org.apache.bcel.classfile.ElementValuePair Java Examples
The following examples show how to use
org.apache.bcel.classfile.ElementValuePair.
Example #1
Source File: UnsafeJacksonDeserializationDetector.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 6 votes |
/**
 * Reports a field whose Jackson type-info annotation selects one of the flagged {@code use} values.
 *
 * <p>An annotation is inspected when its type is listed in {@code ANNOTATION_TYPES} or when its
 * type string merely contains {@code "JsonTypeInfo"}. The second test is a substring match, so it
 * does not depend on the annotation's package. Within such an annotation only the element named
 * {@code use} is examined; a bug is raised when its stringified value is in
 * {@code VULNERABLE_USE_NAMES}.
 *
 * <p>NOTE(review): {@code VULNERABLE_USE_NAMES} is defined outside this excerpt. Presumably it
 * holds the type-id kinds that let the serialized input name the class to instantiate; confirm
 * against the detector's constants.
 *
 * @param field     field whose annotations are examined
 * @param javaClass class declaring {@code field}; used to locate the report
 */
private void analyzeField(Field field, JavaClass javaClass) {
    for (AnnotationEntry annotation : field.getAnnotationEntries()) {
        String annotationType = annotation.getAnnotationType();
        boolean typeInfoAnnotation =
                ANNOTATION_TYPES.contains(annotationType) || annotationType.contains("JsonTypeInfo");
        if (!typeInfoAnnotation) {
            continue;
        }

        for (ElementValuePair attribute : annotation.getElementValuePairs()) {
            // Only the "use" element decides how the type id is encoded.
            if (!"use".equals(attribute.getNameString())) {
                continue;
            }
            if (!VULNERABLE_USE_NAMES.contains(attribute.getValue().stringifyValue())) {
                continue;
            }

            bugReporter.reportBug(new BugInstance(this, DESERIALIZATION_TYPE, HIGH_PRIORITY)
                    .addClass(javaClass)
                    .addString(javaClass.getClassName() + " on field " + field.getName()
                            + " of type " + field.getType()
                            + " annotated with " + annotation.toShortString())
                    .addField(FieldAnnotation.fromBCELField(javaClass, field))
                    .addString(""));
        }
    }
}
Example #2
Source File: SpringCsrfUnrestrictedRequestMappingDetector.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 6 votes |
/**
 * Decides whether a handler method's {@code @RequestMapping} leaves the HTTP method unrestricted.
 *
 * <p>Rationale: Spring Security's default CSRF protection skips the safe HTTP methods (GET and
 * similar). A mapping that also accepts those methods for a state-changing handler can therefore
 * be reached without a CSRF token.
 *
 * <p>The decision, in order:
 * <ol>
 *   <li>no {@code @RequestMapping} on the method: not vulnerable;</li>
 *   <li>{@code @RequestMapping} without a {@code method} attribute: vulnerable;</li>
 *   <li>{@code method} attribute present but equal to an empty array: vulnerable;</li>
 *   <li>otherwise vulnerable only when the listed methods mix unprotected and protected ones.</li>
 * </ol>
 *
 * <p>NOTE(review): which HTTP methods count as "protected" is decided by
 * {@code isMixOfUnprotectedAndProtectedHttpRequestMethods}, which is outside this excerpt.
 *
 * @param method method whose annotations are inspected
 * @return {@code true} when the mapping is considered open to CSRF
 */
private static boolean isVulnerable(Method method) {
    AnnotationEntry mapping = findRequestMappingAnnotation(method);
    if (mapping == null) {
        // Not a request handler as far as this detector is concerned.
        return false;
    }

    ElementValuePair methodAttribute = findMethodAnnotationAttribute(mapping);
    if (methodAttribute == null) {
        // No `method` attribute at all: the mapping does not restrict the HTTP method.
        return true;
    }

