Merge remote-tracking branch 'origin/master'

Conflicts:
	CFGGenerator.php
	test/test.php
	utils/multiBlockHandlerUtils.class.php

Author: xyw55

CFGGenerator.php

@@ -87,7 +87,6 @@ public function getBranches($node){
 					$catch_branch = new Branch($catch->type, $catch->stmts) ;
 					array_push($branches, $catch_branch) ;
 				}
-				
 				break ;
 
 			case 'Expr_Ternary':
@@ -276,6 +275,12 @@ private function assignHandler($node,$block,$dataFlow,$type){
 		    if($part && $part->getType() == "Expr_Ternary"){
 		        BIFuncUtils::ternaryHandler($type, $part, $dataFlow) ;
 		    }
+		    
+		    //处理双引号中包含的变量
+		    if($part && $part->getType() == "Scalar_Encapsed"){
+		        $symbol = SymbolUtils::getSymbolByNode($part) ;
+		        $dataFlow->setValue($symbol) ;
+		    }
 
 
 		}//else
@@ -485,7 +490,8 @@ public function functionHandler($node, $block, $fileSummary){
 	    $funcName = NodeUtils::getNodeFunctionName($node);
 	    //判断是否为sink函数,返回格式为array(true,funcname) or array(false)
 	    $ret = NodeUtils::isSinkFunction($funcName, $scan_type);
-	    if($ret[0] != null){
+
+	    if($ret[0] != null && $ret[0] === true){
 	        //如果发现了sink调用，启动污点分析
 	        $analyser = new TaintAnalyser() ;
 	        //获取危险参数的位置
@@ -495,7 +501,6 @@ public function functionHandler($node, $block, $fileSummary){
 	        }
 	        //获取到危险参数位置的变量
 	        $argArr = NodeUtils::getFuncParamsByPos($node, $argPosition);
-
 	        //遍历危险参数名，调用污点分析函数
 	        if(count($argArr) > 0){
 	            foreach ($argArr as $item){
@@ -511,15 +516,14 @@ public function functionHandler($node, $block, $fileSummary){
 
 	        }
 	    }else{
-	        
 	        //如果不是sink调用，启动过程间分析
 	        $context = Context::getInstance() ;
             $funcBody = $context->getClassMethodBody(
             	$funcName,
             	$this->fileSummary->getPath(),
             	$this->fileSummary->getIncludeMap()
 	        );
-			
+
 			//check
 	        if(!$funcBody || !is_object($funcBody)) return ;
 
@@ -558,9 +562,10 @@ public function functionHandler($node, $block, $fileSummary){
 	        if($funcBody->getType() == "Stmt_ClassMethod"){
 	        	$funcBody->stmts = $funcBody->stmts[0] ;
 	        }
-	        
+            
 	        //构建相应方法体的block和summary
 	        $nextblock = $this->CFGBuilder($funcBody->stmts, NULL, NULL, NULL) ;
+            
 	        //ret危险参数的位置比如：array(0)
 	        $ret = $this->sinkFunctionHandler($funcBody, $nextblock, $block);
 
@@ -766,8 +771,8 @@ public function CFGBuilder($nodes,$condition,$pEntryBlock,$pNextBlock){
 				//print_r($currBlock->getBlockSummary()) ;
 				return $currBlock ;
 			}else{
-				$currBlock->addNode($node);
-				//print_r($currBlock->getBlockSummary()) ;
+			    $currBlock->addNode($node);
+			    //print_r($currBlock->getBlockSummary()) ;
 			}
 		}
 
@@ -1024,10 +1029,9 @@ public function leaveNode(Node $node){
 	 * @return array
 	 */
 	public function sinkMultiBlockTraceback($argName,$block,$flowsNum=0){
-	    //print_r("enter sinkMultiBlockTraceback<br/>");
 	    $mulitBlockHandlerUtils = new multiBlockHandlerUtils($block);
 	    $blockList = $mulitBlockHandlerUtils->getPathArr();
-	    
+
 	    $flows = $block->getBlockSummary()->getDataFlowMap();
 	    //当前块flows没有遍历完
 	    if(count($flows) != $flowsNum)
@@ -1148,10 +1152,19 @@ public function sinkTracebackBlock($argName,$block,$flowsNum){
 // echo "<pre>" ;
 
