private VariableState VisitInterpolatedString(InterpolatedStringExpressionSyntax interpolatedString, ExecutionState state)
{
var varState = new VariableState(interpolatedString, VariableTaint.CONSTANT);
foreach (var content in interpolatedString.Contents)
{
var textString = content as InterpolatedStringTextSyntax;
if (textString != null)
{
varState = varState.merge(new VariableState(textString, VariableTaint.CONSTANT));
}
var interpolation = content as InterpolationSyntax;
if (interpolation != null)
{
var expressionState = VisitExpression(interpolation.Expression, state);
varState = varState.merge(expressionState);
}
}
return(varState);
}
/// <summary>
/// Evaluate expression that contains a list of assignment.
/// </summary>
/// <param name="declaration"></param>
/// <param name="state"></param>
private VariableState VisitVariableDeclaration(VariableDeclarationSyntax declaration, ExecutionState state)
{
VariableState lastState = new VariableState(VariableTaint.UNKNOWN);
foreach (var variable in declaration.Variables)
{
var identifier = variable.Identifier;
var initializer = variable.Initializer;
if (initializer is EqualsValueClauseSyntax)
{
EqualsValueClauseSyntax equalsClause = initializer;
VariableState varState = VisitExpression(equalsClause.Value, state);
state.AddNewValue(ResolveIdentifier(identifier), varState);
lastState = varState;
}
}
//
return(lastState);
}
public void MergeValue(string identifier, VariableState value)
{
if (Variables.ContainsKey(identifier)) //Override existing value
{
var state = Variables[identifier];
var newState = state.merge(value);
Variables.Remove(identifier);
Variables.Add(identifier, newState);
if (DebugMode)
{
SGLogging.Log(string.Format("Merging state for {0} ({1})", identifier, newState));
}
}
else
{ //Unexpected state
if (DebugMode)
{
SGLogging.Log(string.Format("Merging state for {0} ({1}) .. /!\\ unexpected state", identifier, value));
}
Variables.Add(identifier, value);
}
}
/// <summary>
/// Merge two different states. State are merge if a data structure accept new input or
/// if values are concatenate.
/// </summary>
/// <param name="secondState"></param>
/// <returns></returns>
public VariableState merge(VariableState secondState)
{
var newTaint = taint;
switch (secondState.taint)
{
case (TAINTED):
newTaint = TAINTED;
break;
case (UNKNOWN):
if (taint != TAINTED)
{
newTaint = UNKNOWN;
}
break;
case (SAFE):
if (taint != TAINTED && taint != UNKNOWN)
{
newTaint = SAFE;
}
break;
case (CONSTANT):
if (taint == SAFE)
{
newTaint = SAFE;
}
else if (taint == CONSTANT)
{
newTaint = CONSTANT;
}
break;
}
//It might be better to create a new instance.
return(new VariableState(newTaint));
}
private VariableState VisitInvocationAndCreation(ExpressionSyntax node, ArgumentListSyntax argList, ExecutionState state)
{
var symbol = state.GetSymbol(node);
MethodBehavior behavior = behaviorRepo.GetMethodBehavior(symbol);
int i = 0;
if (argList == null)
{
return(new VariableState(node, VariableTaint.UNKNOWN));
}
var returnState = new VariableState(node, VariableTaint.SAFE);
foreach (var argument in argList.Arguments)
{
var argumentState = VisitExpression(argument.GetExpression(), state);
if (symbol != null)
{
SGLogging.Log(symbol.ContainingType + "." + symbol.Name + " -> " + argumentState);
}
if (behavior != null)
{ //If the API is at risk
if ((argumentState.taint == VariableTaint.TAINTED || //Tainted values
argumentState.taint == VariableTaint.UNKNOWN) &&
Array.Exists(behavior.injectablesArguments, element => element == i) //If the current parameter can be injected.
)
{
var newRule = LocaleUtil.GetDescriptor(behavior.localeInjection);
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
else if (argumentState.taint == VariableTaint.CONSTANT && //Hard coded value
Array.Exists(behavior.passwordArguments, element => element == i) //If the current parameter is a password
)
{
var newRule = LocaleUtil.GetDescriptor(behavior.localePassword);
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
else if ( //
Array.Exists(behavior.taintFromArguments, element => element == i))
{
returnState = returnState.merge(argumentState);
}
}
//TODO: tainted all object passed in argument
i++;
}
//Additionnal analysis by extension
foreach (var ext in extensions)
{
ext.VisitInvocationAndCreation(node, argList, state);
}
var hasTaintFromArguments = behavior?.taintFromArguments?.Length > 0;
if (hasTaintFromArguments)
{
return(returnState);
}
else
{
return(new VariableState(node, VariableTaint.UNKNOWN));
}
}
private VariableState VisitExpression(ExpressionSyntax expression, ExecutionState state)
{
// TODO: Review other expresion types that are unique to VB.
// TODO: Write tests to cover all these.
