bugfix for functionRecursive

Author: xyw55

CFGGenerator.php

@@ -527,38 +527,6 @@ public function functionHandler($node, $block, $fileSummary){
 			//check
 	        if(!$funcBody || !is_object($funcBody)) return ;
 
-	        //处理递归
-	        if($funcBody->getType() == "Stmt_Function"){
-	            $traverser = new PhpParser\NodeTraverser;
-	            $visitor = new RecursionFunctionVisitor() ;
-	            $visitor->funcName = $funcName ;
-	            $traverser->addVisitor($visitor) ;
-	            $traverser->traverse(array($funcBody)) ;
-	            if($visitor->isRecursion == true){
-	                return ;
-	            }
-	        }else if($funcBody->getType() == "Stmt_ClassMethod"){
-	            $traverser = new PhpParser\NodeTraverser;
-	            $visitor = new RecursionFunctionVisitor() ;
-	            $visitor->funcName = $funcName ;
-	            $traverser->addVisitor($visitor) ;
-	            $traverser->traverse(array($funcBody)) ;
-	            if($visitor->isRecursion == true){
-	                return ;
-	            }
-	        
-	        }else if($funcBody->getType() == "Stmt_StaticCall"){
-	            $traverser = new PhpParser\NodeTraverser;
-	            $visitor = new RecursionFunctionVisitor() ;
-	            $visitor->funcName = $funcName ;
-	            $traverser->addVisitor($visitor) ;
-	            $traverser->traverse(array($funcBody)) ;
-	            if($visitor->isRecursion == true){
-	                return ;
-	            }
-	             
-	        }
-	        
 	        if($funcBody->getType() == "Stmt_ClassMethod"){
 	        	$funcBody->stmts = $funcBody->stmts[0] ;
 	        }
@@ -882,51 +850,7 @@ public function leaveNode(Node $node) {
 }
 
 
-/**
- * 处理递归语句
- * 如果是递归，则返回true
- * @author Exploit
- *
- */
-class RecursionFunctionVisitor extends PhpParser\NodeVisitorAbstract{
-    public $funcName ;
-    public $isRecursion = false;
-    public function leaveNode(Node $node){
-        //方法调用
-        if($node->getType() == "Expr_FuncCall"){
-            if($node->name == $this->funcName){
-                $this->isRecursion = true ;
-            }
-        }
-
-        //静态方法
-        if($node->getType() == "Expr_StaticCall"){
-            $name = explode(":", $this->funcName) ;
-            if(count($name) >= 2){
-                $name = $name[1] ;
-            }else{
-                $name = $this->funcName ;
-            }
 
-            if($node->name == $name){
-                $this->isRecursion = true ;
-            }
-        }
-
-        //类方法
-        if($node->getType() == "Expr_MethodCall"){
-            $name = explode(":", $this->funcName) ;
-            if(count($name) >= 2){
-                $name = $name[1] ;
-            }else{
-                $name = $this->funcName ;
-            }
-            if($node->name == $name){
-                $this->isRecursion = true ;
-            }
-        }
-    }
-}
 
 class nodeFunctionVisitor extends PhpParser\NodeVisitorAbstract{
     public $block;
@@ -943,6 +867,7 @@ public function leaveNode(Node $node){
         }
     }
 }
+
 /**
  * 处理方法调用
  * @author Exploit
@@ -1147,35 +1072,40 @@ public function sinkTracebackBlock($argName,$block,$flowsNum){
 }
 
 
-//扫描漏洞类型
-$scan_type = 'ALL';
-echo "<pre>" ;
+// //扫描漏洞类型
+// $scan_type = 'ALL';
+// echo "<pre>" ;
+
+// //从用户那接受项目路径
+// $project_path = 'C:/Users/xyw55/Desktop/test/74cms_3.3';
+// // $project_path = 'E:/School_of_software/information_security/PHPVulScanner_project/simple-log_v1.3.12/upload/';
+// // $project_path = "D:/MySoftware/wamp/www/code/phpvulhunter/test/test.php" ;
+// // $project_path = "E:/School_of_software/information_security/PHPVulScanner_project/74cms_3.3/" ;
+
+// $allFiles = FileUtils::getPHPfile($project_path);
 
