Package edu.umd.cs.findbugs.detect
Class FindPotentialSecurityCheckBasedOnUntrustedSource

Class hierarchy:
  java.lang.Object
    edu.umd.cs.findbugs.visitclass.BetterVisitor
      edu.umd.cs.findbugs.visitclass.PreorderVisitor
        edu.umd.cs.findbugs.visitclass.AnnotationVisitor
          edu.umd.cs.findbugs.visitclass.DismantleBytecode
            edu.umd.cs.findbugs.BytecodeScanningDetector
              edu.umd.cs.findbugs.bcel.OpcodeStackDetector
                edu.umd.cs.findbugs.detect.FindPotentialSecurityCheckBasedOnUntrustedSource

All Implemented Interfaces:
  Detector, Priorities, org.apache.bcel.classfile.Visitor

Nested Class Summary

Nested classes (Modifier and Type / Class):
  private static class  FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo
  private static class  FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo
  private static class  FindPotentialSecurityCheckBasedOnUntrustedSource.CallPair
  private static class  FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaCallInfo
  private static class  FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaInfo

Nested classes/interfaces inherited from class edu.umd.cs.findbugs.bcel.OpcodeStackDetector:
  OpcodeStackDetector.WithCustomJumpInfo

Field Summary

Fields (Modifier and Type / Field):
  private static final Pattern  NESTED_CLASS_VARIABLE_NAME_PATTERN
  private Map<XMethod,Set<FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo>>  nonFinalMethodsCalledOnParam
  private Map<XMethod,Set<FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo>>  methodsCalledInsidePrivilegedAction
  private Map<OpcodeStack.Item,FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaInfo>  lambdaFunctions
  private Map<org.apache.bcel.classfile.Method,FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaCallInfo>  lambdaCalledInDoPrivileged
  parameterNameStack
  currentLambda
  private boolean  isDoPrivileged
  private boolean  isDoPrivilegedRun
  private boolean  isLambdaCalledInDoPrivileged
  private final BugAccumulator  bugAccumulator

Fields inherited from class edu.umd.cs.findbugs.bcel.OpcodeStackDetector:
  stack

Fields inherited from class edu.umd.cs.findbugs.visitclass.DismantleBytecode:
  codeBytes, lineNumberTable, M_BR, M_CP, M_INT, M_PAD, M_R, M_UINT

Fields inherited from interface edu.umd.cs.findbugs.Priorities:
  EXP_PRIORITY, HIGH_PRIORITY, IGNORE_PRIORITY, LOW_PRIORITY, NORMAL_PRIORITY

Constructor Summary

Constructors:
  FindPotentialSecurityCheckBasedOnUntrustedSource

Method Summary

Methods (Modifier and Type / Method / Description):
  private void  addToMethodsCalledInsidePrivilegedAction(XMethod calledMethod, OpcodeStack.Item object)
  private void  addToNonFinalMethodsCalledOnParam(ClassDescriptor calledClass, XMethod calledMethod, OpcodeStack.Item object)
  void  afterOpcode(int seen)
        Note that stack might be TOP when this method is called.
  private FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo  getCalledInside(OpcodeStack.Item action, FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo calleeInfo)
  private String[]  getParamNames
  private boolean  isLambdaNestingMethodLocalVariable(OpcodeStack.Item object, FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaCallInfo lambdaCall)
  private boolean  isNestingMethodLocalVariable
  private boolean  isTheSame(FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo inside, FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo outside, OpcodeStack.Item action)
  private FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo  lookForCalledOutside(org.apache.bcel.classfile.JavaClass callerClass, XMethod callerMethod, XClass calledClass, XMethod calledMethod, String argumentName)
  private FindPotentialSecurityCheckBasedOnUntrustedSource.CallPair  lookForCalledOutsideAndInside(OpcodeStack.Item action)
  private void  reportBug
  private void  reportBug(org.apache.bcel.classfile.JavaClass cls, XMethod method, SourceLineAnnotation srcLine, FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo calleInfo, SourceLineAnnotation insideSrcLine)
  void  sawOpcode(int seen)
        By default, this method will not be called when stack is TOP.
  void  visit(org.apache.bcel.classfile.Code obj)
  void  visit(org.apache.bcel.classfile.JavaClass obj)
  void  visit(org.apache.bcel.classfile.Method obj)
  void  visitAfter(org.apache.bcel.classfile.JavaClass obj)