 
+
 // //从用户那接受项目路径
 // $project_path = 'C:/Users/xyw55/Desktop/test/74cms_3.3';
 // //$project_path = "D:/MySoftware/wamp/www/code/phpvulhunter/test/test.php" ;
+
+
+// //从用户那接受项目路径
+// $project_path = 'E:/School_of_software/information_security/PHPVulScanner_project/simple-log_v1.3.12/upload/';
+// $project_path = "D:/MySoftware/wamp/www/code/phpvulhunter/test/test.php" ;
+// $project_path = "E:/School_of_software/information_security/PHPVulScanner_project/74cms_3.3/" ;
+
 // $allFiles = FileUtils::getPHPfile($project_path);
+
 // //初始化
 // $initModule = new InitModule() ;
 // $initModule->init($project_path, $allFiles) ;
@@ -1172,7 +1185,21 @@ public function sinkTracebackBlock($argName,$block,$flowsNum){
 // $pEntryBlock->is_entry = true ;
 // $ret = $cfg->CFGBuilder($nodes, NULL, NULL, NULL) ;
 
-//echo '456';
+
+// $cfg = new CFGGenerator() ;
+// $visitor = new MyVisitor() ;
+// $parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative) ;
+// $traverser = new PhpParser\NodeTraverser ;
+// $path = CURR_PATH . '/test/test.php';
+// $cfg->getFileSummary()->setPath($path);
+// $code = file_get_contents($path);
+// $stmts = $parser->parse($code) ;
+// $traverser->addVisitor($visitor) ;
+// $traverser->traverse($stmts) ;
+// $nodes = $visitor->getNodes() ;
+// $pEntryBlock = new BasicBlock() ;
+// $pEntryBlock->is_entry = true ;
+// $ret = $cfg->CFGBuilder($nodes, NULL, NULL, NULL) ;
 
 
 

analyser/TaintAnalyser.class.php

@@ -33,33 +33,6 @@ public function getPathArr() {
 		return $this->pathArr;
 	}
 
-	/**
-	 * 判断字符串needle是否是str的开头
-	 * @param string $str
-	 * @param string $needle
-	 * @return boolean
-	 */
-	private function startWith($str, $needle) {
-        if(strpos($str, $needle) === 0){
-            return true ;
-        }else{
-            return false ;
-        }
-    }
-	
-    /**
-     * 判断target是否是source的结尾
-     * @param string $source
-     * @param string $target
-     * @return boolean
-     */
-	private function endsWith($source, $target){
-	    if(strrchr($source,$target) == $target){
-	        return true ;
-	    }else{
-	        return false ;
-	    }
-	}
 
 	/**
 	 * 根据变量的节点返回变量的名称
@@ -110,8 +83,8 @@ public function addTypeByVars(&$vars){
 					continue ;
 				}
 				//判断是否被单引号包裹
-				$is_start_with = $this->startWith($vars[$i-1]->getValue(), "'");
-				$is_end_with = $this->endsWith($vars[$i+1]->getValue(), "'") ;
+				$is_start_with = CommonUtils::startWith($vars[$i-1]->getValue(), "'");
+				$is_end_with = CommonUtils::endsWith($vars[$i+1]->getValue(), "'") ;
 				if($is_start_with != -1 && $is_end_with != -1){
 					$vars[$i]->setType("valueInt") ;
 				}
@@ -157,6 +130,7 @@ public function getVarsByFlow($flow){
 
 	/**
 	 * 获取当前基本块的所有前驱基本块
+	 * 逆序排列
 	 * @param BasicBlock $block
 	 * @return Array 返回前驱基本块集合$this->pathArr
 	 * 使用该方法时，需要对类属性$this->pathArr进行初始化
@@ -246,6 +220,7 @@ public function currBlockTaintHandler($block,$node,$argName,$fileSummary, $flowN
 						//报告漏洞
 						$path = $fileSummary->getPath() ;
 						$this->report($path, $path, $node, $flow->getLocation(), $type) ;
+						continue ;
 					}else{				
 						//首先进行文件夹的分析
 						$this->multiFileHandler($block, $varName, $node, $fileSummary) ;
@@ -267,41 +242,32 @@ public function currBlockTaintHandler($block,$node,$argName,$fileSummary, $flowN
 	 * @param Node $node 调用sink的node 
 	 * @param FileSummary $fileSummary 当前文件的文件摘要
 	 */
-	public function multiBlockHandler($block, $argName, $node, $fileSummary, $flowNum=0){
+	public function multiBlockHandler($block, $argName, $node, $fileSummary){
 		if($this->pathArr){
 			$this->pathArr = array() ;
 		}
 