-//从用户那接受项目路径
-$project_path = 'E:/School_of_software/information_security/PHPVulScanner_project/simple-log_v1.3.12/upload/';
-$project_path = "D:/MySoftware/wamp/www/code/phpvulhunter/test/test.php" ;
-$project_path = "E:/School_of_software/information_security/PHPVulScanner_project/74cms_3.3/" ;
-$allFiles = FileUtils::getPHPfile($project_path);
+// //初始化
+// $initModule = new InitModule() ;
+// $initModule->init($project_path, $allFiles) ;
 
-//初始化
-$initModule = new InitModule() ;
-$initModule->init($project_path, $allFiles) ;
 
-$cfg = new CFGGenerator() ;
-$visitor = new MyVisitor() ;
-$parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative) ;
-$traverser = new PhpParser\NodeTraverser ;
-$path = CURR_PATH . '/test/test.php';
-$cfg->getFileSummary()->setPath($path);
-$code = file_get_contents($path);
-$stmts = $parser->parse($code) ;
-$traverser->addVisitor($visitor) ;
-$traverser->traverse($stmts) ;
-$nodes = $visitor->getNodes() ;
-$pEntryBlock = new BasicBlock() ;
-$pEntryBlock->is_entry = true ;
-$ret = $cfg->CFGBuilder($nodes, NULL, NULL, NULL) ;
+// $cfg = new CFGGenerator() ;
+// $visitor = new MyVisitor() ;
+// $parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative) ;
+// $traverser = new PhpParser\NodeTraverser ;
+// $path = CURR_PATH . '/test/test.php';
+// $path = 'C:/Users/xyw55/Desktop/test/74cms_3.3/admin/api/locoyspider.php';
+// $cfg->getFileSummary()->setPath($path);
+// $code = file_get_contents($path);
+// $stmts = $parser->parse($code) ;
+// $traverser->addVisitor($visitor) ;
+// $traverser->traverse($stmts) ;
+// $nodes = $visitor->getNodes() ;
+// $pEntryBlock = new BasicBlock() ;
+// $pEntryBlock->is_entry = true ;
+// $ret = $cfg->CFGBuilder($nodes, NULL, NULL, NULL) ;
 
+// echo '456';
 
 
 ?>

FileSummaryGenerator.php

@@ -8,8 +8,8 @@ class FileSummaryGenerator {
      * @return array(fileSummarys)
      */
     public static function getIncludeFilesDataFlows($fileSummary){
-        if (!is_object($fileSummary)){
-            return null;
+        if (is_object($fileSummary)){
+            return;
         }
         //1.得到include files
         $includeFiles = $fileSummary->getIncludeMap();
@@ -53,7 +53,7 @@ public static function getIncludeFilesDataFlows($fileSummary){
 	public static function getFileSummary($absPath){
 	    if (!$absPath){
 	        return ;
-	    }
+		}
 	    $visitor = new MyVisitor() ;
 	    $parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative) ;
 	    $traverser = new PhpParser\NodeTraverser ;

context/ClassFinder.php

@@ -145,8 +145,47 @@ public function getClassMethodBody($funcName,$path,$require_array){
                 }
 	        }
 	    }
-	    $ret = $this->getFunction($path, $method);
-	    return $ret;
+	    
+	    $funcBody = $this->getFunction($path, $method);
+
+   
+	    //check
+	    if(!$funcBody || !is_object($funcBody)) return ;
+	    	
+	    //处理递归
+	    if($funcBody->getType() == "Stmt_Function"){
+	        $traverser = new PhpParser\NodeTraverser;
+	        $visitor = new RecursionFunctionVisitor() ;
+	        $visitor->funcName = $funcName ;
+	        $traverser->addVisitor($visitor) ;
+	        $traverser->traverse(array($funcBody)) ;
+	        if($visitor->isRecursion == true){
+	            return null;
+	        }
+	    }else if($funcBody->getType() == "Stmt_ClassMethod"){
+	        $traverser = new PhpParser\NodeTraverser;
+	        $visitor = new RecursionFunctionVisitor() ;
+	        $visitor->funcName = $funcName ;
+	        $traverser->addVisitor($visitor) ;
+	        $traverser->traverse(array($funcBody)) ;
+	        if($visitor->isRecursion == true){
+	            return null;
+	        }
+	         
+	    }else if($funcBody->getType() == "Stmt_StaticCall"){
+	        $traverser = new PhpParser\NodeTraverser;
+	        $visitor = new RecursionFunctionVisitor() ;
+	        $visitor->funcName = $funcName ;
+	        $traverser->addVisitor($visitor) ;
+	        $traverser->traverse(array($funcBody)) ;
+	        if($visitor->isRecursion == true){
+	            return null;
+	        }
+	    
+	    }
+        
+	    
+	    return $funcBody;
 	}
 
