/**
 * Reports whether the tracker considers any location of the method's CFG a
 * possible resource close.
 *
 * @param classContext    context of the class under analysis; supplies the CFG and the constant pool
 * @param method          the method whose locations are scanned
 * @param resourceTracker tracker that is asked about every location
 * @return {@code true} as soon as one location is accepted by the tracker, {@code false} otherwise
 * @throws CFGBuilderException       declared by the original signature
 * @throws DataflowAnalysisException declared by the original signature
 */
private boolean mightCloseResource(ClassContext classContext, Method method, ResourceTrackerType resourceTracker)
        throws CFGBuilderException, DataflowAnalysisException {
    CFG controlFlowGraph = classContext.getCFG(method);
    ConstantPoolGen constantPool = classContext.getConstantPoolGen();

    Iterator<Location> locations = controlFlowGraph.locationIterator();
    while (locations.hasNext()) {
        Location current = locations.next();
        boolean closes = resourceTracker.mightCloseResource(
                current.getBasicBlock(), current.getHandle(), constantPool);
        if (closes) {
            // One possible close is enough; the remaining locations are not inspected.
            return true;
        }
    }
    return false;
}
/**
 * Creates a matcher that searches one method for occurrences of a bytecode pattern.
 * The work list, visited-block map and result list start out empty; every
 * analysis object is obtained from the given class context.
 *
 * @param pattern
 *            the ByteCodePattern to look for examples of
 * @param classContext
 *            ClassContext for the class to analyze
 * @param method
 *            the Method to analyze
 * @throws CFGBuilderException
 *             declared by the original signature
 * @throws DataflowAnalysisException
 *             declared by the original signature
 */
public PatternMatcher(ByteCodePattern pattern, ClassContext classContext, Method method)
        throws CFGBuilderException, DataflowAnalysisException {
    // Bookkeeping containers do not depend on the class context.
    this.workList = new LinkedList<>();
    this.visitedBlockMap = new IdentityHashMap<>();
    this.resultList = new LinkedList<>();

    this.pattern = pattern;

    // Per-method analyses, requested in the same order as before.
    this.cfg = classContext.getCFG(method);
    this.cpg = classContext.getConstantPoolGen();
    this.dfs = classContext.getDepthFirstSearch(method);
    this.vnaDataflow = classContext.getValueNumberDataflow(method);
    this.domAnalysis = classContext.getNonExceptionDominatorsAnalysis(method);
}
/**
 * Prints a diagnostic dump to standard output for every invoke instruction of
 * the method: the call site, the converted signature, the prototype method
 * found by {@code Hierarchy.findInvocationLeastUpperBound} and the set of
 * targets resolved from the type dataflow fact at that location.
 * When {@code TARGET_METHOD} is non-null, only invocations of a method with
 * that name are dumped.
 *
 * @param classContext context of the class under analysis
 * @param method       the method whose call sites are dumped
 * @throws CFGBuilderException       declared by the original signature
 * @throws ClassNotFoundException    declared by the original signature
 * @throws DataflowAnalysisException declared by the original signature
 */
private void analyzeMethod(ClassContext classContext, Method method)
        throws CFGBuilderException, ClassNotFoundException, DataflowAnalysisException {
    CFG cfg = classContext.getCFG(method);

    Iterator<Location> locations = cfg.locationIterator();
    while (locations.hasNext()) {
        Location location = locations.next();
        Instruction ins = location.getHandle().getInstruction();
        if (!(ins instanceof InvokeInstruction)) {
            continue;
        }
        InvokeInstruction invoke = (InvokeInstruction) ins;

        // Optional name filter: skip call sites that do not invoke TARGET_METHOD.
        if (TARGET_METHOD != null
                && !invoke.getMethodName(classContext.getConstantPoolGen()).equals(TARGET_METHOD)) {
            continue;
        }

        System.out.println("\n*******************************************************\n");
        System.out.println("Method invocation: " + location.getHandle());
        System.out.println("\tInvoking: "
                + SignatureConverter.convertMethodSignature(invoke, classContext.getConstantPoolGen()));

        JavaClassAndMethod proto =
                Hierarchy.findInvocationLeastUpperBound(invoke, classContext.getConstantPoolGen());
        String protoLine = (proto == null)
                ? "\tUnknown prototype method"
                : "\tPrototype method: class=" + proto.getJavaClass().getClassName() + ", method="
                        + proto.getMethod();
        System.out.println(protoLine);

