add sanitization in fileSummary

xyw55 · xyw55 · commit ca8547505970 · 2015-05-14T14:41:51.000+08:00
diff --git a/CFGGenerator.php b/CFGGenerator.php
@@ -165,7 +165,6 @@ private function assignHandler($node,$block,$dataFlow,$type){
 		}else{
 			return ;
 		}
-		
 
 		//处理$GLOBALS的赋值
 		//$GLOBAL['name'] = "chongrui" ; 数据流信息为 $name = "chongrui" ;
@@ -1043,9 +1042,20 @@ public function sinkTracebackBlock($argName,$block,$flowsNum){
 	}
 }
 
+
 echo "<pre>" ;
 //从用户那接受项目路径
 $project_path = 'F:/wamp/www/phpvulhunter/test';
+//初始化
+$initModule = new InitModule() ;
+$initModule->init($project_path) ;
+
+//$path = 'F:/wamp/www/phpvulhunter/test/simple_demo.php';
+//$absPath = $path;
+//$ret = FileSummaryGenerator::getFileSummary($absPath);
+//print_r($ret);
+//FileSummaryGenerator::getIncludeFilesDataFlows($ret);
+
 $cfg = new CFGGenerator() ;
 $visitor = new MyVisitor() ;
 $parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative) ;
@@ -1067,7 +1077,7 @@ public function sinkTracebackBlock($argName,$block,$flowsNum){
 $sanitiFuncContext = UserSanitizeFuncConetxt::getInstance();
 // print_r($sanitiFuncContext);
 $sinkContext = UserDefinedSinkContext::getInstance();
-//print_r($sinkContext);
+// print_r($sinkContext);
 // $context = Context::getInstance() ;
 // $funcName = "goods:buy";
 // $funcBody = $context->getClassMethodBody($funcName,$path,$fileSummary->getIncludeMap());
diff --git a/FileSummaryGenerator.php b/FileSummaryGenerator.php
@@ -15,12 +15,16 @@ public static function getIncludeFilesDataFlows($fileSummary){
             $fileSummaryContext = FileSummaryContext::getInstance();           
             $ret = $fileSummaryContext->findSummaryByPath($absPath);
             if ($ret){
+                //查看此文件是否有include文件
+                $pRetFlows = self::getIncludeFilesDataFlows($ret);
+                $retFlows = array_merge($pRetFlows, $retFlows);
+                
                 $dataFlows = $ret->getFlowsMap();
                 $retFlows = array_merge($dataFlows, $retFlows);
             }else{
-                $fileSummary = self::getFileSummary($absPath);
-                if ($fileSummary)
-                    $retFlows = array_merge($fileSummary->getFlowsMap(), $retFlows);
+                $includeFileSummary = self::getFileSummary($absPath);
+                if ($includeFileSummary)
+                    $retFlows = array_merge($includeFileSummary->getFlowsMap(), $retFlows);
             }
         }
         //return all files dataFlows
@@ -45,17 +49,33 @@ public static function getFileSummary($absPath){
 	    
 	    $fileSummary = new FileSummary();
 	    $fileSummary->setPath($absPath);
+	    
+	    $currBlock = new BasicBlock() ;
+	    foreach ($nodes as $node){
+	        //搜集节点中的require include require_once include_once的PHP文件名称
+	        $fileSummary->addIncludeToMap(NodeUtils::getNodeIncludeInfo($node)) ;
+	        	
+	        if(!is_object($node)) continue ;
+	        	
+	        //不分析函数定义
+	        if($node->getType() == "Stmt_Function"){
+	            continue ;
+	        }
+	        $currBlock->addNode($node);
+	    }
+	    
+	    
 	    $fileSummaryGenerator = new FileSummaryGenerator();
-	    $fileSummaryGenerator->simulate($nodes, $fileSummary);
+	    $fileSummaryGenerator->simulate($currBlock, $fileSummary);
 	    return $fileSummary;
 	}
 	
