Example #1
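/**
 * Propagates and reports user-taint and secret-taint for one CFG node.
 *
 * Three node kinds are handled: statement nodes (assignments and returns),
 * conditional nodes, and loop headers (while / for / foreach). Findings are
 * written to standard output with print; newly tainted variables are attached
 * to the per-node taint sets, and tainted returns are recorded on
 * $cfg_taint_map.
 *
 * @param object $current_node                  CFG node being analysed.
 * @param mixed  $user_tainted_variables_map    Indexed by CFG node; each entry must offer
 *                                              contains() and attach() (user-taint set).
 * @param mixed  $secret_tainted_variables_map  Same shape, for secret-taint.
 * @param object $cfg_taint_map                 Receives setReturnsUserTaint() /
 *                                              setReturnsSecretTaint() for tainted returns.
 *
 * @return void
 */
function processTaint($current_node, $user_tainted_variables_map, $secret_tainted_variables_map, $cfg_taint_map)
{
    // The third argument of isTainted() is True on every user-taint call and
    // False on every secret-taint call; presumably it selects the taint kind
    // (isTainted() is defined outside this block - confirm).
    if (CFGNode::isCFGNodeStmt($current_node) && $current_node->stmt) {
        $stmt = $current_node->stmt;
        if ($stmt instanceof PhpParser\Node\Expr\Assign || $stmt instanceof PhpParser\Node\Expr\AssignOp) {
            // Resolve the assigned name for plain variables and array indexing.
            // NOTE(review): for an array write, `$lhs->var` is assumed to be a plain
            // variable. Nested dimensions or property fetches are not told apart
            // here, so taint on such targets may be missed or recorded under the
            // wrong name - confirm against the parser's node shapes.
            $lhs = $stmt->var;
            if ($lhs instanceof PhpParser\Node\Expr\Variable) {
                $lhs_var = $lhs->name;
            } elseif ($lhs instanceof PhpParser\Node\Expr\ArrayDimFetch) {
                $lhs_var = $lhs->var->name;
            } else {
                // Unsupported assignment target: nothing is propagated, so this
                // message marks a potential false negative in the analysis.
                $lhs_var = null;
                print "ERROR: Unrecognized LHS type of an assignment while performing taint analysis.\n";
            }
            if ($lhs_var && !$user_tainted_variables_map[$current_node]->contains($lhs_var) && isTainted($stmt->expr, $user_tainted_variables_map[$current_node], True)) {
                $user_tainted_variables_map[$current_node]->attach($lhs_var);
                print "The variable " . $lhs_var . " became user-tainted.\n";
            }
            if ($lhs_var && !$secret_tainted_variables_map[$current_node]->contains($lhs_var) && isTainted($stmt->expr, $secret_tainted_variables_map[$current_node], False)) {
                $secret_tainted_variables_map[$current_node]->attach($lhs_var);
                print "The variable " . $lhs_var . " became secret-tainted.\n";
            }
        } elseif ($stmt instanceof PhpParser\Node\Stmt\Return_) {
            // A tainted return expression marks the whole CFG as returning taint.
            // The flag is set on the $cfg_taint_map parameter. The earlier code
            // called these setters on an undefined $cfgTaintMap, so the call
            // could not reach the object the caller passed in and return taint
            // was never recorded.
            // NOTE(review): a bare `return;` has a null expression; whether
            // isTainted() accepts null is not visible here - confirm.
            if (isTainted($stmt->expr, $user_tainted_variables_map[$current_node], True)) {
                print "The return statement is user-tainted.\n";
                $cfg_taint_map->setReturnsUserTaint(True);
            }
            if (isTainted($stmt->expr, $secret_tainted_variables_map[$current_node], False)) {
                print "The return statement is secret-tainted.\n";
                $cfg_taint_map->setReturnsSecretTaint(True);
            }
        }
    } elseif (CFGNode::isCFGNodeCond($current_node) && $current_node->expr) {
        // If the conditional contains an assignment, propagate its taint
        // besides checking for taint in the conditional.
        if ($current_node->expr instanceof PhpParser\Node\Expr\Assign) {
            // The warning is printed only when the variable is newly tainted,
            // because the contains() check guards the whole branch.
            if (!$user_tainted_variables_map[$current_node]->contains($current_node->expr->var->name) && isTainted($current_node->expr->expr, $user_tainted_variables_map[$current_node], True)) {
                // Leading space added: the message used to run the variable name into "became".
                print "The variable " . $current_node->expr->var->name . " became user tainted.\n";
                $user_tainted_variables_map[$current_node]->attach($current_node->expr->var->name);
                print "WARNING: Conditional node is user-tainted:\n";
            }
            if (!$secret_tainted_variables_map[$current_node]->contains($current_node->expr->var->name) && isTainted($current_node->expr->expr, $secret_tainted_variables_map[$current_node], False)) {
                print "The variable " . $current_node->expr->var->name . " became secret tainted.\n";
                $secret_tainted_variables_map[$current_node]->attach($current_node->expr->var->name);
                print "WARNING: Conditional node is secret-tainted:\n";
            }
        } else {
            if (isTainted($current_node->expr, $secret_tainted_variables_map[$current_node], False)) {
                print "WARNING: Conditional node is secret-tainted:\n";
            }
            if (isTainted($current_node->expr, $user_tainted_variables_map[$current_node], True)) {
                print "WARNING: Conditional node is user-tainted:\n";
            }
        }
    } elseif (CFGNode::isCFGNodeLoopHeader($current_node) && $current_node->expr) {
        print "Analyzing loop header.\n";
        // The loop condition is either a boolean expression or an assignment
        // that propagates taint.
        if ($current_node->isWhileLoop()) {
            // Propagate taint when the conditional consists of an assignment.
            if ($current_node->expr->cond instanceof PhpParser\Node\Expr\Assign) {
                if (!$user_tainted_variables_map[$current_node]->contains($current_node->expr->cond->var->name) && isTainted($current_node->expr->cond->expr, $user_tainted_variables_map[$current_node], True)) {
                    print "The variable " . $current_node->expr->cond->var->name . " became user tainted.\n";
                    $user_tainted_variables_map[$current_node]->attach($current_node->expr->cond->var->name);
                    print "WARNING: Loop header node is user-tainted:\n";
                }
                if (!$secret_tainted_variables_map[$current_node]->contains($current_node->expr->cond->var->name) && isTainted($current_node->expr->cond->expr, $secret_tainted_variables_map[$current_node], False)) {
                    print "The variable " . $current_node->expr->cond->var->name . " became secret tainted.\n";
                    $secret_tainted_variables_map[$current_node]->attach($current_node->expr->cond->var->name);
                    print "WARNING: Loop header node is secret-tainted:\n";
                }
            } else {
                if (isTainted($current_node->expr->cond, $user_tainted_variables_map[$current_node], True)) {
                    print "While Loop is user-tainted.\n";
                }
                if (isTainted($current_node->expr->cond, $secret_tainted_variables_map[$current_node], False)) {
                    print "While Loop is secret-tainted.\n";
                }
            }
        } elseif ($current_node->isForLoop()) {
            // Detect taint for conditional expressions of the for loop.
            foreach ($current_node->expr->cond as $condExpr) {
                if (isTainted($condExpr, $user_tainted_variables_map[$current_node], True)) {
                    print "For Loop condition is user-tainted.\n";
                }
                if (isTainted($condExpr, $secret_tainted_variables_map[$current_node], False)) {
                    print "For Loop is secret-tainted.\n";
                }
            }
        } elseif ($current_node->isForeachLoop()) {
            // Detect taint for source expression of the foreach loop.
            foreach ($current_node->expr->expr as $sourceExpr) {
                if (isTainted($sourceExpr, $user_tainted_variables_map[$current_node], True)) {
                    print "Foreach Loop condition is user-tainted.\n";
                }
                if (isTainted($sourceExpr, $secret_tainted_variables_map[$current_node], False)) {
                    print "Foreach Loop is secret-tainted.\n";
                }
            }
        }
    }
}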
Example #2
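 /**
  * Runs the parent constructor and starts the node with no expression.
  */
 public function __construct()
 {
     parent::__construct();
     // Assign to the instance property. A bare `$expr = NULL;` only creates a
     // local variable that is discarded when the constructor returns, leaving
     // the node's expression uninitialised for any later `->expr` read.
     // NOTE(review): presumably the class declares an `expr` property - confirm.
     $this->expr = null;
 }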
Example #3
 /**
  * Runs the parent constructor, then clears the node's expression and
  * loop type so both start out as null.
  */
 public function __construct()
 {
     parent::__construct();

     // Both fields stay null until they are set elsewhere.
     $this->expr = null;
     $this->loop_type = null;
 }
Example #4
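 /**
  * Prints a CFG node and forwards the expression it carries to
  * processCFGNodeExpr().
  *
  * - Statement nodes: for an assignment only the right-hand side is
  *   forwarded; any other statement is forwarded whole.
  * - Conditional nodes: the condition expression is forwarded as is.
  * - Loop headers: only while-loops are handled (see the TODO below).
  *
  * @param object $cfgNode            CFG node to process.
  * @param mixed  $callGraphNode      Passed through unchanged to processCFGNodeExpr().
  * @param mixed  $functionSignatures Passed through unchanged to processCFGNodeExpr().
  *
  * @return void
  */
 public function processCFGNode($cfgNode, $callGraphNode, $functionSignatures)
 {
     print "The node.\n";
     $cfgNode->printCFGNode();
     print "The class " . get_class($cfgNode) . "\n";

     if (CFGNode::isCFGNodeStmt($cfgNode) && $cfgNode->stmt) {
         $stmt = $cfgNode->getStmt();
         // The class name must be spelled PhpParser\Node\Expr\Assign. With the
         // earlier "Expt" spelling, instanceof quietly evaluated to false, so a
         // plain assignment never took the right-hand-side path and was
         // forwarded whole like any other statement.
         $is_assignment = $stmt instanceof PhpParser\Node\Expr\Assign
             || $stmt instanceof PhpParser\Node\Expr\AssignOp;
         $this->processCFGNodeExpr($is_assignment ? $stmt->expr : $stmt, $callGraphNode, $functionSignatures);
     } elseif (CFGNode::isCFGNodeCond($cfgNode) && $cfgNode->expr) {
         // The assignment and non-assignment cases made the same call with the
         // whole condition, so a single call covers both.
         $this->processCFGNodeExpr($cfgNode->expr, $callGraphNode, $functionSignatures);
     } elseif (CFGNode::isCFGNodeLoopHeader($cfgNode)) {
         // TODO: Process Foreach and For loops.
         // NOTE(review): unlike the two branches above, `expr` is not checked
         // for null before `->cond` is read - confirm loop headers always
         // carry an expression here.
         if ($cfgNode->isWhileLoop()) {
             $this->processCFGNodeExpr($cfgNode->expr->cond, $callGraphNode, $functionSignatures);
         }
     }
 }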
Example #5
 /**
  * Runs the parent constructor, then starts the node with no statement
  * and with the back-edge flag cleared.
  */
 public function __construct()
 {
     parent::__construct();

     // No statement attached yet; not marked as a back edge.
     $this->stmt = null;
     $this->back_edge = false;
 }
Example #6
 /**
  * Prints the CFG reachable from $cfg_node in pre-order: the node first,
  * then each of its successors recursively.
  *
  * @param object|null $cfg_node Node to start from; a falsy value ends the walk.
  * @param object      $visited  Set of nodes already printed (contains()/attach());
  *                              it stops the recursion from revisiting a node.
  *
  * @return void
  */
 function print_preorder($cfg_node, $visited)
 {
     // Nothing to print for a missing node.
     if (!$cfg_node) {
         return;
     }
     // Each node is printed once, which also ends the walk on cycles.
     if ($visited->contains($cfg_node)) {
         return;
     }
     $visited->attach($cfg_node);

     if (CFGNode::isCFGNodeStmt($cfg_node)) {
         if ($cfg_node->stmt) {
             printStmts([$cfg_node->stmt]);
         }
     } elseif (CFGNode::isCFGNodeCond($cfg_node)) {
         // TODO: Figure out how to print
         // conditional nodes.
         print "WARNING: Conditional node not printed\n";
     }

     // Visit the successors in index order.
     $index = 0;
     while ($index < count($cfg_node->successors)) {
         CFG::print_preorder($cfg_node->successors[$index], $visited);
         $index++;
     }
 }