1 | <?php |
2 | |
3 | namespace SecurityCheckPlugin; |
4 | |
use ast\Node;
use Phan\Language\Element\Variable;
use Phan\Language\Scope;
use Phan\Language\UnionType;
7 | |
8 | /** |
9 | * Class for visiting any nodes we want to handle in pre-order. |
10 | * |
11 | * Copyright (C) 2017 Brian Wolff <bawolff@gmail.com> |
12 | * |
13 | * This program is free software; you can redistribute it and/or modify |
14 | * it under the terms of the GNU General Public License as published by |
15 | * the Free Software Foundation; either version 2 of the License, or |
16 | * (at your option) any later version. |
17 | * |
18 | * This program is distributed in the hope that it will be useful, |
19 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
20 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
21 | * GNU General Public License for more details. |
22 | * |
23 | * You should have received a copy of the GNU General Public License along |
24 | * with this program; if not, write to the Free Software Foundation, Inc., |
25 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
26 | */ |
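class MWPreVisitor extends PreTaintednessVisitor {
	/**
	 * Set taint for certain hook types.
	 *
	 * Also handles FuncDecl. Only methods that MediaWikiHooksHelper reports as
	 * special hook subscribers ('!ParserFunctionHook', '!ParserHook') get extra
	 * handling; everything else is left to the parent visitor.
	 *
	 * @param Node $node AST_METHOD / AST_FUNC_DECL node
	 */
	public function visitMethod( Node $node ): void {
		parent::visitMethod( $node );

		$fqsen = $this->context->getFunctionLikeFQSEN();
		$hookType = MediaWikiHooksHelper::getInstance()->isSpecialHookSubscriber( $fqsen );
		if ( !$hookType ) {
			return;
		}
		$params = $node->children['params']->children;

		switch ( $hookType ) {
			case '!ParserFunctionHook':
				$this->setFuncHookParamTaint( $params );
				break;
			case '!ParserHook':
				$this->setTagHookParamTaint( $params );
				break;
		}
	}

	/**
	 * Look up the scope variable backing a formal parameter.
	 *
	 * Hook handlers are analysed without a real call site, so a parameter may
	 * have no variable in scope yet. In that case a debug message is logged on
	 * behalf of the caller and null is returned, so callers can skip the param.
	 *
	 * @param Scope $scope Scope of the function-like being visited
	 * @param Node $param AST_PARAM node
	 * @param string $caller __METHOD__ of the caller, used in the debug message
	 * @return Variable|null
	 */
	private function getParamVariable( Scope $scope, Node $param, string $caller ): ?Variable {
		$name = $param->children['name'];
		if ( !$scope->hasVariableWithName( $name ) ) {
			// Well uh-oh.
			$this->debug( $caller, "Missing variable for param \$" . $name );
			return null;
		}
		return $scope->getVariableByName( $name );
	}

	/**
	 * Mark a parameter variable as fully tainted and record the reason.
	 *
	 * @param Variable $varObj Variable backing the parameter
	 * @param string $reason Human-readable reason attached to the taint error
	 */
	private function markParamTainted( Variable $varObj, string $reason ): void {
		$argTaint = Taintedness::newTainted();
		self::setTaintednessRaw( $varObj, $argTaint );
		$this->addTaintError( $varObj, $argTaint, null, $reason );
	}

	/**
	 * Set taint for a tag hook.
	 *
	 * The parameters are:
	 *   string contents (Tainted from wikitext)
	 *   array attribs (Tainted from wikitext)
	 *   Parser object
	 *   PPFrame object
	 *
	 * The first two are marked tainted; the last two get their class type set
	 * explicitly, since without a real call site phan cannot infer it from the
	 * hook's (possibly missing) type hints.
	 *
	 * @param array $params formal parameters of tag hook
	 * @phan-param array<Node|int|string|bool|null|float> $params
	 */
	private function setTagHookParamTaint( array $params ): void {
		$scope = $this->context->getScope();

		// Only care about first 2 parameters.
		$taintedCount = min( 2, count( $params ) );
		for ( $i = 0; $i < $taintedCount; $i++ ) {
			$varObj = $this->getParamVariable( $scope, $params[$i], __METHOD__ );
			if ( $varObj === null ) {
				continue;
			}
			$this->markParamTainted( $varObj, 'tainted argument to tag hook' );
		}

		// If there are no type hints, phan won't know that the parser
		// is a parser as the hook isn't triggered from a real func call.
		$hooksHelper = MediaWikiHooksHelper::getInstance();
		$paramTypes = [
			2 => $hooksHelper->getMwParserClassFQSEN( $this->code_base )->__toString(),
			3 => $hooksHelper->getPPFrameClassFQSEN( $this->code_base )->__toString(),
		];
		foreach ( $paramTypes as $i => $type ) {
			if ( !isset( $params[$i] ) ) {
				continue;
			}
			$varObj = $this->getParamVariable( $scope, $params[$i], __METHOD__ );
			if ( $varObj === null ) {
				continue;
			}
			$varObj->setUnionType(
				UnionType::fromFullyQualifiedPHPDocString( $type )
			);
		}
	}

	/**
	 * Set the appropriate taint for a parser function hook
	 *
	 * Basically all but the first arg comes from wikitext
	 * and is tainted. The first arg is typed as the Parser class.
	 *
	 * @todo This is handling SFH_OBJECT type func hooks incorrectly.
	 * @param Node[] $params Children of the AST_PARAM_LIST
	 */
	private function setFuncHookParamTaint( array $params ): void {
		$scope = $this->context->getScope();

		// First make sure the first arg is set to be a Parser
		if ( isset( $params[0] ) ) {
			$parserVar = $this->getParamVariable( $scope, $params[0], __METHOD__ );
			if ( $parserVar !== null ) {
				$parserVar->setUnionType(
					MediaWikiHooksHelper::getInstance()->getMwParserClassFQSEN( $this->code_base )->asPHPDocUnionType()
				);
			}
		}

		foreach ( $params as $i => $param ) {
			if ( $i === 0 ) {
				// Parser object, handled above; not wikitext-derived.
				continue;
			}
			$varObj = $this->getParamVariable( $scope, $param, __METHOD__ );
			if ( $varObj === null ) {
				continue;
			}
			$this->markParamTainted( $varObj, 'tainted argument to parser hook' );
		}
	}

	/**
	 * Flag array-literal assignment targets so later HTMLForm analysis skips them.
	 *
	 * @param Node $node AST_ASSIGN node
	 */
	public function visitAssign( Node $node ): void {
		parent::visitAssign( $node );

		$lhs = $node->children['var'];
		if ( $lhs instanceof Node && $lhs->kind === \ast\AST_ARRAY ) {
			// Don't try interpreting the node as an HTMLForm specifier later on, both for performance, and because
			// resolving values might cause phan to emit issues (see test undeclaredvar3)
			// @phan-suppress-next-line PhanUndeclaredProperty
			$lhs->skipHTMLFormAnalysis = true;
		}
	}
}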