コード例 #1
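 /**
  * Record encoding information on the data flow of a call node.
  *
  * When the called function is listed in the global $F_ENCODING_STRING, its
  * name is added to the data flow's location. Every call argument is then
  * traced back through the block's data-flow map, so encodings already
  * recorded for the same variable are carried over. If the traceback returns
  * a falsy $ret[0] for any argument, no inherited encodings are added.
  * EncodingHandler::clearEncodeInfo() is always called afterwards with the
  * node's own function name.
  *
  * @param node $node call node being summarised
  * @param DataFlow $dataFlow data flow whose location receives the encodings
  * @param block $block block whose summary supplies the data-flow map
  * @param fileSummary $fileSummary not read by this method
  */
 public static function setEncodeInfo($node, $dataFlow, $block, $fileSummary)
 {
     global $F_ENCODING_STRING;
     $funcName = NodeUtils::getNodeFunctionName($node);
     // NOTE(review): in_array() compares loosely here. If getNodeFunctionName()
     // can return a non-string (null, 0), a loose match could credit an
     // encoding that never happened. Confirm the return type before switching
     // to strict mode.
     if (in_array($funcName, $F_ENCODING_STRING)) {
         // The call itself is an encoding function: record it.
         $dataFlow->getLocation()->addEncoding($funcName);
         // Trace each argument upwards and collect the encodings already
         // recorded for the same variable.
         $funcParams = NodeUtils::getNodeFuncParams($node);
         $sameVarEncodeInfo = array();
         foreach ($funcParams as $param) {
             $dataFlows = $block->getBlockSummary()->getDataFlowMap();
             $dataFlows = array_reverse($dataFlows);
             $ret = self::encodeSameVarMultiBlockHandler($param, $block, $dataFlows);
             // One argument without encoding means nothing is inherited.
             if (!$ret[0]) {
                 $sameVarEncodeInfo = array();
                 break;
             }
             $sameVarEncodeInfo = array_merge($sameVarEncodeInfo, $ret['funcs']);
         }
         // Add the inherited encodings to this variable. The loop variable is
         // deliberately not named $funcName: reusing that name overwrote the
         // node's function name, so clearEncodeInfo() below was called with
         // the last inherited encoding instead.
         foreach ($sameVarEncodeInfo as $inheritedFunc) {
             $dataFlow->getLocation()->addEncoding($inheritedFunc);
         }
     }
     // Hand the call to the encoding handler (per the original comment, this
     // clears decoding). It must receive the node's own function name.
     EncodingHandler::clearEncodeInfo($funcName, $node, $dataFlow);
 }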
コード例 #2
 /**
  * Record sanitization information on the data flow of a call node.
  *
  * NOTE(review): as written, the result of SantiniFuncHandler() is replaced by
  * null on the very next line, so the whole `if ($sanitiInfo)` branch is
  * unreachable and this method never adds a sanitizer to the data flow. Only
  * the trailing SanitizationHandler::clearSantiInfo() call takes effect.
  * Confirm whether the override is a deliberate switch-off or a debugging
  * leftover before relying on sanitizer tracking from this method.
  *
  * @param Node $node call node being summarised
  * @param DataFlow $dataFlow data flow whose value and location would be updated
  * @param block $block block whose summary supplies the data-flow map
  * @param fileSummary $fileSummary passed to the sanitizer lookups
  */
 public static function setSanitiInfo($node, $dataFlow, $block, $fileSummary)
 {
     // This value is never read: the only later use of $dataFlows reassigns it
     // inside the loop below.
     $dataFlows = $block->getBlockSummary()->getDataFlowMap();
     $sanitiInfo = self::SantiniFuncHandler($node, $fileSummary);
     // NOTE(review): unconditional override. It discards the lookup result and
     // disables the branch below.
     $sanitiInfo = null;
     if ($sanitiInfo) {
         $args = NodeUtils::getFuncParamsNode($node);
         if (count($args) > 0) {
             // If the data flow has no value yet, use the symbol of the first argument.
             if (!$dataFlow->getValue()) {
                 $arg = SymbolUtils::getSymbolByNode($args[0]);
                 $dataFlow->setValue($arg);
             }
         }
         // Trace each argument upwards and collect the sanitization info
         // already recorded for the same variable.
         $funcParams = NodeUtils::getNodeFuncParams($node);
         //traceback
         $sameVarSanitiInfo = array();
         foreach ($funcParams as $param) {
             $dataFlows = $block->getBlockSummary()->getDataFlowMap();
             $dataFlows = array_reverse($dataFlows);
             $ret = self::sanitiSameVarMultiBlockHandler($param, $block, $dataFlows, $fileSummary);
             // One argument without sanitization means nothing is inherited.
             if (!$ret[0]) {
                 $sameVarSanitiInfo = array();
                 break;
             }
             $sameVarSanitiInfo = array_merge($sameVarSanitiInfo, $ret['funcs']);
         }
         // Add the inherited sanitization info to this variable.
         foreach ($sameVarSanitiInfo as $oneFunction) {
             $dataFlow->getLocation()->addSanitization($oneFunction);
         }
         $dataFlow->getLocation()->addSanitization($sanitiInfo);
     }
     $funcName = NodeUtils::getNodeFunctionName($node);
     // Clear functions that have the reverse effect (translated from the original comment).
     SanitizationHandler::clearSantiInfo($funcName, $node, $dataFlow);
 }
コード例 #3
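 /**
  * Visitor callback that collects sink information from call nodes.
  *
  * Only function, method and static calls are handled. When
  * NodeUtils::isSinkFunction() reports the callee as a sink for the current
  * scan type, the variables at the sensitive argument positions are merged
  * into $this->vars and the sink type is stored in $this->sinkType. When the
  * callee is instead a key of the sink context (a user-defined sink), its
  * sensitive arguments are traced back with sinkMultiBlockTraceback().
  *
  * @param Node $node node being left by the traverser
  * @return void
  */
 public function leaveNode(Node $node)
 {
     // Inter-procedural handling: only call expressions are relevant here.
     if ($node->getType() == 'Expr_FuncCall' || $node->getType() == 'Expr_MethodCall' || $node->getType() == 'Expr_StaticCall') {
         // Name of the called function or method.
         $nodeName = NodeUtils::getNodeFunctionName($node);
         $ret = NodeUtils::isSinkFunction($nodeName, $this->scan_type);
         if ($ret[0] == true) {
             // Built-in sink (the original comment gives mysql_query as an example).
             // $cfg is not used below; it is kept in case the constructor has
             // side effects. TODO confirm and remove.
             $cfg = new CFGGenerator();
             // $ret[1] holds the positions of the dangerous arguments; unwrap
             // it when the positions are nested one level deeper.
             $args = $ret[1];
             if (is_array($args[0])) {
                 $args = $args[0];
             }
             $vars = $this->senstivePostion($node, $this->block, $args);
             $type = TypeUtils::getTypeByFuncName($nodeName);
             if ($vars) {
                 // Accumulate the related variables found for this sink.
                 $this->vars = array_merge($this->vars, $vars);
             }
             if ($type) {
                 // Remember the sink type.
                 $this->sinkType = $type;
             }
         } elseif (array_key_exists($nodeName, $this->sinkContext->getAllSinks())) {
             // User-defined function already registered in the sink context.
             $type = TypeUtils::getTypeByFuncName($nodeName);
             if ($type) {
                 // Remember the sink type.
                 $this->sinkType = $type;
             }
             $context = Context::getInstance();
             $funcName = NodeUtils::getNodeFunctionName($node);
             $funcBody = $context->getClassMethodBody($funcName, $this->fileSummary->getPath(), $this->fileSummary->getIncludeMap());
             if (!$funcBody) {
                 // The original used `break` here, outside any loop or switch.
                 // PHP rejects that with a fatal error, so bail out with
                 // `return`: without a resolvable body, nothing is traced.
                 return;
             }
             // $cfg is not used below; it is kept in case the constructor has
             // side effects. TODO confirm and remove.
             $cfg = new CFGGenerator();
             // Sensitive argument positions registered for this user-defined sink.
             $arr = $this->sinkContext->getAllSinks();
             $arr = $arr[$nodeName];
             foreach ($arr as $pos) {
                 // NOTE(review): $argName[$pos] is not checked for existence. A
                 // call with fewer arguments than the registered position
                 // passes an undefined value to the traceback.
                 $argName = NodeUtils::getNodeFuncParams($node);
                 $argName = $argName[$pos];
                 // NOTE(review): each iteration overwrites $this->vars. Only
                 // the last position's traceback survives, and variables
                 // collected earlier are dropped, whereas the built-in branch
                 // merges. If merging was intended, tainted arguments at other
                 // positions currently go unreported. Confirm the return type
                 // of sinkMultiBlockTraceback() before changing this.
                 $this->vars = $this->sinkMultiBlockTraceback($argName, $this->block, 0);
             }
         }
     }
 }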