/**
  * 分离isset结构中的类型
  * isset($id) ? $_GET['id'] : 2;
  * 转为:
  * 		array($_GET[id],2)
  * @param unknown $node
  */
 public function setItemByNode($node)
 {
     //处理三元表达式
     if ($node->getType() == "Expr_Ternary") {
         if ($node->if->getType() == "Expr_Ternary") {
             $this->setItemByNode($node->if);
         }
         if ($node->else->getType() == "Expr_Ternary") {
             $this->setItemByNode($node->else);
         }
         $if_node = SymbolUtils::getSymbolByNode($node->if);
         $else_node = SymbolUtils::getSymbolByNode($node->else);
         $if_node && $this->addSymbol($if_node);
         $else_node && $this->addSymbol($else_node);
     } else {
         return;
     }
 }
 /**
  * @param Node $node
  * @param 数据流 $dataFlow
  */
 public static function setSanitiInfo($node, $dataFlow, $block, $fileSummary)
 {
     $dataFlows = $block->getBlockSummary()->getDataFlowMap();
     $sanitiInfo = self::SantiniFuncHandler($node, $fileSummary);
     $sanitiInfo = null;
     if ($sanitiInfo) {
         $args = NodeUtils::getFuncParamsNode($node);
         if (count($args) > 0) {
             if (!$dataFlow->getValue()) {
                 $arg = SymbolUtils::getSymbolByNode($args[0]);
                 $dataFlow->setValue($arg);
             }
         }
         //向上追踪变量,相同变量的净化信息,全部添加
         $funcParams = NodeUtils::getNodeFuncParams($node);
         //traceback
         $sameVarSanitiInfo = array();
         foreach ($funcParams as $param) {
             $dataFlows = $block->getBlockSummary()->getDataFlowMap();
             $dataFlows = array_reverse($dataFlows);
             $ret = self::sanitiSameVarMultiBlockHandler($param, $block, $dataFlows, $fileSummary);
             //如果一个参数没有净化,则未净化
             if (!$ret[0]) {
                 $sameVarSanitiInfo = array();
                 break;
             }
             $sameVarSanitiInfo = array_merge($sameVarSanitiInfo, $ret['funcs']);
         }
         //加入此变量的净化信息中
         foreach ($sameVarSanitiInfo as $oneFunction) {
             $dataFlow->getLocation()->addSanitization($oneFunction);
         }
         $dataFlow->getLocation()->addSanitization($sanitiInfo);
     }
     $funcName = NodeUtils::getNodeFunctionName($node);
     //清除反作用的函数
     SanitizationHandler::clearSantiInfo($funcName, $node, $dataFlow);
 }
 /**
  * 处理赋值性的一些内置函数
  * 比如:
  * 		$id = urlencode($_GET['id']) ;
  * @param unknown $part
  * @param unknown $type
  * @param unknown $dataFlow
  */
 public static function assignFuncHandler($part, $type, $dataFlow, $funcName)
 {
     $single_func = self::getSingleFuncs();
     $encoding_convert = array('iconv');
     if ($type == "right" && array_key_exists($funcName, $single_func)) {
         //首先搜索不安全字符的转换函数
         if (in_array($funcName, $encoding_convert)) {
             $oneFunction = new OneFunction($funcName);
             $dataFlow->getLocation()->addSanitization($oneFunction);
         }
         $position = $single_func[$funcName];
         $value = $part->args[$position]->value;
         //解决trim(urlencode($id))的方法嵌套问题
         if ($value->getType() == 'Expr_FuncCall') {
             $new_name = NodeUtils::getNodeFunctionName($value);
             self::assignFuncHandler($value, $type, $dataFlow, $new_name);
         }
         if ($dataFlow->getValue() != null) {
             return;
         }
         $vars = SymbolUtils::getSymbolByNode($value);
         $dataFlow->setValue($vars);
     }
 }
 /**
  * 根据sink的类型、危险参数的净化信息列表、编码列表
  * 判断是否是有效的净化
  * 返回:
  * 		(1)true		=>得到净化
  * 		(2)false	=>没有净化
  * 'XSS','SQLI','HTTP','CODE','EXEC','LDAP','INCLUDE','FILE','XPATH','FILEAFFECT'
  * @param string $type 漏洞的类型,使用TypeUtils可以获取
  * @param Symbol $var 危险参数
  * @param array $saniArr 危险参数的净化信息栈
  * @param array $encodingArr 危险参数的编码信息栈
  */
 public function isSanitization($type, $var, $saniArr_obj, $encodingArr)
 {
     //整理saniArr
     $saniArr = array();
     if (is_object($saniArr_obj)) {
         foreach ($saniArr_obj as $value) {
             array_push($saniArr, $value->funcName);
         }
     } else {
         $saniArr = $saniArr_obj;
     }
     $is_clean = null;
     $var_type = '';
     if ($var instanceof Node) {
         $var = SymbolUtils::getSymbolByNode($var);
