Java Code Examples for org.apache.bcel.classfile.AnnotationEntry

The following examples show how to use org.apache.bcel.classfile.AnnotationEntry. These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
private void analyzeField(Field field, JavaClass javaClass) {
    for (AnnotationEntry annotation : field.getAnnotationEntries())  {
        if (ANNOTATION_TYPES.contains(annotation.getAnnotationType()) ||
                annotation.getAnnotationType().contains("JsonTypeInfo")) {
            for (ElementValuePair elementValuePair : annotation.getElementValuePairs()) {
                if ("use".equals((elementValuePair.getNameString())) &&
                        VULNERABLE_USE_NAMES.contains(elementValuePair.getValue().stringifyValue())) {
                    bugReporter.reportBug(new BugInstance(this, DESERIALIZATION_TYPE, HIGH_PRIORITY)
                            .addClass(javaClass)
                            .addString(javaClass.getClassName() + " on field " +
                                    field.getName() + " of type " + field.getType() +
                                    " annotated with " + annotation.toShortString())
                            .addField(FieldAnnotation.fromBCELField(javaClass, field))
                            .addString("")
                    );
                }
            }
        }
    }
}
 
Example 2
private static boolean isVulnerable(Method method) {

        // If the method is not annotated with `@RequestMapping`, there is no vulnerability.
        AnnotationEntry requestMappingAnnotation = findRequestMappingAnnotation(method);
        if (requestMappingAnnotation == null) {
            return false;
        }

        // If the `@RequestMapping` annotation is used without the `method` annotation attribute,
        // there is a vulnerability.
        ElementValuePair methodAnnotationAttribute = findMethodAnnotationAttribute(requestMappingAnnotation);
        if (methodAnnotationAttribute == null) {
            return true;
        }

        // If the `@RequestMapping` annotation is used with the `method` annotation attribute equal to `{}`,
        // there is a vulnerability.
        ElementValue methodAnnotationAttributeValue = methodAnnotationAttribute.getValue();
        if (isEmptyArray(methodAnnotationAttributeValue)) {
            return true;
        }

        // If the `@RequestMapping` annotation is used with the `method` annotation attribute but contains a mix of
        // unprotected and protected HTTP request methods, there is a vulnerability.
        return isMixOfUnprotectedAndProtectedHttpRequestMethods(methodAnnotationAttributeValue);
    }
 
Example 3
@Override
public void visitAnnotation(Annotations arg0) {
    for (AnnotationEntry ae : arg0.getAnnotationEntries()) {
        boolean runtimeVisible = ae.isRuntimeVisible();
        String name = ClassName.fromFieldSignature(ae.getAnnotationType());
        if (name == null) {
            continue;
        }
        name = ClassName.toDottedClassName(name);
        Map<String, ElementValue> map = new HashMap<>();
        for (ElementValuePair ev : ae.getElementValuePairs()) {
            map.put(ev.getNameString(), ev.getValue());
        }
        visitAnnotation(name, map, runtimeVisible);

    }

}
 
Example 4
@Override
public void visitMethod(Method obj) {
    if (!obj.isPrivate() || obj.isSynthetic()) {
        return;
    }
    super.visitMethod(obj);
    String methodName = getMethodName();
    if (!"writeReplace".equals(methodName) && !"readResolve".equals(methodName)
            && !"readObject".equals(methodName) && !"readObjectNoData".equals(methodName)
            && !"writeObject".equals(methodName)
            && methodName.indexOf("debug") == -1 && methodName.indexOf("Debug") == -1
            && methodName.indexOf("trace") == -1 && methodName.indexOf("Trace") == -1
            && !Const.CONSTRUCTOR_NAME.equals(methodName) && !Const.STATIC_INITIALIZER_NAME.equals(methodName)) {
        for (AnnotationEntry a : obj.getAnnotationEntries()) {
            String typeName = a.getAnnotationType();
            if ("Ljavax/annotation/PostConstruct;".equals(typeName)
                    || "Ljavax/annotation/PreDestroy;".equals(typeName)) {
                return;
            }
        }
        definedPrivateMethods.add(MethodAnnotation.fromVisitedMethod(this));
    }
}
 
