/**
* 得到一个文件基本信息FileSummary,包括路径,基本块,包含的文件等
* @param string $absPath
*/
public static function getFileSummary($absPath)
{
if (!$absPath) {
return;
}
$visitor = new MyVisitor();
$parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative());
$traverser = new PhpParser\NodeTraverser();
$code = file_get_contents($absPath);
try {
$stmts = $parser->parse($code);
} catch (Exception $e) {
return;
}
$traverser->addVisitor($visitor);
$traverser->traverse($stmts);
$nodes = $visitor->getNodes();
$fileSummary = new FileSummary();
$fileSummary->setPath($absPath);
$currBlock = new BasicBlock();
foreach ($nodes as $node) {
if (!is_object($node)) {
continue;
}
//不分析函数定义
if ($node->getType() == "Stmt_Function") {
continue;
}
$currBlock->addNode($node);
}
$fileSummaryGenerator = new FileSummaryGenerator();
$fileSummaryGenerator->simulate($currBlock, $fileSummary);
return $fileSummary;
}
function display(array $data = array())
{
$data = parent::display($data);
if (!defined('CALENDAR_ROOT')) {
define('CALENDAR_ROOT', xarModVars::get('calendar', 'pearcalendar_root'));
}
include_once CALENDAR_ROOT . 'Month/Weekdays.php';
include_once CALENDAR_ROOT . 'Decorator/Textual.php';
sys::import("modules.calendar.class.Calendar.Decorator.Xaraya");
// Build the month
$data['content'] = xarMod::apiFunc('calendar', 'user', 'getuserdatetimeinfo');
$data['content']['MonthCal'] = new Calendar_Month_Weekdays($data['content']['cal_year'], $data['content']['cal_month'], CALENDAR_FIRST_DAY_OF_WEEK);
$data['content']['MonthCal']->build();
return $data;
}
/**
* Display func.
* @param $blockinfo array
* @returns $blockinfo array
*/
function display(array $data = array())
{
$data = parent::display($data);
if (empty($data)) {
return;
}
if (!defined('CALENDAR_ROOT')) {
define('CALENDAR_ROOT', xarModVars::get('calendar', 'pearcalendar_root'));
}
include_once CALENDAR_ROOT . 'Calendar.php';
$tplData['form_action'] = xarModURL('calendar', 'user', 'changecalnav');
$tplData['blockid'] = $data['bid'];
if (xarServer::getVar('REQUEST_METHOD') == 'GET') {
// URL of this page
$tplData['return_url'] = xarServer::getCurrentURL();
} else {
// Base URL of the site
$tplData['return_url'] = xarServer::getBaseURL();
}
$data['content'] = $tplData;
return $data;
}
/**
* 污点分析中,对当前基本块的探测
* @param BasicBlock $block 当前基本块
* @param Node $node 当前调用sink的node
* @param string $argName 危险参数的名称
* @param FileSummary $fileSummary 当前文件的文件摘要
*
*/
public function currBlockTaintHandler($block, $node, $argName, $fileSummary, $flowNum = 0)
{
$tempNum = $flowNum;
//获取数据流信息
$flows = $block->getBlockSummary()->getDataFlowMap();
$flows = array_reverse($flows);
//逆序处理flows
//将处理过的flow移除
while ($tempNum) {
$tempNum--;
array_shift($flows);
}
foreach ($flows as $flow) {
$flowNum++;
if ($flow->getName() == $argName) {
//处理净化信息,如果被编码或者净化则返回safe
//先对左边的变量进行查询
if (is_object($flow->getLocation())) {
$target = $flow->getLocation();
$type = TypeUtils::getTypeByFuncName(NodeUtils::getNodeFunctionName($node));
$encodingArr = $target->getEncoding();
$saniArr = $target->getSanitization();
$res = $this->isSanitization($type, $target, $saniArr, $encodingArr);
if ($res == true) {
return "safe";
}
}
//获取flow中的右边赋值变量
//得到flow->getValue()的变量node
//$sql = $a . $b ; => array($a,$b)
$vars = $this->getVarsByFlow($flow);
foreach ($vars as $var) {
if ($var instanceof ValueSymbol || !is_object($var)) {
continue;
}
$varName = $this->getVarName($var);
//如果var右边有source项
if (in_array($varName, $this->sourcesArr)) {
// $ret = $this->multiFileHandler($block, $varName, $node, $fileSummary) ;
// if($ret == 'safe'){
// continue ;
// }
//报告漏洞
$path = $fileSummary->getPath();
$this->report($path, $path, $node, $flow->getLocation(), $type);
continue;
} else {
//首先进行文件夹的分析
$this->multiFileHandler($block, $varName, $node, $fileSummary);
//文件间分析失败,递归
$this->currBlockTaintHandler($block, $node, $varName, $fileSummary, $flowNum);
}
}
}
}
}
/**
* sink单块回溯
* @param string $argName
* @param BasicBlock $block
* @param flowNum 遍历过的flow数量
* @return array
*/
public function sinkTracebackBlock($argName, $block, $flowsNum)
{
$flows = $block->getBlockSummary()->getDataFlowMap();
//需要将遍历过的dataflow删除
$temp = $flowsNum;
while ($temp > 0) {
array_pop($flows);
$temp--;
}
//将块内数据流逆序,从后往前遍历
$flows = array_reverse($flows);
foreach ($flows as $flow) {
$flowsNum++;
//trace back
if ($flow->getName() == $argName) {
//处理净化信息
if ($flow->getLocation()->getSanitization()) {
return "safe";
}
//得到flow->getValue()的变量node
//$sql = $a . $b ; => array($a,$b)
if ($flow->getValue() instanceof ConcatSymbol) {
$vars = $flow->getValue()->getItems();
} else {
$vars = array($flow->getValue());
}
$retarr = array();
foreach ($vars as $var) {
$var = NodeUtils::getNodeStringName($var);
$ret = $this->sinkMultiBlockTraceback($var, $block, $flowsNum);
//变量经过净化,这不需要跟踪该变量
if ($ret == "safe") {
$retarr = array_slice($retarr, array_search($var, $retarr));
} else {
$retarr = array_merge($ret, $retarr);
}
}
return $retarr;
}
}
if ($argName instanceof Node) {
$argName = NodeUtils::getNodeStringName($argName);
return array($argName);
}
return $this->sinkMultiBlockTraceback($argName, $block, $flowsNum);
}
