Package edu.umd.cs.findbugs.detect

Class CrossSiteScripting

java.lang.Object

edu.umd.cs.findbugs.visitclass.BetterVisitor

edu.umd.cs.findbugs.visitclass.PreorderVisitor

edu.umd.cs.findbugs.visitclass.AnnotationVisitor

edu.umd.cs.findbugs.visitclass.DismantleBytecode

edu.umd.cs.findbugs.BytecodeScanningDetector

edu.umd.cs.findbugs.bcel.OpcodeStackDetector

edu.umd.cs.findbugs.detect.CrossSiteScripting

All Implemented Interfaces:

Detector, Priorities, org.apache.bcel.classfile.Visitor

public class CrossSiteScripting
extends OpcodeStackDetector

Nested Class Summary

Nested classes/interfaces inherited from class edu.umd.cs.findbugs.bcel.OpcodeStackDetector

OpcodeStackDetector.WithCustomJumpInfo

Field Summary

Fields

Modifier and Type	Field	Description
(package private) BugAccumulator	accumulator
private java.util.Map<MethodDescriptor,int[]>	allFileNameStringMethods
(package private) BugReporter	bugReporter
(package private) boolean	isPlainText
(package private) java.util.Map<java.lang.String,OpcodeStack.Item>	map
(package private) OpcodeStack.Item	replaceTop
(package private) OpcodeStack.Item	top
(package private) java.util.regex.Pattern	xmlSafe

Fields inherited from class edu.umd.cs.findbugs.bcel.OpcodeStackDetector

stack

Fields inherited from class edu.umd.cs.findbugs.visitclass.DismantleBytecode

codeBytes, lineNumberTable, M_BR, M_CP, M_INT, M_PAD, M_R, M_UINT

Fields inherited from interface edu.umd.cs.findbugs.Priorities

EXP_PRIORITY, HIGH_PRIORITY, IGNORE_PRIORITY, LOW_PRIORITY, NORMAL_PRIORITY

Constructor Summary

Constructors

Constructor	Description
CrossSiteScripting(BugReporter bugReporter)

Method Summary

Modifier and Type	Method	Description
private void	annotateAndReport(BugInstance bug, OpcodeStack.Item item)
private boolean	isTainted(OpcodeStack.Item writing)
void	sawOpcode(int seen)	By default, this method will not be called when stack is TOP.
private int	taintPriority(OpcodeStack.Item writing)
void	visit(org.apache.bcel.classfile.Code code)

Methods inherited from class edu.umd.cs.findbugs.bcel.OpcodeStackDetector

afterOpcode, beforeOpcode, getStack, isUsingCustomUserValue, visitCode

Methods inherited from class edu.umd.cs.findbugs.BytecodeScanningDetector

getClassContext, report, shouldVisitCode, visitClassContext

Methods inherited from class edu.umd.cs.findbugs.visitclass.DismantleBytecode

areOppositeBranches, atCatchBlock, getBranchFallThrough, getBranchOffset, getBranchTarget, getClassConstantOperand, getClassDescriptorOperand, getCodeByte, getConstantRefOperand, getDefaultSwitchOffset, getDottedClassConstantOperand, getFieldDescriptorOperand, getIntConstant, getLongConstant, getMaxPC, getMethodDescriptorOperand, getNameConstantOperand, getNextCodeByte, getNextOpcode, getNextPC, getOpcode, getPC, getPrevOpcode, getRefConstantOperand, getRefFieldIsStatic, getRegisterOperand, getSigConstantOperand, getStringConstantOperand, getSwitchLabels, getSwitchOffsets, getXClassOperand, getXFieldOperand, getXMethodOperand, isBranch, isMethodCall, isRegisterLoad, isRegisterStore, isRegisterStore, isReturn, isShift, isSwitch, isWideOpcode, printOpCode, sawBranchTo, sawClass, sawDouble, sawField, sawFloat, sawIMethod, sawInt, sawLong, sawMethod, sawRegister, sawString

Methods inherited from class edu.umd.cs.findbugs.visitclass.AnnotationVisitor

getAnnotationParameterAsEnum, getAnnotationParameterAsString, getAnnotationParameterAsStringArray, visitAnnotation, visitAnnotation, visitParameterAnnotation, visitParameterAnnotation, visitSyntheticParameterAnnotation