    ElementValue declaredMethods = methodAttribute.getValue();
    // `method = {}` restricts nothing; a non-empty list is vulnerable only when it is a mix.
    return isEmptyArray(declaredMethods)
            || isMixOfUnprotectedAndProtectedHttpRequestMethods(declaredMethods);
}
Example #3
Source File: AnnotationVisitor.java From spotbugs with GNU Lesser General Public License v2.1 | 6 votes |
/**
 * Unpacks every annotation entry into a dotted class name plus a name-to-value map and forwards
 * it to {@code visitAnnotation(String, Map, boolean)}.
 *
 * <p>Entries whose type signature cannot be converted to a class name
 * ({@code ClassName.fromFieldSignature} returns {@code null}) are skipped. If an entry carries
 * two elements with the same name, the later one replaces the earlier one in the map.
 *
 * @param arg0 annotations attribute being visited
 */
@Override
public void visitAnnotation(Annotations arg0) {
    for (AnnotationEntry entry : arg0.getAnnotationEntries()) {
        boolean visibleAtRuntime = entry.isRuntimeVisible();
        String rawName = ClassName.fromFieldSignature(entry.getAnnotationType());
        if (rawName != null) {
            String dottedName = ClassName.toDottedClassName(rawName);
            Map<String, ElementValue> elements = new HashMap<>();
            for (ElementValuePair pair : entry.getElementValuePairs()) {
                elements.put(pair.getNameString(), pair.getValue());
            }
            visitAnnotation(dottedName, elements, visibleAtRuntime);
        }
    }
}
Example #4
Source File: ElementValuePairGen.java From commons-bcel with Apache License 2.0 | 6 votes |
/**
 * Builds a generator-side pair from an existing {@link ElementValuePair}.
 *
 * <p>With {@code copyPoolEntries} set, the element name is added to {@code cpool} as a UTF-8
 * entry and the new index is stored. Without it, the index held by {@code nvp} is reused
 * unchanged, so it only refers to the element name if {@code cpool} has that name at the same
 * index. Nothing in this constructor checks that.
 *
 * @param nvp             pair to copy from
 * @param cpool           constant pool the new pair refers to
 * @param copyPoolEntries whether the name (and, via {@code ElementValueGen.copy}, the value)
 *                        should be copied into {@code cpool}
 */
public ElementValuePairGen(final ElementValuePair nvp, final ConstantPoolGen cpool,
        final boolean copyPoolEntries) {
    this.constantPoolGen = cpool;

    // J5ASSERT (not enforced): one could verify that nvp.getNameString() equals the UTF-8
    // constant found at nvp.getNameIndex() in this pool and throw IllegalArgumentException
    // on a mismatch.
    nameIdx = copyPoolEntries ? cpool.addUtf8(nvp.getNameString()) : nvp.getNameIndex();
    value = ElementValueGen.copy(nvp.getValue(), cpool, copyPoolEntries);
}
Example #5
Source File: FieldAnnotationsTestCase.java From commons-bcel with Apache License 2.0 | 6 votes |
/**
 * Asserts that an annotation entry has the expected type and exactly one element with the
 * expected name and stringified value.
 *
 * @param a            annotation entry under test
 * @param name         expected annotation type string
 * @param elementname  expected name of the single element
 * @param elementvalue expected {@code stringifyValue()} of the single element
 */
private void checkAnnotationEntry(final AnnotationEntry a, final String name,
        final String elementname, final String elementvalue) {
    final String actualType = a.getAnnotationType();
    assertTrue("Expected AnnotationEntry to have name " + name + " but it had name " + actualType,
            actualType.equals(name));

    final ElementValuePair[] pairs = a.getElementValuePairs();
    assertTrue("Expected AnnotationEntry to have one element but it had " + pairs.length,
            pairs.length == 1);

    final ElementValuePair only = pairs[0];
    final String actualName = only.getNameString();
    assertTrue("Expected element name " + elementname + " but was " + actualName,
            elementname.equals(actualName));

