development Static Analysis for Communication using HTTP ... · Java Servlets and JSP A powerful...

1

Static Analysis for Static Analysis for Java Java ServletsServlets and JSPand JSP

Christian Kirkegaard & Anders Møller

BRICS, University of Aarhus

2 / 20

Java Servlets and JSPJava Servlets and JSP

A powerful framework for Web application developmentCommunication using HTTP:

JSP pages are compiled into servlets...

response (XHTML)response (XHTML)

request (URL + form fields) request (URL + form fields) serverserverclientclient

3 / 20

The The ServletServlet APIAPI

A Web application contains a collection of servletsA configuration file maps URL requests to servlet namesEach servlet receives user input(form fields) and produces XHTML output

The output is generated by printing characters to a stream!

4 / 20

ExampleExample

5 / 20

Source code (1/3)Source code (1/3)

public class Entry extends javax.servlet.http.HttpServlet {

protected void doGet(HttpServletRequest request,HttpServletResponse response)

throws ServletException, IOException {

HttpSession session = request.getSession();

String url = response.encodeURL(request.getContextPath()+"/show");

session.setAttribute("timestamp", new Date());

response.setContentType("application/xhtml+xml");

PrintWriter out = response.getWriter();

Wrapper.printHeader(out, "Enter name", session);

out.print("<form action=\""+url+"\" method=\"POST\">"+"<input type=\"text\" name=\"NAME\"/>"+"<input type=\"submit\" value=\"lookup\"/>"+"</form>");

Wrapper.printFooter(out);

} }

public class Entry extends javax.servlet.http.HttpServlet {

protected void doGet(HttpServletRequest request,HttpServletResponse response)


HttpSession session = request.getSession();

String url = response.encodeURL(request.getContextPath()+"/show");

session.setAttribute("timestamp", new Date());



Wrapper.printHeader(out, "Enter name", session);

out.print("<form action=\""+url+"\" method=\"POST\">"+"<input type=\"text\" name=\"NAME\"/>"+"<input type=\"submit\" value=\"lookup\"/>"+"</form>");


} }

6 / 20

public class Show extends javax.servlet.http.HttpServlet {

protected void doPost(HttpServletRequest request,HttpServletResponse response)


Directory directory = new Directory("ldap://ldap.widgets.org");

String name =misc.encodeXML(request.getParameter("NAME"));



Wrapper.printHeader(out, name, request.getSession());

out.print("<b>Phone:</b> "+directory.phone(name));


}

}

public class Show extends javax.servlet.http.HttpServlet {

protected void doPost(HttpServletRequest request,HttpServletResponse response)


Directory directory = new Directory("ldap://ldap.widgets.org");

String name =misc.encodeXML(request.getParameter("NAME"));



Wrapper.printHeader(out, name, request.getSession());

out.print("<b>Phone:</b> "+directory.phone(name));


}

}


2

7 / 20


public class Wrapper {

static void printHeader(PrintWriter pw, String title,

HttpSession session) {

pw.print("<html xmlns=\"http://www.w3.org/1999/xhtml\">"+

"<head><title>"+title+"</title></head><body>"+

"<hr size=\"1\"/>"+

"<div align=\"right\"><small>"+

"Session initiated ["+

session.getAttribute("timestamp")+"]"+

"</small></div><hr size=\"1\"/>"+

"<h3>"+title+"</h3>");

}

static void printFooter(PrintWriter pw) {

pw.print("<hr size=\"1\"/></body></html>");

}

}

public class Wrapper {

static void printHeader(PrintWriter pw, String title,

HttpSession session) {

pw.print("<html xmlns=\"http://www.w3.org/1999/xhtml\">"+

"<head><title>"+title+"</title></head><body>"+

"<hr size=\"1\"/>"+

"<div align=\"right\"><small>"+

"Session initiated ["+

session.getAttribute("timestamp")+"]"+

"</small></div><hr size=\"1\"/>"+

"<h3>"+title+"</h3>");

}

static void printFooter(PrintWriter pw) {

pw.print("<hr size=\"1\"/></body></html>");

}

}

8 / 20

Two challenges for Web app developersTwo challenges for Web app developers

1. Is the response always well-formed and valid?

2. Do forms and fieldsbeing generated always match the code that receives the input?

9 / 20

Overview of the analysisOverview of the analysis

Java codeJava code

flow graphflow graph

contextcontext--free grammarfree grammar

grammar on taggrammar on tag--formform

XML graphXML graph

Soot (Hendren et al.) + string analysis (SAS’03)

balanced grammars (Knuth)+ much more...

XML Schema validation (PLAN-X’06) 10 / 20

Our resultsOur results

Construction of context-free grammarsthat approximate the possible outputon output streams in Java

Checks for XML well-formedness and XML Schema validity on context-free grammars

Inter-servlet control flow for Web apps

11 / 20

Flow graphsFlow graphs

Nodes:append[regular language]

invoke[possible targets]

nop

return

Edges represent control flow

– Soot (Hendren et al.) gives us Jimple code, control flow analysis, and alias analysis

– String analysis (SAS’03) gives us a regular language for each string expression

Java codeJava code




XML graphXML graph

12 / 20

Flow graph for the exampleFlow graph for the exampleJava codeJava code




XML graphXML graph

3

13 / 20

Flow graphs Flow graphs →→ contextcontext--free grammarsfree grammarsJava codeJava code




XML graphXML graphappend[L ]append[L ]

n

m

Nn → RL Nm

ninvoke[t ]invoke[t ]

m

Nn → Nt Nm

nopnopn

m

Nn → Nm

returnreturnn Nn → ε

14 / 20

Grammar for the exampleGrammar for the exampleJava codeJava code




XML graphXML graph

15 / 20

TagTag--formform

C → << T A >> C </</ T >> (element)C → X (text)C → C C (content sequence)A → W T == ”” V ”” (attribute)A → A A (attribute sequence)A → ε (empty attr. seq.)

– if the grammar can’t be brought on this form,its language is not well-formed XML

– on tag-form, we can easily check the remaining properties for well-formedness...

Java codeJava code




XML graphXML graph

16 / 20

Transforming to tagTransforming to tag--formform

1. make </ a single symbol2. obtain balanced grammar

with respect to < and </– Knuth ’67– Mohri & Nederhof ’01

3. obtain unique contexts (tag / element content / attribute value) – if possible

4. apply standard grammar transformations (inlining, expansion)...

Java codeJava code




XML graphXML graph

17 / 20

TagTag--form grammar for the exampleform grammar for the exampleJava codeJava code




XML graphXML graph

18 / 20

Checking validity with XML graphsChecking validity with XML graphs

An XML graph is like an XML tree but with• choices and loops• attribute/element names and text described

with regular string languages(so one XML graph represents a set of concrete XML trees)

Converting a context-free grammar on tag form into an XML graph is straightforwardWe have a tool for validating XML graphs relative to schemas (using XML Schema)!

Java codeJava code




XML graphXML graph

4

19 / 20

XML graph for the exampleXML graph for the exampleJava codeJava code




XML graphXML graph

20 / 20

ConclusionConclusion

Construction of context-free grammarsthat approximate the possible outputon output streams in Java

Sound and complete checks for XML well-formedness and XML Schema validityon context-free grammars

Inter-servlet control flowfor Servlets/JSP Web apps

...and the implementation is on the way – reeeal soon now ☺

Java codeJava code




XML graphXML graph

development Static Analysis for Communication using HTTP ... · Java Servlets and JSP A powerful...

Documents

Transcript of development Static Analysis for Communication using HTTP ... · Java Servlets and JSP A powerful...