Methods inherited from class edu.umd.cs.findbugs.visitclass.PreorderVisitor

amVisitingMainMethod, asUnsignedByte, doVisitMethod, getClassDescriptor, getClassName, getCode, getConstantPool, getDottedClassName, getDottedFieldSig, getDottedMethodSig, getDottedSuperclassName, getField, getFieldDescriptor, getFieldIsStatic, getFieldName, getFieldSig, getFullyQualifiedFieldName, getFullyQualifiedMethodName, getMethod, getMethodDescriptor, getMethodName, getMethodSig, getMethodVisitOrder, getNumberArguments, getNumberMethodArguments, getPackageName, getSizeOfSurroundingTryBlock, getSizeOfSurroundingTryBlock, getSourceFile, getStringFromIndex, getSuperclassName, getSurroundingCaughtExceptions, getSurroundingCaughtExceptions, getSurroundingCaughtExceptionTypes, getSurroundingTryBlock, getSurroundingTryBlock, getThisClass, getXClass, getXField, getXMethod, hasInterestingClass, hasInterestingMethod, isVisitMethodsInCallOrder, setupVisitorForClass, setVisitMethodsInCallOrder, shouldVisit, toString, visitAfter, visitAfter, visitAnnotationDefault, visitAnnotationEntry, visitBootstrapMethods, visitConstantInvokeDynamic, visitConstantMethodHandle, visitConstantMethodType, visitConstantModule, visitConstantPackage, visitConstantPool, visitEnclosingMethod, visitingField, visitingMethod, visitInnerClasses, visitJavaClass, visitLineNumberTable, visitLocalVariableTable, visitMethodParameters, visitParameterAnnotationEntry, visitStackMap, visitStackMapEntry

Methods inherited from class edu.umd.cs.findbugs.visitclass.BetterVisitor

clone, report, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visitCodeException, visitConstantClass, visitConstantDouble, visitConstantFieldref, visitConstantFloat, visitConstantInteger, visitConstantInterfaceMethodref, visitConstantLong, visitConstantMethodref, visitConstantNameAndType, visitConstantString, visitConstantUtf8, visitConstantValue, visitDeprecated, visitExceptionTable, visitField, visitInnerClass, visitLineNumber, visitLocalVariable, visitLocalVariableTypeTable, visitMethod, visitSignature, visitSourceFile, visitSynthetic, visitUnknown

Methods inherited from class java.lang.Object

equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.apache.bcel.classfile.Visitor

visitConstantDynamic, visitMethodParameter, visitModule, visitModuleExports, visitModuleMainClass, visitModuleOpens, visitModulePackages, visitModuleProvides, visitModuleRequires, visitNestHost, visitNestMembers, visitRecord, visitRecordComponent, visitStackMapType

Field Detail

bugReporter

final BugReporter bugReporter

accumulator

final BugAccumulator accumulator

allFileNameStringMethods

private final java.util.Map<MethodDescriptor,int[]> allFileNameStringMethods

map

java.util.Map<java.lang.String,OpcodeStack.Item> map

top

OpcodeStack.Item top

xmlSafe

java.util.regex.Pattern xmlSafe

replaceTop

OpcodeStack.Item replaceTop

isPlainText

boolean isPlainText

Constructor Detail

CrossSiteScripting

public CrossSiteScripting(BugReporter bugReporter)

Method Detail

visit

public void visit(org.apache.bcel.classfile.Code code)

Overrides:

visit in class DismantleBytecode

annotateAndReport

private void annotateAndReport(BugInstance bug,
                               OpcodeStack.Item item)

sawOpcode

public void sawOpcode(int seen)

Description copied from class: OpcodeStackDetector

By default, this method will not be called when stack is TOP. To change this behavior, override #beforeOpcode(int) and change to return true even if stack is TOP.

see Using FindBugs for Research to learn lattice and what TOP means.

Specified by:

sawOpcode in class OpcodeStackDetector

See Also:

OpcodeStackDetector.beforeOpcode(int)

isTainted

private boolean isTainted(OpcodeStack.Item writing)

taintPriority

private int taintPriority(OpcodeStack.Item writing)