/**
* 处理赋值的assign语句,添加至dataFlows中
* @param AST $node
* @param DataFlow $dataFlow
* @param string $type
*/
public function assignHandler($node, $dataFlow, $type, $block, $fileSummary)
{
$part = null;
if ($type == "left") {
$part = $node->var;
} else {
if ($type == "right") {
$part = $node->expr;
} else {
return;
}
}
//处理$GLOBALS的赋值
//$GLOBAL['name'] = "chongrui" ; 数据流信息为 $name = "chongrui" ;
if ($part && SymbolUtils::isArrayDimFetch($part) && substr(NodeUtils::getNodeStringName($part), 0, 7) == "GLOBALS") {
//加入dataFlow
$arr = new ArrayDimFetchSymbol();
$arr->setValue($part);
if ($type == "left") {
$dataFlow->setLocation($arr);
$dataFlow->setName(NodeUtils::getNodeGLOBALSNodeName($part));
} else {
if ($type == "right") {
$dataFlow->setValue($arr);
}
}
return;
}
//处理赋值语句,存放在DataFlow
//处理赋值语句的左边
if ($part && SymbolUtils::isValue($part)) {
//在DataFlow加入Location以及name
$vs = new ValueSymbol();
$vs->setValueByNode($part);
if ($type == "left") {
$dataFlow->setLocation($vs);
$dataFlow->setName($part->name);
} else {
if ($type == "right") {
$dataFlow->setValue($vs);
}
}
} elseif ($part && SymbolUtils::isVariable($part)) {
//加入dataFlow
$vars = new VariableSymbol();
$vars->setValue($part);
if ($type == "left") {
$dataFlow->setLocation($vars);
$dataFlow->setName($part->name);
} else {
if ($type == "right") {
$dataFlow->setValue($part);
}
}
} elseif ($part && SymbolUtils::isConstant($part)) {
//加入dataFlow
$con = new ConstantSymbol();
$con->setValueByNode($part);
$con->setName($part->name->parts[0]);
if ($type == "left") {
$dataFlow->setLocation($con);
$dataFlow->setName($part->name);
} else {
if ($type == "right") {
$dataFlow->setValue($con);
}
}
} elseif ($part && SymbolUtils::isArrayDimFetch($part)) {
//加入dataFlow
$arr = new ArrayDimFetchSymbol();
$arr->setValue($part);
if ($type == "left") {
$dataFlow->setLocation($arr);
$dataFlow->setName(NodeUtils::getNodeStringName($part));
} else {
if ($type == "right") {
$dataFlow->setValue($arr);
}
}
} elseif ($part && SymbolUtils::isConcat($part)) {
$concat = new ConcatSymbol();
$concat->setItemByNode($part);
if ($type == "left") {
$dataFlow->setLocation($concat);
$dataFlow->setName($part->name);
} else {
if ($type == "right") {
$dataFlow->setValue($concat);
}
}
} else {
//不属于已有的任何一个symbol类型,如函数调用
if ($part && ($part->getType() == "Expr_FuncCall" || $part->getType() == "Expr_MethodCall" || $part->getType() == "Expr_StaticCall")) {
if ($type == "left") {
$dataFlow->setLocation($arr);
$dataFlow->setName(NodeUtils::getNodeStringName($part));
} else {
if ($type == "right") {
//处理净化信息和编码信息
SanitizationHandler::setSanitiInfo($part, $dataFlow, $block, $fileSummary);
EncodingHandler::setEncodeInfo($part, $dataFlow, $block, $fileSummary);
}
}
}
//处理三元表达式
if ($part && $part->getType() == "Expr_Ternary") {
BIFuncUtils::ternaryHandler($type, $part, $dataFlow);
}
}
}
/**
* 分析传入node赋值语句,以及当前block,
* 生成block summary中的一条记录
* @param ASTNode $node 赋值语句
* @param BasicBlock $block
* @param string $type 处理赋值语句的var和expr类型(left or right)
*/
private function assignHandler($node, $block, $dataFlow, $type)
{
global $scan_type;
$part = null;
if ($type == "left") {
$part = $node->var;
} else {
if ($type == "right") {
$part = $node->expr;
} else {
return;
}
}
//处理$GLOBALS的赋值
//$GLOBAL['name'] = "chongrui" ; 数据流信息为 $name = "chongrui" ;