 		$this->getPrevBlocks($block) ;
 		$block_list = $this->pathArr ;
 
-		//单基本块进入
+		//单基本块进入   算法停止
 		if(empty($block_list)){
+		    // 首先，在当前基本块中探测变量，如果有source和不完整的santi则报告漏洞
+		    $this->currBlockTaintHandler($block, $node, $argName, $fileSummary) ;
 		    return ;
 		}
 
 		!empty($block) && array_push($block_list, $block) ;
 
-		//如果前驱基本块为空，说明完成回溯，算法停止
-		if($block_list == null || count($block_list) == 0){
-			return  ;
-		}
-		
 		foreach($block_list as $bitem){
 		    //处理非平行结构的前驱基本块
 		    if(!is_array($bitem)){
 		        $flows = $bitem->getBlockSummary()->getDataFlowMap() ;
 		        $flows = array_reverse($flows) ;
-		        $tempNum = $flowNum ;
-		        while ($tempNum){
-		            $tempNum --;
-		            array_shift($flows);
-		        }
 		        //如果flow中没有信息，则换下一个基本块
 		        if($flows == null){
 		            //找到新的argName
 		            foreach ($block->getBlockSummary()->getDataFlowMap() as $flow){
-		                $flowNum ++;
 		                if($flow->getName() == $argName){
 		                    if(is_object($flow->getLocation())){
 		                        $target = $flow->getLocation() ;
@@ -325,27 +291,25 @@ public function multiBlockHandler($block, $argName, $node, $fileSummary, $flowNu
 		                            $path = $fileSummary->getPath() ;
 		                            $type = TypeUtils::getTypeByFuncName(NodeUtils::getNodeFunctionName($node)) ;
 		                            $this->report($path, $path, $node, $flow->getLocation(),$type) ;
-		                            //return true ;
+		                            continue ;
 		                        }
-		                        $this->multiBlockHandler($bitem, $varName, $node, $fileSummary,$flowNum) ;
+		                        $this->multiBlockHandler($bitem, $varName, $node, $fileSummary) ;
 		                    }
 		                    return ;
 		                }else{
 		                    //在最初block中，argName没有变化则直接递归
-		    
 		                    if($block_list == null){
 		                        return ;
 		                    }else{
-		                        $this->multiBlockHandler($bitem, $argName, $node, $fileSummary,$flowNum) ;
-                                   return ;
+		                        $this->multiBlockHandler($bitem, $argName, $node, $fileSummary) ;
+                                return ;
 		                    }
 
 		                }
 		            }
 		        }else{
 		            //对于每个flow,寻找变量argName
 		            foreach ($flows as $flow){
-		                $flowNum ++;
 		                if($flow->getName() == $argName){
 		                    //处理净化信息,如果被编码或者净化则返回safe
 		                    //先对左边的变量进行查询
@@ -376,6 +340,7 @@ public function multiBlockHandler($block, $argName, $node, $fileSummary, $flowNu
 		                            //报告漏洞
 		                            $path = $fileSummary->getPath() ;
 		                            $this->report($path, $path, $node, $flow->getLocation(), $type) ;
+		                            continue ;
 		                        }else{
 		                            //首先进行文件夹的分析
 		                            //首先根据fileSummary获取到fileSummaryMap
@@ -392,8 +357,7 @@ public function multiBlockHandler($block, $argName, $node, $fileSummary, $flowNu
 		                                $bitem,
 		                                $varName,
 		                                $node,
-		                                $fileSummary,
-		                                $flowNum
+		                                $fileSummary
 		                            ) ;
 		                        }
 		                    }
@@ -404,15 +368,11 @@ public function multiBlockHandler($block, $argName, $node, $fileSummary, $flowNu
 		        }
 