//Invocation
if (expression is InvocationExpressionSyntax)
{
var invocation = (InvocationExpressionSyntax)expression;
return(VisitMethodInvocation(invocation, state));
}
else if (expression is ObjectCreationExpressionSyntax)
{
var objCreation = (ObjectCreationExpressionSyntax)expression;
return(VisitObjectCreation(objCreation, state));
}
else if (expression is LiteralExpressionSyntax)
{
return(new VariableState(expression, VariableTaint.CONSTANT));
}
else if (expression is IdentifierNameSyntax)
{
var identifierName = (IdentifierNameSyntax)expression;
return(VisitIdentifierName(identifierName, state));
}
//Arithmetic : Addition
else if (expression is BinaryExpressionSyntax)
{
var binaryExpression = (BinaryExpressionSyntax)expression;
return(VisitBinaryExpression(binaryExpression, state));
}
else if (expression is MemberAccessExpressionSyntax)
{
var memberAccess = (MemberAccessExpressionSyntax)expression;
var leftExpression = memberAccess.Expression;
return(VisitExpression(leftExpression, state));
}
else if (expression is ArrayCreationExpressionSyntax)
{
var arrayCreation = (ArrayCreationExpressionSyntax)expression;
return(VisitArrayCreation(arrayCreation, state));
}
else if (expression is TypeOfExpressionSyntax)
{
var typeofEx = (TypeOfExpressionSyntax)expression;
return(new VariableState(expression, VariableTaint.SAFE));
}
else if (expression is TernaryConditionalExpressionSyntax)
{
var conditional = (TernaryConditionalExpressionSyntax)expression;
VisitExpression(conditional.Condition, state);
var finalState = new VariableState(expression, VariableTaint.SAFE);
var whenTrueState = VisitExpression(conditional.WhenTrue, state);
finalState = finalState.merge(whenTrueState);
var whenFalseState = VisitExpression(conditional.WhenFalse, state);
finalState = finalState.merge(whenFalseState);
return(finalState);
}
else if (expression is QueryExpressionSyntax)
{
var query = (QueryExpressionSyntax)expression;
var body = query.Clauses;
return(new VariableState(expression, VariableTaint.UNKNOWN));
}
SGLogging.Log("Unsupported expression " + expression.GetType() + " (" + expression.ToString() + ")");
//Unsupported expression
return(new VariableState(expression, VariableTaint.UNKNOWN));
}
private VariableState VisitExpression(ExpressionSyntax expression, ExecutionState state)
{
//Invocation
if (expression is InvocationExpressionSyntax)
{
var invocation = (InvocationExpressionSyntax)expression;
return(VisitMethodInvocation(invocation, state));
}
else if (expression is ObjectCreationExpressionSyntax)
{
var objCreation = (ObjectCreationExpressionSyntax)expression;
return(VisitObjectCreation(objCreation, state));
}
else if (expression is LiteralExpressionSyntax)
{
return(new VariableState(VariableTaint.CONSTANT));
}
else if (expression is IdentifierNameSyntax)
{
var identifierName = (IdentifierNameSyntax)expression;
return(VisitIdentifierName(identifierName, state));
}
//Arithmetic : Addition
else if (expression is BinaryExpressionSyntax)
{
var binaryExpression = (BinaryExpressionSyntax)expression;
return(VisitBinaryExpression(binaryExpression, state));
}
else if (expression is AssignmentExpressionSyntax)
{
var assignment = (AssignmentExpressionSyntax)expression;
return(VisitAssignment(assignment, state));
}
else if (expression is MemberAccessExpressionSyntax)
{
var memberAccess = (MemberAccessExpressionSyntax)expression;
var leftExpression = memberAccess.Expression;
var name = memberAccess.Name;
return(VisitExpression(leftExpression, state));
}
else if (expression is ElementAccessExpressionSyntax)
{
var elementAccess = (ElementAccessExpressionSyntax)expression;
return(VisitElementAccess(elementAccess, elementAccess.ArgumentList, state));
}
else if (expression is ArrayCreationExpressionSyntax)
{
var arrayCreation = (ArrayCreationExpressionSyntax)expression;
return(VisitArrayCreation(arrayCreation, state));
}
else if (expression is TypeOfExpressionSyntax)
{
var typeofEx = (TypeOfExpressionSyntax)expression;
return(new VariableState(VariableTaint.SAFE));
}
else if (expression is ConditionalExpressionSyntax)
{
var conditional = (ConditionalExpressionSyntax)expression;
VisitExpression(conditional.Condition, state);
var finalState = new VariableState(VariableTaint.SAFE);
var whenTrueState = VisitExpression(conditional.WhenTrue, state);
finalState.merge(whenTrueState);
var whenFalseState = VisitExpression(conditional.WhenFalse, state);
finalState.merge(whenFalseState);
return(finalState);
}
else if (expression is CheckedExpressionSyntax)
{
var checkedEx = (CheckedExpressionSyntax)expression;
return(VisitExpression(checkedEx.Expression, state));
}
else if (expression is QueryExpressionSyntax)
{
var query = (QueryExpressionSyntax)expression;
var body = query.Body;
new VariableState(VariableTaint.UNKNOWN);
}
SGLogging.Log("Unsupported expression " + expression.GetType() + " (" + expression.ToString() + ")");
//Unsupported expression
return(new VariableState(VariableTaint.UNKNOWN));
}
public virtual void VisitAssignment(VisualBasicSyntaxNode node, ExecutionState state, MethodBehavior behavior, ISymbol symbol, VariableState variableRightState)
{
}
public virtual void VisitAssignment(CSharpSyntax.AssignmentExpressionSyntax node, ExecutionState state, MethodBehavior behavior, ISymbol symbol, VariableState variableRightState)
{
}