update web UI and bugfix for sanitizationHandler

Author: xyw55

CFGGenerator.php

@@ -257,7 +257,7 @@ private function assignHandler($node,$block,$dataFlow,$type){
 		            }else{
 		                //检查是否为sink函数
 		                $this->functionHandler($part, $block, $this->fileSummary);
-		    
+		                  
 		                //处理净化信息和编码信息
 		                SanitizationHandler::setSanitiInfo($part,$dataFlow, $block, $this->fileSummary) ;
 		                EncodingHandler::setEncodeInfo($part, $dataFlow, $block, $this->fileSummary) ;
@@ -520,7 +520,6 @@ public function functionHandler($node, $block, $fileSummary){
             	$this->fileSummary->getIncludeMap()
 	        );
 
-			
 			//check
 	        if(!$funcBody || !is_object($funcBody)) return ;
 
@@ -1144,36 +1143,36 @@ public function sinkTracebackBlock($argName,$block,$flowsNum){
 }
 
 
-//扫描漏洞类型
-$scan_type = 'ALL';
-echo "<pre>" ;
+// //扫描漏洞类型
+// $scan_type = 'ALL';
+// echo "<pre>" ;
 
 
 // //从用户那接受项目路径
-// $project_path = 'E:/School_of_software/information_security/PHPVulScanner_project/simple-log_v1.3.12/upload/';
+// $project_path = 'C:/Users/xyw55/Desktop/test/74cms_3.3';
 // //$project_path = "D:/MySoftware/wamp/www/code/phpvulhunter/test/test.php" ;
 // $allFiles = FileUtils::getPHPfile($project_path);
 // //初始化
 // $initModule = new InitModule() ;
 // $initModule->init($project_path, $allFiles) ;
 
+// echo '123';
+// $cfg = new CFGGenerator() ;
+// $visitor = new MyVisitor() ;
+// $parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative) ;
+// $traverser = new PhpParser\NodeTraverser ;
+// $path = CURR_PATH . '/test/test.php';
+// $cfg->getFileSummary()->setPath($path);
+// $code = file_get_contents($path);
+// $stmts = $parser->parse($code) ;
+// $traverser->addVisitor($visitor) ;
+// $traverser->traverse($stmts) ;
+// $nodes = $visitor->getNodes() ;
+// $pEntryBlock = new BasicBlock() ;
+// $pEntryBlock->is_entry = true ;
+// $ret = $cfg->CFGBuilder($nodes, NULL, NULL, NULL) ;
 
-$cfg = new CFGGenerator() ;
-$visitor = new MyVisitor() ;
-$parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative) ;
-$traverser = new PhpParser\NodeTraverser ;
-$path = CURR_PATH . '/test/test.php';
-$cfg->getFileSummary()->setPath($path);
-$code = file_get_contents($path);
-$stmts = $parser->parse($code) ;
-$traverser->addVisitor($visitor) ;
-$traverser->traverse($stmts) ;
-$nodes = $visitor->getNodes() ;
-$pEntryBlock = new BasicBlock() ;
-$pEntryBlock->is_entry = true ;
-$ret = $cfg->CFGBuilder($nodes, NULL, NULL, NULL) ;
-
-
+//echo '456';
 
 
 

CodeViewer.php

@@ -21,10 +21,20 @@
 }
 
 // $fp = htmlspecialchars($fp); js按特定的方式处理子串，不需要html编码。
+// $in_charset = mb_detect_encoding($sink_fp) ;
+// $sink_fp = iconv($in_charset, "UTF-8", $sink_fp) ;
 
+// if ($arg_fp){
+//     $in_charset = mb_detect_encoding($arg_fp) ;
+//     $arg_fp = iconv($in_charset, "UTF-8", $arg_fp) ;
+// }
 $data = array("flag"=>true, "msg_sink"=>$sink_fp, "msg_arg"=>$arg_fp);
 