     }
     if ($var instanceof ValueSymbol) {
         return true;
     }
     //如果symbol类型为int,直接返回安全true
     if (!in_array($var->getType(), array('string', 'valueInt'))) {
         return true;
     }
     //根据不同的漏洞类型进行判断
     switch ($type) {
         case 'SQLI':
             $sql_analyser = new SqliAnalyser();
             $is_clean = $sql_analyser->analyse($var, $saniArr, $encodingArr);
             break;
         case 'XSS':
             $xss_analyser = new XssAnalyser();
             $is_clean = $xss_analyser->analyse($var, $saniArr, $encodingArr);
             break;
         case 'HTTP':
             $http_analyser = new HeaderAnalyser();
             $is_clean = $http_analyser->analyse($var, $saniArr, $encodingArr);
             break;
         case 'CODE':
             $code_analyser = new CodeAnalyser();
             $is_clean = $code_analyser->analyse($var, $saniArr, $encodingArr);
             break;
         case 'EXEC':
             $exec_analyser = new ExecAnalyser();
             $is_clean = $exec_analyser->analyse($var, $saniArr, $encodingArr);
             break;
         case 'LDAP':
             $ldap_analyser = new LDPAAnalyser();
             $is_clean = $ldap_analyser->analyse($var, $saniArr, $encodingArr);
             break;
         case 'INCLUDE':
             $include_analyser = new IncludeAnalyser();
             $is_clean = $include_analyser->analyse($var, $saniArr, $encodingArr);
             break;
         case 'FILE':
             $file_analyser = new FileAnalyser();
             $is_clean = $file_analyser->analyse($var, $saniArr, $encodingArr);
             break;
         case 'XPATH':
             $xpath_analyser = new XPathAnalyser();
             $is_clean = $xpath_analyser->analyse($var, $saniArr, $encodingArr);
             break;
         case 'FILEAFFECT':
             $file_affect_analyser = new FileAffectAnalyser();
             $is_clean = $file_affect_analyser->analyse($var, $saniArr, $encodingArr);
             break;
     }
     return $is_clean;
 }
 public function leaveNode(Node $node)
 {
     $type = $node->getType();
     if ($type == "Expr_BinaryOp_Concat") {
         if ($node->right) {
             //转为symbol
             $right_symbol = SymbolUtils::getSymbolByNode($node->right);
             $right_symbol != null && array_push($this->items, $right_symbol);
         }
         if ($node->left->getType() != "Expr_BinaryOp_Concat") {
             $left_symbol = SymbolUtils::getSymbolByNode($node->left);
             $left_symbol != null && array_push($this->items, $left_symbol);
         }
     } else {
         if ($type == "Scalar_Encapsed") {
             foreach ($node->parts as $item) {
                 if (!is_object($item)) {
                     $valueSymbol = new ValueSymbol();
                     $valueSymbol->setValue($item);
                     $valueSymbol != null && array_push($this->items, $valueSymbol);
                 } else {
                     $setItem = SymbolUtils::getSymbolByNode($item);
                     $setItem != null && array_push($this->items, $setItem);
                 }
             }
         }
     }
 }
 /**
  * 分析传入node赋值语句,以及当前block,
  * 生成block summary中的一条记录
  * @param ASTNode $node 赋值语句
  * @param BasicBlock $block
  * @param string $type 处理赋值语句的var和expr类型(left or right)
  */
 private function assignHandler($node, $block, $dataFlow, $type)
 {
     global $scan_type;
     $part = null;
     if ($type == "left") {
         $part = $node->var;
     } else {
         if ($type == "right") {
             $part = $node->expr;
         } else {
             return;
         }
     }
     //处理$GLOBALS的赋值
     //$GLOBAL['name'] = "chongrui" ; 数据流信息为 $name = "chongrui" ;
     if ($part && SymbolUtils::isArrayDimFetch($part) && substr(NodeUtils::getNodeStringName($part), 0, 7) == "GLOBALS") {
         //加入dataFlow
         $arr = new ArrayDimFetchSymbol();
         $arr->setValue($part);
         if ($type == "left") {
             $dataFlow->setLocation($arr);
             $dataFlow->setName(NodeUtils::getNodeGLOBALSNodeName($part));
             //加入registerglobal
             $this->registerGLOBALSHandler($part, $block);
         } else {
