public PatternUst VisitPatternOrExpression(DslParser.PatternOrExpressionContext context) { IEnumerable <PatternUst> values = context.expression().Select(expr => VisitExpression(expr)); var result = new PatternOr(values, context.GetTextSpan()); return(result); }
public PatternUst VisitMemberReferenceOrLiteralExpression(DslParser.MemberReferenceOrLiteralExpressionContext context) { var textSpan = context.GetTextSpan(); var values = new PatternUst[] { new PatternMemberReferenceExpression((PatternUst)VisitExpression(context.expression()), VisitLiteralOrPatternId(context.literalOrPatternId()), textSpan), VisitLiteralOrPatternId(context.literalOrPatternId()) }; var result = new PatternOr(values, context.GetTextSpan()); return(result); }
public override PatternUst Visit(PatternOr patternOr) { if (patternOr.Patterns.Count == 1) { return(Visit(patternOr.Patterns[0])); } IEnumerable <PatternUst> exprs = patternOr.Patterns .Select(e => Visit(e)) .OrderBy(e => e); return(new PatternOr(exprs, patternOr.TextSpan)); }
public void Sort_PatternVars_CorrectOrder() { var unsorted = new PatternOr ( new PatternStringLiteral("42"), new PatternIntLiteral(100), new PatternIntLiteral(42), new PatternIntLiteral(0), new PatternStringLiteral("42"), new PatternNot(new PatternStringLiteral("42")), new PatternStringLiteral("Hello World!"), new PatternIdToken("testId"), new PatternIdToken("42"), new PatternNot(new PatternStringLiteral("42")) ); var expectedSorted = new PatternOr ( new PatternIdToken("42"), new PatternIdToken("testId"), new PatternIntLiteral(0), new PatternIntLiteral(42), new PatternIntLiteral(100), new PatternNot(new PatternStringLiteral("42")), new PatternNot(new PatternStringLiteral("42")), new PatternStringLiteral("42"), new PatternStringLiteral("42"), new PatternStringLiteral("Hello World!") ); var logger = new TestLogger(); var processor = new DslProcessor(); var normalizer = new PatternNormalizer() { Logger = logger }; var actualPattern = (PatternOr)normalizer.Visit(unsorted); List <PatternUst> actualAlternatives = actualPattern.Patterns; List <PatternUst> expectedAlternatives = expectedSorted.Patterns; Assert.AreEqual(expectedAlternatives.Count, actualAlternatives.Count); for (int i = 0; i < expectedAlternatives.Count; i++) { Assert.IsTrue(expectedAlternatives[i].Equals(actualAlternatives[i]), $"Not equal at {i} index: expected {expectedAlternatives[i]} not equals to {actualAlternatives[i]}"); } }
public override PatternUst Visit(PatternOr patternOr) { if (patternOr.Patterns.Count == 1) { return(Visit(patternOr.Patterns[0])); } var exprs = new List <PatternUst>(patternOr.Patterns.Count); foreach (PatternUst pattern in patternOr.Patterns) { exprs.Add(Visit(pattern)); } exprs.Sort(); return(new PatternOr(exprs, patternOr.TextSpan)); }
private PatternUst ProcessPatternIds(IList <DslParser.PatternIdContext> contexts) { PatternUst result; var firstPatternId = contexts.First(); if (contexts.Count == 1) { result = VisitPatternId(firstPatternId); } else { IEnumerable <PatternUst> values = contexts.Select(literal => VisitPatternId(literal)); result = new PatternOr(values, firstPatternId.GetTextSpan()); } return(result); }
public PatternUst VisitDslCode(DslParser.DslCodeContext context) { PatternUst result; if (context.statement().Length > 0) { List <PatternUst> statements = context.statement().Select( statement => VisitStatement(statement)) .Where(statement => statement != null).ToList(); if (statements.Count == 1) { result = statements.First(); } else { result = new PatternStatements(statements) { TextSpan = context.GetTextSpan() }; } } else if (context.expression() != null) { result = VisitExpression(context.expression()); } else { IEnumerable <PatternCommentRegex> patternComments = context.PatternString().Select(literal => new PatternCommentRegex(RemoveQuotes(literal.GetText()), literal.GetTextSpan())); if (patternComments.Count() == 1) { result = patternComments.ElementAt(0); } else { result = new PatternOr(patternComments, context.GetTextSpan()); } } return(result); }
public virtual T Visit(PatternOr patternOr) { return(VisitChildren(patternOr)); }
public IEnumerable <PatternRoot> CreatePhpPatterns() { var patterns = new List <PatternRoot>(); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "HardcodedPasswordIn_mysql_connect. Hardcoded passwords could compromise system security in a way that cannot be easily remedied.", Languages = new HashSet <Language> { Php.Language }, Node = new PatternInvocationExpression { Target = new PatternIdRegexToken("(?i)^mysql_connect$"), Arguments = new PatternArgs ( new PatternAnyExpression(), new PatternAnyExpression(), new PatternStringRegexLiteral() ) } }); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "InsecureRandomness. Standard pseudorandom number generators cannot withstand cryptographic attacks.", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternInvocationExpression { Target = new PatternIdRegexToken("(?i)^(mt_rand|rand|uniqid|shuffle|lcg_value)$"), Arguments = new PatternArgs() } }); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "OverlyPermissiveCORSPolicyg. The program defines an overly permissive Cross-Origin Resource Sharing (CORS) policy.", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternInvocationExpression { Target = new PatternIdRegexToken("(?i)^header$"), Arguments = new PatternArgs(new PatternStringRegexLiteral(@"Access-Control-Allow-Origin:\s*\*")) } }); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "InadequateRSAPadding. Public key RSA encryption is performed without using OAEP padding, thereby