private VariableState VisitAssignment(VisualBasicSyntaxNode node,
ExpressionSyntax leftExpression,
ExpressionSyntax rightExpression,
ExecutionState state)
{
var symbol = state.GetSymbol(leftExpression);
MethodBehavior behavior = BehaviorRepo.GetMethodBehavior(symbol);
var variableState = VisitExpression(rightExpression, state);
//Additional analysis by extension
foreach (var ext in Extensions)
{
ext.VisitAssignment(node, state, behavior, symbol, variableState);
}
IdentifierNameSyntax parentIdentifierSyntax = GetParentIdentifier(leftExpression);
if (parentIdentifierSyntax != null)
{
state.MergeValue(ResolveIdentifier(parentIdentifierSyntax.Identifier), variableState);
}
if (behavior != null && //Injection
behavior.IsInjectableField &&
variableState.Taint != VariableTaint.Constant && //Skip safe values
variableState.Taint != VariableTaint.Safe)
{
var newRule = LocaleUtil.GetDescriptor(behavior.LocaleInjection, "title_assignment");
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
if (behavior != null && //Known Password API
behavior.IsPasswordField &&
variableState.Taint == VariableTaint.Constant) //Only constant
{
var newRule = LocaleUtil.GetDescriptor(behavior.LocalePassword, "title_assignment");
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
//TODO: taint the variable being assigned.
return(variableState);
}
private VariableState VisitAssignment(AssignmentExpressionSyntax node, ExecutionState state)
{
var leftSymbol = state.GetSymbol(node.Left);
MethodBehavior behavior = null;
if (leftSymbol != null)
{
behavior = leftSymbol.GetMethodBehavior(state.AnalysisContext.Options.AdditionalFiles);
}
var variableState = VisitExpression(node.Right, state);
//Additional analysis by extension
foreach (var ext in Extensions)
{
ext.VisitAssignment(node, state, behavior, leftSymbol, variableState);
}
if (leftSymbol != null)
{
var rightTypeSymbol = state.AnalysisContext.SemanticModel.GetTypeInfo(node.Right).Type;
if (rightTypeSymbol == null)
{
return(new VariableState(node.Right, VariableTaint.Unknown));
}
var leftTypeSymbol = state.AnalysisContext.SemanticModel.GetTypeInfo(node.Left).Type;
if (!state.AnalysisContext.SemanticModel.Compilation.ClassifyConversion(rightTypeSymbol, leftTypeSymbol).IsImplicit)
{
return(new VariableState(node.Right, VariableTaint.Unknown));
}
}
IdentifierNameSyntax parentIdentifierSyntax = GetParentIdentifier(node.Left);
if (parentIdentifierSyntax != null)
{
state.MergeValue(ResolveIdentifier(parentIdentifierSyntax.Identifier), variableState);
}
if (behavior != null && //Injection
behavior.IsInjectableField &&
variableState.Taint != VariableTaint.Constant && //Skip safe values
variableState.Taint != VariableTaint.Safe)
{
var newRule = LocaleUtil.GetDescriptor(behavior.LocaleInjection, "title_assignment");
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
if (behavior != null && //Known Password API
behavior.IsPasswordField &&
variableState.Taint == VariableTaint.Constant) //Only constant
{
var newRule = LocaleUtil.GetDescriptor(behavior.LocalePassword, "title_assignment");
var diagnostic = Diagnostic.Create(newRule, node.GetLocation());
state.AnalysisContext.ReportDiagnostic(diagnostic);
}
//TODO: taint the variable being assigned.
return(variableState);
}
