function parse()
{
// scan all tokens
for ($i = 0, $tokencount = count($this->tokens); $i < $tokencount; $i++, $this->tif++) {
if (is_array($this->tokens[$i])) {
$token_name = $this->tokens[$i][0];
$token_value = $this->tokens[$i][1];
$line_nr = $this->tokens[$i][2];
// add preloader info for big files
if ($line_nr % PRELOAD_SHOW_LINE == 0) {
echo $GLOBALS['fit'] . '|' . $GLOBALS['file_amount'] . '|' . $this->file_pointer . ' (line ' . $line_nr . ')|' . $GLOBALS['timeleft'] . '|' . "\n";
@ob_flush();
flush();
}
# debug
#echo "file:".$file_name.",line:".$line_nr.",token:".token_name($token_name).",";
#echo "value:".htmlentities($token_value).",";
#echo "in_function:".$in_function.",in_class:".$in_class."<br>";
/*************************
T_VARIABLE
*************************/
if ($token_name === T_VARIABLE) {
// $var()
if ($this->tokens[$i + 1][0] === '(') {
$this->variable_scan($i, 0, 'eval', 'Userinput is used as dynamic function name. Arbitrary functions may be called.');
} else {
if (($this->tokens[$i - 1] === '$' || $this->tokens[$i - 1] === '{' && $this->tokens[$i - 2] === '$') && ($this->tokens[$i + 1] === '=' || in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT))) {
$this->variable_scan($i, $this->tokens[$i - 1] === '{' ? 2 : 1, 'extract', 'Userinput is used to build the variable name. Arbitrary variables may be overwritten/initialized which may lead to further vulnerabilities.');
} else {
if ($this->tokens[$i - 1][0] === T_AS || $this->tokens[$i - 1][0] === T_DOUBLE_ARROW && $this->tokens[$i - 2][0] === T_VARIABLE && $this->tokens[$i - 3][0] === T_AS) {
$c = 3;
while ($this->tokens[$i - $c][0] !== T_FOREACH) {
$c++;
if ($i - $c < 0 || $this->tokens[$i - $c] === ';') {
addError('Could not find FOREACH token before AS token', array_slice($this->tokens, $i - 5, 10), $this->tokens[$i - 1][2], $this->file_pointer);
break;
}
}
$this->variable_add($token_value, array_slice($this->tokens, $i - $c, $c + Analyzer::getBraceEnd($this->tokens, $i)), '', 0, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array());
} else {
if ($this->tokens[$i - 2][0] === T_FOR && ($this->tokens[$i + 1] === '=' || in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT))) {
$c = 1;
$newbraceopen = 1;
$firstsemi = 0;
// do not use getBraceEnd() here, because we dont want to stop at ';' in for(;;)
while ($newbraceopen !== 0) {
// watch function calls in function call
if ($this->tokens[$i + $c] === '(') {
$newbraceopen++;
} else {
if ($this->tokens[$i + $c] === ')') {
$newbraceopen--;
} else {
if ($this->tokens[$i + $c] === ';' && $firstsemi < 1) {
$firstsemi = $c;
}
}
}
$c++;
if (!isset($this->tokens[$i + $c])) {
addError('Could not find closing parenthesis of for-statement.', array_slice($this->tokens, $i - 2, 10), $this->tokens[$i - 2][2], $this->file_pointer);
break;
}
}
// overwrite value of first var because it is looped
// this is an assumption, other vars could be declared for($var1=1;$var2=2;...)
$this->tokens[$i + 2][0] = T_ENCAPSED_AND_WHITESPACE;
$this->tokens[$i + 2][1] = '*';
$this->variable_add($token_value, array_slice($this->tokens, $i - 2, $c + 2), '', 1, 2 + $firstsemi, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array());
} else {
if ($this->tokens[$i + 1] === '=' || in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT)) {
$vardeclare = array();
// $var = array(1,2,3,4);
if ($this->tokens[$i + 2][0] === T_ARRAY && $this->tokens[$i + 3] === '(' && $this->tokens[$i + 4] !== ')') {
$d = 4;
$keyindex = 0;
$newbraceopen = 1;
$keytokens = array();
$valuetokens = array();
while (!($newbraceopen === 0 || $this->tokens[$i + $d] === ';') && $keyindex < MAX_ARRAY_ELEMENTS) {
// count parameters
if ($newbraceopen === 1 && ($this->tokens[$i + $d] === ',' || $this->tokens[$i + $d] === ')')) {
$newindexvar = $this->tokens[$i];
$newindexvar[3][] = empty($keytokens) ? $keyindex : $keytokens;
$this->variable_add($token_value, array_merge(array($newindexvar, $this->tokens[$i + 1]), $valuetokens), ' array() ', in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT) ? 0 : 1, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array(), empty($keytokens) ? $keyindex : $keytokens);
$keyindex++;
$keytokens = array();
$valuetokens = array();
} else {
if ($this->tokens[$i + $d] === '(') {
$newbraceopen++;
} else {
if ($this->tokens[$i + $d] === ')') {
$newbraceopen--;
} else {
if ($this->tokens[$i + $d][0] === T_DOUBLE_ARROW) {
$keytokens = $valuetokens;
$valuetokens = array();
} else {
$valuetokens[] = $this->tokens[$i + $d];
}
}
}
}
$d++;
if (!isset($this->tokens[$i + $d])) {
addError('Could not find closing parenthesis of array()-declaration.', array_slice($this->tokens, $i, 10), $this->tokens[$i + 2][2], $this->file_pointer);
break;
}
}
$vardeclare['end'] = Analyzer::getBraceEnd($this->tokens, $i) + 1;
// $var = anything;
} else {
$this->variable_add($token_value, array_slice($this->tokens, $i, $vardeclare['end'] = Analyzer::getBraceEnd($this->tokens, $i) + 1), '', in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT) ? 0 : 1, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array());
}
