public Stream createStream(Location location, ObjectType type, ConstantPoolGen cpg, RepositoryLookupFailureCallback lookupFailureCallback) { Instruction ins = location.getHandle().getInstruction(); try { if (ins instanceof InvokeInstruction) { if (!Hierarchy.isSubtype(type, baseClassType)) return null; Stream stream = new Stream(location, type.getClassName(), baseClassType.getClassName()) .setIsOpenOnCreation(true) .setIgnoreImplicitExceptions(true); if (bugType != null) stream.setInteresting(bugType); return stream; } } catch (ClassNotFoundException e) { lookupFailureCallback.reportMissingClass(e); } return null; }
public Stream createStream(Location location, ObjectType type, ConstantPoolGen cpg, RepositoryLookupFailureCallback lookupFailureCallback) { Instruction ins = location.getHandle().getInstruction(); if (ins.getOpcode() != Constants.GETSTATIC) return null; GETSTATIC getstatic = (GETSTATIC) ins; if (!className.equals(getstatic.getClassName(cpg)) || !fieldName.equals(getstatic.getName(cpg)) || !fieldSig.equals(getstatic.getSignature(cpg))) return null; return new Stream(location, type.getClassName(), streamBaseClass) .setIgnoreImplicitExceptions(true) .setIsOpenOnCreation(true); }
public void transferInstruction(InstructionHandle handle, BasicBlock basicBlock, ValueNumberFrame fact) throws DataflowAnalysisException { Location location = new Location(handle, basicBlock); ValueNumberFrame atLocation = getFactAtLocation(location); copy(fact, atLocation); visitor.setFrame(fact); visitor.setHandle(handle); Instruction ins = handle.getInstruction(); ins.accept(visitor); ValueNumberFrame afterLocation = getFactAfterLocation(location); copy(fact, afterLocation); }
public void transferInstruction(InstructionHandle handle, BasicBlock basicBlock, LockSet fact) throws DataflowAnalysisException { Instruction ins = handle.getInstruction(); short opcode = ins.getOpcode(); if (opcode == Constants.MONITORENTER || opcode == Constants.MONITOREXIT) { ValueNumberFrame frame = vnaDataflow.getFactAtLocation(new Location(handle, basicBlock)); // NOTE: if the CFG is pruned, there may be unreachable instructions, // so make sure frame is valid. if (frame.isValid()) { int lockNumber = frame.getTopValue().getNumber(); lockOp(fact, lockNumber, opcode == Constants.MONITORENTER ? 1 : -1); } } else if ((ins instanceof ReturnInstruction) && isSynchronized && !isStatic) { lockOp(fact, vna.getThisValue().getNumber(), -1); } }
/** * Check if the readObject is doing multiple external call beyond the basic readByte, readBoolean, etc.. * @param m * @param classContext * @return * @throws CFGBuilderException * @throws DataflowAnalysisException */ private boolean hasCustomReadObject(Method m, ClassContext classContext,List<String> classesToIgnore) throws CFGBuilderException, DataflowAnalysisException { ConstantPoolGen cpg = classContext.getConstantPoolGen(); CFG cfg = classContext.getCFG(m); int count = 0; for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location location = i.next(); Instruction inst = location.getHandle().getInstruction(); //ByteCode.printOpCode(inst,cpg); if(inst instanceof InvokeInstruction) { InvokeInstruction invoke = (InvokeInstruction) inst; if (!READ_DESERIALIZATION_METHODS.contains(invoke.getMethodName(cpg)) && !classesToIgnore.contains(invoke.getClassName(cpg))) { count +=1; } } } return count > 3; }
