Reporting location fix to source methods with tainted parameters.

Author: arktt

de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysis.java

@@ -21,6 +21,7 @@
 import boomerang.scene.AnalysisScope;
 import boomerang.scene.ControlFlowGraph.Edge;
 import boomerang.scene.Val;
+import boomerang.scene.jimple.JimpleStatement;
 import boomerang.scene.jimple.SootCallGraph;
 import boomerang.util.AccessPath;
 import de.fraunhofer.iem.secucheck.analysis.Analysis;
@@ -36,7 +37,9 @@
 import de.fraunhofer.iem.secucheck.analysis.result.TaintFlowQueryResult;
 import soot.Body;
 import soot.SootMethod;
+import soot.jimple.IdentityStmt;
 import soot.jimple.JimpleBody;
+import soot.jimple.ParameterRef;
 import soot.jimple.internal.JNopStmt;
 import wpds.impl.Weight;
 import wpds.impl.Weight.NoWeight;
@@ -211,11 +214,24 @@ private SameTypedPair<LocationDetails> getLocationDetailsPair(TaintFlowQueryImpl
 		startDetails.setSourceClassName(start.cfgEdge().getMethod().getDeclaringClass().getName());
 		startDetails.setMethodSignature(start.cfgEdge().getMethod().getSubSignature());
 
-		// TODO: Confirm that the destination is always Y.		
-		startDetails.setUsageStartLineNumber(start.cfgEdge().getY().getStartLineNumber());
-		startDetails.setUsageEndLineNumber(start.cfgEdge().getY().getEndLineNumber());
-		startDetails.setUsageStartColumnNumber(start.cfgEdge().getY().getStartColumnNumber());	
-		startDetails.setUsageEndColumnNumber(start.cfgEdge().getY().getEndColumnNumber());	
+		// When parameter is tainted.
+		// Left and Right Op() methods don't work for IdentityStmt inside JimpleStatement.
+		if (start.cfgEdge().getY().isIdentityStmt() && start.cfgEdge().getY() instanceof JimpleStatement) {
+			JimpleStatement jimpleStament = (JimpleStatement) start.cfgEdge().getY();
+			IdentityStmt identityStmt = (IdentityStmt)jimpleStament.getDelegate();
+			if (identityStmt.getRightOp() instanceof ParameterRef) {
+				SootMethod sootMethod = Utility.getSootMethod(start.cfgEdge().getY().getMethod());				
+				startDetails.setUsageStartLineNumber(sootMethod.getJavaSourceStartLineNumber());
+				startDetails.setUsageEndLineNumber(-1);
+				startDetails.setUsageStartColumnNumber(sootMethod.getJavaSourceStartColumnNumber());	
+				startDetails.setUsageEndColumnNumber(-1);
+			}
+		} else {
+			startDetails.setUsageStartLineNumber(start.cfgEdge().getY().getStartLineNumber());
+			startDetails.setUsageEndLineNumber(start.cfgEdge().getY().getEndLineNumber());
+			startDetails.setUsageStartColumnNumber(start.cfgEdge().getY().getStartColumnNumber());	
+			startDetails.setUsageEndColumnNumber(start.cfgEdge().getY().getEndColumnNumber());
+		}		
 
 		startDetails.setUsageMethodSignature(start.cfgEdge().getY().getMethod().getSubSignature());
 		startDetails.setUsageClassName(start.cfgEdge().getY().getMethod().getDeclaringClass().getName());
@@ -224,8 +240,7 @@ private SameTypedPair<LocationDetails> getLocationDetailsPair(TaintFlowQueryImpl
 		LocationDetails endDetails = new LocationDetails();
 		endDetails.setSourceClassName(end.cfgEdge().getMethod().getDeclaringClass().getName());
 		endDetails.setMethodSignature(end.cfgEdge().getMethod().getSubSignature());
-		
-		// TODO: Confirm that the destination is always Y.	
+			
 		endDetails.setUsageStartLineNumber(end.cfgEdge().getY().getStartLineNumber());
 		endDetails.setUsageEndLineNumber(end.cfgEdge().getY().getEndLineNumber());
 		endDetails.setUsageStartColumnNumber(end.cfgEdge().getY().getStartColumnNumber());

de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/SingleFlowAnalysisScope.java