Example 5
Source Project: commons-bcel   Source File: FieldGen.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Instantiate from existing field.
 *
 * @param field Field object
 * @param cp constant pool (must contain the same entries as the field's constant pool)
 */
public FieldGen(final Field field, final ConstantPoolGen cp) {
    this(field.getAccessFlags(), Type.getType(field.getSignature()), field.getName(), cp);
    final Attribute[] attrs = field.getAttributes();
    for (final Attribute attr : attrs) {
        if (attr instanceof ConstantValue) {
            setValue(((ConstantValue) attr).getConstantValueIndex());
        } else if (attr instanceof Annotations) {
            final Annotations runtimeAnnotations = (Annotations)attr;
            final AnnotationEntry[] annotationEntries = runtimeAnnotations.getAnnotationEntries();
            for (final AnnotationEntry element : annotationEntries) {
                addAnnotationEntry(new AnnotationEntryGen(element,cp,false));
            }
        } else {
            addAttribute(attr);
        }
    }
}
 
Example 6
Source Project: commons-bcel   Source File: FieldAnnotationsTestCase.java    License: Apache License 2.0 6 votes vote down vote up
private void checkAnnotationEntry(final AnnotationEntry a, final String name, final String elementname,
        final String elementvalue)
{
    assertTrue("Expected AnnotationEntry to have name " + name
            + " but it had name " + a.getAnnotationType(), a.getAnnotationType()
            .equals(name));
    assertTrue("Expected AnnotationEntry to have one element but it had "
            + a.getElementValuePairs().length, a.getElementValuePairs().length == 1);
    final ElementValuePair envp = a.getElementValuePairs()[0];
    assertTrue("Expected element name " + elementname + " but was "
            + envp.getNameString(), elementname
            .equals(envp.getNameString()));
    assertTrue("Expected element value " + elementvalue + " but was "
            + envp.getValue().stringifyValue(), elementvalue.equals(envp
            .getValue().stringifyValue()));
}
 
Example 7
Source Project: commons-bcel   Source File: FieldAnnotationsTestCase.java    License: Apache License 2.0 6 votes vote down vote up
public void checkValue(final AnnotationEntry a, final String name, final String tostring)
{
    for (int i = 0; i < a.getElementValuePairs().length; i++)
    {
        final ElementValuePair element = a.getElementValuePairs()[i];
        if (element.getNameString().equals(name))
        {
            if (!element.getValue().stringifyValue().equals(tostring))
            {
                fail("Expected element " + name + " to have value "
                        + tostring + " but it had value "
                        + element.getValue().stringifyValue());
            }
            return;
        }
    }
    fail("Didnt find named element " + name);
}
 
Example 8
private void assertParameterAnnotations(final Method method, final int... expectedNumberOfParmeterAnnotations)
{
    final String methodName= "For "+method.getName();
    final ParameterAnnotationEntry[] parameterAnnotations= method.getParameterAnnotationEntries();
    assertEquals(methodName, expectedNumberOfParmeterAnnotations.length, parameterAnnotations.length);

    int i= 0;
    for (final ParameterAnnotationEntry parameterAnnotation : parameterAnnotations)
    {
        final AnnotationEntry[] annos= parameterAnnotation.getAnnotationEntries();
        final int expectedLength = expectedNumberOfParmeterAnnotations[i++];
        assertEquals(methodName+" parameter "+i, expectedLength, annos.length);
        if(expectedLength!=0)
        {
            assertSimpleElementValue(annos[0]);
        }
    }
}
 
Example 9
private boolean hasRequestMapping(JavaClass clazz) {
    Method[] methods = clazz.getMethods();
    for (Method m: methods) {
        AnnotationEntry[] annotations = m.getAnnotationEntries();

        for (AnnotationEntry ae: annotations) {
            if (REQUEST_MAPPING_ANNOTATION_TYPES.contains(ae.getAnnotationType())) {
                return true;
            }
        }
    }
    return false;
}
 
Example 10
private static AnnotationEntry findRequestMappingAnnotation(Method method) {
    for (AnnotationEntry annotationEntry : method.getAnnotationEntries()) {
        if (REQUEST_MAPPING_ANNOTATION_TYPE.equals(annotationEntry.getAnnotationType())) {
            return annotationEntry;
        }
    }
    return null;
}
 
