/**
 * Record the encoding information of the summary
 * @param Node $node
 * @param DataFlow $dataFlow
 * @param block $block
 * @param fileSummary $fileSummary
 */
public static function setEncodeInfo($node, $dataFlow, $block, $fileSummary)
{
    global $F_ENCODING_STRING;
    $funcName = NodeUtils::getNodeFunctionName($node);
    // A function that performs an encoding operation was found: add the encoding information to the map
    if (in_array($funcName, $F_ENCODING_STRING)) {
        $dataFlow->getLocation()->addEncoding($funcName);
        // Trace the variables upward and add all sanitization information of the same variables
        $funcParams = NodeUtils::getNodeFuncParams($node);
        // traceback
        $sameVarEncodeInfo = array();
        foreach ($funcParams as $param) {
            $dataFlows = $block->getBlockSummary()->getDataFlowMap();
            $dataFlows = array_reverse($dataFlows);
            $ret = self::encodeSameVarMultiBlockHandler($param, $block, $dataFlows);
            // If any one parameter is not sanitized, the result is not sanitized
            if (!$ret[0]) {
                $sameVarEncodeInfo = array();
                break;
            }
            $sameVarEncodeInfo = array_merge($sameVarEncodeInfo, $ret['funcs']);
        }
        // Add them to the sanitization information of this variable.
        // A separate loop variable is used so that $funcName is not overwritten
        // before it is passed to clearEncodeInfo() below.
        foreach ($sameVarEncodeInfo as $oneFunction) {
            $dataFlow->getLocation()->addEncoding($oneFunction);
        }
    }
    // Clear decoding
    EncodingHandler::clearEncodeInfo($funcName, $node, $dataFlow);
    //print_r($dataFlow);
}
/**
 * Record the sanitization information of the summary
 * @param Node $node
 * @param DataFlow $dataFlow
 * @param block $block
 * @param fileSummary $fileSummary
 */
public static function setSanitiInfo($node, $dataFlow, $block, $fileSummary)
{
    $sanitiInfo = self::SantiniFuncHandler($node, $fileSummary);
    if ($sanitiInfo) {
        $args = NodeUtils::getFuncParamsNode($node);
        if (count($args) > 0) {
            if (!$dataFlow->getValue()) {
                $arg = SymbolUtils::getSymbolByNode($args[0]);
                $dataFlow->setValue($arg);
            }
        }
        // Trace the variables upward and add all sanitization information of the same variables
        $funcParams = NodeUtils::getNodeFuncParams($node);
        // traceback
        $sameVarSanitiInfo = array();
        foreach ($funcParams as $param) {
            $dataFlows = $block->getBlockSummary()->getDataFlowMap();
            $dataFlows = array_reverse($dataFlows);
            $ret = self::sanitiSameVarMultiBlockHandler($param, $block, $dataFlows, $fileSummary);
            // If any one parameter is not sanitized, the result is not sanitized
            if (!$ret[0]) {
                $sameVarSanitiInfo = array();
                break;
            }
            $sameVarSanitiInfo = array_merge($sameVarSanitiInfo, $ret['funcs']);
        }
        // Add them to the sanitization information of this variable
        foreach ($sameVarSanitiInfo as $oneFunction) {
            $dataFlow->getLocation()->addSanitization($oneFunction);
        }
        $dataFlow->getLocation()->addSanitization($sanitiInfo);
    }
    $funcName = NodeUtils::getNodeFunctionName($node);
    // Clear the functions that undo a sanitization
    SanitizationHandler::clearSantiInfo($funcName, $node, $dataFlow);
}
public function leaveNode(Node $node)
{
    // Handle inter-procedural code, i.e. the source of the called method's definition
    if ($node->getType() == 'Expr_FuncCall'
        || $node->getType() == 'Expr_MethodCall'
        || $node->getType() == 'Expr_StaticCall') {
        // Get the name of the called method
        $nodeName = NodeUtils::getNodeFunctionName($node);
        $ret = NodeUtils::isSinkFunction($nodeName, $this->scan_type);
        // Identify the dangerous parameters
        if ($ret[0] == true) {
            // Handle a built-in sink (e.g. mysql_query was found)
            // array(where): positions of the dangerous parameters
            $args = $ret[1];
            if (is_array($args[0])) {
                $args = $args[0];
            }
            $vars = $this->senstivePostion($node, $this->block, $args);
            $type = TypeUtils::getTypeByFuncName($nodeName);
            if ($vars) {
                // Return the processing result: the positions of all related variables
                $this->vars = array_merge($this->vars, $vars);
            }
            if ($type) {
                // Return the sink type
                $this->sinkType = $type;
            }
        } elseif (array_key_exists($nodeName, $this->sinkContext->getAllSinks())) {
            // Handle a user-defined function that has already been added to the sink context
            $type = TypeUtils::getTypeByFuncName($nodeName);
            if ($type) {
                // Return the sink type
                $this->sinkType = $type;
            }
            $context = Context::getInstance();
            $funcName = NodeUtils::getNodeFunctionName($node);
            $funcBody = $context->getClassMethodBody(
                $funcName,
                $this->fileSummary->getPath(),
                $this->fileSummary->getIncludeMap()
            );
            if (!$funcBody) {
                // Method body not found: nothing to trace ("break" outside a loop is a fatal error in PHP)
                return;
            }
            $arr = $this->sinkContext->getAllSinks();
            $arr = $arr[$nodeName];
            foreach ($arr as $pos) {
                $argName = NodeUtils::getNodeFuncParams($node);
                $argName = $argName[$pos];
                // Note: each iteration overwrites $this->vars with the traceback result for this position
                $this->vars = $this->sinkMultiBlockTraceback($argName, $this->block, 0);
            }
        }
    }
}
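The three methods above implement one pattern: each statement's data flow carries the sanitizers and encoders applied to its value; when a sanitizing call is reached, the sanitization information of its arguments is merged in only if every argument was itself sanitized (otherwise the merged set is dropped); decoding calls clear the matching encoding; and at a sink call, the variables at the sink's sensitive argument positions are traced back to decide whether a finding is raised. The following Python model is an added example written for this page, not code from the analyzer: the sink, sanitizer and decoder tables and the sample program are constructed, and the statement format is an assumption chosen to keep the example short.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed configuration standing in for the analyzer's sink/sanitizer tables (assumption).
# sanitizer function -> vulnerability type it neutralises
SANITIZERS: Dict[str, str] = {
    "intval": "sqli",
    "mysql_real_escape_string": "sqli",
    "htmlspecialchars": "xss",
}
# decoder function -> the sanitizer/encoder it undoes (models clearSantiInfo / clearEncodeInfo)
DECODERS: Dict[str, str] = {"htmlspecialchars_decode": "htmlspecialchars"}
# sink function -> (vulnerability type, sensitive argument positions), like the sink context
SINKS: Dict[str, Tuple[str, List[int]]] = {
    "mysql_query": ("sqli", [0]),
    "echo": ("xss", [0]),
    "user_query": ("sqli", [1]),  # constructed user-defined sink: 2nd argument is dangerous
}


@dataclass
class DataFlow:
    """Taint state of one variable: whether it is user-controlled and which sanitizers touched it."""
    tainted: bool
    sanitizations: Set[str]


def taint_of(env: Dict[str, DataFlow], arg: str) -> DataFlow:
    """Look a call argument up in the data-flow map; string literals (no '$') are never tainted."""
    if arg.startswith("$"):
        return env.get(arg, DataFlow(False, set()))
    return DataFlow(False, set())


def merge_call(func: str, args: List[str], env: Dict[str, DataFlow]) -> DataFlow:
    """Data flow of a call result, using the page's conservative merge rule."""
    tainted_args = [d for d in (taint_of(env, a) for a in args) if d.tainted]
    if not tainted_args:
        return DataFlow(False, set())
    # Same-variable rule: if any tainted argument has no sanitization, none of the
    # arguments' sanitization information survives into the result.
    if any(not d.sanitizations for d in tainted_args):
        common: Set[str] = set()
    else:
        common = set().union(*(d.sanitizations for d in tainted_args))
    if func in SANITIZERS:          # the call itself sanitizes its result
        common.add(func)
    if func in DECODERS:            # the call undoes an earlier sanitizer/encoder
        common.discard(DECODERS[func])
    return DataFlow(True, common)


def analyze(program: List[tuple]) -> List[Tuple[int, str, str, str]]:
    """Walk the statements in order and report (index, sink, variable, vuln type) findings."""
    env: Dict[str, DataFlow] = {}
    findings: List[Tuple[int, str, str, str]] = []
    for i, stmt in enumerate(program):
        if stmt[0] == "assign":
            _, var, src = stmt
            env[var] = DataFlow(True, set()) if src == "input" else merge_call(src[1], src[2], env)
        elif stmt[0] == "sink":
            _, func, args = stmt
            vuln, positions = SINKS[func]
            for pos in positions:
                if pos >= len(args):
                    continue
                d = taint_of(env, args[pos])
                # A sanitizer only counts if it neutralises this sink's vulnerability type.
                if d.tainted and not any(SANITIZERS.get(s) == vuln for s in d.sanitizations):
                    findings.append((i, func, args[pos], vuln))
    return findings


# Constructed sample program (assumption): ("assign", var, "input" | ("call", func, args)) / ("sink", func, args)
PROGRAM = [
    ("assign", "$id", "input"),
    ("assign", "$name", "input"),
    ("assign", "$safe_id", ("call", "intval", ["$id"])),
    ("assign", "$q", ("call", "concat", ["$safe_id", "$name"])),   # one unsanitized arg: sanitization lost
    ("sink", "mysql_query", ["$q"]),                                # reported: sqli
    ("assign", "$esc", ("call", "htmlspecialchars", ["$name"])),
    ("sink", "echo", ["$esc"]),                                     # safe
    ("assign", "$dec", ("call", "htmlspecialchars_decode", ["$esc"])),
    ("sink", "echo", ["$dec"]),                                     # reported: decoder cleared the sanitizer
    ("sink", "user_query", ["SELECT 1", "$safe_id"]),               # safe: position 1 is intval'd
]

if __name__ == "__main__":
    for finding in analyze(PROGRAM):
        print(finding)
```

The model deliberately keeps the page's conservative choice: a value built from one sanitized and one unsanitized variable is treated as unsanitized, which trades false positives for not missing the case where the escaped part is not the one reaching the sink.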