@@ -88,7 +88,7 @@ private Collection<Val> generateSourceVariables(TaintFlowQuery partialFlow,
 			if (ToStringEquals(statement.getMethod(), sourceSootSignature) && 
 					statement.isIdentityStmt()) {	
 
-				// Left and Right Op() methods don't work for JimpleIdentityStmt.
+				// Left and Right Op() methods don't work for IdentityStmt inside JimpleStatement.
 				if (statement instanceof JimpleStatement) {
 
 					JimpleStatement jimpleStament = (JimpleStatement) statement;

de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/Utility.java

@@ -4,9 +4,9 @@
 import java.util.ArrayList;
 import java.util.List;
 
+import boomerang.scene.WrappedClass;
 import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQuery;
 import de.fraunhofer.iem.secucheck.analysis.query.Method;
-import de.fraunhofer.iem.secucheck.analysis.query.MethodImpl;
 import de.fraunhofer.iem.secucheck.analysis.query.TaintFlowQuery;
 import soot.Scene;
 import soot.SootClass;
@@ -15,16 +15,16 @@
 
 class Utility {
 
-	static List<Method> getMethods(CompositeTaintFlowQuery flowQuery) {
-		List<Method> methods = new ArrayList<Method>();
+	static List<de.fraunhofer.iem.secucheck.analysis.query.Method> getMethods(CompositeTaintFlowQuery flowQuery) {
+		List<de.fraunhofer.iem.secucheck.analysis.query.Method> methods = new ArrayList<>();
 		for (TaintFlowQuery singleFlow: flowQuery.getTaintFlowQueries()) {
 			methods.addAll(getMethods(singleFlow));
 		}
 		return methods;
 	}
 
-	static List<Method> getMethods(TaintFlowQuery flowQuery) {
-		List<Method> methods = new ArrayList<Method>();
+	static List<de.fraunhofer.iem.secucheck.analysis.query.Method> getMethods(TaintFlowQuery flowQuery) {
+		List<de.fraunhofer.iem.secucheck.analysis.query.Method> methods = new ArrayList<>();
 		flowQuery.getFrom().forEach(y -> methods.add((Method)y));
 		flowQuery.getTo().forEach(y -> methods.add((Method)y));
 
@@ -37,7 +37,13 @@ static List<Method> getMethods(TaintFlowQuery flowQuery) {
 		return methods;
 	}
 
-	static SootMethod getSootMethod(Method method) {
+	static SootMethod getSootMethod(boomerang.scene.Method method) {
+		WrappedClass wrappedClass = method.getDeclaringClass();
+		SootClass clazz = (SootClass) wrappedClass.getDelegate();
+		return clazz.getMethod(method.getSubSignature());
+	}
+	
+	static SootMethod getSootMethod(de.fraunhofer.iem.secucheck.analysis.query.Method method) {
 		String[] signatures = method.getSignature().split(":");
 		SootClass sootClass = Scene.v().forceResolve(signatures[0], SootClass.BODIES);
 		if (sootClass != null && signatures.length >= 2) {
@@ -48,7 +54,7 @@ static SootMethod getSootMethod(Method method) {
 
 	static SootMethod findSourceMethodDefinition(TaintFlowQuery partialFlow, 
 			SootMethod method, Stmt actualStatement) {
-		for (Method sourceMethod : partialFlow.getFrom()) {
+		for (de.fraunhofer.iem.secucheck.analysis.query.Method sourceMethod : partialFlow.getFrom()) {
 			String sourceSootSignature = "<" + sourceMethod.getSignature() + ">";
 			if (method.getSignature().equals(sourceSootSignature)) {
 				return method;
@@ -62,7 +68,7 @@ static SootMethod findSourceMethodDefinition(TaintFlowQuery partialFlow,
 
 	static SootMethod findSinkMethodDefinition(TaintFlowQuery partialFlow,
 			SootMethod method, Stmt actualStatement) {
-		for (Method sinkMethod : partialFlow.getTo()) {
+		for (de.fraunhofer.iem.secucheck.analysis.query.Method sinkMethod : partialFlow.getTo()) {
 			String sinkSootSignature = "<" + sinkMethod.getSignature() + ">";
 			if (actualStatement.containsInvokeExpr() &&
 					actualStatement.toString().contains(sinkSootSignature)) {