if ($part && SymbolUtils::isArrayDimFetch($part) && substr(NodeUtils::getNodeStringName($part), 0, 7) == "GLOBALS") {
//加入dataFlow
$arr = new ArrayDimFetchSymbol();
$arr->setValue($part);
if ($type == "left") {
$dataFlow->setLocation($arr);
$dataFlow->setName(NodeUtils::getNodeGLOBALSNodeName($part));
//加入registerglobal
$this->registerGLOBALSHandler($part, $block);
} else {
if ($type == "right") {
$dataFlow->setValue($arr);
}
}
return;
}
//处理赋值语句,存放在DataFlow
//处理赋值语句的左边
if ($part && SymbolUtils::isValue($part)) {
//在DataFlow加入Location以及name
$vs = new ValueSymbol();
$vs->setValueByNode($part);
if ($type == "left") {
$dataFlow->setLocation($vs);
$dataFlow->setName($part->name);
} else {
if ($type == "right") {
$dataFlow->setValue($vs);
}
}
} elseif ($part && SymbolUtils::isVariable($part)) {
//加入dataFlow
$vars = new VariableSymbol();
$vars->setValue($part);
if ($type == "left") {
$dataFlow->setLocation($vars);
$dataFlow->setName($part->name);
} else {
if ($type == "right") {
$dataFlow->setValue($part);
}
}
} elseif ($part && SymbolUtils::isConstant($part)) {
//加入dataFlow
$con = new ConstantSymbol();
$con->setValueByNode($part);
$con->setName($part->name->parts[0]);
if ($type == "left") {
$dataFlow->setLocation($con);
$dataFlow->setName($part->name);
} else {
if ($type == "right") {
$dataFlow->setValue($con);
}
}
} elseif ($part && SymbolUtils::isArrayDimFetch($part)) {
//加入dataFlow
$arr = new ArrayDimFetchSymbol();
$arr->setValue($part);
$arr->setNameByNode($node);
if ($type == "left") {
$dataFlow->setLocation($arr);
$dataFlow->setName(NodeUtils::getNodeStringName($part));
} else {
if ($type == "right") {
$dataFlow->setValue($arr);
}
}
} elseif ($part && SymbolUtils::isConcat($part)) {
$concat = new ConcatSymbol();
$concat->setItemByNode($part);
if ($type == "left") {
$dataFlow->setLocation($concat);
$dataFlow->setName($part->name);
} else {
if ($type == "right") {
$dataFlow->setValue($concat);
}
}
} else {
//不属于已有的任何一个symbol类型,如函数调用,类型转换
if ($part && ($part->getType() == "Expr_FuncCall" || $part->getType() == "Expr_MethodCall" || $part->getType() == "Expr_StaticCall")) {
//处理 id = urlencode($_GET['id']) ;
if ($type == 'right' && !SymbolUtils::isValue($part)) {
$funcName = NodeUtils::getNodeFunctionName($part);
BIFuncUtils::assignFuncHandler($part, $type, $dataFlow, $funcName);
if ($dataFlow->getValue() != null) {
//如果处理完函数赋值,则立即返回
$block->getBlockSummary()->addDataFlowItem($dataFlow);
return;
} else {
//处理 id = urlencode($_GET['id']) ;
//检查是否为sink函数
$this->functionHandler($part, $block, $this->fileSummary);
//处理净化信息和编码信息
SanitizationHandler::setSanitiInfo($part, $dataFlow, $block, $this->fileSummary);
EncodingHandler::setEncodeInfo($part, $dataFlow, $block, $this->fileSummary);
}
}
}
//处理类型强制转换
if ($part && ($part->getType() == "Expr_Cast_Int" || $part->getType() == "Expr_Cast_Double") && $type == "right") {
$dataFlow->getLocation()->setType("int");
$symbol = SymbolUtils::getSymbolByNode($part->expr);
$dataFlow->setValue($symbol);
}
//处理三元表达式
if ($part && $part->getType() == "Expr_Ternary") {
BIFuncUtils::ternaryHandler($type, $part, $dataFlow);
}
//处理双引号中包含的变量
if ($part && $part->getType() == "Scalar_Encapsed") {
$symbol = SymbolUtils::getSymbolByNode($part);
$dataFlow->setValue($symbol);
}
}
//else
//处理完一条赋值语句,加入DataFlowMap
if ($type == "right") {
$block->getBlockSummary()->addDataFlowItem($dataFlow);
}
}