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException, DataflowAnalysisException { MethodGen methodGen = classContext.getMethodGen(m); ConstantPoolGen cpg = classContext.getConstantPoolGen(); CFG cfg = classContext.getCFG(m); if (methodGen == null || methodGen.getInstructionList() == null) { return; //No instruction .. nothing to do } for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location location = i.next(); Instruction inst = location.getHandle().getInstruction(); if (inst instanceof InvokeInstruction) { InvokeInstruction invoke = (InvokeInstruction) inst; String methodName = invoke.getMethodName(cpg); if ("enableDefaultTyping".equals(methodName)) { JavaClass clz = classContext.getJavaClass(); bugReporter.reportBug(new BugInstance(this, DESERIALIZATION_TYPE, HIGH_PRIORITY) .addClass(clz) .addMethod(clz, m) .addCalledMethod(cpg, invoke) .addSourceLine(classContext, m, location) ); } } } }
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException, DataflowAnalysisException { ConstantPoolGen cpg = classContext.getConstantPoolGen(); CFG cfg = classContext.getCFG(m); for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location location = i.next(); Instruction inst = location.getHandle().getInstruction(); if (inst instanceof LDC) { LDC ldc = (LDC) inst; if (ldc != null) { if("java.naming.security.authentication".equals(ldc.getValue(cpg)) && "none".equals(ByteCode.getConstantLDC(location.getHandle().getNext(), cpg, String.class))){ JavaClass clz = classContext.getJavaClass(); bugReporter.reportBug(new BugInstance(this, LDAP_ANONYMOUS, Priorities.LOW_PRIORITY) // .addClass(clz) .addMethod(clz, m) .addSourceLine(classContext, m, location)); break; } } } } }
public boolean matches(Instruction instruction, ConstantPoolGen cpg) { if(instruction != null && instruction instanceof InvokeInstruction) { InvokeInstruction invokeInstruction = (InvokeInstruction) instruction; if (classesNames.size() != 0 && !classesNames.contains(invokeInstruction.getClassName(cpg))) { return false; } else if (methodNames.size() != 0 && !methodNames.contains(invokeInstruction.getMethodName(cpg))) { return false; } else if (argSignatures.size() != 0 && !argSignatures.contains(invokeInstruction.getSignature(cpg))) { return false; } return true; } return false; }
void rewriteLocal(InstructionHandle fromH, InstructionHandle toH, int oldindex, int newindex) { InstructionHandle h = fromH; if (h.getPrev() != null) { h = h.getPrev(); // This instruction should contain the store. } while (h != null && h != toH) { Instruction ins = h.getInstruction(); if (ins instanceof LocalVariableInstruction) { LocalVariableInstruction lins = (LocalVariableInstruction) ins; if (lins.getIndex() == oldindex) { lins.setIndex(newindex); } } h = h.getNext(); } }
boolean containsSpawnedCall(MethodGen m) { InstructionList code = m.getInstructionList(); if (code == null) { return false; } InstructionHandle ih[] = code.getInstructionHandles(); for (int i = 0; i < ih.length; i++) { Instruction ins = ih[i].getInstruction(); if (ins instanceof INVOKEVIRTUAL) { Method target = self.findMethod((INVOKEVIRTUAL) (ins)); JavaClass cl = self.findMethodClass((INVOKEVIRTUAL) (ins)); if (isSpawnable(target, cl)) { return true; } } } return false; }
InstructionHandle insertDeleteSpawncounter(InstructionList il, InstructionHandle i, int maxLocals) { // In this case, jumps to the return must in fact jump to // the new instruction sequence! So, we change the instruction // at the handle. // First, save the return instruction. Instruction r = i.getInstruction(); i.setInstruction(new ALOAD(maxLocals)); i = il .append(i, ins_f.createInvoke( "ibis.cashmere.impl.spawnSync.SpawnCounter", "deleteSpawnCounter", Type.VOID, new Type[] { spawnCounterType }, Constants.INVOKESTATIC)); i = il.append(i, r); return i; }