             if ($type == "right") {
                 $dataFlow->setValue($arr);
             }
         }
         return;
     }
     //处理赋值语句,存放在DataFlow
     //处理赋值语句的左边
     if ($part && SymbolUtils::isValue($part)) {
         //在DataFlow加入Location以及name
         $vs = new ValueSymbol();
         $vs->setValueByNode($part);
         if ($type == "left") {
             $dataFlow->setLocation($vs);
             $dataFlow->setName($part->name);
         } else {
             if ($type == "right") {
                 $dataFlow->setValue($vs);
             }
         }
     } elseif ($part && SymbolUtils::isVariable($part)) {
         //加入dataFlow
         $vars = new VariableSymbol();
         $vars->setValue($part);
         if ($type == "left") {
             $dataFlow->setLocation($vars);
             $dataFlow->setName($part->name);
         } else {
             if ($type == "right") {
                 $dataFlow->setValue($part);
             }
         }
     } elseif ($part && SymbolUtils::isConstant($part)) {
         //加入dataFlow
         $con = new ConstantSymbol();
         $con->setValueByNode($part);
         $con->setName($part->name->parts[0]);
         if ($type == "left") {
             $dataFlow->setLocation($con);
             $dataFlow->setName($part->name);
         } else {
             if ($type == "right") {
                 $dataFlow->setValue($con);
             }
         }
     } elseif ($part && SymbolUtils::isArrayDimFetch($part)) {
         //加入dataFlow
         $arr = new ArrayDimFetchSymbol();
         $arr->setValue($part);
         $arr->setNameByNode($node);
         if ($type == "left") {
             $dataFlow->setLocation($arr);
             $dataFlow->setName(NodeUtils::getNodeStringName($part));
         } else {
             if ($type == "right") {
                 $dataFlow->setValue($arr);
             }
         }
     } elseif ($part && SymbolUtils::isConcat($part)) {
         $concat = new ConcatSymbol();
         $concat->setItemByNode($part);
         if ($type == "left") {
             $dataFlow->setLocation($concat);
             $dataFlow->setName($part->name);
         } else {
             if ($type == "right") {
                 $dataFlow->setValue($concat);
             }
         }
     } else {
         //不属于已有的任何一个symbol类型,如函数调用,类型转换
         if ($part && ($part->getType() == "Expr_FuncCall" || $part->getType() == "Expr_MethodCall" || $part->getType() == "Expr_StaticCall")) {
             //处理 id = urlencode($_GET['id']) ;
             if ($type == 'right' && !SymbolUtils::isValue($part)) {
                 $funcName = NodeUtils::getNodeFunctionName($part);
                 BIFuncUtils::assignFuncHandler($part, $type, $dataFlow, $funcName);
                 if ($dataFlow->getValue() != null) {
                     //如果处理完函数赋值,则立即返回
                     $block->getBlockSummary()->addDataFlowItem($dataFlow);
                     return;
                 } else {
                     //处理 id = urlencode($_GET['id']) ;
                     //检查是否为sink函数
                     $this->functionHandler($part, $block, $this->fileSummary);
                     //处理净化信息和编码信息
                     SanitizationHandler::setSanitiInfo($part, $dataFlow, $block, $this->fileSummary);
                     EncodingHandler::setEncodeInfo($part, $dataFlow, $block, $this->fileSummary);
                 }
             }
         }
         //处理类型强制转换
         if ($part && ($part->getType() == "Expr_Cast_Int" || $part->getType() == "Expr_Cast_Double") && $type == "right") {
             $dataFlow->getLocation()->setType("int");
             $symbol = SymbolUtils::getSymbolByNode($part->expr);
             $dataFlow->setValue($symbol);
         }
         //处理三元表达式
         if ($part && $part->getType() == "Expr_Ternary") {
             BIFuncUtils::ternaryHandler($type, $part, $dataFlow);
         }
         //处理双引号中包含的变量
         if ($part && $part->getType() == "Scalar_Encapsed") {
             $symbol = SymbolUtils::getSymbolByNode($part);
             $dataFlow->setValue($symbol);
         }
     }
     //else
     //处理完一条赋值语句,加入DataFlowMap
     if ($type == "right") {
         $block->getBlockSummary()->addDataFlowItem($dataFlow);
     }
 }