Refine search
throws IOException { String t; ConstantPool cp = c.getConstantPool(); out.write(linkPath(t = c.getSourceFileName())); defs.add(t); refs.add(t); out.write(TAB); fout.write(TAB); aflgs = Utility.accessToString(fld.getAccessFlags()); if (aflgs != null && aflgs.length() > 0) { out.write(aflgs); out.write(SPACE); fldsig=Utility.signatureToString(fld.getSignature()); out.write(fldsig); fout.write(fldsig); out.write(SPACE); fout.write(SPACE); tdef=tagDef(t = fld.getName()); out.write(tdef); fout.write(tdef); fout.write(SPACE);
Code code = obj.getCode(); Method realVoidConstructor = findVoidConstructor(getThisClass()); if (code != null && !markedAsNotUsable(obj)) { if (codeDoesSomething(code)) { priority--; } else if (!obj.isPublic() && getThisClass().isPublic()) { priority--; for (Method m : this.getThisClass().getMethods()) { if (!m.isStatic() && m != obj && !isVoidConstructor(getThisClass(), m)) { instanceMembers = true; for (Field f : this.getThisClass().getFields()) { if (!f.isStatic()) { instanceMembers = true; bugReporter.reportBug(new BugInstance(this, "NM_METHOD_CONSTRUCTOR_CONFUSION", priority).addClassAndMethod(this) .lowerPriorityIfDeprecated()); return;
if (aField.isPrivate()) { if (!aField.isStatic() && !"java/lang/Enum".equals(superclassName)) { return; if (!aField.isPublic() && !aField.isProtected()) { return; ClassDescriptor classOfField = DescriptorFactory.createClassDescriptorFromFieldSignature(aField.getSignature()); String tBugType = null; int priority = aField.isPublic() && aField.isFinal() && aField.getName().equals(aField.getName().toUpperCase()) && getThisClass().isPublic() ? HIGH_PRIORITY : NORMAL_PRIORITY; if (classOfField != null) { try { pendingBugs.put(getXField(), new BugInstance(this, tBugType, priority).addClass(currentClass).addField(this));
/** * @param obj * the field to parse * @return a descriptor for the field */ protected FieldDescriptor parseField(Field obj) { return new FieldDescriptor(slashedClassName, obj.getName(), obj.getSignature(), obj.isStatic()); }
/** * Factory method. Construct from class name and BCEL Field object. * * @param jClass * the class which defines the field * @param field * the BCEL Field object * @return the FieldAnnotation */ public static FieldAnnotation fromBCELField(JavaClass jClass, Field field) { return new FieldAnnotation(jClass.getClassName(), field.getName(), field.getSignature(), field.isStatic()); }
classWalker.visit(); org.apache.bcel.classfile.Method[] bcelMethods= jc.getMethods(); org.apache.bcel.classfile.Field[] bcelFields= jc.getFields(); ObjectType type= new ObjectType(jc.getClassName()); Map<String, String> annotationsValues= getAnnotationsValues(jc.getAttributes(), "::::"); Attribute[] attributes= field.getAttributes(); String name= ":" + field.getName() + ":::"; Map<String, String> methodAnnotationsValues= getAnnotationsValues(attributes, name); annotationsValues.putAll(methodAnnotationsValues); ParameterAnnotationEntry[] parameterAnnotationEntries= method.getParameterAnnotationEntries(); for (int i= 0; i < parameterAnnotationEntries.length; i++) variableDecl.setName(field.getName()); variableDecl.setModifiers(field.getModifiers()); variableDecl.setType(field.getType()); String genericSignature= field.getGenericSignature(); if (genericSignature != null && !genericSignature.equals(field.getSignature())) Type type2= Type.getType(field.getSignature()); String normalizedSignature= "$$$" + field.getName() + DragomeJavaScriptGenerator.FIELD_TYPE_SEPARATOR + DragomeJavaScriptGenerator.normalizeExpression(type2.toString()); String normalizedClassname= DragomeJavaScriptGenerator.normalizeExpression(type.getClassName()); Project.getSingleton().addGenericSignature(normalizedClassname + "|" + normalizedSignature + "|" + genericSignature);
private void analyzeMethod(ClassContext classContext, Method method) throws DataflowAnalysisException, CFGBuilderException { if (BCELUtil.isSynthetic(method) || (method.getAccessFlags() & Const.ACC_BRIDGE) == Const.ACC_BRIDGE) { return; System.out.println(" Analyzing method " + classContext.getJavaClass().getClassName() + "." + method.getName()); Dataflow<BitSet, LiveLocalStoreAnalysis> llsaDataflow = classContext.getLiveLocalStoreDataflow(method); int numLocals = method.getCode().getMaxLocals(); int[] localStoreCount = new int[numLocals]; int[] localLoadCount = new int[numLocals]; String sourceFileName = javaClass.getSourceFileName(); if (LocalVariableAnnotation.UNKNOWN_NAME.equals(lvAnnotation.getName())) { if (sourceFileName.endsWith(".groovy")) { for (Field f : javaClass.getFields()) { if (f.getName().equals(lvName) && f.isStatic() == method.isStatic()) { shadowedField = f; propertySet.addProperty(DeadLocalStoreProperty.SHADOWS_FIELD); priority--; pendingBugReportAboutOverwrittenParameter = new BugInstance(this, "IP_PARAMETER_IS_DEAD_BUT_OVERWRITTEN", priority).addClassAndMethod(methodGen, sourceFileName).add(lvAnnotation);
visitedBlocks = new BitSet(); clsContext = classContext; clsName = clsContext.getJavaClass().getClassName(); clsSig = SignatureUtils.classToSignature(clsName); JavaClass cls = classContext.getJavaClass(); Field[] fields = cls.getFields(); ConstantPool cp = classContext.getConstantPoolGen().getConstantPool(); if (!f.isStatic() && !f.isVolatile() && (f.getName().indexOf(Values.SYNTHETIC_MEMBER_CHAR) < 0) && f.isPrivate()) { FieldAnnotation fa = new FieldAnnotation(cls.getClassName(), f.getName(), f.getSignature(), false); boolean hasExternalAnnotation = false; for (AnnotationEntry entry : f.getAnnotationEntries()) { ConstantUtf8 cutf = (ConstantUtf8) cp.getConstant(entry.getTypeIndex()); if (!cutf.getBytes().startsWith(Values.JAVA)) { localizableFields.put(f.getName(), new FieldInfo(fa, hasExternalAnnotation)); FieldAnnotation fa = fi.getFieldAnnotation(); SourceLineAnnotation sla = fi.getSrcLineAnnotation(); BugInstance bug = new BugInstance(this, BugType.FCBL_FIELD_COULD_BE_LOCAL.name(), NORMAL_PRIORITY).addClass(this).addField(fa); if (sla != null) { bug.addSourceLine(sla);
classGen.addField(new Field(ACC_PUBLIC, cpg.addUtf8(name), cpg.addUtf8(signature), null, cpg.getConstantPool()));
this.className = javaClass.getClassName(); this.isInterface = javaClass.isInterface(); addFeature(CLASS_NAME_KEY + transformClassName(javaClass.getClassName())); for (Method method : javaClass.getMethods()) { if (!isSynthetic(method)) { String transformedMethodSignature = transformMethodSignature(method.getSignature()); if (method.isStatic() || !overridesSuperclassMethod(javaClass, method)) { addFeature(METHOD_NAME_KEY + method.getName() + ":" + transformedMethodSignature); for (Field field : javaClass.getFields()) { if (!isSynthetic(field)) { addFeature(FIELD_NAME_KEY + field.getName() + ":" + transformSignature(field.getSignature()));
