org.apache.bcel.classfile.ElementValuePair Java Examples

The following examples show how to use org.apache.bcel.classfile.ElementValuePair.
Example #1
Source File: UnsafeJacksonDeserializationDetector.java    From Android_Code_Arbiter with GNU Lesser General Public License v3.0
/**
 * Inspects the annotations of one field and reports a {@code DESERIALIZATION_TYPE} bug
 * for every annotation element named {@code use} whose stringified value is listed in
 * {@code VULNERABLE_USE_NAMES}.
 *
 * <p>An annotation is considered only when its type is in {@code ANNOTATION_TYPES} or its
 * type string contains {@code "JsonTypeInfo"}. The second test is a substring match, so it
 * also accepts any other annotation type whose descriptor happens to contain that text.
 *
 * <p>NOTE(review): {@code VULNERABLE_USE_NAMES} is defined outside this block; presumably it
 * holds the {@code use} settings under which the serialized input chooses the class to
 * instantiate. Confirm against its definition.
 *
 * @param field     the field whose annotations are examined
 * @param javaClass the class declaring {@code field}; attached to each report
 */
private void analyzeField(Field field, JavaClass javaClass) {
    for (AnnotationEntry annotation : field.getAnnotationEntries()) {
        boolean typeOfInterest = ANNOTATION_TYPES.contains(annotation.getAnnotationType())
                || annotation.getAnnotationType().contains("JsonTypeInfo");
        if (!typeOfInterest) {
            continue;
        }

        for (ElementValuePair element : annotation.getElementValuePairs()) {
            // Only the `use` element decides how type information is resolved.
            if (!"use".equals(element.getNameString())) {
                continue;
            }
            if (!VULNERABLE_USE_NAMES.contains(element.getValue().stringifyValue())) {
                continue;
            }

            // Human-readable location: declaring class, field name, field type, annotation.
            String location = javaClass.getClassName() + " on field "
                    + field.getName() + " of type " + field.getType()
                    + " annotated with " + annotation.toShortString();

            BugInstance finding = new BugInstance(this, DESERIALIZATION_TYPE, HIGH_PRIORITY)
                    .addClass(javaClass)
                    .addString(location)
                    .addField(FieldAnnotation.fromBCELField(javaClass, field))
                    .addString("");
            bugReporter.reportBug(finding);
        }
    }
}
 
Example #2
Source File: SpringCsrfUnrestrictedRequestMappingDetector.java    From Android_Code_Arbiter with GNU Lesser General Public License v3.0
/**
 * Decides whether a handler method's {@code @RequestMapping} leaves its HTTP request
 * methods unrestricted.
 *
 * <p>The checks run in this order:
 * <ol>
 * <li>no {@code @RequestMapping} annotation: not vulnerable;</li>
 * <li>annotation present without a {@code method} attribute: vulnerable;</li>
 * <li>{@code method} attribute is an empty array ({@code {}}): vulnerable;</li>
 * <li>otherwise vulnerable only if the listed request methods mix unprotected and
 *     protected HTTP methods.</li>
 * </ol>
 *
 * <p>NOTE(review): judging by the detector's name, "unprotected" presumably means HTTP
 * methods that the framework's CSRF protection does not cover by default. Confirm against
 * {@code isMixOfUnprotectedAndProtectedHttpRequestMethods}, which is outside this block.
 *
 * @param method the method to inspect
 * @return {@code true} if the mapping is reported as vulnerable
 */
private static boolean isVulnerable(Method method) {
    AnnotationEntry mapping = findRequestMappingAnnotation(method);
    if (mapping == null) {
        // Not a request handler as far as this detector is concerned.
        return false;
    }

    ElementValuePair httpMethods = findMethodAnnotationAttribute(mapping);
    if (httpMethods == null) {
        // No `method` attribute at all: the mapping is not limited to specific request methods.
        return true;
    }

    // An explicit `{}` is treated exactly like a missing attribute; a non-empty list is
    // vulnerable only when it combines unprotected and protected request methods.
    ElementValue declared = httpMethods.getValue();
    return isEmptyArray(declared)
            || isMixOfUnprotectedAndProtectedHttpRequestMethods(declared);
}
 
