def swallows_exceptions(js_dest: str, exclude: list = None) -> bool:
"""
Search for ``catch`` blocks that are empty or only have comments.
See `REQ.161 <https://fluidattacks.com/web/rules/161/>`_.
See `CWE-391 <https://cwe.mitre.org/data/definitions/391.html>`_.
:param js_dest: Path to a JavaScript source file or package.
:param exclude: Paths that contains any string from this list are ignored.
"""
# Empty() grammar matches 'anything'
# ~Empty() grammar matches 'not anything' or 'nothing'
classic = Suppress(Keyword('catch')) + nestedExpr(opener='(', closer=')') \
+ nestedExpr(opener='{', closer='}', content=~Empty())
modern = Suppress('.' + Keyword('catch')) + nestedExpr(
opener='(', closer=')', content=~Empty())
grammar = MatchFirst([classic, modern])
grammar.ignore(cppStyleComment)
try:
matches = lang.path_contains_grammar(grammar, js_dest, LANGUAGE_SPECS,
exclude)
except FileNotFoundError:
show_unknown('File does not exist', details=dict(code_dest=js_dest))
else:
if matches:
show_open('Code has empty "catch" blocks',
details=dict(matched=matches))
return True
show_close('Code does not have empty "catch" blocks',
details=dict(code_dest=js_dest))
return False
def mlsqlparser():
#Define all keywords
LOAD = define_load()
READ = define_read()
SPLIT = define_split()
REGRESS = define_regress()
CLASSIFY = define_classify()
CLUSTER = define_cluster()
REPLACE = define_replace()
SAVE = define_save()
#Define comment
comment = _define_comment()
#Combining READ and SPLIT keywords into one clause for combined use
read_split = READ + SPLIT
read_split_classify = READ + SPLIT + CLASSIFY
read_split_classify_regress = READ + SPLIT + CLASSIFY + REGRESS
read_replace_split_classify_regress = READ + REPLACE + SPLIT + CLASSIFY + REGRESS
read_replace_split_classify_regress_cluster = READ + REPLACE + SPLIT + CLASSIFY + REGRESS + CLUSTER
read_replace_split_classify_regress_cluster_save = READ + REPLACE + SPLIT + CLASSIFY + REGRESS + CLUSTER + SAVE
load_read_replace_split_classify_regress_cluster_save = MatchFirst(
[read_replace_split_classify_regress_cluster_save, LOAD])
return load_read_replace_split_classify_regress_cluster_save.ignore(
comment)
def mlsqlparser():
#Define all keywords
LOAD = define_load()
READ = define_read()
SPLIT = define_split()
REGRESS = define_regress()
CLASSIFY = define_classify()
CLUSTER = define_cluster()
REPLACE = define_replace()
SAVE = define_save()
#Define comment
comment = _define_comment()
#Combining READ and SPLIT keywords into one clause for combined use
read_split = READ + SPLIT
read_split_classify = READ + SPLIT + CLASSIFY
read_split_classify_regress = READ + SPLIT + CLASSIFY + REGRESS
read_replace_split_classify_regress = READ + REPLACE + SPLIT + CLASSIFY + REGRESS
read_replace_split_classify_regress_cluster = READ + REPLACE + SPLIT + CLASSIFY + REGRESS + CLUSTER
read_replace_split_classify_regress_cluster_save = READ + REPLACE + SPLIT + CLASSIFY + REGRESS + CLUSTER + SAVE
load_read_replace_split_classify_regress_cluster_save = MatchFirst([read_replace_split_classify_regress_cluster_save, LOAD])
return load_read_replace_split_classify_regress_cluster_save.ignore(comment)
def targetComponentsForOperatorsInString(operatorNames, codeBlock):
"""
Return a list of pairs of operator names and their targets that are in `codeString`.
The valid operator names searched for are `operatorNames`. For example, if 'L' is in `operatorNames`,
then in the code ``L[phi]`` the return value would be ``('L', 'phi', slice(firstCharacterIndex, lastCharacterIndex))``.
"""
parser = MatchFirst(Keyword(operatorName) for operatorName in operatorNames).setResultsName('name') \
+ Optional(nestedExpr('[', ']', baseExpr, ignoreExpr).setResultsName('target'))
parser.ignore(cppStyleComment.copy())
parser.ignore(quotedString.copy())
results = []
for tokens, start, end in parser.scanString(codeBlock.codeString):
if 'target' in tokens:
results.append((tokens.name, ''.join(tokens.target.asList()[0]), slice(start, end)))
else:
raise CodeParserException(codeBlock, start, "Invalid use of '%s' operator in code block." % tokens.name)
return results
def has_insecure_randoms(java_dest: str, exclude: list = None) -> bool:
r"""
Check if code uses insecure random generators.
- ``java.util.Random()``.
- ``java.lang.Math.random()``.
See `REQ.224 <https://fluidattacks.com/web/rules/224/>`_.
:param java_dest: Path to a Java source file or package.
:param exclude: Paths that contains any string from this list are ignored.
"""
_java = Keyword('java')
_util = Keyword('util')
_lang = Keyword('lang')
_math = Keyword('Math')
_import = Keyword('import')
_random_minus = Keyword('random')
_random_mayus = Keyword('Random')
_args = nestedExpr()
insecure_randoms = MatchFirst([
# util.Random()
_util + '.' + _random_mayus + _args,
# Math.random()
_math + '.' + _random_minus + _args,
# import java.util.Random
_import + _java + '.' + _util + '.' + _random_mayus,
# import java.lang.Math.random
_import + _java + '.' + _lang + '.' + _math + '.' + _random_minus,
])
insecure_randoms.ignore(javaStyleComment)
insecure_randoms.ignore(L_CHAR)
insecure_randoms.ignore(L_STRING)
try:
matches = lang.path_contains_grammar(insecure_randoms, java_dest,
LANGUAGE_SPECS, exclude)
except FileNotFoundError:
show_unknown('File does not exist', details=dict(location=java_dest))
return False
if not matches:
show_close('Code does not use insecure random generators',
details=dict(location=java_dest))
return False
show_open('Code uses insecure random generators',
details=dict(matches=matches))
return True