Example 11
private static ElementValuePair findMethodAnnotationAttribute(AnnotationEntry requestMappingAnnotation) {
    for (ElementValuePair elementValuePair : requestMappingAnnotation.getElementValuePairs()) {
        if (METHOD_ANNOTATION_ATTRIBUTE_KEY.equals(elementValuePair.getNameString())) {
            return elementValuePair;
        }
    }
    return null;
}
 
Example 12
@Override
public void visitClassContext(ClassContext classContext) {
    JavaClass javaClass = classContext.getJavaClass();
    for (Method m : javaClass.getMethods()) {

        for (AnnotationEntry ae : m.getAnnotationEntries()) {

            //Every method mark with @javax.jws.WebMethod is mark as an Endpoint
            if (ae.getAnnotationType().equals("Ljavax/jws/WebMethod;")) {
                bugReporter.reportBug(new BugInstance(this, JAXWS_ENDPOINT_TYPE, Priorities.LOW_PRIORITY) //
                        .addClassAndMethod(javaClass, m));
            }
        }
    }
}
 
Example 13
@Override
public void visitClassContext(ClassContext classContext) {
    JavaClass javaClass = classContext.getJavaClass();
    method : for (Method m : javaClass.getMethods()) {

        for (AnnotationEntry ae : m.getAnnotationEntries()) {

            if (REQUEST_MAPPING_ANNOTATION_TYPES.contains(ae.getAnnotationType())) {
                bugReporter.reportBug(new BugInstance(this, SPRING_ENDPOINT_TYPE, Priorities.LOW_PRIORITY) //
                        .addClassAndMethod(javaClass, m));
                continue method;
            }
        }
    }
}
 
Example 14
@Override
public void visitClassContext(ClassContext classContext) {
    JavaClass javaClass = classContext.getJavaClass();
    for (Method m : javaClass.getMethods()) {

        for (AnnotationEntry ae : m.getAnnotationEntries()) {

            //Every method mark with @javax.ws.rs.Path is mark as an Endpoint
            if (ae.getAnnotationType().equals("Ljavax/ws/rs/Path;")) {
                bugReporter.reportBug(new BugInstance(this, JAXRS_ENDPOINT_TYPE, Priorities.LOW_PRIORITY) //
                        .addClassAndMethod(javaClass, m));
            }
        }
    }
}
 
Example 15
@Override
public void visitParameterAnnotation(ParameterAnnotations arg0) {
    ParameterAnnotationEntry[] parameterAnnotationEntries = arg0.getParameterAnnotationEntries();
    int numParametersToMethod = getNumberMethodArguments();
    int offset = 0;
    if (numParametersToMethod > parameterAnnotationEntries.length) {
        offset = 1;
    }
    for (int i = 0; i < parameterAnnotationEntries.length; i++) {
        ParameterAnnotationEntry e = parameterAnnotationEntries[i];
        for (AnnotationEntry ae : e.getAnnotationEntries()) {
            boolean runtimeVisible = ae.isRuntimeVisible();

            String name = ClassName.fromFieldSignature(ae.getAnnotationType());
            if (name == null) {
                continue;
            }
            name = ClassName.toDottedClassName(name);
            Map<String, ElementValue> map = new HashMap<>();
            for (ElementValuePair ev : ae.getElementValuePairs()) {
                map.put(ev.getNameString(), ev.getValue());
            }
            visitParameterAnnotation(offset + i, name, map, runtimeVisible);

        }
    }
}
 
Example 16
/**
 * Try to find default {@link CheckReturnValueAnnotation} for methods inside of target class.
 *
 */
@CheckForNull
private CheckReturnValueAnnotation parsePackage(@DottedClassName String packageName) {
    String className = ClassName.toSlashedClassName(packageName) + "/package-info";
    ClassDescriptor descriptor = DescriptorFactory.createClassDescriptor(className);
    // ClassInfoAnalysisEngine doesn't support parsing package-info to generate XClass, so use JavaClass instead
    JavaClass clazz;
    try {
        clazz = AnalysisContext.currentAnalysisContext().lookupClass(descriptor);
    } catch (ClassNotFoundException e) {
        // no annotation on package
        return null;
    }

