// Resolve the name of include/require files. // The resolution can be a normal path or a concatenation of parts of the path (inclusive vars) public String resolveVarInclude(Scope scp, SymbolTable st) { Symbol sym; String ss, s, string_final = ""; Scope scp_aux = scp; // verifica se o nome da var a resolver não se chama a si propria. $a = $var.$a // evita ciclo infinito, na resolucao. Boolean call_Itself = verifyCallItself(scp, scp.getScopeName()); if (call_Itself == true) return string_final; for (Iterator<Symbol> it = scp_aux.getMembers().iterator(); it.hasNext(); ) { sym = it.next(); if (sym.getRootScope() != null && sym.getAlfanumeric() == false) { scp_aux = (Scope) sym; try { ss = scp_aux.resolveVarInclude(scp_aux, st); string_final = string_final + ss; } catch (Exception e) { } } else { if (sym.getAlfanumeric() == true) { ss = sym.getName(); if (ss.startsWith("\"") || ss.startsWith("\'")) ss = ss.substring(1, ss.length() - 1); } Boolean found = false; ss = sym.getName(); for (Iterator<Symbol> it1 = st.getMembers().iterator(); it1.hasNext(); ) { sym = it1.next(); s = sym.getName(); if (s.equals(ss) == true) { int i = st.getMembers().indexOf(sym); scp_aux = (Scope) st.getMembers().get(i); try { ss = scp_aux.resolveVarInclude(scp_aux, st); } catch (Exception e) { } found = true; break; } } string_final = string_final + ss; } } try { // remover ' ou " do path do file String AA[]; AA = string_final.split("\""); if (AA[0].equals(string_final)) AA = string_final.split("\'"); String sss = ""; for (int i = 0; i < AA.length; i++) { sss = sss + AA[i]; } if (sss.isEmpty() == false) string_final = sss; // fim remover } catch (Exception e) { } return string_final; }
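/*
 * Move include file symbolTable from mst to mift
 */
/**
 * Moves the symbol table of every file included by this one from the main symbol table
 * (mst) to the main include-files table (mift) of each enabled analysis (SQLI, CodeInj,
 * XSS). An include known to neither table is parsed and walked first. The includes of
 * each moved file are processed recursively.
 *
 * <p>Circular includes (a file that includes itself, directly or through other files)
 * previously recursed until {@code StackOverflowError}; each (analysis, file) pair is
 * now handled at most once per top-level call. An include whose table is missing after
 * the walk is skipped instead of dereferencing {@code null}.
 *
 * @param fileList file list handed to the walker constructors
 * @throws IOException propagated from AST construction
 */
public void mvIncludeFiles(List fileList) throws IOException {
    mvIncludeFiles(fileList, new java.util.HashSet<String>());
}

/**
 * Worker for {@link #mvIncludeFiles(List)}.
 *
 * @param visited "analysis:file" keys already moved during this traversal
 */
private void mvIncludeFiles(List fileList, java.util.Set<String> visited) throws IOException {
    for (Iterator<String> it1 = this.getIncludeFiles().iterator(); it1.hasNext(); ) {
        String s = it1.next();
        // args_flags[3], [6] and [7] enable the SQLI, CodeInj and XSS analyses respectively.
        if (GlobalDataApp.args_flags[3] == 1 && visited.add("sqli:" + s)) {
            descendInto(moveSqliInclude(s, fileList), fileList, visited);
        }
        if (GlobalDataApp.args_flags[6] == 1 && visited.add("codeinj:" + s)) {
            descendInto(moveCodeInjInclude(s, fileList), fileList, visited);
        }
        if (GlobalDataApp.args_flags[7] == 1 && visited.add("xss:" + s)) {
            descendInto(moveXssInclude(s, fileList), fileList, visited);
        }
    }
}

/** Recurses into the includes of {@code st}; {@code null} (file not registered by its walker) is skipped. */
private static void descendInto(SymbolTable st, List fileList, java.util.Set<String> visited)
        throws IOException {
    if (st != null && !st.getIncludeFiles().isEmpty()) {
        st.mvIncludeFiles(fileList, visited);
    }
}

/** SQLI tables: moves {@code s} from mst to mift (parsing it first if unknown) and returns its mift entry. */
private static SymbolTable moveSqliInclude(String s, List fileList) throws IOException {
    if (GlobalDataSqli.MainSymbolTable.containsKey(s)) {
        GlobalDataSqli.MainIncludeFilesTable.put(
                s, (SymbolTable) GlobalDataSqli.MainSymbolTable.get(s));
        GlobalDataSqli.MainSymbolTable.remove(s);
    } else if (!GlobalDataSqli.MainIncludeFilesTable.containsKey(s)) {
        try {
            // The include is in neither table: build its AST and run the SQLI walker,
            // which presumably registers the file in mst; then move it like a known file.
            buildAST ast = new buildAST(s, 0);
            CommonTreeNodeStream nodes = ast.getNodes();
            // Constructed for its side effects on the Global* tables; the instance is not used.
            new buildWalkerTree_sqli(
                    nodes,
                    s,
                    GlobalDataSqli.MainSymbolTable,
                    GlobalDataSqli.MainIncludeFilesTable,
                    GlobalDataSqli.MainFunctionsTable,
                    GlobalDataSqli.MainFunctionsTaintedTable,
                    GlobalDataSqli.MainTaintedTable,
                    GlobalDataSqli.mus,
                    GlobalDataSqli.MainLinesToCorrect,
                    GlobalDataSqli.MainClassesTable,
                    GlobalDataSqli.MainInstancesTable,
                    fileList);
            GlobalDataSqli.MainIncludeFilesTable.put(
                    s, (SymbolTable) GlobalDataSqli.MainSymbolTable.get(s));
            GlobalDataSqli.MainSymbolTable.remove(s);
        } catch (RecognitionException ex) {
            Logger.getLogger(SymbolTable.class.getName()).log(Level.SEVERE, null, ex);
        }
    }
    return GlobalDataSqli.MainIncludeFilesTable.get(s);
}

/** CodeInj tables: same contract as {@link #moveSqliInclude(String, List)}. */
private static SymbolTable moveCodeInjInclude(String s, List fileList) throws IOException {
    if (GlobalDataCodeInj.MainSymbolTable.containsKey(s)) {
        GlobalDataCodeInj.MainIncludeFilesTable.put(
                s, (SymbolTable) GlobalDataCodeInj.MainSymbolTable.get(s));
        GlobalDataCodeInj.MainSymbolTable.remove(s);
    } else if (!GlobalDataCodeInj.MainIncludeFilesTable.containsKey(s)) {
        // NOTE(review): unlike the SQLI branch there is no RecognitionException handling
        // here (kept as in the original) — confirm the CodeInj walker cannot throw it.
        buildAST ast = new buildAST(s, 0);
        CommonTreeNodeStream nodes = ast.getNodes();
        // Constructed for its side effects on the Global* tables; the instance is not used.
        new buildWalkerTree_CodeInj(
                nodes,
                s,
                GlobalDataCodeInj.MainSymbolTable,
                GlobalDataCodeInj.MainIncludeFilesTable,
                GlobalDataCodeInj.MainFunctionsTable,
                GlobalDataCodeInj.MainFunctionsTaintedTable,
                GlobalDataCodeInj.MainTaintedTable,
                GlobalDataCodeInj.mus,
                GlobalDataCodeInj.MainLinesToCorrect,
                GlobalDataCodeInj.MainClassesTable,
                GlobalDataCodeInj.MainInstancesTable,
                fileList);
        GlobalDataCodeInj.MainIncludeFilesTable.put(
                s, (SymbolTable) GlobalDataCodeInj.MainSymbolTable.get(s));
        GlobalDataCodeInj.MainSymbolTable.remove(s);
    }
    return GlobalDataCodeInj.MainIncludeFilesTable.get(s);
}

/** XSS tables: same contract as {@link #moveSqliInclude(String, List)}. */
private static SymbolTable moveXssInclude(String s, List fileList) throws IOException {
    if (GlobalDataXSS.MainSymbolTable.containsKey(s)) {
        GlobalDataXSS.MainIncludeFilesTable.put(
                s, (SymbolTable) GlobalDataXSS.MainSymbolTable.get(s));
        GlobalDataXSS.MainSymbolTable.remove(s);
    } else if (!GlobalDataXSS.MainIncludeFilesTable.containsKey(s)) {
        // NOTE(review): no RecognitionException handling here either (kept as in the
        // original) — confirm the XSS walker cannot throw it.
        buildAST ast = new buildAST(s, 0);
        CommonTreeNodeStream nodes = ast.getNodes();
        // Constructed for its side effects on the Global* tables; the instance is not used.
        new buildWalkerTree_XSS(
                nodes,
                s,
                GlobalDataXSS.MainSymbolTable,
                GlobalDataXSS.MainIncludeFilesTable,
                GlobalDataXSS.MainFunctionsTable,
                GlobalDataXSS.MainFunctionsTaintedTable,
                GlobalDataXSS.MainTaintedTable,
                GlobalDataXSS.mus,
                GlobalDataXSS.MainLinesToCorrect,
                GlobalDataXSS.MainClassesTable,
                GlobalDataXSS.MainInstancesTable,
                fileList);
        GlobalDataXSS.MainIncludeFilesTable.put(
                s, (SymbolTable) GlobalDataXSS.MainSymbolTable.get(s));
        GlobalDataXSS.MainSymbolTable.remove(s);
    }
    return GlobalDataXSS.MainIncludeFilesTable.get(s);
}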
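/**
 * Prints the LDAP-injection (LDAPI) analysis report to the console and, when
 * {@code GlobalDataApp.args_flags[4] == 1}, to {@code outFile}: a global summary, then
 * (when {@code args_flags[5] == 0}) one section per vulnerable file, then (when
 * {@code args_flags[0] == 0}) the automatic-correction pass. Returns right after the
 * summary when no vulnerabilities or false positives were counted.
 *
 * <p>Console lines may carry ANSI bold/plain escapes (not on Windows); report lines never
 * do. A failure during automatic correction is now reported instead of being silently
 * swallowed, so the report no longer claims completion after a failed rewrite.
 *
 * @param type_analyse analysis label forwarded to {@code outputAnalysisWithCorrection}
 * @param outFile report writer; only written to when {@code args_flags[4] == 1}
 * @param diff_date_ldapi elapsed-time text, printed verbatim
 * @param files not used by this method
 * @throws IOException from report writing or from the keyboard pauses
 */
public static void outputAnalysis(
        String type_analyse, FileWriter outFile, String diff_date_ldapi, List files)
        throws IOException {
    // Totals over all analysed files (per-file counts live in MainNumVul / MainNumFP).
    int vuu = 0;
    int fpp = 0;
    for (Iterator<Integer> it = GlobalDataLDAPi.MainNumVul.values().iterator(); it.hasNext(); ) {
        vuu += it.next();
    }
    for (Iterator<Integer> it = GlobalDataLDAPi.MainNumFP.values().iterator(); it.hasNext(); ) {
        fpp += it.next();
    }

    // ANSI escapes for the console only; the report file never receives them.
    String setPlainText = "";
    String setBoldText = "";
    if (!GlobalDataApp.isWindows.booleanValue()) {
        setPlainText = "\033[0;0m";
        setBoldText = "\033[0;1m";
    }

    printLine(outFile, setBoldText + "\n\n + Type of Analysis: LDAPI", "\n\n + Type of Analysis: LDAPI");
    printLine(outFile, " > Summary:" + setPlainText, " > Summary:");

    if (vuu + fpp <= 0) {
        printLine(outFile, " - Time of analysis: " + diff_date_ldapi);
        printLine(outFile,
                " - Number of vulnerabilities detected: " + setBoldText + "none" + setPlainText,
                " - Number of vulnerabilities detected: none");
        return;
    }

    int vulnerableFiles = GlobalDataLDAPi.MainListVulners.size();
    printLine(outFile, " - Time of analysis: " + diff_date_ldapi);
    printLine(outFile,
            " - Number of vulnerabilities detected: " + setBoldText + (vuu + fpp) + setPlainText,
            " - Number of vulnerabilities detected: " + (vuu + fpp));
    printLine(outFile,
            " - Real vulnerabilities: " + setBoldText + vuu + setPlainText,
            " - Real vulnerabilities: " + vuu);
    printLine(outFile,
            " - False positives: " + setBoldText + fpp + setPlainText,
            " - False positives: " + fpp);
    printLine(outFile,
            " - Number of vulnerable files: " + setBoldText + vulnerableFiles + setPlainText,
            " - Number of vulnerable files: " + vulnerableFiles);
    printLine(outFile, " - List of vulnerable files:");
    for (ListVulners lv : GlobalDataLDAPi.MainListVulners.values()) {
        printLine(outFile, "\t " + lv.getFilename());
    }
    if (GlobalDataApp.args_flags[5] == 0) {
        pauseForEnter("\n\nPress enter to view vulnerabilities...");
    }

    // Per-file detail; the iterator is kept because the pause below needs hasNext().
    for (Iterator<ListVulners> it = GlobalDataLDAPi.MainListVulners.values().iterator();
            it.hasNext(); ) {
        ListVulners lv = it.next();
        if (GlobalDataApp.args_flags[5] != 0) {
            continue;
        }
        String file = lv.getFilename();
        ManageFiles ff = new ManageFiles(file);
        printLine(outFile,
                setBoldText + "\n> > > > File: " + setPlainText + file + setBoldText + " < < < <" + setPlainText,
                "\n> > > > File: " + file + " < < < <");
        printLine(outFile, setBoldText + " > Information:" + setPlainText, " > Information:");
        printLine(outFile, " - Number of Lines of Code: " + ff.getNumberLinesFile());

        // is a include file?
        boolean isInclude = GlobalDataLDAPi.MainIncludeFilesTable.containsKey(file);
        printLine(outFile, " - It is a include file: " + (isInclude ? "yes" : "no"));

        // list of included files from "regular" or include file
        SymbolTable st = GlobalDataLDAPi.MainSymbolTable.containsKey(file)
                ? GlobalDataLDAPi.MainSymbolTable.get(file)
                : GlobalDataLDAPi.MainIncludeFilesTable.get(file);
        // A file missing from both tables (not expected) is reported as having no includes
        // instead of failing with a NullPointerException.
        if (st != null && !st.getIncludeFiles().isEmpty()) {
            printLine(outFile, " - Included files:");
            for (Object included : st.getIncludeFiles()) {
                printLine(outFile, "\t " + included);
            }
        } else {
            printLine(outFile, " - Included files: none");
        }

        // list of defined user functions
        if (GlobalDataLDAPi.MainFunctionsTable.containsKey(file)) {
            MethodTable mt = GlobalDataLDAPi.MainFunctionsTable.get(file);
            printLine(outFile, " - Defined user functions:");
            for (Iterator<MethodSymbol> it1 = mt.getMembers().iterator(); it1.hasNext(); ) {
                printLine(outFile, "\t " + it1.next().getFunctionName());
            }
        } else {
            printLine(outFile, " - Defined user function: none");
        }

        // list of vulnerabilities of file
        int detected = lv.getListOfVulners().size();
        int falsePositives = 0;
        for (Iterator<VulnerLDAPI> it1 = lv.getListOfVulners().iterator(); it1.hasNext(); ) {
            if (it1.next().IsFP() == 1) {
                falsePositives++;
            }
        }
        int real = detected - falsePositives;
        printLine(outFile,
                " - Number of Vulnerabilities detected: " + setBoldText + detected + setPlainText,
                " - Number of Vulnerabilities detected: " + detected);
        printLine(outFile,
                " - Real Vulnerabilities: " + setBoldText + real + setPlainText,
                " - Real Vulnerabilities: " + real);
        printLine(outFile,
                " - False positives: " + setBoldText + falsePositives + setPlainText,
                " - False positives: " + falsePositives);

        analysisOfFile(lv, outFile, file);

        if (it.hasNext() && GlobalDataApp.args_flags[0] == 1) {
            pauseForEnter("\n\nPress enter to view vulnerabilities of next file...");
        }
    }

    // Automatic correction of the flagged lines.
    if (GlobalDataApp.args_flags[0] == 0) {
        pauseForEnter("\n\nPress enter to proceed automatic correction...");
        boolean corrected = true;
        try {
            // The counter is passed down and decremented per file, as before.
            int i = GlobalDataLDAPi.MainLinesToCorrect.size();
            for (LinesToCorrect ltc : GlobalDataLDAPi.MainLinesToCorrect.values()) {
                OutputAnalysisLDAPi.outputAnalysisWithCorrection(
                        type_analyse, ltc.getNameFile(), ltc, i);
                i--;
            }
        } catch (Exception e) {
            // Previously swallowed, after which "complete" was still printed; a user would
            // then trust a file that was never rewritten. Report the failure instead.
            corrected = false;
            printLine(outFile, "\n\nAutomatic correction FAILED: " + e);
        }
        if (corrected) {
            printLine(outFile, "\n\nAutomatic correction complete !!!");
        }
    }
}

/**
 * Prints {@code consoleLine} to stdout and, when report output is enabled
 * ({@code args_flags[4] == 1}), appends {@code fileLine} plus a newline to {@code outFile}.
 */
private static void printLine(FileWriter outFile, String consoleLine, String fileLine)
        throws IOException {
    System.out.println(consoleLine);
    if (GlobalDataApp.args_flags[4] == 1) {
        outFile.write(fileLine + "\n");
    }
}

/** Same as {@link #printLine(FileWriter, String, String)} with identical console and report text. */
private static void printLine(FileWriter outFile, String line) throws IOException {
    printLine(outFile, line, line);
}

/**
 * Prints {@code prompt} and blocks until a line is read from stdin; the text is discarded.
 * The reader wraps System.in and is deliberately not closed (as before). NOTE(review): a
 * fresh BufferedReader per prompt may read ahead and drop buffered input — kept as in the
 * original.
 */
private static void pauseForEnter(String prompt) throws IOException {
    System.out.println(prompt);
    new BufferedReader(new InputStreamReader(System.in)).readLine();
}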