-$data = json_encode($data);
+// echo $sink_fp;
+
+//$data = json_encode($data);
+
+$data = '{"flag":true,"msg_sink":"'.$sink_fp.'","msg_arg":"'.$arg_fp.'"}';
 
 echo $data;
 

analyser/TaintAnalyser.class.php

@@ -179,7 +179,7 @@ public function getPrevBlocks($currBlock){
 				}
 			}else{
 				//前驱节点有多个
-				if(!in_array($blocks,$this->pathArr)){
+				if(!in_array($blocks,$this->pathArr,true)){
 					array_push($this->pathArr,$blocks) ;
 				} 
 			}

data/fileSummaryConetxtSerialData/C__Users_xyw55_Desktop_test_74cms_3.3

@@ -127,7 +127,7 @@ function convertResults($resContext){
 $fileName = str_replace('/', '_', $scan_path);
 $fileName = str_replace(':', '_', $fileName);
 $serialPath = CURR_PATH . "/data/resultConetxtSerialData/" . $fileName;
-
+sleep(10);
 if (!is_file($serialPath)){
     //创建文件
     $fileHandler = fopen($serialPath, 'w');

data/fileSummaryConetxtSerialData/C__Users_xyw55_Desktop_test_she1.1_phpshe1.1

@@ -19,7 +19,7 @@ public static function setSanitiInfo($node, $dataFlow, $block, $fileSummary){
 
 	    $dataFlows = $block->getBlockSummary()->getDataFlowMap();
 	    $sanitiInfo = self::SantiniFuncHandler($node, $fileSummary);
-
+	    $sanitiInfo=null;
 	    if($sanitiInfo){
 	        $args = NodeUtils::getFuncParamsNode($node);
 	        if (count($args) > 0){
@@ -233,7 +233,7 @@ public static function SantiniFuncHandler($node, $fileSummary){
 
 	        $funcBody = $context->getClassMethodBody($funcName, $path, $require_array);
 	        if(!$funcBody) return null;
-	        
+
 	        $visitor = new SanitiFunctionVisitor();
 	        $parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative) ;
 	        $traverser = new PhpParser\NodeTraverser ;
@@ -374,11 +374,13 @@ public function leaveNode(Node $node){
                 $context = Context::getInstance() ;
                 $funcBody = $context->getFunctionBody($this->funcName);
                 if(!$funcBody) return null;
+
                 $nodes = $funcBody->stmts;
                 $cfg = new CFGGenerator() ;
                 $block = $cfg->CFGBuilder($nodes, NULL, NULL, NULL) ;
 
                 $ret = $this->sanitiMultiBlockHandler($node->expr,$block);
+
                 if ($ret[0]){
                     $type = array_intersect($this->sanitiInfo['type'], $ret['type']);
                     $this->sanitiInfo = array(true,'type'=>$type);
@@ -468,47 +470,55 @@ public function sanitiMultiBlockHandler($arg, $block, $flowsNum=0){
 
         $flows = $block->getBlockSummary()->getDataFlowMap();
         //当前块flows没有遍历完
-        if(count($flows) != $flowsNum)
+        if(count($flows) != $flowsNum){
             return $this->sanitiTracebackBlock($arg, $block, $flowsNum);
-        
+        }else {
+            $flowsNum = 0;
+        }
         if($blockList == null || count($blockList) == 0){
             return  ;
         }
 
         if(!is_array($blockList[0])){
             //如果不是平行结构
             $flows = $block->getBlockSummary()->getDataFlowMap();
-            if(count($flows) == $flowsNum){
+            if(!$flowsNum){
                 $block = $blockList[0];
                 $ret = $this->sanitiTracebackBlock($arg, $block, 0);
                 return $ret;
             }
             $ret = $this->sanitiTracebackBlock($arg, $block, $flowsNum);
             return $ret;
         }else{
+            
             //平行结构
             //分别遍历每一个平行基本块及其以上，对得到的净化信息，合并共有的，返回
             global $SECURES_TYPE_ALL;
             $retarr = $SECURES_TYPE_ALL;
+            $isFind = false;
             foreach ($blockList[0] as $block){
+
                 $flows = $block->getBlockSummary()->getDataFlowMap();
-                if(count($flows) == $flowsNum){
+                if(!$flowsNum){
+                    $ret = null;
                     $ret = $this->sanitiTracebackBlock($arg, $block, 0);
-                    if ($ret[0])
+                    if ($ret[0]){
                         $retarr = array_intersect($ret, $retarr);
-                    else 
-                        return array(false); 
+                        $isFind = true;
+                    }
                 }else{
                     $ret = $this->sanitiTracebackBlock($arg, $block, $flowsNum);
                     if ($ret[0]){
                         $retarr = array_intersect($ret['type'], $retarr);
+                        $isFind = true;
                     }
-                    else
-                        return array(false);
                 }
             }
-            return array(true,'type'=>$retarr);
-            
+            if ($isFind){
+                return array(true,'type'=>$retarr);
+            }else{
+                return array(false);
+            }
         }
 