// save var and var declare scope for data leak scan
$vardeclare['start'] = $i;
$vardeclare['name'] = $token_value;
$vardeclare['linenr'] = $line_nr;
$vardeclare['end'] += $i - 1;
}
}
}
}
}
// $class->var
//else if ($token_name === T_STRING && $tokens[$i-1][0] === T_OBJECT_OPERATOR && $tokens[$i-2][0] === T_VARIABLE)
// add user input variables to global finding list
if (in_array($token_value, Sources::$V_USERINPUT)) {
if (isset($this->tokens[$i][3])) {
if (!is_array($this->tokens[$i][3][0])) {
$GLOBALS['user_input'][$token_value . '[' . $this->tokens[$i][3][0] . ']'][$this->file_pointer][] = $line_nr;
} else {
$GLOBALS['user_input'][$token_value . '[' . Analyzer::get_tokens_value($this->file_pointer, $this->tokens[$i][3][0], $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i) . ']'][$this->file_pointer][] = $line_nr;
}
} else {
$GLOBALS['user_input'][$token_value][$this->file_pointer][] = $line_nr;
}
// count found userinput in function for graphs
if ($this->in_function) {
$GLOBALS['user_functions_offset'][$this->function_obj->name][5]++;
} else {
$GLOBALS['user_functions_offset']['__main__'][5]++;
}
}
} else {
if (in_array($token_name, Tokens::$T_FUNCTIONS) || in_array($token_name, Tokens::$T_XSS) && ($_POST['vector'] == 'client' || $_POST['vector'] == 'xss' || $_POST['vector'] == 'all')) {
$class = '';
/*************************
T_STRING
*************************/
if ($token_name === T_STRING && $this->tokens[$i + 1] === '(') {
// define("FOO", $_GET['asd']);
if ($token_value === 'define') {
$c = 1;
while ($this->tokens[$i + $c] !== ',') {
$c++;
if ($this->tokens[$i + $c] === ';' || !isset($this->tokens[$i + $c])) {
addError('Second parameter of define() is missing.', array_slice($this->tokens, $i, $c), $this->tokens[$i][2], $this->file_pointer);
break;
}
}
$this->variable_add(str_replace(array('"', "'"), '', $this->tokens[$i + 2][1]), array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i) + 1), ' define() ', $c, 0, $line_nr, $i);
} else {
if ($token_value === 'ini_set') {
$setting = str_replace(array("'", '"'), '', $this->tokens[$i + 2][1]);
// ini_set('include_path', 'foo/bar')
if ($setting === 'include_path') {
$path = Analyzer::get_tokens_value($this->file_pointer, array_slice($this->tokens, $i + 4, Analyzer::getBraceEnd($this->tokens, $i + 4) + 1), $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i);
$this->include_paths = array_unique(array_merge($this->include_paths, Analyzer::get_ini_paths($path)));
}
} else {
if ($token_value === 'set_include_path') {
$path = Analyzer::get_tokens_value($this->file_pointer, array_slice($this->tokens, $i + 1, Analyzer::getBraceEnd($this->tokens, $i + 1) + 1), $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i);
$this->include_paths = array_unique(array_merge($this->include_paths, Analyzer::get_ini_paths($path)));
} else {
if ($token_value === 'set_error_handler') {
$token_value = str_replace(array('"', "'"), '', $this->tokens[$i + 2][1]);
} else {
if ($token_value === 'compact' && $this->tokens[$i - 2][0] === T_VARIABLE) {
$f = 2;
while ($this->tokens[$i + $f] !== ')') {
// for all array keys save new variable declarations
if ($this->tokens[$i + $f][0] === T_CONSTANT_ENCAPSED_STRING) {
$this->variable_add($this->tokens[$i - 2][1], array(array(T_VARIABLE, $this->tokens[$i - 2][1], $line_nr, array(str_replace(array('"', "'"), '', $this->tokens[$i + $f][1]))), '=', array(T_VARIABLE, '$' . str_replace(array('"', "'"), '', $this->tokens[$i + $f][1]), $line_nr), ';'), ' compact() ', 2, 0, $line_nr, $i, $tokens[$i - 2][3], str_replace(array('"', "'"), '', $this->tokens[$i + $f][1]));
}
$f++;
if ($this->tokens[$i + $f] === ';' || !isset($this->tokens[$i + $f])) {
addError('Closing parenthesis of compact() is missing.', array_slice($this->tokens, $i, $f), $this->tokens[$i][2], $this->file_pointer);
break;
}
}
} else {
if ($token_value === 'preg_match' || $token_value === 'preg_match_all') {
$c = 2;
$parameter = 1;
$newbraceopen = 1;
while ($newbraceopen !== 0) {
if (is_array($this->tokens[$i + $c]) && $this->tokens[$i + $c][0] === T_VARIABLE && $parameter == 3) {
// add variable declaration to beginning of varlist
// fake assignment parameter so it will not get traced
$this->variable_add($this->tokens[$i + $c][1], array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i + 2) + 3), ' preg_match() ', 0, $c - 1, $this->tokens[$i + $c][2], $i, isset($this->tokens[$i + $c][3]) ? $this->tokens[$i + $c][3] : array());
} else {
if ($newbraceopen === 1 && $this->tokens[$i + $c] === ',') {
$parameter++;
} else {
if ($this->tokens[$i + $c] === '(') {
$newbraceopen++;
} else {
if ($this->tokens[$i + $c] === ')') {
$newbraceopen--;
} else {
if ($this->tokens[$i + $c] === ';' || !isset($this->tokens[$i + $c])) {
addError('Closing parenthesis of ' . $token_value . '() is missing.', array_slice($this->tokens, $i, $c), $this->tokens[$i][2], $this->file_pointer);
break;
}
}
}
}
}
$c++;
}
} else {
if ($token_value === 'import_request_variables') {
// add register_globals implementation
