private boolean isStringAppend(Instruction ins, ConstantPoolGen cpg) { if (ins instanceof INVOKEVIRTUAL) { INVOKEVIRTUAL invoke = (INVOKEVIRTUAL) ins; if ("append".equals(invoke.getMethodName(cpg)) && invoke.getClassName(cpg).startsWith("java.lang.StringB")) { String sig = invoke.getSignature(cpg); char firstChar = sig.charAt(1); return firstChar == '[' || firstChar == 'L'; } } return false; }
@Override public void visitINVOKEVIRTUAL(INVOKEVIRTUAL obj) { if ("cast".equals(obj.getMethodName(cpg)) && "java.lang.Class".equals(obj.getClassName(cpg))) { // treat as no-op try { ValueNumberFrame frame = getFrame(); ValueNumber resultType = frame.popValue(); frame.popValue(); frame.pushValue(resultType); } catch (DataflowAnalysisException e) { AnalysisContext.logError("oops", e); } return; } handleNormalInstruction(obj); }
public boolean preScreen(MethodGen mg) { ConstantPoolGen cpg = mg.getConstantPool(); int lockCount = mg.isSynchronized() ? 1 : 0; boolean sawWaitOrNotify = false; InstructionHandle handle = mg.getInstructionList().getStart(); while (handle != null && !(lockCount >= 2 && sawWaitOrNotify)) { Instruction ins = handle.getInstruction(); if (ins instanceof MONITORENTER) { ++lockCount; } else if (ins instanceof INVOKEVIRTUAL) { INVOKEVIRTUAL inv = (INVOKEVIRTUAL) ins; String methodName = inv.getMethodName(cpg); if ("wait".equals(methodName) || methodName.startsWith("notify")) { sawWaitOrNotify = true; } } handle = handle.getNext(); } return lockCount >= 2 && sawWaitOrNotify; }
"init".equals(invoke.getMethodName(cpg))) { ICONST iconst = ByteCode.getPrevInstruction(location.getHandle(), ICONST.class); if (iconst != null) { "getIV".equals(invoke.getMethodName(cpg))) { ivFetchFromCipher = true; INVOKEVIRTUAL invoke = (INVOKEVIRTUAL) inst; if ("java.security.SecureRandom".equals(invoke.getClassName(cpg)) && "nextBytes".equals(invoke.getMethodName(cpg))) { foundSafeIvGeneration = true;
if ("java.security.MessageDigest".equals(invoke.getClassName(cpg)) && "digest".equals(invoke.getMethodName(cpg))) { invokeMessageDigest = true;
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException{ JavaClass clazz = classContext.getJavaClass(); ConstantPoolGen cpg = classContext.getConstantPoolGen(); CFG cfg = classContext.getCFG(m); for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location loc = i.next(); Instruction inst = loc.getHandle().getInstruction(); if (inst instanceof INVOKEVIRTUAL) { INVOKEVIRTUAL invoke = (INVOKEVIRTUAL)inst; if( "java.lang.StringBuilder".equals(invoke.getClassName(cpg)) && "append".equals(invoke.getMethodName(cpg))) { Instruction prev = loc.getHandle().getPrev().getInstruction(); if (prev instanceof LDC) { LDC ldc = (LDC)prev; Object value = ldc.getValue(cpg); if (value instanceof String) { String v = (String)value; if ("redirect:".equals(v)) { BugInstance bug = new BugInstance(this, SPRING_UNVALIDATED_REDIRECT_TYPE, Priorities.NORMAL_PRIORITY); bug.addClass(clazz).addMethod(clazz,m).addSourceLine(classContext,m,loc); reporter.reportBug(bug); } } } } } } }
if ("javax.crypto.KeyGenerator".equals(invoke.getClassName(cpg)) && "init".equals(invoke.getMethodName(cpg))) { Number n = null;
String methodName = invokeVirtual.getMethodName(classContext.getConstantPoolGen()); String methodSig = invokeVirtual.getSignature(classContext.getConstantPoolGen()); if (!"close".equals(methodName)) {
INVOKEVIRTUAL invoke = (INVOKEVIRTUAL) nextInst; String methodNameWithSignature = invoke.getClassName(cpg) + "." + invoke.getMethodName(cpg);
INVOKEVIRTUAL iv = (INVOKEVIRTUAL) ins; String methodName = iv.getMethodName(cpg); String methodSig = iv.getSignature(cpg); if ("wait".equals(methodName)