Example #3
Source File: AnnotationVisitor.java    From spotbugs with GNU Lesser General Public License v2.1
/**
 * Converts each BCEL annotation entry into a (dotted class name, element map, visibility)
 * triple and forwards it to the three-argument {@code visitAnnotation} overload.
 *
 * <p>Entries whose type signature {@code ClassName.fromFieldSignature} cannot resolve
 * (it returns {@code null}) are skipped. If an entry lists the same element name twice,
 * the later value replaces the earlier one in the map.
 *
 * @param arg0 the annotations attribute being visited
 */
@Override
public void visitAnnotation(Annotations arg0) {
    for (AnnotationEntry entry : arg0.getAnnotationEntries()) {
        boolean visibleAtRuntime = entry.isRuntimeVisible();
        String slashedName = ClassName.fromFieldSignature(entry.getAnnotationType());
        if (slashedName != null) {
            String dottedName = ClassName.toDottedClassName(slashedName);

            // Element name -> value, as read from the class file.
            Map<String, ElementValue> elements = new HashMap<>();
            for (ElementValuePair pair : entry.getElementValuePairs()) {
                elements.put(pair.getNameString(), pair.getValue());
            }
            visitAnnotation(dottedName, elements, visibleAtRuntime);
        }
    }
}
 
Example #4
Source File: ElementValuePairGen.java    From commons-bcel with Apache License 2.0
/**
 * Builds a generator-side pair from an existing {@link ElementValuePair}.
 *
 * @param nvp             the pair to copy from
 * @param cpool           the constant pool this generator object is bound to
 * @param copyPoolEntries when {@code true}, the element name is added to {@code cpool} as a
 *                        new UTF-8 entry; when {@code false}, the name index of {@code nvp}
 *                        is reused unchanged
 */
public ElementValuePairGen(final ElementValuePair nvp, final ConstantPoolGen cpool,
        final boolean copyPoolEntries)
{
    this.constantPoolGen = cpool;

    // J5ASSERT (not enforced): when the index is reused, nothing here verifies that
    // cpool.getConstant(nvp.getNameIndex()) is a UTF-8 constant equal to
    // nvp.getNameString(). The index is only meaningful if cpool matches the pool
    // that nvp was read from.
    nameIdx = copyPoolEntries
            ? cpool.addUtf8(nvp.getNameString())
            : nvp.getNameIndex();

    // The value is copied under the same pool and copy policy as the name.
    value = ElementValueGen.copy(nvp.getValue(), cpool, copyPoolEntries);
}
 
Example #5
Source File: FieldAnnotationsTestCase.java    From commons-bcel with Apache License 2.0
/**
 * Asserts that an annotation entry has the expected type and exactly one element with
 * the expected name and stringified value.
 *
 * @param a            the annotation entry under test
 * @param name         expected annotation type, as returned by {@code getAnnotationType()}
 * @param elementname  expected name of the single element
 * @param elementvalue expected {@code stringifyValue()} of the single element
 */
private void checkAnnotationEntry(final AnnotationEntry a, final String name, final String elementname,
        final String elementvalue)
{
    final String actualType = a.getAnnotationType();
    assertTrue("Expected AnnotationEntry to have name " + name
            + " but it had name " + actualType, actualType.equals(name));

    // The element count is checked before indexing so a wrong count fails with a
    // readable message rather than an index error.
    final int elementCount = a.getElementValuePairs().length;
    assertTrue("Expected AnnotationEntry to have one element but it had "
            + elementCount, elementCount == 1);

    final ElementValuePair only = a.getElementValuePairs()[0];
    final String actualName = only.getNameString();
    assertTrue("Expected element name " + elementname + " but was "
            + actualName, elementname.equals(actualName));

    final String actualValue = only.getValue().stringifyValue();
    assertTrue("Expected element value " + elementvalue + " but was "
            + actualValue, elementvalue.equals(actualValue));
}
 
