Code Coverage
 
Lines
Functions and Methods
Classes and Traits
Total
89.83% covered (warning)
89.83%
53 / 59
50.00% covered (danger)
50.00%
2 / 4
CRAP
0.00% covered (danger)
0.00%
0 / 1
MWPreVisitor
89.83% covered (warning)
89.83%
53 / 59
50.00% covered (danger)
50.00%
2 / 4
20.42
0.00% covered (danger)
0.00%
0 / 1
 visitMethod
100.00% covered (success)
100.00%
12 / 12
100.00% covered (success)
100.00%
1 / 1
4
 setTagHookParamTaint
87.50% covered (warning)
87.50%
21 / 24
0.00% covered (danger)
0.00%
0 / 1
7.10
 setFuncHookParamTaint
84.21% covered (warning)
84.21%
16 / 19
0.00% covered (danger)
0.00%
0 / 1
6.14
 visitAssign
100.00% covered (success)
100.00%
4 / 4
100.00% covered (success)
100.00%
1 / 1
3
1<?php
2
3namespace SecurityCheckPlugin;
4
5use ast\Node;
6use Phan\Language\UnionType;
7
8/**
9 * Class for visiting any nodes we want to handle in pre-order.
10 *
11 * Copyright (C) 2017  Brian Wolff <bawolff@gmail.com>
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation; either version 2 of the License, or
16 * (at your option) any later version.
17 *
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
21 * GNU General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License along
24 * with this program; if not, write to the Free Software Foundation, Inc.,
25 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 */
27class MWPreVisitor extends PreTaintednessVisitor {
28    /**
29     * Set taint for certain hook types.
30     *
31     * Also handles FuncDecl
32     * @param Node $node
33     */
34    public function visitMethod( Node $node ): void {
35        parent::visitMethod( $node );
36
37        $fqsen = $this->context->getFunctionLikeFQSEN();
38        $hookType = MediaWikiHooksHelper::getInstance()->isSpecialHookSubscriber( $fqsen );
39        if ( !$hookType ) {
40            return;
41        }
42        $params = $node->children['params']->children;
43
44        switch ( $hookType ) {
45            case '!ParserFunctionHook':
46                $this->setFuncHookParamTaint( $params );
47                break;
48            case '!ParserHook':
49                $this->setTagHookParamTaint( $params );
50                break;
51        }
52    }
53
54    /**
55     * Set taint for a tag hook.
56     *
57     * The parameters are:
58     *  string contents (Tainted from wikitext)
59     *  array attribs (Tainted from wikitext)
60     *  Parser object
61     *  PPFrame object
62     *
63     * @param array $params formal parameters of tag hook
64     * @phan-param array<Node|int|string|bool|null|float> $params
65     */
66    private function setTagHookParamTaint( array $params ): void {
67        // Only care about first 2 parameters.
68        $scope = $this->context->getScope();
69        for ( $i = 0; $i < 2 && $i < count( $params ); $i++ ) {
70            $param = $params[$i];
71            if ( !$scope->hasVariableWithName( $param->children['name'] ) ) {
72                // Well uh-oh.
73                $this->debug( __METHOD__, "Missing variable for param \$" . $param->children['name'] );
74                continue;
75            }
76            $varObj = $scope->getVariableByName( $param->children['name'] );
77            $argTaint = Taintedness::newTainted();
78            self::setTaintednessRaw( $varObj, $argTaint );
79            $this->addTaintError( $varObj, $argTaint, null, 'tainted argument to tag hook' );
80            // $this->debug( __METHOD__, "In $method setting param $varObj as tainted" );
81        }
82        // If there are no type hints, phan won't know that the parser
83        // is a parser as the hook isn't triggered from a real func call.
84        $hooksHelper = MediaWikiHooksHelper::getInstance();
85        $paramTypes = [
86            2 => $hooksHelper->getMwParserClassFQSEN( $this->code_base )->__toString(),
87            3 => $hooksHelper->getPPFrameClassFQSEN( $this->code_base )->__toString(),
88        ];
89        foreach ( $paramTypes as $i => $type ) {
90            if ( isset( $params[$i] ) ) {
91                $param = $params[$i];
92                if ( !$scope->hasVariableWithName( $param->children['name'] ) ) {
93                    // Well uh-oh.
94                    $this->debug( __METHOD__, "Missing variable for param \$" . $param->children['name'] );
95                } else {
96                    $varObj = $scope->getVariableByName( $param->children['name'] );
97                    $varObj->setUnionType(
98                        UnionType::fromFullyQualifiedPHPDocString( $type )
99                    );
100                }
101            }
102        }
103    }
104
105    /**
106     * Set the appropriate taint for a parser function hook
107     *
108     * Basically all but the first arg comes from wikitext
109     * and is tainted.
110     *
111     * @todo This is handling SFH_OBJECT type func hooks incorrectly.
112     * @param Node[] $params Children of the AST_PARAM_LIST
113     */
114    private function setFuncHookParamTaint( array $params ): void {
115        // First make sure the first arg is set to be a Parser
116        $scope = $this->context->getScope();
117        if ( isset( $params[0] ) ) {
118            $param = $params[0];
119            if ( !$scope->hasVariableWithName( $param->children['name'] ) ) {
120                // Well uh-oh.
121                $this->debug( __METHOD__, "Missing variable for param \$" . $param->children['name'] );
122            } else {
123                $varObj = $scope->getVariableByName( $param->children['name'] );
124                $varObj->setUnionType(
125                    MediaWikiHooksHelper::getInstance()->getMwParserClassFQSEN( $this->code_base )->asPHPDocUnionType()
126                );
127            }
128        }
129
130        foreach ( $params as $i => $param ) {
131            if ( $i === 0 ) {
132                continue;
133            }
134            if ( !$scope->hasVariableWithName( $param->children['name'] ) ) {
135                // Well uh-oh.
136                $this->debug( __METHOD__, "Missing variable for param \$" . $param->children['name'] );
137                continue;
138            }
139            $varObj = $scope->getVariableByName( $param->children['name'] );
140            $argTaint = Taintedness::newTainted();
141            self::setTaintednessRaw( $varObj, $argTaint );
142            $this->addTaintError( $varObj, $argTaint, null, 'tainted argument to parser hook' );
143        }
144    }
145
146    /**
147     * @param Node $node
148     */
149    public function visitAssign( Node $node ): void {
150        parent::visitAssign( $node );
151
152        $lhs = $node->children['var'];
153        if ( $lhs instanceof Node && $lhs->kind === \ast\AST_ARRAY ) {
154            // Don't try interpreting the node as an HTMLForm specifier later on, both for performance, and because
155            // resolving values might cause phan to emit issues (see test undeclaredvar3)
156            // @phan-suppress-next-line PhanUndeclaredProperty
157            $lhs->skipHTMLFormAnalysis = true;
158        }
159    }
160}