Esempio n. 1
0
  // Resolve the name of include/require files.
  // The resolution can be a normal path or a concatenation of parts of the path (inclusive vars)
  public String resolveVarInclude(Scope scp, SymbolTable st) {
    Symbol sym;
    String ss, s, string_final = "";
    Scope scp_aux = scp;

    // verifica se o nome da var a resolver não se chama a si propria. $a = $var.$a
    // evita ciclo infinito, na resolucao.
    Boolean call_Itself = verifyCallItself(scp, scp.getScopeName());
    if (call_Itself == true) return string_final;

    for (Iterator<Symbol> it = scp_aux.getMembers().iterator(); it.hasNext(); ) {
      sym = it.next();
      if (sym.getRootScope() != null && sym.getAlfanumeric() == false) {
        scp_aux = (Scope) sym;
        try {
          ss = scp_aux.resolveVarInclude(scp_aux, st);
          string_final = string_final + ss;
        } catch (Exception e) {
        }
      } else {
        if (sym.getAlfanumeric() == true) {
          ss = sym.getName();
          if (ss.startsWith("\"") || ss.startsWith("\'")) ss = ss.substring(1, ss.length() - 1);
        }

        Boolean found = false;
        ss = sym.getName();
        for (Iterator<Symbol> it1 = st.getMembers().iterator(); it1.hasNext(); ) {
          sym = it1.next();
          s = sym.getName();
          if (s.equals(ss) == true) {
            int i = st.getMembers().indexOf(sym);
            scp_aux = (Scope) st.getMembers().get(i);
            try {
              ss = scp_aux.resolveVarInclude(scp_aux, st);
            } catch (Exception e) {
            }
            found = true;
            break;
          }
        }
        string_final = string_final + ss;
      }
    }

    try {
      // remover ' ou " do path do file
      String AA[];
      AA = string_final.split("\"");
      if (AA[0].equals(string_final)) AA = string_final.split("\'");

      String sss = "";
      for (int i = 0; i < AA.length; i++) {
        sss = sss + AA[i];
      }

      if (sss.isEmpty() == false) string_final = sss;
      // fim remover
    } catch (Exception e) {
    }
    return string_final;
  }
Esempio n. 2
0
  /*
   * Move include file symbolTable from mst to mift
   */
  public void mvIncludeFiles(List fileList) throws IOException {
    for (Iterator<String> it1 = this.getIncludeFiles().iterator(); it1.hasNext(); ) {
      String s = it1.next();
      if (GlobalDataApp.args_flags[3] == 1) {
        if (GlobalDataSqli.MainSymbolTable.containsKey(s) == true) {
          GlobalDataSqli.MainIncludeFilesTable.put(
              s, (SymbolTable) GlobalDataSqli.MainSymbolTable.get(s));
          GlobalDataSqli.MainSymbolTable.remove(s);
        } else {
          if (GlobalDataSqli.MainIncludeFilesTable.containsKey(s) == false) {
            try {
              // file include do not exists in mst and mift
              // Create AST
              buildAST ast = new buildAST(s, 0);
              CommonTreeNodeStream nodes = ast.getNodes();

              // build walker tree to SQLI
              buildWalkerTree_sqli sqli =
                  new buildWalkerTree_sqli(
                      nodes,
                      s,
                      GlobalDataSqli.MainSymbolTable,
                      GlobalDataSqli.MainIncludeFilesTable,
                      GlobalDataSqli.MainFunctionsTable,
                      GlobalDataSqli.MainFunctionsTaintedTable,
                      GlobalDataSqli.MainTaintedTable,
                      GlobalDataSqli.mus,
                      GlobalDataSqli.MainLinesToCorrect,
                      GlobalDataSqli.MainClassesTable,
                      GlobalDataSqli.MainInstancesTable,
                      fileList);

              GlobalDataSqli.MainIncludeFilesTable.put(
                  s, (SymbolTable) GlobalDataSqli.MainSymbolTable.get(s));
              GlobalDataSqli.MainSymbolTable.remove(s);
            } catch (RecognitionException ex) {
              Logger.getLogger(SymbolTable.class.getName()).log(Level.SEVERE, null, ex);
            }
          }
        }