Example #6
Source File: FieldAnnotationsTestCase.java    From commons-bcel with Apache License 2.0
/**
 * Asserts that the annotation entry has an element called {@code name} whose stringified
 * value equals {@code tostring}.
 *
 * <p>Only the first element with a matching name is checked. The test fails if no element
 * carries that name.
 *
 * @param a        the annotation entry under test
 * @param name     element name to look for
 * @param tostring expected {@code stringifyValue()} of that element
 */
public void checkValue(final AnnotationEntry a, final String name, final String tostring)
{
    for (final ElementValuePair candidate : a.getElementValuePairs())
    {
        if (!candidate.getNameString().equals(name))
        {
            continue;
        }
        final String actual = candidate.getValue().stringifyValue();
        if (!actual.equals(tostring))
        {
            fail("Expected element " + name + " to have value "
                    + tostring + " but it had value "
                    + actual);
        }
        // First match decides the outcome; later duplicates are not inspected.
        return;
    }
    fail("Didnt find named element " + name);
}
 
Example #7
Source File: SpringCsrfUnrestrictedRequestMappingDetector.java    From Android_Code_Arbiter with GNU Lesser General Public License v3.0
/**
 * Looks up the element of a {@code @RequestMapping} annotation whose name equals
 * {@code METHOD_ANNOTATION_ATTRIBUTE_KEY}.
 *
 * @param requestMappingAnnotation the annotation entry to search
 * @return the first matching element, or {@code null} when the annotation does not
 *         declare that attribute; callers must handle the {@code null} case
 */
private static ElementValuePair findMethodAnnotationAttribute(AnnotationEntry requestMappingAnnotation) {
    ElementValuePair[] attributes = requestMappingAnnotation.getElementValuePairs();
    for (int i = 0; i < attributes.length; i++) {
        ElementValuePair attribute = attributes[i];
        // Constant on the left: a null element name simply does not match.
        if (METHOD_ANNOTATION_ATTRIBUTE_KEY.equals(attribute.getNameString())) {
            return attribute;
        }
    }
    return null;
}
 
Example #8
Source File: AnnotationVisitor.java    From spotbugs with GNU Lesser General Public License v2.1
/**
 * Walks the per-parameter annotation entries and forwards each resolvable annotation to
 * the four-argument {@code visitParameterAnnotation} overload together with its
 * parameter position.
 *
 * <p>When the method has more arguments than there are parameter-annotation entries, the
 * reported position is shifted by one. NOTE(review): presumably this compensates for a
 * leading parameter that has no annotation entry; the shift is always exactly 1, whatever
 * the size of the difference. Confirm against the callers' expectations.
 *
 * @param arg0 the parameter-annotations attribute being visited
 */
@Override
public void visitParameterAnnotation(ParameterAnnotations arg0) {
    ParameterAnnotationEntry[] perParameter = arg0.getParameterAnnotationEntries();
    int declaredArguments = getNumberMethodArguments();
    int offset = declaredArguments > perParameter.length ? 1 : 0;

    for (int position = 0; position < perParameter.length; position++) {
        for (AnnotationEntry entry : perParameter[position].getAnnotationEntries()) {
            boolean visibleAtRuntime = entry.isRuntimeVisible();

            String slashedName = ClassName.fromFieldSignature(entry.getAnnotationType());
            if (slashedName != null) {
                String dottedName = ClassName.toDottedClassName(slashedName);

                // Element name -> value; a repeated name keeps the last value seen.
                Map<String, ElementValue> elements = new HashMap<>();
                for (ElementValuePair pair : entry.getElementValuePairs()) {
                    elements.put(pair.getNameString(), pair.getValue());
                }
                visitParameterAnnotation(offset + position, dottedName, elements, visibleAtRuntime);
            }
        }
    }
}
 