        Set<JavaClassAndMethod> calledMethodSet = Hierarchy.resolveMethodCallTargets(
                invoke,
                classContext.getTypeDataflow(method).getFactAtLocation(location),
                classContext.getConstantPoolGen());
        System.out.println("\tTarget method set: " + calledMethodSet);
    }
}
/**
 * Collects every resource the tracker recognises as being created somewhere
 * in the method.
 *
 * @param classContext    context of the class under analysis; supplies the CFG and the constant pool
 * @param method          the method whose locations are scanned
 * @param resourceTracker tracker asked, per location, whether a resource is created there
 * @return a collection holding one entry per location for which the tracker returned a non-null resource
 * @throws CFGBuilderException       declared by the original signature
 * @throws DataflowAnalysisException declared by the original signature
 */
private ResourceCollection<Resource> buildResourceCollection(ClassContext classContext, Method method,
        ResourceTrackerType resourceTracker) throws CFGBuilderException, DataflowAnalysisException {
    ResourceCollection<Resource> created = new ResourceCollection<>();

    CFG controlFlowGraph = classContext.getCFG(method);
    ConstantPoolGen constantPool = classContext.getConstantPoolGen();

    Iterator<Location> locations = controlFlowGraph.locationIterator();
    while (locations.hasNext()) {
        Location site = locations.next();
        Resource candidate =
                resourceTracker.isResourceCreation(site.getBasicBlock(), site.getHandle(), constantPool);
        if (candidate == null) {
            // The tracker does not treat this location as a creation point.
            continue;
        }
        created.addCreatedResource(site, candidate);
    }
    return created;
}
// Constant pool of the class being analyzed, obtained from the class context.
ConstantPoolGen cpg = classContext.getConstantPoolGen();
// The class itself, as held by the same context.
JavaClass jclass = classContext.getJavaClass();
/**
 * Walks the method's locations and hands every invoke instruction that has a
 * valid taint frame to {@code analyzeLocation}.
 *
 * <p>Locations whose instruction is not an invocation, or whose taint frame
 * is not valid, are skipped. A null frame is treated as a programming error
 * and only checked with {@code assert}, so the check is active only when
 * assertions are enabled.
 *
 * @param classContext context of the class under analysis
 * @param method       the method to analyze
 * @throws CheckedAnalysisException declared by the original signature
 */
protected void analyzeMethod(ClassContext classContext, Method method) throws CheckedAnalysisException {
    TaintDataflow taintFacts = getTaintDataFlow(classContext, method);
    ConstantPoolGen constantPool = classContext.getConstantPoolGen();
    String enclosingMethodName = getFullMethodName(classContext.getMethodGen(method));

    Iterator<Location> locations = getLocationIterator(classContext, method);
    while (locations.hasNext()) {
        Location site = locations.next();
        InstructionHandle handle = site.getHandle();
        Instruction instruction = handle.getInstruction();

        if (instruction instanceof InvokeInstruction) {
            InvokeInstruction call = (InvokeInstruction) instruction;
            TaintFrame frame = taintFacts.getFactAtLocation(site);
            assert frame != null;
            if (frame.isValid()) {
                analyzeLocation(classContext, method, handle, constantPool, call, frame, enclosingMethodName);
            }
        }
    }
}
// Parser over the signature of the instruction, resolved through the class's constant pool.
SignatureParser sigParser = new SignatureParser(instruction.getSignature(classContext.getConstantPoolGen()));
// Without a value-number frame there is nothing to look up.
if (vnaFrame != null) {
    try {
        // Value number of the argument selected by i (i is defined outside this excerpt).
        valueNumber = vnaFrame.getArgument(instruction, classContext.getConstantPoolGen(), i, sigParser);
        // Ask for an annotation describing that value number, tagged with the "VALUE_OF" role string.
        BugAnnotation variableAnnotation = ValueNumberSourceInfo.findAnnotationFromValueNumber(method, location, valueNumber, vnaFrame, "VALUE_OF");
/**
 * Reports an LDAP anonymous-bind configuration: the string constant
 * {@code "java.naming.security.authentication"} (the value of
 * {@code javax.naming.Context.SECURITY_AUTHENTICATION}) loaded immediately
 * before the string constant {@code "none"}.
 *
 * <p>Only the first match in the method is reported. The check looks at two
 * adjacent constant loads only; a value of {@code "none"} that arrives through
 * a variable or a method call is not seen by it.
 *
 * @param m            the method to scan
 * @param classContext context of the class that declares {@code m}
 * @throws CFGBuilderException       declared by the original signature
 * @throws DataflowAnalysisException declared by the original signature
 */
private void analyzeMethod(Method m, ClassContext classContext)
        throws CFGBuilderException, DataflowAnalysisException {
    ConstantPoolGen cpg = classContext.getConstantPoolGen();
    CFG cfg = classContext.getCFG(m);

