Static Analysis for Java Servlets and JSP
Christian Kirkegaard & Anders Møller
BRICS, University of Aarhus

Java Servlets and JSP
A powerful framework for Web application development
Communication using HTTP:
  client → server: request (URL + form fields)
  server → client: response (XHTML)
JSP pages are compiled into servlets...

The Servlet API
A Web application contains a collection of servlets
A configuration file maps URL requests to servlet names
Each servlet receives user input (form fields) and produces XHTML output
The output is generated by printing characters to a stream!

Example

Source code (1/3)
import java.io.*;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Entry page: starts the session and prints the name lookup form.
public class Entry extends javax.servlet.http.HttpServlet {
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    HttpSession session = request.getSession();
    String url = response.encodeURL(request.getContextPath()+"/show");
    session.setAttribute("timestamp", new Date());
    response.setContentType("application/xhtml+xml");
    PrintWriter out = response.getWriter();
    Wrapper.printHeader(out, "Enter name", session);
    // The form posts the NAME field to the Show servlet
    out.print("<form action=\""+url+"\" method=\"POST\">"+
              "<input type=\"text\" name=\"NAME\"/>"+
              "<input type=\"submit\" value=\"lookup\"/>"+
              "</form>");
    Wrapper.printFooter(out);
  }
}

Source code (2/3)
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Receives the NAME field posted by Entry and prints the phone number.
// Directory and misc are application classes not shown on the slides.
public class Show extends javax.servlet.http.HttpServlet {
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    Directory directory = new Directory("ldap://ldap.widgets.org");
    // The user-supplied name is XML-encoded before it reaches the output
    String name = misc.encodeXML(request.getParameter("NAME"));
    response.setContentType("application/xhtml+xml");
    PrintWriter out = response.getWriter();
    Wrapper.printHeader(out, name, request.getSession());
    out.print("<b>Phone:</b> "+directory.phone(name));
    Wrapper.printFooter(out);
  }
}

Source code (3/3)
import java.io.PrintWriter;
import javax.servlet.http.HttpSession;

// Shared page header and footer: the html and body start tags printed by
// printHeader are closed by printFooter.
public class Wrapper {
  static void printHeader(PrintWriter pw, String title,
                          HttpSession session) {
    pw.print("<html xmlns=\"http://www.w3.org/1999/xhtml\">"+
             "<head><title>"+title+"</title></head><body>"+
             "<hr size=\"1\"/>"+
             "<div align=\"right\"><small>"+
             "Session initiated ["+
             session.getAttribute("timestamp")+"]"+
             "</small></div><hr size=\"1\"/>"+
             "<h3>"+title+"</h3>");
  }

  static void printFooter(PrintWriter pw) {
    pw.print("<hr size=\"1\"/></body></html>");
  }
}

Two challenges for Web app developers
1. Is the response always well-formed and valid?
2. Do forms and fields being generated always match the code that receives the input?

Overview of the analysis
Java code → flow graph → context-free grammar → grammar on tag-form → XML graph
– Java code → flow graph: Soot (Hendren et al.) + string analysis (SAS’03)
– context-free grammar → grammar on tag-form: balanced grammars (Knuth) + much more...
– XML graph: XML Schema validation (PLAN-X’06)

Our results
Construction of context-free grammars that approximate the possible output on output streams in Java
Checks for XML well-formedness and XML Schema validity on context-free grammars
Inter-servlet control flow for Web apps

Flow graphs
Nodes:
  append[regular language]
  invoke[possible targets]
  nop
  return
Edges represent control flow
– Soot (Hendren et al.) gives us Jimple code, control flow analysis, and alias analysis
– String analysis (SAS’03) gives us a regular language for each string expression

Flow graph for the example
[Figure]

Flow graphs → context-free grammars
Each flow graph node n (with successor m) gives a production:
  append[L]:  N_n → R_L N_m
  invoke[t]:  N_n → N_t N_m
  nop:        N_n → N_m
  return:     N_n → ε
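
The four translation rules above, applied to a small constructed flow graph, as an added example in Python (not code from the slides or from the authors' tool). The node names, the finite string sets standing in for regular languages, and the enumeration step are assumptions for illustration; the analysis on the slides checks well-formedness on the grammar itself rather than by enumerating outputs.

```python
import itertools
import xml.etree.ElementTree as ET

# Constructed flow graph (not from the slides): node -> (kind, payload, successors).
# An append payload is a finite set of strings standing in for the regular language L.
FLOW = {
    "main0": ("invoke", "hdr0", ["main1"]),
    "main1": ("append", {"<b>Phone:</b>"}, ["main2", "main3"]),  # branch
    "main2": ("append", {"</body>"}, ["main3"]),
    "main3": ("return", None, []),
    "hdr0": ("append", {"<body>"}, ["hdr1"]),
    "hdr1": ("nop", None, ["hdr2"]),
    "hdr2": ("return", None, []),
}

def to_grammar(flow):
    """One production per edge (append, invoke, nop) or per return node."""
    prods = []  # (lhs, rhs); a frozenset in rhs is the terminal R_L
    for n, (kind, payload, succs) in flow.items():
        if kind == "return":
            prods.append((n, []))                           # N_n -> epsilon
        for m in succs:
            if kind == "append":
                prods.append((n, [frozenset(payload), m]))  # N_n -> R_L N_m
            elif kind == "invoke":
                prods.append((n, [payload, m]))             # N_n -> N_t N_m
            else:
                prods.append((n, [m]))                      # nop: N_n -> N_m
    return prods

def language(prods, start):
    """Strings derivable from N_start; terminates only for acyclic, non-recursive graphs."""
    out = set()
    for lhs, rhs in prods:
        if lhs == start:
            parts = [s if isinstance(s, frozenset) else language(prods, s) for s in rhs]
            out |= {"".join(p) for p in itertools.product(*parts)}
    return out

def ill_formed_outputs(flow, entry):
    """Possible outputs of `entry` that an XML parser rejects."""
    bad = []
    for text in sorted(language(to_grammar(flow), entry)):
        try:
            ET.fromstring(text)
        except ET.ParseError:
            bad.append(text)
    return bad

if __name__ == "__main__":
    print(ill_formed_outputs(FLOW, "main0"))
```

The branch at main1 that skips main2 is the path that leaves the body element unclosed, which is the kind of output the first challenge asks about.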

Grammar for the example
[Figure]

Tag-form
  C → < T A > C </ T >   (element)
  C → X                  (text)
  C → C C                (content sequence)
  A → W T = " V "        (attribute)
  A → A A                (attribute sequence)
  A → ε                  (empty attr. seq.)
– if the grammar can’t be brought into this form, its language is not well-formed XML
– on tag-form, we can easily check the remaining properties for well-formedness...

Transforming to tag-form
1. make </ a single symbol
2. obtain balanced grammar with respect to < and </
   – Knuth ’67
   – Mohri & Nederhof ’01
3. obtain unique contexts (tag / element content / attribute value) – if possible
4. apply standard grammar transformations (inlining, expansion)...

Tag-form grammar for the example
[Figure]

Checking validity with XML graphs
An XML graph is like an XML tree but with
• choices and loops
• attribute/element names and text described with regular string languages
(so one XML graph represents a set of concrete XML trees)
Converting a context-free grammar on tag form into an XML graph is straightforward
We have a tool for validating XML graphs relative to schemas (using XML Schema)!

XML graph for the example
[Figure]

Conclusion
Construction of context-free grammars that approximate the possible output on output streams in Java
Sound and complete checks for XML well-formedness and XML Schema validity on context-free grammars
Inter-servlet control flow for Servlets/JSP Web apps
...and the implementation is on the way – reeeal soon now ☺