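/**
 * Propagates user taint and secret taint through one CFG node and prints what it finds.
 *
 * Statement nodes: an assignment whose right-hand side is tainted adds the assigned
 * variable to the node's taint set; a tainted return expression is recorded on the
 * CFG taint map. Conditional and loop-header nodes: a tainted condition is reported,
 * and an assignment used as the condition also taints its target variable.
 *
 * This function only ever adds names to the taint sets; it never removes one.
 *
 * @param mixed $current_node                 CFG node to analyse.
 * @param mixed $user_tainted_variables_map   Indexed by CFG node; each entry is a set of
 *                                            user-tainted names exposing contains()/attach().
 * @param mixed $secret_tainted_variables_map Same layout, for secret-tainted names.
 * @param mixed $cfg_taint_map                Receives setReturnsUserTaint()/setReturnsSecretTaint()
 *                                            when a return expression is tainted.
 */
function processTaint($current_node, $user_tainted_variables_map, $secret_tainted_variables_map, $cfg_taint_map)
{
    // isTainted() is called with true for the user-taint pass and false for the secret-taint pass.
    if (CFGNode::isCFGNodeStmt($current_node) && $current_node->stmt) {
        $stmt = $current_node->stmt;

        if ($stmt instanceof PhpParser\Node\Expr\Assign || $stmt instanceof PhpParser\Node\Expr\AssignOp) {
            // Resolve the assigned name for plain variables and array element writes.
            $lhs = $stmt->var;
            if ($lhs instanceof PhpParser\Node\Expr\Variable) {
                $lhs_var = $lhs->name;
            } elseif ($lhs instanceof PhpParser\Node\Expr\ArrayDimFetch) {
                $lhs_var = $lhs->var->name;
            } else {
                // Any other assignment target is skipped, so taint flowing into it is
                // not tracked from here on (a source of false negatives).
                $lhs_var = null;
                print "ERROR: Unrecognized LHS type of an assignment while performing taint analysis.\n";
            }

            if ($lhs_var
                && !$user_tainted_variables_map[$current_node]->contains($lhs_var)
                && isTainted($stmt->expr, $user_tainted_variables_map[$current_node], true)) {
                $user_tainted_variables_map[$current_node]->attach($lhs_var);
                print "The variable " . $lhs_var . " became user-tainted.\n";
            }

            if ($lhs_var
                && !$secret_tainted_variables_map[$current_node]->contains($lhs_var)
                && isTainted($stmt->expr, $secret_tainted_variables_map[$current_node], false)) {
                $secret_tainted_variables_map[$current_node]->attach($lhs_var);
                print "The variable " . $lhs_var . " became secret-tainted.\n";
            }
        } elseif ($stmt instanceof PhpParser\Node\Stmt\Return_) {
            // A tainted return expression marks the whole CFG as returning taint.
            // The result must be written to the $cfg_taint_map parameter; any other
            // variable name here is undefined and the flag would never be recorded.
            if (isTainted($stmt->expr, $user_tainted_variables_map[$current_node], true)) {
                print "The return statement is user-tainted.\n";
                $cfg_taint_map->setReturnsUserTaint(true);
            }

            if (isTainted($stmt->expr, $secret_tainted_variables_map[$current_node], false)) {
                print "The return statement is secret-tainted.\n";
                $cfg_taint_map->setReturnsSecretTaint(true);
            }
        }
    } elseif (CFGNode::isCFGNodeCond($current_node) && $current_node->expr) {
        if ($current_node->expr instanceof PhpParser\Node\Expr\Assign) {
            // Assignment used as a condition: taint the target as well as reporting the node.
            // NOTE(review): the target is assumed to be a plain variable (->var->name), and the
            // warning is printed only when the variable is newly tainted - confirm both are intended.
            $cond_assign = $current_node->expr;

            if (!$user_tainted_variables_map[$current_node]->contains($cond_assign->var->name)
                && isTainted($cond_assign->expr, $user_tainted_variables_map[$current_node], true)) {
                print "The variable " . $cond_assign->var->name . " became user tainted.\n";
                $user_tainted_variables_map[$current_node]->attach($cond_assign->var->name);
                print "WARNING: Conditional node is user-tainted:\n";
            }

            if (!$secret_tainted_variables_map[$current_node]->contains($cond_assign->var->name)
                && isTainted($cond_assign->expr, $secret_tainted_variables_map[$current_node], false)) {
                print "The variable " . $cond_assign->var->name . " became secret tainted.\n";
                $secret_tainted_variables_map[$current_node]->attach($cond_assign->var->name);
                print "WARNING: Conditional node is secret-tainted:\n";
            }
        } else {
            // Plain condition: report only, nothing is added to the taint sets.
            if (isTainted($current_node->expr, $secret_tainted_variables_map[$current_node], false)) {
                print "WARNING: Conditional node is secret-tainted:\n";
            }

            if (isTainted($current_node->expr, $user_tainted_variables_map[$current_node], true)) {
                print "WARNING: Conditional node is user-tainted:\n";
            }
        }
    } elseif (CFGNode::isCFGNodeLoopHeader($current_node) && $current_node->expr) {
        print "Analyzing loop header.\n";

        if ($current_node->isWhileLoop()) {
            $loop_cond = $current_node->expr->cond;

            if ($loop_cond instanceof PhpParser\Node\Expr\Assign) {
                // Assignment used as the while condition: propagate taint to its target.
                if (!$user_tainted_variables_map[$current_node]->contains($loop_cond->var->name)
                    && isTainted($loop_cond->expr, $user_tainted_variables_map[$current_node], true)) {
                    print "The variable " . $loop_cond->var->name . " became user tainted.\n";
                    $user_tainted_variables_map[$current_node]->attach($loop_cond->var->name);
                    print "WARNING: Loop header node is user-tainted:\n";
                }

                if (!$secret_tainted_variables_map[$current_node]->contains($loop_cond->var->name)
                    && isTainted($loop_cond->expr, $secret_tainted_variables_map[$current_node], false)) {
                    print "The variable " . $loop_cond->var->name . " became secret tainted.\n";
                    $secret_tainted_variables_map[$current_node]->attach($loop_cond->var->name);
                    print "WARNING: Loop header node is secret-tainted:\n";
                }
            } else {
                if (isTainted($loop_cond, $user_tainted_variables_map[$current_node], true)) {
                    print "While Loop is user-tainted.\n";
                }

                if (isTainted($loop_cond, $secret_tainted_variables_map[$current_node], false)) {
                    print "While Loop is secret-tainted.\n";
                }
            }
        } elseif ($current_node->isForLoop()) {
            // Each condition expression of the for loop is checked separately.
            foreach ($current_node->expr->cond as $condExpr) {
                if (isTainted($condExpr, $user_tainted_variables_map[$current_node], true)) {
                    print "For Loop condition is user-tainted.\n";
                }

                if (isTainted($condExpr, $secret_tainted_variables_map[$current_node], false)) {
                    print "For Loop is secret-tainted.\n";
                }
            }
        } elseif ($current_node->isForeachLoop()) {
            // NOTE(review): the source of a foreach is normally a single expression node, not a
            // list; confirm that iterating over it visits what the analysis expects.
            foreach ($current_node->expr->expr as $sourceExpr) {
                if (isTainted($sourceExpr, $user_tainted_variables_map[$current_node], true)) {
                    print "Foreach Loop condition is user-tainted.\n";
                }

                if (isTainted($sourceExpr, $secret_tainted_variables_map[$current_node], false)) {
                    print "Foreach Loop is secret-tainted.\n";
                }
            }
        }
    }
}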
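/**
 * Runs the parent constructor and starts the node with no expression attached.
 */
public function __construct()
{
    parent::__construct();

    // Must go through $this: a bare `$expr = null` only sets a local variable that is
    // discarded when the constructor returns, leaving the instance property untouched.
    $this->expr = null;
}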
/**
 * Runs the parent constructor, then clears the node's expression and loop type.
 */
public function __construct()
{
    parent::__construct();

    // Both fields start empty; nothing in this constructor fills them in.
    $this->expr = null;
    $this->loop_type = null;
}
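/**
 * Prints a CFG node and hands the expression it carries to processCFGNodeExpr().
 *
 * - Statement node: for an assignment (Assign or AssignOp) only the right-hand side
 *   is passed on; any other statement is passed on whole.
 * - Conditional node: the condition expression is passed on whole.
 * - Loop header: only while loops are handled, via their condition.
 *
 * @param mixed $cfgNode            CFG node to process.
 * @param mixed $callGraphNode      Forwarded unchanged to processCFGNodeExpr().
 * @param mixed $functionSignatures Forwarded unchanged to processCFGNodeExpr().
 */
public function processCFGNode($cfgNode, $callGraphNode, $functionSignatures)
{
    print "The node.\n";
    $cfgNode->printCFGNode();
    print "The class " . get_class($cfgNode) . "\n";

    if (CFGNode::isCFGNodeStmt($cfgNode) && $cfgNode->stmt) {
        $stmt = $cfgNode->getStmt();

        // The class name must be spelled Expr\Assign: instanceof against a misspelled,
        // non-existent class is silently false, so plain assignments would never match.
        $isAssignment = $stmt instanceof PhpParser\Node\Expr\Assign
            || $stmt instanceof PhpParser\Node\Expr\AssignOp;

        // NOTE(review): for assignments only the right-hand side is walked, so anything
        // evaluated inside the assignment target is not seen here - confirm that is intended.
        $this->processCFGNodeExpr($isAssignment ? $stmt->expr : $stmt, $callGraphNode, $functionSignatures);
    } elseif (CFGNode::isCFGNodeCond($cfgNode) && $cfgNode->expr) {
        // Conditions are passed on whole whether or not they are an assignment.
        $this->processCFGNodeExpr($cfgNode->expr, $callGraphNode, $functionSignatures);
    } elseif (CFGNode::isCFGNodeLoopHeader($cfgNode)) {
        // TODO: Process Foreach and For loops.
        if ($cfgNode->isWhileLoop()) {
            $this->processCFGNodeExpr($cfgNode->expr->cond, $callGraphNode, $functionSignatures);
        }
    }
}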
/**
 * Runs the parent constructor, then starts the node with no statement and the
 * back-edge flag cleared.
 */
public function __construct()
{
    parent::__construct();

    $this->stmt = null;
    $this->back_edge = false;
}
/**
 * Prints the CFG reachable from a node in pre-order, visiting each node once.
 *
 * A node is printed before its successors. Statement nodes with a statement are
 * printed through printStmts(); conditional nodes only produce a warning line.
 *
 * @param mixed $cfg_node Node to start from; a falsy value is ignored.
 * @param mixed $visited  Set of nodes already printed, exposing contains()/attach();
 *                        it is updated as nodes are visited.
 */
function print_preorder($cfg_node, $visited)
{
    // Nothing to do for a missing node.
    if (!$cfg_node) {
        return;
    }

    // The visited set stops cycles in the graph from recursing forever.
    if ($visited->contains($cfg_node)) {
        return;
    }

    $visited->attach($cfg_node);

    if (CFGNode::isCFGNodeStmt($cfg_node)) {
        if ($cfg_node->stmt) {
            printStmts(array($cfg_node->stmt));
        }
    } elseif (CFGNode::isCFGNodeCond($cfg_node)) {
        // TODO: Figure out how to print
        // conditional nodes.
        print "WARNING: Conditional node not printed\n";
    }

    // Successors are visited by position, in order.
    $position = 0;
    while ($position < count($cfg_node->successors)) {
        CFG::print_preorder($cfg_node->successors[$position], $visited);
        $position++;
    }
}