     /**
@@ -341,28 +380,6 @@ public function leaveNode(Node $node){
 }
 
 
-
-class InFunctionVisitor extends PhpParser\NodeVisitorAbstract{
-    public $isSameFunction = false;
-    public $funcName;
-    public function leaveNode(PhpParser\Node $node){
-        if(($node->getType() == 'Expr_FuncCall' ||
-            $node->getType() == 'Expr_MethodCall' ||
-            $node->getType() == 'Expr_StaticCall'||
-            $node->getType() == "Expr_Isset")){
-            $funcName = NodeUtils::getNodeFunctionName($node);
-            
-            $funcName = substr($funcName, strpos($funcName, ':')+1);
-            if ($funcName == $this->funcName){
-                $this->isSameFunction = true;
-                return ;
-            }
-    
-
-        }
-    }
-}
-
 /*
 	用来获取方法体的遍历
 */
@@ -371,20 +388,12 @@ class FunctionBodyVisitor extends PhpParser\NodeVisitorAbstract{
 	public $startLine ;
 	public $endLine ;
     public $funcName ;
+    private $isSameFunction = false;
 
 	public function leaveNode(PhpParser\Node $node){
-		if(($node->getAttribute('startLine') == $this->startLine) && ($node->getAttribute('endLine') == $this->endLine)){
-		    $parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative) ;
-		    $visitor = new InFunctionVisitor ;
-		    $traverser = new PhpParser\NodeTraverser ;
-		    $visitor->funcName = $this->funcName;
-		    $traverser->addVisitor($visitor) ;
-		    $traverser->traverse(array($node)) ;
-		    
-		    if ($visitor->isSameFunction){
-		        return ;		        
-		    }
-		    $this->func_body = $node ;
+		if(($node->getAttribute('startLine') == $this->startLine) && 
+		    ($node->getAttribute('endLine') == $this->endLine)){
+		        $this->func_body = $node ;
 		}
 
 	}
@@ -396,6 +405,53 @@ public function getFunctionBody(){
 }
 
 
+/**
+ * 处理递归语句
+ * 如果是递归，则返回true
+ * @author Exploit
+ *
+ */
+class RecursionFunctionVisitor extends PhpParser\NodeVisitorAbstract{
+    public $funcName ;
+    public $isRecursion = false;
+    public function leaveNode(Node $node){
+        //方法调用
+        if($node->getType() == "Expr_FuncCall"){
+            if($node->name == $this->funcName){
+                $this->isRecursion = true ;
+            }
+        }
+
+        //静态方法
+        if($node->getType() == "Expr_StaticCall"){
+            $name = explode(":", $this->funcName) ;
+            if(count($name) >= 2){
+                $name = $name[1] ;
+            }else{
+                $name = $this->funcName ;
+            }
+
+            if($node->name == $name){
+                $this->isRecursion = true ;
+            }
+        }
+
+        //类方法
+        if($node->getType() == "Expr_MethodCall"){
+            $name = explode(":", $this->funcName) ;
+            if(count($name) >= 2){
+                $name = $name[1] ;
+            }else{
+                $name = $this->funcName ;
+            }
+            if($node->name == $name){
+                $this->isRecursion = true ;
+            }
+        }
+    }
+}
+
+
 /*
 	遍历出审计工程中的所有代码
 	并抽取出所有类的信息

main.php

@@ -106,6 +106,7 @@ function convertResults($resContext){
 }
 
 $scan_type = $scanType = strtoupper($scan_type);
+$encoding = strtoupper($encoding);
 $project_path = str_replace(array('\\','//'), '/', $project_path);
 $scan_path = str_replace(array('\\','//'), '/', $scan_path);