    Iterator<Location> locations = cfg.locationIterator();
    while (locations.hasNext()) {
        Location location = locations.next();
        Instruction inst = location.getHandle().getInstruction();
        if (!(inst instanceof LDC)) {
            continue;
        }
        LDC keyLoad = (LDC) inst;

        if (!"java.naming.security.authentication".equals(keyLoad.getValue(cpg))) {
            continue;
        }
        // The value is expected in the instruction that directly follows the key.
        Object following = ByteCode.getConstantLDC(location.getHandle().getNext(), cpg, String.class);
        if (!"none".equals(following)) {
            continue;
        }

        JavaClass clz = classContext.getJavaClass();
        BugInstance finding = new BugInstance(this, LDAP_ANONYMOUS, Priorities.LOW_PRIORITY)
                .addClass(clz)
                .addMethod(clz, m)
                .addSourceLine(classContext, m, location);
        bugReporter.reportBug(finding);
        // One report per method: stop after the first hit.
        return;
    }
}
// Flag for a toHexString invocation, initially unset; its later use lies outside this excerpt.
boolean invokeToHexString = false;
// Constant pool of the class being analyzed.
ConstantPoolGen cpg = classContext.getConstantPoolGen();
// A method without a MethodGen or without an instruction list has nothing to scan.
if (methodGen == null || methodGen.getInstructionList() == null) {
    continue; //No instruction .. nothing to do
/**
 * Tells whether a method whose name starts with {@code "check"} or
 * {@code "assert"} is invoked at, or shortly after, the given location.
 *
 * <p>The search window is the source line of the starting instruction when the
 * method has a line number table; without one, the search stops at the first
 * instruction more than 15 positions past the start. The match is on the
 * method-name prefix only; the declaring class is not looked at.
 *
 * @param loc location where the search starts
 * @return {@code true} if such an invocation lies inside the window
 */
boolean callToAssertionMethod(Location loc) {
    InstructionHandle start = loc.getHandle();
    int startPos = start.getPosition();
    LineNumberTable lines = method.getLineNumberTable();
    int startLine = (lines != null) ? lines.getSourceLine(startPos) : -1;

    for (InstructionHandle cur = start; cur != null; cur = cur.getNext()) {
        int curPos = cur.getPosition();
        boolean pastWindow = (lines == null)
                ? curPos > startPos + 15
                : lines.getSourceLine(curPos) != startLine;
        if (pastWindow) {
            break;
        }

        Instruction candidate = cur.getInstruction();
        if (candidate instanceof InvokeInstruction) {
            String name = ((InvokeInstruction) candidate).getMethodName(classContext.getConstantPoolGen());
            if (name.startsWith("check") || name.startsWith("assert")) {
                return true;
            }
        }
    }
    return false;
}
/**
 * Reports places where the literal {@code "redirect:"} is passed to
 * {@code java.lang.StringBuilder.append}, i.e. where a Spring redirect view
 * name is assembled by concatenation.
 *
 * <p>The match is purely structural: an INVOKEVIRTUAL of
 * {@code StringBuilder.append} whose directly preceding instruction loads the
 * string constant {@code "redirect:"}. Whether the appended remainder is
 * user-controlled is not examined here.
 * NOTE(review): string concatenation that the compiler does not lower to
 * {@code StringBuilder.append} calls would not be matched by this scan;
 * confirm coverage for the bytecode targets in use.
 *
 * @param m            the method to scan
 * @param classContext context of the class that declares {@code m}
 * @throws CFGBuilderException declared by the original signature
 */
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException {
    JavaClass clazz = classContext.getJavaClass();
    ConstantPoolGen cpg = classContext.getConstantPoolGen();
    CFG cfg = classContext.getCFG(m);

    Iterator<Location> locations = cfg.locationIterator();
    while (locations.hasNext()) {
        Location loc = locations.next();
        Instruction inst = loc.getHandle().getInstruction();
        if (!(inst instanceof INVOKEVIRTUAL)) {
            continue;
        }
        INVOKEVIRTUAL call = (INVOKEVIRTUAL) inst;

        boolean isBuilderAppend = "java.lang.StringBuilder".equals(call.getClassName(cpg))
                && "append".equals(call.getMethodName(cpg));
        if (!isBuilderAppend) {
            continue;
        }