Example #9
Source File: CheckReturnAnnotationDatabase.java    From spotbugs with GNU Lesser General Public License v2.1
/**
 * Maps an annotation entry to a {@code CheckReturnValueAnnotation} using its
 * {@code when} element, falling back to {@code When.ALWAYS} when the element is absent.
 *
 * <p>NOTE(review): the string passed to {@code When.valueOf} is read from the annotation in
 * the analysed class. If {@code When} is an enum, a name that is not one of its constants
 * makes {@code valueOf} throw {@code IllegalArgumentException}, which this method does not
 * catch. Confirm that callers tolerate this for malformed class files.
 *
 * @param entry the annotation entry to interpret
 * @return the annotation built from the first {@code when} element, or the default
 */
private CheckReturnValueAnnotation createJSR305Annotation(AnnotationEntry entry) {
    ElementValuePair[] elements = entry.getElementValuePairs();
    for (int i = 0; i < elements.length; i++) {
        if (!elements[i].getNameString().equals("when")) {
            continue;
        }
        String whenName = elements[i].getValue().stringifyValue();
        return CheckReturnValueAnnotation.createFor(When.valueOf(whenName));
    }
    // No explicit `when`: use the default.
    return CheckReturnValueAnnotation.createFor(When.ALWAYS);
}
 
Example #10
Source File: CheckReturnAnnotationDatabase.java    From spotbugs with GNU Lesser General Public License v2.1
/**
 * Maps an annotation entry to a {@code CheckReturnValueAnnotation} using its
 * {@code confidence} element, falling back to {@code Confidence.MEDIUM} when the element
 * is absent.
 *
 * <p>The stringified element value is handed to {@code CheckReturnValueAnnotation.parse}
 * unchanged. How {@code parse} treats an unrecognised string is not visible from here.
 *
 * @param entry the annotation entry to interpret
 * @return the annotation parsed from the first {@code confidence} element, or the default
 */
private CheckReturnValueAnnotation createSpotBugsAnnotation(AnnotationEntry entry) {
    ElementValuePair[] elements = entry.getElementValuePairs();
    for (int i = 0; i < elements.length; i++) {
        if (!elements[i].getNameString().equals("confidence")) {
            continue;
        }
        String confidenceName = elements[i].getValue().stringifyValue();
        return CheckReturnValueAnnotation.parse(confidenceName);
    }
    // No explicit `confidence`: use the default.
    String defaultName = Confidence.MEDIUM.name();
    return CheckReturnValueAnnotation.parse(defaultName);
}
 
Example #11
Source File: ElementValuePairGen.java    From commons-bcel with Apache License 2.0
/**
 * Produces the classfile-side {@link ElementValuePair} that corresponds to this
 * generator object.
 *
 * <p>The result carries this object's name index, the value converted through
 * {@code value.getElementValue()}, and the constant pool obtained from
 * {@code constantPoolGen.getConstantPool()}.
 *
 * @return a new {@code ElementValuePair} built from the current state
 */
public ElementValuePair getElementNameValuePair()
{
    return new ElementValuePair(
            nameIdx,
            value.getElementValue(),
            constantPoolGen.getConstantPool());
}
 
Example #12
Source File: AnnotationEntryGen.java    From commons-bcel with Apache License 2.0
/**
 * Wraps every classfile-side pair in a new {@code ElementValuePairGen}, preserving order.
 *
 * @param in              the pairs to convert
 * @param cpool           constant pool passed to each new generator object
 * @param copyPoolEntries passed through to the {@code ElementValuePairGen} constructor
 * @return a new mutable list with one generator object per input pair
 */
private List<ElementValuePairGen> copyValues(final ElementValuePair[] in, final ConstantPoolGen cpool,
                                             final boolean copyPoolEntries) {
    final List<ElementValuePairGen> converted = new ArrayList<>();
    for (int i = 0; i < in.length; i++) {
        final ElementValuePairGen gen = new ElementValuePairGen(in[i], cpool, copyPoolEntries);
        converted.add(gen);
    }
    return converted;
}
 
