Beispiel #1
0
 protected function resolveFuncResultTaint(FuncCall $exp)
 {
     $args = $exp->args;
     if (Sinks::isSinkFunction($exp)) {
         $argTaints = $this->getArgumentsTaintValuesForAnalysis($args);
         $this->sinkNodes[$exp->getLine()] = new FunctionSinkNode($exp, $argTaints);
         return;
     }
     $result = parent::resolveFuncResultTaint($exp);
     foreach ($args as $arg) {
         $argExpName = $arg->value->name;
         $this->addAffectingParameterToAnalysisResult($result, $argExpName);
     }
     return $result;
 }
Beispiel #2
0
 protected function isVulnerabilitySink(FuncCall $funcCall)
 {
     return Sinks::isCodeInjectionSinkFunction($funcCall);
 }
Beispiel #3
0
 protected function resolveFuncResultTaint(Expr\FuncCall $exp)
 {
     if (InputSources::isInputReadFuncCall($exp)) {
         return $this->createTaintResult(Annotation::TAINTED);
     }
     $func_name = $exp->name;
     if ($func_name instanceof Expr) {
         //cannot evaluate the taint when the function's name is dynamically determined
         return $this->createTaintResult(Annotation::UNKNOWN);
     }
     $func_name_str = $func_name->getLast();
     if (SanitisingFunctions::isSanitisingFunction($func_name_str)) {
         return $this->resolveSanitisationFuncCall($exp);
     } else {
         if (Sinks::isSinkFunction($exp) && !empty($this->vulnerabilityReporter)) {
             $args_with_taints = $this->getArgumentsTaintValuesForAnalysis($exp->args);
             $this->vulnerabilityReporter->runNodeVulnerabilityChecks($exp, $args_with_taints);
         } else {
             $func_analyser = FunctionAnalyser::getFunctionAnalyser($exp->environment, $func_name);
             $args_with_taints = $this->getArgumentsTaintValuesForAnalysis($exp->args);
             $analysis_res = $func_analyser->analyseFunctionCall($args_with_taints, $this->vulnerabilityReporter);
             return $analysis_res;
         }
     }
 }