$this->variable_add('register_globals', array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i + 1) + 1), 'register_globals implementation', 0, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array());
} else {
if ($token_value === 'parse_str') {
$c = 2;
$parameter = 1;
$newbraceopen = 1;
while ($newbraceopen !== 0) {
if (is_array($this->tokens[$i + $c]) && $this->tokens[$i + $c][0] === T_VARIABLE && $parameter == 2) {
// add variable declaration to beginning of varlist
// fake assignment parameter so it will not get traced
$this->variable_add($this->tokens[$i + $c][1], array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i + 2) + 3), ' parse_str() ', 0, $c - 1, $this->tokens[$i + $c][2], $i, isset($this->tokens[$i + $c][3]) ? $this->tokens[$i + $c][3] : array());
} else {
if ($newbraceopen === 1 && $this->tokens[$i + $c] === ',') {
$parameter++;
} else {
if ($this->tokens[$i + $c] === '(') {
$newbraceopen++;
} else {
if ($this->tokens[$i + $c] === ')') {
$newbraceopen--;
} else {
if ($this->tokens[$i + $c] === ';' || !isset($this->tokens[$i + $c])) {
addError('Closing parenthesis of ' . $token_value . '() is missing.', array_slice($this->tokens, $i, $c), $this->tokens[$i][2], $this->file_pointer);
break;
}
}
}
}
}
$c++;
}
}
}
}
}
}
}
}
}
//add interesting function calls to info gathering
if (isset($this->info_functions[$token_value])) {
$GLOBALS['info'][] = $this->info_functions[$token_value];
} else {
if ($this->tokens[$i - 1][0] !== T_NEW && isset($this->vuln_classes[$token_value])) {
$this->class_vars[$this->tokens[$i - 2][1]] = $token_value;
} else {
// $classvar->bla()
if ($this->tokens[$i - 1][0] === T_OBJECT_OPERATOR) {
$classvar = $this->tokens[$i - 2][1];
if ($classvar[0] !== '$') {
$classvar = '$' . $classvar;
}
$class = $classvar === '$this' || $classvar === '$self' ? $this->class_name : $this->class_vars[$classvar];
} else {
if ($this->tokens[$i - 1][0] === T_DOUBLE_COLON) {
$class = $this->tokens[$i - 2][1];
}
}
// save function call for graph
if (isset($GLOBALS['user_functions_offset'][($class ? $class . '::' : '') . $token_value])) {
$GLOBALS['user_functions_offset'][($class ? $class . '::' : '') . $token_value][3][] = array($this->file_pointer, $line_nr);
if ($this->in_function) {
$GLOBALS['user_functions_offset'][$this->function_obj->name][4][] = $token_value;
} else {
$GLOBALS['user_functions_offset']['__main__'][4][] = $token_value;
}
}
// check if token is function call that affects variable scope (global)
if (isset($this->globals_from_function[$token_value])) {
// put all previously saved global var assignments to global scope
foreach ($this->globals_from_function[$token_value] as $var_name => $new_vars) {
foreach ($new_vars as $new_var) {
$new_var->comment = $new_var->comment . " by {$token_value}()";
if (!isset($this->var_declares_global[$var_name])) {
$this->var_declares_global[$var_name] = array($new_var);
} else {
array_unshift($this->var_declares_global[$var_name], $new_var);
}
}
}
}
}
}
} else {
if (in_array($token_name, Tokens::$T_INCLUDES) && !$this->in_function) {
$GLOBALS['count_inc']++;
// include('xxx')
if ($this->tokens[$i + 1] === '(' && $this->tokens[$i + 2][0] === T_CONSTANT_ENCAPSED_STRING && $this->tokens[$i + 3] === ')' || is_array($this->tokens[$i + 1]) && $this->tokens[$i + 1][0] === T_CONSTANT_ENCAPSED_STRING && $this->tokens[$i + 2] === ';') {
// include('file')
if ($this->tokens[$i + 1] === '(') {
$inc_file = substr($this->tokens[$i + 2][1], 1, -1);
$skip = 5;
} else {
$inc_file = substr($this->tokens[$i + 1][1], 1, -1);
$skip = 3;
}
} else {
$inc_file = Analyzer::get_tokens_value($this->file_pointer, array_slice($this->tokens, $i + 1, $c = Analyzer::getBraceEnd($this->tokens, $i + 1) + 1), $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i);
// in case the get_var_value added several php files, take the first
$several = explode('.php', $inc_file);
if (count($several) > 1) {
$try_file = $several[0] . '.php';
}
$skip = $c + 1;
// important to save $c+1 here
}
$try_file = $inc_file;
// try absolute include path
foreach ($this->include_paths as $include_path) {
if (is_file("{$include_path}/{$try_file}")) {
$try_file = "{$include_path}/{$try_file}";
break;
}
}
// if dirname(__FILE__) appeared it was an absolute path
if (!is_file($try_file)) {
// check relativ path
$try_file = dirname($this->file_name) . '/' . $inc_file;
if (!is_file($try_file)) {
$other_try_file = dirname($this->file_pointer) . '/' . $inc_file;
// if file can not be found check include_path if set
if (!is_file($other_try_file)) {
if (isset($this->include_paths[0])) {
foreach ($this->include_paths as $include_path) {
if (is_file(dirname($this->file_name) . '/' . $include_path . '/' . $inc_file)) {
$try_file = dirname($this->file_name) . '/' . $include_path . '/' . $inc_file;
break;
} else {
if (is_file(dirname($this->file_pointer) . '/' . $include_path . '/' . $inc_file)) {
$try_file = dirname($this->file_pointer) . '/' . $include_path . '/' . $inc_file;
break;
}
}
}
}
// if still not a valid file, look a directory above
if (!is_file($try_file)) {
$try_file = str_replace('\\', '/', $try_file);
$pos = strlen($try_file);