        // The appended operand is expected to be loaded by the instruction just before the call.
        Instruction operandLoad = loc.getHandle().getPrev().getInstruction();
        if (!(operandLoad instanceof LDC)) {
            continue;
        }
        Object constant = ((LDC) operandLoad).getValue(cpg);
        if (constant instanceof String && "redirect:".equals((String) constant)) {
            BugInstance bug = new BugInstance(this, SPRING_UNVALIDATED_REDIRECT_TYPE, Priorities.NORMAL_PRIORITY);
            bug.addClass(clazz).addMethod(clazz, m).addSourceLine(classContext, m, loc);
            reporter.reportBug(bug);
        }
    }
}
/**
 * Reports every invocation of a method named {@code enableDefaultTyping} as a
 * high-priority deserialization finding.
 *
 * <p>The match is on the method name alone: the class that declares the
 * invoked method is not checked, so any method with that name is reported.
 *
 * @param m            the method to scan
 * @param classContext context of the class that declares {@code m}
 * @throws CFGBuilderException       declared by the original signature
 * @throws DataflowAnalysisException declared by the original signature
 */
private void analyzeMethod(Method m, ClassContext classContext)
        throws CFGBuilderException, DataflowAnalysisException {
    MethodGen methodGen = classContext.getMethodGen(m);
    ConstantPoolGen cpg = classContext.getConstantPoolGen();
    CFG cfg = classContext.getCFG(m);

    boolean hasInstructions = methodGen != null && methodGen.getInstructionList() != null;
    if (!hasInstructions) {
        // No instruction list, nothing to scan.
        return;
    }

    Iterator<Location> locations = cfg.locationIterator();
    while (locations.hasNext()) {
        Location location = locations.next();
        Instruction inst = location.getHandle().getInstruction();
        if (!(inst instanceof InvokeInstruction)) {
            continue;
        }
        InvokeInstruction invoke = (InvokeInstruction) inst;
        if (!"enableDefaultTyping".equals(invoke.getMethodName(cpg))) {
            continue;
        }

        JavaClass clz = classContext.getJavaClass();
        BugInstance finding = new BugInstance(this, DESERIALIZATION_TYPE, HIGH_PRIORITY)
                .addClass(clz)
                .addMethod(clz, m)
                .addCalledMethod(cpg, invoke)
                .addSourceLine(classContext, m, location);
        bugReporter.reportBug(finding);
    }
}
/**
 * Accumulates an {@code SWL_SLEEP_WITH_LOCK_HELD} bug for every static
 * invocation accepted by {@code isSleep} (defined elsewhere in the class) at a
 * location where the lock dataflow reports at least one locked object, then
 * reports the accumulated bugs.
 *
 * @param classContext context of the class under analysis
 * @param method       the method to scan
 * @throws CFGBuilderException       declared by the original signature
 * @throws DataflowAnalysisException declared by the original signature
 */
private void analyzeMethod(ClassContext classContext, Method method)
        throws CFGBuilderException, DataflowAnalysisException {
    CFG cfg = classContext.getCFG(method);
    LockDataflow lockDataflow = classContext.getLockDataflow(method);

    Iterator<Location> locations = cfg.locationIterator();
    while (locations.hasNext()) {
        Location location = locations.next();
        Instruction ins = location.getHandle().getInstruction();

        boolean sleepCall = ins instanceof INVOKESTATIC
                && isSleep((INVOKESTATIC) ins, classContext.getConstantPoolGen());
        if (!sleepCall) {
            continue;
        }

        // Lock set the dataflow analysis computed for this call site.
        LockSet heldLocks = lockDataflow.getFactAtLocation(location);
        if (heldLocks.getNumLockedObjects() > 0) {
            BugInstance bug = new BugInstance(this, "SWL_SLEEP_WITH_LOCK_HELD", NORMAL_PRIORITY)
                    .addClassAndMethod(classContext.getJavaClass(), method);
            bugAccumulator.accumulateBug(bug, classContext, method, location);
        }
    }
    bugAccumulator.reportAccumulatedBugs();
}
// Type frame the dataflow analysis holds for this location.
TypeFrame frame = typeDataflow.getFactAtLocation(location);
// Only a valid frame is queried for the instance type.
if (frame.isValid()) {
    // Type of the object the instruction operates on, according to the frame.
    Type type = frame.getInstance(ins, classContext.getConstantPoolGen());
    if (type instanceof ReferenceType) {
        // Record the receiver's type, as a string, among the warning properties.
        propertySet.setProperty(GeneralWarningProperty.RECEIVER_OBJECT_TYPE, type.toString());
/**
 * Looks up an annotation describing the value the instruction at the given
 * location operates on.
 *
 * <p>Returns {@code null} when the value-number frame is not valid, when the
 * value number carries the {@code CONSTANT_CLASS_OBJECT} flag, or when the
 * analysis throws; both analysis exceptions are deliberately swallowed, so a
 * failed lookup is indistinguishable from "no annotation".
 *
 * @param location the location to describe
 * @return the annotation returned by {@code ValueNumberSourceInfo}, or {@code null}
 */
BugAnnotation getVariableAnnotation(Location location) {
    try {
        ValueNumberFrame frame = classContext.getValueNumberDataflow(method).getFactAtLocation(location);
        if (!frame.isValid()) {
            return null;
        }

