def swallows_exceptions(js_dest: str, exclude: list = None) -> bool: """ Search for ``catch`` blocks that are empty or only have comments. See `REQ.161 <https://fluidattacks.com/web/rules/161/>`_. See `CWE-391 <https://cwe.mitre.org/data/definitions/391.html>`_. :param js_dest: Path to a JavaScript source file or package. :param exclude: Paths that contains any string from this list are ignored. """ # Empty() grammar matches 'anything' # ~Empty() grammar matches 'not anything' or 'nothing' classic = Suppress(Keyword('catch')) + nestedExpr(opener='(', closer=')') \ + nestedExpr(opener='{', closer='}', content=~Empty()) modern = Suppress('.' + Keyword('catch')) + nestedExpr( opener='(', closer=')', content=~Empty()) grammar = MatchFirst([classic, modern]) grammar.ignore(cppStyleComment) try: matches = lang.path_contains_grammar(grammar, js_dest, LANGUAGE_SPECS, exclude) except FileNotFoundError: show_unknown('File does not exist', details=dict(code_dest=js_dest)) else: if matches: show_open('Code has empty "catch" blocks', details=dict(matched=matches)) return True show_close('Code does not have empty "catch" blocks', details=dict(code_dest=js_dest)) return False
def mlsqlparser(): #Define all keywords LOAD = define_load() READ = define_read() SPLIT = define_split() REGRESS = define_regress() CLASSIFY = define_classify() CLUSTER = define_cluster() REPLACE = define_replace() SAVE = define_save() #Define comment comment = _define_comment() #Combining READ and SPLIT keywords into one clause for combined use read_split = READ + SPLIT read_split_classify = READ + SPLIT + CLASSIFY read_split_classify_regress = READ + SPLIT + CLASSIFY + REGRESS read_replace_split_classify_regress = READ + REPLACE + SPLIT + CLASSIFY + REGRESS read_replace_split_classify_regress_cluster = READ + REPLACE + SPLIT + CLASSIFY + REGRESS + CLUSTER read_replace_split_classify_regress_cluster_save = READ + REPLACE + SPLIT + CLASSIFY + REGRESS + CLUSTER + SAVE load_read_replace_split_classify_regress_cluster_save = MatchFirst( [read_replace_split_classify_regress_cluster_save, LOAD]) return load_read_replace_split_classify_regress_cluster_save.ignore( comment)
def mlsqlparser(): #Define all keywords LOAD = define_load() READ = define_read() SPLIT = define_split() REGRESS = define_regress() CLASSIFY = define_classify() CLUSTER = define_cluster() REPLACE = define_replace() SAVE = define_save() #Define comment comment = _define_comment() #Combining READ and SPLIT keywords into one clause for combined use read_split = READ + SPLIT read_split_classify = READ + SPLIT + CLASSIFY read_split_classify_regress = READ + SPLIT + CLASSIFY + REGRESS read_replace_split_classify_regress = READ + REPLACE + SPLIT + CLASSIFY + REGRESS read_replace_split_classify_regress_cluster = READ + REPLACE + SPLIT + CLASSIFY + REGRESS + CLUSTER read_replace_split_classify_regress_cluster_save = READ + REPLACE + SPLIT + CLASSIFY + REGRESS + CLUSTER + SAVE load_read_replace_split_classify_regress_cluster_save = MatchFirst([read_replace_split_classify_regress_cluster_save, LOAD]) return load_read_replace_split_classify_regress_cluster_save.ignore(comment)
def targetComponentsForOperatorsInString(operatorNames, codeBlock): """ Return a list of pairs of operator names and their targets that are in `codeString`. The valid operator names searched for are `operatorNames`. For example, if 'L' is in `operatorNames`, then in the code ``L[phi]`` the return value would be ``('L', 'phi', slice(firstCharacterIndex, lastCharacterIndex))``. """ parser = MatchFirst(Keyword(operatorName) for operatorName in operatorNames).setResultsName('name') \ + Optional(nestedExpr('[', ']', baseExpr, ignoreExpr).setResultsName('target')) parser.ignore(cppStyleComment.copy()) parser.ignore(quotedString.copy()) results = [] for tokens, start, end in parser.scanString(codeBlock.codeString): if 'target' in tokens: results.append((tokens.name, ''.join(tokens.target.asList()[0]), slice(start, end))) else: raise CodeParserException(codeBlock, start, "Invalid use of '%s' operator in code block." % tokens.name) return results
def has_insecure_randoms(java_dest: str, exclude: list = None) -> bool: r""" Check if code uses insecure random generators. - ``java.util.Random()``. - ``java.lang.Math.random()``. See `REQ.224 <https://fluidattacks.com/web/rules/224/>`_. :param java_dest: Path to a Java source file or package. :param exclude: Paths that contains any string from this list are ignored. """ _java = Keyword('java') _util = Keyword('util') _lang = Keyword('lang') _math = Keyword('Math') _import = Keyword('import') _random_minus = Keyword('random') _random_mayus = Keyword('Random') _args = nestedExpr() insecure_randoms = MatchFirst([ # util.Random() _util + '.' + _random_mayus + _args, # Math.random() _math + '.' + _random_minus + _args, # import java.util.Random _import + _java + '.' + _util + '.' + _random_mayus, # import java.lang.Math.random _import + _java + '.' + _lang + '.' + _math + '.' + _random_minus, ]) insecure_randoms.ignore(javaStyleComment) insecure_randoms.ignore(L_CHAR) insecure_randoms.ignore(L_STRING) try: matches = lang.path_contains_grammar(insecure_randoms, java_dest, LANGUAGE_SPECS, exclude) except FileNotFoundError: show_unknown('File does not exist', details=dict(location=java_dest)) return False if not matches: show_close('Code does not use insecure random generators', details=dict(location=java_dest)) return False show_open('Code uses insecure random generators', details=dict(matches=matches)) return True