예제 #1
 /**
  * Store the object returned by DataFlow::getInstance() on this instance,
  * then run validate().
  *
  * validate() is called only after $this->dataFlow has been assigned.
  */
 public function init()
 {
     $flowInstance = DataFlow::getInstance();
     $this->dataFlow = $flowInstance;

     $this->validate();
 }
 /**
  * Record one side of an assignment statement in the given DataFlow.
  *
  * The sub-node for the requested side is classified ($GLOBALS access, value,
  * variable, constant, array access, concatenation, call, ternary) and wrapped
  * in the matching symbol. For "left" the symbol becomes the flow's location
  * and a name is set; for "right" it becomes the flow's value. Right-hand call
  * expressions are handed to SanitizationHandler and EncodingHandler, which is
  * where sanitizer/encoder information gets attached to the flow.
  *
  * @param AST $node assignment node; ->var is read for "left", ->expr for "right"
  * @param DataFlow $dataFlow flow object that is filled in
  * @param string $type "left" or "right"; any other value returns without touching $dataFlow
  * @param mixed $block forwarded unchanged to SanitizationHandler and EncodingHandler
  * @param mixed $fileSummary forwarded unchanged to the same two handlers
  */
 public function assignHandler($node, $dataFlow, $type, $block, $fileSummary)
 {
     $part = null;
     if ($type == "left") {
         $part = $node->var;
     } else {
         if ($type == "right") {
             $part = $node->expr;
         } else {
             return;
         }
     }
     // Assignments through $GLOBALS:
     // $GLOBAL['name'] = "chongrui" ; is recorded as the data flow $name = "chongrui" ;
     // NOTE(review): this is a 7-character prefix test on the node's string name,
     // so any name that merely starts with "GLOBALS" takes this path — confirm
     // getNodeStringName() cannot return such a name for an unrelated array.
     if ($part && SymbolUtils::isArrayDimFetch($part) && substr(NodeUtils::getNodeStringName($part), 0, 7) == "GLOBALS") {
         // Add to the dataFlow
         $arr = new ArrayDimFetchSymbol();
         $arr->setValue($part);
         if ($type == "left") {
             $dataFlow->setLocation($arr);
             $dataFlow->setName(NodeUtils::getNodeGLOBALSNodeName($part));
         } else {
             if ($type == "right") {
                 $dataFlow->setValue($arr);
             }
         }
         return;
     }
     // Ordinary assignment: store the classified side in the DataFlow.
     // (Both sides go through this chain; $type selects location vs. value.)
     if ($part && SymbolUtils::isValue($part)) {
         // Left: set location and name on the DataFlow; right: set its value
         $vs = new ValueSymbol();
         $vs->setValueByNode($part);
         if ($type == "left") {
             $dataFlow->setLocation($vs);
             $dataFlow->setName($part->name);
         } else {
             if ($type == "right") {
                 $dataFlow->setValue($vs);
             }
         }
     } elseif ($part && SymbolUtils::isVariable($part)) {
         // Add to the dataFlow
         $vars = new VariableSymbol();
         $vars->setValue($part);
         if ($type == "left") {
             $dataFlow->setLocation($vars);
             $dataFlow->setName($part->name);
         } else {
             if ($type == "right") {
                 // NOTE(review): every other branch stores the wrapping symbol;
                 // this one stores the raw node and leaves $vars unused — confirm
                 // that consumers of getValue() expect a node here.
                 $dataFlow->setValue($part);
             }
         }
     } elseif ($part && SymbolUtils::isConstant($part)) {
         // Add to the dataFlow
         $con = new ConstantSymbol();
         $con->setValueByNode($part);
         $con->setName($part->name->parts[0]);
         if ($type == "left") {
             $dataFlow->setLocation($con);
             $dataFlow->setName($part->name);
         } else {
             if ($type == "right") {
                 $dataFlow->setValue($con);
             }
         }
     } elseif ($part && SymbolUtils::isArrayDimFetch($part)) {
         // Add to the dataFlow
         $arr = new ArrayDimFetchSymbol();
         $arr->setValue($part);
         if ($type == "left") {
             $dataFlow->setLocation($arr);
             $dataFlow->setName(NodeUtils::getNodeStringName($part));
         } else {
             if ($type == "right") {
                 $dataFlow->setValue($arr);
             }
         }
     } elseif ($part && SymbolUtils::isConcat($part)) {
         $concat = new ConcatSymbol();
         $concat->setItemByNode($part);
         if ($type == "left") {
             $dataFlow->setLocation($concat);
             // NOTE(review): reads ->name from a concatenation node — verify the
             // node type actually exposes that property.
             $dataFlow->setName($part->name);
         } else {
             if ($type == "right") {
                 $dataFlow->setValue($concat);
             }
         }
     } else {
         // Not one of the known symbol types, e.g. a function call
         if ($part && ($part->getType() == "Expr_FuncCall" || $part->getType() == "Expr_MethodCall" || $part->getType() == "Expr_StaticCall")) {
             if ($type == "left") {
                 // NOTE(review): $arr is never assigned on this path (the $GLOBALS
                 // branch returns and the array branch was not taken), so an
                 // undefined variable is passed as the location.
                 $dataFlow->setLocation($arr);
                 $dataFlow->setName(NodeUtils::getNodeStringName($part));
             } else {
                 if ($type == "right") {
                     // Attach sanitization and encoding information for the call
                     SanitizationHandler::setSanitiInfo($part, $dataFlow, $block, $fileSummary);
                     EncodingHandler::setEncodeInfo($part, $dataFlow, $block, $fileSummary);
                 }
             }
         }
         // Ternary expressions
         if ($part && $part->getType() == "Expr_Ternary") {
             BIFuncUtils::ternaryHandler($type, $part, $dataFlow);
         }
     }
 }
예제 #3
파일: Base.php 프로젝트: yinliguo/phpBase
 /**
  * Run fetch() and publish the result to the DataFlow instance.
  *
  * Rows are indexed by their '_id' entry (a later row with the same '_id'
  * replaces an earlier one) and handed to toFlow() under the upper-cased
  * collection name with an 'S' appended.
  *
  * @param array $filter passed through to fetch()
  * @param array $field passed through to fetch()
  * @param array $options passed through to fetch()
  * @return array the rows keyed by '_id'
  */
 public function fetchToDataFlow(array $filter = [], array $field = [], array $options = [])
 {
     $indexed = [];
     foreach ($this->fetch($filter, $field, $options) as $row) {
         // assumes '_id' is usable as an array key — TODO confirm
         $rowId = $row['_id'];
         $indexed[$rowId] = $row;
     }

     $sink = DataFlow::getInstance();
     $flowKey = strtoupper($this->getCollectionName()) . 'S';
     $sink->toFlow([$flowKey => $indexed]);

     return $indexed;
 }
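 /**
  * Cancel recorded sanitizers when the function that undoes them is called.
  *
  * Pairs handled:
  *   stripslashes            undoes addslashes
  *   html_entity_decode      undoes htmlentities
  *   htmlspecialchars_decode undoes htmlspecialchars
  *
  * Nothing happens unless $funcName is listed in the global
  * $F_INSECURING_STRING and is one of the three functions above.
  *
  * Every entry for the cancelled sanitizer is dropped. The previous loop
  * spliced while iterating with offsets taken from the array as it was when
  * the loop began, so after the first removal a later match could delete a
  * neighbouring entry instead. NOTE(review): the old inline comment spoke of
  * removing only the most recent addslashes — confirm which is intended.
  * Dropping all of them errs towards reporting the data as unsanitized.
  *
  * NOTE(review): $map is a by-value copy of what getSanitization() returned
  * and nothing here stores it back, so as written the symbol still lists the
  * cancelled sanitizer and later checks would keep treating the value as
  * sanitized. Persist $map through whatever mutator the symbol class exposes.
  *
  * @param string $funcName name of the function being called
  * @param Node $node call node (not used here)
  * @param DataFlow $dataFlow flow whose location carries the sanitizer list
  */
 public static function clearSantiInfo($funcName, $node, $dataFlow)
 {
     global $F_INSECURING_STRING;

     // Strict membership test: no loose string/number matches.
     if (!in_array($funcName, $F_INSECURING_STRING, true)) {
         return;
     }

     // Inverse function => sanitizer it cancels.
     $cancels = array(
         'stripslashes' => 'addslashes',
         'html_entity_decode' => 'htmlentities',
         'htmlspecialchars_decode' => 'htmlspecialchars',
     );
     if (!isset($cancels[$funcName])) {
         return;
     }
     $cancelled = $cancels[$funcName];

     $map = $dataFlow->getLocation()->getSanitization();

     // Rebuild the list without the cancelled sanitizer rather than splicing
     // inside the loop, so no offset can go stale.
     $remaining = array();
     foreach ($map as $oneFunction) {
         if ($oneFunction['funcName'] !== $cancelled) {
             $remaining[] = $oneFunction;
         }
     }
     $map = $remaining;
 }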
예제 #5
 /**
  * Turn a foreach header into data-flow entries.
  *
  *   foreach ($_GET['id'] as $key => $value)
  *
  * is recorded as two assignments, one for $key and one for $value, each
  * taking the iterated expression as its value — so both loop variables
  * inherit whatever taint the iterated expression carries. The entries are
  * added to the block's summary.
  *
  * NOTE(review): only an iterated expression of type Expr_ArrayDimFetch is
  * handled; for any other shape (a plain variable, a call, ...) this method
  * records nothing. Confirm those cases are covered elsewhere, otherwise
  * taint entering through such loops is not tracked.
  *
  * @param BasicBlock $block block whose summary receives the entries
  * @param Node $node foreach node; expr, keyVar and valueVar are read
  */
 public function foreachHandler($block, $node)
 {
     $iterated = $node->expr;
     if ($iterated->getType() != "Expr_ArrayDimFetch") {
         return;
     }

     // $key first, then $value; a loop variable that is absent is skipped.
     foreach (array('keyVar', 'valueVar') as $slot) {
         $target = $node->{$slot};
         if ($target == null) {
             continue;
         }

         $flow = new DataFlow();
         $flow->setName(NodeUtils::getNodeStringName($target));

         $symbol = new ArrayDimFetchSymbol();
         $symbol->setValue($target);
         $flow->setLocation($symbol);

         $flow->setValue($iterated);
         $block->getBlockSummary()->addDataFlowItem($flow);
     }
 }
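 /**
  * Cancel a recorded encoding step when a decoding function is called.
  *
  * Entry looked up in the location's encoding list, per decoder:
  *   rawurldecode       -> 'urlencode'
  *   urldecode          -> 'urlencode'
  *   base64_decode      -> 'base64_encode'
  *   html_entity_decode -> 'html_entity_decode'
  *
  * Nothing happens unless $funcName is listed in the global
  * $F_DECODING_STRING and is one of the four decoders above.
  *
  * Two defects are corrected here. The label `case 'rawurldecode' or
  * 'urldecode':` evaluated to `case true:`, which switch's loose comparison
  * matches for any non-empty name, so the base64 and html_entity_decode
  * branches could never run. And a failed array_search() returned false,
  * which array_splice() treated as offset 0, deleting an unrelated first
  * entry.
  *
  * NOTE(review): the earlier doc comment paired rawurldecode with
  * rawurlencode, but the code only ever searched for 'urlencode'; that is
  * kept as it was — confirm whether 'rawurlencode' entries should be
  * cancelled too.
  * NOTE(review): html_entity_decode searches for its own name rather than
  * for an encoder name; this looks like a copy-paste slip — confirm what the
  * encoding list stores for that case.
  * NOTE(review): array_search() returns the first match; if "most recent" is
  * meant and entries are appended, the last match is the one to remove.
  * NOTE(review): $map is a by-value copy of what getEncoding() returned and
  * nothing here stores it back, so as written the symbol's encoding list is
  * unchanged. Persist $map through whatever mutator the symbol class exposes.
  *
  * @param string $funcName name of the function being called
  * @param Node $node call node (not used here)
  * @param DataFlow $dataFlow flow whose location carries the encoding list
  */
 public static function clearEncodeInfo($funcName, $node, $dataFlow)
 {
     global $F_DECODING_STRING;

     // Strict membership test: no loose string/number matches.
     if (!in_array($funcName, $F_DECODING_STRING, true)) {
         return;
     }

     // Decoder => entry searched for in the encoding list.
     $searchedFor = array(
         'rawurldecode' => 'urlencode',
         'urldecode' => 'urlencode',
         'base64_decode' => 'base64_encode',
         'html_entity_decode' => 'html_entity_decode',
     );
     if (!isset($searchedFor[$funcName])) {
         return;
     }

     $map = $dataFlow->getLocation()->getEncoding();
     $position = array_search($searchedFor[$funcName], $map, true);

     // Only splice on a real hit; false must not be read as offset 0.
     if ($position !== false) {
         array_splice($map, $position, 1);
     }
 }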