private boolean callsSync() { ConstantPoolGen cpg = getConstantPool(); InstructionList instructionList = getInstructionList(); InstructionHandle handle = instructionList.getStart(); while (handle != null) { Instruction ins = handle.getInstruction(); if (ins instanceof INVOKEVIRTUAL) { INVOKEVIRTUAL inv = (INVOKEVIRTUAL) ins; if (inv.getMethodName(cpg).equals("sync") && inv.getSignature(cpg).equals("()V")) { JavaClass cl = findMethodClass(inv, cpg); if (cl != null && cl.getClassName().equals("ibis.cashmere.CashmereObject")) { return true; } } } handle = handle.getNext(); } return false; }
@Override public void onInstruction(Instruction i) { //if (shouldVisit(i)) { if (i instanceof FieldInstruction) { registerCoupling(((FieldInstruction) i).getFieldType(constants())); } else if (i instanceof InvokeInstruction) { final InvokeInstruction ii = (InvokeInstruction) i; registerCoupling(ii.getReferenceType(constants())); Stream.of(ii.getArgumentTypes(constants())).forEach(a -> registerCoupling(a)); registerCoupling(ii.getReturnType(constants())); } /* else if (i instanceof TypedInstruction) { final Type ti = ((TypedInstruction) i).getType(constants()); if (!ti.getSignature().equals("<null object>")) { registerCoupling(ti); } }*/ //} }
public boolean isAssertionHandle(InstructionHandle handle, ConstantPoolGen cpg) { Instruction ins = handle.getInstruction(); if (isAssertionInstruction(ins, cpg)) return true; if (ins instanceof SIPUSH) { int v = ((SIPUSH) ins).getValue().intValue(); if (v == 500) { Instruction next = handle.getNext().getInstruction(); if (next instanceof INVOKEINTERFACE) { INVOKEINTERFACE iInterface = (INVOKEINTERFACE) next; String className = iInterface.getClassName(cpg); String fieldName = iInterface.getMethodName(cpg); if (className.equals("javax.servlet.http.HttpServletResponse") && fieldName.equals("setStatus")) return true; } } } return false; }
private void registerInstructionSinks() throws DataflowAnalysisException { TypeQualifierAnnotation returnValueAnnotation = null; if (!xmethod.getSignature().endsWith(")V")) { returnValueAnnotation = TypeQualifierApplications.getEffectiveTypeQualifierAnnotation(xmethod, typeQualifierValue); } for (Iterator<Location> i = cfg.locationIterator(); i.hasNext();) { Location location = i.next(); Instruction ins = location.getHandle().getInstruction(); if (ins instanceof ReturnInstruction && !(ins instanceof RETURN)) { // Return instruction which returns a value modelReturn(returnValueAnnotation, location); } else { short opcode = ins.getOpcode(); if (opcode == Constants.PUTFIELD || opcode == Constants.PUTSTATIC) { modelFieldStore(location); } else if (location.getHandle().getInstruction() instanceof InvokeInstruction) { modelArguments(location); } } } }
public static boolean isThrower(BasicBlock target) { InstructionHandle ins = target.getFirstInstruction(); int maxCount = 7; while (ins != null) { if (maxCount-- <= 0) break; Instruction i = ins.getInstruction(); if (i instanceof ATHROW) { return true; } if (i instanceof InstructionTargeter || i instanceof ReturnInstruction) return false; ins = ins.getNext(); } return false; }
private StringAppendState updateStringAppendState(Location location, ConstantPoolGen cpg, StringAppendState stringAppendState) { InstructionHandle handle = location.getHandle(); Instruction ins = handle.getInstruction(); if (!isConstantStringLoad(location, cpg)) { throw new IllegalArgumentException("instruction must be LDC"); } LDC load = (LDC) ins; Object value = load.getValue(cpg); String stringValue = ((String) value).trim(); if (stringValue.startsWith(",") || stringValue.endsWith(",")) stringAppendState.setSawComma(handle); if (isCloseQuote(stringValue) && stringAppendState.getSawOpenQuote(handle)) stringAppendState.setSawCloseQuote(handle); if (isOpenQuote(stringValue)) stringAppendState.setSawOpenQuote(handle); return stringAppendState; }
