Class FindPotentialSecurityCheckBasedOnUntrustedSource

java.lang.Object

edu.umd.cs.findbugs.visitclass.BetterVisitor

edu.umd.cs.findbugs.visitclass.PreorderVisitor

edu.umd.cs.findbugs.visitclass.AnnotationVisitor

edu.umd.cs.findbugs.visitclass.DismantleBytecode

edu.umd.cs.findbugs.BytecodeScanningDetector

edu.umd.cs.findbugs.bcel.OpcodeStackDetector

edu.umd.cs.findbugs.detect.FindPotentialSecurityCheckBasedOnUntrustedSource

All Implemented Interfaces:

Detector, Priorities, org.apache.bcel.classfile.Visitor

public class FindPotentialSecurityCheckBasedOnUntrustedSource
extends OpcodeStackDetector

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
private static class	FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo
private static class	FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo
private static class	FindPotentialSecurityCheckBasedOnUntrustedSource.CallPair
private static class	FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaCallInfo
private static class	FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaInfo

Nested classes/interfaces inherited from class OpcodeStackDetector

OpcodeStackDetector.WithCustomJumpInfo

Field Summary

Fields

Modifier and Type	Field	Description
private final BugAccumulator	bugAccumulator
private FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaInfo	currentLambda
private boolean	isDoPrivileged
private boolean	isDoPrivilegedDeprecated
private boolean	isDoPrivilegedRun
private boolean	isLambdaCalledInDoPrivileged
private Map<org.apache.bcel.classfile.Method, FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaCallInfo>	lambdaCalledInDoPrivileged
private Map<OpcodeStack.Item, FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaInfo>	lambdaFunctions
private Map<XMethod, Set<FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo>>	methodsCalledInsidePrivilegedAction
private static final Pattern	NESTED_CLASS_VARIABLE_NAME_PATTERN
private Map<XMethod, Set<FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo>>	nonFinalMethodsCalledOnParam
private Stack<String>	parameterNameStack

Fields inherited from class OpcodeStackDetector

stack

Fields inherited from class DismantleBytecode

codeBytes, lineNumberTable, M_BR, M_CP, M_INT, M_PAD, M_R, M_UINT

Fields inherited from interface Priorities

EXP_PRIORITY, HIGH_PRIORITY, IGNORE_PRIORITY, LOW_PRIORITY, NORMAL_PRIORITY

Constructor Summary

Constructors

Constructor	Description
FindPotentialSecurityCheckBasedOnUntrustedSource(BugReporter bugReporter)

Method Summary

Modifier and Type	Method	Description
private void	addToMethodsCalledInsidePrivilegedAction(XMethod calledMethod, OpcodeStack.Item object)
private void	addToNonFinalMethodsCalledOnParam(ClassDescriptor calledClass, XMethod calledMethod, OpcodeStack.Item object)
void	afterOpcode(int seen)	Note that stack might be TOP when this method is called.
private FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo	getCalledInside(OpcodeStack.Item action, FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo calleeInfo)
private String[]	getParamNames()
private boolean	isLambdaNestingMethodLocalVariable(OpcodeStack.Item object, FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaCallInfo lambdaCall)
private boolean	isNestingMethodLocalVariable(OpcodeStack.Item object)
private boolean	isTheSame(FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo inside, FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo outside, OpcodeStack.Item action)
private FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo	lookForCalledOutside(org.apache.bcel.classfile.JavaClass callerClass, XMethod callerMethod, XClass calledClass, XMethod calledMethod, String argumentName)
private FindPotentialSecurityCheckBasedOnUntrustedSource.CallPair	lookForCalledOutsideAndInside(OpcodeStack.Item action)
private void	reportBug(FindPotentialSecurityCheckBasedOnUntrustedSource.CallPair callPair)
private void	reportBug(org.apache.bcel.classfile.JavaClass cls, XMethod method, SourceLineAnnotation srcLine, FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo calleInfo, SourceLineAnnotation insideSrcLine)
void	sawOpcode(int seen)	By default, this method will not be called when stack is TOP.
void	visit(org.apache.bcel.classfile.Code obj)
void	visit(org.apache.bcel.classfile.JavaClass obj)
void	visit(org.apache.bcel.classfile.Method obj)
void	visitAfter(org.apache.bcel.classfile.JavaClass obj)

