/**
 * Tells whether {@code ins} is a call to {@code append} on a {@code java.lang.StringBuilder}
 * or {@code java.lang.StringBuffer} whose first parameter is a reference type (an array or an
 * object) rather than a primitive.
 *
 * @param ins the instruction under inspection
 * @param cpg the constant pool used to resolve the call's class name, method name and descriptor
 * @return {@code true} only for an {@code INVOKEVIRTUAL} of {@code append} on a class whose name
 *         starts with {@code java.lang.StringB} and whose descriptor's first parameter tag is
 *         {@code [} or {@code L}; {@code false} for everything else
 */
private boolean isStringAppend(Instruction ins, ConstantPoolGen cpg) {
    if (!(ins instanceof INVOKEVIRTUAL)) {
        return false;
    }
    INVOKEVIRTUAL call = (INVOKEVIRTUAL) ins;
    if (!"append".equals(call.getMethodName(cpg))
            || !call.getClassName(cpg).startsWith("java.lang.StringB")) {
        return false;
    }
    // A method descriptor starts with '(' so index 1 holds the type tag of the first
    // parameter, e.g. "(Ljava/lang/String;)Ljava/lang/StringBuilder;".
    char firstParamTag = call.getSignature(cpg).charAt(1);
    return firstParamTag == '[' || firstParamTag == 'L';
}
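/**
 * Models an {@code INVOKEVIRTUAL} in the value-number frame. A call to
 * {@code java.lang.Class.cast} is treated as a no-op: the value number on top of the stack
 * (the argument) is kept as the result and the {@code Class} receiver beneath it is dropped.
 * Every other virtual call is delegated to {@link #handleNormalInstruction}.
 *
 * @param obj the instruction being visited
 */
@Override
public void visitINVOKEVIRTUAL(INVOKEVIRTUAL obj) {
    boolean isClassCast = "cast".equals(obj.getMethodName(cpg))
            && "java.lang.Class".equals(obj.getClassName(cpg));
    if (!isClassCast) {
        handleNormalInstruction(obj);
        return;
    }
    try {
        ValueNumberFrame frame = getFrame();
        // Stack before the call: ..., receiver, argument. The argument is what cast() returns.
        ValueNumber argument = frame.popValue();
        frame.popValue(); // the java.lang.Class receiver
        frame.pushValue(argument);
    } catch (DataflowAnalysisException e) {
        // Logged, not rethrown, so a single malformed frame does not abort the whole analysis.
        // The message names the operation so the failure can be located in the log.
        AnalysisContext.logError("Error modeling Class.cast() as a no-op in visitINVOKEVIRTUAL", e);
    }
}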
if (("javax.crypto.Cipher").equals(invoke.getClassName(cpg)) && "init".equals(invoke.getMethodName(cpg))) { ICONST iconst = ByteCode.getPrevInstruction(location.getHandle(), ICONST.class); else if (("javax.crypto.Cipher").equals(invoke.getClassName(cpg)) && "getIV".equals(invoke.getMethodName(cpg))) { ivFetchFromCipher = true; if ("java.security.SecureRandom".equals(invoke.getClassName(cpg)) && "nextBytes".equals(invoke.getMethodName(cpg))) { foundSafeIvGeneration = true;
if ("java.security.MessageDigest".equals(invoke.getClassName(cpg)) && "digest".equals(invoke.getMethodName(cpg))) { invokeMessageDigest = true;
/**
 * Walks one method's control-flow graph and reports {@code SPRING_UNVALIDATED_REDIRECT_TYPE} at
 * every {@code java.lang.StringBuilder.append} call whose immediately preceding instruction is an
 * {@code LDC} of the string literal {@code "redirect:"}, i.e. a redirect view name being assembled
 * at runtime rather than given as a single literal.
 *
 * <p>The match is deliberately narrow: only {@code StringBuilder} (not {@code StringBuffer}) and
 * only a literal pushed by the instruction directly before the call are considered.
 *
 * @param m the method whose CFG is walked
 * @param classContext the context supplying the class, constant pool and CFG
 * @throws CFGBuilderException if the CFG for {@code m} cannot be built
 */
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException {
    JavaClass javaClass = classContext.getJavaClass();
    ConstantPoolGen cpg = classContext.getConstantPoolGen();
    CFG cfg = classContext.getCFG(m);

    Iterator<Location> locations = cfg.locationIterator();
    while (locations.hasNext()) {
        Location location = locations.next();
        Instruction current = location.getHandle().getInstruction();
        if (!(current instanceof INVOKEVIRTUAL)) {
            continue;
        }
        INVOKEVIRTUAL call = (INVOKEVIRTUAL) current;
        boolean isBuilderAppend = "java.lang.StringBuilder".equals(call.getClassName(cpg))
                && "append".equals(call.getMethodName(cpg));
        if (!isBuilderAppend) {
            continue;
        }
        // Only the instruction right before the append is inspected for the literal.
        Instruction previous = location.getHandle().getPrev().getInstruction();
        if (!(previous instanceof LDC)) {
            continue;
        }
        Object constant = ((LDC) previous).getValue(cpg);
        // String.equals(Object) already rejects non-String constants.
        if ("redirect:".equals(constant)) {
            BugInstance bug = new BugInstance(this, SPRING_UNVALIDATED_REDIRECT_TYPE, Priorities.NORMAL_PRIORITY);
            bug.addClass(javaClass).addMethod(javaClass, m).addSourceLine(classContext, m, location);
            reporter.reportBug(bug);
        }
    }
}
if ("javax.crypto.KeyGenerator".equals(invoke.getClassName(cpg)) && "init".equals(invoke.getMethodName(cpg))) { Number n = null;
INVOKEVIRTUAL invoke = (INVOKEVIRTUAL) nextInst; String methodNameWithSignature = invoke.getClassName(cpg) + "." + invoke.getMethodName(cpg);
/**
 * Tells whether {@code ins} is a call to {@code append} on a {@code java.lang.StringBuilder}
 * or {@code java.lang.StringBuffer} whose first parameter is a reference type (an array or an
 * object) rather than a primitive.
 *
 * @param ins the instruction under inspection
 * @param cpg the constant pool used to resolve the call's class name, method name and descriptor
 * @return {@code true} only for an {@code INVOKEVIRTUAL} of {@code append} on a class whose name
 *         starts with {@code java.lang.StringB} and whose descriptor's first parameter tag is
 *         {@code [} or {@code L}; {@code false} for everything else
 */
private boolean isStringAppend(Instruction ins, ConstantPoolGen cpg) {
    if (!(ins instanceof INVOKEVIRTUAL)) {
        return false;
    }
    INVOKEVIRTUAL call = (INVOKEVIRTUAL) ins;
    if (!"append".equals(call.getMethodName(cpg))
            || !call.getClassName(cpg).startsWith("java.lang.StringB")) {
        return false;
    }
    // A method descriptor starts with '(' so index 1 holds the type tag of the first
    // parameter, e.g. "(Ljava/lang/String;)Ljava/lang/StringBuilder;".
    char firstParamTag = call.getSignature(cpg).charAt(1);
    return firstParamTag == '[' || firstParamTag == 'L';
}
/**
 * Returns the fully qualified name of the class referenced by an invoke instruction.
 *
 * <p>Only the four classic invoke opcodes are recognised: {@code INVOKESTATIC},
 * {@code INVOKEVIRTUAL}, {@code INVOKEINTERFACE} and {@code INVOKESPECIAL}. Any other
 * instruction ({@code INVOKEDYNAMIC} included) yields {@code null}, so callers must be
 * prepared for a null result.
 *
 * @param ins the instruction to inspect
 * @param cp the constant pool used to resolve the class reference
 * @return the referenced class name, or {@code null} if {@code ins} is not one of the four opcodes
 */
public static String getCallClassName(Instruction ins, ConstantPoolGen cp) {
    if (ins instanceof INVOKESTATIC) {
        return ((INVOKESTATIC) ins).getClassName(cp);
    }
    if (ins instanceof INVOKEVIRTUAL) {
        return ((INVOKEVIRTUAL) ins).getClassName(cp);
    }
    if (ins instanceof INVOKEINTERFACE) {
        return ((INVOKEINTERFACE) ins).getClassName(cp);
    }
    if (ins instanceof INVOKESPECIAL) {
        return ((INVOKESPECIAL) ins).getClassName(cp);
    }
    return null;
}
if (INSECURE_APIS.contains(invoke.getClassName(cpg)) && "setHostName".equals(invoke.getMethodName(cpg))) { hostName = ByteCode.getConstantLDC(location.getHandle().getPrev(), cpg, String.class); if (INSECURE_APIS.contains(invoke.getClassName(cpg)) && "setSSLOnConnect".equals(invoke.getMethodName(cpg))) { Integer sslOn = ByteCode.getConstantInt(location.getHandle().getPrev()); if (sslOn != null && sslOn == 1) { sslConnMap.put(location, invoke.getClassName(cpg)+hostName); if (INSECURE_APIS.contains(invoke.getClassName(cpg)) && "setSSLCheckServerIdentity".equals(invoke.getMethodName(cpg))) { Integer checkOn = ByteCode.getConstantInt(location.getHandle().getPrev()); if (checkOn != null && checkOn == 1) { sslCertVerSet.add(invoke.getClassName(cpg)+hostName);
if (INSECURE_APIS.contains(invoke.getClassName(cpg)) && "setHostName".equals(invoke.getMethodName(cpg))) { hostName = ByteCode.getConstantLDC(location.getHandle().getPrev(), cpg, String.class); if (INSECURE_APIS.contains(invoke.getClassName(cpg)) && "setSSLOnConnect".equals(invoke.getMethodName(cpg))) { Integer sslOn = ByteCode.getConstantInt(location.getHandle().getPrev()); if (sslOn != null && sslOn == 1) { sslConnMap.put(location, invoke.getClassName(cpg)+hostName); if (INSECURE_APIS.contains(invoke.getClassName(cpg)) && "setSSLCheckServerIdentity".equals(invoke.getMethodName(cpg))) { Integer checkOn = ByteCode.getConstantInt(location.getHandle().getPrev()); if (checkOn != null && checkOn == 1) { sslCertVerSet.add(invoke.getClassName(cpg)+hostName);
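/**
 * Models an {@code INVOKEVIRTUAL} in the value-number frame. A call to
 * {@code java.lang.Class.cast} is treated as a no-op: the value number on top of the stack
 * (the argument) is kept as the result and the {@code Class} receiver beneath it is dropped.
 * Every other virtual call is delegated to {@link #handleNormalInstruction}.
 *
 * @param obj the instruction being visited
 */
@Override
public void visitINVOKEVIRTUAL(INVOKEVIRTUAL obj) {
    boolean isClassCast = "cast".equals(obj.getMethodName(cpg))
            && "java.lang.Class".equals(obj.getClassName(cpg));
    if (!isClassCast) {
        handleNormalInstruction(obj);
        return;
    }
    try {
        ValueNumberFrame frame = getFrame();
        // Stack before the call: ..., receiver, argument. The argument is what cast() returns.
        ValueNumber argument = frame.popValue();
        frame.popValue(); // the java.lang.Class receiver
        frame.pushValue(argument);
    } catch (DataflowAnalysisException e) {
        // Logged, not rethrown, so a single malformed frame does not abort the whole analysis.
        // The message names the operation so the failure can be located in the log.
        AnalysisContext.logError("Error modeling Class.cast() as a no-op in visitINVOKEVIRTUAL", e);
    }
}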
if ("java.security.MessageDigest".equals(invoke.getClassName(cpg)) && "digest".equals(invoke.getMethodName(cpg))) { invokeMessageDigest = true;
/**
 * Walks one method's control-flow graph and reports {@code SPRING_UNVALIDATED_REDIRECT_TYPE} at
 * every {@code java.lang.StringBuilder.append} call whose immediately preceding instruction is an
 * {@code LDC} of the string literal {@code "redirect:"}, i.e. a redirect view name being assembled
 * at runtime rather than given as a single literal.
 *
 * <p>The match is deliberately narrow: only {@code StringBuilder} (not {@code StringBuffer}) and
 * only a literal pushed by the instruction directly before the call are considered.
 *
 * @param m the method whose CFG is walked
 * @param classContext the context supplying the class, constant pool and CFG
 * @throws CFGBuilderException if the CFG for {@code m} cannot be built
 */
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException {
    JavaClass javaClass = classContext.getJavaClass();
    ConstantPoolGen cpg = classContext.getConstantPoolGen();
    CFG cfg = classContext.getCFG(m);

    Iterator<Location> locations = cfg.locationIterator();
    while (locations.hasNext()) {
        Location location = locations.next();
        Instruction current = location.getHandle().getInstruction();
        if (!(current instanceof INVOKEVIRTUAL)) {
            continue;
        }
        INVOKEVIRTUAL call = (INVOKEVIRTUAL) current;
        boolean isBuilderAppend = "java.lang.StringBuilder".equals(call.getClassName(cpg))
                && "append".equals(call.getMethodName(cpg));
        if (!isBuilderAppend) {
            continue;
        }
        // Only the instruction right before the append is inspected for the literal.
        Instruction previous = location.getHandle().getPrev().getInstruction();
        if (!(previous instanceof LDC)) {
            continue;
        }
        Object constant = ((LDC) previous).getValue(cpg);
        // String.equals(Object) already rejects non-String constants.
        if ("redirect:".equals(constant)) {
            BugInstance bug = new BugInstance(this, SPRING_UNVALIDATED_REDIRECT_TYPE, Priorities.NORMAL_PRIORITY);
            bug.addClass(javaClass).addMethod(javaClass, m).addSourceLine(classContext, m, location);
            reporter.reportBug(bug);
        }
    }
}
if ("java.security.KeyPairGenerator".equals(invoke.getClassName(cpg)) && "initialize".equals(invoke.getMethodName(cpg))) { Number n = null;
if ("javax.crypto.KeyGenerator".equals(invoke.getClassName(cpg)) && "init".equals(invoke.getMethodName(cpg))) { Number n = null;
INVOKEVIRTUAL invoke = (INVOKEVIRTUAL) nextInst; String methodNameWithSignature = invoke.getClassName(cpg) + "." + invoke.getMethodName(cpg);
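/**
 * Checks if the constraints of operands of the said instruction(s) are satisfied.
 *
 * <p>For {@code INVOKEVIRTUAL} the referenced method must be declared, with exactly the
 * referenced name, return type and argument types, in the referenced class itself; a
 * declaration in a superclass or an implemented interface is not searched. The referenced
 * class must also be a class rather than an interface. Each violation is reported through
 * {@code constraintViolated}.
 *
 * @param o the instruction whose operands are checked
 */
public void visitINVOKEVIRTUAL(INVOKEVIRTUAL o) {
    // INVOKEVIRTUAL is a LoadClass; the Class where the referenced method is declared in,
    // is therefore resolved/verified.
    // INVOKEVIRTUAL is an InvokeInstruction, the argument and return types are resolved/verified,
    // too. So are the allowed method names.
    String classname = o.getClassName(cpg);
    JavaClass jc = Repository.lookupClass(classname);
    // NOTE(review): whether lookupClass can return null for an unknown class in this BCEL
    // version is not visible here — confirm; if it can, jc.getMethods() below would NPE.
    Method m = null;
    for (Method candidate : jc.getMethods()) {
        // Name, return type and argument types must all match the referenced descriptor.
        if (candidate.getName().equals(o.getMethodName(cpg))
                && Type.getReturnType(candidate.getSignature()).equals(o.getReturnType(cpg))
                && objarrayequals(Type.getArgumentTypes(candidate.getSignature()), o.getArgumentTypes(cpg))) {
            m = candidate;
            break;
        }
    }
    if (m == null) {
        // Message spelling fixed ("verifier"); wording otherwise unchanged.
        constraintViolated(o, "Referenced method '" + o.getMethodName(cpg)
                + "' with expected signature not found in class '" + jc.getClassName()
                + "'. The native verifier does allow the method to be declared in some superclass or implemented interface, which the Java Virtual Machine Specification, Second Edition does not.");
    }
    if (!(jc.isClass())) {
        constraintViolated(o, "Referenced class '" + jc.getClassName() + "' is an interface, but not a class as expected.");
    }
}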
/**
 * Checks if the constraints of operands of the said instruction(s) are satisfied.
 *
 * <p>For {@code INVOKEVIRTUAL} the referenced class is looked up in the {@code Repository}
 * and the referenced method is searched with {@code getMethodRecursive}; a missing method
 * and a referenced type that is an interface rather than a class are each reported through
 * {@code constraintViolated}. A class that cannot be loaded is turned into an
 * {@code AssertionViolatedException}.
 *
 * @param o the instruction whose operands are checked
 */
@Override
public void visitINVOKEVIRTUAL(final INVOKEVIRTUAL o) {
    // INVOKEVIRTUAL is a LoadClass, so the class declaring the referenced method is
    // resolved/verified; as an InvokeInstruction its argument and return types, and the
    // allowed method names, are resolved/verified as well.
    final String classname = o.getClassName(cpg);
    final JavaClass jc;
    final Method m;
    try {
        jc = Repository.lookupClass(classname);
        m = getMethodRecursive(jc, o);
    } catch (final ClassNotFoundException e) {
        // An unresolvable class is reported as a verifier assertion failure rather than being
        // swallowed; whether this is the right exception type is an open question upstream.
        throw new AssertionViolatedException("Missing class: " + e, e);
    }
    if (m == null) {
        constraintViolated(o, "Referenced method '"+o.getMethodName(cpg)+"' with expected signature '"+
            o.getSignature(cpg)+"' not found in class '"+jc.getClassName()+"'.");
    }
    if (!jc.isClass()) {
        constraintViolated(o, "Referenced class '"+jc.getClassName()+"' is an interface, but not a class as expected.");
    }
}
final String theClass = o.getClassName(cpg);