 	/**
 	 * 得到该文件的dataFlows
 	 * @param Nodes $nodes
 	 */
-	public function simulate($nodes, $fileSummary){
-	    
+	public function simulate($block, $fileSummary){
+	    $nodes = $block->getContainedNodes();
 	    //循环nodes集合，搜集信息加入到中
 	    foreach ($nodes as $node){
 	        //搜集节点中的require include require_once include_once的PHP文件名称
@@ -65,20 +85,22 @@ public function simulate($nodes, $fileSummary){
 	            //处理赋值语句
 	            case 'Expr_Assign':
 	                $dataFlow = new DataFlow() ;
-	                $this->assignHandler($node, $dataFlow, "left") ;
-	                $this->assignHandler($node, $dataFlow, "right") ;
+	                $this->assignHandler($node, $dataFlow, "left", $block, $fileSummary) ;
+	                $this->assignHandler($node, $dataFlow, "right", $block, $fileSummary) ;
 	                //处理完一条赋值语句，加入DataFlowMap
 	                $fileSummary->addDataFlow($dataFlow);
+	                $block->getBlockSummary()->addDataFlowItem($dataFlow);
 	                break ;
 	    
 	            //处理字符串连接赋值
 	            //$sql .= "from users where"生成sql => "from users where"
 	            case 'Expr_AssignOp_Concat':
 	                $dataFlow = new DataFlow() ;
-	                $this->assignConcatHandler($node, $dataFlow, "left") ;
-	                $this->assignConcatHandler($node, $dataFlow, "right") ;
+	                $this->assignConcatHandler($node, $dataFlow, "left", $block, $fileSummary) ;
+	                $this->assignConcatHandler($node, $dataFlow, "right", $block, $fileSummary) ;
 	                //处理完一条赋值语句，加入DataFlowMap
 	                $fileSummary->addDataFlow($dataFlow);
+	                $block->getBlockSummary()->addDataFlowItem($dataFlow);
 	                break ;
 	           default:
 	               break;
@@ -92,7 +114,7 @@ public function simulate($nodes, $fileSummary){
 	 * @param DataFlow $dataFlow
 	 * @param string $type
 	 */
-	public function assignHandler($node, $dataFlow, $type){
+	public function assignHandler($node, $dataFlow, $type, $block, $fileSummary){
 	    $part = null ;
 	    if($type == "left"){
 	        $part = $node->var ;
@@ -174,15 +196,22 @@ public function assignHandler($node, $dataFlow, $type){
 	        }else if($type == "right"){
 	            $dataFlow->setValue($concat) ;
 	        }
-	    }else{
+	    }elseif($part && $part->getType() == "Expr_Ternary"){
+			//处理三元表达式
+			$ter_symbol = new MutipleSymbol() ;
+			$ter_symbol->setItemByNode($part) ;
+			if($type == 'right'){
+				$dataFlow->setValue($ter_symbol) ;
+			}
+		}else{
 	        //不属于已有的任何一个symbol类型,如函数调用
 	        if($part && $part->getType() == "Expr_FuncCall"){
                 if($type == "left"){
     	            $dataFlow->setLocation($arr) ;
     	            $dataFlow->setName(NodeUtils::getNodeStringName($part)) ;
     	        }else if($type == "right"){
                     //处理净化信息和编码信息
-                    //SanitizationHandler::setSanitiInfo($part, $dataFlow, $this->fileSummary) ;
+                    SanitizationHandler::setSanitiInfo($part, $dataFlow, $block, $fileSummary) ;
                     //EncodingHandler::setEncodeInfo($part, $dataFlow) ;
                 }
 	        }
@@ -196,8 +225,8 @@ public function assignHandler($node, $dataFlow, $type){
 	 * @param DataFlow $dataFlow
 	 * @param string $type
 	 */
-	private function assignConcatHandler($node, $dataFlow, $type){
-	    $this->assignHandler($node, $dataFlow, $type) ;
+	private function assignConcatHandler($node, $dataFlow, $type, $block, $fileSummary){
+	    $this->assignHandler($node, $dataFlow, $type, $block, $fileSummary) ;
 	}
 	
 }
diff --git a/symbols/SanitizationHandler.class.php b/symbols/SanitizationHandler.class.php
@@ -15,7 +15,7 @@ class SanitizationHandler {
 	 * @param Node $node
 	 * @param 数据流 $dataFlow
 	 */
-	public static function setSanitiInfo($node,$dataFlow,$block, $fileSummary ){
+	public static function setSanitiInfo($node, $dataFlow, $block, $fileSummary ){
 	    $dataFlows = $block->getBlockSummary()->getDataFlowMap();
 	    $sanitiInfo = self::SantiniFuncHandler($node, $fileSummary);
 	    //print_r($sanitiInfo);