private boolean isPreparedStatementDatabaseSink(Instruction ins, ConstantPoolGen cpg) { if (!(ins instanceof INVOKEINTERFACE)) { return false; } INVOKEINTERFACE invoke = (INVOKEINTERFACE) ins; String methodName = invoke.getMethodName(cpg); String methodSignature = invoke.getSignature(cpg); String interfaceName = invoke.getClassName(cpg); if (methodName.equals("prepareStatement") && interfaceName.equals("java.sql.Connection") && methodSignature.startsWith("(Ljava/lang/String;")) { return true; } return false; }
public boolean preScreen(MethodGen mg) { ConstantPoolGen cpg = mg.getConstantPool(); int lockCount = mg.isSynchronized() ? 1 : 0; boolean sawWaitOrNotify = false; InstructionHandle handle = mg.getInstructionList().getStart(); while (handle != null && !(lockCount >= 2 && sawWaitOrNotify)) { Instruction ins = handle.getInstruction(); if (ins instanceof MONITORENTER) ++lockCount; else if (ins instanceof INVOKEVIRTUAL) { INVOKEVIRTUAL inv = (INVOKEVIRTUAL) ins; String methodName = inv.getMethodName(cpg); if (methodName.equals("wait") || methodName.startsWith("notify")) sawWaitOrNotify = true; } handle = handle.getNext(); } return lockCount >= 2 && sawWaitOrNotify; }
private static boolean apply_permfilter(Instruction instr, PermissionFilter pf, ConstantPoolGen cpgen) { boolean ret = false; if (instr instanceof InvokeInstruction) { InvokeInstruction invoke = (InvokeInstruction) instr; String isig = get_invoke_sig(invoke, cpgen); // Util.log(isig); for (String perm : pf.filters) { boolean used = PermissionMap.checkPermUse(isig, perm); if (used) { Util.log("Matched: " + isig + " <==> " + perm); ret = true; break; } } } return ret; }
private boolean hasManyPreceedingNullTests(int pc) { int ifNullTests = 0; BitSet seen = new BitSet(); try { for (Iterator<Location> i = classContext.getCFG(method).locationIterator(); i.hasNext();) { Location loc = i.next(); int pc2 = loc.getHandle().getPosition(); if (pc2 >= pc || pc2 < pc - 30) continue; Instruction ins = loc.getHandle().getInstruction(); if ((ins instanceof IFNONNULL || ins instanceof IFNULL || ins instanceof NullnessConversationInstruction) && !seen.get(pc2)) { ifNullTests++; seen.set(pc2); } } boolean result = ifNullTests > 2; // System.out.println("Preceeding null tests " + ifNullTests + " " + // ifNonnullTests + " " + result); return result; } catch (CFGBuilderException e) { return false; } }
public Stream createStream(Location location, ObjectType type, ConstantPoolGen cpg, RepositoryLookupFailureCallback lookupFailureCallback) { try { Instruction ins = location.getHandle().getInstruction(); if (ins.getOpcode() != Constants.NEW) return null; if (Hierarchy.isSubtype(type, baseClassType)) { boolean isUninteresting = false; for (int i = 0; i < uninterestingSubclassTypeList.length; ++i) { if (Hierarchy.isSubtype(type, uninterestingSubclassTypeList[i])) { isUninteresting = true; break; } } Stream result = new Stream(location, type.getClassName(), baseClassType.getClassName()) .setIgnoreImplicitExceptions(true); if (!isUninteresting) result.setInteresting(bugType); return result; } } catch (ClassNotFoundException e) { lookupFailureCallback.reportMissingClass(e); } return null; }
