[Fb-contrib-commit] SF.net SVN: fb-contrib: [1032] trunk/fb-contrib/src/com/mebigfatguy/ fbcontrib
From: <dbr...@us...> - 2008-06-02 08:03:26
Revision: 1032 http://fb-contrib.svn.sourceforge.net/fb-contrib/?rev=1032&view=rev Author: dbrosius Date: 2008-06-02 01:03:33 -0700 (Mon, 02 Jun 2008) Log Message: ----------- starting to work Modified Paths: -------------- trunk/fb-contrib/src/com/mebigfatguy/fbcontrib/detect/SuspiciousClusteredSessionSupport.java Modified: trunk/fb-contrib/src/com/mebigfatguy/fbcontrib/detect/SuspiciousClusteredSessionSupport.java =================================================================== --- trunk/fb-contrib/src/com/mebigfatguy/fbcontrib/detect/SuspiciousClusteredSessionSupport.java 2008-06-02 07:36:55 UTC (rev 1031) +++ trunk/fb-contrib/src/com/mebigfatguy/fbcontrib/detect/SuspiciousClusteredSessionSupport.java 2008-06-02 08:03:33 UTC (rev 1032) @@ -19,15 +19,17 @@ package com.mebigfatguy.fbcontrib.detect; import java.util.HashMap; -import java.util.HashSet; import java.util.Map; -import java.util.Set; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import org.apache.bcel.classfile.Code; +import org.apache.bcel.generic.Type; import com.mebigfatguy.fbcontrib.utils.Integer14; import com.mebigfatguy.fbcontrib.utils.RegisterUtils; +import edu.umd.cs.findbugs.BugInstance; import edu.umd.cs.findbugs.BugReporter; import edu.umd.cs.findbugs.BytecodeScanningDetector; import edu.umd.cs.findbugs.OpcodeStack; @@ -40,10 +42,11 @@ */ public class SuspiciousClusteredSessionSupport extends BytecodeScanningDetector { + private static final Pattern modifyingNames = Pattern.compile("(add|insert|put|remove|clear|set).*"); + private BugReporter bugReporter; private OpcodeStack stack; - private Map<String, Integer> attributes; - private Set<String> changedAttributes; + private Map<String, Integer> changedAttributes; private Map<Integer, String> savedAttributes; public SuspiciousClusteredSessionSupport(BugReporter bugReporter) { 
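Review bot: The `modifyingNames` pattern added at the top of the class is a bare prefix match, so any method whose name starts with add, insert, put, remove, clear or set is treated as a mutator, and nothing documents that this is a heuristic. It also matches names that merely begin with those letters, and it misses mutators named otherwise (for example `append`, `push`, `offer`, `retainAll`), so the check in the last hunk that uses it can both over-report and under-report. I would say so in a comment above the field, e.g. `// Heuristic: a call whose name starts with one of these prefixes is assumed to mutate its receiver`. The constant would also read better as `MODIFYING_NAMES`, the usual form for a `static final` field.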
@@ -54,24 +57,28 @@
 public void visitClassContext(ClassContext classContext) {
 try {
 stack = new OpcodeStack();
- attributes = new HashMap<String, Integer>();
- changedAttributes = new HashSet<String>();
+ changedAttributes = new HashMap<String, Integer>();
 savedAttributes = new HashMap<Integer, String>();
 super.visitClassContext(classContext);
 } finally {
 stack = null;
- attributes = null;
 changedAttributes = null;
+ savedAttributes = null;
 }
 }
 @Override
 public void visitCode(Code obj) {
 stack.resetForMethodEntry(this);
- attributes.clear();
 changedAttributes.clear();
 savedAttributes.clear();
 super.visitCode(obj);
+ for (Integer pc : changedAttributes.values()) {
+ bugReporter.reportBug(new BugInstance(this, "SCSS_SUSPICIOUS_CLUSTERED_SESSION_SUPPORT", NORMAL_PRIORITY)
+ .addClass(this)
+ .addMethod(this)
+ .addSourceLine(this, pc.intValue()));
+ }
 }
 @Override
@@ -81,7 +88,7 @@
 try {
 if (seen == INVOKEINTERFACE) {
 String clsName = getClassConstantOperand();
- if ("javax.servlet.http.HttpSession".equals(clsName)) {
+ if ("javax/servlet/http/HttpSession".equals(clsName)) {
 String methodName = getNameConstantOperand();
 if ("getAttribute".equals(methodName)) {
 if (stack.getStackDepth() > 0) {
@@ -89,7 +96,6 @@
 Object con = item.getConstant();
 if (con instanceof String) {
 attributeName = (String)con;
- attributes.put(attributeName, Integer14.valueOf(getPC()));
 sawGetAttribute = true;
 }
 }
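Review bot: The loop added at the end of `visitCode` reports each entry of `changedAttributes` with only class, method and source line, so the attribute name (the map key) never reaches the bug report. Whoever triages the warning has to work out from the line alone which session attribute was modified without a later `setAttribute`. Iterating `changedAttributes.entrySet()` and attaching the key to the `BugInstance` (for instance `.addString(entry.getKey())`, if the FindBugs version this builds against provides it) would make the report self-explanatory. Because the map is a `HashMap`, the order of reports within a method is also not stable between runs; a `LinkedHashMap` would keep them in first-seen order.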
@@ -99,17 +105,15 @@
 Object con = item.getConstant();
 if (con instanceof String) {
 attributeName = (String)con;
- attributes.remove(attributeName);
+ changedAttributes.remove(attributeName);
 }
 }
 }
 }
 } else if (((seen >= ALOAD_0) && (seen <= ALOAD_3)) || (seen == ALOAD)) {
- if (stack.getStackDepth() > 0) {
- int reg = RegisterUtils.getALoadReg(this, seen);
- attributeName = savedAttributes.get(Integer14.valueOf(reg));
- sawGetAttribute = attributeName != null;
- }
+ int reg = RegisterUtils.getALoadReg(this, seen);
+ attributeName = savedAttributes.get(Integer14.valueOf(reg));
+ sawGetAttribute = attributeName != null;
 } else if (((seen >= ASTORE_0) && (seen <= ASTORE_3)) || (seen == ASTORE)) {
 if (stack.getStackDepth() > 0) {
 OpcodeStack.Item item = stack.getStackItem(0);
@@ -118,6 +122,22 @@
 savedAttributes.put(Integer14.valueOf(reg), attributeName);
 }
 }
+
+ if ((seen == INVOKEINTERFACE) || (seen == INVOKEVIRTUAL)) {
+ String methodName = getNameConstantOperand();
+ Matcher m = modifyingNames.matcher(methodName);
+ if (m.matches()) {
+ String signature = getSigConstantOperand();
+ int numArgs = Type.getArgumentTypes(signature).length;
+ if (stack.getStackDepth() >= numArgs) {
+ OpcodeStack.Item item = stack.getStackItem(numArgs);
+ attributeName = (String)item.getUserValue();
+ if (attributeName != null) {
+ changedAttributes.put(attributeName, Integer14.valueOf(getPC()));
+ }
+ }
+ }
+ }
 } finally {
 stack.sawOpcode(this, seen);
 if (sawGetAttribute)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
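Review bot: In the block added to `sawOpcode`, the guard `stack.getStackDepth() >= numArgs` is off by one for the `stack.getStackItem(numArgs)` call that follows: the receiver sits below the `numArgs` arguments, so the stack has to hold at least `numArgs + 1` items. The check should read `if (stack.getStackDepth() > numArgs) {`. The block also assigns the method-wide `attributeName`, which the `finally` clause appears to use when `sawGetAttribute` is set; a separate local for the receiver's user value would keep the two paths from interfering. The body of `sawOpcode` starts before this hunk and continues after it.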