/**
 * Folds one constant-string load into the running append state.
 * <p>
 * The loaded constant is trimmed and examined for the three lexical cues the
 * detector tracks: a comma at either end, a closing quote and an opening quote.
 * Order matters here: the close-quote test consults the open-quote flag before
 * this instruction records its own open quote.
 *
 * @param location          location of the instruction to inspect
 * @param cpg               constant pool used to resolve the LDC operand
 * @param stringAppendState state being accumulated; mutated in place
 * @return the same {@code stringAppendState} instance, for chaining
 * @throws IllegalArgumentException if the instruction at {@code location} is not a constant string load
 */
private StringAppendState updateStringAppendState(Location location, ConstantPoolGen cpg, StringAppendState stringAppendState) {
    InstructionHandle at = location.getHandle();
    Instruction current = at.getInstruction();
    if (!isConstantStringLoad(location, cpg)) {
        throw new IllegalArgumentException("instruction must be LDC");
    }
    LDC constantLoad = (LDC) current;
    String literal = ((String) constantLoad.getValue(cpg)).trim();

    boolean commaAtEdge = literal.startsWith(",") || literal.endsWith(",");
    if (commaAtEdge) {
        stringAppendState.setSawComma(at);
    }
    // Only a quote that matches a previously seen opening quote counts as closing.
    boolean closesEarlierQuote = isCloseQuote(literal) && stringAppendState.getSawOpenQuote(at);
    if (closesEarlierQuote) {
        stringAppendState.setSawCloseQuote(at);
    }
    if (isOpenQuote(literal)) {
        stringAppendState.setSawOpenQuote(at);
    }
    return stringAppendState;
}
ValueNumberDataflow vnd = classContext.getValueNumberDataflow(method); Set<ValueNumber> passthruParams = getPassthruParams(vnd, method, javaClass); CFG cfg = classContext.getCFG(method); StringAppendState stringAppendState = getStringAppendState(cfg, cpg); Location prev = getValueNumberCreationLocation(vnd, vn); if (prev == null || !isSafeValue(prev, cpg)) { BugInstance bug = generateBugInstance(javaClass, methodGen, location.getHandle(), stringAppendState, executeMethod); bugAccumulator.accumulateBug(
/**
 * Finds the location executed immediately before {@code startLocation}.
 * <p>
 * Looks inside the current basic block first; if the instruction is the first
 * of its block, walks backwards along fall-through edges only and returns the
 * last instruction of the first predecessor that holds one.
 *
 * @param cfg           control-flow graph of the method being analyzed
 * @param startLocation location whose predecessor is wanted
 * @param skipNops      passed through to {@code getPreviousInstruction}
 * @return the previous location, or {@code null} if there is no fall-through predecessor
 */
private @CheckForNull Location getPreviousLocation(CFG cfg, Location startLocation, boolean skipNops) {
    // Fast path: the predecessor lives in the same basic block.
    InstructionHandle withinBlock = getPreviousInstruction(startLocation.getHandle(), skipNops);
    if (withinBlock != null) {
        return new Location(withinBlock, startLocation.getBasicBlock());
    }
    // Otherwise cross block boundaries, but only along fall-through edges;
    // empty predecessor blocks are skipped.
    for (BasicBlock pred = cfg.getPredecessorWithEdgeType(startLocation.getBasicBlock(), EdgeTypes.FALL_THROUGH_EDGE);
            pred != null;
            pred = cfg.getPredecessorWithEdgeType(pred, EdgeTypes.FALL_THROUGH_EDGE)) {
        InstructionHandle tail = pred.getLastInstruction();
        if (tail != null) {
            return new Location(tail, pred);
        }
    }
    return null;
}
InstructionHandle handle = location.getHandle(); Instruction ins = handle.getInstruction(); if (isConstantStringLoad(location, cpg)) { stringAppendState = updateStringAppendState(location, cpg, stringAppendState); } else if (isStringAppend(ins, cpg)) { stringAppendState.setSawAppend(handle); Location prevLocation = getPreviousLocation(cfg, location, true); if (prevLocation != null && !isSafeValue(prevLocation, cpg)) { stringAppendState.setSawUnsafeAppend(handle);
CFG cfg = classContext.getCFG(method); StringAppendState stringAppendState = getStringAppendState(cfg, cpg); Location prev = getPreviousLocation(cfg, location, true); if (prev == null || !isSafeValue(prev, cpg)) { BugInstance bug = generateBugInstance(javaClass, methodGen, location.getHandle(), stringAppendState, executeMethod); if(!testingEnabled && "TESTING".equals(bug.getType())){ continue;
/** Opening-quote heuristic: a quote preceded only by whitespace or one of {@code = , (} opens a literal. */
@Test
public void testOpenQuote() {
    String[] opening = { "'", " '", "='", ",'", "('" };
    for (String fragment : opening) {
        assertTrue(FindSqlInjection.isOpenQuote(fragment));
    }
    // A fully quoted literal is self-contained and must not count as an open quote.