// replace each found / with /../, start from the end of file name
for ($c = 1; $c < substr_count($try_file, '/'); $c++) {
$pos = strripos(substr($try_file, 1, $pos), '/');
if (is_file(substr_replace($try_file, '/../', $pos + 1, 1))) {
$try_file = substr_replace($try_file, '/../', $pos + 1, 1);
break;
}
}
if (!is_file($try_file)) {
$try_file = str_replace('\\', '/', $other_try_file);
$pos = strlen($try_file);
// replace each found / with /../, start from the end of file name
for ($c = 1; $c < substr_count($try_file, '/'); $c++) {
$pos = strripos(substr($try_file, 1, $pos), '/');
if (is_file(substr_replace($try_file, '/../', $pos + 1, 1))) {
$try_file = substr_replace($try_file, '/../', $pos + 1, 1);
break;
}
}
// if still not a valid file, guess it
if (!is_file($try_file)) {
$searchfile = basename($try_file);
if (!strstr($searchfile, '$_USERINPUT')) {
foreach ($GLOBALS['files'] as $cfile) {
if (basename($cfile) == $searchfile) {
$try_file = $cfile;
break;
}
}
}
}
}
}
} else {
$try_file = $other_try_file;
}
}
}
$try_file_unreal = $try_file;
$try_file = realpath($try_file);
// file is valid
if (!empty($try_file_unreal) && !empty($try_file) && ($inc_lines = @file($try_file_unreal))) {
// file name has not been included
if (!in_array($try_file, $this->inc_map)) {
// Tokens
$tokenizer = new Tokenizer($try_file);
$inc_tokens = $tokenizer->tokenize(implode('', $inc_lines));
unset($tokenizer);
// if(include('file')) { - include tokens after { and not into the condition :S
if ($this->in_condition) {
$this->tokens = array_merge(array_slice($this->tokens, 0, $this->in_condition + 1), $inc_tokens, array(array(T_INCLUDE_END, 0, 1)), array_slice($this->tokens, $this->in_condition + 1));
} else {
// insert included tokens in current tokenlist and mark end
$this->tokens = array_merge(array_slice($this->tokens, 0, $i + $skip), $inc_tokens, array(array(T_INCLUDE_END, 0, 1)), array_slice($this->tokens, $i + $skip));
}
$tokencount = count($this->tokens);
// set lines pointer to included lines, save last pointer
// (the following tokens will be the included ones)
$this->lines_stack[] = $inc_lines;
$this->lines_pointer = end($this->lines_stack);
// tokennr in file
$this->tif_stack[] = $this->tif;
$this->tif = -$skip;
// set the current file pointer
$this->file_pointer = $try_file;
if (!isset($GLOBALS['file_sinks_count'][$this->file_pointer])) {
$GLOBALS['file_sinks_count'][$this->file_pointer] = 0;
}
echo $GLOBALS['fit'] . '|' . $GLOBALS['file_amount'] . '|' . $this->file_pointer . '|' . $GLOBALS['timeleft'] . '|' . "\n";
@ob_flush();
flush();
$this->comment = basename($inc_file);
$this->inc_file_stack[] = $try_file;
// build include map for file list
$this->inc_map[] = $try_file;
// all basic includes
}
} else {
$GLOBALS['count_inc_fail']++;
// add information about include error in debug mode
if ($GLOBALS['verbosity'] == 5) {
// add include command to output
$found_value = highlightline(array_slice($this->tokens, $i, $skip), $this->comment, $line_nr, $token_value);
$new_find = new InfoTreeNode($found_value);
$new_find->lines[] = $line_nr;
$new_find->filename = $this->file_pointer;
$new_find->title = "Include error: tried to include: " . $try_file_unreal;
if (isset($GLOBALS['output'][$this->file_name]['inc'])) {
$GLOBALS['output'][$this->file_name]['inc']->treenodes[] = $new_find;
} else {
$new_block = new VulnBlock($this->tif . '_' . $this->tokens[$i][2] . '_' . basename($this->file_pointer), 'Debug');
$new_block->treenodes[] = $new_find;
$new_block->vuln = true;
$GLOBALS['output'][$this->file_name]['inc'] = $new_block;
}
}
}
}
}
/*************************
TAINT ANALYSIS
*************************/
if (isset($this->scan_functions[$token_value]) && $GLOBALS['verbosity'] != 5 && (empty($class) || ($this->in_function && is_array($function_obj->parameters) && in_array($classvar, $function_obj->parameters) || @in_array($token_value, $this->vuln_classes[$class])))) {
if (!$this->already_scanned($i)) {
// build new find
$new_find = new VulnTreeNode();
$new_find->name = $token_value;
$new_find->lines[] = $line_nr;
// add dependencies (already here, because checked during var trace
foreach ($this->dependencies as $deplinenr => $dependency) {
if (!empty($dependency)) {
$new_find->dependencies[$deplinenr] = $dependency;
}
}
// count sinks
$GLOBALS['file_sinks_count'][$this->file_pointer]++;
if ($this->in_function) {
$GLOBALS['user_functions_offset'][$this->function_obj->name][6]++;
} else {
$GLOBALS['user_functions_offset']['__main__'][6]++;
}
$parameter = 1;
$var_counter = 0;
$vulnparams = array(0);
$has_vuln_parameters = false;
$parameter_has_userinput = false;
$parameter_func_depend = false;
$secured_by_start = false;
// function calls without quotes (require $inc;) --> no brace count
$parentheses_open = $this->tokens[$i + 1] === '(' ? 1 : -2;
// -2: detection of braces doesnt matter
$parentheses_save = -1;
$in_securing = false;
$ignore_securing = false;
$c = $this->tokens[$i + 1] === '(' ? 2 : 1;
// important
$tainted_vars = array();
$reconstructstr = '';
$addtitle = '';
$this->securedby = array();
// get all variables in parameter list between (...)
