Taint-check in your browser
(Uses the master version of
taint-check
and PHP 8.2.5. Best viewed in Firefox/Chrome)
This is a fork of
Phan demo
, available under the MIT license. View source
on GitHub
.
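use Phan\CLI;
use Phan\Config;
use Phan\Issue;
use Phan\IssueInstance;
use Phan\Output\HTML;
use Phan\Output\IssuePrinterInterface;
use Phan\Phan;
use Symfony\Component\Console\Output\OutputInterface;

// Runs the taint-check plugin over the submitted snippet and emits Phan's HTML report.
//
// $CONTENTS_TO_ANALYZE is provided by the page that embeds this script. The snippet is
// untrusted input, but in this script it is only written to a scratch file and parsed
// by Phan; it is never executed here. Every diagnostic goes to STDERR so that it cannot
// be mixed into the HTML report on STDOUT.
error_reporting(E_ALL);
ini_set('display_errors', 'stderr');
putenv('NO_COLOR=1');

try {
    $phar_path = 'taint-check.phar';
    if (!file_exists($phar_path)) {
        fwrite(STDERR, "Could not load '$phar_path' - this may not have been included when generating this site with emscripten\n");
        exit(1);
    }
    $phar = "phar://$phar_path";
    $phan_path = $phar . '/vendor/phan/phan';

    // Phan keeps a large object graph alive for the whole run; the cycle collector only adds time.
    gc_disable();

    // Loaded for its side effects; the returned documentation map is not used by this script.
    require($phan_path . '/src/Phan/Language/Internal/ClassDocumentationMap.php');
    require_once($phan_path . '/src/requirements.php');
    // codebase.php returns the CodeBase instance that analyzeFileList() needs below.
    $code_base = require_once($phan_path . '/src/codebase.php');
    require_once($phan_path . '/src/Phan/Bootstrap.php');

    // Phan reads its input from the file list, so the snippet must be on disk before analysis.
    // A silently failed write would otherwise make Phan analyze a missing or stale file.
    if (file_put_contents('input', $CONTENTS_TO_ANALYZE) === false) {
        fwrite(STDERR, "Could not write the snippet to 'input'\n");
        exit(1);
    }
    Config::setValue('file_list', ['input']);
    Config::setValue('plugins', [
        "$phar/GenericSecurityCheckPlugin.php",
    ]);
    $taintCheckConfig = require_once "$phar/scripts/base-config.php";
    // This is the list used by base-config.php in taint-check
    Config::setValue(
        'whitelist_issue_types',
        $taintCheckConfig['whitelist_issue_types']
    );

    $cli = CLI::fromRawValues([
        'output-mode' => 'html',
        'allow-polyfill-parser' => false,
        'use-fallback-parser' => false,
        'redundant-condition-detection' => false,
        'dead-code-detection' => false,
        'no-progress-bar' => false,
    ], []);

    // Analyze the file list provided via the CLI
    $is_issue_found = Phan::analyzeFileList(
        $code_base,
        static function (bool $recompute_file_list = false) use ($cli) : array {
            return $cli->getFileList();
        }
    );
} catch (\Throwable $e) {
    // Same channel as the other failure paths above, so the report on STDOUT stays clean.
    fwrite(STDERR, "Caught $e\n");
}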
/**
 * Error handler for the demo runner: writes the PHP error and the backtrace that
 * raised it to STDERR, then hands the error back to PHP's default handler.
 *
 * @param int    $errno   error level (an E_* constant)
 * @param string $errstr  error message
 * @param string $errfile file in which the error was raised
 * @param int    $errline line on which the error was raised
 * @return bool always false, so the default handler still runs afterwards
 */
function demo_error_handler(int $errno, string $errstr, string $errfile, int $errline) : bool
{
    fwrite(STDERR, sprintf("%s:%d [%d] %s\n", $errfile, $errline, $errno, $errstr));
    // debug_print_backtrace() prints to STDOUT; buffer it so the trace also lands on STDERR.
    ob_start();
    debug_print_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
    $trace = ob_get_clean();
    fwrite(STDERR, $trace);
    return false;
}

// Executes the submitted snippet so its runtime behaviour can be shown alongside the
// taint-check report. $CONTENTS_TO_ANALYZE is supplied by the embedding page.
// eval() runs that snippet with the full privileges of this PHP process; the page runs
// this inside the in-browser (emscripten) PHP build, which is what makes executing the
// untrusted snippet acceptable here rather than in a server-side process.
try {
    error_reporting(E_ALL);
    ini_set("display_errors", "stderr");
    set_error_handler(demo_error_handler(...));
    eval($CONTENTS_TO_ANALYZE);
} catch (Throwable $e) {
    fwrite(STDERR, "Caught {$e}");
}
// Demo input for taint-check. Each call below is a deliberately minimal example of
// request data flowing towards an output or SQL sink, so the report shows what the
// analyzer does and does not flag.

// Writes its argument straight into the response: an HTML output sink with no escaping.
function printUnsafe( $thing ) { echo $thing; }
// HTML-escapes before writing, so HTML-tainted input is neutralised at this sink.
function printSafe( $thing ) { echo htmlspecialchars( $thing ); }

// Both values originate in the query string; only 'escaped' is HTML-encoded here.
$values = [
    'escaped' => htmlspecialchars( $_GET['y'] ?? '' ),
    'unsafe' => $_GET['x'] ?? ''
];
printUnsafe( $values['unsafe'] ); // Uh-oh: raw request data reaches echo unescaped (cross-site scripting)
printSafe( $values['escaped'] ); // This is also wrong: the value is escaped twice, so '&' is emitted as '&amp;amp;'

$userID = $_GET['user_id'] ?? 0;
$userName = $_GET['user_name'] ?? '';
querySafe( $userID );
queryUnsafe( $userName ); // Say bye to your database.

// The int type declaration means only an integer can be interpolated into the query,
// so no SQL-tainted string can reach the sink through this function.
function querySafe( int $id ) {
    queryDatabase( "SELECT * FROM users WHERE user_id = $id" );
}
// A request-controlled string is interpolated into the SQL text unchanged: SQL injection.
// The mitigation (a parameterised query) is deliberately left out so the report shows it.
function queryUnsafe( string $name ) {
    queryDatabase( "SELECT * FROM users WHERE user_name = $name" );
}
/**
 * Stand-in for a database call; the demo has no real database behind it.
 *
 * The taint annotation below declares $query as an SQL execution sink, which is
 * what makes the two callers above analyzable.
 *
 * @param-taint $query exec_sql
 */
function queryDatabase( string $query ) {
    // The annotation tells taint-check what this function does
}