Optimization for unsanitized and fix for ARG.

fabsx00 · Mar 9, 2014 · 2ca8ff3 · 2ca8ff3
1 parent deafe7a
commit 2ca8ff3
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 7 deletions.
diff --git a/joern/joernsteps/ast.groovy b/joern/joernsteps/ast.groovy
@@ -11,7 +11,7 @@
 
 
 Gremlin.defineStep('astNodes', [Vertex, Pipe], {
-	x = [] as Set;
+	def x = [] as Set;
 	_().children().loop(1){true}{true}
 	.store(x).optional(2).transform{x+it}.scatter()
 })

diff --git a/joern/joernsteps/dataflow.groovy b/joern/joernsteps/dataflow.groovy
@@ -22,14 +22,14 @@ Gremlin.defineStep('sources', [Vertex,Pipe], {
 /**
    For a set of destination nodes: all paths in the control flow graph
    from data sources where no node on the path redefines the produced
-   symbol and not node on the path matches a sanitizer description.
+   symbol and no node on the path matches a sanitizer description.
    
    @return A pipe containing valid source nodes
 
 */
 
-Gremlin.defineStep('unsanitized', [Vertex, Pipe], { sanitizer ->
-  _().uPath(sanitizer).firstElem()
+Gremlin.defineStep('unsanitized', [Vertex, Pipe], { sanitizer, src = { [1]._() } ->
+  _().uPath(sanitizer, src).firstElem()
 })
 
 Gremlin.defineStep('firstElem', [Vertex, Pipe], {
@@ -45,10 +45,11 @@ Gremlin.defineStep('firstElem', [Vertex, Pipe], {
    
 */
 
-Gremlin.defineStep('uPath', [Vertex, Pipe], { sanitizer ->
+Gremlin.defineStep('uPath', [Vertex, Pipe], { sanitizer, src = { [1]._() } ->
   _().sideEffect{ dst = it; }
   .uses().sideEffect{ symbol = it.code }
   .transform{ dst.producers([symbol]) }.scatter()
+  .filter{ src(it).toList() != [] }
   .transform{ cfgPaths(symbol, sanitizer, it, dst) }.scatter()
 
 })
@@ -128,7 +129,7 @@ isTerminationNode = { symbol, sanitizer, curNode, visited ->
 
   def curNodeId = curNode.toString()
 
-  sanitizer(curNode) != [] ||
+  sanitizer(curNode).toList() != [] ||
   (curNode.defines().filter{ it.code == symbol}.toList() != []) ||
   (visited.get(curNodeId) == 2)
 }
diff --git a/joern/joernsteps/info.groovy b/joern/joernsteps/info.groovy
@@ -8,7 +8,7 @@ Gremlin.defineStep('locations', [Vertex,Pipe], {
 })
 
 Gremlin.defineStep('functions', [Vertex,Pipe],{
-	_().functionId.idToNode()
+	_().functionId.idsToNodes()
 });
 
 Gremlin.defineStep("functionToFiles", [Vertex,Pipe], {

diff --git a/joern/joernsteps/match.groovy b/joern/joernsteps/match.groovy
@@ -0,0 +1,34 @@
+
+/**
+   Match descriptions as presented in the paper. Please note, that
+   tradeoffs in efficiency are made for increased robustness and ease
+   of formulation.
+ */
+
+/** 
+    
+*/
+
+Gremlin.defineStep('match', [Vertex, Pipe], { p ->
+  _().astNodes().filter(p)
+})
+
+/**
+   
+*/
+
+Gremlin.defineStep('arg', [Vertex, Pipe], { f, i ->
+  _().astNodes().filter{ it.type == 'CallExpression' && it.code.startsWith(f)}
+  .out(AST_EDGE).filter{ it.childNum == '1' }.out(AST_EDGE).filter{ it.childNum == i}
+})
+
+/**
+   
+*/
+
+Gremlin.defineStep('param', [Vertex, Pipe], { x ->
+  p = { it.type == 'Parameter' && it.code.matches(x) } 
+  _().match(p)
+
+})
+
diff --git a/joern/joernsteps/misc.groovy b/joern/joernsteps/misc.groovy
@@ -18,3 +18,13 @@ Gremlin.defineStep('In', [Vertex, Pipe], { edgeType, key, vals ->
 Gremlin.defineStep('idsToNodes', [Vertex,Pipe], {
 	_().transform{ g.v(it) }.scatter()
 })
+
+Gremlin.defineStep('isCheck', [Vertex, Pipe], { symbol ->
+
+   _().astNodes().filter{ it.type in ['EqualityExpression', 'RelationalExpression'] }
+   .filter{ it.code.matches(symbol) }
+})
+
+Gremlin.defineStep('codeContains', [Vertex, Pipe], { symbol ->
+	_().filter{it.code != null}.filter{ it.code.matches(symbol) }
+})