Methods inherited from class OpcodeStackDetector

beforeOpcode, getStack, isUsingCustomUserValue, visitCode

Methods inherited from class BytecodeScanningDetector

getClassContext, report, shouldVisitCode, visitClassContext

Methods inherited from class DismantleBytecode

areOppositeBranches, atCatchBlock, getBranchFallThrough, getBranchOffset, getBranchTarget, getClassConstantOperand, getClassDescriptorOperand, getCodeByte, getConstantRefOperand, getDefaultSwitchOffset, getDottedClassConstantOperand, getFieldDescriptorOperand, getIntConstant, getLongConstant, getMaxPC, getMethodDescriptorOperand, getNameConstantOperand, getNextCodeByte, getNextOpcode, getNextPC, getOpcode, getPC, getPrevOpcode, getRefConstantOperand, getRefFieldIsStatic, getRegisterOperand, getSigConstantOperand, getStringConstantOperand, getSwitchLabels, getSwitchOffsets, getXClassOperand, getXFieldOperand, getXMethodOperand, isBranch, isMethodCall, isRegisterLoad, isRegisterStore, isRegisterStore, isReturn, isShift, isSwitch, isWideOpcode, printOpCode, sawBranchTo, sawClass, sawDouble, sawField, sawFloat, sawIMethod, sawInt, sawLong, sawMethod, sawRegister, sawString

Methods inherited from class AnnotationVisitor

getAnnotationParameterAsEnum, getAnnotationParameterAsString, getAnnotationParameterAsStringArray, visitAnnotation, visitAnnotation, visitParameterAnnotation, visitParameterAnnotation, visitSyntheticParameterAnnotation

Methods inherited from class PreorderVisitor

amVisitingMainMethod, asUnsignedByte, doVisitMethod, getClassDescriptor, getClassName, getCode, getConstantPool, getDottedClassName, getDottedFieldSig, getDottedMethodSig, getDottedSuperclassName, getField, getFieldDescriptor, getFieldIsStatic, getFieldName, getFieldSig, getFullyQualifiedFieldName, getFullyQualifiedMethodName, getMethod, getMethodDescriptor, getMethodName, getMethodSig, getMethodVisitOrder, getNumberArguments, getNumberMethodArguments, getPackageName, getSizeOfSurroundingTryBlock, getSizeOfSurroundingTryBlock, getSourceFile, getStringFromIndex, getSuperclassName, getSurroundingCaughtExceptions, getSurroundingCaughtExceptions, getSurroundingCaughtExceptionTypes, getSurroundingTryBlock, getSurroundingTryBlock, getThisClass, getXClass, getXField, getXMethod, hasInterestingClass, hasInterestingMethod, isVisitMethodsInCallOrder, setupVisitorForClass, setVisitMethodsInCallOrder, shouldVisit, toString, visitAfter, visitAnnotationDefault, visitAnnotationEntry, visitBootstrapMethods, visitConstantInvokeDynamic, visitConstantMethodHandle, visitConstantMethodType, visitConstantModule, visitConstantPackage, visitConstantPool, visitEnclosingMethod, visitingField, visitingMethod, visitInnerClasses, visitJavaClass, visitLineNumberTable, visitLocalVariableTable, visitMethodParameters, visitParameterAnnotationEntry, visitStackMap, visitStackMapEntry

Methods inherited from class BetterVisitor

clone, report, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visitCodeException, visitConstantClass, visitConstantDouble, visitConstantFieldref, visitConstantFloat, visitConstantInteger, visitConstantInterfaceMethodref, visitConstantLong, visitConstantMethodref, visitConstantNameAndType, visitConstantString, visitConstantUtf8, visitConstantValue, visitDeprecated, visitExceptionTable, visitField, visitInnerClass, visitLineNumber, visitLocalVariable, visitLocalVariableTypeTable, visitMethod, visitSignature, visitSourceFile, visitSynthetic, visitUnknown

Methods inherited from class Object

equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.apache.bcel.classfile.Visitor

visitConstantDynamic, visitMethodParameter, visitModule, visitModuleExports, visitModuleMainClass, visitModuleOpens, visitModulePackages, visitModuleProvides, visitModuleRequires, visitNestHost, visitNestMembers, visitRecord, visitRecordComponent, visitStackMapType