    String[] complete = { "'abc'", "='abc'" };
    for (String fragment : complete) {
        assertFalse(FindSqlInjection.isOpenQuote(fragment));
    }
}
/** Closing-quote heuristic: a quote followed only by whitespace or one of {@code , )} closes a literal. */
@Test
public void testCloseQuote() {
    String[] closing = { "'", "' ", "',", "')" };
    for (String fragment : closing) {
        assertTrue(FindSqlInjection.isCloseQuote(fragment));
    }
    // A fully quoted literal is self-contained and must not count as a close quote.
    String[] complete = { "'abc'", "='abc'" };
    for (String fragment : complete) {
        assertFalse(FindSqlInjection.isCloseQuote(fragment));
    }
}
}
/**
 * Runs the SQL-injection analysis over every method of the class.
 * <p>
 * Classes whose constant pool references none of {@code allMethods} are skipped
 * outright, as are methods for which no {@link MethodGen} is available
 * (presumably abstract or native ones; verify against {@code getMethodGen}).
 * Analysis failures are logged and do not abort the scan of the remaining
 * methods.
 *
 * @param classContext context of the class under analysis
 */
@Override
public void visitClassContext(ClassContext classContext) {
    JavaClass clazz = classContext.getJavaClass();
    boolean worthScanning = PreorderVisitor.hasInterestingMethod(clazz.getConstantPool(), allMethods);
    if (!worthScanning) {
        return;
    }
    for (Method candidate : clazz.getMethods()) {
        MethodGen generated = classContext.getMethodGen(candidate);
        if (generated != null) {
            try {
                analyzeMethod(classContext, candidate);
            } catch (DataflowAnalysisException e) {
                String where = classContext.getFullyQualifiedMethodName(candidate);
                bugReporter.logError("FindSqlInjection caught exception while analyzing " + where, e);
            } catch (CFGBuilderException e) {
                String where = classContext.getFullyQualifiedMethodName(candidate);
                bugReporter.logError("FindSqlInjection caught exception while analyzing " + where, e);
            } catch (RuntimeException e) {
                // Boundary catch: one misbehaving method must not stop the class scan.
                String where = classContext.getFullyQualifiedMethodName(candidate);
                bugReporter.logError("FindSqlInjection caught exception while analyzing " + where, e);
            }
        }
    }
}
/**
 * Heuristically decides whether the value produced at {@code location} is a
 * constant that cannot carry attacker-controlled text.
 * <p>
 * Trusted producers are: an {@code LDC} constant; any {@code GETSTATIC} (the
 * field's finality is not checked); any invocation whose name has the form
 * {@code to...String} and is longer than plain {@code toString}; and an
 * {@code AALOAD} whose array was pushed by a {@code GETSTATIC} of a
 * {@code String[]} two instructions earlier. Everything else is unsafe.
 * Because callers suppress a report when this returns {@code true}, any
 * over-approximation here shows up as a missed finding rather than a false
 * positive.