Methods inherited from class edu.umd.cs.findbugs.bcel.OpcodeStackDetector:
  beforeOpcode, getStack, isUsingCustomUserValue, visitCode
Methods inherited from class edu.umd.cs.findbugs.BytecodeScanningDetector
getClassContext, report, shouldVisitCode, visitClassContext
Methods inherited from class edu.umd.cs.findbugs.visitclass.DismantleBytecode
areOppositeBranches, atCatchBlock, getBranchFallThrough, getBranchOffset, getBranchTarget, getClassConstantOperand, getClassDescriptorOperand, getCodeByte, getConstantRefOperand, getDefaultSwitchOffset, getDottedClassConstantOperand, getFieldDescriptorOperand, getIntConstant, getLongConstant, getMaxPC, getMethodDescriptorOperand, getNameConstantOperand, getNextCodeByte, getNextOpcode, getNextPC, getOpcode, getPC, getPrevOpcode, getRefConstantOperand, getRefFieldIsStatic, getRegisterOperand, getSigConstantOperand, getStringConstantOperand, getSwitchLabels, getSwitchOffsets, getXClassOperand, getXFieldOperand, getXMethodOperand, isBranch, isMethodCall, isRegisterLoad, isRegisterStore, isRegisterStore, isReturn, isShift, isSwitch, isWideOpcode, printOpCode, sawBranchTo, sawClass, sawDouble, sawField, sawFloat, sawIMethod, sawInt, sawLong, sawMethod, sawRegister, sawString
Methods inherited from class edu.umd.cs.findbugs.visitclass.AnnotationVisitor
getAnnotationParameterAsString, getAnnotationParameterAsStringArray, visitAnnotation, visitAnnotation, visitParameterAnnotation, visitParameterAnnotation, visitSyntheticParameterAnnotation
Methods inherited from class edu.umd.cs.findbugs.visitclass.PreorderVisitor
amVisitingMainMethod, asUnsignedByte, doVisitMethod, getClassDescriptor, getClassName, getCode, getConstantPool, getDottedClassName, getDottedFieldSig, getDottedMethodSig, getDottedSuperclassName, getField, getFieldDescriptor, getFieldIsStatic, getFieldName, getFieldSig, getFullyQualifiedFieldName, getFullyQualifiedMethodName, getMethod, getMethodDescriptor, getMethodName, getMethodSig, getMethodVisitOrder, getNumberArguments, getNumberMethodArguments, getPackageName, getSizeOfSurroundingTryBlock, getSizeOfSurroundingTryBlock, getSourceFile, getStringFromIndex, getSuperclassName, getSurroundingCaughtExceptions, getSurroundingCaughtExceptions, getSurroundingCaughtExceptionTypes, getSurroundingTryBlock, getSurroundingTryBlock, getThisClass, getXClass, getXField, getXMethod, hasInterestingClass, hasInterestingMethod, isVisitMethodsInCallOrder, setupVisitorForClass, setVisitMethodsInCallOrder, shouldVisit, toString, visitAfter, visitAnnotationDefault, visitAnnotationEntry, visitBootstrapMethods, visitConstantInvokeDynamic, visitConstantMethodHandle, visitConstantMethodType, visitConstantModule, visitConstantPackage, visitConstantPool, visitEnclosingMethod, visitingField, visitingMethod, visitInnerClasses, visitJavaClass, visitLineNumberTable, visitLocalVariableTable, visitMethodParameters, visitParameterAnnotationEntry, visitStackMap, visitStackMapEntry
Methods inherited from class edu.umd.cs.findbugs.visitclass.BetterVisitor
clone, report, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visit, visitCodeException, visitConstantClass, visitConstantDouble, visitConstantFieldref, visitConstantFloat, visitConstantInteger, visitConstantInterfaceMethodref, visitConstantLong, visitConstantMethodref, visitConstantNameAndType, visitConstantString, visitConstantUtf8, visitConstantValue, visitDeprecated, visitExceptionTable, visitField, visitInnerClass, visitLineNumber, visitLocalVariable, visitLocalVariableTypeTable, visitMethod, visitSignature, visitSourceFile, visitSynthetic, visitUnknown
Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface org.apache.bcel.classfile.Visitor
visitConstantDynamic, visitMethodParameter, visitModule, visitModuleExports, visitModuleMainClass, visitModuleOpens, visitModulePackages, visitModuleProvides, visitModuleRequires, visitNestHost, visitNestMembers, visitStackMapType

