protected function resolveFuncResultTaint(FuncCall $exp)
{
$args = $exp->args;
if (Sinks::isSinkFunction($exp)) {
$argTaints = $this->getArgumentsTaintValuesForAnalysis($args);
$this->sinkNodes[$exp->getLine()] = new FunctionSinkNode($exp, $argTaints);
return;
}
$result = parent::resolveFuncResultTaint($exp);
foreach ($args as $arg) {
$argExpName = $arg->value->name;
$this->addAffectingParameterToAnalysisResult($result, $argExpName);
}
return $result;
}
protected function isVulnerabilitySink(FuncCall $funcCall)
{
return Sinks::isCodeInjectionSinkFunction($funcCall);
}
protected function resolveFuncResultTaint(Expr\FuncCall $exp)
{
if (InputSources::isInputReadFuncCall($exp)) {
return $this->createTaintResult(Annotation::TAINTED);
}
$func_name = $exp->name;
if ($func_name instanceof Expr) {
//cannot evaluate the taint when the function's name is dynamically determined
return $this->createTaintResult(Annotation::UNKNOWN);
}
$func_name_str = $func_name->getLast();
if (SanitisingFunctions::isSanitisingFunction($func_name_str)) {
return $this->resolveSanitisationFuncCall($exp);
} else {
if (Sinks::isSinkFunction($exp) && !empty($this->vulnerabilityReporter)) {
$args_with_taints = $this->getArgumentsTaintValuesForAnalysis($exp->args);
$this->vulnerabilityReporter->runNodeVulnerabilityChecks($exp, $args_with_taints);
} else {
$func_analyser = FunctionAnalyser::getFunctionAnalyser($exp->environment, $func_name);
$args_with_taints = $this->getArgumentsTaintValuesForAnalysis($exp->args);
$analysis_res = $func_analyser->analyseFunctionCall($args_with_taints, $this->vulnerabilityReporter);
return $analysis_res;
}
}
}