Refine search
JavaClass jclass = classContext.getJavaClass(); String calledClassName = inv.getClassName(cpg); if (!calledClassName.equals(jclass.getClassName())) { return null; String calledMethodName = inv.getMethodName(cpg); String calledMethodSignature = inv.getSignature(cpg); boolean isStaticCall = (inv instanceof INVOKESTATIC); Method[] methods = jclass.getMethods(); for (Method method : methods) { String methodName = method.getName();
Instruction ins = location.getHandle().getInstruction(); short opcode = ins.getOpcode(); if (!invokeOpcodeSet.get(opcode)) { return null; ReferenceType classType = inv.getReferenceType(cpg); if (!Hierarchy.isSubtype(classType, baseClassType)) { return null; String methodName = inv.getMethodName(cpg); String methodSig = inv.getSignature(cpg); if (!this.methodName.equals(methodName) || !this.methodSig.equals(methodSig)) { return null;
public boolean isAssertionCall(InvokeInstruction inv) { boolean isAssertionMethod = assertionMethodRefSet.get(inv.getIndex()); return isAssertionMethod; } }
/** * Convenience method for generating a method signature in human readable * form. * * @param inv * an InvokeInstruction * @param cpg * the ConstantPoolGen for the class the instruction belongs to */ public static String convertMethodSignature(InvokeInstruction inv, ConstantPoolGen cpg) { return convertMethodSignature(inv.getClassName(cpg), inv.getName(cpg), inv.getSignature(cpg)); }
public MethodDescriptor(InvokeInstruction iins, ConstantPoolGen cpg) { super(ClassName.toSlashedClassName(iins.getClassName(cpg)), iins.getMethodName(cpg), iins.getSignature(cpg), iins instanceof INVOKESTATIC); }
private boolean matchMethod(InvokeInstruction inv, ConstantPoolGen cpg, String className, String methodName) { return inv.getClassName(cpg).equals(className) && inv.getName(cpg).equals(methodName); }
String sourceFile = classContext.getJavaClass().getSourceFileName(); if (DEBUG) { System.out.println("\n" + fullMethodName); Location location = iter.next(); InstructionHandle handle = location.getHandle(); Instruction ins = handle.getInstruction(); argSignature = argSignature.substring(0, argSignature.indexOf(')') + 1); String call = invokedMethodName+argSignature; SignatureParser sigParser = new SignatureParser(inv.getSignature(cpg)); Subtypes2 subtypes2 = AnalysisContext.currentAnalysisContext().getSubtypes2(); if (DEBUG) { System.out.println("at " + handle.getPosition() + " Checking call to " + info.interfaceForCall + " : " + invokedMethod); if (operandType.equals(TopType.instance())) { if (operandType.equals(NullType.instance())) { InstructionHandle next = handle.getNext(); if (next != null) { Instruction nextIns = next.getInstruction(); boolean parmIsObject = "Ljava/lang/Object;".equals(expectedType.getSignature()); boolean selfOperation = !allMethod && operand.equals(actualType) && !parmIsObject; if (!allMethod && !parmIsObject && actualType instanceof GenericObjectType) {
ConstantPool cp = javaClass.getConstantPool(); ConstantPoolGen cpg = new ConstantPoolGen(cp); for (Method m : javaClass.getMethods()) String fullClassName = javaClass.getClassName(); String className = fullClassName.substring(0, fullClassName.length()-6); Instruction instruction = ih.getInstruction(); if (!(instruction instanceof InvokeInstruction)) ReferenceType referenceType = ii.getReferenceType(cpg); if (!(referenceType instanceof ObjectType)) String methodName = ii.getMethodName(cpg); Type[] argumentTypes = ii.getArgumentTypes(cpg); Method method = findMethod(referencedJavaClass, methodName, argumentTypes);
ConstantPoolGen cpg = classContext.getConstantPoolGen(); String sourceFile = classContext.getJavaClass().getSourceFileName(); if (DEBUG) { String methodName = methodGen.getClassName() + "." + methodGen.getName(); System.out.println("Checking " + methodName); Location location = i.next(); InstructionHandle handle = location.getHandle(); Instruction ins = handle.getInstruction(); String mName = invoke.getMethodName(cpg); if (!"writeObject".equals(mName)) { continue; String cName = invoke.getClassName(cpg); if (!"java.io.ObjectOutput".equals(cName) && !"java.io.ObjectOutputStream".equals(cName)) { continue; if (operandType.equals(TopType.instance())) { methodGen, sourceFile, handle); bugReporter.reportBug(new BugInstance(this, "DMI_NONSERIALIZABLE_OBJECT_WRITTEN", isSerializable < 0.15 ? HIGH_PRIORITY : isSerializable > 0.5 ? LOW_PRIORITY : NORMAL_PRIORITY) .addClassAndMethod(methodGen, sourceFile).addType(problem).describe(TypeAnnotation.FOUND_ROLE) .addSourceLine(sourceLineAnnotation));