    for (AnnotationEntry entry : clazz.getAnnotationEntries()) {
        @SlashedClassName
        String type = entry.getAnnotationType();

        switch (type) {
        case NAME_OF_CHECK_RETURN_NULL_SPOTBUGS:
            return createSpotBugsAnnotation(entry);
        case NAME_OF_CHECK_RETURN_NULL_JSR305:
            return createJSR305Annotation(entry);
        case NAME_OF_CHECK_RETURN_NULL_ERRORPRONE:
            return CheckReturnValueAnnotation.createFor(When.ALWAYS);
        case NAME_OF_CAN_IGNORE_RETURN_VALUE:
            return CheckReturnValueAnnotation.createFor(When.NEVER);
        default:
            // check next annotation
        }
    }

    return null;
}
 
Example 17
private CheckReturnValueAnnotation createJSR305Annotation(AnnotationEntry entry) {
    for (ElementValuePair pair : entry.getElementValuePairs()) {
        if (pair.getNameString().equals("when")) {
            return CheckReturnValueAnnotation.createFor(When.valueOf(pair.getValue().stringifyValue()));
        }
    }
    // use default value
    return CheckReturnValueAnnotation.createFor(When.ALWAYS);
}
 
Example 18
private CheckReturnValueAnnotation createSpotBugsAnnotation(AnnotationEntry entry) {
    for (ElementValuePair pair : entry.getElementValuePairs()) {
        if (pair.getNameString().equals("confidence")) {
            return CheckReturnValueAnnotation.parse(pair.getValue().stringifyValue());
        }
    }
    // use default value
    return CheckReturnValueAnnotation.parse(Confidence.MEDIUM.name());
}
 
Example 19
Source Project: google-http-java-client   Source File: BetaDetector.java    License: Apache License 2.0 5 votes vote down vote up
/** Returns true if the given annotations contain {@link Beta}. */
private static boolean isBeta(AnnotationEntry[] annotationEntries) {
  for (AnnotationEntry annotation : annotationEntries) {
    if (BETA_ANNOTATION.equals(annotation.getAnnotationType())) {
      return true;
    }
  }
  return false;
}
 
Example 20
Source Project: commons-bcel   Source File: MethodGen.java    License: Apache License 2.0 5 votes vote down vote up
private List<AnnotationEntryGen> makeMutableVersion(final AnnotationEntry[] mutableArray)
{
    final List<AnnotationEntryGen> result = new ArrayList<>();
    for (final AnnotationEntry element : mutableArray) {
        result.add(new AnnotationEntryGen(element, getConstantPool(),
                false));
    }
    return result;
}
 
Example 21
Source Project: commons-bcel   Source File: AnnotationEntryGen.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Here we are taking a fixed annotation of type Annotation and building a
 * modifiable AnnotationGen object. If the pool passed in is for a different
 * class file, then copyPoolEntries should have been passed as true as that
 * will force us to do a deep copy of the annotation and move the cpool
 * entries across. We need to copy the type and the element name value pairs
 * and the visibility.
 */
public AnnotationEntryGen(final AnnotationEntry a, final ConstantPoolGen cpool,
                          final boolean copyPoolEntries) {
    this.cpool = cpool;
    if (copyPoolEntries) {
        typeIndex = cpool.addUtf8(a.getAnnotationType());
    } else {
        typeIndex = a.getAnnotationTypeIndex();
    }
    isRuntimeVisible = a.isRuntimeVisible();
    evs = copyValues(a.getElementValuePairs(), cpool, copyPoolEntries);
}
 
Example 22
Source Project: commons-bcel   Source File: AnnotationEntryGen.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Retrieve an immutable version of this AnnotationGen
 */
public AnnotationEntry getAnnotation() {
    final AnnotationEntry a = new AnnotationEntry(typeIndex, cpool.getConstantPool(),
            isRuntimeVisible);
    for (final ElementValuePairGen element : evs) {
        a.addElementNameValuePair(element.getElementNameValuePair());
    }
    return a;
}
 