    final String actualValue = only.getValue().stringifyValue();
    assertTrue("Expected element value " + elementvalue + " but was " + actualValue,
            elementvalue.equals(actualValue));
}
Example #6
Source File: FieldAnnotationsTestCase.java From commons-bcel with Apache License 2.0 | 6 votes |
/**
 * Finds the first element called {@code name} in the annotation entry and fails the test unless
 * its stringified value equals {@code tostring}. Also fails when no such element exists.
 *
 * @param a        annotation entry under test
 * @param name     element name to look for
 * @param tostring expected {@code stringifyValue()} of that element
 */
public void checkValue(final AnnotationEntry a, final String name, final String tostring) {
    for (final ElementValuePair candidate : a.getElementValuePairs()) {
        if (!candidate.getNameString().equals(name)) {
            continue;
        }
        // Only the first element with a matching name is checked.
        if (!candidate.getValue().stringifyValue().equals(tostring)) {
            fail("Expected element " + name + " to have value " + tostring + " but it had value "
                    + candidate.getValue().stringifyValue());
        }
        return;
    }
    fail("Didnt find named element " + name);
}
Example #7
Source File: SpringCsrfUnrestrictedRequestMappingDetector.java From Android_Code_Arbiter with GNU Lesser General Public License v3.0 | 5 votes |
/**
 * Looks up the element of a {@code @RequestMapping} annotation whose name equals
 * {@code METHOD_ANNOTATION_ATTRIBUTE_KEY}.
 *
 * @param requestMappingAnnotation annotation entry to search
 * @return the first matching element, or {@code null} when the annotation does not declare it
 */
private static ElementValuePair findMethodAnnotationAttribute(AnnotationEntry requestMappingAnnotation) {
    ElementValuePair[] attributes = requestMappingAnnotation.getElementValuePairs();
    for (int i = 0; i < attributes.length; i++) {
        ElementValuePair candidate = attributes[i];
        if (METHOD_ANNOTATION_ATTRIBUTE_KEY.equals(candidate.getNameString())) {
            return candidate;
        }
    }
    // Absent attribute: the caller treats this as "HTTP method not restricted".
    return null;
}
Example #8
Source File: AnnotationVisitor.java From spotbugs with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Unpacks every parameter annotation into a dotted class name plus a name-to-value map and
 * forwards it to {@code visitParameterAnnotation(int, String, Map, boolean)}.
 *
 * <p>The reported parameter index is the slot index, shifted by one when the method has more
 * arguments than there are annotation slots.
 * NOTE(review): the shift presumably accounts for a leading parameter that has no annotation
 * slot; the reason is not visible in this excerpt.
 *
 * <p>Annotations whose type signature cannot be converted to a class name are skipped. When an
 * annotation repeats an element name, the later value replaces the earlier one in the map.
 *
 * @param arg0 parameter-annotations attribute being visited
 */
@Override
public void visitParameterAnnotation(ParameterAnnotations arg0) {
    ParameterAnnotationEntry[] slots = arg0.getParameterAnnotationEntries();
    int offset = getNumberMethodArguments() > slots.length ? 1 : 0;