     }

data/fileSummaryConetxtSerialData/C__Users_xyw55_Desktop_test_simple-log_v1.3.1_upload

@@ -1,12 +1,11 @@
 <?php
-if(1){
-    echo 1 ;
-}
-$id=intval($_GET['id']);
-$info=mysql_query("select * from ".table('members')." where uid='{$id}' LIMIT 1");
+define('IN_QISHI', true);
+require_once(dirname(__FILE__).'/../data/config.php');
+require_once(dirname(__FILE__).'/include/admin_common.inc.php');
+require_once(ADMIN_ROOT_PATH.'include/admin_article_fun.php');
+require_once(ADMIN_ROOT_PATH.'include/upload.php');
+
+$article = get_news($offset, $perpage,$joinsql.$wheresql.$oederbysql);
 
-if(3){
-    echo 3 ;
-}
 
 ?>

data/resultConetxtSerialData/C__Users_xyw55_Desktop_test_74cms_3.3_admin

@@ -16,47 +16,46 @@ public function __construct($block){
     }
 
     /**
-     * 获取当前基本块的所有前驱基本块
-     * @param BasicBlock $block
-     * @return Array 返回前驱基本块集合$this->pathArr
-     * 使用该方法时，需要对类属性$this->pathArr进行初始化
-     */
-    public function getPrevBlocks($currBlock){
-        if($currBlock != null){
-            $blocks = array() ;
-            $edges = $currBlock->getInEdges();
-             
-            //如果到达了第一个基本块则返回
-            if(!$edges) return $this->pathArr;
-             
-            foreach ($edges as $edge){
-                array_push($blocks, $edge->getSource()) ;
-            }
-             
-            if(count($blocks) == 1){
-                //前驱的节点只有一个
-                if(!in_array($blocks[0],$this->pathArr)){
-                    array_push($this->pathArr,$blocks[0]) ;
-                }
-            }else{
-                //前驱节点有多个
-                if(!in_array($blocks,$this->pathArr)){
-                    array_push($this->pathArr,$blocks) ;
-                }
-            }
-
-            //递归
-            foreach($blocks as $bitem){
-                if(!is_array($bitem)){
-                    $this->getPrevBlocks($bitem);
-                }else{
-                    $this->getPrevBlocks($bitem[0]) ;
-                }
-
-            }
-
-        }
-    }
+	 * 获取当前基本块的所有前驱基本块
+	 * @param BasicBlock $block
+	 * @return Array 返回前驱基本块集合$this->pathArr
+	 * 使用该方法时，需要对类属性$this->pathArr进行初始化
+	 */
+	public function getPrevBlocks($currBlock){
+		if($currBlock != null){
+			$blocks = array() ;
+			$edges = $currBlock->getInEdges();
+			//如果到达了第一个基本块则返回
+			if(!$edges) return $this->pathArr;
+			
+			foreach ($edges as $edge){
+				array_push($blocks, $edge->getSource()) ;
+			}
+			
+			if(count($blocks) == 1){
+				//前驱的节点只有一个
+				if(!in_array($blocks[0],$this->pathArr,true)){
+					array_push($this->pathArr,$blocks[0]) ;
+				}
+			}else{
+				//前驱节点有多个
+				if(!in_array($blocks,$this->pathArr,true)){
+					array_push($this->pathArr,$blocks) ;
+				} 
+			}
+		
+			//递归
+			foreach($blocks as $bitem){
+				if(!is_array($bitem)){
+					$this->getPrevBlocks($bitem);
+				}else{
+					$this->getPrevBlocks($bitem[0]) ;
+				}
+				
+			}
+		
+		}
+	}
 
 }
 ?>