        Instruction ins = location.getHandle().getInstruction();
        ValueNumber instanceValue = frame.getInstance(ins, classContext.getConstantPoolGen());
        if (instanceValue.hasFlag(ValueNumber.CONSTANT_CLASS_OBJECT)) {
            return null;
        }
        return ValueNumberSourceInfo.findAnnotationFromValueNumber(method, location, instanceValue, frame,
                "VALUE_OF");
    } catch (DataflowAnalysisException ignored) {
        // Best effort: no annotation when the dataflow analysis fails.
        return null;
    } catch (CFGBuilderException ignored) {
        // Best effort: no annotation when the CFG cannot be built.
        return null;
    }
}
// Constant pool of the class being analyzed.
ConstantPoolGen cpg = classContext.getConstantPoolGen();
// Control-flow graph the class context provides for method m.
CFG cfg = classContext.getCFG(m);
// Start profiling under the CheckCallSitesAndReturnInstructions key.
// NOTE(review): the matching end call is presumably in a finally block outside this excerpt; confirm.
profiler.start(CheckCallSitesAndReturnInstructions.class);
try {
    // Constant pool of the class being analyzed.
    ConstantPoolGen cpg = classContext.getConstantPoolGen();
    // Type dataflow the class context provides for the method.
    TypeDataflow typeDataflow = classContext.getTypeDataflow(method);
/**
 * Analyzes one method; only the opening statements of the body are visible in this excerpt.
 *
 * @param m            the method to analyze
 * @param classContext context of the class that declares {@code m}
 * @throws CFGBuilderException declared by the signature
 */
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException {
    // Constant pool of the class being analyzed.
    ConstantPoolGen cpg = classContext.getConstantPoolGen();
    // Control-flow graph the class context provides for m.
    CFG cfg = classContext.getCFG(m);
// Instruction found at the current location.
Instruction ins = location.getHandle().getInstruction();
// Annotation naming the cause; assigned later, outside this excerpt.
BugAnnotation cause;
// Constant pool of the class being analyzed.
final ConstantPoolGen cpg = classContext.getConstantPoolGen();
/**
 * Accumulates a high-priority {@code DM_MONITOR_WAIT_ON_CONDITION} bug when
 * the receiver of the instruction at the current PC is a reference type that
 * {@code Hierarchy.isSubtype} reports as a subtype of {@code CONDITION_TYPE}
 * (defined elsewhere in the class).
 *
 * <p>Nothing is reported when the type dataflow has no entry for the
 * instruction or the receiver is not a reference type. A missing class is
 * forwarded to the bug reporter; analysis failures are logged, not rethrown.
 */
private void checkMonitorWait() {
    try {
        TypeDataflow typeDataflow = getClassContext().getTypeDataflow(getMethod());
        TypeDataflow.LocationAndFactPair pair = typeDataflow.getLocationAndFactForInstruction(getPC());
        if (pair == null) {
            return;
        }

        Type receiver = pair.frame.getInstance(
                pair.location.getHandle().getInstruction(),
                getClassContext().getConstantPoolGen());

        boolean waitsOnCondition = receiver instanceof ReferenceType
                && Hierarchy.isSubtype((ReferenceType) receiver, CONDITION_TYPE);
        if (waitsOnCondition) {
            BugInstance bug = new BugInstance(this, "DM_MONITOR_WAIT_ON_CONDITION", HIGH_PRIORITY)
                    .addClassAndMethod(this);
            accumulator.accumulateBug(bug, this);
        }
    } catch (ClassNotFoundException e) {
        bugReporter.reportMissingClass(e);
    } catch (DataflowAnalysisException e) {
        bugReporter.logError("Exception caught by DumbMethods", e);
    } catch (CFGBuilderException e) {
        bugReporter.logError("Exception caught by DumbMethods", e);
    }
}