    int slotIndex = 0;
    for (ParameterAnnotationEntry slot : slots) {
        for (AnnotationEntry entry : slot.getAnnotationEntries()) {
            boolean visibleAtRuntime = entry.isRuntimeVisible();
            String rawName = ClassName.fromFieldSignature(entry.getAnnotationType());
            if (rawName != null) {
                String dottedName = ClassName.toDottedClassName(rawName);
                Map<String, ElementValue> elements = new HashMap<>();
                for (ElementValuePair pair : entry.getElementValuePairs()) {
                    elements.put(pair.getNameString(), pair.getValue());
                }
                visitParameterAnnotation(offset + slotIndex, dottedName, elements, visibleAtRuntime);
            }
        }
        slotIndex++;
    }
}
Example #9
Source File: CheckReturnAnnotationDatabase.java From spotbugs with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Maps a JSR-305 style annotation entry to a {@code CheckReturnValueAnnotation} using its
 * {@code when} element, falling back to {@code When.ALWAYS} when the element is absent.
 *
 * <p>The {@code when} string is read from the class file being analysed and passed straight to
 * {@code When.valueOf}. NOTE(review): {@code When} is presumably an enum, in which case a value
 * that is not one of its constant names raises {@code IllegalArgumentException}, which is not
 * caught here. Confirm that callers tolerate this for malformed class files.
 *
 * @param entry annotation entry to interpret
 * @return annotation built from the first {@code when} element, or the {@code ALWAYS} default
 */
private CheckReturnValueAnnotation createJSR305Annotation(AnnotationEntry entry) {
    ElementValuePair[] pairs = entry.getElementValuePairs();
    for (int i = 0; i < pairs.length; i++) {
        ElementValuePair pair = pairs[i];
        if (!pair.getNameString().equals("when")) {
            continue;
        }
        String whenName = pair.getValue().stringifyValue();
        return CheckReturnValueAnnotation.createFor(When.valueOf(whenName));
    }
    // No explicit "when": apply the default.
    return CheckReturnValueAnnotation.createFor(When.ALWAYS);
}
Example #10
Source File: CheckReturnAnnotationDatabase.java From spotbugs with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Maps a SpotBugs style annotation entry to a {@code CheckReturnValueAnnotation} using its
 * {@code confidence} element, falling back to {@code Confidence.MEDIUM} when the element is
 * absent.
 *
 * <p>The {@code confidence} string is read from the class file being analysed and handed to
 * {@code CheckReturnValueAnnotation.parse} unchanged. NOTE(review): how {@code parse} treats an
 * unknown string is not visible in this excerpt.
 *
 * @param entry annotation entry to interpret
 * @return annotation parsed from the first {@code confidence} element, or the MEDIUM default
 */
private CheckReturnValueAnnotation createSpotBugsAnnotation(AnnotationEntry entry) {
    ElementValuePair[] pairs = entry.getElementValuePairs();
    for (int i = 0; i < pairs.length; i++) {
        ElementValuePair pair = pairs[i];
        if (!pair.getNameString().equals("confidence")) {
            continue;
        }
        String confidenceName = pair.getValue().stringifyValue();
        return CheckReturnValueAnnotation.parse(confidenceName);
    }
    // No explicit "confidence": apply the default.
    return CheckReturnValueAnnotation.parse(Confidence.MEDIUM.name());
}
Example #11
Source File: ElementValuePairGen.java From commons-bcel with Apache License 2.0 | 5 votes |
/**
 * Returns the {@link ElementValuePair} counterpart of this generator object.
 *
 * <p>The result is built from the stored name index, the element value obtained from the value
 * generator, and the constant pool obtained from this object's constant pool generator.
 *
 * @return a new {@code ElementValuePair} reflecting the current state of this generator
 */
public ElementValuePair getElementNameValuePair() {
    return new ElementValuePair(
            nameIdx,
            value.getElementValue(),
            constantPoolGen.getConstantPool());
}
Example #12
Source File: AnnotationEntryGen.java From commons-bcel with Apache License 2.0 | 5 votes |
/**
 * Wraps each {@link ElementValuePair} in a new {@code ElementValuePairGen} bound to the given
 * constant pool.
 *
 * @param in              pairs to convert, in order
 * @param cpool           constant pool handed to every new generator
 * @param copyPoolEntries passed through to the {@code ElementValuePairGen} constructor
 * @return a new mutable list holding one generator per input pair, in input order
 */
private List<ElementValuePairGen> copyValues(final ElementValuePair[] in, final ConstantPoolGen cpool,
        final boolean copyPoolEntries) {
    final List<ElementValuePairGen> generators = new ArrayList<>();
    for (int i = 0; i < in.length; i++) {
        final ElementValuePairGen generator = new ElementValuePairGen(in[i], cpool, copyPoolEntries);
        generators.add(generator);
    }
    return generators;
}
Example #13
Source File: GeneratingAnnotatedClassesTestCase.java From commons-bcel with Apache License 2.0 | 5 votes |
/**
 * Asserts that the first element of the annotation is named {@code value} and is an array
 * element value with the expected number of members.
 *
 * @param nExpectedArrayValues expected length of the array value
 * @param anno                 annotation entry under test
 */
private void assertArrayElementValue(final int nExpectedArrayValues, final AnnotationEntry anno) {
    final ElementValuePair first = anno.getElementValuePairs()[0];
    assertEquals("value", first.getNameString());