Field Details

NESTED_CLASS_VARIABLE_NAME_PATTERN
  private static final Pattern NESTED_CLASS_VARIABLE_NAME_PATTERN

nonFinalMethodsCalledOnParam
  private Map<XMethod,Set<FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo>> nonFinalMethodsCalledOnParam

methodsCalledInsidePrivilegedAction
  private Map<XMethod,Set<FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo>> methodsCalledInsidePrivilegedAction

lambdaFunctions
  private Map<OpcodeStack.Item,FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaInfo> lambdaFunctions

lambdaCalledInDoPrivileged
  private Map<org.apache.bcel.classfile.Method,FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaCallInfo> lambdaCalledInDoPrivileged

parameterNameStack

currentLambda

isDoPrivileged
  private boolean isDoPrivileged

isDoPrivilegedRun
  private boolean isDoPrivilegedRun

isLambdaCalledInDoPrivileged
  private boolean isLambdaCalledInDoPrivileged

bugAccumulator
  private final BugAccumulator bugAccumulator

Constructor Details

FindPotentialSecurityCheckBasedOnUntrustedSource

Method Details

visit
  public void visit(org.apache.bcel.classfile.JavaClass obj)
  Overrides: visit in class BetterVisitor

visit
  public void visit(org.apache.bcel.classfile.Method obj)
  Overrides: visit in class BetterVisitor

visit
  public void visit(org.apache.bcel.classfile.Code obj)
  Overrides: visit in class DismantleBytecode

visitAfter
  public void visitAfter(org.apache.bcel.classfile.JavaClass obj)
  Overrides: visitAfter in class PreorderVisitor

sawOpcode
  public void sawOpcode(int seen)
  Description copied from class: OpcodeStackDetector
  By default, this method will not be called when stack is TOP. To change this behavior, override beforeOpcode(int) and change it to return true even if stack is TOP. See "Using FindBugs for Research" to learn about the lattice and what TOP means.
  Specified by: sawOpcode in class OpcodeStackDetector

getParamNames

isNestingMethodLocalVariable

isLambdaNestingMethodLocalVariable
  private boolean isLambdaNestingMethodLocalVariable(OpcodeStack.Item object, FindPotentialSecurityCheckBasedOnUntrustedSource.LambdaCallInfo lambdaCall)

addToMethodsCalledInsidePrivilegedAction
  private void addToMethodsCalledInsidePrivilegedAction(XMethod calledMethod, OpcodeStack.Item object)

addToNonFinalMethodsCalledOnParam
  private void addToNonFinalMethodsCalledOnParam(ClassDescriptor calledClass, XMethod calledMethod, OpcodeStack.Item object)

lookForCalledOutsideAndInside
  private FindPotentialSecurityCheckBasedOnUntrustedSource.CallPair lookForCalledOutsideAndInside(OpcodeStack.Item action)

getCalledInside
  private FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo getCalledInside(OpcodeStack.Item action, FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo calleeInfo)

lookForCalledOutside
  private FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo lookForCalledOutside(org.apache.bcel.classfile.JavaClass callerClass, XMethod callerMethod, XClass calledClass, XMethod calledMethod, String argumentName)

isTheSame
  private boolean isTheSame(FindPotentialSecurityCheckBasedOnUntrustedSource.CallerInfo inside, FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo outside, OpcodeStack.Item action)

reportBug

reportBug
  private void reportBug(org.apache.bcel.classfile.JavaClass cls, XMethod method, SourceLineAnnotation srcLine, FindPotentialSecurityCheckBasedOnUntrustedSource.CalleeInfo calleInfo, SourceLineAnnotation insideSrcLine)

afterOpcode
  public void afterOpcode(int seen)
  Description copied from class: OpcodeStackDetector
  Note that stack might be TOP when this method is called.
  Overrides: afterOpcode in class OpcodeStackDetector