/// List of exceptions that aren't errors (function declarations, comments, adodb usage from adodb drivers and
/// hardcoded strings). Non reportable false positives: a scanned line matching any alternative is presumably
/// dropped by the checker loop (the consumer of $excludes is outside this excerpt - confirm).
/// NOTE(review): the empty trailing alternative in the adodb group and bare words such as 'output' or
/// 'Incorrect ' match any line containing them, so each addition here silently widens what the report omits.
$excludes = '/('
    . 'function |^\\s*\\*|^\\s*\\/\\/'
    . '|\\$this-\\>adodb-\\>(Execute|Connect|PConnect|ErrorMsg|MetaTables|MetaIndexes|MetaColumns|MetaColumnNames|MetaPrimaryKeys|)'
    . '|protected \\$[a-zA-Z]*db'
    . '|Incorrect |check find_index_name|not available anymore|output'
    . '|Replace it with the correct use of|where order of parameters is'
    . '|_moodle_database|invaliddbtype'
    . '|has been deprecated in Moodle 2\\.0\\. Will be out in Moodle 2\\.1'
    . '|Potential SQL injection detected|requires at least two parameters'
    . '|hint_database = install_db_val|Current database \\(|admin_setting_configselect'
    . '|(if|while|for|return).*\\>get_recordset(_list|_select|_sql)?.*\\>valid\\(\\)'
    . '|NEWNAMEGOESHERE.*XMLDB_LINEFEED'
    . ')/';

/// Directory this script lives in; it is the root of the recursive scan.
$dir = dirname(__FILE__);

/// Heuristic: treat the dir as Moodle root when a few well-known paths exist below it
/// (all three must exist; file_exists() already yields the boolean we need).
$is_moodle_root = file_exists($dir . '/lang/en')
    && file_exists($dir . '/lib/db')
    && file_exists($dir . '/install/lang/en');

/// Shared boundaries for the function-call rule families: what may precede a name and what must follow it.
$callboundary_before = array('[ =@.]');
$callboundary_after = array('( )?\\(');

/// Calculating megarules - one combined pattern per rule family. calculate_megarule() and the
/// $newapi/$obsoleteconstants/... lists are defined outside this excerpt; the 'i' argument is
/// presumably a pattern modifier (confirm against its definition).
$newapi_megarule = calculate_megarule($newapi, $callboundary_before, $callboundary_after, 'i');
$obsoleteconstants_megarule = calculate_megarule($obsoleteconstants);
$pixlinks_megarule = calculate_megarule($pixlinks);
$errorfunc_megarule = calculate_megarule($errorfunc, $callboundary_before, $callboundary_after);
$fileapi_megarule = calculate_megarule($fileapi, $callboundary_before, $callboundary_after);
$htmlapi_megarule = calculate_megarule($htmlapi);

/// All rules, keyed by rule label.
$all_megarules = array(
    'NEW_API'            => $newapi_megarule,
    'OBSOLETE_CONSTANTS' => $obsoleteconstants_megarule,
    'PIX_LINKS'          => $pixlinks_megarule,
    'ERROR_FUNC'         => $errorfunc_megarule,
    'NEW_FILEAPI'        => $fileapi_megarule,
    'HTMLAPI'            => $htmlapi_megarule,
);

/// Errors found and their count.
$errors = array();
$counterrors = 0;

/// Known false positives and their count.
$falsepositives = array();
$countfalsepositives = 0;

/// Process starts here.
echo 'Checking the ' . $dir . ' directory recursively' . LINEFEED;
echo ($is_moodle_root
    ? '(detected Moodle root directory - false positive detection enabled)'
    : '(executed from custom directory - false positive detection DISABLED!)') . LINEFEED;
// Directory this script lives in; it is the root of the recursive scan.
$dir = dirname(__FILE__);

// Heuristic: treat the dir as Moodle root when a few well-known paths exist below it
// (all three must exist; file_exists() already yields the boolean we need).
$is_moodle_root = file_exists($dir . '/lang/en')
    && file_exists($dir . '/lib/db')
    && file_exists($dir . '/install/lang/en');

// Shared boundaries for the function-call rule families: what may precede a name and what must follow it.
$callboundary_before = array('[ =@.]');
$callboundary_after = array('( )?\\(');

// Calculating megarules - one combined pattern per rule family. calculate_megarule() and the
// $dml/$helper/... lists are defined outside this excerpt; the 'i' argument is presumably a
// pattern modifier (confirm against its definition). UNSUPPORTED allows '>' and ',' before the
// name and is matched without 'i'; OTHER and ENUM take the defaults.
$dml_megarule = calculate_megarule($dml, $callboundary_before, $callboundary_after, 'i');
$helper_megarule = calculate_megarule($helper, $callboundary_before, $callboundary_after, 'i');
$ddl_megarule = calculate_megarule($ddl, $callboundary_before, $callboundary_after, 'i');
$coreonly_megarule = calculate_megarule($coreonly, $callboundary_before, $callboundary_after, 'i');
$enum_megarule = calculate_megarule($enum);
$internal_megarule = calculate_megarule($internal, $callboundary_before, $callboundary_after, 'i');
$unsupported_megarule = calculate_megarule($unsupported, array('[ \\>=@,.]'), $callboundary_after);
$other_megarule = calculate_megarule($other);