TypeDataflow typeDataflow = classContext.getTypeDataflow(method); String sourceFileName = javaClass.getSourceFileName(); Instruction ins = handle.getInstruction(); if ("putIfAbsent".equals(invoke.getMethodName(cpg))) { String signature = invoke.getSignature(cpg); if ("(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;".equals(signature) && !(invoke instanceof INVOKESTATIC)) { TypeFrame typeFrame = typeDataflow.getFactAtLocation(location); Type objType = typeFrame.getStackValue(2); if(extendsConcurrentMap(ClassName.toDottedClassName(ClassName.fromFieldSignature(objType.getSignature())))) { InstructionHandle next = handle.getNext(); boolean isIgnored = next != null && next.getInstruction() instanceof POP; Type type = typeFrame.getTopValue(); int priority = getPriorityForBeingMutable(type); BugInstance bugInstance = new BugInstance(this, pattern, priority) .addClassAndMethod(methodGen, sourceFileName).addCalledMethod(methodGen, invoke) .add(new TypeAnnotation(type)).add(ba); SourceLineAnnotation where = SourceLineAnnotation.fromVisitedInstruction(classContext,
RefComparisonTypeFrameModelingVisitor visitor, TypeDataflow typeDataflow, Location location) throws DataflowAnalysisException { Instruction ins = location.getHandle().getInstruction(); short opcode = ins.getOpcode(); if (opcode == Const.IF_ACMPEQ || opcode == Const.IF_ACMPNE) { checkRefComparison(location, jclass, method, methodGen, visitor, typeDataflow, stringComparisonList, InvokeInstruction inv = (InvokeInstruction) ins; boolean isStatic = inv instanceof INVOKESTATIC; @DottedClassName String className = inv.getClassName(cpg); String methodName = inv.getMethodName(cpg); String methodSig = inv.getSignature(cpg); if ( "assertSame".equals(methodName) && "(Ljava/lang/Object;Ljava/lang/Object;)V".equals(methodSig)) { checkRefComparison(location, jclass, method, methodGen, visitor, typeDataflow, stringComparisonList, } else if ( "assertFalse".equals(methodName) && "(Z)V".equals(methodSig)) { SourceLineAnnotation lastLocation = bugAccumulator.getLastBugLocation(); InstructionHandle prevHandle = location.getHandle().getPrev(); if (lastLocation != null && prevHandle != null && lastLocation.getEndBytecode() == prevHandle.getPosition()){ bugAccumulator.forgetLastBug(); if (DEBUG) {
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException, DataflowAnalysisException { MethodGen methodGen = classContext.getMethodGen(m); ConstantPoolGen cpg = classContext.getConstantPoolGen(); CFG cfg = classContext.getCFG(m); if (methodGen == null || methodGen.getInstructionList() == null) { return; //No instruction .. nothing to do } for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location location = i.next(); Instruction inst = location.getHandle().getInstruction(); if (inst instanceof InvokeInstruction) { InvokeInstruction invoke = (InvokeInstruction) inst; String methodName = invoke.getMethodName(cpg); if ("enableDefaultTyping".equals(methodName)) { JavaClass clz = classContext.getJavaClass(); bugReporter.reportBug(new BugInstance(this, DESERIALIZATION_TYPE, HIGH_PRIORITY) .addClass(clz) .addMethod(clz, m) .addCalledMethod(cpg, invoke) .addSourceLine(classContext, m, location) ); } } } }
/** * Get a MethodDescriptor describing the method called by given * InvokeInstruction. * * @param inv * the InvokeInstruction * @param cpg * ConstantPoolGen of class containing instruction * @return MethodDescriptor describing the called method */ public static MethodDescriptor getCalledMethodDescriptor(InvokeInstruction inv, ConstantPoolGen cpg) { String calledClassName = inv.getClassName(cpg).replace('.', '/'); String calledMethodName = inv.getMethodName(cpg); String calledMethodSig = inv.getSignature(cpg); boolean isStatic = inv.getOpcode() == Const.INVOKESTATIC; return DescriptorFactory.instance().getMethodDescriptor(calledClassName, calledMethodName, calledMethodSig, isStatic); }
ConstantPoolGen cpg = classContext.getConstantPoolGen(); MethodGen methodGen = classContext.getMethodGen(method); String sourceFile = classContext.getJavaClass().getSourceFileName(); Instruction ins = location.getHandle().getInstruction(); switch (ins.getOpcode()) { case INVOKEVIRTUAL: case INVOKEINTERFACE: InvokeInstruction iins = (InvokeInstruction) ins; String invoking = iins.getName(cpg); if ( comparatorMethod(invoking) || booleanComparisonMethod(invoking) ) { if (methodGen.getName().toLowerCase().indexOf("test") >= 0) { break; if (classContext.getJavaClass().getSuperclassName().toLowerCase().indexOf("test") >= 0) { break; if (location.getHandle().getNext().getInstruction().getOpcode() == POP) { break; String sig = iins.getSignature(cpg);