 		    }else if(is_array($bitem) && count($block_list) > 0){
+		        $bitem = array_reverse($bitem) ;
 		        //是平行结构
-		        foreach ($bitem as $block_item){
+		        foreach ($bitem as $block_item){   
 		            $flows = $block_item->getBlockSummary()->getDataFlowMap() ;
 		            $flows = array_reverse($flows) ;
-		            $tempNum = $flowNum ;
-		            while ($tempNum){
-		                $tempNum --;
-		                array_shift($flows);
-		            }
 		            //如果flow中没有信息，则换下一个基本块
 		            if($flows == null){
 		                //找到新的argName
@@ -432,15 +392,20 @@ public function multiBlockHandler($block, $argName, $node, $fileSummary, $flowNu
 		                        }
 
 		                        $vars = $this->getVarsByFlow($flow) ;
+
 		                        foreach ($vars as $var){
+		                            if($var instanceof ValueSymbol){
+		                                continue ;
+		                            }
 		                            $varName = $this->getVarName($var) ;
 		                            if(in_array($varName, $this->sourcesArr)){
 		                                //报告漏洞
 		                                $path = $fileSummary->getPath() ;
 		                                $this->report($path, $path, $node, $flow->getLocation(),$type) ;
-		                                return ;
+		                                continue ;
+		                            }else{
+		                                $this->multiBlockHandler($block_item, $varName, $node,$fileSummary) ;
 		                            }
-		                            $this->multiBlockHandler($block_item, $varName, $node,$fileSummary) ;
 		                        }
 		                        return ;
 		                    }else{
@@ -452,7 +417,6 @@ public function multiBlockHandler($block, $argName, $node, $fileSummary, $flowNu
 		            }else{
 		                //对于每个flow,寻找变量argName
 		                foreach ($flows as $flow){
-		                    $flowNum ++;
 		                    if($flow->getName() == $argName){
 		                        //处理净化信息,如果被编码或者净化则返回safe
 		                        //先对左边的变量进行查询
@@ -483,7 +447,7 @@ public function multiBlockHandler($block, $argName, $node, $fileSummary, $flowNu
 		                                //报告漏洞
 		                                $path = $fileSummary->getPath() ;
 		                                $this->report($path, $path, $node, $flow->getLocation(),$type) ;
-		                                //return true ;
+		                                continue ;
 		                            }else{
 		                                //首先进行文件夹的分析
 		                                //首先根据fileSummary获取到fileSummaryMap
@@ -492,17 +456,15 @@ public function multiBlockHandler($block, $argName, $node, $fileSummary, $flowNu
 		                                    $block, 
 		                                    $varName, 
 		                                    $node, 
-		                                    $fileSummaryMap,
-		                                    $flowNum
+		                                    $fileSummaryMap
 		                                ) ;
 
 		                                //文件间分析失败，递归
 		                                $ret = $this->multiBlockHandler(
 		                                    $block_item, 
 		                                    $varName, 
 		                                    $node, 
-		                                    $fileSummary,
-		                                    $flowNum
+		                                    $fileSummary
 		                                ) ;
 		                            }
 		                        }
@@ -684,7 +646,7 @@ public function analysis($block, $node, $argName, $fileSummary){
 	        $block_list = $this->pathArr ;
 	        array_push($block_list, $block) ;
 	        //首先，在当前基本块中探测变量，如果有source和不完整的santi则报告漏洞
-	        $this->currBlockTaintHandler($block, $node, $argName, $fileSummary) ;
+	        //$this->currBlockTaintHandler($block, $node, $argName, $fileSummary) ;
 	        //多个基本块的处理
 	        $this->pathArr = array() ;
 	        $this->multiBlockHandler($block, $argName, $node, $fileSummary) ;
@@ -700,12 +662,12 @@ public function analysis($block, $node, $argName, $fileSummary){
 	 * @param string 漏洞的类型
 	 */
 	public function report($node_path, $var_path, $node, $var, $type){
-		echo "<pre>" ;
-		echo "有漏洞=====>". $type ."<br/>" ;
-		echo "漏洞变量：<br/>" ;
-		print_r($var) ;
-		echo "漏洞节点：<br/>" ;
-		print_r($node) ;
+// 		echo "<pre>" ;
+// 		echo "有漏洞=====>". $type ."<br/>" ;
+// 		echo "漏洞变量：<br/>" ;
+// 		print_r($var) ;
+// 		echo "漏洞节点：<br/>" ;
+// 		print_r($node) ;
 
 		//获取结果集上下文
 		$resultContext = ResultContext::getInstance() ;