private boolean isStringAppend(Instruction ins, ConstantPoolGen cpg) { if (ins instanceof INVOKEVIRTUAL) { INVOKEVIRTUAL invoke = (INVOKEVIRTUAL) ins; if ("append".equals(invoke.getMethodName(cpg)) && invoke.getClassName(cpg).startsWith("java.lang.StringB")) { String sig = invoke.getSignature(cpg); char firstChar = sig.charAt(1); return firstChar == '[' || firstChar == 'L'; } } return false; }
private Map<String, List<Location>> get_line_location(Method m, ClassContext classContext){ HashMap<String, List<Location>> all_line_location = new HashMap<>(); ConstantPoolGen cpg = classContext.getConstantPoolGen(); CFG cfg = null; try { cfg = classContext.getCFG(m); } catch (CFGBuilderException e) { e.printStackTrace(); return all_line_location; } for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location loc = i.next(); Instruction inst = loc.getHandle().getInstruction(); if(inst instanceof INVOKEVIRTUAL) { INVOKEVIRTUAL invoke = (INVOKEVIRTUAL) inst; // if (classname.equals(invoke.getClassName(cpg)) && // methodName.equals(invoke.getMethodName(cpg))) { if(all_line_location.containsKey(invoke.getMethodName(cpg))){ all_line_location.get(invoke.getMethodName(cpg)).add(loc); }else { LinkedList<Location> loc_list = new LinkedList<>(); loc_list.add(loc); all_line_location.put(invoke.getMethodName(cpg), loc_list); } // } } } return all_line_location; }
public static String getCallMethodName(Instruction ins, ConstantPoolGen cp) { if (ins instanceof INVOKESTATIC) { INVOKESTATIC invst = (INVOKESTATIC) ins; return invst.getMethodName(cp); } else if (ins instanceof INVOKEVIRTUAL) { INVOKEVIRTUAL invst = (INVOKEVIRTUAL) ins; return invst.getMethodName(cp); } else if (ins instanceof INVOKEINTERFACE) { INVOKEINTERFACE invst = (INVOKEINTERFACE) ins; return invst.getMethodName(cp); } else if (ins instanceof INVOKESPECIAL) { INVOKESPECIAL invst = (INVOKESPECIAL) ins; return invst.getMethodName(cp); } else { return null; } }
public boolean preScreen(MethodGen mg) { ConstantPoolGen cpg = mg.getConstantPool(); int lockCount = mg.isSynchronized() ? 1 : 0; boolean sawWaitOrNotify = false; InstructionHandle handle = mg.getInstructionList().getStart(); while (handle != null && !(lockCount >= 2 && sawWaitOrNotify)) { Instruction ins = handle.getInstruction(); if (ins instanceof MONITORENTER) { ++lockCount; } else if (ins instanceof INVOKEVIRTUAL) { INVOKEVIRTUAL inv = (INVOKEVIRTUAL) ins; String methodName = inv.getMethodName(cpg); if ("wait".equals(methodName) || methodName.startsWith("notify")) { sawWaitOrNotify = true; } } handle = handle.getNext(); } return lockCount >= 2 && sawWaitOrNotify; }
@Override public void visitINVOKEVIRTUAL(INVOKEVIRTUAL obj) { if ("cast".equals(obj.getMethodName(cpg)) && "java.lang.Class".equals(obj.getClassName(cpg))) { // treat as no-op try { ValueNumberFrame frame = getFrame(); ValueNumber resultType = frame.popValue(); frame.popValue(); frame.pushValue(resultType); } catch (DataflowAnalysisException e) { AnalysisContext.logError("oops", e); } return; } handleNormalInstruction(obj); }
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException{ JavaClass clazz = classContext.getJavaClass(); ConstantPoolGen cpg = classContext.getConstantPoolGen(); CFG cfg = classContext.getCFG(m); for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location loc = i.next(); Instruction inst = loc.getHandle().getInstruction(); if (inst instanceof INVOKEVIRTUAL) { INVOKEVIRTUAL invoke = (INVOKEVIRTUAL)inst; if( "java.lang.StringBuilder".equals(invoke.getClassName(cpg)) && "append".equals(invoke.getMethodName(cpg))) { Instruction prev = loc.getHandle().getPrev().getInstruction(); if (prev instanceof LDC) { LDC ldc = (LDC)prev; Object value = ldc.getValue(cpg); if (value instanceof String) { String v = (String)value; if ("redirect:".equals(v)) { BugInstance bug = new BugInstance(this, SPRING_UNVALIDATED_REDIRECT_TYPE, Priorities.NORMAL_PRIORITY); bug.addClass(clazz).addMethod(clazz,m).addSourceLine(classContext,m,loc); reporter.reportBug(bug); } } } } } } }
