Taint-check in your browser
(Uses
Phan
3.2.3,
taint-check
3.1.0, and PHP 7.4.10. Best viewed in Firefox/Chrome)
This is a fork of
Phan demo
, available under the MIT license. View source
on Github
.
Loading...
Loading...
use Phan\Config; use Phan\Issue; use Phan\IssueInstance; use Phan\Output\HTML; use Phan\Output\IssuePrinterInterface; use Symfony\Component\Console\Output\OutputInterface; use Phan\CLI; use Phan\Phan; error_reporting(E_ALL); ini_set('display_errors', 'stderr'); putenv('NO_COLOR=1'); try { $phar_path = 'phan-3.2.3.phar'; if (!file_exists($phar_path)) { fwrite(STDERR, "Could not load '$phar_path' - this may not have been included when generating this site with emscripten\n"); exit(1); } $phar = "phar://$phar_path"; gc_disable(); $data = require($phar . '/src/Phan/Language/Internal/ClassDocumentationMap.php'); require_once($phar . '/src/requirements.php'); $code_base = require_once($phar . '/src/codebase.php'); require_once($phar . '/src/Phan/Bootstrap.php'); $taintCheckPath = 'phan-taint-check-plugin-3.1.0'; // Bootstrap taint-check, since we can't really use composer autoloader. Note, order matters // TODO This is not pretty. require "$taintCheckPath/src/SecurityCheckPlugin.php"; require "$taintCheckPath/src/TaintednessBaseVisitor.php"; require "$taintCheckPath/src/TaintednessVisitor.php"; require "$taintCheckPath/src/TaintednessLoopVisitor.php"; require "$taintCheckPath/src/PreTaintednessVisitor.php"; require "$taintCheckPath/src/MWVisitor.php"; require "$taintCheckPath/src/MWPreVisitor.php"; require "$taintCheckPath/src/MediaWikiHooksHelper.php"; require "$taintCheckPath/src/Taintedness.php"; require "$taintCheckPath/src/FunctionTaintedness.php"; file_put_contents('input', $CONTENTS_TO_ANALYZE); Config::setValue('file_list', ['input']); // These plugins are what you'd see with --init-level=2 Config::setValue('plugins', [ "./$taintCheckPath/GenericSecurityCheckPlugin.php" ]); // This is stricter, though. Config::setValue('plugin_config', [ 'infer_pure_methods' => true, ]); // This is the list used by base-config.php in taint-check Config::setValue( 'whitelist_issue_types', [ 'SecurityCheckMulti', 'SecurityCheck-XSS', 'SecurityCheck-SQLInjection', 'SecurityCheck-ShellInjection', 'SecurityCheck-DoubleEscaped', 'SecurityCheck-CUSTOM1', 'SecurityCheck-CUSTOM2', 'SecurityCheck-OTHER', 'SecurityCheck-LikelyFalsePositive', 'PhanSyntaxError', 'SecurityCheckDebugTaintedness', ] ); $cli = CLI::fromRawValues([ 'output-mode' => 'html', 'allow-polyfill-parser' => false, 'use-fallback-parser' => false, 'redundant-condition-detection' => false, 'dead-code-detection' => false, 'no-progress-bar' => false, ], []); // Analyze the file list provided via the CLI $is_issue_found = Phan::analyzeFileList( $code_base, function (bool $recompute_file_list = false) use ($cli) : array { return $cli->getFileList(); } ); } catch (\Throwable $e) { echo "Caught $e\n"; }
function demo_error_handler(int $errno, string $errstr, string $errfile, int $errline) : bool { fwrite(STDERR, "$errfile:$errline [$errno] $errstr\n"); ob_start(); debug_print_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS); fwrite(STDERR, ob_get_clean()); return false; } try { error_reporting(E_ALL); ini_set("display_errors", "stderr"); set_error_handler('demo_error_handler'); eval($CONTENTS_TO_ANALYZE); } catch (Throwable $e) { fwrite(STDERR, "Caught " . $e); }
function printUnsafe( $thing ) { echo $thing; } function printSafe( $thing ) { echo htmlspecialchars( $thing ); } $values = [ 'escaped' => htmlspecialchars( $_GET['y'] ), 'unsafe' => $_GET['x'] ]; printUnsafe( $values['unsafe'] ); // Uh-oh printSafe( $values['escaped'] ); // This is also wrong $userID = $_GET['user_id']; $userName = $_GET['user_name']; querySafe( $userID ); queryUnsafe( $userName ); // Say bye to your database. function querySafe( int $id ) { queryDatabase( "SELECT * FROM users WHERE user_id = $id" ); } function queryUnsafe( string $name ) { queryDatabase( "SELECT * FROM users WHERE user_name = $name" ); } /** * @param-taint $query exec_sql */ function queryDatabase( string $query ) { // The annotation tells taint-check what this function does }