// not only until ';' because: system(get($a),$b,strstr($c));
while ($parentheses_open !== 0 && $this->tokens[$i + $c] !== ';') {
$this_one_is_secure = false;
if (is_array($this->tokens[$i + $c])) {
// scan variables and constants
if ($this->tokens[$i + $c][0] === T_VARIABLE && $this->tokens[$i + $c + 1][0] !== T_OBJECT_OPERATOR || $this->tokens[$i + $c][0] === T_STRING && $this->tokens[$i + $c + 1] !== '(') {
$var_counter++;
// scan only potential vulnerable parameters of function call
if (in_array($parameter, $this->scan_functions[$token_value][0]) || isset($this->scan_functions[$token_value][0][0]) && $this->scan_functions[$token_value][0][0] === 0) {
$has_vuln_parameters = true;
if (is_array($this->tokens[$i + $c - 1]) && in_array($this->tokens[$i + $c - 1][0], Tokens::$T_CASTS) || is_array($this->tokens[$i + $c + 1]) && in_array($this->tokens[$i + $c + 1][0], Tokens::$T_ARITHMETIC) || $in_securing) {
$secured_by_start = true;
$this_one_is_secure = true;
}
if ($in_securing && !$ignore_securing) {
$this->securedby[] = $securing_function;
}
// trace back parameters and look for userinput, trace constants globally
$userinput = $this->scan_parameter($new_find, $new_find, $this->tokens[$i + $c], $this->tokens[$i + $c][3], $i + $c, $this->in_function && $this->tokens[$i + $c][1][0] === '$' ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, false, $this->scan_functions[$token_value][1], false, $ignore_securing, $this_one_is_secure || $in_securing);
$reconstructstr .= Analyzer::get_var_value($this->file_pointer, $this->tokens[$i + $c], $this->in_function && $this->tokens[$i + $c][1][0] === '$' ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i + $c, $this->source_functions);
if ($userinput) {
$vulnparams[] = $parameter;
if ($userinput == 1) {
$parameter_has_userinput = true;
} else {
if ($userinput == 2) {
$parameter_func_depend = true;
}
}
$tainted_vars[] = $var_counter;
}
}
// mark userinput for quote analysis
if (in_array($this->tokens[$i + $c][1], Sources::$V_USERINPUT)) {
$reconstructstr .= '$_USERINPUT';
}
} else {
if ($this->tokens[$i + $c][0] === T_STRING && in_array($this->tokens[$i + $c][1], $this->source_functions) && (in_array($parameter, $this->scan_functions[$token_value][0]) || isset($this->scan_functions[$token_value][0][0]) && $this->scan_functions[$token_value][0][0] === 0)) {
$has_vuln_parameters = true;
$parameter_has_userinput = true;
$new_find->marker = 1;
$reconstructstr .= '$_USERINPUT';
$new_find->title = 'Userinput returned by function <i>' . $this->tokens[$i + $c][1] . '</i> reaches sensitive sink';
$this->addtriggerfunction($new_find);
} else {
if ($this->tokens[$i + $c][0] === T_STRING && isset($this->tokens[$i + $c][1]) && in_array($this->tokens[$i + $c][1], $GLOBALS['F_INSECURING_STRING']) && $parentheses_save == -1) {
$parentheses_save = $parentheses_open;
$ignore_securing = true;
} else {
if (!$ignore_securing && ($this->tokens[$i + $c][0] === T_STRING && (is_array($this->scan_functions[$token_value][1]) && in_array($this->tokens[$i + $c][1], $this->scan_functions[$token_value][1]) || in_array($this->tokens[$i + $c][1], $GLOBALS['F_SECURING_STRING']))) || in_array($this->tokens[$i + $c][0], Tokens::$T_CASTS) && $this->tokens[$i + $c + 1] === '(') {
$securing_function = $this->tokens[$i + $c][1];
$parentheses_save = $parentheses_open;
$in_securing = true;
$secured_by_start = true;
} else {
if ($this->tokens[$i + $c][0] === T_CONSTANT_ENCAPSED_STRING) {
$reconstructstr .= substr($this->tokens[$i + $c][1], 1, -1);
} else {
if ($this->tokens[$i + $c][0] === T_ENCAPSED_AND_WHITESPACE) {
$reconstructstr .= $this->tokens[$i + $c][1];
}
}
}
}
}
}
} else {
if ($parentheses_open === 1 && $this->tokens[$i + $c] === ',') {
$parameter++;
} else {
if ($this->tokens[$i + $c] === '(') {
$parentheses_open++;
} else {
if ($this->tokens[$i + $c] === ')') {
$parentheses_open--;
if ($parentheses_open === $parentheses_save) {
$parentheses_save = -1;
$in_securing = false;
$securing_function = '';
$ignore_securing = false;
}
} else {
if (!isset($this->tokens[$i + $c])) {
addError('Closing parenthesis of ' . $token_value . '() is missing.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer);
break;
}
}
}
}
}
$c++;
}
// quote analysis for securing functions F_QUOTE_ANALYSIS
// they only protect when return value is embedded into quotes
if ($this->quote_analysis_needed() && substr_count($reconstructstr, '$_USERINPUT') > 0) {
// idea: explode on $_USERINPUT and count quotes in SQL query before
// if not even, then the $_USERINPUT is in an open quote
$parts = explode('$_USERINPUT', $reconstructstr);
foreach ($this->securedby as $var => $securefunction) {
if (in_array($securefunction, $GLOBALS['F_QUOTE_ANALYSIS'])) {
// extract the string before the userinput
$checkstring = '';
$d = 1;
foreach ($parts as $part) {
$checkstring .= $part;
if ($d >= $var) {
break;
}
$d++;
}
// even amount of quotes (or none) in string
// --> no quotes around userinput
// --> securing function is useless
if (substr_count($checkstring, "'") % 2 === 0 && substr_count($checkstring, '"') % 2 === 0) {
$has_vuln_parameters = true;