public Stream createStream(Location location, ObjectType type, ConstantPoolGen cpg, RepositoryLookupFailureCallback lookupFailureCallback) { Instruction ins = location.getHandle().getInstruction(); if (ins.getOpcode() != Constants.GETFIELD) return null; String fieldClass = type.getClassName(); try { if (fieldClass.startsWith("[")) return null; if (!Hierarchy.isSubtype(fieldClass, streamBaseClass)) return null; Stream stream = new Stream(location, fieldClass, streamBaseClass); stream.setIsOpenOnCreation(true); stream.setOpenLocation(location); if (bugPatternType != null) stream.setInteresting(bugPatternType); //System.out.println("Instance field stream at " + location); return stream; } catch (ClassNotFoundException e) { lookupFailureCallback.reportMissingClass(e); return null; } }
public int getDelta(Instruction ins, ValueNumberFrame frame) throws DataflowAnalysisException { int delta = 0; if (ins instanceof MONITORENTER) { if (frame == null || !isThisValue(frame.getTopValue())) ++delta; } else if (ins instanceof MONITOREXIT) { if (frame == null || !isThisValue(frame.getTopValue())) --delta; } return delta; }
public void transferInstruction(InstructionHandle handle, BasicBlock basicBlock, StackDepth fact) throws DataflowAnalysisException { Instruction ins = handle.getInstruction(); int produced = ins.produceStack(cpg); int consumed = ins.consumeStack(cpg); if (produced == Constants.UNPREDICTABLE || consumed == Constants.UNPREDICTABLE) throw new IllegalStateException("Unpredictable stack delta for instruction: " + handle); int depth = fact.getDepth(); depth += (produced - consumed); if (depth < 0) fact.setDepth(BOTTOM); else fact.setDepth(depth); }
public MatchResult match(InstructionHandle handle, ConstantPoolGen cpg, ValueNumberFrame before, ValueNumberFrame after, BindingSet bindingSet) throws DataflowAnalysisException { Instruction ins = handle.getInstruction(); if (!(ins instanceof NEW)) return null; LocalVariable result = new LocalVariable(after.getTopValue()); return addOrCheckDefinition(result, bindingSet); }
public MatchResult match(InstructionHandle handle, ConstantPoolGen cpg, ValueNumberFrame before, ValueNumberFrame after, BindingSet bindingSet) throws DataflowAnalysisException { // See if the instruction is an InvokeInstruction Instruction ins = handle.getInstruction(); if (!(ins instanceof InvokeInstruction)) return null; InvokeInstruction inv = (InvokeInstruction) ins; String methodName = inv.getMethodName(cpg); boolean isStatic = inv.getOpcode() == Constants.INVOKESTATIC; boolean isCtor = methodName.equals("<init>"); int actualMode = 0; if (isStatic) actualMode |= STATIC; if (isCtor) actualMode |= CONSTRUCTOR; if (!isStatic && !isCtor) actualMode |= INSTANCE; // Intersection of actual and desired modes must be nonempty. if ((actualMode & mode) == 0) return null; // Check class name, method name, and method signature. if (!methodNameMatcher.match(methodName) || !methodSigMatcher.match(inv.getSignature(cpg)) || !classNameMatcher.match(inv.getClassName(cpg))) return null; // It's a match! return new MatchResult(this, bindingSet); }
public MatchResult match(InstructionHandle handle, ConstantPoolGen cpg, ValueNumberFrame before, ValueNumberFrame after, BindingSet bindingSet) throws DataflowAnalysisException { // Instruction must be MONITORENTER. Instruction ins = handle.getInstruction(); if (!(ins instanceof MONITORENTER)) return null; // Ensure the object being locked matches any previous // instructions which bound our variable name to a value. Variable lock = new LocalVariable(before.getTopValue()); return addOrCheckDefinition(lock, bindingSet); }
public int getDelta(Instruction ins, ValueNumberFrame frame) throws DataflowAnalysisException { int delta = 0; if (ins instanceof MONITORENTER) ++delta; else if (ins instanceof MONITOREXIT) --delta; return delta; }