 *
 * @param location location of the value-producing instruction
 * @param cpg      constant pool used to resolve method names and signatures
 * @return {@code true} if the value is treated as a trusted constant
 * @throws CFGBuilderException if the CFG needed for the {@code AALOAD} case cannot be built
 */
private boolean isSafeValue(Location location, ConstantPoolGen cpg) throws CFGBuilderException {
    Instruction producer = location.getHandle().getInstruction();
    if (producer instanceof LDC) {
        return true;
    }
    if (producer instanceof GETSTATIC) {
        return true;
    }
    if (producer instanceof InvokeInstruction) {
        String callee = ((InvokeInstruction) producer).getMethodName(cpg);
        // "toString" itself is 8 characters, so the length test excludes it.
        return callee.startsWith("to") && callee.endsWith("String") && callee.length() > 8;
    }
    if (!(producer instanceof AALOAD)) {
        return false;
    }
    // AALOAD: look two instructions back for the array reference.
    CFG cfg = classContext.getCFG(method);
    Location indexPush = getPreviousLocation(cfg, location, true);
    if (indexPush == null) {
        return false;
    }
    Location arrayPush = getPreviousLocation(cfg, indexPush, true);
    if (arrayPush == null) {
        return false;
    }
    Instruction arraySource = arrayPush.getHandle().getInstruction();
    if (!(arraySource instanceof GETSTATIC)) {
        return false;
    }
    return "[Ljava/lang/String;".equals(((GETSTATIC) arraySource).getSignature(cpg));
}
InstructionHandle handle = location.getHandle(); Instruction ins = handle.getInstruction(); if (isConstantStringLoad(location, cpg)) { stringAppendState = updateStringAppendState(location, cpg, stringAppendState); } else if (isStringAppend(ins, cpg)) { stringAppendState.setSawAppend(handle); Location prevLocation = getPreviousLocation(cfg, location, true); if (prevLocation != null && !isSafeValue(prevLocation, cpg)) { stringAppendState.setSawUnsafeAppend(handle);
/**
 * Runs the SQL-injection analysis over every method of the class.
 * <p>
 * Classes whose constant pool references none of {@code allMethods} are skipped
 * outright, as are methods for which no {@link MethodGen} is available
 * (presumably abstract or native ones; verify against {@code getMethodGen}).
 * Analysis failures are logged and do not abort the scan of the remaining
 * methods.
 *
 * @param classContext context of the class under analysis
 */
@Override
public void visitClassContext(ClassContext classContext) {
    JavaClass clazz = classContext.getJavaClass();
    boolean worthScanning = PreorderVisitor.hasInterestingMethod(clazz.getConstantPool(), allMethods);
    if (!worthScanning) {
        return;
    }
    for (Method candidate : clazz.getMethods()) {
        MethodGen generated = classContext.getMethodGen(candidate);
        if (generated != null) {
            try {
                analyzeMethod(classContext, candidate);
            } catch (DataflowAnalysisException e) {
                String where = classContext.getFullyQualifiedMethodName(candidate);
                bugReporter.logError("FindSqlInjection caught exception while analyzing " + where, e);
            } catch (CFGBuilderException e) {
                String where = classContext.getFullyQualifiedMethodName(candidate);
                bugReporter.logError("FindSqlInjection caught exception while analyzing " + where, e);
            } catch (RuntimeException e) {
                // Boundary catch: one misbehaving method must not stop the class scan.
                String where = classContext.getFullyQualifiedMethodName(candidate);
                bugReporter.logError("FindSqlInjection caught exception while analyzing " + where, e);
            }
        }
    }
}
/**
 * Heuristically decides whether the value produced at {@code location} is a
 * constant that cannot carry attacker-controlled text.
 * <p>
 * Trusted producers are: an {@code LDC} constant; any {@code GETSTATIC} (the
 * field's finality is not checked); any invocation whose name has the form
 * {@code to...String} and is longer than plain {@code toString}; and an
 * {@code AALOAD} whose array was pushed by a {@code GETSTATIC} of a
 * {@code String[]} two instructions earlier. Everything else is unsafe.
 * Because callers suppress a report when this returns {@code true}, any
 * over-approximation here shows up as a missed finding rather than a false
 * positive.