Example 23
Source Project: commons-bcel   Source File: FieldAnnotationsTestCase.java    License: Apache License 2.0 5 votes vote down vote up
public void checkAnnotatedField(final JavaClass clazz, final String fieldname,
        final String AnnotationEntryName, final String AnnotationEntryElementName,
        final String AnnotationEntryElementValue)
{
    final Field[] fields = clazz.getFields();
    for (final Field f : fields) {
        final AnnotationEntry[] fieldAnnotationEntrys = f.getAnnotationEntries();
        if (f.getName().equals(fieldname))
        {
            checkAnnotationEntry(fieldAnnotationEntrys[0], AnnotationEntryName,
                    AnnotationEntryElementName, AnnotationEntryElementValue);
        }
    }
}
 
Example 24
private void assertMethodAnnotations(final Method method, final int expectedNumberAnnotations, final int nExpectedArrayValues)
{
    final String methodName= method.getName();
    final AnnotationEntry[] annos= method.getAnnotationEntries();
    assertEquals("For "+methodName, expectedNumberAnnotations, annos.length);
    if(expectedNumberAnnotations!=0)
    {
        assertArrayElementValue(nExpectedArrayValues, annos[0]);
    }
}
 
Example 25
private void assertArrayElementValue(final int nExpectedArrayValues, final AnnotationEntry anno)
{
    final ElementValuePair elementValuePair = anno.getElementValuePairs()[0];
    assertEquals("value", elementValuePair.getNameString());
    final ArrayElementValue ev = (ArrayElementValue) elementValuePair.getValue();
    final ElementValue[] eva = ev.getElementValuesArray();
    assertEquals(nExpectedArrayValues, eva.length);
}
 
Example 26
private void assertSimpleElementValue(final AnnotationEntry anno)
{
    final ElementValuePair elementValuePair = anno.getElementValuePairs()[0];
    assertEquals("id", elementValuePair.getNameString());
    final SimpleElementValue ev = (SimpleElementValue)elementValuePair.getValue();
    assertEquals(42, ev.getValueInt());
}
 
Example 27
Source Project: commons-bcel   Source File: AbstractTestCase.java    License: Apache License 2.0 5 votes vote down vote up
protected String dumpAnnotationEntries(final AnnotationEntry[] as)
{
    final StringBuilder result = new StringBuilder();
    result.append("[");
    for (int i = 0; i < as.length; i++)
    {
        final AnnotationEntry annotation = as[i];
        result.append(annotation.toShortString());
        if (i + 1 < as.length) {
            result.append(",");
        }
    }
    result.append("]");
    return result.toString();
}
 
Example 28
@Override
public void visitAnnotationEntry(AnnotationEntry arg0) {
    // TODO Auto-generated method stub

}
 
Example 29
Source Project: commons-bcel   Source File: MethodGen.java    License: Apache License 2.0 4 votes vote down vote up
/**
 * Instantiate from existing method.
 *
 * @param method method
 * @param className class name containing this method
 * @param cp constant pool
 */
public MethodGen(final Method method, final String className, final ConstantPoolGen cp) {
    this(method.getAccessFlags(), Type.getReturnType(method.getSignature()),
        Type.getArgumentTypes(method.getSignature()), null /* may be overridden anyway */
        , method.getName(), className,
        ((method.getAccessFlags() & (Const.ACC_ABSTRACT | Const.ACC_NATIVE)) == 0)
            ? new InstructionList(getByteCodes(method))
            : null,
        cp);
    final Attribute[] attributes = method.getAttributes();
    for (final Attribute attribute : attributes) {
        Attribute a = attribute;
        if (a instanceof Code) {
            final Code c = (Code) a;
            setMaxStack(c.getMaxStack());
            setMaxLocals(c.getMaxLocals());
            final CodeException[] ces = c.getExceptionTable();
            if (ces != null) {
                for (final CodeException ce : ces) {
                    final int type = ce.getCatchType();
                    ObjectType c_type = null;
                    if (type > 0) {
                        final String cen = method.getConstantPool().getConstantString(type, Const.CONSTANT_Class);
                        c_type = ObjectType.getInstance(cen);
                    }
                    final int end_pc = ce.getEndPC();
                    final int length = getByteCodes(method).length;
                    InstructionHandle end;
                    if (length == end_pc) { // May happen, because end_pc is exclusive
                        end = il.getEnd();
                    } else {
                        end = il.findHandle(end_pc);
                        end = end.getPrev(); // Make it inclusive
                    }
                    addExceptionHandler(il.findHandle(ce.getStartPC()), end, il.findHandle(ce.getHandlerPC()),
                        c_type);
                }
            }
            final Attribute[] c_attributes = c.getAttributes();
            for (final Attribute c_attribute : c_attributes) {
                a = c_attribute;
                if (a instanceof LineNumberTable) {
                    final LineNumber[] ln = ((LineNumberTable) a).getLineNumberTable();
                    for (final LineNumber l : ln) {
                        final InstructionHandle ih = il.findHandle(l.getStartPC());
                        if (ih != null) {
                            addLineNumber(ih, l.getLineNumber());
                        }
                    }
                } else if (a instanceof LocalVariableTable) {
                    updateLocalVariableTable((LocalVariableTable) a);
                } else if (a instanceof LocalVariableTypeTable) {
                    this.localVariableTypeTable = (LocalVariableTypeTable) a.copy(cp.getConstantPool());
                } else {
                    addCodeAttribute(a);
                }
            }
        } else if (a instanceof ExceptionTable) {
            final String[] names = ((ExceptionTable) a).getExceptionNames();
            for (final String name2 : names) {
                addException(name2);
            }
        } else if (a instanceof Annotations) {
            final Annotations runtimeAnnotations = (Annotations) a;
            final AnnotationEntry[] aes = runtimeAnnotations.getAnnotationEntries();
            for (final AnnotationEntry element : aes) {
                addAnnotationEntry(new AnnotationEntryGen(element, cp, false));
            }
        } else {
            addAttribute(a);
        }
    }
}
 