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException{ JavaClass clazz = classContext.getJavaClass(); ConstantPoolGen cpg = classContext.getConstantPoolGen(); CFG cfg = classContext.getCFG(m); for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location loc = i.next(); Instruction inst = loc.getHandle().getInstruction(); if (inst instanceof INVOKEVIRTUAL) { INVOKEVIRTUAL invoke = (INVOKEVIRTUAL)inst; if( "java.lang.StringBuilder".equals(invoke.getClassName(cpg)) && "append".equals(invoke.getMethodName(cpg))) { Instruction prev = loc.getHandle().getPrev().getInstruction(); if (prev instanceof LDC) { LDC ldc = (LDC)prev; Object value = ldc.getValue(cpg); if (value instanceof String) { String v = (String)value; if ("redirect:".equals(v)) { BugInstance bug = new BugInstance(this, SPRING_UNVALIDATED_REDIRECT_TYPE, Priorities.NORMAL_PRIORITY); bug.addClass(clazz).addMethod(clazz,m).addSourceLine(classContext,m,loc); reporter.reportBug(bug); } } } } } } }
@Override public void analyzeInstruction(Instruction ins) throws DataflowAnalysisException { //Print the bytecode instruction if it is globally configured if (FindSecBugsGlobalConfig.getInstance().isDebugPrintInvocationVisited() && ins instanceof InvokeInstruction) { ByteCode.printOpCode(ins, cpg); } else if (FindSecBugsGlobalConfig.getInstance().isDebugPrintInstructionVisited()) { ByteCode.printOpCode(ins, cpg); } super.analyzeInstruction(ins); }
private TaintLocation getTaintLocation() { Instruction inst = getLocation().getHandle().getInstruction(); if(inst instanceof InvokeInstruction) { InvokeInstruction invoke = (InvokeInstruction) inst; String sig = invoke.getClassName(cpg).replaceAll("\\.","/") + "." + invoke.getMethodName(cpg) + invoke.getSignature(cpg); return new TaintLocation(methodDescriptor, getLocation().getHandle().getPosition(), sig); } return new TaintLocation(methodDescriptor, getLocation().getHandle().getPosition(), "Oups!!"); }
/** * This method is used to track calls made on a specific object. For instance, this could be used to track if "setHttpOnly(true)" * was executed on a specific cookie object. * * This allows the detector to find interchanged calls like this * * Cookie cookie1 = new Cookie("f", "foo"); <- This cookie is unsafe * Cookie cookie2 = new Cookie("b", "bar"); <- This cookie is safe * cookie1.setHttpOnly(false); * cookie2.setHttpOnly(true); * * @param cpg ConstantPoolGen * @param startLocation The Location of the cookie initialization call. * @param objectStackLocation The index of the cookie on the stack. * @param invokeInstruction The instruction we want to detect.s * @return The location of the invoke instruction provided for the cookie at a specific index on the stack. */ private Location getCookieInstructionLocation(ConstantPoolGen cpg, Location startLocation, int objectStackLocation, String invokeInstruction) { Location location = startLocation; InstructionHandle handle = location.getHandle(); int loadedStackValue = 0; // Loop until we find the setSecure call for this cookie while (handle.getNext() != null) { handle = handle.getNext(); Instruction nextInst = handle.getInstruction(); // We check if the index of the cookie used for this invoke is the same as the one provided if (nextInst instanceof ALOAD) { ALOAD loadInst = (ALOAD)nextInst; loadedStackValue = loadInst.getIndex(); } if (nextInst instanceof INVOKEVIRTUAL && loadedStackValue == objectStackLocation) { INVOKEVIRTUAL invoke = (INVOKEVIRTUAL) nextInst; String methodNameWithSignature = invoke.getClassName(cpg) + "." + invoke.getMethodName(cpg); if (methodNameWithSignature.equals(invokeInstruction)) { Integer val = ByteCode.getConstantInt(handle.getPrev()); if (val != null && val == TRUE_INT_VALUE) { return new Location(handle, location.getBasicBlock()); } } } } return null; }