@Override public void visit(JavaClass obj) { String superClassname = obj.getSuperclassName(); return; int flags = obj.getAccessFlags(); isAbstract = (flags & Const.ACC_ABSTRACT) != 0 || (flags & Const.ACC_INTERFACE) != 0; isAnonymousInnerClass = anonymousInnerClassNamePattern.matcher(getClassName()).matches(); innerClassHasOuterInstance = false; for (Field f : obj.getFields()) { if ("this$0".equals(f.getName())) { innerClassHasOuterInstance = true; break; for (Method m : obj.getMethods()) { if ("readObject".equals(m.getName()) && "(Ljava/io/ObjectInputStream;)V".equals(m.getSignature())) { sawReadObject = true; } else if ("readResolve".equals(m.getName()) && m.getSignature().startsWith("()")) { sawReadResolve = true; } else if ("readObjectNoData".equals(m.getName()) && "()V".equals(m.getSignature())) { for (Field f : obj.getFields()) { if (f.isTransient()) { seenTransientField = true;
/** * checks to see if the class is Serializable, then looks for fields that are both final and transient * * @param classContext * the context object of the currently parsed class */ @Override public void visitClassContext(ClassContext classContext) { try { JavaClass cls = classContext.getJavaClass(); if ((serializableClass != null) && (cls.implementationOf(serializableClass))) { Field[] fields = cls.getFields(); setupVisitorForClass(cls); for (Field f : fields) { if (!f.isStatic() && f.isFinal() && f.isTransient()) { bugReporter.reportBug(new BugInstance(this, BugType.NFF_NON_FUNCTIONAL_FIELD.name(), Priorities.NORMAL_PRIORITY).addClass(this) .addField(cls.getClassName(), f.getName(), f.getSignature(), f.getAccessFlags())); } } } } catch (ClassNotFoundException cnfe) { bugReporter.reportMissingClass(cnfe); } }
@Override public void visit(JavaClass obj) { String name = obj.getClassName(); String[] parts = name.split("[$+.]"); baseClassName = parts[parts.length - 1]; return; classIsPublicOrProtected = obj.isPublic() || obj.isProtected(); if (Character.isLetter(baseClassName.charAt(0)) && !Character.isUpperCase(baseClassName.charAt(0)) && baseClassName.indexOf('_') == -1) { int priority = classIsPublicOrProtected ? NORMAL_PRIORITY : LOW_PRIORITY; bugReporter.reportBug(new BugInstance(this, "NM_CLASS_NAMING_CONVENTION", priority).addClass(this)); bugReporter.reportBug(new BugInstance(this, "NM_CLASS_NOT_EXCEPTION", NORMAL_PRIORITY).addClass(this)); for (Field f : obj.getFields()) { if (f.getName().length() >= 2 && badFieldName(f)) { badFieldNames++; int badMethodNames = 0; for (Method m : obj.getMethods()) { if (badMethodName(m.getName())) { badMethodNames++;
this.className = javaClass.getClassName(); Method[] methodList = new Method[javaClass.getMethods().length]; System.arraycopy(javaClass.getMethods(), 0, methodList, 0, javaClass.getMethods().length); Arrays.sort(methodList, (o1, o2) -> { int cmp = o1.getName().compareTo(o2.getName()); if (cmp != 0) { return cmp; return o1.getSignature().compareTo(o2.getSignature()); System.arraycopy(javaClass.getFields(), 0, fieldList, 0, javaClass.getFields().length); Arrays.sort(fieldList, (o1, o2) -> { int cmp = o1.getName().compareTo(o2.getName()); if (cmp != 0) { return cmp; return o1.getSignature().compareTo(o2.getSignature()); }); work(digest, field.getName(), encoder); work(digest, field.getSignature(), encoder);