Field Details

NESTED_CLASS_VARIABLE_NAME_PATTERN

private static final Pattern NESTED_CLASS_VARIABLE_NAME_PATTERN

nonFinalMethodsCalledOnParam

private Map<XMethod, Set<FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo>> nonFinalMethodsCalledOnParam

methodsCalledInsidePrivilegedAction

private Map<XMethod, Set<FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo>> methodsCalledInsidePrivilegedAction

lambdaFunctions

private Map<OpcodeStack.Item, FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaInfo> lambdaFunctions

lambdaCalledInDoPrivileged

private Map<org.apache.bcel.classfile.Method, FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaCallInfo> lambdaCalledInDoPrivileged

parameterNameStack

private Stack<String> parameterNameStack

currentLambda

private FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaInfo currentLambda

isDoPrivilegedDeprecated

private boolean isDoPrivilegedDeprecated

isDoPrivileged

private boolean isDoPrivileged

isDoPrivilegedRun

private boolean isDoPrivilegedRun

isLambdaCalledInDoPrivileged

private boolean isLambdaCalledInDoPrivileged

bugAccumulator

private final BugAccumulator bugAccumulator

Constructor Details

FindPotentialSecurityCheckBasedOnUntrustedSource

public FindPotentialSecurityCheckBasedOnUntrustedSource(BugReporter bugReporter)

Method Details

visit

public void visit(org.apache.bcel.classfile.JavaClass obj)

Overrides:

visit in class BetterVisitor

visit

public void visit(org.apache.bcel.classfile.Method obj)

Overrides:

visit in class BetterVisitor

visit

public void visit(org.apache.bcel.classfile.Code obj)

Overrides:

visit in class DismantleBytecode

visitAfter

public void visitAfter(org.apache.bcel.classfile.JavaClass obj)

Overrides:

visitAfter in class PreorderVisitor

sawOpcode

public void sawOpcode(int seen)

Description copied from class: OpcodeStackDetector

By default, this method will not be called when stack is TOP. To change this behavior, override #beforeOpcode(int) and change to return true even if stack is TOP.

see Using FindBugs for Research to learn lattice and what TOP means.

Specified by:

sawOpcode in class OpcodeStackDetector

See Also:

• OpcodeStackDetector.beforeOpcode(int)

getParamNames

private String[] getParamNames()

isNestingMethodLocalVariable

private boolean isNestingMethodLocalVariable(OpcodeStack.Item object)

isLambdaNestingMethodLocalVariable

private boolean isLambdaNestingMethodLocalVariable(OpcodeStack.Item object,
 FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaCallInfo lambdaCall)

addToMethodsCalledInsidePrivilegedAction

private void addToMethodsCalledInsidePrivilegedAction(XMethod calledMethod,
 OpcodeStack.Item object)

addToNonFinalMethodsCalledOnParam

private void addToNonFinalMethodsCalledOnParam(ClassDescriptor calledClass,
 XMethod calledMethod,
 OpcodeStack.Item object)

lookForCalledOutsideAndInside

private FindPotentialSecurityCheckBasedOnUntrustedSource.CallPair lookForCalledOutsideAndInside(OpcodeStack.Item action)

getCalledInside

private FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo getCalledInside(OpcodeStack.Item action,
 FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo calleeInfo)

lookForCalledOutside

private FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo lookForCalledOutside(org.apache.bcel.classfile.JavaClass callerClass,
 XMethod callerMethod,
 XClass calledClass,
 XMethod calledMethod,
 String argumentName)

isTheSame

private boolean isTheSame(FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo inside,
 FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo outside,
 OpcodeStack.Item action)

reportBug

private void reportBug(FindPotentialSecurityCheckBasedOnUntrustedSource.CallPair callPair)

reportBug

private void reportBug(org.apache.bcel.classfile.JavaClass cls,
 XMethod method,
 SourceLineAnnotation srcLine,
 FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo calleInfo,
 SourceLineAnnotation insideSrcLine)

afterOpcode

public void afterOpcode(int seen)

Description copied from class: OpcodeStackDetector

Note that stack might be TOP when this method is called.

Overrides:

afterOpcode in class OpcodeStackDetector

See Also:

• OpcodeStackDetector.sawOpcode(int)