/** * Is instruction at given location a store? * * @param location * the location * @return true if instruction at given location is a store, false if not */ private boolean isStore(Location location) { Instruction ins = location.getHandle().getInstruction(); return (ins instanceof StoreInstruction) || (ins instanceof IINC); }
private boolean hasManyPreceedingNullTests(int pc) { int ifNullTests = 0; BitSet seen = new BitSet(); try { for (Iterator<Location> i = classContext.getCFG(method).locationIterator(); i.hasNext();) { Location loc = i.next(); int pc2 = loc.getHandle().getPosition(); if (pc2 >= pc || pc2 < pc - 30) { continue; } Instruction ins = loc.getHandle().getInstruction(); if ((ins instanceof IFNONNULL || ins instanceof IFNULL || ins instanceof NullnessConversationInstruction) && !seen.get(pc2)) { ifNullTests++; seen.set(pc2); } } boolean result = ifNullTests > 2; // System.out.println("Preceding null tests " + ifNullTests + " " + // ifNonnullTests + " " + result); return result; } catch (CFGBuilderException e) { return false; } }
InvokeInstruction inv = (InvokeInstruction) location.getHandle().getInstruction(); if (inv instanceof INVOKEDYNAMIC) { Iterator<String> parameterIterator = sigParser.parameterSignatureIterator(); for (int i = 0; i < numParams; i++) { String parameterSignature = parameterIterator.next(); char firstChar = parameterSignature.charAt(0); if (firstChar != 'L' && firstChar != '[') { .getHandle().getPosition()); int catchSizeNFE = Util.getSizeOfSurroundingTryBlock(method, "java/lang/NumberFormatException", location .getHandle().getPosition()); if (catchSizeNPE == Integer.MAX_VALUE && (!"java.lang.Integer".equals(called.getClassName()) || catchSizeNFE == Integer.MAX_VALUE)) {
for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location location = nextLocation(i, cpg); Instruction inst = location.getHandle().getInstruction(); ICONST iconst = ByteCode.getPrevInstruction(location.getHandle(), ICONST.class); if (iconst != null) { int mode = iconst.getValue().intValue(); for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location location = nextLocation(i, cpg); Instruction inst = location.getHandle().getInstruction();
private static Map<InstructionHandle, Call> buildCallMap(CFG cfg, ConstantPoolGen cpg) { Map<InstructionHandle, Call> callMap = new HashMap<>(); for (Iterator<Location> i = cfg.locationIterator(); i.hasNext();) { InstructionHandle handle = i.next().getHandle(); Instruction ins = handle.getInstruction(); if (ins instanceof InvokeInstruction) { InvokeInstruction inv = (InvokeInstruction) ins; Call call = new Call(inv.getClassName(cpg), inv.getName(cpg), inv.getSignature(cpg)); callMap.put(handle, call); } } return callMap; }
if (derefLocationSet.size() == 1) { Location loc = derefLocationSet.iterator().next(); source = knownNullLocations.iterator().next().getEndBytecode(); int pos = loc.getHandle().getPosition(); if (pos != source + 3) { Location assignedNull = assignedNullLocationSet.iterator().next(); SourceLineAnnotation sourceLineAnnotation = SourceLineAnnotation.fromVisitedInstruction(classContext, method, assignedNull);
/** * Is instruction at given location a load? * * @param location * the location * @return true if instruction at given location is a load, false if not */ private boolean isLoad(Location location) { Instruction ins = location.getHandle().getInstruction(); return (ins instanceof LoadInstruction) || (ins instanceof IINC); }
private void registerInstructionSinks() throws DataflowAnalysisException { TypeQualifierAnnotation returnValueAnnotation = null; if (!xmethod.getSignature().endsWith(")V")) { returnValueAnnotation = TypeQualifierApplications.getEffectiveTypeQualifierAnnotation(xmethod, typeQualifierValue); } for (Iterator<Location> i = cfg.locationIterator(); i.hasNext();) { Location location = i.next(); Instruction ins = location.getHandle().getInstruction(); if (ins instanceof ReturnInstruction && !(ins instanceof RETURN)) { // Return instruction which returns a value modelReturn(returnValueAnnotation, location); } else { short opcode = ins.getOpcode(); if (opcode == Const.PUTFIELD || opcode == Const.PUTSTATIC) { modelFieldStore(location); } else if (location.getHandle().getInstruction() instanceof InvokeInstruction) { modelArguments(location); } } } }
/** * Get a Collection of Locations which specify the instruction at given * bytecode offset. * * @param offset * the bytecode offset * @return all Locations referring to the instruction at that offset */ public Collection<Location> getLocationsContainingInstructionWithOffset(int offset) { LinkedList<Location> result = new LinkedList<>(); for (Iterator<Location> i = locationIterator(); i.hasNext();) { Location location = i.next(); if (location.getHandle().getPosition() == offset) { result.add(location); } } return result; }
private boolean isConstantStringLoad(Location location, ConstantPoolGen cpg) { Instruction ins = location.getHandle().getInstruction(); if (ins instanceof LDC) { LDC load = (LDC) ins; Object value = load.getValue(cpg); if (value instanceof String) { return true; } } return false; }