        SymbolTable st_aux = GlobalDataSqli.MainIncludeFilesTable.get(s);
        if (st_aux.getIncludeFiles().isEmpty() == false) {
          st_aux.mvIncludeFiles(fileList);
        }
      }

      if (GlobalDataApp.args_flags[6] == 1) {
        if (GlobalDataCodeInj.MainSymbolTable.containsKey(s) == true) {
          GlobalDataCodeInj.MainIncludeFilesTable.put(
              s, (SymbolTable) GlobalDataCodeInj.MainSymbolTable.get(s));
          GlobalDataCodeInj.MainSymbolTable.remove(s);
        } else {
          if (GlobalDataCodeInj.MainIncludeFilesTable.containsKey(s) == false) {
            // file include do not exists in mst and mift
            // Create AST
            buildAST ast = new buildAST(s, 0);
            CommonTreeNodeStream nodes = ast.getNodes();

            // build walker tree to SQLI
            buildWalkerTree_CodeInj ci =
                new buildWalkerTree_CodeInj(
                    nodes,
                    s,
                    GlobalDataCodeInj.MainSymbolTable,
                    GlobalDataCodeInj.MainIncludeFilesTable,
                    GlobalDataCodeInj.MainFunctionsTable,
                    GlobalDataCodeInj.MainFunctionsTaintedTable,
                    GlobalDataCodeInj.MainTaintedTable,
                    GlobalDataCodeInj.mus,
                    GlobalDataCodeInj.MainLinesToCorrect,
                    GlobalDataCodeInj.MainClassesTable,
                    GlobalDataCodeInj.MainInstancesTable,
                    fileList);

            GlobalDataCodeInj.MainIncludeFilesTable.put(
                s, (SymbolTable) GlobalDataCodeInj.MainSymbolTable.get(s));
            GlobalDataCodeInj.MainSymbolTable.remove(s);
          }
        }

        SymbolTable st_aux = GlobalDataCodeInj.MainIncludeFilesTable.get(s);
        if (st_aux.getIncludeFiles().isEmpty() == false) {
          st_aux.mvIncludeFiles(fileList);
        }
      }

      if (GlobalDataApp.args_flags[7] == 1) {
        if (GlobalDataXSS.MainSymbolTable.containsKey(s) == true) {
          GlobalDataXSS.MainIncludeFilesTable.put(
              s, (SymbolTable) GlobalDataXSS.MainSymbolTable.get(s));
          GlobalDataXSS.MainSymbolTable.remove(s);
        } else {
          if (GlobalDataXSS.MainIncludeFilesTable.containsKey(s) == false) {
            // file include do not exists in mst and mift
            // Create AST
            buildAST ast = new buildAST(s, 0);
            CommonTreeNodeStream nodes = ast.getNodes();

            // build walker tree to SQLI
            buildWalkerTree_XSS xss =
                new buildWalkerTree_XSS(
                    nodes,
                    s,
                    GlobalDataXSS.MainSymbolTable,
                    GlobalDataXSS.MainIncludeFilesTable,
                    GlobalDataXSS.MainFunctionsTable,
                    GlobalDataXSS.MainFunctionsTaintedTable,
                    GlobalDataXSS.MainTaintedTable,
                    GlobalDataXSS.mus,
                    GlobalDataXSS.MainLinesToCorrect,
                    GlobalDataXSS.MainClassesTable,
                    GlobalDataXSS.MainInstancesTable,
                    fileList);

            GlobalDataXSS.MainIncludeFilesTable.put(
                s, (SymbolTable) GlobalDataXSS.MainSymbolTable.get(s));
            GlobalDataXSS.MainSymbolTable.remove(s);
          }
        }

        SymbolTable st_aux = GlobalDataXSS.MainIncludeFilesTable.get(s);
        if (st_aux.getIncludeFiles().isEmpty() == false) {
          st_aux.mvIncludeFiles(fileList);
        }
      }
    }
  }
  public static void outputAnalysis(
      String type_analyse, FileWriter outFile, String diff_date_ldapi, List files)
      throws IOException {
    int vuu = 0, fpp = 0;
    Integer j;
    for (Iterator<Integer> it = GlobalDataLDAPi.MainNumVul.values().iterator(); it.hasNext(); ) {
      j = it.next();
      vuu += j;
    }

    for (Iterator<Integer> it = GlobalDataLDAPi.MainNumFP.values().iterator(); it.hasNext(); ) {
      j = it.next();
      fpp += j;
    }