    // The cast fails the test with a ClassCastException if the value is not an array.
    final ArrayElementValue arrayValue = (ArrayElementValue) first.getValue();
    final ElementValue[] members = arrayValue.getElementValuesArray();
    assertEquals(nExpectedArrayValues, members.length);
}
Example #14
Source File: GeneratingAnnotatedClassesTestCase.java From commons-bcel with Apache License 2.0 | 5 votes |
/**
 * Asserts that the first element of the annotation is named {@code id} and is a simple element
 * value whose int value is 42.
 *
 * @param anno annotation entry under test
 */
private void assertSimpleElementValue(final AnnotationEntry anno) {
    final ElementValuePair first = anno.getElementValuePairs()[0];
    assertEquals("id", first.getNameString());

    // The cast fails the test with a ClassCastException if the value is not a simple value.
    final SimpleElementValue simpleValue = (SimpleElementValue) first.getValue();
    assertEquals(42, simpleValue.getValueInt());
}
Example #15
Source File: GeneratingAnnotatedClassesTestCase.java From commons-bcel with Apache License 2.0 | 4 votes |
/**
 * Round-trips class-level annotations through the generator and the class-file reader.
 *
 * <ol>
 * <li>Build the HelloWorld class programmatically.</li>
 * <li>Attach one visible and one invisible simple annotation to the class.</li>
 * <li>Write the class to disk.</li>
 * <li>Read it back with the non-generator ("static") BCEL classes.</li>
 * <li>Verify the annotation types and the first annotation's {@code id} element.</li>
 * <li>Delete the generated class file.</li>
 * </ol>
 */
public void testGenerateClassLevelAnnotations() throws ClassNotFoundException {
    // Generate HelloWorld with class-file version 49.0.
    final ClassGen classGen = createClassGen("HelloWorld");
    classGen.setMajor(49);
    classGen.setMinor(0);
    final ConstantPoolGen pool = classGen.getConstantPool();
    final InstructionList instructions = new InstructionList();
    classGen.addAnnotationEntry(createSimpleVisibleAnnotation(pool));
    classGen.addAnnotationEntry(createSimpleInvisibleAnnotation(pool));
    buildClassContents(classGen, pool, instructions);
    dumpClass(classGen, "HelloWorld.class");

    // Reload from disk and inspect what was actually written.
    final JavaClass reloaded = getClassFrom(".", "HelloWorld");
    final AnnotationEntry[] annotations = reloaded.getAnnotationEntries();
    assertTrue("Should be two AnnotationEntries but found " + annotations.length,
            annotations.length == 2);

    // TODO (carried over from the original): "L??;"
    final AnnotationEntry firstAnnotation = annotations[0];
    assertTrue(
            "Name of annotation 1 should be LSimpleAnnotation; but it is "
                    + firstAnnotation.getAnnotationType(),
            firstAnnotation.getAnnotationType().equals("LSimpleAnnotation;"));
    final AnnotationEntry secondAnnotation = annotations[1];
    assertTrue(
            "Name of annotation 2 should be LSimpleAnnotation; but it is "
                    + secondAnnotation.getAnnotationType(),
            secondAnnotation.getAnnotationType().equals("LSimpleAnnotation;"));

    final ElementValuePair[] elements = firstAnnotation.getElementValuePairs();
    final ElementValuePair idElement = elements[0];
    assertTrue(
            "Name of element in SimpleAnnotation should be 'id' but it is "
                    + idElement.getNameString(),
            idElement.getNameString().equals("id"));

    final ElementValue idValue = idElement.getValue();
    assertTrue("Type of element value should be int but it is " + idValue.getElementValueType(),
            idValue.getElementValueType() == ElementValue.PRIMITIVE_INT);
    assertTrue("Value of element should be 4 but it is " + idValue.stringifyValue(),
            idValue.stringifyValue().equals("4"));

    // Clean up the generated file; the assertion also catches a failed delete.
    assertTrue(createTestdataFile("HelloWorld.class").delete());
}