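/**
 * Processes the tokens that this sniff is interested in.
 *
 * Runs once per file (on the first token) and only for Drupal 7's
 * includes/bootstrap.inc, where core's VERSION constant is defined. The minor
 * version found there is compared against $utils::$CoreAdvisories and one
 * error is reported for every advisory whose fixed minor is newer.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    // One pass per file is enough; every token after the first is ignored.
    if ($stackPtr > 0) {
        return;
    }

    $fileName = $phpcsFile->getFileName();
    if (!preg_match('/includes\\/bootstrap\\.inc$/', $fileName)) {
        return;
    }

    $utils  = Security_Sniffs_UtilsFactory::getInstance('Drupal7');
    $tokens = $phpcsFile->getTokens();

    // Token 0 is the file's opening tag, never the 'VERSION' literal, so the
    // define('VERSION', '7.xx') has to be searched for from here instead of
    // comparing the token at $stackPtr.
    $namePtr = $phpcsFile->findNext(T_CONSTANT_ENCAPSED_STRING, $stackPtr, null, false, "'VERSION'");
    if ($namePtr === false) {
        return;
    }

    // The version literal is the next string token after the constant name.
    $valuePtr = $phpcsFile->findNext(T_CONSTANT_ENCAPSED_STRING, $namePtr + 1);
    if ($valuePtr === false || !preg_match('/(\\d+)\\.(\\d+)/', $tokens[$valuePtr]['content'], $m)) {
        // This is not the right Drupal file?
        return;
    }

    // Check if it's the right Drupal version: only 7.x advisories are known.
    if ($m[1] != 7) {
        return;
    }
    $minorversion = (int) $m[2];

    // An advisory keyed by a minor version newer than the installed one means
    // core is missing that security release.
    foreach ($utils::$CoreAdvisories as $fixedMinor => $value) {
        if ($minorversion < $fixedMinor) {
            // TODO clean the error and maybe the variable in Utils.. make a loop for fetch all bugs and addErrors?
            $phpcsFile->addError("FOUND core out of date {$minorversion} {$fixedMinor}, " . $value[0][0] . " cves: " . $value[0][1], $valuePtr, 'D7AdvCore');
        }
    }
}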
/**
 * Processes the tokens that this sniff is interested in.
 *
 * Looks at string literals containing '<' or '>' (markup being built by hand)
 * and walks the remainder of the statement, operand by operand, up to the next
 * semicolon. An operand that is direct user input is an error; in ParanoiaMode
 * any other operand not naming a known escaping function is a warning.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    $utils = Security_Sniffs_UtilsFactory::getInstance();
    $tokens = $phpcsFile->getTokens();
    // Only literals that look like markup are of interest.
    if (preg_match('/<|>/', $tokens[$stackPtr]['content'])) {
        // The scan is bounded by the end of the current statement.
        $end = $phpcsFile->findNext(T_SEMICOLON, $stackPtr + 1);
        $next = $stackPtr;
        // Step over '.' and whitespace/comments to land on the next operand.
        while ($next && ($next = $phpcsFile->findNext(array_merge(array(T_STRING_CONCAT), PHP_CodeSniffer_Tokens::$emptyTokens), $next + 1, $end, true))) {
            // Next token will be checked with this sniff, no need to go further
            if (in_array($tokens[$next]['code'], $this->register())) {
                return;
            }
            // A token naming a known escaping function is not reported.
            if ($next && !in_array($tokens[$next]['content'], $utils::getXSSMitigationFunctions())) {
                if ($utils::is_direct_user_input($tokens[$next]['content'])) {
                    $phpcsFile->addError('HTML construction with direct user input ' . $tokens[$next]['content'] . ' detected.', $stackPtr, 'D7XSSHTMLConstructErr');
                } elseif (PHP_CodeSniffer::getConfigData('ParanoiaMode') && !in_array($tokens[$next]['code'], array_merge(array(T_INLINE_ELSE, T_COMMA), PHP_CodeSniffer_Tokens::$booleanOperators))) {
                    // A ')' means a call result is concatenated in: report the
                    // nearest T_STRING before it, assumed to be the function name.
                    if ($tokens[$next]['code'] == T_CLOSE_PARENTHESIS) {
                        $f = $phpcsFile->findPrevious(T_STRING, $next);
                        if ($f) {
                            $phpcsFile->addWarning('HTML construction with ' . $tokens[$f]['content'] . '() detected.', $stackPtr, 'D7XSSHTMLConstructWarnF');
                        }
                    } else {
                        $phpcsFile->addWarning('HTML construction with ' . $tokens[$next]['content'] . ' detected.', $stackPtr, 'D7XSSHTMLConstructWarn');
                    }
                }
            }
            // Jump to the next concatenation; the loop condition steps past it.
            // NOTE(review): this may be a '.' inside a call's argument list.
            $next = $phpcsFile->findNext(T_STRING_CONCAT, $next + 1, $end);
        }
    }
}
/**
 * Processes the tokens that this sniff is interested in.
 *
 * Inspects what is assigned to, or read from, a '#value' key of a Drupal 7
 * form/render array. A bare read (`$x = $el['#value'];`) is a warning on the
 * receiving variable, a value taken straight from user input is an error, and
 * in ParanoiaMode any other dynamic value is a warning (for a known escaping
 * function, the variable passed to it is reported instead).
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    $utils   = Security_Sniffs_UtilsFactory::getInstance();
    $tokens  = $phpcsFile->getTokens();
    $literal = $tokens[$stackPtr]['content'];

    if ($literal != "'#value'" && $literal != '"#value"') {
        return;
    }

    $stmtEnd = $phpcsFile->findNext(T_SEMICOLON, $stackPtr);

    // First token after '#value' that is neither a bracket, whitespace/comment
    // nor an assignment operator: the value being set, or the ';' itself.
    $skip = array_merge(
        PHP_CodeSniffer_Tokens::$bracketTokens,
        PHP_CodeSniffer_Tokens::$emptyTokens,
        PHP_CodeSniffer_Tokens::$assignmentTokens
    );
    $operand = $phpcsFile->findNext($skip, $stackPtr + 1, $stmtEnd + 1, true);

    if ($operand == $stmtEnd && $tokens[$operand]['code'] == T_SEMICOLON) {
        // Case of $label = $element['#value']; report on the receiving variable.
        $assignPtr = $phpcsFile->findPrevious(PHP_CodeSniffer_Tokens::$assignmentTokens, $operand);
        $target    = $phpcsFile->findPrevious(T_VARIABLE, $assignPtr);
        $phpcsFile->addWarning('Potential XSS found with #value on ' . $tokens[$target]['content'], $target, 'D7XSSWarFormValue');
        return;
    }

    if (!$operand) {
        return;
    }

    if ($utils::is_token_user_input($tokens[$operand])) {
        $phpcsFile->addError('XSS found with #value on ' . $tokens[$operand]['content'], $operand, 'D7XSSErrFormValue');
        return;
    }

    if (!PHP_CodeSniffer::getConfigData('ParanoiaMode')) {
        return;
    }

    if (in_array($tokens[$operand]['content'], $utils::getXSSMitigationFunctions())) {
        // Escaped, but still flag the variable handed to the escaping function.
        $inner = $phpcsFile->findNext($utils::getVariableTokens(), $operand + 1, $stmtEnd);
        if ($inner) {
            $phpcsFile->addWarning('Potential XSS found with #value on ' . $tokens[$inner]['content'], $inner, 'D7XSSWarFormValue');
        }
    } else {
        $phpcsFile->addWarning('Potential XSS found with #value on ' . $tokens[$operand]['content'], $operand, 'D7XSSWarFormValue');
    }
}
/**
 * Processes the tokens that this sniff is interested in.
 *
 * Reports calls to filesystem functions (as listed by the utils) whose first
 * argument is dynamic: an error when it comes straight from user input, a
 * warning otherwise. symlink() gets an extra warning regardless of arguments.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    $utils    = Security_Sniffs_UtilsFactory::getInstance();
    $tokens   = $phpcsFile->getTokens();
    $funcName = $tokens[$stackPtr]['content'];

    if (!in_array($funcName, $utils::getFilesystemFunctions())) {
        return;
    }

    if ($funcName == 'symlink') {
        $phpcsFile->addWarning('Allowing symlink() while open_basedir is used is actually a security risk. Disabled by default in Suhosin >= 0.9.6', $stackPtr, 'WarnSymlink');
    }

    // Argument list of this call, searched within the current statement only.
    $opener = $phpcsFile->findNext(T_OPEN_PARENTHESIS, $stackPtr, null, false, null, true);
    if (!$opener) {
        // No opener found, so it's probably not a function call
        if (PHP_CodeSniffer::getConfigData('ParanoiaMode')) {
            $phpcsFile->addWarning('Filesystem function ' . $funcName . ' used but not as a function', $stackPtr, 'WarnWeirdFilesystem');
        }
        return;
    }
    $closer = $tokens[$opener]['parenthesis_closer'];

    // First argument token that is not whitespace/comment, a bracket or one of
    // the utils' static tokens: anything left is a dynamic parameter.
    $skip   = array_merge(PHP_CodeSniffer_Tokens::$emptyTokens, PHP_CodeSniffer_Tokens::$bracketTokens, Security_Sniffs_Utils::$staticTokens);
    $argPtr = $phpcsFile->findNext($skip, $stackPtr + 1, $closer, true);
    if (!$argPtr) {
        return;
    }

    $msg = 'Filesystem function ' . $funcName . '() detected with dynamic parameter';
    if ($utils::is_token_user_input($tokens[$argPtr])) {
        $phpcsFile->addError($msg . ' directly from user input', $stackPtr, 'ErrFilesystem');
    } else {
        $phpcsFile->addWarning($msg, $stackPtr, 'WarnFilesystem');
    }
}
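/**
 * Processes the tokens that this sniff is interested in.
 *
 * Reports calls to functions that accept a callback (as listed by the utils)
 * when the callback argument is dynamic: an error when it comes straight from
 * user input, a warning otherwise. For array_filter() the callback is the
 * optional second argument, so the scan starts after the first comma.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    $tokens   = $phpcsFile->getTokens();
    $utils    = Security_Sniffs_UtilsFactory::getInstance($this->CmsFramework);
    $funcName = $tokens[$stackPtr]['content'];

    if (!in_array($funcName, $utils::getCallbackFunctions())) {
        return;
    }

    // Argument list of this call, searched within the current statement only.
    // A matching name that is not followed by '(' is not a call (e.g. a method
    // or constant of the same name); without this guard $tokens[false] (token 0)
    // would be read and the scan would run with no closing bound.
    $opener = $phpcsFile->findNext(T_OPEN_PARENTHESIS, $stackPtr, null, false, null, true);
    if ($opener === false || !isset($tokens[$opener]['parenthesis_closer'])) {
        return;
    }
    $closer = $tokens[$opener]['parenthesis_closer'];

    $s = $stackPtr + 1;
    if ($funcName == 'array_filter') {
        // Case of array_filter() with only one argument: no callback, nothing to check.
        $comma = $phpcsFile->findNext(T_COMMA, $s, $closer);
        if (!$comma) {
            return;
        }
        // Start after the comma so the scan lands on the callback argument
        // rather than on the comma token itself.
        $s = $comma + 1;
    }

    // First argument token that is not whitespace/comment, a bracket, one of
    // the utils' static tokens or '.': anything left is a dynamic parameter.
    $skip   = array_merge(PHP_CodeSniffer_Tokens::$emptyTokens, PHP_CodeSniffer_Tokens::$bracketTokens, Security_Sniffs_Utils::$staticTokens, array(T_STRING_CONCAT));
    $argPtr = $phpcsFile->findNext($skip, $s, $closer, true);
    if ($argPtr === false) {
        return;
    }

    $msg = 'Function ' . $funcName . '() that supports callback detected';
    if ($utils::is_token_user_input($tokens[$argPtr])) {
        $phpcsFile->addError($msg . ' with parameter directly from user input', $stackPtr, 'ErrFringestuff');
    } else {
        $phpcsFile->addWarning($msg, $stackPtr, 'WarnFringestuff');
    }
}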
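/**
 * Processes the tokens that this sniff is interested in.
 *
 * Checks preg_replace() calls for the /e modifier, which on PHP 5 evaluates
 * the replacement string as PHP code (PHP 7 rejects the modifier outright).
 * A literal pattern is parsed for its delimiter -- any PCRE delimiter, with
 * bracket-style pairs handled -- and the modifier list after the closing
 * delimiter is checked for 'e'. When /e is present and the replacement comes
 * from user input the call is reported as remote code execution. A dynamic
 * pattern is a warning, or an error when it comes straight from user input.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    $utils  = Security_Sniffs_UtilsFactory::getInstance();
    $tokens = $phpcsFile->getTokens();

    if ($tokens[$stackPtr]['content'] != 'preg_replace') {
        return;
    }

    // Argument list of this call, searched within the current statement only;
    // a bare 'preg_replace' name that is not a call has none.
    $opener = $phpcsFile->findNext(T_OPEN_PARENTHESIS, $stackPtr, null, false, null, true);
    if ($opener === false || !isset($tokens[$opener]['parenthesis_closer'])) {
        return;
    }
    $closer = $tokens[$opener]['parenthesis_closer'];

    // First argument: the pattern.
    $patternPtr = $phpcsFile->findNext(PHP_CodeSniffer_Tokens::$emptyTokens, $opener + 1, $closer, true);
    if ($patternPtr === false) {
        return;
    }
    $patternToken = $tokens[$patternPtr];

    if ($patternToken['code'] == T_CONSTANT_ENCAPSED_STRING) {
        // Content still carries the surrounding quotes; the delimiter is the
        // first character inside them.
        $pattern = $patternToken['content'];
        $open    = substr($pattern, 1, 1);

        // PCRE accepts any non-alphanumeric, non-backslash, non-whitespace
        // character as delimiter; bracket-style delimiters close with their pair.
        $pairs = array('(' => ')', '[' => ']', '{' => '}', '<' => '>');
        if ($open !== false && $open !== '' && preg_match('/^[^\w\s\\\\]$/', $open)) {
            $close = isset($pairs[$open]) ? $pairs[$open] : $open;
            // Modifier list after the closing delimiter containing 'e', right
            // before the literal's closing quote (single- or double-quoted).
            if (preg_match('/' . preg_quote($close, '/') . '\w*e\w*["\']$/', $pattern)) {
                $phpcsFile->addWarning("Usage of preg_replace with /e modifier is not recommended.", $stackPtr, 'PregReplaceE');
                // Second argument: the replacement, which /e runs as PHP code.
                $replPtr = $phpcsFile->findNext(array(T_COMMA, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT), $patternPtr + 1, $closer, true);
                if ($replPtr !== false && $utils::is_token_user_input($tokens[$replPtr])) {
                    $phpcsFile->addError("User input and /e modifier found in preg_replace, remote code execution possible.", $stackPtr, 'PregReplaceUserInputE');
                }
            }
        } else {
            // Not a valid delimiter, so the modifiers cannot be located.
            $phpcsFile->addWarning("Weird usage of preg_replace, please check manually for /e modifier.", $stackPtr, 'PregReplaceWeird');
        }
    } elseif ($patternToken['code'] == T_VARIABLE && $utils::is_token_user_input($patternToken)) {
        $phpcsFile->addError("User input found in preg_replace, /e modifier could be used for malicious intent.", $stackPtr, 'PregReplaceUserInput');
    } else {
        $phpcsFile->addWarning("Dynamic usage of preg_replace, please check manually for /e modifier or user input.", $stackPtr, 'PregReplaceDyn');
    }
}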
/**
 * Processes the tokens that this sniff is interested in.
 *
 * Scans the expression following an output construct at $stackPtr (a '<?='
 * tag is handled explicitly; the other registered tokens are not visible
 * here) up to its end. Direct user input is reported as an XSS error at each
 * occurrence; operands wrapped in a known escaping function are skipped; in
 * paranoia mode the first remaining operand is reported once as a warning.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    $utils = Security_Sniffs_UtilsFactory::getInstance();
    // $this->forceParanoia (0 or 1) overrides the global ParanoiaMode setting;
    // a negative value means "use the global setting".
    if ($this->forceParanoia >= 0) {
        $parano = $this->forceParanoia ? 1 : 0;
    } else {
        $parano = PHP_CodeSniffer::getConfigData('ParanoiaMode') ? 1 : 0;
    }
    $tokens = $phpcsFile->getTokens();
    // NOTE(review): findNext() starts at $stackPtr itself, so $s is normally
    // $stackPtr; the T_OPEN_PARENTHESIS branch below is only reached when the
    // registered token is '(' -- confirm intent.
    $s = $phpcsFile->findNext(PHP_CodeSniffer_Tokens::$emptyTokens, $stackPtr, null, true, null, true);
    if ($tokens[$stackPtr]['code'] == T_OPEN_TAG_WITH_ECHO) {
        // <?= ... ?> : the expression runs to the closing tag.
        $closer = $phpcsFile->findNext(T_CLOSE_TAG, $stackPtr);
    } elseif ($tokens[$s]['code'] == T_OPEN_PARENTHESIS) {
        // Parenthesised form: the expression is bounded by the matching ')'.
        $closer = $tokens[$s]['parenthesis_closer'];
    } else {
        // Otherwise run to the end of the statement or the closing tag.
        $closer = $phpcsFile->findNext(array(T_SEMICOLON, T_CLOSE_TAG), $stackPtr);
        $s = $stackPtr;
    }
    $warn = false;
    while ($s) {
        // Next operand: skip whitespace/comments, brackets and the utils' static tokens.
        $s = $phpcsFile->findNext(array_merge(PHP_CodeSniffer_Tokens::$emptyTokens, PHP_CodeSniffer_Tokens::$bracketTokens, Security_Sniffs_Utils::$staticTokens), $s + 1, $closer, true);
        if ($s && $utils::is_token_user_input($tokens[$s])) {
            $phpcsFile->addError('Easy XSS detected because of direct user input with ' . $tokens[$s]['content'] . ' on ' . $tokens[$stackPtr]['content'], $s, 'EasyXSSerr');
        } elseif ($s && $utils::is_XSS_mitigation($tokens[$s]['content'])) {
            // Jump past the escaping call's argument list.
            // NOTE(review): assumes '(' is the very next token; whitespace between
            // the function name and '(' leaves 'parenthesis_closer' unset, which
            // ends the scan early -- confirm whether that is acceptable.
            $s = $tokens[$s + 1]['parenthesis_closer'];
        } elseif ($s && $parano && !$warn) {
            // Remember only the first candidate; a single warning is emitted below.
            $warn = $s;
        }
    }
    if ($warn) {
        $phpcsFile->addWarning('Possible XSS detected with ' . $tokens[$warn]['content'] . ' on ' . $tokens[$stackPtr]['content'], $warn, 'EasyXSSwarn');
    }
}
/**
 * Processes the tokens that this sniff is interested in.
 *
 * Runs once per file (on the first token) and only for Drupal .info files.
 * The file is parsed for its 'project', 'core' and 'version' keys and the
 * project is looked up in $utils::$ContribAdvisories. Abandoned/unsupported
 * projects are errors; otherwise the module version is compared against the
 * version of each advisory's fix and reported accordingly.
 *
 * NOTE(review): versions are compared as doubles ("1.10" becomes 1.1, below
 * "1.9" = 1.9), so a module at 1.10 with a fix released in 1.9 is reported as
 * out of date, while a module at 1.2 with a fix in 1.10 is treated as safe.
 * version_compare() on the major/minor parts would avoid both mistakes.
 * The two echo statements write to stdout instead of going through
 * addWarning(), which pollutes the report output.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    // One pass per file is enough; every token after the first is ignored.
    if ($stackPtr > 0) {
        return;
    }
    // Only Drupal 7 advisories are known here.
    $dversion = '7';
    $fileName = $phpcsFile->getFileName();
    if (!preg_match('/\\.info$/', $fileName)) {
        return;
    }
    $utils = Security_Sniffs_UtilsFactory::getInstance('Drupal7');
    $tokens = $phpcsFile->getTokens();
    // The .info file is re-read from disk and parsed as Drupal's info format.
    $info = $utils->drupal_parse_info_format(file_get_contents($fileName));
    if (isset($info) && count($info) && array_key_exists('project', $info) && array_key_exists($info['project'], $utils::$ContribAdvisories)) {
        // The first advisory entry's status decides abandoned/unsupported.
        if ($utils::$ContribAdvisories[$info['project']][0][0] == 'abandoned') {
            $phpcsFile->addError("Module " . $info['project'] . " is abandoned due to a security issue the maintainer never fixed. Details: " . $utils::$ContribAdvisories[$info['project']][0][1], $stackPtr, 'D7ErrAdvisoriesContribAbandonned');
            return;
        }
        if ($utils::$ContribAdvisories[$info['project']][0][0] == 'unsupported') {
            $phpcsFile->addError("Module " . $info['project'] . " is unsupported due to unfixed security issue. The Drupal Security Team recommends that this module be uninstalled immediately Details: " . $utils::$ContribAdvisories[$info['project']][0][1], $stackPtr, 'D7ErrAdvisoriesContribUnsupported');
            return;
        }
        if (array_key_exists('core', $info) && array_key_exists('version', $info)) {
            // Only modules declaring a 7.x core are compared.
            if (strpos($info['core'], $dversion) === 0) {
                foreach ($utils::$ContribAdvisories[$info['project']] as $vcve) {
                    // Advisory versions are expected as "<core>-<version>", e.g. 7.x-1.5;
                    // only the first two dash-separated parts are used.
                    list($a, $CVEversion) = explode('-', $vcve[0]);
                    if ($a != $info['core']) {
                        // NOTE(review): written to stdout, not to the phpcs report.
                        echo "WARNING Drupal core version inconsistence!!";
                    }
                    list($a, $mversion) = explode('-', $info['version']);
                    // "1.x" casts to 1.0; see the float-comparison caveat above.
                    $CVEversion = (double) $CVEversion;
                    if (preg_match('/dev/', $vcve[0])) {
                        $phpcsFile->addWarning("WARNING module " . $info['project'] . " does not have any release for the security fix, manual checking required. Details: " . $vcve[1], $stackPtr, 'D7WarnAdvisoriesContribDev');
                    }
                    if (preg_match('/rc|alpha|beta/', $vcve[0])) {
                        $phpcsFile->addWarning("WARNING module " . $info['project'] . " is using special version tagging around the security fix, manual checking recommanded. Details: " . $vcve[1], $stackPtr, 'D7WarnAdvisoriesContribrc');
                    }
                    $mversion = (double) $mversion;
                    // Positive diff: the fix is newer than the module. Less than 1 is
                    // read as "same major, minor behind", 1 or more as "major behind".
                    $diff = $CVEversion - $mversion;
                    if ($diff > 0 && $diff < 1) {
                        $phpcsFile->addError("Module " . $info['project'] . " " . $info['version'] . " contains security issue and must be updated to at least {$vcve['0']}. Details: " . $vcve[1], $stackPtr, 'D7ErrAdvisoriesContribFoundMinor');
                    } elseif ($diff >= 1) {
                        $phpcsFile->addWarning("Module " . $info['project'] . " " . $info['version'] . " is out of date a major version and might contains security issue. " . $vcve[1], $stackPtr, 'D7WarnAdvisoriesContribFoundMajor');
                    } elseif ($diff <= 0) {
                        // An advisory ending in "x" covers the whole branch, so even an
                        // up-to-date module on that branch is affected.
                        if (preg_match('/x$/', $vcve[0])) {
                            $phpcsFile->addError("Module " . $info['project'] . " " . $info['version'] . " contains security issue to all {$vcve['0']} versions. " . $vcve[1], $stackPtr, 'D7ErrAdvisoriesContribFoundMajor');
                        } else {
                            //echo "$fileName: SAFE! " . $info['version'] . "\n";
                        }
                    } else {
                        // Only reachable if $diff is not a number; written to stdout.
                        echo "MAJOR ERROR IN LOGIC!!!!!\n";
                    }
                }
            }
        } else {
            $phpcsFile->addWarning("Module " . $info['project'] . " is listed in advisories but file doesn't provide version information. Please use packages from drupal.org", $stackPtr, 'D7WarnAdvisoriesContribNoInfo');
        }
    }
}
/**
 * Processes the tokens that this sniff is interested in.
 *
 * Emits a warning for every occurrence of the phpinfo() function name, since
 * its output discloses configuration details useful to an attacker.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    $tokens = $phpcsFile->getTokens();
    // The utils instance is not used here but is obtained as elsewhere.
    $utils = Security_Sniffs_UtilsFactory::getInstance($this->CmsFramework);

    if ($tokens[$stackPtr]['content'] != 'phpinfo') {
        return;
    }

    $phpcsFile->addWarning('phpinfo() function detected', $stackPtr, 'WarnPhpinfo');
}
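/**
 * Processes the tokens that this sniff is interested in.
 *
 * Tracks mysqli connections and checks the SQL argument of query-running
 * calls. `new mysqli(...)` and `mysqli_connect(...)` register the assigned
 * variable as a SQL object; a `$obj->query(...)`-style call on a registered
 * object, or a procedural `mysqli_query(...)`-style call, is reported when
 * its SQL parameter is dynamic (error if straight from user input, warning
 * otherwise). mysqli_connect() itself is reported when a parameter comes
 * from user input.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    $utils  = Security_Sniffs_UtilsFactory::getInstance();
    $tokens = $phpcsFile->getTokens();
    // http://www.php.net/manual/en/book.mysqli.php
    // mysqli methods (and mysqli_* functions) that take an SQL string.
    $mysqlifunctions = array('query', 'prepare', 'multi_query', 'real_query');
    $code = $tokens[$stackPtr]['code'];

    if ($code == T_NEW) {
        // $db = new mysqli(...): remember $db for the '->' checks below.
        $s = $phpcsFile->findNext(T_STRING, $stackPtr);
        if ($s && $tokens[$s]['content'] == 'mysqli') {
            $s = $phpcsFile->findPrevious(T_VARIABLE, $stackPtr);
            if ($s) {
                $utils::addSQLObjects($tokens[$s]['content']);
            }
        }
    } elseif ($code == T_OBJECT_OPERATOR) {
        $prev = $phpcsFile->findPrevious(T_VARIABLE, $stackPtr);
        if ($prev && in_array($tokens[$prev]['content'], $utils::getSQLObjects())) {
            $next = $phpcsFile->findNext(T_STRING, $stackPtr);
            if ($next && in_array($tokens[$next]['content'], $mysqlifunctions)) {
                $s = $utils::findDirtyParam($phpcsFile, $next);
                if ($s) {
                    $msg = 'MYSQLi function ' . $tokens[$next]['content'] . '() detected with dynamic parameter ';
                    if ($utils::is_token_user_input($tokens[$s])) {
                        $phpcsFile->addError($msg . ' directly from user input', $stackPtr, 'ErrMysqli');
                    } else {
                        $phpcsFile->addWarning($msg, $stackPtr, 'WarnMysqli');
                    }
                }
            }
        }
    } elseif ($code == T_STRING && $tokens[$stackPtr]['content'] == 'mysqli_connect') {
        // $link = mysqli_connect(...): remember $link as a SQL object.
        $prev = $phpcsFile->findPrevious(T_VARIABLE, $stackPtr);
        if ($prev) {
            $utils::addSQLObjects($tokens[$prev]['content']);
        }
        $s = $utils::findDirtyParam($phpcsFile, $stackPtr);
        // The '->' branch treats a falsy result as "no dynamic parameter";
        // without the same guard here $tokens[false] (token 0) would be read.
        if ($s && $utils::is_token_user_input($tokens[$s])) {
            $phpcsFile->addError('mysqli_connect() param directly from user input', $stackPtr, 'ErrMysqliconnect');
        }
    } elseif ($code == T_STRING && in_array($tokens[$stackPtr]['content'], array_map(function ($v) { return 'mysqli_' . $v; }, $mysqlifunctions))) {
        // The first parameter is always the link; the SQL is the second one.
        $p2 = $utils::get_param_tokens($phpcsFile, $stackPtr, 2);
        if (empty($p2)) {
            // No second argument: nothing to check (and $p2[0] would be undefined).
            return;
        }
        $lastParamToken = end($p2);
        // First token of the parameter that is not whitespace/comment, a bracket,
        // one of the utils' static tokens or '.': anything left is dynamic.
        $skip = array_merge(PHP_CodeSniffer_Tokens::$emptyTokens, PHP_CodeSniffer_Tokens::$bracketTokens, Security_Sniffs_Utils::$staticTokens, array(T_STRING_CONCAT));
        $s = $phpcsFile->findNext($skip, $p2[0]['stackPtr'], $lastParamToken['stackPtr'] + 1, true);
        if ($s) {
            $msg = 'MYSQLi function ' . $tokens[$stackPtr]['content'] . '() detected with dynamic parameter ';
            if ($utils::is_token_user_input($tokens[$s])) {
                $phpcsFile->addError($msg . ' directly from user input', $stackPtr, 'ErrMysqli' . $tokens[$stackPtr]['content']);
            } else {
                $phpcsFile->addWarning($msg, $stackPtr, 'WarnMysqli' . $tokens[$stackPtr]['content']);
            }
        }
    }
}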
/**
 * Processes the tokens that this sniff is interested in.
 *
 * In paranoia mode only: warns on every use of a crypto function, i.e. any
 * name starting with "mcrypt_" or any name in the utils' crypto function
 * list, so that the call site can be reviewed by hand.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    // Run this sniff only in paranoia mode
    if (!PHP_CodeSniffer::getConfigData('ParanoiaMode')) {
        return;
    }

    $utils  = Security_Sniffs_UtilsFactory::getInstance();
    $tokens = $phpcsFile->getTokens();
    $name   = $tokens[$stackPtr]['content'];

    // The mcrypt_* prefix is matched first; the list lookup only runs otherwise.
    $isMcrypt = (bool) preg_match("/^mcrypt_/", $name);
    if (!$isMcrypt && !in_array($name, $utils::getCryptoFunctions())) {
        return;
    }

    $phpcsFile->addWarning('Crypto function ' . $name . ' used.', $stackPtr, 'WarnCryptoFunc');
}
/**
 * Processes the tokens that this sniff is interested in.
 *
 * In paranoia mode only: warns on a '#theme' render-array key that is set to
 * 'html_tag', or to anything other than a plain string literal. Outside of
 * paranoia mode nothing is reported.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    $utils   = Security_Sniffs_UtilsFactory::getInstance();
    $tokens  = $phpcsFile->getTokens();
    $literal = $tokens[$stackPtr]['content'];

    if ($literal != "'#theme'" && $literal != '"#theme"') {
        return;
    }

    // Both checks below are gated on paranoia mode.
    if (!PHP_CodeSniffer::getConfigData('ParanoiaMode')) {
        return;
    }

    // Next string literal after the key: the theme name when it is a literal.
    $themePtr = $phpcsFile->findNext(PHP_CodeSniffer_Tokens::$stringTokens, $stackPtr + 1);
    if ($tokens[$themePtr]['content'] == "'html_tag'") {
        $phpcsFile->addWarning('Potential XSS found with #theme and html_tag', $stackPtr, 'D7XSSWarhtmltag');
        return;
    }

    // First token after the key that is not a bracket, whitespace/comment or
    // assignment operator: the value assigned to '#theme'.
    $skip = array_merge(
        PHP_CodeSniffer_Tokens::$bracketTokens,
        PHP_CodeSniffer_Tokens::$emptyTokens,
        PHP_CodeSniffer_Tokens::$assignmentTokens
    );
    $valuePtr = $phpcsFile->findNext($skip, $stackPtr + 1, null, true);
    if ($valuePtr && $tokens[$valuePtr]['code'] != T_CONSTANT_ENCAPSED_STRING) {
        $phpcsFile->addWarning('Potential XSS found with #theme on ' . $tokens[$valuePtr]['content'], $stackPtr, 'D7XSSWarTheme');
    }
}
/**
 * Processes the tokens that this sniff is interested in.
 *
 * The token is an opening backtick (shell execution operator). If a variable
 * appears before the matching closing backtick the command is dynamic: an
 * error when the variable is direct user input, a warning otherwise.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    $utils  = Security_Sniffs_UtilsFactory::getInstance();
    $tokens = $phpcsFile->getTokens();

    // Closing backtick of this command, searched within the current statement.
    $closingTick = $phpcsFile->findNext(T_BACKTICK, $stackPtr + 1, null, false, null, true);
    if (!$closingTick) {
        return;
    }

    // Only the first interpolated variable is inspected.
    $varPtr = $phpcsFile->findNext(T_VARIABLE, $stackPtr + 1, $closingTick);
    if (!$varPtr) {
        return;
    }

    $msg = 'System execution with backticks detected with dynamic parameter';
    if ($utils::is_token_user_input($tokens[$varPtr])) {
        $phpcsFile->addError($msg . ' directly from user input', $stackPtr, 'ErrSystemExec');
    } else {
        $phpcsFile->addWarning($msg, $stackPtr, 'WarnSystemExec');
    }
}
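/**
 * Processes the tokens that this sniff is interested in.
 *
 * Reports calls to function-handling functions (as listed by the utils, e.g.
 * ones that invoke a function by name) whose first argument is dynamic: an
 * error when it comes straight from user input, a warning otherwise.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    $utils    = Security_Sniffs_UtilsFactory::getInstance($this->CmsFramework);
    $tokens   = $phpcsFile->getTokens();
    $funcName = $tokens[$stackPtr]['content'];

    if (!in_array($funcName, $utils::getFunctionhandlingFunctions())) {
        return;
    }

    // Argument list of this call, searched within the current statement only.
    // A matching name that is not followed by '(' is not a call (e.g. a method
    // or constant of the same name); without this guard $tokens[false] (token 0)
    // would be read and the scan would run with no closing bound.
    $opener = $phpcsFile->findNext(T_OPEN_PARENTHESIS, $stackPtr, null, false, null, true);
    if ($opener === false || !isset($tokens[$opener]['parenthesis_closer'])) {
        return;
    }
    $closer = $tokens[$opener]['parenthesis_closer'];

    // First argument token that is not whitespace/comment, a bracket, one of
    // the utils' static tokens or '.': anything left is a dynamic parameter.
    $skip   = array_merge(PHP_CodeSniffer_Tokens::$emptyTokens, PHP_CodeSniffer_Tokens::$bracketTokens, Security_Sniffs_Utils::$staticTokens, array(T_STRING_CONCAT));
    $argPtr = $phpcsFile->findNext($skip, $stackPtr + 1, $closer, true);
    if ($argPtr === false) {
        return;
    }

    $msg = 'Function handling function ' . $funcName . '() detected with dynamic parameter';
    if ($utils::is_token_user_input($tokens[$argPtr])) {
        $phpcsFile->addError($msg . ' directly from user input', $stackPtr, 'ErrFunctionHandling');
    } else {
        $phpcsFile->addWarning($msg, $stackPtr, 'WarnFunctionHandling');
    }
}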
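/**
 * Processes the tokens that this sniff is interested in.
 *
 * Reports mysql_query() calls whose first argument (the SQL) is dynamic: an
 * error when it comes straight from user input, a warning otherwise. String
 * concatenation is skipped over, so `"... " . $var` is reported on $var.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    $utils    = Security_Sniffs_UtilsFactory::getInstance();
    $tokens   = $phpcsFile->getTokens();
    $funcName = $tokens[$stackPtr]['content'];

    // http://www.php.net/manual/en/book.mysql.php
    if ($funcName != 'mysql_query') {
        return;
    }

    // Argument list of this call, searched within the current statement only.
    // A 'mysql_query' name that is not followed by '(' is not a call; without
    // this guard $tokens[false] (token 0) would be read and the scan would run
    // with no closing bound.
    $opener = $phpcsFile->findNext(T_OPEN_PARENTHESIS, $stackPtr, null, false, null, true);
    if ($opener === false || !isset($tokens[$opener]['parenthesis_closer'])) {
        return;
    }
    $closer = $tokens[$opener]['parenthesis_closer'];

    // First argument token that is not whitespace/comment, a bracket, one of
    // the utils' static tokens or '.': anything left is a dynamic parameter.
    $skip   = array_merge(PHP_CodeSniffer_Tokens::$emptyTokens, PHP_CodeSniffer_Tokens::$bracketTokens, Security_Sniffs_Utils::$staticTokens, array(T_STRING_CONCAT));
    $argPtr = $phpcsFile->findNext($skip, $stackPtr + 1, $closer, true);
    if ($argPtr === false) {
        return;
    }

    // NOTE(review): the codes 'ErrFilesystem'/'WarnFilesystem' are the
    // filesystem sniff's, not a SQL-specific pair; kept unchanged because
    // rulesets may reference them for exclusions.
    $msg = 'SQL function ' . $funcName . '() detected with dynamic parameter ';
    if ($utils::is_token_user_input($tokens[$argPtr])) {
        $phpcsFile->addError($msg . ' directly from user input', $stackPtr, 'ErrFilesystem');
    } else {
        $phpcsFile->addWarning($msg, $stackPtr, 'WarnFilesystem');
    }
}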
/**
 * Processes the tokens that this sniff is interested in.
 *
 * Scans the expression following the registered token at $stackPtr
 * (presumably an include/require keyword, given the RFI messages) up to
 * the end of the statement. Direct user input is reported as an error at
 * each occurrence; in paranoia mode every other operand except '.' is
 * reported as a warning.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    $utils = Security_Sniffs_UtilsFactory::getInstance($this->CmsFramework);
    $tokens = $phpcsFile->getTokens();
    // NOTE(review): findNext() starts at $stackPtr itself, so $s is normally
    // $stackPtr; the T_OPEN_PARENTHESIS branch is only reached when the
    // registered token is '(' -- confirm intent.
    $s = $phpcsFile->findNext(PHP_CodeSniffer_Tokens::$emptyTokens, $stackPtr, null, true, null, true);
    if ($tokens[$s]['code'] == T_OPEN_PARENTHESIS) {
        // Parenthesised form: the expression is bounded by the matching ')'.
        $closer = $tokens[$s]['parenthesis_closer'];
    } else {
        // Otherwise the expression runs to the end of the statement.
        $closer = $phpcsFile->findNext(T_SEMICOLON, $stackPtr);
        $s = $stackPtr;
    }
    while ($s) {
        // Next operand: skip whitespace/comments, brackets and the utils' static tokens.
        $s = $phpcsFile->findNext(array_merge(PHP_CodeSniffer_Tokens::$emptyTokens, PHP_CodeSniffer_Tokens::$bracketTokens, Security_Sniffs_Utils::$staticTokens), $s + 1, $closer, true);
        if ($s && $utils::is_token_user_input($tokens[$s])) {
            // NOTE(review): reported as an error but under the warning's code 'WarnEasyRFI'.
            $phpcsFile->addError('Easy RFI detected because of direct user input with ' . $tokens[$s]['content'] . ' on ' . $tokens[$stackPtr]['content'], $s, 'WarnEasyRFI');
        } elseif ($s && $this->ParanoiaMode && $tokens[$s]['content'] != '.') {
            // NOTE(review): reads $this->ParanoiaMode, whereas the other sniffs use
            // PHP_CodeSniffer::getConfigData('ParanoiaMode') -- confirm the property is set.
            $phpcsFile->addWarning('Possible RFI detected with ' . $tokens[$s]['content'] . ' on ' . $tokens[$stackPtr]['content'], $s, 'WarnEasyRFI');
        }
    }
}
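/**
 * Processes the tokens that this sniff is interested in.
 *
 * Reports every call to an ftp_* function. When the first argument is dynamic
 * the report is an error if it comes straight from user input and a warning
 * otherwise; a call with only static arguments is still reported as a warning.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file where the token was found.
 * @param int                  $stackPtr  The position in the stack where
 *                                        the token was found.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) {
    $tokens   = $phpcsFile->getTokens();
    $utils    = Security_Sniffs_UtilsFactory::getInstance($this->CmsFramework);
    $funcName = $tokens[$stackPtr]['content'];

    if (!preg_match("/^ftp_/", $funcName)) {
        return;
    }

    // Argument list of this call, searched within the current statement only.
    // A matching name that is not followed by '(' is not a call (e.g. a method
    // or constant of the same name); without this guard $tokens[false] (token 0)
    // would be read and the scan would run with no closing bound.
    $opener = $phpcsFile->findNext(T_OPEN_PARENTHESIS, $stackPtr, null, false, null, true);
    if ($opener === false || !isset($tokens[$opener]['parenthesis_closer'])) {
        return;
    }
    $closer = $tokens[$opener]['parenthesis_closer'];

    // First argument token that is not whitespace/comment, a bracket, one of
    // the utils' static tokens or '.': anything left is a dynamic parameter.
    $skip   = array_merge(PHP_CodeSniffer_Tokens::$emptyTokens, PHP_CodeSniffer_Tokens::$bracketTokens, Security_Sniffs_Utils::$staticTokens, array(T_STRING_CONCAT));
    $argPtr = $phpcsFile->findNext($skip, $stackPtr + 1, $closer, true);

    $msg = 'Unusual function ' . $funcName . '() detected';
    if ($argPtr === false) {
        // Static arguments only: still worth a look, so warn.
        $phpcsFile->addWarning($msg, $stackPtr, 'WarnFringestuff');
        return;
    }

    if ($utils::is_token_user_input($tokens[$argPtr])) {
        $phpcsFile->addError($msg . ' with parameter directly from user input', $stackPtr, 'ErrFringestuff');
    } else {
        $phpcsFile->addWarning($msg, $stackPtr, 'WarnFringestuff');
    }
}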