/**
 * Reports a hard-coded credential found in one or more fields whose names the
 * caller judged suspicious.
 *
 * <p>The finding is filed as {@code HARD_CODE_KEY_TYPE} unless at least one of
 * the field strings ends in {@code [C} (the descriptor of a {@code char[]}), in
 * which case the whole finding becomes {@code HARD_CODE_PASSWORD_TYPE}. An
 * empty collection produces no report.
 *
 * @param fields   strings describing the offending fields as built by the
 *                 caller; a trailing {@code [C} marks a char array
 * @param priority SpotBugs priority for the reported bug
 */
private void reportBugSource(Collection<String> fields, int priority) {
    if (fields.isEmpty()) {
        return;
    }
    // One char[] field is enough to reclassify the entire finding as a password.
    boolean holdsCharArray = false;
    for (String fieldText : fields) {
        if (fieldText.endsWith("[C")) {
            holdsCharArray = true;
            break;
        }
    }
    String bugType = holdsCharArray ? HARD_CODE_PASSWORD_TYPE : HARD_CODE_KEY_TYPE;

    BugInstance report = new BugInstance(this, bugType, priority).addClass(this);
    for (String fieldText : fields) {
        report.addString("is hard coded in field " + fieldText + " with suspicious name");
    }
    bugReporter.reportBug(report);
}
/**
 * Compares a numeric literal with the table of known "rough" constants and
 * accumulates a {@code CNT_ROUGH_CONSTANT_VALUE} bug for the first entry whose
 * computed priority is below {@code IGNORE_PRIORITY}. NaN and infinite values
 * are never reported. {@code lastPriority}/{@code lastBug} remember the most
 * recent report for the caller.
 *
 * @param constValue the literal just pushed on the operand stack
 */
private void checkConst(Number constValue) {
    double asDouble = constValue.doubleValue();
    if (Double.isNaN(asDouble) || Double.isInfinite(asDouble)) {
        return;
    }
    for (BadConstant known : badConstants) {
        int priority = getPriority(known, constValue, asDouble);
        // A literal stored straight into a float/double array is nudged one
        // step towards the ignore threshold.
        int nextOp = getNextOpcode();
        if (nextOp == Const.FASTORE || nextOp == Const.DASTORE) {
            priority++;
        }
        if (priority >= IGNORE_PRIORITY) {
            continue;
        }
        lastPriority = priority;
        lastBug = new BugInstance(this, "CNT_ROUGH_CONSTANT_VALUE", priority)
                .addClassAndMethod(this)
                .addString(constValue.toString())
                .addString(known.replacement);
        bugAccumulator.accumulateBug(lastBug, this);
        return;
    }
}
}
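/**
 * Flags construction of any class whose name ends in {@code SpelView}
 * (case-insensitively). This detector treats such a constructor call as a
 * SpEL-injection sink and reports it as {@code SPEL_INJECTION}.
 *
 * @param seen the opcode currently being visited
 */
@Override
public void sawOpcode(int seen) {
    if (seen != INVOKESPECIAL) {
        return;
    }
    String methodName = getNameConstantOperand();
    String className = getClassConstantOperand();
    // The suffix test deliberately avoids String.toLowerCase(): that call uses
    // the JVM default locale, and under a Turkish locale "VIEW" lower-cases to
    // a dotless i, so an endsWith("spelview") comparison silently stops
    // matching. regionMatches(ignoreCase=true) is locale-independent.
    if (methodName.equals("<init>") && endsWithIgnoreCase(className, "spelview")) {
        bugReporter.reportBug(new BugInstance(this, "SPEL_INJECTION", Priorities.NORMAL_PRIORITY)
                .addClass(this).addMethod(this).addSourceLine(this)
                .addString("SpelView()"));
    }
}

/**
 * Locale-independent, case-insensitive {@link String#endsWith}.
 *
 * @param value  the string to test
 * @param suffix the ASCII suffix to look for
 * @return {@code true} if {@code value} ends with {@code suffix} ignoring case
 */
private static boolean endsWithIgnoreCase(String value, String suffix) {
    int start = value.length() - suffix.length();
    return start >= 0 && value.regionMatches(true, start, suffix, 0, suffix.length());
}
}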
/**
 * Reports a Play-framework redirect whose target is not validated.
 *
 * <p>Fires on an {@code invokevirtual} of one of {@code REDIRECT_METHODS} when
 * the class under analysis directly extends
 * {@code scala.runtime.AbstractFunction0}. A {@link CheckedAnalysisException}
 * while resolving the superclass is deliberately ignored: the scan is
 * best-effort and one unresolvable class must not abort it, so that class
 * simply yields no report.
 *
 * @param seen the opcode currently being visited
 */
@Override
public void sawOpcode(int seen) {
    if (seen != INVOKEVIRTUAL) {
        return;
    }
    try {
        String calledMethod = getNameConstantOperand();
        if (!REDIRECT_METHODS.contains(calledMethod)) {
            return;
        }
        String superName = getClassDescriptor().getXClass().getSuperclassDescriptor().getClassName();
        if (!"scala/runtime/AbstractFunction0".equals(superName)) {
            return;
        }
        bugReporter.reportBug(new BugInstance(this, PLAY_UNVALIDATED_REDIRECT_TYPE, Priorities.NORMAL_PRIORITY)
                .addClass(this).addMethod(this).addSourceLine(this)
                .addString(calledMethod));
    } catch (CheckedAnalysisException ignored) {
        // Best effort: cannot resolve the class hierarchy, so nothing to report here.
    }
}
}
bugReporter.reportBug(new BugInstance(this, "RE_CANT_USE_FILE_SEPARATOR_AS_REGULAR_EXPRESSION", HIGH_PRIORITY) .addClassAndMethod(this).addCalledMethod(this).addSourceLine(this)); return; message = message.substring(0, eol); BugInstance bug = new BugInstance(this, "RE_BAD_SYNTAX_FOR_REGULAR_EXPRESSION", HIGH_PRIORITY) .addClassAndMethod(this).addCalledMethod(this).addString(message).describe(StringAnnotation.ERROR_MSG_ROLE) .addString(regex).describe(StringAnnotation.REGEX_ROLE); String options = getOptions(flags); if (options.length() > 0) { bug.addString("Regex flags: " + options).describe(StringAnnotation.STRING_MESSAGE);
/**
 * Reports a field whose Jackson polymorphic-typing annotation selects a
 * {@code use=} strategy listed in {@code VULNERABLE_USE_NAMES}.
 *
 * <p>Every annotation on the field whose type is in {@code ANNOTATION_TYPES},
 * or whose type name contains {@code JsonTypeInfo}, is inspected. A match on
 * its {@code use} element files a high-priority {@code DESERIALIZATION_TYPE}
 * bug against the field (one per matching annotation element).
 *
 * @param field     the field being examined
 * @param javaClass the class declaring the field
 */
private void analyzeField(Field field, JavaClass javaClass) {
    for (AnnotationEntry entry : field.getAnnotationEntries()) {
        String annotationType = entry.getAnnotationType();
        boolean polymorphicTyping = ANNOTATION_TYPES.contains(annotationType)
                || annotationType.contains("JsonTypeInfo");
        if (!polymorphicTyping) {
            continue;
        }
        for (ElementValuePair pair : entry.getElementValuePairs()) {
            if (!"use".equals(pair.getNameString())) {
                continue;
            }
            if (!VULNERABLE_USE_NAMES.contains(pair.getValue().stringifyValue())) {
                continue;
            }
            String detail = javaClass.getClassName() + " on field " + field.getName()
                    + " of type " + field.getType() + " annotated with " + entry.toShortString();
            bugReporter.reportBug(new BugInstance(this, DESERIALIZATION_TYPE, HIGH_PRIORITY)
                    .addClass(javaClass)
                    .addString(detail)
                    .addField(FieldAnnotation.fromBCELField(javaClass, field))
                    .addString(""));
        }
    }
}
/**
 * Accumulates {@code INT_BAD_COMPARISON_WITH_INT_VALUE} when an {@code int}
 * that was widened with {@code i2l} is compared against a {@code long}
 * constant outside the {@code int} range, i.e. a comparison that can never be
 * true.
 *
 * <p>Priority is high, except for constants exactly one past the range
 * ({@code Integer.MAX_VALUE + 1}, {@code Integer.MIN_VALUE - 1}), which are
 * reported at normal priority. {@code 0xffffffffL} and {@code 0x80000000L} are
 * rendered in hex in the message.
 *
 * @param left  operand expected to be the result of an {@code i2l}
 * @param right operand expected to carry the constant
 */
private void checkForCompatibleLongComparison(OpcodeStack.Item left, OpcodeStack.Item right) {
    if (left.getSpecialKind() != Item.RESULT_OF_I2L || right.getConstant() == null) {
        return;
    }
    long constant = ((Number) right.getConstant()).longValue();
    boolean fitsInInt = constant <= Integer.MAX_VALUE && constant >= Integer.MIN_VALUE;
    if (fitsInInt) {
        return;
    }
    boolean justPastRange = constant == Integer.MAX_VALUE + 1L || constant == Integer.MIN_VALUE - 1L;
    int priority = justPastRange ? Priorities.NORMAL_PRIORITY : Priorities.HIGH_PRIORITY;

    String rendered;
    if (constant == 0xffffffffL) {
        rendered = "0xffffffffL";
    } else if (constant == 0x80000000L) {
        rendered = "0x80000000L";
    } else {
        rendered = IntAnnotation.getShortInteger(constant) + "L";
    }

    BugInstance bug = new BugInstance(this, "INT_BAD_COMPARISON_WITH_INT_VALUE", priority)
            .addClassAndMethod(this)
            .addString(rendered).describe(StringAnnotation.STRING_NONSTRING_CONSTANT_ROLE)
            .addValueSource(left, this);
    accumulator.accumulateBug(bug, this);
}
bugReporter.reportBug(new BugInstance(this, "VA_FORMAT_STRING_USES_NEWLINE", NORMAL_PRIORITY) .addClassAndMethod(this).addCalledMethod(this).addString(formatString) .describe(StringAnnotation.FORMAT_STRING_ROLE).addSourceLine(this));
/**
 * Accumulates an {@code INT_VACUOUS_BIT_OPERATION} bug naming the opcode and,
 * when one can be resolved, the local variable the operation was applied to.
 * Nothing is reported if the operand is a known constant (presumably those
 * are handled by the caller).
 *
 * @param seen the bitwise opcode being visited
 * @param item the operand-stack item the operation acted on
 */
private void reportVacuousBitOperation(int seen, OpcodeStack.Item item) {
    if (item.getConstant() != null) {
        return;
    }
    LocalVariableAnnotation local =
            LocalVariableAnnotation.getLocalVariableAnnotation(getMethod(), item, getPC());
    BugInstance bug = new BugInstance(this, "INT_VACUOUS_BIT_OPERATION", NORMAL_PRIORITY)
            .addClassAndMethod(this)
            .addString(Const.getOpcodeName(seen))
            .addOptionalAnnotation(local);
    accumulator.accumulateBug(bug, this);
}
/**
 * Reports hard-coded credential arguments passed to the method call currently
 * being visited.
 *
 * <p>The bug type is {@code HARD_CODE_PASSWORD_TYPE} if any flagged argument
 * is a {@code String} or {@code char[]}, otherwise {@code HARD_CODE_KEY_TYPE}.
 * Each flagged argument is attached as a parameter annotation together with
 * the field/method that produced it and, when known, its constant value.
 *
 * <p>NOTE(review): the constant value is embedded verbatim in the report via
 * {@code addString}, so the hard-coded secret ends up in whatever output
 * (XML/HTML/SARIF) the scan produces. Treat detector output as sensitive.
 *
 * @param priority SpotBugs priority for the reported bug
 * @param offsets  operand-stack offsets of the suspicious arguments, counted
 *                 from the top of the stack (hence "in reverse order")
 */
private void reportBugSink(int priority, Collection<Integer> offsets) {
    String bugType = HARD_CODE_KEY_TYPE;
    for (Integer offset : offsets) {
        String signature = stack.getStackItem(offset).getSignature();
        if ("Ljava/lang/String;".equals(signature) || "[C".equals(signature)) {
            bugType = HARD_CODE_PASSWORD_TYPE;
            break;
        }
    }

    BugInstance report = new BugInstance(this, bugType, priority)
            .addClass(this)
            .addMethod(this)
            .addSourceLine(this)
            .addCalledMethod(this);

    for (Integer offset : offsets) {
        OpcodeStack.Item argument = stack.getStackItem(offset);
        report.addParameterAnnotation(offset, "Hard coded parameter number (in reverse order) is")
                .addFieldOrMethodValueSource(argument);
        Object constant = argument.getConstant();
        if (constant != null) {
            report.addString(constant.toString());
        }
    }
    bugReporter.reportBug(report);
}
if(result > 0) { accumulator.accumulateBug( new BugInstance("DM_INVALID_MIN_MAX", HIGH_PRIORITY).addClassAndMethod(DumbMethods.this) .addString(String.valueOf(n)), DumbMethods.this);
/**
 * Class-level visit: records whether the class file targets Java 5 or later,
 * then reports {@code PZ_DONT_REUSE_ENTRY_OBJECTS_IN_ITERATORS} if the class
 * is a subtype of both {@code Map.Entry} and {@code Iterator}. A missing class
 * during the subtype check is forwarded to the analysis context rather than
 * failing the visit.
 *
 * @param obj the class being visited
 */
@Override
public void visit(JavaClass obj) {
    isTigerOrHigher = obj.getMajor() >= Const.MAJOR_1_5;
    try {
        Subtypes2 hierarchy = AnalysisContext.currentAnalysisContext().getSubtypes2();
        ClassDescriptor self = getClassDescriptor();
        boolean isEntry = hierarchy.isSubtype(self, MAP_ENTRY);
        if (isEntry && hierarchy.isSubtype(self, ITERATOR)) {
            BugInstance bug = new BugInstance(this, "PZ_DONT_REUSE_ENTRY_OBJECTS_IN_ITERATORS", NORMAL_PRIORITY)
                    .addClass(this)
                    .addString("shouldn't reuse Iterator as a Map.Entry");
            bugReporter.reportBug(bug);
        }
    } catch (ClassNotFoundException e) {
        AnalysisContext.reportMissingClass(e);
    }
}
/**
 * Inspects integer equality branches ({@code if_icmpeq} / {@code if_icmpne}).
 * When {@code bad} flags either ordering of the two operands, a {@code TESTING}
 * bug is accumulated advising the author to test the sign of a
 * compare/compareTo result instead of specific values such as 1 or -1.
 *
 * @param seen the opcode being visited
 */
@Override
public void sawOpcode(int seen) {
    if (seen != Const.IF_ICMPEQ && seen != Const.IF_ICMPNE) {
        return;
    }
    OpcodeStack.Item lhs = stack.getStackItem(1);
    OpcodeStack.Item rhs = stack.getStackItem(0);
    if (!bad(lhs, rhs) && !bad(rhs, lhs)) {
        return;
    }
    BugInstance bug = new BugInstance(this, "TESTING", NORMAL_PRIORITY)
            .addClassAndMethod(this)
            .addValueSource(lhs, this)
            .addValueSource(rhs, this)
            .addString("Just check the sign of the result of compare or compareTo, not specific values such as 1 or -1");
    accumulator.accumulateBug(bug, this);
}
BugInstance bug; if (highbit) { bug = new BugInstance(this, "BIT_SIGNED_CHECK_HIGH_BIT", (seen == Const.IFLE || seen == Const.IFGT) ? HIGH_PRIORITY : NORMAL_PRIORITY); } else { bug = new BugInstance(this, "BIT_SIGNED_CHECK", onlyLowBits ? LOW_PRIORITY : NORMAL_PRIORITY); bug.addClassAndMethod(this).addString(toHex(arg1)+" ("+arg1+")").addSourceLine(this); bugReporter.reportBug(bug); BugInstance bug = new BugInstance(this, t, HIGH_PRIORITY).addClassAndMethod(this); if (!"BIT_AND_ZZ".equals(t)) { bug.addString(toHex(arg1)).addString(toHex(arg2));
BugInstance bug = new BugInstance(DumbMethods.this, bugPattern, NORMAL_PRIORITY).addClassAndMethod(DumbMethods.this) .addCalledMethod(DumbMethods.this) .addString("Passing String constant as value that should be null checked").describe(StringAnnotation.STRING_MESSAGE) .addString((String) o).describe(StringAnnotation.STRING_CONSTANT_ROLE); if (secondArgument != null) { bug.addValueSource(secondArgument, DumbMethods.this); BugInstance bug = new BugInstance(DumbMethods.this, bugPattern, NORMAL_PRIORITY).addClassAndMethod(DumbMethods.this) .addCalledMethod(DumbMethods.this).addString("Passing String constant as value that should be null checked").describe(StringAnnotation.STRING_MESSAGE) .addString((String) o).describe(StringAnnotation.STRING_CONSTANT_ROLE); if (secondArgument != null) { bug.addValueSource(secondArgument, DumbMethods.this);
/**
 * Field-level visit, active only when {@code testingEnabled}: a {@code long}
 * constant field whose value equals {@code MICROS_PER_DAY_OVERFLOWED_AS_INT}
 * is reported as a high-priority {@code TESTING} bug suggesting the author
 * meant the (non-overflowed) microseconds-per-day value.
 *
 * @param field the field being visited
 */
@Override
public void visit(Field field) {
    ConstantValue initializer = field.getConstantValue();
    if (initializer == null) {
        return;
    }
    Constant pooled = getConstantPool().getConstant(initializer.getConstantValueIndex());
    if (!testingEnabled || !(pooled instanceof ConstantLong)) {
        return;
    }
    long literal = ((ConstantLong) pooled).getBytes();
    if (literal != MICROS_PER_DAY_OVERFLOWED_AS_INT) {
        return;
    }
    BugInstance bug = new BugInstance(this, "TESTING", HIGH_PRIORITY)
            .addClass(this)
            .addField(this)
            .addString("Did you mean MICROS_PER_DAY")
            .addInt(MICROS_PER_DAY_OVERFLOWED_AS_INT)
            .describe(IntAnnotation.INT_VALUE);
    bugReporter.reportBug(bug);
}
@Override
if (seen == Const.INVOKEINTERFACE && getClassConstantOperand().equals("java/sql/Connection") && getMethodDescriptorOperand().getName().equals("prepareStatement") && hasConstantArguments()) { matched.put(getPC(), new BugInstance(this, "IIL_PREPARE_STATEMENT_IN_LOOP", NORMAL_PRIORITY).addClassAndMethod(this) .addSourceLine(this, getPC()).addCalledMethod(this)); } else if (seen == Const.INVOKEINTERFACE && getMethodDescriptorOperand().equals(NODELIST_GET_LENGTH)) { if(returnValueOf != null && returnValueOf.getClassName().startsWith("org.w3c.dom.") && returnValueOf.getName().startsWith("getElementsByTagName")) { matched.put(getPC(), new BugInstance(this, "IIL_ELEMENTS_GET_LENGTH_IN_LOOP", NORMAL_PRIORITY).addClassAndMethod(this) .addSourceLine(this, getPC()).addCalledMethod(this)); sources.put(getPC(), item.getPC()); .equals(PATTERN_COMPILE_2)) && hasConstantArguments()) { String regex = getFirstArgument(); matched.put(getPC(), new BugInstance(this, "IIL_PATTERN_COMPILE_IN_LOOP", NORMAL_PRIORITY).addClassAndMethod(this) .addSourceLine(this, getPC()).addCalledMethod(this).addString(regex).describe(StringAnnotation.REGEX_ROLE)); } else if ((seen == Const.INVOKESTATIC || seen == Const.INVOKEVIRTUAL) && implicitPatternMethods.contains(getMethodDescriptorOperand())) { String regex = getFirstArgument(); if (regex != null && !(getNameConstantOperand().equals("split") && isFastPath(regex))) { BugInstance bug = new BugInstance(this, "IIL_PATTERN_COMPILE_IN_LOOP_INDIRECT", LOW_PRIORITY) .addClassAndMethod(this).addSourceLine(this, getPC()).addCalledMethod(this).addString(regex) .describe(StringAnnotation.REGEX_ROLE); matched.put(getPC(), bug);
bugReporter.reportBug(new BugInstance(this, XXE_DTD_TRANSFORM_FACTORY_TYPE, Priorities.NORMAL_PRIORITY) // .addClass(this).addMethod(this).addSourceLine(this) .addString(simpleClassName + "." + method + "(...)")); bugReporter.reportBug(new BugInstance(this, XXE_XSLT_TRANSFORM_FACTORY_TYPE, Priorities.NORMAL_PRIORITY) // .addClass(this).addMethod(this).addSourceLine(this) .addString(simpleClassName + "." + method + "(...)"));
String ref = getClassName(obj, i); if ((ref.startsWith("java") || ref.startsWith("org.w3c.dom")) && !defined.contains(ref)) { bugReporter.reportBug(new BugInstance(this, "VR_UNRESOLVABLE_REFERENCE", NORMAL_PRIORITY).addClass(obj) .addString(ref)); JavaClass target = Repository.lookupClass(className); if (!find(target, name, signature)) { bugReporter.reportBug(new BugInstance(this, "VR_UNRESOLVABLE_REFERENCE", NORMAL_PRIORITY).addClass(obj) .addString(getMemberName(target.getClassName(), name, signature)));
String password = operandValue.getConstantString(); if (password.length() == 0) { bugAccumulator.accumulateBug(new BugInstance(this, "DMI_EMPTY_DB_PASSWORD", NORMAL_PRIORITY) .addClassAndMethod(methodGen, sourceFile), classContext, methodGen, sourceFile, location); } else { bugAccumulator.accumulateBug(new BugInstance(this, "DMI_CONSTANT_DB_PASSWORD", NORMAL_PRIORITY) .addClassAndMethod(methodGen, sourceFile), classContext, methodGen, sourceFile, location); bugAccumulator.accumulateBug(new BugInstance(this, "DMI_USELESS_SUBSTRING", NORMAL_PRIORITY) .addClassAndMethod(methodGen, sourceFile), classContext, methodGen, sourceFile, location); bugAccumulator.accumulateBug(new BugInstance(this, "DMI_HARDCODED_ABSOLUTE_FILENAME", priority) .addClassAndMethod(methodGen, sourceFile).addString(v).describe("FILE_NAME"), classContext, methodGen, sourceFile, location);