Location location = i.next(); InstructionHandle handle = location.getHandle(); Instruction ins = handle.getInstruction(); if (isConstantStringLoad(location, cpg)) { stringAppendState = updateStringAppendState(location, cpg, stringAppendState); String sig1 = inv.getSignature(cpg); String sig2 = sig1.substring(sig1.indexOf(')')); String methodName = inv.getMethodName(cpg); String className = inv.getClassName(cpg); if ("valueOf".equals(methodName) && "java.lang.String".equals(className) && "(Ljava/lang/Object;)Ljava/lang/String;".equals(sig1)) { if (operandType.equals(TopType.instance())) { String sig3 = operandType.getSignature(); if (!"Ljava/lang/String;".equals(sig3)) { stringAppendState.setSawTaint(handle);
Instruction inst = location.getHandle().getInstruction(); if ("setAttribute".equals(invoke.getMethodName(cpg))) { LDC propertyConst = ByteCode.getPrevInstruction(location.getHandle().getPrev(), LDC.class); LDC loadConst = ByteCode.getPrevInstruction(location.getHandle(), LDC.class); if (propertyConst != null && loadConst != null) { } else if ("setFeature".equals(invoke.getMethodName(cpg))) { LDC propertyConst = ByteCode.getPrevInstruction(location.getHandle().getPrev(), LDC.class); ICONST loadConst = ByteCode.getPrevInstruction(location.getHandle(), ICONST.class); if (propertyConst != null && loadConst != null bugReporter.reportBug(new BugInstance(this, XXE_DTD_TRANSFORM_FACTORY_TYPE, Priorities.NORMAL_PRIORITY) // .addClass(this).addMethod(this).addSourceLine(this) .addString(simpleClassName + "." + method + "(...)"));
/** * Looks for the method referenced by the given invoke instruction in the given class. * @param jc the class that defines the referenced method * @param invoke the instruction that references the method * @return the referenced method or null if not found. */ private Method getMethod(final JavaClass jc, final InvokeInstruction invoke) { final Method[] ms = jc.getMethods(); for (final Method element : ms) { if ( (element.getName().equals(invoke.getMethodName(cpg))) && (Type.getReturnType(element.getSignature()).equals(invoke.getReturnType(cpg))) && (objarrayequals(Type.getArgumentTypes(element.getSignature()), invoke.getArgumentTypes(cpg))) ) { return element; } } return null; }
Instruction ins = thrower.getInstruction(); if (!(ins instanceof InvokeInstruction)) { continue; String className = inv.getClassName(cpg); continue; String methodSig = inv.getSignature(cpg); if (!methodSig.endsWith("V")) { continue; bugReporter.reportBug(new BugInstance(this, "TESTING", Priorities.NORMAL_PRIORITY) .addClassAndMethod(classContext.getJavaClass(), method) .addString("Call to method that always throws Exception").addMethod(primaryXMethod) .describe(MethodAnnotation.METHOD_CALLED).addSourceLine(classContext, method, loc));
private void analyzeMethod(ClassContext classContext, Method method) throws CFGBuilderException, ClassNotFoundException, DataflowAnalysisException { CFG cfg = classContext.getCFG(method); for (Iterator<Location> i = cfg.locationIterator(); i.hasNext();) { Location location = i.next(); Instruction ins = location.getHandle().getInstruction(); if (ins instanceof InvokeInstruction) { if (TARGET_METHOD != null && !((InvokeInstruction) ins).getMethodName(classContext.getConstantPoolGen()).equals(TARGET_METHOD)) { continue; } System.out.println("\n*******************************************************\n"); System.out.println("Method invocation: " + location.getHandle()); System.out.println("\tInvoking: " + SignatureConverter.convertMethodSignature((InvokeInstruction) ins, classContext.getConstantPoolGen())); JavaClassAndMethod proto = Hierarchy.findInvocationLeastUpperBound((InvokeInstruction) ins, classContext.getConstantPoolGen()); if (proto == null) { System.out.println("\tUnknown prototype method"); } else { System.out.println("\tPrototype method: class=" + proto.getJavaClass().getClassName() + ", method=" + proto.getMethod()); } Set<JavaClassAndMethod> calledMethodSet = Hierarchy.resolveMethodCallTargets((InvokeInstruction) ins, classContext.getTypeDataflow(method).getFactAtLocation(location), classContext.getConstantPoolGen()); System.out.println("\tTarget method set: " + calledMethodSet); } } }
Location location = iter.next(); InstructionHandle handle = location.getHandle(); Instruction ins = handle.getInstruction(); TypeFrame frame = typeDataflow.getFactAtLocation(location); String methodName = inv.getMethodName(constantPoolGen); if (methodName.toLowerCase().indexOf("unsupported") >= 0) { continue; String methodSig = inv.getSignature(constantPoolGen); if ("()Ljava/lang/UnsupportedOperationException;".equals(methodSig)) { continue; BugInstance bug = new BugInstance(this, "DMI_UNSUPPORTED_METHOD", priority) .addClassAndMethod(classContext.getJavaClass(), method).addCalledMethod(constantPoolGen, inv) .addSourceLine(classContext, method, location); bugReporter.reportBug(bug);