$parameter_has_userinput = true;
$new_find->title .= "Userinput reaches sensitive sink due to insecure usage of {$securefunction}() without quotes";
}
}
}
}
// add find to output if function call has variable parameters (With userinput)
if ($has_vuln_parameters && ($parameter_has_userinput || $parameter_func_depend) || $GLOBALS['verbosity'] == 4 || isset($this->scan_functions[$token_value][3])) {
$vulnstart = $i;
$vulnadd = 1;
// prepend $var assignment
if (isset($vardeclare)) {
$vulnstart = $vardeclare['start'];
$vulnadd = $vardeclare['end'] - $vardeclare['start'] - $c + 1;
//3;
} else {
if (isset($GLOBALS['F_XSS'][$this->tokens[$i - 1][1]])) {
$vulnstart = $i - 1;
$vulnadd = 2;
} else {
if ($this->tokens[$i - 1][0] === T_DOUBLE_COLON || $this->tokens[$i - 1][0] === T_OBJECT_OPERATOR) {
$vulnstart = $i - 2;
$vulnadd = 2;
}
}
}
if (isset($GLOBALS['user_functions'][$this->file_name][$token_value])) {
$found_line = '<A NAME="' . $token_value . '_call" class="jumplink"></A>';
$found_line .= highlightline(array_slice($this->tokens, $vulnstart, $c + $vulnadd), $this->comment, $line_nr, false, $token_value);
} else {
$found_line = highlightline(array_slice($this->tokens, $vulnstart, $c + $vulnadd), $this->comment, $line_nr, $token_value, false, $tainted_vars);
}
$new_find->value = $found_line;
$new_find->filename = $this->file_pointer;
if ($secured_by_start) {
$new_find->marker = 2;
}
// only show vuln user defined functions
// if call with userinput has been found
if (isset($GLOBALS['user_functions'][$this->file_name][$token_value])) {
$GLOBALS['user_functions'][$this->file_name][$token_value]['called'] = true;
}
if ($this->in_function) {
$this->ignore_securing_function = true;
// mark function in class as vuln
if ($this->in_class) {
$this->vuln_classes[$this->class_name][] = $this->function_obj->name;
}
}
// putenv with userinput --> getenv is treated as userinput
if ($token_value === 'putenv') {
$this->source_functions[] = 'getenv';
$GLOBALS['source_functions'][] = 'getenv';
$new_find->title = 'User can set PHP enviroment variables. Adding getenv() to tainting functions';
} else {
if ($token_value === 'apache_setenv') {
$this->source_functions[] = 'apache_getenv';
$GLOBALS['source_functions'][] = 'apache_getenv';
$new_find->title = 'User can set Apache enviroment variables. Adding apache_getenv() to tainting functions';
} else {
if ($token_value === 'extract' || $token_value === 'parse_str' || $token_value === 'mb_parse_str') {
// add register_globals implementation
$this->variable_add('register_globals', array_slice($this->tokens, $vulnstart, $c + $vulnadd), 'register_globals implementation', 0, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array());
}
}
}
// add to output
if (isset($GLOBALS['user_functions'][$this->file_name][$token_value])) {
if (!empty($GLOBALS['output'][$this->file_name])) {
foreach ($GLOBALS['output'][$this->file_name] as $block) {
$calleesadded = array();
foreach ($block->treenodes as $tree) {
if ($tree->funcdepend === $token_value && (array_intersect($tree->funcparamdepend, $vulnparams) || isset($this->scan_functions[$token_value][3]))) {
// if funcdependend already found and added, just add foundcallee=true and continue
// dont add tree again, it is already added to the vulnblock
if (in_array($tree->funcdepend, $calleesadded)) {
$tree->foundcallee = true;
continue;
}
if (isset($this->scan_functions[$token_value][3])) {
$new_find->title = 'Call triggers vulnerability in function <i>' . $token_value . '()</i>';
} else {
if (empty($new_find->title)) {
$new_find->title = 'Userinput is passed through function parameters.';
}
}
$block->treenodes[] = $new_find;
if (!$block->vuln && ($parameter_has_userinput || isset($this->scan_functions[$token_value][3]) || $GLOBALS['verbosity'] == 4)) {
$block->vuln = true;
increaseVulnCounter($block->sink);
}
$tree->foundcallee = true;
$calleesadded[] = $token_value;
}
}
}
// else: dont use the result
}
} else {
if (empty($new_find->title)) {
$new_find->title = 'Userinput reaches sensitive sink. For more information, press the help icon on the left side.';
}
$block = new VulnBlock($this->tif . '_' . $this->tokens[$i][2] . '_' . basename($this->file_pointer), getVulnNodeTitle($token_value), $token_value);
$block->treenodes[] = $new_find;
if ($parameter_has_userinput || $GLOBALS['verbosity'] == 4) {
$block->vuln = true;
increaseVulnCounter($token_value);
}
// if sink in var declare, offer a data leak scan - save infos for that
if (isset($vardeclare)) {
$block->dataleakvar = array($vardeclare['linenr'], $vardeclare['name']);
}
$GLOBALS['output'][$this->file_name][] = $block;
}
}
// if classvar depends on function parameter, add this parameter to list
if (isset($this->classvar) && $this->in_function && in_array($this->classvar, $this->function_obj->parameters)) {
$param = array_search($this->classvar, $this->function_obj->parameters);
$GLOBALS['user_functions'][$this->file_name][$this->function_obj->name][0][$param] = $param + 1;
}
}
}
// taint analysis
} else {
if (in_array($token_name, Tokens::$T_LOOP_CONTROL)) {