Example #13
Source File: GeneratingAnnotatedClassesTestCase.java    From commons-bcel with Apache License 2.0
/**
 * Asserts that the first element of the annotation is named {@code value} and holds an
 * array with the expected number of entries.
 *
 * <p>The cast fails with {@code ClassCastException} if the element is not an
 * {@code ArrayElementValue}.
 *
 * @param nExpectedArrayValues expected array length
 * @param anno                 the annotation entry under test
 */
private void assertArrayElementValue(final int nExpectedArrayValues, final AnnotationEntry anno)
{
    final ElementValuePair first = anno.getElementValuePairs()[0];
    assertEquals("value", first.getNameString());

    final ArrayElementValue array = (ArrayElementValue) first.getValue();
    assertEquals(nExpectedArrayValues, array.getElementValuesArray().length);
}
 
Example #14
Source File: GeneratingAnnotatedClassesTestCase.java    From commons-bcel with Apache License 2.0
/**
 * Asserts that the first element of the annotation is named {@code id} and is a simple
 * value whose int content is 42.
 *
 * <p>The cast fails with {@code ClassCastException} if the element is not a
 * {@code SimpleElementValue}.
 *
 * @param anno the annotation entry under test
 */
private void assertSimpleElementValue(final AnnotationEntry anno)
{
    final ElementValuePair first = anno.getElementValuePairs()[0];
    assertEquals("id", first.getNameString());

    final SimpleElementValue simple = (SimpleElementValue) first.getValue();
    final int actual = simple.getValueInt();
    assertEquals(42, actual);
}
 
Example #15
Source File: GeneratingAnnotatedClassesTestCase.java    From commons-bcel with Apache License 2.0
/**
 * Round-trips class-level annotations through the generator and the classfile reader.
 * <ol>
 * <li>Build the HelloWorld class programmatically</li>
 * <li>Attach two simple annotations to the class</li>
 * <li>Write the class to disk</li>
 * <li>Read it back with the 'static' (classfile) BCEL types</li>
 * <li>Verify the annotation attributes that were read</li>
 * <li>Delete the generated file</li>
 * </ol>
 *
 * <p>The generated file is deleted only as the last statement, so it stays on disk when
 * an earlier assertion fails.
 */
public void testGenerateClassLevelAnnotations()
        throws ClassNotFoundException
{
    // Generate HelloWorld as a version 49.0 class file.
    final ClassGen classGen = createClassGen("HelloWorld");
    classGen.setMajor(49);
    classGen.setMinor(0);
    final ConstantPoolGen pool = classGen.getConstantPool();
    final InstructionList instructions = new InstructionList();
    classGen.addAnnotationEntry(createSimpleVisibleAnnotation(pool));
    classGen.addAnnotationEntry(createSimpleInvisibleAnnotation(pool));
    buildClassContents(classGen, pool, instructions);
    dumpClass(classGen, "HelloWorld.class");

    // Reload from the working directory and inspect what the reader sees.
    final JavaClass reloaded = getClassFrom(".", "HelloWorld");
    final AnnotationEntry[] annotations = reloaded.getAnnotationEntries();
    assertTrue("Should be two AnnotationEntries but found " + annotations.length,
            annotations.length == 2);

    // TODO L??;
    // Both entries are expected to carry the same type descriptor.
    for (int i = 0; i < 2; i++)
    {
        final String actualType = annotations[i].getAnnotationType();
        assertTrue(
                "Name of annotation " + (i + 1) + " should be LSimpleAnnotation; but it is "
                        + actualType, actualType.equals("LSimpleAnnotation;"));
    }

    // The first annotation's first element must be the int-valued `id` = 4.
    final ElementValuePair firstElement = annotations[0].getElementValuePairs()[0];
    final String elementName = firstElement.getNameString();
    assertTrue(
            "Name of element in SimpleAnnotation should be 'id' but it is "
                    + elementName, elementName.equals("id"));

    final ElementValue elementValue = firstElement.getValue();
    assertTrue("Type of element value should be int but it is "
            + elementValue.getElementValueType(),
            elementValue.getElementValueType() == ElementValue.PRIMITIVE_INT);

    final String rendered = elementValue.stringifyValue();
    assertTrue("Value of element should be 4 but it is "
            + rendered, rendered.equals("4"));

    // Clean up the generated class file; a failed delete fails the test.
    assertTrue(createTestdataFile("HelloWorld.class").delete());
}