Package edu.umd.cs.findbugs.detect
Class FindPotentialSecurityCheckBasedOnUntrustedSource
- java.lang.Object
  - edu.umd.cs.findbugs.visitclass.BetterVisitor
    - edu.umd.cs.findbugs.visitclass.PreorderVisitor
      - edu.umd.cs.findbugs.visitclass.AnnotationVisitor
        - edu.umd.cs.findbugs.visitclass.DismantleBytecode
          - edu.umd.cs.findbugs.BytecodeScanningDetector
            - edu.umd.cs.findbugs.bcel.OpcodeStackDetector
              - edu.umd.cs.findbugs.detect.FindPotentialSecurityCheckBasedOnUntrustedSource

All Implemented Interfaces:
Detector, Priorities, org.apache.bcel.classfile.Visitor

public class FindPotentialSecurityCheckBasedOnUntrustedSource extends OpcodeStackDetector

Nested Class Summary

Nested Classes:
- private static class FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo
- private static class FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo
- private static class FindPotentialSecurityCheckBasedOnUntrustedSource.CallPair
- private static class FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaCallInfo
- private static class FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaInfo

Nested classes/interfaces inherited from class edu.umd.cs.findbugs.bcel.OpcodeStackDetector
OpcodeStackDetector.WithCustomJumpInfo

Field Summary

Fields:
- private BugAccumulator bugAccumulator
- private FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaInfo currentLambda
- private boolean isDoPrivileged
- private boolean isDoPrivilegedRun
- private boolean isLambdaCalledInDoPrivileged
- private java.util.Map<org.apache.bcel.classfile.Method,FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaCallInfo> lambdaCalledInDoPrivileged
- private java.util.Map<OpcodeStack.Item,FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaInfo> lambdaFunctions
- private java.util.Map<XMethod,java.util.Set<FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo>> methodsCalledInsidePrivilegedAction
- private static java.util.regex.Pattern NESTED_CLASS_VARIABLE_NAME_PATTERN
- private java.util.Map<XMethod,java.util.Set<FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo>> nonFinalMethodsCalledOnParam
- private java.util.Stack<java.lang.String> parameterNameStack

Fields inherited from class edu.umd.cs.findbugs.bcel.OpcodeStackDetector
stack

Fields inherited from class edu.umd.cs.findbugs.visitclass.DismantleBytecode
codeBytes, lineNumberTable, M_BR, M_CP, M_INT, M_PAD, M_R, M_UINT

Fields inherited from interface edu.umd.cs.findbugs.Priorities
EXP_PRIORITY, HIGH_PRIORITY, IGNORE_PRIORITY, LOW_PRIORITY, NORMAL_PRIORITY

Constructor Summary

Constructors:
- FindPotentialSecurityCheckBasedOnUntrustedSource(BugReporter bugReporter)

Method Summary

Methods inherited from class edu.umd.cs.findbugs.bcel.OpcodeStackDetector
beforeOpcode, getStack, isUsingCustomUserValue, visitCode

Methods inherited from class edu.umd.cs.findbugs.BytecodeScanningDetector
getClassContext, report, shouldVisitCode, visitClassContext

Methods inherited from class edu.umd.cs.findbugs.visitclass.DismantleBytecode
areOppositeBranches, atCatchBlock, getBranchFallThrough, getBranchOffset, getBranchTarget, getClassConstantOperand, getClassDescriptorOperand, getCodeByte, getConstantRefOperand, getDefaultSwitchOffset, getDottedClassConstantOperand, getFieldDescriptorOperand, getIntConstant, getLongConstant, getMaxPC, getMethodDescriptorOperand, getNameConstantOperand, getNextCodeByte, getNextOpcode, getNextPC, getOpcode, getPC, getPrevOpcode, getRefConstantOperand, getRefFieldIsStatic, getRegisterOperand, getSigConstantOperand, getStringConstantOperand, getSwitchLabels, getSwitchOffsets, getXClassOperand, getXFieldOperand, getXMethodOperand, isBranch, isMethodCall, isRegisterLoad, isRegisterStore, isRegisterStore, isReturn, isShift, isSwitch, isWideOpcode, printOpCode, sawBranchTo, sawClass, sawDouble, sawField, sawFloat, sawIMethod, sawInt, sawLong, sawMethod, sawRegister, sawString
Methods inherited from class edu.umd.cs.findbugs.visitclass.AnnotationVisitor
getAnnotationParameterAsString, getAnnotationParameterAsStringArray, visitAnnotation, visitAnnotation, visitParameterAnnotation, visitParameterAnnotation, visitSyntheticParameterAnnotation