/** Checks if the constraints of operands of the said instruction(s) are satisfied. */ public void visitINVOKEVIRTUAL(INVOKEVIRTUAL o){ // INVOKEVIRTUAL is a LoadClass; the Class where the referenced method is declared in, // is therefore resolved/verified. // INVOKEVIRTUAL is an InvokeInstruction, the argument and return types are resolved/verified, // too. So are the allowed method names. String classname = o.getClassName(cpg); JavaClass jc = Repository.lookupClass(classname); Method[] ms = jc.getMethods(); Method m = null; for (int i=0; i<ms.length; i++){ if ( (ms[i].getName().equals(o.getMethodName(cpg))) && (Type.getReturnType(ms[i].getSignature()).equals(o.getReturnType(cpg))) && (objarrayequals(Type.getArgumentTypes(ms[i].getSignature()), o.getArgumentTypes(cpg))) ){ m = ms[i]; break; } } if (m == null){ constraintViolated(o, "Referenced method '"+o.getMethodName(cpg)+"' with expected signature not found in class '"+jc.getClassName()+"'. The native verfier does allow the method to be declared in some superclass or implemented interface, which the Java Virtual Machine Specification, Second Edition does not."); } if (! (jc.isClass())){ constraintViolated(o, "Referenced class '"+jc.getClassName()+"' is an interface, but not a class as expected."); } }
private void analyzeMethod(JavaClass javaClass, Method m, ClassContext classContext) throws CFGBuilderException { MethodGen methodGen = classContext.getMethodGen(m); ConstantPoolGen cpg = classContext.getConstantPoolGen(); CFG cfg = classContext.getCFG(m); if (methodGen == null || methodGen.getInstructionList() == null) { bugReporter.reportBug(new BugInstance(this, WEBVIEW_RECEIVE_SSL_ERROR_TYPE, HIGH_PRIORITY) .addClass(javaClass) .addMethod(javaClass, m) ); } for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location location = i.next(); Instruction inst = location.getHandle().getInstruction(); if (inst instanceof INVOKEVIRTUAL) { INVOKEVIRTUAL invoke = (INVOKEVIRTUAL) inst; String methodName = invoke.getMethodName(cpg); if ("proceed".equals(methodName)) { bugReporter.reportBug(new BugInstance(this, WEBVIEW_RECEIVE_SSL_ERROR_TYPE, HIGH_PRIORITY) .addClass(javaClass) .addMethod(javaClass, m) .addCalledMethod(cpg, invoke) .addSourceLine(classContext, m, location) ); } break; } } } }
INVOKEVIRTUAL invoke = (INVOKEVIRTUAL) nextInst; String methodNameWithSignature = invoke.getClassName(cpg) + "." + invoke.getMethodName(cpg);
/** Checks if the constraints of operands of the said instruction(s) are satisfied. */ @Override public void visitINVOKEVIRTUAL(final INVOKEVIRTUAL o) { try { // INVOKEVIRTUAL is a LoadClass; the Class where the referenced method is declared in, // is therefore resolved/verified. // INVOKEVIRTUAL is an InvokeInstruction, the argument and return types are resolved/verified, // too. So are the allowed method names. final String classname = o.getClassName(cpg); final JavaClass jc = Repository.lookupClass(classname); final Method m = getMethodRecursive(jc, o); if (m == null) { constraintViolated(o, "Referenced method '"+o.getMethodName(cpg)+"' with expected signature '"+ o.getSignature(cpg)+"' not found in class '"+jc.getClassName()+"'."); } if (! (jc.isClass())) { constraintViolated(o, "Referenced class '"+jc.getClassName()+"' is an interface, but not a class as expected."); } } catch (final ClassNotFoundException e) { // FIXME: maybe not the best way to handle this throw new AssertionViolatedException("Missing class: " + e, e); } }