/// <summary>
/// Builds the analyser's default model of PHP's <c>$_SERVER</c> superglobal.
/// </summary>
/// <remarks>
/// <para>
/// The policy encoded here is "tainted unless explicitly listed": the container's dimension
/// and nested-variable taint factories are <c>_taintedTaintFactory</c>, so – assuming those
/// factories supply the taint for keys without an explicit entry – anything not modelled
/// below (request headers <c>HTTP_*</c>, <c>PHP_SELF</c>, <c>QUERY_STRING</c>,
/// <c>PATH_INFO</c>, <c>REQUEST_URI</c>, …) is treated as attacker-controlled.
/// </para>
/// <para>
/// The listed keys get an untainted value and untainted defaults for their children.
/// NOTE(review): a few entries deserve a second look before relying on this list.
/// <c>REMOTE_HOST</c> is populated from a reverse-DNS (PTR) lookup of the client address,
/// and PTR records are controlled by whoever owns that address space. With Apache's
/// <c>UseCanonicalName Off</c>, both <c>SERVER_NAME</c> and <c>SERVER_PORT</c> are built
/// from the client-supplied Host header; the SQLi caveat below covers only the former.
/// <c>REMOTE_ADDR</c> is only as trustworthy as the proxy chain in front of PHP
/// (e.g. if it is rewritten from <c>X-Forwarded-For</c>). Confirm against the deployment
/// model this analyser targets.
/// </para>
/// </remarks>
/// <returns>
/// A <c>_SERVER</c> <see cref="Variable"/> in <see cref="VariableScope.SuperGlobal"/> scope
/// with the modelled keys attached as child variables.
/// </returns>
private Variable DefaultServerVariable()
{
    // Container: unknown keys/children default to tainted; the "possible stored" default stays untainted.
    var serverVar = new Variable("_SERVER", VariableScope.SuperGlobal);
    serverVar.Info.NestedVariableDefaultTaintFactory = _taintedTaintFactory;
    serverVar.Info.DefaultDimensionTaintFactory = _taintedTaintFactory;
    serverVar.Info.NestedVariablePossibleStoredDefaultTaintFactory = _untaintedTaintFactory;

    // Keys whose values are treated as fully untainted.
    // IDEA: move this list into configuration so it can be tuned without a rebuild.
    string[] untaintedKeys =
    {
        "GATEWAY_INTERFACE",
        "HTTPS",
        "REMOTE_ADDR",
        "REMOTE_HOST",
        "REMOTE_PORT",
        "REQUEST_TIME",
        "SCRIPT_FILENAME",
        "SCRIPT_NAME",
        "SERVER_ADDR",
        "SERVER_ADMIN",
        "SERVER_PROTOCOL",
        "SERVER_PORT",
        "SERVER_SIGNATURE",
        "SERVER_SOFTWARE",
    };

    foreach (var key in untaintedKeys)
    {
        var entry = new Variable(key, VariableScope.Instance);
        entry.Info.Taints = _untaintedTaintFactory();
        entry.Info.DefaultDimensionTaintFactory = _untaintedTaintFactory;
        entry.Info.NestedVariableDefaultTaintFactory = _untaintedTaintFactory;
        entry.Info.NestedVariablePossibleStoredDefaultTaintFactory = _untaintedTaintFactory;
        serverVar.Info.Variables.Add(new VariableTreeDimension { Key = entry.Name }, entry);
    }

    // SERVER_NAME is considered XSS-safe but not SQLi-safe
    // (see http://shiflett.org/blog/2006/mar/server-name-versus-http-host), so its value
    // carries the full SQLi taint plus a default (presumably empty) XSS taint set, while
    // its children default to untainted.
    var serverNameVar = new Variable("SERVER_NAME", VariableScope.Instance);
    serverNameVar.Info.Taints = new TaintSets(new SQLITaintSet(SQLITaint.SQL_ALL), new XSSTaintSet());
    serverNameVar.Info.DefaultDimensionTaintFactory = _untaintedTaintFactory;
    serverNameVar.Info.NestedVariableDefaultTaintFactory = _untaintedTaintFactory;
    serverNameVar.Info.NestedVariablePossibleStoredDefaultTaintFactory = _untaintedTaintFactory;
    serverVar.Info.Variables.Add(new VariableTreeDimension { Key = serverNameVar.Name }, serverNameVar);

    return serverVar;
}