// ignore in requirements output: while, for, foreach
// DO..WHILE was rewritten to WHILE in tokenizer
$this->ignore_requirement = true;
$c = 1;
// get variables in loop condition
while ($this->tokens[$i + $c] !== '{') {
if ($this->tokens[$i + $c][0] === T_VARIABLE) {
$this->tokens[$i + $c][3][] = '*';
} else {
if (!isset($this->tokens[$i + $c])) {
addError('Could not find opening brace after ' . $token_value . '-statement.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer);
break;
}
}
$c++;
}
} else {
if (in_array($token_name, Tokens::$T_FLOW_CONTROL)) {
$c = 1;
while ($this->tokens[$i + $c] !== '{') {
$c++;
if (!isset($this->tokens[$i + $c])) {
addError('Could not find opening brace after ' . $token_value . '-statement.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer);
break;
}
}
$this->in_condition = $i + $c;
$this->dependencytokens = array_slice($this->tokens, $i, $c);
} else {
if ($token_name === T_FUNCTION) {
if ($this->in_function) {
#addError('New function declaration in function declaration of '.$this->function_obj->name.'() found. This is valid PHP syntax but not supported by RIPS now.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer);
} else {
$this->in_function++;
// the next token is the "function name()"
$i++;
$function_name = isset($this->tokens[$i][1]) ? $this->tokens[$i][1] : $this->tokens[$i + 1][1];
$ref_name = ($this->in_class ? $this->class_name . '::' : '') . $function_name;
// add POP gadgets to info
if (isset($this->info_functions[$function_name])) {
$GLOBALS['info'][] = $ref_name;
// add gadget to output
$found_line = highlightline(array_slice($this->tokens, $i - 1, 4), $this->comment, $line_nr, $function_name, false, $function_name);
$new_find = new InfoTreeNode($found_line);
$new_find->title = "POP gadget {$ref_name}";
$new_find->lines[] = $line_nr;
$new_find->filename = $this->file_pointer;
if (isset($GLOBALS['output'][$this->file_name]['gadgets'])) {
$GLOBALS['output'][$this->file_name]['gadgets']->treenodes[] = $new_find;
} else {
$block = new VulnBlock($this->tif . '_' . $this->tokens[$i][2] . '_' . basename($this->file_pointer), 'POP gadgets');
$block->vuln = true;
$block->treenodes[] = $new_find;
$GLOBALS['output'][$this->file_name]['gadgets'] = $block;
}
}
$c = 3;
while ($this->tokens[$i + $c] !== '{' && $this->tokens[$i + $c] !== ';') {
$c++;
}
// abstract functions ended
if ($this->tokens[$i + $c] === ';') {
$this->in_function--;
}
// write to user_functions offset list for referencing in output
$GLOBALS['user_functions_offset'][$ref_name][0] = $this->file_pointer;
$GLOBALS['user_functions_offset'][$ref_name][1] = $line_nr - 1;
// save function as object
$this->function_obj = new FunctionDeclare($this->dependencytokens = array_slice($this->tokens, $i - 1, $c + 1));
$this->function_obj->lines[] = $line_nr;
$this->function_obj->name = $function_name;
// save all function parameters
$this->function_obj->parameters = array();
$e = 1;
// until function test(...) {
// OR
// interface test { public function test(...); }
while ($this->tokens[$i + $e] !== '{' && $this->tokens[$i + $e] !== ';') {
if (is_array($this->tokens[$i + $e]) && $this->tokens[$i + $e][0] === T_VARIABLE) {
$this->function_obj->parameters[] = $this->tokens[$i + $e][1];
}
$e++;
}
// now skip the params from rest of scan,
// or function test($a=false, $b=false) will be detected as var declaration
$i += $e - 1;
// -1, because '{' must be evaluated again
}
} else {
if ($token_name === T_GLOBAL && $this->in_function) {
$this->globals_from_function[$this->function_obj->name] = array();
// get all globaled variables
$b = 1;
while ($this->tokens[$i + $b] !== ';') {
if ($this->tokens[$i + $b][0] === T_VARIABLE) {
// mark variable as global scope affecting
$this->put_in_global_scope[] = $this->tokens[$i + $b][1];
// add variable declaration to beginning of varlist
$new_var = new VarDeclare(array(array(T_GLOBAL, 'global', $line_nr), array(T_VARIABLE, $this->tokens[$i + $b][1], $line_nr), ';'), $this->comment);
$new_var->line = $line_nr;
$new_var->id = $i;
// overwrite old local vars
$this->var_declares_local[$this->tokens[$i + $b][1]] = array($new_var);
}
$b++;
}
} else {
if ($token_name === T_RETURN && $this->in_function == 1) {
$GLOBALS['userfunction_taints'] = false;
$GLOBALS['userfunction_secures'] = false;
$c = 1;
// get all variables in parameter list
while ($this->tokens[$i + $c] !== ';') {
if (is_array($this->tokens[$i + $c])) {
if ($this->tokens[$i + $c][0] === T_VARIABLE) {
// check if returned var is secured --> securing function
$new_find = new VulnTreeNode();
$userinput = $this->scan_parameter($new_find, $new_find, $this->tokens[$i + $c], $this->tokens[$i + $c][3], $i + $c, $this->var_declares_local, $this->var_declares_global, false, $GLOBALS['F_SECURES_ALL'], TRUE);
// add function to securing functions
// if it returns no userinput/function param
if ((!$userinput || $GLOBALS['userfunction_secures']) && !$this->ignore_securing_function) {
$GLOBALS['F_SECURING_STRING'][] = $this->function_obj->name;
}
// add function to userinput functions if userinput
// is fetched in the function and then returned (userinput == 1)
