/**
 * Attach the shared DataFlow singleton to this instance, then run
 * $this->validate().
 */
public function init()
{
    $sharedFlow = DataFlow::getInstance();
    $this->dataFlow = $sharedFlow;
    $this->validate();
}
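/**
 * Record one side of an assignment node in the given DataFlow.
 *
 * For $type === "left" the node's ->var becomes the flow's location (and
 * its name); for $type === "right" the node's ->expr becomes the flow's
 * value. Any other $type, or a missing ->var / ->expr, is ignored.
 * `$GLOBALS['name'] = ...` is tracked as if it were `$name = ...`.
 *
 * @param AST      $node        assignment node exposing ->var and ->expr
 * @param DataFlow $dataFlow    flow being filled in
 * @param string   $type        "left" or "right"
 * @param mixed    $block       current block, forwarded to the sanitization/encoding handlers
 * @param mixed    $fileSummary file summary, forwarded to the sanitization/encoding handlers
 */
public function assignHandler($node, $dataFlow, $type, $block, $fileSummary)
{
    if ($type === "left") {
        $part = $node->var;
    } elseif ($type === "right") {
        $part = $node->expr;
    } else {
        return;
    }
    // Every branch below requires a node to work on.
    if (!$part) {
        return;
    }

    // "left" binds the symbol as the flow's location (plus its name);
    // "right" binds it as the flow's value. $valueOverride lets a branch
    // store something other than the symbol as the value.
    $bind = function ($symbol, $name, $valueOverride = null) use ($dataFlow, $type) {
        if ($type === "left") {
            $dataFlow->setLocation($symbol);
            $dataFlow->setName($name);
        } else {
            $dataFlow->setValue($valueOverride === null ? $symbol : $valueOverride);
        }
    };

    // $GLOBALS['name'] = "x"  is recorded as the flow  $name = "x"
    if (SymbolUtils::isArrayDimFetch($part)
        && substr(NodeUtils::getNodeStringName($part), 0, 7) === "GLOBALS") {
        $globalsSymbol = new ArrayDimFetchSymbol();
        $globalsSymbol->setValue($part);
        $bind($globalsSymbol, NodeUtils::getNodeGLOBALSNodeName($part));
        return;
    }

    if (SymbolUtils::isValue($part)) {
        $symbol = new ValueSymbol();
        $symbol->setValueByNode($part);
        $bind($symbol, $part->name);
    } elseif (SymbolUtils::isVariable($part)) {
        $symbol = new VariableSymbol();
        $symbol->setValue($part);
        // NOTE(review): on the right-hand side the raw node, not the
        // VariableSymbol, is stored as the value (kept from the original;
        // confirm downstream consumers expect the node here).
        $bind($symbol, $part->name, $part);
    } elseif (SymbolUtils::isConstant($part)) {
        $symbol = new ConstantSymbol();
        $symbol->setValueByNode($part);
        $symbol->setName($part->name->parts[0]);
        $bind($symbol, $part->name);
    } elseif (SymbolUtils::isArrayDimFetch($part)) {
        $symbol = new ArrayDimFetchSymbol();
        $symbol->setValue($part);
        $bind($symbol, NodeUtils::getNodeStringName($part));
    } elseif (SymbolUtils::isConcat($part)) {
        $symbol = new ConcatSymbol();
        $symbol->setItemByNode($part);
        $bind($symbol, $part->name);
    } else {
        // Not one of the known symbol kinds: calls and ternaries.
        $nodeType = $part->getType();
        if (in_array($nodeType, ["Expr_FuncCall", "Expr_MethodCall", "Expr_StaticCall"], true)) {
            if ($type === "left") {
                // A call expression is not a valid assignment target. The
                // original bound an undefined variable as the location here,
                // so only the name is recorded and the location is left untouched.
                $dataFlow->setName(NodeUtils::getNodeStringName($part));
            } else {
                // A call on the right-hand side may sanitize or encode the value.
                SanitizationHandler::setSanitiInfo($part, $dataFlow, $block, $fileSummary);
                EncodingHandler::setEncodeInfo($part, $dataFlow, $block, $fileSummary);
            }
        }
        if ($nodeType === "Expr_Ternary") {
            BIFuncUtils::ternaryHandler($type, $part, $dataFlow);
        }
    }
}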
/**
 * Run a fetch with the given filter/field/options, publish the rows keyed
 * by their '_id' to the DataFlow singleton under "<COLLECTION_NAME>S",
 * and return that keyed array.
 *
 * @param array $filter
 * @param array $field
 * @param array $options
 * @return array rows indexed by their '_id'
 */
public function fetchToDataFlow(array $filter = [], array $field = [], array $options = [])
{
    $rows = $this->fetch($filter, $field, $options);
    $indexed = [];
    foreach ($rows as $row) {
        $rowId = $row['_id'];
        $indexed[$rowId] = $row;
    }
    $flowKey = strtoupper($this->getCollectionName()) . 'S';
    DataFlow::getInstance()->toFlow([$flowKey => $indexed]);
    return $indexed;
}
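/**
 * Cancel the most recent sanitization on the flow's location when its
 * inverse is called:
 *   stripslashes            -> addslashes
 *   html_entity_decode      -> htmlentities
 *   htmlspecialchars_decode -> htmlspecialchars
 *
 * @param string   $funcName name of the function being called
 * @param Node     $node     call node (currently unused)
 * @param DataFlow $dataFlow flow whose location carries the sanitization list
 */
public static function clearSantiInfo($funcName, $node, $dataFlow)
{
    global $F_INSECURING_STRING;

    // decoder => the sanitizer it cancels
    $inverseOf = [
        'stripslashes'            => 'addslashes',
        'html_entity_decode'      => 'htmlentities',
        'htmlspecialchars_decode' => 'htmlspecialchars',
    ];
    if (!in_array($funcName, $F_INSECURING_STRING, true) || !isset($inverseOf[$funcName])) {
        return;
    }
    $sanitizer = $inverseOf[$funcName];

    $map = $dataFlow->getLocation()->getSanitization();
    // Walk from the end so only the most recent matching entry is removed.
    // The original spliced inside a foreach, which shifts the positions of
    // the remaining entries and could remove the wrong one.
    $keys = array_keys($map);
    for ($i = count($keys) - 1; $i >= 0; $i--) {
        if ($map[$keys[$i]]['funcName'] === $sanitizer) {
            array_splice($map, $i, 1);
            break;
        }
    }
    // TODO(review): $map is a by-value copy of getSanitization(); the removal
    // only takes effect if it is written back to the location (no setter is
    // visible in this file — the original code did not write it back either).
}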
/**
 * Translate `foreach($_GET['id'] as $key => $value)` into two flows,
 * "$key = <expr>" and "$value = <expr>", so both the key and the value are
 * tainted by the iterated array; each flow is added to the block's summary.
 * Only foreach statements whose expression is an Expr_ArrayDimFetch are
 * handled.
 *
 * @param BasicBlock $block
 * @param Node       $node foreach node exposing ->expr, ->keyVar, ->valueVar
 */
public function foreachHandler($block, $node)
{
    if ($node->expr->getType() !== "Expr_ArrayDimFetch") {
        return;
    }
    // key variable first, then value variable, as in the original order
    foreach ([$node->keyVar, $node->valueVar] as $target) {
        if ($target == null) {
            continue;
        }
        $flow = new DataFlow();
        $flow->setName(NodeUtils::getNodeStringName($target));
        // NOTE(review): the loop variable is wrapped in an ArrayDimFetchSymbol
        // even though it is a plain variable node — kept as in the original.
        $location = new ArrayDimFetchSymbol();
        $location->setValue($target);
        $flow->setLocation($location);
        $flow->setValue($node->expr);
        $block->getBlockSummary()->addDataFlowItem($flow);
    }
}
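/**
 * Cancel the most recent encoding on the flow's location when its decoder
 * is called:
 *   rawurldecode / urldecode -> urlencode
 *   base64_decode            -> base64_encode
 *   html_entity_decode       -> htmlentities
 *
 * @param string   $funcName name of the function being called
 * @param Node     $node     call node (currently unused)
 * @param DataFlow $dataFlow flow whose location carries the encoding list
 */
public static function clearEncodeInfo($funcName, $node, $dataFlow)
{
    global $F_DECODING_STRING;

    // decoder => the encoder it cancels. The original `case 'rawurldecode' or
    // 'urldecode':` evaluated to `true` and, under switch's loose comparison,
    // matched every non-empty name, so base64_decode also removed 'urlencode'.
    $encoderOf = [
        // rawurldecode is paired with 'urlencode' as in the original code; the
        // docblock pairs it with rawurlencode — adjust if the encoding list
        // records 'rawurlencode' separately.
        'rawurldecode'       => 'urlencode',
        'urldecode'          => 'urlencode',
        'base64_decode'      => 'base64_encode',
        // the original searched for 'html_entity_decode' itself, which is a
        // decoder and never appears in the encoding list; htmlentities is its encoder
        'html_entity_decode' => 'htmlentities',
    ];
    if (!in_array($funcName, $F_DECODING_STRING, true) || !isset($encoderOf[$funcName])) {
        return;
    }
    $encoder = $encoderOf[$funcName];

    $map = $dataFlow->getLocation()->getEncoding();
    // Remove the most recent occurrence only. array_search returned the first
    // one, and on a miss its `false` was passed to array_splice as offset 0,
    // deleting an unrelated entry.
    $matches = array_keys($map, $encoder, true);
    if ($matches === []) {
        return;
    }
    // assumes the encoding list is sequential (key == position), as the original did
    array_splice($map, end($matches), 1);
    // TODO(review): $map is a by-value copy of getEncoding(); the removal only
    // takes effect if it is written back to the location (no setter is visible
    // in this file — the original code did not write it back either).
}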