// All rules, keyed by rule label.
$all_megarules = array(
    'DML'         => $dml_megarule,
    'HELPER'      => $helper_megarule,
    'DDL'         => $ddl_megarule,
    'COREONLY'    => $coreonly_megarule,
    'ENUM'        => $enum_megarule,
    'INTERNAL'    => $internal_megarule,
    'UNSUPPORTED' => $unsupported_megarule,
    'OTHER'       => $other_megarule,
);

// Errors found and their count.
$errors = array();
$counterrors = 0;

// Known false positives and their count.
$falsepositives = array();
$countfalsepositives = 0;

// Process starts here.
echo 'Checking the ' . $dir . ' directory recursively' . LINEFEED;
echo ($is_moodle_root
    ? '(detected Moodle root directory - false positive detection enabled)'
    : '(executed from custom directory - false positive detection DISABLED!)') . LINEFEED;
/// Last statement and closing brace of a loop whose header precedes this excerpt - presumably a
/// foreach over reserved words that builds $reservedlist from $key/$word (confirm against the lines above).
/// Kept verbatim; only what follows the brace is restyled.
$reservedlist[$key] = '(?: AS\\s+|:)' . trim($word);
}

/// Define some known false positives to take them out from errors report
/// (nested array of => file => regular expressions considered false positives).
/// Presumably matched per file by the checker loop later in the file - confirm.
/// NOTE(review): in the install.php entry 'get_driver_instance\\(\\$config-|>dbtype' the unescaped '|'
/// splits the pattern into two alternatives, the second of which ('>dbtype') matches any line of that
/// file containing it; '-\\>' (as used by the other patterns here) looks intended - confirm before changing.
$fp = array(
    'install.php' => array(
        'empty\\(\\$distro-\\>dbtype\\)',
        '= trim\\(\\$_POST\\[\'dbtype\'\\]',
        'get_driver_instance\\(\\$config-|>dbtype',
    ),
    'admin/blocks.php' => array('drop_plugin_tables.*\\/blocks'),
    'admin/health.php' => array('\\. \\$CFG-\\>prefix \\.'),
    'admin/modules.php' => array('drop_plugin_tables.*\\/mod'),
    'admin/qtypes.php' => array('drop_plugin_tables.*\\$QTYPES\\[\\$delete\\]-\\>'),
    'admin/xmldb/actions/check_bigints/check_bigints.class.php' => array('this->dbfamily'),
    'auth/cas/CAS/CAS/client.php' => array('this->setAttributes'),
    'backup/util/dbops/backup_structure_dbops.class.php' => array('element->get_source_.*convert_params_to_values'),
    'backup/util/helper/restore_decode_content.class.php' => array('return.*get_recordset_sql'),
    'blocks/html/backup/moodle2/restore_html_block_task.class.php' => array('return.*get_recordset_sql'),
    'lib/adminlib.php' => array(
        'drop_plugin_tables\\(\\$pluginname',
        'used_tables = get_used_table_names',
        'dbdirs = get_db_directories',
    ),
    'lib/ddl/database_manager.php' => array('dbdirs = get_db_directories'),
    'lib/ddl/simpletest/testddl.php' => array('DB2 = moodle_database::get_driver_instance'),
    'lib/dml/moodle_database.php' => array(
        'cfg-\\>dbtype = \\$this-\\>get_dbtype',
        'cfg-\\>dblibrary = \\$this-\\>get_dblibrary',
        'return \\$this-\\>get_recordset_select\\(\\$table, \\$select, \\$params',
        'return \\$this-\\>get_recordset_sql\\(\\$sql, \\$params, \\$limitfrom',
    ),
    'lib/dml/simpletest/testdml.php' => array('DB2 = moodle_database::get_driver_instance'),
    'lib/form/recaptcha.php' => array('this->setAttributes'),
    'mod/assignment/lib.php' => array('mform->setAttributes'),
    'mod/scorm/datamodels/scorm_13.js.php' => array(
        'max.*delimiter.*(unique|duplicate).*(:true|:false)',
        'cmi\\.objectives\\.n\\..*defaultvalue.*:null',
    ),
    'mod/workshop/form/accumulative/lib.php' => array('return \\$DB-\\>get_recordset_sql\\('),
    'mod/workshop/form/comments/lib.php' => array('return \\$DB-\\>get_recordset_sql\\('),
    'mod/workshop/form/numerrors/lib.php' => array('return \\$DB-\\>get_recordset_sql\\('),
    'mod/workshop/form/rubric/lib.php' => array('return \\$DB-\\>get_recordset_sql\\('),
    'admin/xmldb/actions/generate_all_documentation/generate_all_documentation.class.php' => array('dbdirs = get_db_directories'),
    'admin/xmldb/actions/get_db_directories/get_db_directories.class.php' => array('db_directories = get_db_directories'),
);

