com.h3xstream.findsecbugs.injection

Class AbstractInjectionDetector

java.lang.Object

com.h3xstream.findsecbugs.injection.AbstractTaintDetector

com.h3xstream.findsecbugs.injection.AbstractInjectionDetector

All Implemented Interfaces:

edu.umd.cs.findbugs.Detector, edu.umd.cs.findbugs.Priorities

Direct Known Subclasses:

BasicInjectionDetector

public abstract class AbstractInjectionDetector
extends AbstractTaintDetector

Detector designed for extension to detect injection vulnerabilities

Author:

David Formanek (Y Soft Corporation, a.s.)

Field Summary

Fields

Modifier and Type	Field and Description
protected Map<String,Set<InjectionSink>>	injectionSinks

Fields inherited from class com.h3xstream.findsecbugs.injection.AbstractTaintDetector

bugReporter

Fields inherited from interface edu.umd.cs.findbugs.Priorities

EXP_PRIORITY, HIGH_PRIORITY, IGNORE_PRIORITY, LOW_PRIORITY, NORMAL_PRIORITY

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	AbstractInjectionDetector(edu.umd.cs.findbugs.BugReporter bugReporter)

Method Summary

Modifier and Type	Method and Description
protected void	analyzeLocation(edu.umd.cs.findbugs.ba.ClassContext classContext, org.apache.bcel.classfile.Method method, org.apache.bcel.generic.InstructionHandle handle, org.apache.bcel.generic.ConstantPoolGen cpg, org.apache.bcel.generic.InvokeInstruction invoke, TaintFrame fact, String currentMethod)
protected abstract InjectionPoint	getInjectionPoint(org.apache.bcel.generic.InvokeInstruction invoke, org.apache.bcel.generic.ConstantPoolGen cpg, org.apache.bcel.generic.InstructionHandle handle)
protected int	getPriority(Taint taint) The default implementation of getPriority() can be overridden if the severity and the confidence for risk is particular.
protected int	getPriorityFromTaintFrame(TaintFrame fact, int offset) The default implementation of getPriorityFromTaintFrame() can be overridden if the detector must base its priority on multiple parameters or special conditions like constant values.
void	report() Once the analysis is completed, all the collected sinks are reported as bugs.

Methods inherited from class com.h3xstream.findsecbugs.injection.AbstractTaintDetector

analyzeMethod, shouldAnalyzeClass, visitClassContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

injectionSinks

protected final Map<String,Set<InjectionSink>> injectionSinks

Constructor Detail

AbstractInjectionDetector

protected AbstractInjectionDetector(edu.umd.cs.findbugs.BugReporter bugReporter)

Method Detail

report

public void report()

Once the analysis is completed, all the collected sinks are reported as bugs.

Specified by:

report in interface edu.umd.cs.findbugs.Detector

Overrides:

report in class AbstractTaintDetector

analyzeLocation

protected void analyzeLocation(edu.umd.cs.findbugs.ba.ClassContext classContext,
                               org.apache.bcel.classfile.Method method,
                               org.apache.bcel.generic.InstructionHandle handle,
                               org.apache.bcel.generic.ConstantPoolGen cpg,
                               org.apache.bcel.generic.InvokeInstruction invoke,
                               TaintFrame fact,
                               String currentMethod)
                        throws edu.umd.cs.findbugs.ba.DataflowAnalysisException

Specified by:

analyzeLocation in class AbstractTaintDetector

Throws:

edu.umd.cs.findbugs.ba.DataflowAnalysisException

getPriorityFromTaintFrame

protected int getPriorityFromTaintFrame(TaintFrame fact,
                                        int offset)
                                 throws edu.umd.cs.findbugs.ba.DataflowAnalysisException

The default implementation of getPriorityFromTaintFrame() can be overridden if the detector must base its priority on multiple parameters or special conditions like constant values. By default, this method will call the getPriority() method with the parameter taint at the specified offset.

Parameters:

fact - The TaintFrame for the inspected instruction call.

offset - The offset of the checked parameter.

Returns:

Priorities interface values from 1 to 5 (Enum-like interface)

Throws:

edu.umd.cs.findbugs.ba.DataflowAnalysisException - An exception thrown when the TaintFrame cannot be analyzed.

getPriority

protected int getPriority(Taint taint)

The default implementation of getPriority() can be overridden if the severity and the confidence for risk is particular. By default, injection will be rated "High" if the complete link between source and sink is made. If it is not the case but concatenation with external source is made, "Medium" is used.

Parameters:

taint - Detail about the state of the value passed (Cumulative information leading to the variable passed).

Returns:

Priorities interface values from 1 to 5 (Enum-like interface)

getInjectionPoint

protected abstract InjectionPoint getInjectionPoint(org.apache.bcel.generic.InvokeInstruction invoke,
                                                    org.apache.bcel.generic.ConstantPoolGen cpg,
                                                    org.apache.bcel.generic.InstructionHandle handle)