private void analyzeMethod(ClassContext classContext, Method method) throws CFGBuilderException, ClassNotFoundException, DataflowAnalysisException { CFG cfg = classContext.getCFG(method); for (Iterator<Location> i = cfg.locationIterator(); i.hasNext();) { Location location = i.next(); Instruction ins = location.getHandle().getInstruction(); if (ins instanceof InvokeInstruction) { if (TARGET_METHOD != null && !((InvokeInstruction) ins).getMethodName(classContext.getConstantPoolGen()).equals(TARGET_METHOD)) { continue; } System.out.println("\n*******************************************************\n"); System.out.println("Method invocation: " + location.getHandle()); System.out.println("\tInvoking: " + SignatureConverter.convertMethodSignature((InvokeInstruction) ins, classContext.getConstantPoolGen())); JavaClassAndMethod proto = Hierarchy.findInvocationLeastUpperBound((InvokeInstruction) ins, classContext.getConstantPoolGen()); if (proto == null) { System.out.println("\tUnknown prototype method"); } else { System.out.println("\tPrototype method: class=" + proto.getJavaClass().getClassName() + ", method=" + proto.getMethod()); } Set<JavaClassAndMethod> calledMethodSet = Hierarchy.resolveMethodCallTargets((InvokeInstruction) ins, classContext.getTypeDataflow(method).getFactAtLocation(location), classContext.getConstantPoolGen()); System.out.println("\tTarget method set: " + calledMethodSet); } } }
private boolean mightCloseResource(ClassContext classContext, Method method, ResourceTrackerType resourceTracker) throws CFGBuilderException, DataflowAnalysisException { CFG cfg = classContext.getCFG(method); ConstantPoolGen cpg = classContext.getConstantPoolGen(); for (Iterator<Location> i = cfg.locationIterator(); i.hasNext();) { Location location = i.next(); if (resourceTracker.mightCloseResource(location.getBasicBlock(), location.getHandle(), cpg)) { return true; } } return false; }
private void registerLDCValueSource(Location location) throws DataflowAnalysisException { LDC instruction = (LDC) location.getHandle().getInstruction(); Object constantValue = instruction.getValue(cpg); registerConstantSource(location, constantValue); } private void registerLDC2ValueSource(Location location) throws DataflowAnalysisException {
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException, DataflowAnalysisException { ConstantPoolGen cpg = classContext.getConstantPoolGen(); CFG cfg = classContext.getCFG(m); for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location location = i.next(); Instruction inst = location.getHandle().getInstruction(); if (inst instanceof LDC) { LDC ldc = (LDC) inst; if (ldc != null) { if("java.naming.security.authentication".equals(ldc.getValue(cpg)) && "none".equals(ByteCode.getConstantLDC(location.getHandle().getNext(), cpg, String.class))){ JavaClass clz = classContext.getJavaClass(); bugReporter.reportBug(new BugInstance(this, LDAP_ANONYMOUS, Priorities.LOW_PRIORITY) // .addClass(clz) .addMethod(clz, m) .addSourceLine(classContext, m, location)); break; } } } } }
/** * Get a Location matching the given PC value. Because of JSR subroutines, * there may be multiple Locations referring to the given instruction. This * method simply returns one of them arbitrarily. * * @param classContext * the ClassContext containing the method * @param method * the method * @param pc * a PC value of an instruction in the method * @return a Location corresponding to the PC value, or null if no such * Location can be found * @throws CFGBuilderException */ private static Location pcToLocation(ClassContext classContext, Method method, int pc) throws CFGBuilderException { CFG cfg = classContext.getCFG(method); for (Iterator<Location> i = cfg.locationIterator(); i.hasNext();) { Location location = i.next(); if (location.getHandle().getPosition() == pc) { return location; } } return null; }
private void registerLDC2ValueSource(Location location) throws DataflowAnalysisException { LDC2_W instruction = (LDC2_W) location.getHandle().getInstruction(); Object constantValue = instruction.getValue(cpg); registerConstantSource(location, constantValue); } private void registerPushNullSource(Location location) throws DataflowAnalysisException {
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException{ JavaClass clazz = classContext.getJavaClass(); ConstantPoolGen cpg = classContext.getConstantPoolGen(); CFG cfg = classContext.getCFG(m); for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location loc = i.next(); Instruction inst = loc.getHandle().getInstruction(); if (inst instanceof INVOKEVIRTUAL) { INVOKEVIRTUAL invoke = (INVOKEVIRTUAL)inst; if( "java.lang.StringBuilder".equals(invoke.getClassName(cpg)) && "append".equals(invoke.getMethodName(cpg))) { Instruction prev = loc.getHandle().getPrev().getInstruction(); if (prev instanceof LDC) { LDC ldc = (LDC)prev; Object value = ldc.getValue(cpg); if (value instanceof String) { String v = (String)value; if ("redirect:".equals(v)) { BugInstance bug = new BugInstance(this, SPRING_UNVALIDATED_REDIRECT_TYPE, Priorities.NORMAL_PRIORITY); bug.addClass(clazz).addMethod(clazz,m).addSourceLine(classContext,m,loc); reporter.reportBug(bug); } } } } } } }