making the encryption weak.", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternIdToken("OPENSSL_NO_PADDING") }); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "BrokenRiskyCryptographicAlgorithm. Weak Encryption: Broken or Risky Cryptographic Algorithm.", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternIdToken("MCRYPT_DES") }); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "WeakCryptographicHash. Weak cryptographic hashes cannot guarantee data integrity and should not be used in security-critical contexts.", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternInvocationExpression { Target = new PatternIdRegexToken("(?i)^(md5|sha1)$"), Arguments = new PatternArgs(new PatternMultipleExpressions()) } }); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "ExcessiveSessionTimeout. An overly long session timeout gives attackers more time to potentially compromise user accounts.", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternInvocationExpression { Target = new PatternMemberReferenceExpression { Target = new PatternIdToken("Configure"), Name = new PatternIdRegexToken("write") }, Arguments = new PatternArgs ( new PatternStringLiteral("Security.level"), new PatternStringLiteral("low") ) } }); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "DebugInformation. A CakePHP debug level of 1 or greater can cause sensitive data to be logged.", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternInvocationExpression { Target = new PatternMemberReferenceExpression { Target = new PatternIdToken("Configure"), Name = new PatternIdToken("write") }, Arguments = new PatternArgs ( new PatternStringLiteral("debug"), new PatternIntRangeLiteral(1, 9) ) } }); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "SystemInformationLeak. Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternInvocationExpression { Target = new PatternIdRegexToken("(?i)^(debug_print_backtrace|var_dump|debug_zval_dump|print_r|var_export|phpinfo|mysql_error)$"), Arguments = new PatternArgs() } }); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "WeakCryptographicHashHardcodedSalt. A hardcoded salt may compromise system security in a way that cannot be easily remedied.", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternInvocationExpression { Target = new PatternIdRegexToken("(?i)crypt"), Arguments = new PatternArgs ( new PatternAnyExpression(), new PatternStringRegexLiteral() ) } }); var patternNullOrString = new PatternOr ( new PatternStringRegexLiteral(), new PatternNullLiteral() ); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "KeyManagementNullEncryptionKey. Null encryption keys may compromise system security in a way that cannot be easily remedied.", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternStatements ( new PatternAssignmentExpression { Left = new PatternVar("encryption_key"), Right = patternNullOrString }, new PatternAssignmentExpression { Left = new PatternAnyExpression(), Right = new PatternObjectCreateExpression { Type = new PatternIdToken("Zend_Filter_Encrypt"), Arguments = new PatternArgs(new PatternVar("encryption_key")) } } ) }); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "KeyManagementNullEncryptionKey", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternObjectCreateExpression { Type = new PatternIdToken("Zend_Filter_Encrypt"), Arguments = new PatternArgs(patternNullOrString) } }); // TODO: Union this next pattern. patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "CookieSecurityOverlyBroadPath. A cookie with an overly broad path can be accessed through other applications on the same domain.", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternInvocationExpression { Target = new PatternIdRegexToken("(?i)setcookie"), Arguments = new PatternArgs ( new PatternAnyExpression(), new PatternAnyExpression(), new PatternAnyExpression(), new PatternStringLiteral("/"), new PatternAnyExpression(), new PatternAnyExpression(), new PatternAnyExpression() ) } }); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "CookieSecurityOverlyBroadDomain. A cookie with an overly broad domain opens an application to attacks through other applications.", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternInvocationExpression { Target = new PatternIdRegexToken("(?i)setcookie"), Arguments = new PatternArgs ( new PatternAnyExpression(), new PatternAnyExpression(), new PatternAnyExpression(), new PatternAnyExpression(), new PatternStringRegexLiteral(@"^\..*"), new PatternAnyExpression(), new PatternAnyExpression() ) } }); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "CookieSecurityHTTPOnlyNotSet. The program creates a cookie, but fails to set the HttpOnly flag to true.", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternInvocationExpression { Target = new PatternIdRegexToken("(?i)setcookie"), Arguments = new PatternArgs ( new PatternAnyExpression(), new PatternAnyExpression(), new PatternAnyExpression(), new PatternAnyExpression(), new PatternAnyExpression(), new PatternAnyExpression() ) } }); patterns.Add(new PatternRoot { Key = patternIdGenerator.NextId(), DebugInfo = "CookieSecurityCookieNotSentOverSSL. The program creates a cookie without setting the secure flag to true.", Languages = new HashSet <Language>() { Php.Language }, Node = new PatternInvocationExpression { Target = new PatternIdRegexToken("(?i)setcookie"), Arguments = new PatternArgs ( new PatternAnyExpression(), new PatternAnyExpression(), new PatternAnyExpression(), new PatternAnyExpression(), new PatternAnyExpression() ) } }); return(patterns); }