Methods inherited from class edu.umd.cs.findbugs.visitclass.PreorderVisitor
amVisitingMainMethod, asUnsignedByte, doVisitMethod, getClassDescriptor, getClassName, getCode, getConstantPool, getDottedClassName, getDottedFieldSig, getDottedMethodSig, getDottedSuperclassName, getField, getFieldDescriptor, getFieldIsStatic, getFieldName, getFieldSig, getFullyQualifiedFieldName, getFullyQualifiedMethodName, getMethod, getMethodDescriptor, getMethodName, getMethodSig, getMethodVisitOrder, getNumberArguments, getNumberMethodArguments, getPackageName, getSizeOfSurroundingTryBlock, getSizeOfSurroundingTryBlock, getSourceFile, getStringFromIndex, getSuperclassName, getSurroundingCaughtExceptions, getSurroundingCaughtExceptions, getSurroundingCaughtExceptionTypes, getSurroundingTryBlock, getSurroundingTryBlock, getThisClass, getXClass, getXField, getXMethod, hasInterestingClass, hasInterestingMethod, isVisitMethodsInCallOrder, setupVisitorForClass, setVisitMethodsInCallOrder, shouldVisit, toString, visitAfter, visitAnnotationDefault, visitAnnotationEntry, visitBootstrapMethods, visitConstantInvokeDynamic, visitConstantMethodHandle, visitConstantMethodType, visitConstantModule, visitConstantPackage, visitConstantPool, visitEnclosingMethod, visitingField, visitingMethod, visitInnerClasses, visitJavaClass, visitLineNumberTable, visitLocalVariableTable, visitMethodParameters, visitParameterAnnotationEntry, visitStackMap, visitStackMapEntry
Methods inherited from class edu.umd.cs.findbugs.visitclass.BetterVisitor
clone, report, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visitCodeException, visitConstantClass, visitConstantDouble, visitConstantFieldref, visitConstantFloat, visitConstantInteger, visitConstantInterfaceMethodref, visitConstantLong, visitConstantMethodref, visitConstantNameAndType, visitConstantString, visitConstantUtf8, visitConstantValue, visitDeprecated, visitExceptionTable, visitField, visitInnerClass, visitLineNumber, visitLocalVariable, visitLocalVariableTypeTable, visitMethod, visitSignature, visitSourceFile, visitSynthetic, visitUnknown
Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.apache.bcel.classfile.Visitor
visitConstantDynamic, visitMethodParameter, visitModule, visitModuleExports, visitModuleMainClass, visitModuleOpens, visitModulePackages, visitModuleProvides, visitModuleRequires, visitNestHost, visitNestMembers, visitRecord, visitRecordComponent, visitStackMapType

Field Detail

NESTED_CLASS_VARIABLE_NAME_PATTERN
private static final java.util.regex.Pattern NESTED_CLASS_VARIABLE_NAME_PATTERN

nonFinalMethodsCalledOnParam
private java.util.Map<XMethod,java.util.Set<FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo>> nonFinalMethodsCalledOnParam

methodsCalledInsidePrivilegedAction
private java.util.Map<XMethod,java.util.Set<FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo>> methodsCalledInsidePrivilegedAction

lambdaFunctions
private java.util.Map<OpcodeStack.Item,FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaInfo> lambdaFunctions

lambdaCalledInDoPrivileged
private java.util.Map<org.apache.bcel.classfile.Method,FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaCallInfo> lambdaCalledInDoPrivileged

parameterNameStack
private java.util.Stack<java.lang.String> parameterNameStack

currentLambda
private FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaInfo currentLambda

isDoPrivileged
private boolean isDoPrivileged

isDoPrivilegedRun
private boolean isDoPrivilegedRun

isLambdaCalledInDoPrivileged
private boolean isLambdaCalledInDoPrivileged

bugAccumulator
private final BugAccumulator bugAccumulator

Constructor Detail

FindPotentialSecurityCheckBasedOnUntrustedSource
public FindPotentialSecurityCheckBasedOnUntrustedSource(BugReporter bugReporter)

Method Detail

visit
public void visit(org.apache.bcel.classfile.JavaClass obj)
Overrides: visit in class BetterVisitor

visit
public void visit(org.apache.bcel.classfile.Method obj)
Overrides: visit in class BetterVisitor

visit
public void visit(org.apache.bcel.classfile.Code obj)
Overrides: visit in class DismantleBytecode

visitAfter
public void visitAfter(org.apache.bcel.classfile.JavaClass obj)
Overrides: visitAfter in class PreorderVisitor

sawOpcode
public void sawOpcode(int seen)
Description copied from class: OpcodeStackDetector
By default, this method is not called when the stack is TOP. To change this behavior, override beforeOpcode(int) and make it return true even when the stack is TOP. See "Using FindBugs for Research" to learn about the lattice and what TOP means.
Specified by: sawOpcode in class OpcodeStackDetector
See Also: OpcodeStackDetector.beforeOpcode(int)

getParamNames
private java.lang.String[] getParamNames()

isNestingMethodLocalVariable
private boolean isNestingMethodLocalVariable(OpcodeStack.Item object)

isLambdaNestingMethodLocalVariable
private boolean isLambdaNestingMethodLocalVariable(OpcodeStack.Item object, FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaCallInfo lambdaCall)

addToMethodsCalledInsidePrivilegedAction
private void addToMethodsCalledInsidePrivilegedAction(XMethod calledMethod, OpcodeStack.Item object)

addToNonFinalMethodsCalledOnParam
private void addToNonFinalMethodsCalledOnParam(ClassDescriptor calledClass, XMethod calledMethod, OpcodeStack.Item object)

lookForCalledOutsideAndInside
private FindPotentialSecurityCheckBasedOnUntrustedSource.CallPair lookForCalledOutsideAndInside(OpcodeStack.Item action)

getCalledInside
private FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo getCalledInside(OpcodeStack.Item action, FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo calleeInfo)

lookForCalledOutside
private FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo lookForCalledOutside(org.apache.bcel.classfile.JavaClass callerClass, XMethod callerMethod, XClass calledClass, XMethod calledMethod, java.lang.String argumentName)

isTheSame
private boolean isTheSame(FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo inside, FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo outside, OpcodeStack.Item action)

reportBug
private void reportBug(FindPotentialSecurityCheckBasedOnUntrustedSource.CallPair callPair)

reportBug
private void reportBug(org.apache.bcel.classfile.JavaClass cls, XMethod method, SourceLineAnnotation srcLine, FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo calleInfo, SourceLineAnnotation insideSrcLine)

afterOpcode
public void afterOpcode(int seen)
Description copied from class: OpcodeStackDetector
Note that the stack might be TOP when this method is called.
Overrides: afterOpcode in class OpcodeStackDetector
See Also: OpcodeStackDetector.sawOpcode(int)