    String setPlainText = "";
    String setBoldText = "";
    if (GlobalDataApp.isWindows.booleanValue() == false) {
      setPlainText = "\033[0;0m";
      setBoldText = "\033[0;1m";
    }

    System.out.println(setBoldText + "\n\n  + Type of Analysis: LDAPI");
    System.out.println("     > Summary:" + setPlainText);

    if (GlobalDataApp.args_flags[4] == 1) {
      outFile.write("\n\n  + Type of Analysis: LDAPI\n");
      outFile.write("     > Summary:\n");
    }

    if (vuu + fpp > 0) {
      System.out.println("        - Time of analysis: " + diff_date_ldapi);
      System.out.println(
          "        - Number of vulnerabilities detected: "
              + setBoldText
              + (vuu + fpp)
              + setPlainText);
      System.out.println("           - Real vulnerabilities: " + setBoldText + vuu + setPlainText);
      System.out.println("           - False positives: " + setBoldText + fpp + setPlainText);
      System.out.println(
          "        - Number of vulnerable files: "
              + setBoldText
              + GlobalDataLDAPi.MainListVulners.size()
              + setPlainText);
      System.out.println("        - List of vulnerable files:");

      if (GlobalDataApp.args_flags[4] == 1) {
        outFile.write("        - Time of analysis: " + diff_date_ldapi + "\n");
        outFile.write("        - Number of vulnerabilities detected: " + (vuu + fpp) + "\n");
        outFile.write("           - Real vulnerabilities: " + vuu + "\n");
        outFile.write("           - False positives: " + fpp + "\n");
        outFile.write(
            "        - Number of vulnerable files: "
                + GlobalDataLDAPi.MainListVulners.size()
                + "\n");
        outFile.write("        - List of vulnerable files:\n");
      }

      for (Iterator<ListVulners> it = GlobalDataLDAPi.MainListVulners.values().iterator();
          it.hasNext(); ) {
        ListVulners lv = it.next();
        System.out.println("\t    " + lv.getFilename());

        if (GlobalDataApp.args_flags[4] == 1) {
          outFile.write("\t    " + lv.getFilename() + "\n");
        }
      }

      if (GlobalDataApp.args_flags[5] == 0) {
        // code needed for keyboard input
        BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
        String temp;
        System.out.println("\n\nPress enter to view vulnerabilities...");
        temp = br.readLine();
      }
    } else {
      System.out.println("        - Time of analysis: " + diff_date_ldapi);
      System.out.println(
          "        - Number of vulnerabilities detected: " + setBoldText + "none" + setPlainText);
      if (GlobalDataApp.args_flags[4] == 1) {
        outFile.write("        - Time of analysis: " + diff_date_ldapi + "\n");
        outFile.write("        - Number of vulnerabilities detected: none\n");
      }

      return;
    }

    ListVulners lv = null;
    for (Iterator<ListVulners> it = GlobalDataLDAPi.MainListVulners.values().iterator();
        it.hasNext(); ) {
      lv = it.next();
      if (GlobalDataApp.args_flags[5] == 0) {
        String file = lv.getFilename();
        ManageFiles ff = new ManageFiles(file);
        System.out.println(
            setBoldText
                + "\n> > > >  File: "
                + setPlainText
                + file
                + setBoldText
                + " < < < <"
                + setPlainText);
        System.out.println(setBoldText + "     > Information:" + setPlainText);
        System.out.println("        - Number of Lines of Code: " + ff.getNumberLinesFile());

        if (GlobalDataApp.args_flags[4] == 1) {
          outFile.write("\n> > > >  File: " + file + " < < < <\n");
          outFile.write("     > Information:\n");
          outFile.write("        - Number of Lines of Code: " + ff.getNumberLinesFile() + "\n");
        }

        // is a include file?
        if (GlobalDataLDAPi.MainIncludeFilesTable.containsKey(file) == true) {
          System.out.println("        - It is a include file: yes");

          if (GlobalDataApp.args_flags[4] == 1) {
            outFile.write("        - It is a include file: yes\n");
          }
        } else {
          System.out.println("        - It is a include file: no");

          if (GlobalDataApp.args_flags[4] == 1) {
            outFile.write("        - It is a include file: no\n");
          }
        }