public static boolean isJSP(JavaClass javaClass) { @DottedClassName String className = javaClass.getClassName(); if ( className.endsWith("_jsp") || className.endsWith("_tag")) { return true; } for(Method m : javaClass.getMethods()) { if (m.getName().startsWith("_jsp")) { return true; } } for(Field f : javaClass.getFields()) { if (f.getName().startsWith("_jsp")) { return true; } } return Subtypes2.instanceOf(className, "javax.servlet.jsp.JspPage") || Subtypes2.instanceOf(className, "org.apache.jasper.runtime.HttpJspBase") || Subtypes2.instanceOf(className, "javax.servlet.jsp.tagext.SimpleTagSupport") || Subtypes2.instanceOf(className, " org.apache.jasper.runtime.JspSourceDependent"); }
public void addAllDefinitions(JavaClass obj) { String className2 = obj.getClassName(); defined.add(className2); for (Method m : obj.getMethods()) { if (!m.isPrivate()) { String name = getMemberName(obj, className2, m.getNameIndex(), m.getSignatureIndex()); defined.add(name); } } for (Field f : obj.getFields()) { if (!f.isPrivate()) { String name = getMemberName(obj, className2, f.getNameIndex(), f.getSignatureIndex()); defined.add(name); } } }
@Override public void visitField(Field obj) { if (obj.isProtected()) { bugReporter.reportBug(new BugInstance(this, "CI_CONFUSED_INHERITANCE", LOW_PRIORITY).addClass(cls).addField( new FieldAnnotation(cls.getClassName(), obj.getName(), obj.getSignature(), obj.isStatic()))); } }
if (jc.isClass()){ int maxone=0; if (obj.isPrivate()) maxone++; if (obj.isProtected()) maxone++; if (obj.isPublic()) maxone++; if (maxone > 1){ throw new ClassConstraintException("Field '"+tostring(obj)+"' must only have at most one of its ACC_PRIVATE, ACC_PROTECTED, ACC_PUBLIC modifiers set."); if (obj.isFinal() && obj.isVolatile()){ throw new ClassConstraintException("Field '"+tostring(obj)+"' must only have at most one of its ACC_FINAL, ACC_VOLATILE modifiers set."); if (!obj.isPublic()){ throw new ClassConstraintException("Interface field '"+tostring(obj)+"' must have the ACC_PUBLIC modifier set but hasn't!"); if (!obj.isStatic()){ throw new ClassConstraintException("Interface field '"+tostring(obj)+"' must have the ACC_STATIC modifier set but hasn't!"); if (!obj.isFinal()){ throw new ClassConstraintException("Interface field '"+tostring(obj)+"' must have the ACC_FINAL modifier set but hasn't!"); if ((obj.getAccessFlags() & ~(ACC_PUBLIC|ACC_PRIVATE|ACC_PROTECTED|ACC_STATIC|ACC_FINAL|ACC_VOLATILE|ACC_TRANSIENT)) > 0){ addMessage("Field '"+tostring(obj)+"' has access flag(s) other than ACC_PUBLIC, ACC_PRIVATE, ACC_PROTECTED, ACC_STATIC, ACC_FINAL, ACC_VOLATILE, ACC_TRANSIENT set (ignored)."); checkIndex(obj, obj.getNameIndex(), CONST_Utf8); String name = obj.getName(); if (! validFieldName(name)){ throw new ClassConstraintException("Field '"+tostring(obj)+"' has illegal name '"+obj.getName()+"'.");
private void analyzeField(Field field, JavaClass javaClass) { for (AnnotationEntry annotation : field.getAnnotationEntries()) { if (ANNOTATION_TYPES.contains(annotation.getAnnotationType()) || annotation.getAnnotationType().contains("JsonTypeInfo")) { for (ElementValuePair elementValuePair : annotation.getElementValuePairs()) { if ("use".equals((elementValuePair.getNameString())) && VULNERABLE_USE_NAMES.contains(elementValuePair.getValue().stringifyValue())) { bugReporter.reportBug(new BugInstance(this, DESERIALIZATION_TYPE, HIGH_PRIORITY) .addClass(javaClass) .addString(javaClass.getClassName() + " on field " + field.getName() + " of type " + field.getType() + " annotated with " + annotation.toShortString()) .addField(FieldAnnotation.fromBCELField(javaClass, field)) .addString("") ); } } } } }