/**
 * Drives the opcode walk for one method body and reports {@code NN_NAKED_NOTIFY}
 * when the walk finished in stage 4 for a synchronized method.
 * The stage value is presumably advanced by the per-opcode logic elsewhere in
 * this class; only its initial and final values are handled here.
 *
 * @param obj the code attribute being visited
 */
@Override
public void visit(Code obj) {
    // Non-synchronized methods start (and are expected to stay) at stage 0.
    stage = synchronizedMethod ? 1 : 0;
    super.visit(obj);
    if (!synchronizedMethod) {
        return;
    }
    if (stage == 4) {
        BugInstance nakedNotify = new BugInstance(this, "NN_NAKED_NOTIFY", NORMAL_PRIORITY)
                .addClassAndMethod(this)
                .addSourceLine(this, notifyPC);
        bugReporter.reportBug(nakedNotify);
    }
}
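/**
 * For classes flagged as adapters, records every method whose descriptor differs
 * from the one {@code methodMap} holds under the same name as a
 * {@code BOA_BADLY_OVERRIDDEN_ADAPTER} candidate; a matching override stores a
 * {@code null} marker instead. Constructors and names absent from
 * {@code methodMap} are ignored. What {@code methodMap} is populated from is
 * outside this view.
 *
 * @param obj the method being visited
 */
@Override
public void visit(Method obj) {
    if (!isAdapter) {
        return;
    }
    String methodName = obj.getName();
    String expectedSignature = methodMap.get(methodName);
    if (Const.CONSTRUCTOR_NAME.equals(methodName) || expectedSignature == null) {
        return;
    }
    if (expectedSignature.equals(obj.getSignature())) {
        // Correct override: the null value marks the name as already handled.
        badOverrideMap.put(methodName, null);
    } else if (!badOverrideMap.containsKey(methodName)) {
        // containsKey rather than keySet().contains(): same result (null values count as
        // present) without materialising the key set.
        badOverrideMap.put(methodName,
                new BugInstance(this, "BOA_BADLY_OVERRIDDEN_ADAPTER", NORMAL_PRIORITY)
                        .addClassAndMethod(this)
                        .addSourceLine(this));
    }
}
}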
/**
 * Finalises {@code bug} from the collected {@code Data} and hands it to the
 * underlying reporter: the priority is taken from {@code d}, the primary source
 * line is attached first, and each further source line with a start line not
 * seen yet is attached as another instance. Note that this removes the primary
 * source from {@code d.allSource}.
 *
 * @param bug the bug to report
 * @param d   priority and source-line data gathered for the bug
 */
public void reportBug(BugInstance bug, Data d) {
    bug.setPriority(d.priority);
    bug.addSourceLine(d.primarySource);

    // Start lines already attached; a second annotation on the same line is skipped.
    HashSet<Integer> attachedLines = new HashSet<>();
    attachedLines.add(d.primarySource.getStartLine());

    d.allSource.remove(d.primarySource);
    for (SourceLineAnnotation extra : d.allSource) {
        boolean firstOnThisLine = attachedLines.add(extra.getStartLine());
        if (!firstOnThisLine) {
            continue;
        }
        bug.addSourceLine(extra);
        bug.describe(SourceLineAnnotation.ROLE_ANOTHER_INSTANCE);
    }

    reporter.reportBug(bug);
}
pendingUnreachableBranch = new BugInstance(this, "TESTING", NORMAL_PRIORITY) .addClassAndMethod(this).addString("Unreachable loop body").addSourceLineRange(this, becameTop, getPC()); bugReporter.reportBug(pendingUnreachableBranch); pendingUnreachableBranch = null; priority = Priorities.HIGH_PRIORITY; bugReporter.reportBug(new BugInstance(this, "DMI_ENTRY_SETS_MAY_REUSE_ENTRY_OBJECTS", priority) .addClassAndMethod(this).addCalledMethod(returnValueOf).addCalledMethod(this).addValueSource(top, this).addSourceLine(this)); OpcodeStack.Item item0 = stack.getStackItem(0); if (item0.getSignature().charAt(0) == '[') { bugReporter.reportBug(new BugInstance(this, "DMI_INVOKING_HASHCODE_ON_ARRAY", NORMAL_PRIORITY) .addClassAndMethod(this).addValueSource(item0, this).addSourceLine(this)); .addSourceLine(this)); OpcodeStack.Item item0 = stack.getStackItem(0); priority).addClassAndMethod(this).addClass(getClassConstantOperand()), this); .describe(IntAnnotation.INT_VALUE).addCalledMethod(this).addSourceLine(this)); .addInt(v).describe(IntAnnotation.INT_VALUE).addCalledMethod(this).addSourceLine(this)); .addClassAndMethod(this).addSourceLine(this));
XField xField = getXFieldOperand(); if (xField != null && xField.getClassDescriptor().equals(getClassDescriptor())) { Item first = stack.getStackItem(0); fieldWarningList.add(new BugInstance(this, "SE_BAD_FIELD_STORE", priority) .addClass(getThisClass().getClassName()).addField(f).addType(genSig) .describe("TYPE_FOUND").addSourceLine(this));
/**
 * Resets the per-method wait/notify state, walks the method body, and then
 * reports a wait()/await() that is not inside a loop and any notify() that is
 * not a notifyAll(). The flags and {@code waitAt}/{@code earliestJump}/{@code notifyPC}
 * are presumably set by the per-opcode logic elsewhere in this class.
 *
 * @param obj the code attribute being visited
 */
@Override
public void visit(Code obj) {
    // Fresh state for every method body.
    sawWait = false;
    sawAwait = false;
    waitHasTimeout = false;
    sawNotify = false;
    earliestJump = 9999999;

    super.visit(obj);

    boolean sawAnyWait = sawWait || sawAwait;
    // waitAt before every jump target seen: the wait cannot be re-entered by a loop.
    if (sawAnyWait && waitAt < earliestJump) {
        String bugType;
        if (sawWait) {
            bugType = "WA_NOT_IN_LOOP";
        } else {
            bugType = "WA_AWAIT_NOT_IN_LOOP";
        }
        // A timed wait is a weaker signal than an unbounded one.
        int priority = waitHasTimeout ? LOW_PRIORITY : NORMAL_PRIORITY;
        bugReporter.reportBug(new BugInstance(this, bugType, priority)
                .addClassAndMethod(this)
                .addSourceLine(this, waitAt));
    }

    if (sawNotify) {
        bugReporter.reportBug(new BugInstance(this, "NO_NOTIFY_NOT_NOTIFYALL", LOW_PRIORITY)
                .addClassAndMethod(this)
                .addSourceLine(this, notifyPC));
    }
}
/**
 * Inspects one instruction together with the lock dataflow facts at that point.
 * A monitor wait issued while more than one lock is held is recorded as a
 * possible {@code TLW_TWO_LOCK_WAIT}; a monitor notify under the same condition
 * is recorded as a possible notify location.
 *
 * @param classContext context of the class being analysed
 * @param location     the instruction to inspect
 * @param methodGen    the method containing {@code location}
 * @param dataflow     lock dataflow results for that method
 * @throws DataflowAnalysisException propagated from the dataflow fact lookup
 */
public void visitLocation(ClassContext classContext, Location location, MethodGen methodGen,
        LockDataflow dataflow) throws DataflowAnalysisException {
    ConstantPoolGen cpg = methodGen.getConstantPool();

    if (Hierarchy.isMonitorWait(location.getHandle().getInstruction(), cpg)
            && heldLockCount(dataflow, location) > 1) {
        // wait() with more than one monitor held
        String sourceFile = javaClass.getSourceFileName();
        possibleWaitBugs.add(new BugInstance(this, "TLW_TWO_LOCK_WAIT", HIGH_PRIORITY)
                .addClassAndMethod(methodGen, sourceFile)
                .addSourceLine(classContext, methodGen, sourceFile, location.getHandle()));
    }

    if (Hierarchy.isMonitorNotify(location.getHandle().getInstruction(), cpg)
            && heldLockCount(dataflow, location) > 1) {
        // notify() with more than one monitor held
        String sourceFile = javaClass.getSourceFileName();
        possibleNotifyLocations.add(SourceLineAnnotation.fromVisitedInstruction(
                classContext, methodGen, sourceFile, location.getHandle()));
    }
}

/** Number of objects whose monitor is held at {@code location} according to {@code dataflow}. */
private static int heldLockCount(LockDataflow dataflow, Location location)
        throws DataflowAnalysisException {
    return dataflow.getFactAtLocation(location).getNumLockedObjects();
}
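/**
 * Reports {@code SPEL_INJECTION} for every constructor call on a class whose
 * name ends in {@code spelview} (compared case-insensitively).
 *
 * @param seen the opcode just visited
 */
@Override
public void sawOpcode(int seen) {
    if (seen != INVOKESPECIAL) {
        return;
    }
    String methodName = getNameConstantOperand();
    String className = getClassConstantOperand();
    // Locale.ROOT: the match must not depend on the analysing JVM's default locale
    // (a locale-sensitive lower-casing can change letters such as 'I').
    boolean isSpelViewConstructor = "<init>".equals(methodName)
            && className.toLowerCase(java.util.Locale.ROOT).endsWith("spelview");
    if (isSpelViewConstructor) {
        bugReporter.reportBug(new BugInstance(this, "SPEL_INJECTION", Priorities.NORMAL_PRIORITY)
                .addClass(this)
                .addMethod(this)
                .addSourceLine(this)
                .addString("SpelView()"));
    }
}
}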
/**
 * Reports {@code BAC_BAD_APPLET_CONSTRUCTOR} for virtual calls to the applet
 * accessors {@code getDocumentBase()}, {@code getCodeBase()},
 * {@code getAppletContext()} and {@code getParameter(String)}, matched by name
 * and descriptor.
 *
 * @param seen the opcode just visited
 */
@Override
public void sawOpcode(int seen) {
    if (seen != Const.INVOKEVIRTUAL) {
        return;
    }
    String method = getNameConstantOperand();
    String signature = getSigConstantOperand();

    boolean urlAccessor = ("getDocumentBase".equals(method) || "getCodeBase".equals(method))
            && "()Ljava/net/URL;".equals(signature);
    boolean contextAccessor = "getAppletContext".equals(method)
            && "()Ljava/applet/AppletContext;".equals(signature);
    boolean parameterAccessor = "getParameter".equals(method)
            && "(Ljava/lang/String;)Ljava/lang/String;".equals(signature);

    if (urlAccessor || contextAccessor || parameterAccessor) {
        bugReporter.reportBug(new BugInstance(this, "BAC_BAD_APPLET_CONSTRUCTOR", NORMAL_PRIORITY)
                .addClassAndMethod(this)
                .addSourceLine(this));
    }
}
}
/**
 * Reports {@code ESync_EMPTY_SYNC} when a {@code monitorexit} follows its
 * {@code monitorenter} within two opcodes, i.e. the synchronized block is empty.
 *
 * @param seen the opcode just visited
 */
@Override
public void sawOpcode(int seen) {
    if (seen != Const.MONITOREXIT) {
        return;
    }
    boolean enteredJustBefore = getPrevOpcode(2) == Const.MONITORENTER
            || getPrevOpcode(1) == Const.MONITORENTER;
    if (!enteredJustBefore) {
        return;
    }
    bugReporter.reportBug(new BugInstance(this, "ESync_EMPTY_SYNC", NORMAL_PRIORITY)
            .addClassAndMethod(this)
            .addSourceLine(this));
}
}
/**
 * Reports {@code RPC_ENABLED_EXTENSIONS} when the call matched by
 * {@code ENABLE_EXTENSIONS} receives either a non-constant argument or the
 * constant {@code Integer} 1 as its top-of-stack argument. A non-constant value
 * cannot be proven safe, so it is reported as well.
 *
 * @param seen the opcode just visited
 */
@Override
public void sawOpcode(int seen) {
    if (seen != Const.INVOKEVIRTUAL || !ENABLE_EXTENSIONS.matches(this)) {
        return;
    }
    final OpcodeStack.Item argument = stack.getStackItem(0);
    final Object constant = argument.getConstant();
    // Integer.valueOf(1).equals(...) is only true for an Integer holding 1, so no cast is needed.
    boolean unknownOrEnabled = constant == null || Integer.valueOf(1).equals(constant);
    if (unknownOrEnabled) {
        bugReporter.reportBug(new BugInstance(this, RPC_ENABLED_EXTENSIONS, Priorities.HIGH_PRIORITY)
                .addClass(this)
                .addMethod(this)
                .addSourceLine(this));
    }
}
}
/**
 * Reports {@code DC_PARTIALLY_CONSTRUCTED} when the stack item at {@code arg}
 * is the field currently under double-check inspection, annotating both the
 * current instruction and the earlier store at {@code assignPC}; the detector
 * stage is advanced afterwards.
 *
 * @param arg offset from the top of the operand stack of the item to check
 */
private void checkStackValue(int arg) {
    Item candidate = getStack().getStackItem(arg);
    // Identity comparison is what the detector relies on for XField instances here.
    if (candidate.getXField() != currentDoubleCheckField) {
        return;
    }
    BugInstance partiallyConstructed = new BugInstance(this, "DC_PARTIALLY_CONSTRUCTED", NORMAL_PRIORITY)
            .addClassAndMethod(this)
            .addField(currentDoubleCheckField).describe("FIELD_ON")
            .addSourceLine(this)
            .addSourceLine(this, assignPC).describe("SOURCE_LINE_STORED");
    bugReporter.reportBug(partiallyConstructed);
    stage++;
}
}
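/**
 * Reports {@code LDAP_ENTRY_POISONING} when a {@code SearchControls} constructor
 * (matched by {@code PATTERN_SEARCH_CONTROLS_INIT}) or setter (matched by
 * {@code PATTERN_SEARCH_CONTROLS_SETTER}) receives the constant {@code Integer} 1
 * in the flag position each pattern designates — presumably the
 * returning-object flag; confirm against the patterns.
 *
 * @param seen the opcode just visited
 */
@Override
public void sawOpcode(int seen) {
    boolean shouldReportBug = false;
    if (seen == INVOKESPECIAL && PATTERN_SEARCH_CONTROLS_INIT.matches(this)) {
        // Constructor: the flag is the second item from the top of the stack.
        shouldReportBug = isConstantOne(stack.getStackItem(1));
    } else if (seen == INVOKEVIRTUAL && PATTERN_SEARCH_CONTROLS_SETTER.matches(this)) {
        // Setter: the flag is the top-of-stack item.
        shouldReportBug = isConstantOne(stack.getStackItem(0));
    }
    if (shouldReportBug) {
        bugReporter.reportBug(new BugInstance(this, LDAP_ENTRY_POISONING, Priorities.NORMAL_PRIORITY)
                .addClass(this)
                .addMethod(this)
                .addSourceLine(this));
    }
}

/** Returns true when the item's known constant is the {@code Integer} value 1. */
private static boolean isConstantOne(OpcodeStack.Item item) {
    Object param = item.getConstant();
    return param instanceof Integer && Integer.valueOf(1).equals(param);
}
}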
/**
 * Reports {@code INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE_TYPE} for
 * {@code printStackTrace} calls on classes accepted by
 * {@link #isVulnerableClassToPrint}: at normal priority when the stack trace is
 * written to an explicit {@code PrintStream}/{@code PrintWriter}, at low
 * priority for the no-argument form. Other overloads are not reported.
 *
 * @param seen the opcode just visited
 */
@Override
public void sawOpcode(int seen) {
    if (seen != Const.INVOKEVIRTUAL) {
        return;
    }
    String fullClassName = getClassConstantOperand();
    String method = getNameConstantOperand();
    if (!isVulnerableClassToPrint(fullClassName) || !method.equals("printStackTrace")) {
        return;
    }

    boolean report;
    int priority;
    if (stack.getStackDepth() > 1) {
        // An argument is present: only the PrintStream/PrintWriter overloads are flagged.
        OpcodeStack.Item parameter = stack.getStackItem(0);
        String parameterSignature = parameter.getSignature();
        report = parameterSignature.equals("Ljava/io/PrintStream;")
                || parameterSignature.equals("Ljava/io/PrintWriter;");
        priority = Priorities.NORMAL_PRIORITY;
    } else {
        // Bare printStackTrace(): reported with lower confidence.
        report = true;
        priority = Priorities.LOW_PRIORITY;
    }

    if (report) {
        bugReporter.reportBug(new BugInstance(this, INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE_TYPE, priority)
                .addClass(this)
                .addMethod(this)
                .addSourceLine(this));
    }
}
bugReporter.reportBug(new BugInstance(this, WEAK_TRUST_MANAGER_TYPE, Priorities.NORMAL_PRIORITY) // .addClass(this).addMethod(this).addSourceLine(this)); bugReporter.reportBug(new BugInstance(this, WEAK_HOSTNAME_VERIFIER_TYPE, Priorities.NORMAL_PRIORITY) // .addClass(this).addMethod(this).addSourceLine(this)); bugReporter.reportBug(new BugInstance(this, WEAK_TRUST_MANAGER_TYPE, Priorities.NORMAL_PRIORITY) // .addClass(this).addMethod(this).addSourceLine(this));
/**
 * Two-step state machine: after a {@code monitorenter} (stage 0 → 1), the next
 * opcode walk looks for a {@code wait} call (stage 1 → 2) and reports it as
 * {@code UW_UNCOND_WAIT}; the no-argument {@code wait()} ({@code ()V}) gets
 * normal priority, timed variants low priority. Stage 2 and beyond are inert.
 *
 * @param seen the opcode just visited
 */
@Override
public void sawOpcode(int seen) {
    if (stage == 0) {
        if (seen == Const.MONITORENTER) {
            stage = 1;
        }
        return;
    }
    if (stage != 1) {
        return;
    }
    // getNameConstantOperand() is only consulted for invoke opcodes (short-circuit).
    boolean waitCall = seen == Const.INVOKEVIRTUAL && "wait".equals(getNameConstantOperand());
    if (!waitCall) {
        return;
    }
    int priority = "()V".equals(getSigConstantOperand()) ? NORMAL_PRIORITY : LOW_PRIORITY;
    bugReporter.reportBug(new BugInstance(this, "UW_UNCOND_WAIT", priority)
            .addClassAndMethod(this)
            .addSourceLine(this));
    stage = 2;
}
}
/**
 * Reports {@code PS_PUBLIC_SEMAPHORES} (once per class) when {@code this}
 * ({@code aload_0}) is immediately used as the receiver of
 * {@code Object.wait}/{@code notify}/{@code notifyAll}. Any other opcode after
 * the {@code aload_0} resets the state machine.
 *
 * @param seen the opcode just visited
 */
@Override
public void sawOpcode(int seen) {
    if (alreadyReported) {
        return;
    }
    switch (state) {
        case SEEN_NOTHING:
            if (seen == Const.ALOAD_0) {
                state = SEEN_ALOAD_0;
            }
            break;
        case SEEN_ALOAD_0:
            // getClassConstantOperand() is only consulted for invoke opcodes (short-circuit).
            boolean objectVirtualCall = seen == Const.INVOKEVIRTUAL
                    && "java/lang/Object".equals(getClassConstantOperand());
            if (objectVirtualCall && isMonitorMethod(getNameConstantOperand())) {
                bugReporter.reportBug(new BugInstance(this, "PS_PUBLIC_SEMAPHORES", NORMAL_PRIORITY)
                        .addClassAndMethod(this)
                        .addSourceLine(this));
                alreadyReported = true;
            }
            state = SEEN_NOTHING;
            break;
        default:
            break;
    }
}

/** True for the three {@code java.lang.Object} monitor methods. */
private static boolean isMonitorMethod(String methodName) {
    return "wait".equals(methodName) || "notify".equals(methodName) || "notifyAll".equals(methodName);
}
if ("java/io/ObjectOutputStream".equals(calledClassName) && Const.CONSTRUCTOR_NAME.equals(calledMethodName) && "(Ljava/io/OutputStream;)V".equals(calledMethodSig) && stack.getStackItem(0).getSpecialKind() == OpcodeStack.Item.FILE_OPENED_IN_APPEND_MODE) { bugReporter.reportBug(new BugInstance(this, "IO_APPENDING_TO_OBJECT_OUTPUT_STREAM", Priorities.HIGH_PRIORITY) .addClassAndMethod(this).addSourceLine(this)); OpcodeStack.Item item = stack.getStackItem(0); Object value = item.getConstant(); sawOpenInAppendMode = value instanceof Integer && ((Integer) value).intValue() == 1; bugReporter.reportBug(new BugInstance(this, "IO_APPENDING_TO_OBJECT_OUTPUT_STREAM", Priorities.HIGH_PRIORITY) .addClassAndMethod(this).addSourceLine(this)); sawOpenInAppendMode = false; } else {
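/**
 * Reports {@code PLAY_UNVALIDATED_REDIRECT_TYPE} for a virtual call to one of
 * {@code REDIRECT_METHODS} made from a class whose direct superclass is
 * {@code scala/runtime/AbstractFunction0} (presumably the shape Play action
 * closures compile to — confirm against the detector's tests). The called
 * method name is attached to the report.
 *
 * @param seen the opcode just visited
 */
@Override
public void sawOpcode(int seen) {
    if (seen != INVOKEVIRTUAL || !REDIRECT_METHODS.contains(getNameConstantOperand())) {
        return;
    }
    try {
        String superclassName = getClassDescriptor().getXClass().getSuperclassDescriptor().getClassName();
        if ("scala/runtime/AbstractFunction0".equals(superclassName)) {
            bugReporter.reportBug(new BugInstance(this, PLAY_UNVALIDATED_REDIRECT_TYPE, Priorities.NORMAL_PRIORITY)
                    .addClass(this)
                    .addMethod(this)
                    .addSourceLine(this)
                    .addString(getNameConstantOperand()));
        }
    } catch (CheckedAnalysisException ignored) {
        // Class hierarchy lookup failed (typically the class is not resolvable from the
        // analysis classpath); best-effort detector, so nothing is reported for this call.
    }
}
}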
/**
 * Reports a hard-coded secret passed to the current call. The bug type is
 * {@code HARD_CODE_PASSWORD_TYPE} if any of the given parameters is a
 * {@code String} or {@code char[]}, otherwise {@code HARD_CODE_KEY_TYPE}. Each
 * parameter is annotated with its stack offset, the field or method it came
 * from, and its constant value when known.
 *
 * @param priority priority to report the bug with
 * @param offsets  operand-stack offsets (0 = top, i.e. last parameter) of the hard-coded arguments
 */
private void reportBugSink(int priority, Collection<Integer> offsets) {
    boolean textualParameter = offsets.stream()
            .map(offset -> stack.getStackItem(offset).getSignature())
            .anyMatch(sig -> "Ljava/lang/String;".equals(sig) || "[C".equals(sig));
    String bugType = textualParameter ? HARD_CODE_PASSWORD_TYPE : HARD_CODE_KEY_TYPE;

    BugInstance bugInstance = new BugInstance(this, bugType, priority)
            .addClass(this)
            .addMethod(this)
            .addSourceLine(this)
            .addCalledMethod(this);

    for (Integer offset : offsets) {
        OpcodeStack.Item argument = stack.getStackItem(offset);
        bugInstance
                .addParameterAnnotation(offset, "Hard coded parameter number (in reverse order) is")
                .addFieldOrMethodValueSource(argument);
        Object constant = argument.getConstant();
        if (constant != null) {
            bugInstance.addString(constant.toString());
        }
    }

    bugReporter.reportBug(bugInstance);
}