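/**
 * Returns the integer constant held by the opcode-stack item at {@code stackDepth},
 * or {@code defaultValue} when the stack is too shallow or the item's constant is
 * not an {@link Integer}.
 *
 * @param stackDepth   offset on the opcode stack (0 = top of stack)
 * @param defaultValue value returned when no integer constant can be determined
 * @return the constant's int value, or {@code defaultValue}
 */
private int getIntValue(int stackDepth, int defaultValue) {
    // Valid offsets are 0 .. depth-1, so an offset equal to the depth is out of range;
    // the original guard used '<' and would have indexed one past the stack.
    if (stack.getStackDepth() <= stackDepth) {
        return defaultValue;
    }
    OpcodeStack.Item it = stack.getStackItem(stackDepth);
    Object value = it.getConstant();
    // instanceof is false for null, so no separate null check is needed
    if (!(value instanceof Integer)) {
        return defaultValue;
    }
    return ((Integer) value).intValue();
}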
/**
 * Reports RPC_ENABLED_EXTENSIONS when the matched virtual call receives either an
 * Integer constant of 1 or an argument whose constant value is unknown (null).
 *
 * @param seen the opcode being visited
 */
@Override
public void sawOpcode(int seen) {
    if (seen != Const.INVOKEVIRTUAL || !ENABLE_EXTENSIONS.matches(this)) {
        return;
    }
    // The argument has an Integer signature; read the constant once and keep the
    // instanceof guard so the cast below cannot throw.
    Object constant = stack.getStackItem(0).getConstant();
    boolean valueUnknown = constant == null;
    boolean valueIsOne = constant instanceof Integer && ((Integer) constant).intValue() == 1;
    if (valueUnknown || valueIsOne) {
        bugReporter.reportBug(new BugInstance(this, RPC_ENABLED_EXTENSIONS, Priorities.HIGH_PRIORITY) //
                .addClass(this).addMethod(this).addSourceLine(this));
    }
}
}
/**
 * Reports DC_PARTIALLY_CONSTRUCTED when the stack item at {@code arg} is the field
 * currently under double-check, then advances {@code stage}.
 *
 * @param arg offset of the stack item to inspect (0 = top of stack)
 */
private void checkStackValue(int arg) {
    Item item = getStack().getStackItem(arg);
    // NOTE(review): reference comparison on XField, as in the original — relies on
    // XField instances being canonical; confirm before changing to equals().
    if (item.getXField() != currentDoubleCheckField) {
        return;
    }
    BugInstance bug = new BugInstance(this, "DC_PARTIALLY_CONSTRUCTED", NORMAL_PRIORITY)
            .addClassAndMethod(this)
            .addField(currentDoubleCheckField).describe("FIELD_ON")
            .addSourceLine(this)
            .addSourceLine(this, assignPC).describe("SOURCE_LINE_STORED");
    bugReporter.reportBug(bug);
    stage++;
}
}
&& getClassConstantOperand().contains("Set") || (seen == Const.INVOKEVIRTUAL || seen == Const.INVOKEINTERFACE) && "addAll".equals(getNameConstantOperand()) && "(Ljava/util/Collection;)Z".equals(getSigConstantOperand())) { OpcodeStack.Item top = stack.getStackItem(0); XMethod returnValueOf = top.getReturnValueOf(); if (returnValueOf != null && "entrySet".equals(returnValueOf.getName())) { && stack.getStackDepth() > 0) { OpcodeStack.Item item0 = stack.getStackItem(0); if (item0.getSignature().charAt(0) == '[') { bugReporter.reportBug(new BugInstance(this, "DMI_INVOKING_HASHCODE_ON_ARRAY", NORMAL_PRIORITY) .addClassAndMethod(this).addValueSource(item0, this).addSourceLine(this)); if (stack.getStackDepth() > 1) { OpcodeStack.Item item0 = stack.getStackItem(0); OpcodeStack.Item item1 = stack.getStackItem(1); imul_constant = adjustMultiplier(item0.getConstant(), imul_constant); imul_constant = adjustMultiplier(item1.getConstant(), imul_constant); Item index = stack.getStackItem(0); if (index.getSpecialKind() == Item.AVERAGE_COMPUTED_USING_DIVISION) { SourceLineAnnotation where; if (seen == Const.IADD && (getNextOpcode() == Const.ISHL || getNextOpcode() == Const.LSHL) && stack.getStackDepth() >=3) { OpcodeStack.Item l = stack.getStackItem(2); OpcodeStack.Item v = stack.getStackItem(1); Object constantValue = v.getConstant(); .addClassAndMethod(this) .addInt(c).describe(IntAnnotation.INT_SHIFT)
} else { prio = NORMAL_PRIORITY; Object constantValue = stack.getStackItem(0).getConstant(); if (constantValue instanceof Number) { long value = ((Number) constantValue).longValue(); BugInstance bug = new BugInstance(this, type, prio).addClass(this).addMethod(this).addCalledMethod(this) .addMethod(shouldCall).describe("SHOULD_CALL"); bugAccumulator.accumulateBug(bug, this);
XField xField = getXFieldOperand(); if (xField != null && xField.getClassDescriptor().equals(getClassDescriptor())) { Item first = stack.getStackItem(0); fieldWarningList.add(new BugInstance(this, "SE_BAD_FIELD_STORE", priority) .addClass(getThisClass().getClassName()).addField(f).addType(genSig) .describe("TYPE_FOUND").addSourceLine(this));
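/**
 * Reports LDAP_ENTRY_POISONING when the matched SearchControls constructor or setter
 * is called with an Integer constant of 1 at the position of interest (the form in
 * which a boolean {@code true} argument appears on the opcode stack).
 *
 * @param seen the opcode being visited
 */
@Override
public void sawOpcode(int seen) {
    boolean shouldReportBug = false;
    if (seen == INVOKESPECIAL) {
        if (PATTERN_SEARCH_CONTROLS_INIT.matches(this)) {
            // constructor: the flag of interest is the second item from the top of the stack
            shouldReportBug = isConstantOne(stack.getStackItem(1));
        }
    } else if (seen == INVOKEVIRTUAL) {
        if (PATTERN_SEARCH_CONTROLS_SETTER.matches(this)) {
            // setter: the flag is the only argument, on top of the stack
            shouldReportBug = isConstantOne(stack.getStackItem(0));
        }
    }
    if (shouldReportBug) {
        bugReporter.reportBug(new BugInstance(this, LDAP_ENTRY_POISONING, Priorities.NORMAL_PRIORITY) //
                .addClass(this).addMethod(this).addSourceLine(this));
    }
}

/** Returns true when the item's constant is the Integer 1; false for null or any other type. */
private static boolean isConstantOne(OpcodeStack.Item item) {
    // Integer.equals already rejects null and non-Integer values, so the former
    // 'instanceof Integer' pre-check was redundant.
    return Integer.valueOf(1).equals(item.getConstant());
}
}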
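/**
 * Accumulates DMI_COLLECTION_OF_URLS when the called method is one of
 * {@code methodNames}, the stack item at {@code url} is a {@code java.net.URL} and
 * the item at {@code target} has the signature {@code className}.
 *
 * @param className   JVM type signature expected for the target item
 * @param methodNames candidate method names; must be sorted, since it is searched with
 *                    {@link Arrays#binarySearch}
 * @param target      stack offset of the target item (0 = top of stack)
 * @param url         stack offset of the argument expected to be a URL
 */
void check(String className, String[] methodNames, int target, int url) {
    if (Arrays.binarySearch(methodNames, getNameConstantOperand()) < 0) {
        return;
    }
    // Both offsets are read below; the original guarded only 'target', which left
    // getStackItem(url) out of range whenever url > target on a shallow stack.
    if (stack.getStackDepth() <= Math.max(target, url)) {
        return;
    }
    OpcodeStack.Item targetItem = stack.getStackItem(target);
    OpcodeStack.Item urlItem = stack.getStackItem(url);
    if (!"Ljava/net/URL;".equals(urlItem.getSignature())) {
        return;
    }
    if (!targetItem.getSignature().equals(className)) {
        return;
    }
    accumulator.accumulateBug(new BugInstance(this, "DMI_COLLECTION_OF_URLS", HIGH_PRIORITY)
            .addClassAndMethod(this).addCalledMethod(this), this);
}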
/**
 * After the opcode stack has been updated, remembers the result item of a bitwise
 * and/or (int or long) so later checks can inspect it.
 *
 * @param seen the opcode just processed
 */
@Override
public void afterOpcode(int seen) {
    super.afterOpcode(seen);
    boolean bitwiseAndOr = seen == Const.IAND || seen == Const.LAND
            || seen == Const.IOR || seen == Const.LOR;
    if (bitwiseAndOr && stack.getStackDepth() > 0) {
        bitresultItem = stack.getStackItem(0);
    }
}
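/**
 * Reports INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE for {@code printStackTrace}
 * calls on a class accepted by {@link #isVulnerableClassToPrint}. The overload taking a
 * PrintStream or PrintWriter is reported at normal priority, the no-argument overload at
 * low priority; other overloads are not reported.
 *
 * @param seen the opcode being visited
 */
@Override
public void sawOpcode(int seen) {
    if (seen != Const.INVOKEVIRTUAL) {
        return;
    }
    String fullClassName = getClassConstantOperand();
    String method = getNameConstantOperand();
    if (!isVulnerableClassToPrint(fullClassName) || !"printStackTrace".equals(method)) {
        return;
    }
    int priority;
    if (stack.getStackDepth() > 1) {
        // treated as "has parameters": only the stream/writer overload is reported
        String parameterSignature = stack.getStackItem(0).getSignature();
        if (!"Ljava/io/PrintStream;".equals(parameterSignature)
                && !"Ljava/io/PrintWriter;".equals(parameterSignature)) {
            return;
        }
        priority = Priorities.NORMAL_PRIORITY;
    } else {
        // no parameter: plain printStackTrace()
        priority = Priorities.LOW_PRIORITY;
    }
    // single report site replaces two near-identical BugInstance constructions
    bugReporter.reportBug(new BugInstance(this, INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE_TYPE, priority)
            .addClass(this).addMethod(this).addSourceLine(this));
}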
throw new IllegalArgumentException("Password masking requires stack depth 1, but is " + stackDepth); if (stack.getStackDepth() < stackDepth) { return; OpcodeStack.Item it = stack.getStackItem(stackDepth); Object value = it.getConstant(); if (value == null || !(value instanceof String)) { if (ignorePasswordMasking && dotIsUsed) { priority = NORMAL_PRIORITY; OpcodeStack.Item top = stack.getStackItem(0); Object topValue = top.getConstant(); if (topValue instanceof String) { bugReporter.reportBug(new BugInstance(this, "RE_POSSIBLE_UNINTENDED_PATTERN", priority).addClassAndMethod(this) .addCalledMethod(this).addSourceLine(this));
/**
 * Walks every item currently on the opcode stack and marks as hard-coded those that
 * hold a constant (or the null constant) and are not arrays, and those that have a
 * hard-coded field as their source.
 */
private void markHardCodedItemsFromFlow() {
    for (int depth = 0; depth < stack.getStackDepth(); depth++) {
        OpcodeStack.Item item = stack.getStackItem(depth);
        boolean constantNonArray = (item.getConstant() != null || item.isNull())
                && !item.getSignature().startsWith("[");
        if (constantNonArray) {
            setHardCodedItem(item);
        }
        // kept as a separate call, as in the original: an item may be marked twice
        if (hasHardCodedFieldSource(item)) {
            setHardCodedItem(item);
        }
    }
}
/**
 * Reports a hard-coded-credential sink. The bug type is HARD_CODE_PASSWORD_TYPE when
 * any of the hard-coded arguments is a String or char[], otherwise HARD_CODE_KEY_TYPE.
 * Every offset in {@code offsets} is attached as a parameter annotation with its value
 * source and, when known, its constant value.
 *
 * @param priority bug priority
 * @param offsets  stack offsets (0 = top of stack) of the hard-coded arguments
 */
private void reportBugSink(int priority, Collection<Integer> offsets) {
    String bugType = anyPasswordLikeArgument(offsets) ? HARD_CODE_PASSWORD_TYPE : HARD_CODE_KEY_TYPE;

    BugInstance bug = new BugInstance(this, bugType, priority)
            .addClass(this).addMethod(this)
            .addSourceLine(this).addCalledMethod(this);
    for (Integer offset : offsets) {
        OpcodeStack.Item item = stack.getStackItem(offset);
        bug.addParameterAnnotation(offset, "Hard coded parameter number (in reverse order) is")
                .addFieldOrMethodValueSource(item);
        Object constant = item.getConstant();
        if (constant != null) {
            bug.addString(constant.toString());
        }
    }
    bugReporter.reportBug(bug);
}

/** True when any stack item at the given offsets has a String or char[] signature. */
private boolean anyPasswordLikeArgument(Collection<Integer> offsets) {
    for (Integer offset : offsets) {
        String signature = stack.getStackItem(offset).getSignature();
        if ("Ljava/lang/String;".equals(signature) || "[C".equals(signature)) {
            return true;
        }
    }
    return false;
}
if ("java/io/ObjectOutputStream".equals(calledClassName) && Const.CONSTRUCTOR_NAME.equals(calledMethodName) && "(Ljava/io/OutputStream;)V".equals(calledMethodSig) && stack.getStackItem(0).getSpecialKind() == OpcodeStack.Item.FILE_OPENED_IN_APPEND_MODE) { bugReporter.reportBug(new BugInstance(this, "IO_APPENDING_TO_OBJECT_OUTPUT_STREAM", Priorities.HIGH_PRIORITY) .addClassAndMethod(this).addSourceLine(this)); OpcodeStack.Item item = stack.getStackItem(0); Object value = item.getConstant(); sawOpenInAppendMode = value instanceof Integer && ((Integer) value).intValue() == 1; bugReporter.reportBug(new BugInstance(this, "IO_APPENDING_TO_OBJECT_OUTPUT_STREAM", Priorities.HIGH_PRIORITY) .addClassAndMethod(this).addSourceLine(this)); sawOpenInAppendMode = false; } else {
Item sbItem = null; Item topItem = null; if (getStackDepth() > 0) { topItem = getStackItem(0); Item item = getStackItem(i); String itemSignature = item.getSignature(); if ("Ljava/lang/StringBuilder;".equals(itemSignature) || "Ljava/lang/StringBuffer;".equals(itemSignature)) { if (seen == Const.INVOKESPECIAL && Const.CONSTRUCTOR_NAME.equals(methodName) && clsName.startsWith("java/io") && clsName.endsWith("Writer") && numberArguments > 0) { Item firstArg = getStackItem(numberArguments-1); if (firstArg.isServletWriter()) { initializingServletWriter = true; if (Const.CONSTRUCTOR_NAME.equals(methodName)) { if ("(Ljava/lang/String;)V".equals(signature)) { Item i = getStackItem(0); appenderValue = (String) i.getConstant(); if (i.isServletParameterTainted()) { } else if ("toString".equals(methodName) && getStackDepth() >= 1) { Item i = getStackItem(0); appenderValue = (String) i.getConstant(); if (i.isServletParameterTainted()) { sbItem = getStackItem(1); Item i = getStackItem(0); if (i.isServletParameterTainted() || sbItem.isServletParameterTainted()) {
) { String primitiveType = ClassName.getPrimitiveType(called.getClassDescriptor().getClassName()); XMethod rvo = stack.getStackItem(1).getReturnValueOf(); XField field = stack.getStackItem(1).getXField(); String signature; if (rvo != null) { OpcodeStack.Item left = stack.getStackItem(1); OpcodeStack.Item right = stack.getStackItem(0); checkForCompatibleLongComparison(left, right); checkForCompatibleLongComparison(right, left); case Const.IF_ICMPLT: case Const.IF_ICMPGT: OpcodeStack.Item item0 = stack.getStackItem(0); OpcodeStack.Item item1 = stack.getStackItem(1); if (item0.getConstant() instanceof Integer) { OpcodeStack.Item tmp = item0; if (seen == Const.IFLT && stack.getStackDepth() > 0 && stack.getStackItem(0).getSpecialKind() == OpcodeStack.Item.SIGNED_BYTE) { sawCheckForNonNegativeSignedByte = getPC(); } else { if (seen == Const.IREM) { OpcodeStack.Item top = stack.getStackItem(0); Object constantValue = top.getConstant(); if (constantValue instanceof Number && Util.isPowerOfTwo(((Number) constantValue).intValue())) { String parameter = i.next();
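/**
 * Reports SQL_BAD_RESULTSET_ACCESS / SQL_BAD_PREPARED_STATEMENT_ACCESS when a typed
 * getXXX/updateXXX on ResultSet or setXXX on PreparedStatement is called with a first
 * argument of type int that could be zero (JDBC column and parameter indices are
 * 1-based). Priority is HIGH when the index must be zero, NORMAL when it merely could be.
 *
 * @param seen the opcode being visited
 */
@Override
public void sawOpcode(int seen) {
    if (seen != Const.INVOKEINTERFACE) {
        return;
    }
    String methodName = getNameConstantOperand();
    String clsConstant = getClassConstantOperand();
    if (!isTypedJdbcAccessor(clsConstant, methodName)) {
        return;
    }
    String signature = getSigConstantOperand();
    int numParms = PreorderVisitor.getNumberArguments(signature);
    // A zero-argument match would index the stack at -1; the original had no guard for it.
    if (numParms == 0 || stack.getStackDepth() < numParms) {
        return;
    }
    // Arguments are pushed left to right, so the first argument is the deepest of them.
    OpcodeStack.Item item = stack.getStackItem(numParms - 1);
    if ("I".equals(item.getSignature()) && item.couldBeZero()) {
        String bugType = "java/sql/PreparedStatement".equals(clsConstant)
                ? "SQL_BAD_PREPARED_STATEMENT_ACCESS" : "SQL_BAD_RESULTSET_ACCESS";
        int priority = item.mustBeZero() ? HIGH_PRIORITY : NORMAL_PRIORITY;
        bugReporter.reportBug(new BugInstance(this, bugType, priority)
                .addClassAndMethod(this).addSourceLine(this));
    }
}

/** True for ResultSet.get/updateXXX and PreparedStatement.setXXX where XXX is in dbFieldTypesSet. */
private boolean isTypedJdbcAccessor(String clsConstant, String methodName) {
    if ("java/sql/ResultSet".equals(clsConstant)) {
        return hasKnownTypeSuffix(methodName, "get") || hasKnownTypeSuffix(methodName, "update");
    }
    if ("java/sql/PreparedStatement".equals(clsConstant)) {
        return hasKnownTypeSuffix(methodName, "set");
    }
    return false;
}

/** True when methodName starts with prefix and the remainder is a name in dbFieldTypesSet. */
private boolean hasKnownTypeSuffix(String methodName, String prefix) {
    return methodName.startsWith(prefix) && dbFieldTypesSet.contains(methodName.substring(prefix.length()));
}
}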
switch (seen) { case Const.ATHROW: if (stack.getStackDepth() > 0) { OpcodeStack.Item item = stack.getStackItem(0); String signature = item.getSignature(); if (signature != null && signature.length() > 0) {
/**
 * Reports SPP_NEGATIVE_BITSET_ITEM when clear/flip/get/set is invoked with a negative
 * Integer constant on top of the stack (presumably a java.util.BitSet call; the caller
 * is responsible for that check).
 *
 * @param methodName name of the method being invoked
 */
private void bitSetSilliness(String methodName) {
    boolean indexedMethod = "clear".equals(methodName) || "flip".equals(methodName)
            || "get".equals(methodName) || "set".equals(methodName);
    if (!indexedMethod || stack.getStackDepth() <= 0) {
        return;
    }
    Object constant = stack.getStackItem(0).getConstant();
    if (!(constant instanceof Integer) || ((Integer) constant).intValue() >= 0) {
        return;
    }
    bugReporter.reportBug(new BugInstance(this, BugType.SPP_NEGATIVE_BITSET_ITEM.name(), NORMAL_PRIORITY)
            .addClass(this).addMethod(this).addSourceLine(this));
}
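/**
 * Reports IIO_INEFFICIENT_INDEX_OF / IIO_INEFFICIENT_LAST_INDEX_OF when
 * String.indexOf or lastIndexOf is called with a constant one-character String
 * argument, where the char overload would serve.
 *
 * @param seen the opcode being visited
 */
@Override
public void sawOpcode(int seen) {
    if (seen != Const.INVOKEVIRTUAL || stack.getStackDepth() <= 0
            || !"java/lang/String".equals(getClassConstantOperand())) {
        return;
    }
    boolean lastIndexOf = "lastIndexOf".equals(getNameConstantOperand());
    if (!lastIndexOf && !"indexOf".equals(getNameConstantOperand())) {
        return;
    }
    String sig = getSigConstantOperand();
    int stackOff;
    if ("(Ljava/lang/String;)I".equals(sig)) {
        stackOff = 0; // sig: String -> the String argument is on top
    } else if ("(Ljava/lang/String;I)I".equals(sig)) {
        stackOff = 1; // sig: String, int -> the int is on top, the String below it
    } else {
        return; // other overloads are not of interest
    }
    // the depth check above only guarantees offset 0; guard the deeper offset too
    if (stack.getStackDepth() <= stackOff) {
        return;
    }
    Object o = stack.getStackItem(stackOff).getConstant();
    // instanceof rather than a bare null check: the original's unchecked cast would
    // throw ClassCastException from the detector if the constant were not a String.
    if (o instanceof String && ((String) o).length() == 1) {
        bugReporter.reportBug(new BugInstance(this,
                lastIndexOf ? "IIO_INEFFICIENT_LAST_INDEX_OF" : "IIO_INEFFICIENT_INDEX_OF", LOW_PRIORITY)
                .addClassAndMethod(this)
                .describe(StringAnnotation.STRING_MESSAGE).addCalledMethod(this).addSourceLine(this));
    }
}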