/// List of exceptions that aren't errors (function declarations, comments, adodb usage from adodb drivers and
/// hardcoded strings). Non reportable false positives: a scanned line matching any alternative is presumably
/// dropped by the checker loop (the consumer of $excludes is outside this excerpt - confirm).
/// NOTE(review): the empty trailing alternative in the adodb group and bare words such as 'output' or
/// 'Incorrect ' match any line containing them, so each addition here silently widens what the report omits.
/// NOTE(review): the unescaped ')' after 'context' closes the outer group early and the parentheses in
/// 'die(...)' form a group rather than matching a literal '('; both still match the intended lines, but
/// the pattern is easy to misread.
$excludes = '/('
    . 'function |^\\s*\\*|^\\s*\\/\\/'
    . '|\\$this-\\>adodb-\\>(Execute|Connect|PConnect|ErrorMsg|MetaTables|MetaIndexes|MetaColumns|MetaColumnNames|MetaPrimaryKeys|)'
    . '|protected \\$[a-zA-Z]*db'
    . '|Incorrect |check find_index_name|not available anymore|output'
    . '|Replace it with the correct use of|where order of parameters is'
    . '|_moodle_database|invaliddbtype'
    . '|has been deprecated in Moodle 2\\.0\\. Will be out in Moodle 2\\.1'
    . '|Potential SQL injection detected|requires at least two parameters'
    . '|hint_database = install_db_val|Current database \\(|admin_setting_configselect'
    . '|(if|while|for|return).*\\>get_recordset(_list|_select|_sql)?.*\\>valid\\(\\)'
    . '|NEWNAMEGOESHERE.*XMLDB_LINEFEED'
    . '|has_capability\\(.*:view.*context)'
    . '|die(.*result.*:null.*errstr)'
    . '|CAST\\(.+AS\\s+(INT|FLOAT|DECIMAL|NUM|REAL)'
    . '/';

/// Shared boundaries for the function-call rule families: what may precede a name and what must follow it.
$callboundary_before = array('[ =@.]');
$callboundary_after = array('( )?\\(');

/// Calculating megarules - one combined pattern per rule family. calculate_megarule() and the
/// $dml/$helper/... lists are defined outside this excerpt; the 'i' argument is presumably a
/// pattern modifier (confirm against its definition). UNSUPPORTED allows '>' and ',' before the
/// name and is matched without 'i'; RESERVED_WORD uses quote/space/bracket boundaries instead of
/// the call boundaries; OTHER and ENUM take the defaults.
$dml_megarule = calculate_megarule($dml, $callboundary_before, $callboundary_after, 'i');
$helper_megarule = calculate_megarule($helper, $callboundary_before, $callboundary_after, 'i');
$ddl_megarule = calculate_megarule($ddl, $callboundary_before, $callboundary_after, 'i');
$coreonly_megarule = calculate_megarule($coreonly, $callboundary_before, $callboundary_after, 'i');
$enum_megarule = calculate_megarule($enum);
$internal_megarule = calculate_megarule($internal, $callboundary_before, $callboundary_after, 'i');
$unsupported_megarule = calculate_megarule($unsupported, array('[ \\>=@,.]'), $callboundary_after);
$other_megarule = calculate_megarule($other);
$reserved_megarule = calculate_megarule($reservedlist, array("[ =('\"]"), array("[ ,)'\"]"), 'i');

/// All rules, keyed by rule label.
$all_megarules = array(
    'DML'           => $dml_megarule,
    'HELPER'        => $helper_megarule,
    'DDL'           => $ddl_megarule,
    'COREONLY'      => $coreonly_megarule,
    'ENUM'          => $enum_megarule,
    'INTERNAL'      => $internal_megarule,
    'UNSUPPORTED'   => $unsupported_megarule,
    'OTHER'         => $other_megarule,
    'RESERVED_WORD' => $reserved_megarule,
);

/// Errors found and their count.
$errors = array();
$counterrors = 0;

/// Known false positives and their count.
$falsepositives = array();
$countfalsepositives = 0;

/// Process starts here.
echo 'Checking the ' . $dir . ' directory recursively' . LINEFEED;
echo ($is_moodle_root
    ? '(detected Moodle root directory - false positive detection enabled)'
    : '(executed from custom directory - false positive detection DISABLED!)') . LINEFEED;