Example 30
Source Project: commons-bcel   Source File: ElementValueGen.java    License: Apache License 2.0 4 votes vote down vote up
public static ElementValueGen readElementValue(final DataInput dis,
        final ConstantPoolGen cpGen) throws IOException
{
    final int type = dis.readUnsignedByte();
    switch (type)
    {
    case 'B': // byte
        return new SimpleElementValueGen(PRIMITIVE_BYTE, dis
                .readUnsignedShort(), cpGen);
    case 'C': // char
        return new SimpleElementValueGen(PRIMITIVE_CHAR, dis
                .readUnsignedShort(), cpGen);
    case 'D': // double
        return new SimpleElementValueGen(PRIMITIVE_DOUBLE, dis
                .readUnsignedShort(), cpGen);
    case 'F': // float
        return new SimpleElementValueGen(PRIMITIVE_FLOAT, dis
                .readUnsignedShort(), cpGen);
    case 'I': // int
        return new SimpleElementValueGen(PRIMITIVE_INT, dis
                .readUnsignedShort(), cpGen);
    case 'J': // long
        return new SimpleElementValueGen(PRIMITIVE_LONG, dis
                .readUnsignedShort(), cpGen);
    case 'S': // short
        return new SimpleElementValueGen(PRIMITIVE_SHORT, dis
                .readUnsignedShort(), cpGen);
    case 'Z': // boolean
        return new SimpleElementValueGen(PRIMITIVE_BOOLEAN, dis
                .readUnsignedShort(), cpGen);
    case 's': // String
        return new SimpleElementValueGen(STRING, dis.readUnsignedShort(),
                cpGen);
    case 'e': // Enum constant
        return new EnumElementValueGen(dis.readUnsignedShort(), dis
                .readUnsignedShort(), cpGen);
    case 'c': // Class
        return new ClassElementValueGen(dis.readUnsignedShort(), cpGen);
    case '@': // Annotation
        // TODO: isRuntimeVisible ??????????
        // FIXME
        return new AnnotationElementValueGen(ANNOTATION,
                new AnnotationEntryGen(AnnotationEntry.read(dis, cpGen
                        .getConstantPool(), true), cpGen, false), cpGen);
    case '[': // Array
        final int numArrayVals = dis.readUnsignedShort();
        final ElementValue[] evalues = new ElementValue[numArrayVals];
        for (int j = 0; j < numArrayVals; j++)
        {
            evalues[j] = ElementValue.readElementValue(dis, cpGen
                    .getConstantPool());
        }
        return new ArrayElementValueGen(ARRAY, evalues, cpGen);
    default:
        throw new IllegalArgumentException("Unexpected element value kind in annotation: " + type);
    }
}