/**
 * Marks the logger as escaped when the referenced field has a Logger type, or when the
 * item on top of the operand stack is a Logger. Both checks always run; either one sets the flag.
 */
private void checkForFieldEscape() {
    String fieldSig = getSigConstantOperand();
    boolean loggerField = fieldSig.indexOf("Logger") >= 0;
    boolean loggerOnTop = stack.getStackItem(0).getSignature().endsWith("Logger;");
    if (loggerField || loggerOnTop) {
        loggerEscaped = true;
    }
}
/**
 * Marks the logger as escaped when a Logger flows into the invoked method: either one of the
 * argument items on the operand stack has a Logger type, or the method descriptor declares a
 * Logger parameter (an occurrence of "Logger" before the closing parenthesis).
 */
private void checkForMethodExportImport() {
    String methodSig = getSigConstantOperand();
    int argCount = PreorderVisitor.getNumberArguments(methodSig);
    for (int arg = 0; arg < argCount; arg++) {
        if (stack.getStackItem(arg).getSignature().endsWith("Logger;")) {
            loggerEscaped = true;
        }
    }
    int paramsEnd = methodSig.indexOf(')');
    int loggerAt = methodSig.indexOf("Logger");
    // Only an occurrence inside the parameter list counts; a Logger in the return type does not.
    boolean loggerParam = loggerAt >= 0 && loggerAt < paramsEnd;
    if (loggerParam) {
        loggerEscaped = true;
    }
}
/**
 * Reports DMI_COLLECTION_OF_URLS when a java.net.URL is used as the lookup key in
 * HashMap.get / Map.get / HashSet.contains / Set.contains.
 */
@Override
public void sawOpcode(int seen) {
    if (seen != Const.INVOKEVIRTUAL && seen != Const.INVOKEINTERFACE) {
        return;
    }
    String owner = getClassConstantOperand();
    String name = getNameConstantOperand();
    boolean mapGet = "get".equals(name)
            && ((seen == Const.INVOKEVIRTUAL && "java/util/HashMap".equals(owner))
                || (seen == Const.INVOKEINTERFACE && "java/util/Map".equals(owner)));
    boolean setContains = "contains".equals(name)
            && ((seen == Const.INVOKEVIRTUAL && "java/util/HashSet".equals(owner))
                || (seen == Const.INVOKEINTERFACE && "java/util/Set".equals(owner)));
    if (!mapGet && !setContains) {
        return;
    }
    // The key / element argument is the top stack item.
    OpcodeStack.Item key = stack.getStackItem(0);
    if ("Ljava/net/URL;".equals(key.getSignature())) {
        accumulator.accumulateBug(
                new BugInstance(DumbMethods.this, "DMI_COLLECTION_OF_URLS", HIGH_PRIORITY)
                        .addClassAndMethod(DumbMethods.this),
                DumbMethods.this);
    }
}
} // closes the enclosing inner class of DumbMethods (its header is above this excerpt)
/**
 * Reports SQL_BAD_RESULTSET_ACCESS / SQL_BAD_PREPARED_STATEMENT_ACCESS when a typed
 * ResultSet getXxx/updateXxx or PreparedStatement setXxx call is made with an int index
 * that may be zero (JDBC column and parameter indices start at 1). HIGH priority when the
 * index is definitely zero, NORMAL when it merely could be.
 */
@Override
public void sawOpcode(int seen) {
    if (seen != Const.INVOKEINTERFACE) {
        return;
    }
    String methodName = getNameConstantOperand();
    String owner = getClassConstantOperand();
    boolean preparedStatement = "java/sql/PreparedStatement".equals(owner);
    boolean typedAccess;
    if ("java/sql/ResultSet".equals(owner)) {
        typedAccess = isTypedAccessor(methodName, "get") || isTypedAccessor(methodName, "update");
    } else if (preparedStatement) {
        typedAccess = isTypedAccessor(methodName, "set");
    } else {
        typedAccess = false;
    }
    if (!typedAccess) {
        return;
    }
    String signature = getSigConstantOperand();
    int argCount = PreorderVisitor.getNumberArguments(signature);
    if (stack.getStackDepth() < argCount) {
        return;
    }
    // The deepest argument item is the first parameter: the column / parameter index.
    OpcodeStack.Item index = stack.getStackItem(argCount - 1);
    if (!"I".equals(index.getSignature()) || !index.couldBeZero()) {
        return;
    }
    String bugType = preparedStatement ? "SQL_BAD_PREPARED_STATEMENT_ACCESS" : "SQL_BAD_RESULTSET_ACCESS";
    int priority = index.mustBeZero() ? HIGH_PRIORITY : NORMAL_PRIORITY;
    bugReporter.reportBug(new BugInstance(this, bugType, priority)
            .addClassAndMethod(this).addSourceLine(this));
}

/** True when {@code methodName} is {@code prefix} followed by one of the known DB field types. */
private boolean isTypedAccessor(String methodName, String prefix) {
    return methodName.startsWith(prefix)
            && dbFieldTypesSet.contains(methodName.substring(prefix.length()));
}
} // closes the enclosing class (its header is above this excerpt)
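/**
 * Accumulates DMI_COLLECTION_OF_URLS when the current invocation is one of {@code methodNames}
 * on a receiver whose type is {@code className} and the argument at stack offset {@code url}
 * is a java.net.URL.
 *
 * @param className   JVM type descriptor the receiver item must have
 * @param methodNames method names to match; must be sorted, since binary search is used
 * @param target      stack offset of the receiver item
 * @param url         stack offset of the item expected to be a URL
 */
void check(String className, String[] methodNames, int target, int url) {
    if (Arrays.binarySearch(methodNames, getNameConstantOperand()) < 0) {
        return;
    }
    // Both offsets are read below, so the depth guard must cover the deeper of the two.
    if (stack.getStackDepth() <= Math.max(target, url)) {
        return;
    }
    OpcodeStack.Item targetItem = stack.getStackItem(target);
    OpcodeStack.Item urlItem = stack.getStackItem(url);
    if (!"Ljava/net/URL;".equals(urlItem.getSignature())) {
        return;
    }
    if (!className.equals(targetItem.getSignature())) {
        return;
    }
    accumulator.accumulateBug(
            new BugInstance(this, "DMI_COLLECTION_OF_URLS", HIGH_PRIORITY)
                    .addClassAndMethod(this).addCalledMethod(this),
            this);
}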
/**
 * Routes class descriptors to {@code check}: the receiver of equals(Object), the constant
 * Class passed to Class.isInstance / Class.cast, and the operand of INSTANCEOF / CHECKCAST.
 */
@Override
public void sawOpcode(int seen) {
    if (seen == Const.INSTANCEOF || seen == Const.CHECKCAST) {
        check(getClassDescriptorOperand());
        return;
    }
    if (seen != Const.INVOKEVIRTUAL) {
        return;
    }
    String name = getNameConstantOperand();
    boolean objectEquals = "equals".equals(name)
            && "(Ljava/lang/Object;)Z".equals(getSigConstantOperand());
    if (objectEquals) {
        // The receiver of equals(Object) sits directly under its single argument.
        String receiverSig = stack.getStackItem(1).getSignature();
        check(DescriptorFactory.createClassDescriptorFromSignature(receiverSig));
        return;
    }
    boolean classTest = "java/lang/Class".equals(getClassConstantOperand())
            && ("isInstance".equals(name) || "cast".equals(name));
    if (!classTest) {
        return;
    }
    OpcodeStack.Item receiver = stack.getStackItem(1);
    if (!"Ljava/lang/Class;".equals(receiver.getSignature())) {
        return;
    }
    // Only a Class receiver whose value is a known String constant (the class name) is checked.
    Object constant = receiver.getConstant();
    if (constant instanceof String) {
        check(DescriptorFactory.createClassDescriptor((String) constant));
    }
}
/**
 * Reports a hard-coded credential at the current call site. The bug type is
 * HARD_CODE_PASSWORD_TYPE when any flagged argument is a String or char[], otherwise
 * HARD_CODE_KEY_TYPE. Each flagged argument is annotated with its offset and value source and,
 * when the analysis knows it, with the literal value itself — so the secret is carried into
 * the report output.
 *
 * @param priority bug priority to report
 * @param offsets  stack offsets of the hard-coded arguments (0 = top of stack, i.e. reverse
 *                 parameter order)
 */
private void reportBugSink(int priority, Collection<Integer> offsets) {
    boolean textual = offsets.stream()
            .map(offset -> stack.getStackItem(offset).getSignature())
            .anyMatch(sig -> "Ljava/lang/String;".equals(sig) || "[C".equals(sig));
    String bugType = textual ? HARD_CODE_PASSWORD_TYPE : HARD_CODE_KEY_TYPE;

    BugInstance bug = new BugInstance(this, bugType, priority)
            .addClass(this).addMethod(this)
            .addSourceLine(this).addCalledMethod(this);
    for (Integer offset : offsets) {
        OpcodeStack.Item argument = stack.getStackItem(offset);
        bug.addParameterAnnotation(offset, "Hard coded parameter number (in reverse order) is")
                .addFieldOrMethodValueSource(argument);
        Object literal = argument.getConstant();
        if (literal != null) {
            bug.addString(literal.toString());
        }
    }
    bugReporter.reportBug(bug);
}
/**
 * Walks the operand stack and marks as hard-coded every item that is a non-array literal
 * (a known constant or null) and every item whose value comes from a hard-coded field.
 */
private void markHardCodedItemsFromFlow() {
    for (int offset = 0; offset < stack.getStackDepth(); offset++) {
        OpcodeStack.Item item = stack.getStackItem(offset);
        boolean literal = item.getConstant() != null || item.isNull();
        if (literal && !item.getSignature().startsWith("[")) {
            setHardCodedItem(item);
        }
        // Evaluated independently of the literal test; an item may be marked by both paths.
        if (hasHardCodedFieldSource(item)) {
            setHardCodedItem(item);
        }
    }
}
int[] oldStartEnd = iterator.next(); if(codeEquals(oldStartEnd, startEnd)) { Item item1 = getStack().getStackItem(0); Item item2 = getStack().getStackItem(1); accumulator.accumulateBug( new BugInstance("CO_COMPARETO_INCORRECT_FLOATING", NORMAL_PRIORITY).addClassAndMethod(this) .addType(item1.getSignature()) .addMethod(item1.getSignature().equals("D")?DOUBLE_DESCRIPTOR:FLOAT_DESCRIPTOR).describe(MethodAnnotation.SHOULD_CALL) .addValueSource(item1, this) .addValueSource(item2, this), this); OpcodeStack.Item top = stack.getStackItem(0); Object o = top.getConstant(); if (o instanceof Integer && ((Integer)o).intValue() == Integer.MIN_VALUE) {
private void check(int pos) { OpcodeStack.Item item = stack.getStackItem(pos); JavaClass type = null; OpcodeStack.Item collection = stack.getStackItem(PreorderVisitor.getNumberArguments(getSigConstantOperand())); String collectionSignature = collection.getSignature(); if (collectionSignature.indexOf("Tree") >= 0 || collectionSignature.indexOf("Sorted") >= 0
Item topItem = null; if (getStackDepth() > 0) { topItem = getStackItem(0); break; Item item = getStackItem(i); String itemSignature = item.getSignature(); if ("Ljava/lang/StringBuilder;".equals(itemSignature) || "Ljava/lang/StringBuffer;".equals(itemSignature)) { markConstantValueUnknown(item); if (seen == Const.INVOKESPECIAL && Const.CONSTRUCTOR_NAME.equals(methodName) && clsName.startsWith("java/io") && clsName.endsWith("Writer") && numberArguments > 0) { Item firstArg = getStackItem(numberArguments-1); if (firstArg.isServletWriter()) { initializingServletWriter = true; && "java/util/Collections".equals(clsName)) { Item requestParameter = pop(); if (JAVA_UTIL_ARRAYS_ARRAY_LIST.equals(requestParameter.getSignature())) { Item result = new Item(JAVA_UTIL_ARRAYS_ARRAY_LIST); push(result);
case Const.ATHROW: if (stack.getStackDepth() > 0) { OpcodeStack.Item item = stack.getStackItem(0); String signature = item.getSignature(); if (signature != null && signature.length() > 0) { if (signature.startsWith("L")) {
OpcodeStack.Item it0 = stack.getStackItem(0); int r0 = it0.getRegisterNumber(); OpcodeStack.Item it1 = stack.getStackItem(1); int r1 = it1.getRegisterNumber(); if (r0 == r1 && r0 > 0) { OpcodeStack.Item it = stack.getStackItem(parameters - 1 - i); if (!it.isInitialParameter() || it.getRegisterNumber() != i) { match1 = false; System.out.println("parameters = " + parameters + ", Item is " + p); String sig = p.getSignature(); sameMethod = p.isInitialParameter() && p.getRegisterNumber() == 0 && sig.equals("L" + getClassName() + ";");
/**
 * Reports INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE for printStackTrace() calls on
 * vulnerable throwable classes: NORMAL priority when the trace goes to an explicit
 * PrintStream / PrintWriter argument, LOW priority for the no-argument form.
 */
@Override
public void sawOpcode(int seen) {
    if (seen != Const.INVOKEVIRTUAL) {
        return;
    }
    String owner = getClassConstantOperand();
    String methodName = getNameConstantOperand();
    if (!isVulnerableClassToPrint(owner) || !methodName.equals("printStackTrace")) {
        return;
    }
    int priority;
    if (stack.getStackDepth() > 1) {
        // Receiver plus an argument: only the PrintStream / PrintWriter overloads are flagged.
        String argSig = stack.getStackItem(0).getSignature();
        boolean printTarget = argSig.equals("Ljava/io/PrintStream;") || argSig.equals("Ljava/io/PrintWriter;");
        if (!printTarget) {
            return;
        }
        priority = Priorities.NORMAL_PRIORITY;
    } else {
        priority = Priorities.LOW_PRIORITY;
    }
    bugReporter.reportBug(new BugInstance(this, INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE_TYPE, priority)
            .addClass(this).addMethod(this).addSourceLine(this));
}
@Override public void sawOpcode(int seen) { if (seen == Const.INVOKEVIRTUAL && writeObject.equals(getXMethodOperand())) { OpcodeStack.Item top = stack.getStackItem(0); String signature = top.getSignature(); while (signature.charAt(0) == '[') { signature = signature.substring(1); OpcodeStack.Item top = stack.getStackItem(0); if (readObject.equals(top.getReturnValueOf())) { ClassDescriptor c = getClassDescriptorOperand();
Item left = stack.getStackItem(1); XMethod leftM = left.getReturnValueOf(); Item right = stack.getStackItem(0); XMethod rightM = right.getReturnValueOf(); if ("Ljava/lang/Class;".equals(left.getSignature()) && "Ljava/lang/Class;".equals(right.getSignature())) { boolean leftMatch = leftM != null && "getClass".equals(leftM.getName()); boolean rightMatch = rightM != null && "getClass".equals(rightM.getName());
OpcodeStack.Item item0 = stack.getStackItem(0); OpcodeStack.Item item1 = stack.getStackItem(1); if ("D".equals(item0.getSignature()) || "F".equals(item0.getSignature())) { return; if ("D".equals(item1.getSignature()) || "F".equals(item1.getSignature())) { return;
OpcodeStack.Item left = stack.getStackItem(1); OpcodeStack.Item right = stack.getStackItem(0); if (badUseOfCompareResult(left, right)) { XMethod returnValueOf = left.getReturnValueOf(); OpcodeStack.Item invokedOn = stack.getStackItem(arguments); if (invokedOn.isNewlyAllocated() && (!Const.CONSTRUCTOR_NAME.equals(getMethodName()) || invokedOn.getRegisterNumber() != 0)) { OpcodeStack.Item item = stack.getStackItem(i); if (item.isNewlyAllocated() && item.getSignature().equals(invokedOn.getSignature())) { break checkForInitWithoutCopyOnStack;
@Override public void sawOpcode(int seen) { if ((isRegisterStore() && !isRegisterLoad()) || seen == Const.PUTFIELD || seen == Const.PUTSTATIC || seen == Const.ARETURN) { Item valueItem = getStack().getStackItem(0); if(!valueItem.isNull() && valueItem.isNewlyAllocated() && valueItem.getSignature().startsWith("[L") && !((Integer)0).equals(valueItem.getConstant())) { String valueClass = valueItem.getSignature().substring(2, valueItem.getSignature().length()-1); String arraySignature = null; int priority = LOW_PRIORITY; .addFoundAndExpectedType(valueItem.getSignature(), arraySignature) .addSourceLine(this).addValueSource(valueItem, this); if(field != null) { Item valueItem = getStack().getStackItem(0); if(!valueItem.isNull()) { Item arrayItem = getStack().getStackItem(2); String arraySignature = arrayItem.getSignature(); String valueSignature = valueItem.getSignature();
switch (seen) { case Const.MONITORENTER: OpcodeStack.Item top = stack.getStackItem(0); syncSignature = top.getSignature(); isSyncOnBoolean = false; Object constant = top.getConstant();