 *
 * @param location location of the value-producing instruction
 * @param cpg      constant pool used to resolve method names and signatures
 * @return {@code true} if the value is treated as a trusted constant
 * @throws CFGBuilderException if the CFG needed for the {@code AALOAD} case cannot be built
 */
private boolean isSafeValue(Location location, ConstantPoolGen cpg) throws CFGBuilderException {
    Instruction producer = location.getHandle().getInstruction();
    if (producer instanceof LDC) {
        return true;
    }
    if (producer instanceof GETSTATIC) {
        return true;
    }
    if (producer instanceof InvokeInstruction) {
        String callee = ((InvokeInstruction) producer).getMethodName(cpg);
        // "toString" itself is 8 characters, so the length test excludes it.
        return callee.startsWith("to") && callee.endsWith("String") && callee.length() > 8;
    }
    if (!(producer instanceof AALOAD)) {
        return false;
    }
    // AALOAD: look two instructions back for the array reference.
    CFG cfg = classContext.getCFG(method);
    Location indexPush = getPreviousLocation(cfg, location, true);
    if (indexPush == null) {
        return false;
    }
    Location arrayPush = getPreviousLocation(cfg, indexPush, true);
    if (arrayPush == null) {
        return false;
    }
    Instruction arraySource = arrayPush.getHandle().getInstruction();
    if (!(arraySource instanceof GETSTATIC)) {
        return false;
    }
    return "[Ljava/lang/String;".equals(((GETSTATIC) arraySource).getSignature(cpg));
}
/**
 * Folds one constant-string load into the running append state.
 * <p>
 * The loaded constant is trimmed and examined for the three lexical cues the
 * detector tracks: a comma at either end, a closing quote and an opening quote.
 * Order matters here: the close-quote test consults the open-quote flag before
 * this instruction records its own open quote.
 *
 * @param location          location of the instruction to inspect
 * @param cpg               constant pool used to resolve the LDC operand
 * @param stringAppendState state being accumulated; mutated in place
 * @return the same {@code stringAppendState} instance, for chaining
 * @throws IllegalArgumentException if the instruction at {@code location} is not a constant string load
 */
private StringAppendState updateStringAppendState(Location location, ConstantPoolGen cpg, StringAppendState stringAppendState) {
    InstructionHandle at = location.getHandle();
    Instruction current = at.getInstruction();
    if (!isConstantStringLoad(location, cpg)) {
        throw new IllegalArgumentException("instruction must be LDC");
    }
    LDC constantLoad = (LDC) current;
    String literal = ((String) constantLoad.getValue(cpg)).trim();

    boolean commaAtEdge = literal.startsWith(",") || literal.endsWith(",");
    if (commaAtEdge) {
        stringAppendState.setSawComma(at);
    }
    // Only a quote that matches a previously seen opening quote counts as closing.
    boolean closesEarlierQuote = isCloseQuote(literal) && stringAppendState.getSawOpenQuote(at);
    if (closesEarlierQuote) {
        stringAppendState.setSawCloseQuote(at);
    }
    if (isOpenQuote(literal)) {
        stringAppendState.setSawOpenQuote(at);
    }
    return stringAppendState;
}
/**
 * Finds the location executed immediately before {@code startLocation}.
 * <p>
 * Looks inside the current basic block first; if the instruction is the first
 * of its block, walks backwards along fall-through edges only and returns the
 * last instruction of the first predecessor that holds one.
 *
 * @param cfg           control-flow graph of the method being analyzed
 * @param startLocation location whose predecessor is wanted
 * @param skipNops      passed through to {@code getPreviousInstruction}
 * @return the previous location, or {@code null} if there is no fall-through predecessor
 */
private @CheckForNull Location getPreviousLocation(CFG cfg, Location startLocation, boolean skipNops) {
    // Fast path: the predecessor lives in the same basic block.
    InstructionHandle withinBlock = getPreviousInstruction(startLocation.getHandle(), skipNops);
    if (withinBlock != null) {
        return new Location(withinBlock, startLocation.getBasicBlock());
    }
    // Otherwise cross block boundaries, but only along fall-through edges;
    // empty predecessor blocks are skipped.
    for (BasicBlock pred = cfg.getPredecessorWithEdgeType(startLocation.getBasicBlock(), EdgeTypes.FALL_THROUGH_EDGE);
            pred != null;
            pred = cfg.getPredecessorWithEdgeType(pred, EdgeTypes.FALL_THROUGH_EDGE)) {
        InstructionHandle tail = pred.getLastInstruction();
        if (tail != null) {
            return new Location(tail, pred);
        }
    }
    return null;
}