AnalyzerUtil.SymbolMatch(symbol, type: "PasswordValidator", name: "RequiredLength"))
{
variableRightState.AddTag(VariableTag.RequiredLengthIsSet);
}
else if (AnalyzerUtil.SymbolMatch(symbol, type: "PasswordValidator", name: "RequireDigit"))
{
variableRightState.AddTag(VariableTag.RequireDigitIsSet);
}
else if (AnalyzerUtil.SymbolMatch(symbol, type: "PasswordValidator", name: "RequireLowercase"))
{
variableRightState.AddTag(VariableTag.RequireLowercaseIsSet);
}
else if (AnalyzerUtil.SymbolMatch(symbol, type: "PasswordValidator", name: "RequireNonLetterOrDigit"))
{
variableRightState.AddTag(VariableTag.RequireNonLetterOrDigitIsSet);
}
else if (AnalyzerUtil.SymbolMatch(symbol, type: "PasswordValidator", name: "RequireUppercase"))
{
variableRightState.AddTag(VariableTag.RequireUppercaseIsSet);
}
}
}