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException, DataflowAnalysisException { ConstantPoolGen cpg = classContext.getConstantPoolGen(); CFG cfg = classContext.getCFG(m); for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location location = i.next(); Instruction inst = location.getHandle().getInstruction(); if (inst instanceof INVOKEINTERFACE) { INVOKEINTERFACE invoke = (INVOKEINTERFACE) inst; String methodName = invoke.getMethodName(cpg); String className = invoke.getClassName(cpg); if (className.equals("javax.servlet.http.HttpServletResponse") && (methodName.equals("addHeader") || methodName.equals("setHeader"))) { LDC ldc = ByteCode.getPrevInstruction(location.getHandle().getPrev(), LDC.class); if (ldc != null) { String headerValue = ByteCode.getConstantLDC(location.getHandle().getPrev(), cpg, String.class); if ("Access-Control-Allow-Origin".equalsIgnoreCase((String)ldc.getValue(cpg)) && (headerValue.contains("*") || "null".equalsIgnoreCase(headerValue))) { JavaClass clz = classContext.getJavaClass(); bugReporter.reportBug(new BugInstance(this, PERMISSIVE_CORS, Priorities.HIGH_PRIORITY) .addClass(clz) .addMethod(clz, m) .addSourceLine(classContext, m, location)); } } } } } }
private void analyzeMethod(Method m, ClassContext classContext) throws CFGBuilderException, DataflowAnalysisException { MethodGen methodGen = classContext.getMethodGen(m); ConstantPoolGen cpg = classContext.getConstantPoolGen(); CFG cfg = classContext.getCFG(m); if (methodGen == null || methodGen.getInstructionList() == null) { return; //No instruction .. nothing to do } for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location location = i.next(); Instruction inst = location.getHandle().getInstruction(); // if (inst instanceof InvokeInstruction) { // System.out.println(inst.getName()); InvokeInstruction invoke = (InvokeInstruction) inst; String className = invoke.getClassName(cpg); if ("java.io.ObjectInputStream".equals(className) || className.contains("InputStream") || InterfaceUtils.isSubtype(className, "java.io.ObjectInputStream")) { String methodName = invoke.getMethodName(cpg); if (OBJECT_INPUTSTREAM_READ_METHODS.contains(methodName)) { JavaClass clz = classContext.getJavaClass(); bugReporter.reportBug(new BugInstance(this, OBJECT_DESERIALIZATION_TYPE, HIGH_PRIORITY) // .addClass(clz).addMethod(clz, m).addSourceLine(classContext,m,location)); } } } } }
private Map<String, List<Location>> get_line_location(Method m, ClassContext classContext){ HashMap<String, List<Location>> all_line_location = new HashMap<>(); ConstantPoolGen cpg = classContext.getConstantPoolGen(); CFG cfg = null; try { cfg = classContext.getCFG(m); } catch (CFGBuilderException e) { e.printStackTrace(); return all_line_location; } for (Iterator<Location> i = cfg.locationIterator(); i.hasNext(); ) { Location loc = i.next(); Instruction inst = loc.getHandle().getInstruction(); if(inst instanceof INVOKEVIRTUAL) { INVOKEVIRTUAL invoke = (INVOKEVIRTUAL) inst; // if (classname.equals(invoke.getClassName(cpg)) && // methodName.equals(invoke.getMethodName(cpg))) { if(all_line_location.containsKey(invoke.getMethodName(cpg))){ all_line_location.get(invoke.getMethodName(cpg)).add(loc); }else { LinkedList<Location> loc_list = new LinkedList<>(); loc_list.add(loc); all_line_location.put(invoke.getMethodName(cpg), loc_list); } // } } } return all_line_location; }