        // list of included files from "regular" or include file
        SymbolTable st = null;
        if (GlobalDataLDAPi.MainSymbolTable.containsKey(file) == true)
          st = GlobalDataLDAPi.MainSymbolTable.get(file);
        else st = GlobalDataLDAPi.MainIncludeFilesTable.get(file);

        if (st.getIncludeFiles().isEmpty() == false) {
          System.out.println("        - Included files:");
          if (GlobalDataApp.args_flags[4] == 1) {
            outFile.write("        - Included files:\n");
          }

          for (int i = 0; i < st.getIncludeFiles().size(); i++) {
            System.out.println("\t    " + st.getIncludeFiles().get(i));

            if (GlobalDataApp.args_flags[4] == 1) {
              outFile.write("\t    " + st.getIncludeFiles().get(i) + "\n");
            }
          }
        } else {
          System.out.println("        - Included files: none");

          if (GlobalDataApp.args_flags[4] == 1) {
            outFile.write("        - Included files: none\n");
          }
        }

        // list of defined user functioms
        if (GlobalDataLDAPi.MainFunctionsTable.containsKey(file) == true) {
          MethodTable mt = GlobalDataLDAPi.MainFunctionsTable.get(file);
          System.out.println("        - Defined user functions:");
          if (GlobalDataApp.args_flags[4] == 1) {
            outFile.write("        - Defined user functions:\n");
          }

          for (Iterator<MethodSymbol> it1 = mt.getMembers().iterator(); it1.hasNext(); ) {
            MethodSymbol ms = it1.next();
            System.out.println("\t  " + ms.getFunctionName());
            if (GlobalDataApp.args_flags[4] == 1) {
              outFile.write("\t  " + ms.getFunctionName() + "\n");
            }
          }
        } else {
          System.out.println("        - Defined user function: none");
          if (GlobalDataApp.args_flags[4] == 1) {
            outFile.write("        - Defined user function: none\n");
          }
        }

        // list of vulnerabilities of file
        VulnerLDAPI v;
        vuu = lv.getListOfVulners().size();
        fpp = 0;
        for (Iterator<VulnerLDAPI> it1 = lv.getListOfVulners().iterator(); it1.hasNext(); ) {
          v = it1.next();
          if (v.IsFP() == 1) fpp++;
        }
        vuu -= fpp;

        System.out.println(
            "        - Number of Vulnerabilities detected: "
                + setBoldText
                + lv.getListOfVulners().size()
                + setPlainText);
        System.out.println(
            "           - Real Vulnerabilities: " + setBoldText + vuu + setPlainText);
        System.out.println("           - False positives: " + setBoldText + fpp + setPlainText);
        if (GlobalDataApp.args_flags[4] == 1) {
          outFile.write(
              "        - Number of Vulnerabilities detected: "
                  + lv.getListOfVulners().size()
                  + "\n");
          outFile.write("           - Real Vulnerabilities: " + vuu + "\n");
          outFile.write("           - False positives: " + fpp + "\n");
        }

        analysisOfFile(lv, outFile, file.toString());
        if (it.hasNext() && GlobalDataApp.args_flags[0] == 1) {
          // code needed for keyboard input
          BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
          String temp;
          System.out.println("\n\nPress enter to view vulnerabilities of next file...");
          temp = br.readLine();
        }
      }
    }

    // CORRECAO no file
    if (GlobalDataApp.args_flags[0] == 0) {
      // code needed for keyboard input
      BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
      String temp;

      System.out.println("\n\nPress enter to proceed automatic correction...");
      temp = br.readLine();

      try {
        LinesToCorrect ltc;
        int i = GlobalDataLDAPi.MainLinesToCorrect.size();
        for (Iterator<LinesToCorrect> it = GlobalDataLDAPi.MainLinesToCorrect.values().iterator();
            it.hasNext(); ) {
          ltc = it.next();
          OutputAnalysisLDAPi.outputAnalysisWithCorrection(type_analyse, ltc.getNameFile(), ltc, i);
          i--;
        }
      } catch (Exception e) {
      }

      System.out.println("\n\nAutomatic correction complete !!!");
      if (GlobalDataApp.args_flags[4] == 1) {
        outFile.write("\n\nAutomatic correction complete !!!\n");
      }
    }
  }