if ($userinput == 1 || $GLOBALS['userfunction_taints']) {
$this->source_functions[] = $this->function_obj->name;
}
} else {
if (in_array($this->tokens[$i + $c][1], $GLOBALS['F_SECURES_ALL']) || in_array($this->tokens[$i + $c][0], Tokens::$T_CASTS)) {
$GLOBALS['F_SECURING_STRING'][] = $this->function_obj->name;
break;
}
}
}
$c++;
}
} else {
if ($token_name === T_CLASS) {
$i++;
$this->class_name = $this->tokens[$i][1];
$this->vuln_classes[$this->class_name] = array();
$this->in_class = true;
$GLOBALS['info'][] = '<font color="red">Code is object-oriented. This is not supported yet and can lead to false negatives.</font>';
} else {
if ($token_name === T_NEW && $this->tokens[$i - 2][0] === T_VARIABLE) {
$this->class_vars[$this->tokens[$i - 2][1]] = $this->tokens[$i + 1][1];
} else {
if ($token_name === T_EXTENDS && $this->in_class) {
$this->vuln_classes[$this->class_name] = $this->vuln_classes[$this->tokens[$i + 1][1]];
} else {
if ($token_name === T_LIST) {
$d = 2;
while ($this->tokens[$i + $d] !== ')' && $this->tokens[$i + $d] !== ';') {
$d++;
if ($this->tokens[$i + $d] === ';' || !isset($this->tokens[$i + $d])) {
addError('Closing parenthesis of list() is missing.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer);
break;
}
}
$tokenscanstart = 0;
if ($this->tokens[$i + $d + 1] === '=' || in_array($this->tokens[$i + $d + 1][0], Tokens::$T_ASSIGNMENT)) {
$tokenscanstart = $d + 1;
}
$c = 2;
for ($c = 2; $c < $d; $c++) {
if (is_array($this->tokens[$i + $c]) && $this->tokens[$i + $c][0] === T_VARIABLE) {
$this->variable_add($this->tokens[$i + $c][1], array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i) + 1), ' list() ', $tokenscanstart, 0, $this->tokens[$i + $c][2], $i, isset($this->tokens[$i + $c][3]) ? $this->tokens[$i + $c][3] : array());
}
}
$i = $i + $c + 2;
} else {
if ($token_name === T_INCLUDE_END) {
array_pop($this->lines_stack);
$this->lines_pointer = end($this->lines_stack);
array_pop($this->inc_file_stack);
$this->file_pointer = end($this->inc_file_stack);
$this->comment = basename($this->file_pointer) == basename($this->file_name) ? '' : basename($this->file_pointer);
$this->tif = array_pop($this->tif_stack);
}
}
}
}
}
}
}
}
}
}
}
}
} else {
/*************************
BRACES
*************************/
// keep track of { program blocks }
// get current dependencies in program flow
if ($this->tokens[$i] === '{' && ($this->tokens[$i - 1] === ')' || $this->tokens[$i - 1] === ':' || $this->tokens[$i - 1] === ';' || is_array($this->tokens[$i - 1]) && ($this->tokens[$i - 1][0] === T_DO || $this->tokens[$i - 1][0] === T_ELSE || $this->tokens[$i - 1][0] === T_STRING || $this->tokens[$i - 1][0] === T_TRY || $this->tokens[$i - 1][0] === T_CATCH))) {
// save brace amount at start of function
if ($this->in_function && $this->brace_save_func < 0) {
$this->brace_save_func = $this->braces_open;
}
// save brace amount at start of class
if ($this->in_class && $this->brace_save_class < 0) {
$this->brace_save_class = $this->braces_open;
}
$this->in_condition = 0;
if (empty($e)) {
if (!$this->ignore_requirement) {
if (!empty($this->dependencytokens) && $this->dependencytokens[0][0] === T_ELSE && $this->dependencytokens[1][0] !== T_IF) {
$this->dependencytokens = $this->last_dependency;
$this->dependencytokens[] = array(T_ELSE, 'else', $this->dependencytokens[0][2]);
}
} else {
$this->ignore_requirement = false;
}
// add dependency (even push empty dependency on stack, it will get poped again)
$this->dependencies[$line_nr] = $this->dependencytokens;
$this->dependencytokens = array();
} else {
unset($e);
}
$this->braces_open++;
} else {
if ($this->tokens[$i] === '}' && ($this->tokens[$i - 1] === ';' || $this->tokens[$i - 1] === '}' || $this->tokens[$i - 1] === '{')) {
$this->braces_open--;
// delete current dependency
$this->last_dependency = array_pop($this->dependencies);
$this->dependencytokens = array();
// end of function found if brace amount = amount before function start
if ($this->in_function && $this->brace_save_func === $this->braces_open) {
$ref_name = ($this->in_class ? $this->class_name . '::' : '') . $this->function_obj->name;
// write ending to user_function list for referencing functions in output
$GLOBALS['user_functions_offset'][$ref_name][2] = $line_nr;
// reset vars for next function declaration
$this->brace_save_func = -1;
$this->ignore_securing_function = false;
$this->in_function--;
$this->function_obj = null;
$this->var_declares_local = array();
$this->put_in_global_scope = array();
// load new found vulnerable user functions to current scanlist
if (isset($GLOBALS['user_functions'][$this->file_name])) {
$this->scan_functions = array_merge($this->scan_functions, $GLOBALS['user_functions'][$this->file_name]);
}
}
// end of class found
if ($this->in_class && $this->brace_save_class === $this->braces_open) {
$this->brace_save_class = -1;
$this->in_class = false;
}
}
}
}
// token scanned
// detect if still in a vardeclare, otherwise delete saved infos
if (isset($vardeclare) && $vardeclare['end'] === $i) {
unset($vardeclare);
}
}
// all tokens scanned.
return $this->inc_map;
}