All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.h3xstream.findsecbugs.common.JspUtils Maven / Gradle / Ivy

/**
 * Find Security Bugs
 * Copyright (c) Philippe Arteau, All rights reserved.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 3.0 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.
 */
package com.h3xstream.findsecbugs.common;

import org.apache.bcel.generic.ConstantPoolGen;
import org.apache.bcel.generic.INVOKESTATIC;
import org.apache.bcel.generic.INVOKEVIRTUAL;
import org.apache.bcel.generic.Instruction;
import org.apache.bcel.generic.LDC;

import java.util.Iterator;
import java.util.LinkedList;
import java.util.NoSuchElementException;

import static com.h3xstream.findsecbugs.common.matcher.InstructionDSL.*;

public class JspUtils {


    /**
     *
     * @param precedingInstructions Instructions preceding the call.
     * @param cpg Constant Pool Gen (need to get constant value such as strings and class names)
     * @return The string value found or null
     */
    public static String getContanstBooleanAsString(LinkedList precedingInstructions, ConstantPoolGen cpg) {
        //Heuristic to find static
        Iterator it = precedingInstructions.descendingIterator();

// Weblogic 12
//     [0076]  ldc_w   "true"
//     [0079]  invokestatic   weblogic/utils/StringUtils.valueOf (Ljava/lang/Object;)Ljava/lang/String;
//     [0082]  invokestatic   java/lang/Boolean.valueOf (Ljava/lang/String;)Ljava/lang/Boolean;
//     [0085]  invokevirtual   java/lang/Boolean.booleanValue ()Z
//     [0088]  invokevirtual   org/apache/taglibs/standard/tag/rt/core/OutTag.setEscapeXml (Z)V

        try {
            it.next();
            INVOKEVIRTUAL inv1 = (INVOKEVIRTUAL) it.next();
            INVOKESTATIC inv2 = (INVOKESTATIC) it.next();
            INVOKESTATIC inv3 = (INVOKESTATIC) it.next();
            if (invokeInstruction().atClass("java.lang.Boolean").atMethod("booleanValue").matches(inv1, cpg) &&
                    invokeInstruction().atClass("java.lang.Boolean").atMethod("valueOf").matches(inv2, cpg) &&
                    invokeInstruction().atClass("weblogic.utils.StringUtils").atMethod("valueOf").matches(inv3, cpg)) {
                LDC ldc = (LDC) it.next();
                return String.valueOf(ldc.getValue(cpg));
            }
        }
        catch (NoSuchElementException e) { }
        catch (ClassCastException e) { }
/**
// WebLogic Unknown
//     [0076]  ldc_w   "false"
//     [0079]  ldc   java/lang/String
//     [0081]  ldc_w   "escapeXml"
//     [0084]  invokestatic   weblogic/jsp/internal/jsp/utils/JspRuntimeUtils.convertType (Ljava/lang/String;Ljava/lang/Class;Ljava/lang/String;)Ljava/lang/Object;
//     [0087]  checkcast
//     [0090]  invokevirtual   org/apache/taglibs/standard/tag/el/core/OutTag.setEscapeXml (Ljava/lang/String;)V

        it = precedingInstructions.descendingIterator();

        try {
            it.next();
            CHECKCAST checkcast = (CHECKCAST) it.next();
            INVOKESTATIC inv1 = (INVOKESTATIC) it.next();
            if (invokeInstruction().atClass("weblogic.jsp.internal.jsp.utils.JspRuntimeUtils").atMethod("convertType").matches(inv1, cpg)) {
                LDC ldc1 = (LDC) it.next(); //property name
                LDC ldc2 = (LDC) it.next(); //type
                LDC ldc3 = (LDC) it.next(); //value
                return String.valueOf(ldc3.getValue(cpg));
            }
        }
        catch (NoSuchElementException e) { }
        catch (ClassCastException e) { }
*/
        return null;
    }
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy