26 changes: 13 additions & 13 deletions PHP/10_return_by_reference/10_return_by_reference.json
100644 → 100755
@@ -1,14 +1,14 @@
{
"name": "Return By Reference",
"description": "[Return by reference](https://www.php.net/manual/en/language.references.return.php) in PHP, when the variable will be referenced to the returned variable from a specific function. Returning by reference is useful when you want to use a function to find to which variable a reference should be bound. If there are more than one return in the function, the variable will be referenced for the first one.",
"family": "code_pattern_php",
"tags": [
"sast",
"php",
"php_v7.4.9"
],
"instances": [
"./1_instance_10_return_by_reference/1_instance_10_return_by_reference.json"
],
"version": "v0.draft"
{
"name": "Return By Reference",
"description": "./docs/description.md",
"family": "code_pattern_php",
"tags": [
"sast",
"php",
"php_v7.4.9"
],
"instances": [
"./1_instance_10_return_by_reference/1_instance_10_return_by_reference.json"
],
"version": "v1.0"
}
63 changes: 30 additions & 33 deletions ...urn_by_reference/1_instance_10_return_by_reference/1_instance_10_return_by_reference.bash
100644 → 100755
@@ -1,33 +1,30 @@

$_main: ; (lines=17, args=0, vars=3, tmps=7)
; (before optimizer)
; /home/user/gitlab/static-tools---latex/paper_code/PHP/Testability_Patterns/19_return_by_reference/19_return_by_reference.php:1-18
L0 (3): NOP
L1 (10): EXT_STMT
L2 (10): ASSIGN CV0($b) string("input")
L3 (11): EXT_STMT
L4 (11): V4 = NEW 0 string("foo")
L5 (11): DO_FCALL
L6 (11): ASSIGN CV1($obj) V4
L7 (13): EXT_STMT
L8 (13): INIT_METHOD_CALL 0 CV1($obj) string("getValue")
L9 (13): V7 = DO_FCALL
L10 (13): ASSIGN_REF (function) CV2($myValue) V7
L11 (14): EXT_STMT
L12 (14): ASSIGN_OBJ CV1($obj) string("value")
L13 (14): OP_DATA CV0($b)
L14 (17): EXT_STMT
L15 (17): ECHO CV2($myValue)
L16 (18): RETURN int(1)
LIVE RANGES:
4: L5 - L6 (new)

foo::getValue: ; (lines=6, args=0, vars=0, tmps=1)
; (before optimizer)
; /home/user/gitlab/static-tools---latex/paper_code/PHP/Testability_Patterns/19_return_by_reference/19_return_by_reference.php:5-7
L0 (5): EXT_NOP
L1 (6): EXT_STMT
L2 (6): V0 = FETCH_OBJ_W (ref) THIS string("value")
L3 (6): RETURN_BY_REF V0
L4 (7): EXT_STMT
L5 (7): RETURN_BY_REF (function) null

$_main:
; (lines=13, args=0, vars=3, tmps=9)
; (before optimizer)
; /.../PHP/10_return_by_reference/1_instance_10_return_by_reference/1_instance_10_return_by_reference.php:1-17
; return [] RANGE[0..0]
0000 T3 = FETCH_R (global) string("_GET")
0001 T4 = FETCH_DIM_R T3 string("p1")
0002 ASSIGN CV0($a) T4
0003 V6 = NEW 0 string("foo")
0004 DO_FCALL
0005 ASSIGN CV1($obj) V6
0006 INIT_METHOD_CALL 0 CV1($obj) string("getValue")
0007 V9 = DO_FCALL
0008 ASSIGN_REF (function) CV2($b) V9
0009 ASSIGN_OBJ CV1($obj) string("value")
0010 OP_DATA CV0($a)
0011 ECHO CV2($b)
0012 RETURN int(1)
LIVE RANGES:
6: 0004 - 0005 (new)

foo::getValue:
; (lines=3, args=0, vars=0, tmps=1)
; (before optimizer)
; /.../PHP/10_return_by_reference/1_instance_10_return_by_reference/1_instance_10_return_by_reference.php:5-7
; return [] RANGE[0..0]
0000 V0 = FETCH_OBJ_W (ref) THIS string("value")
0001 RETURN_BY_REF V0
0002 RETURN_BY_REF (function) null
73 changes: 37 additions & 36 deletions ...urn_by_reference/1_instance_10_return_by_reference/1_instance_10_return_by_reference.json
100644 → 100755
@@ -1,37 +1,38 @@
{
"code": {
"path": "./1_instance_10_return_by_reference.php",
"injection_skeleton_broken": false
},
"discovery": {
"rule": "./1_instance_10_return_by_reference.sc",
"method": "joern",
"rule_accuracy": "FP",
"notes": "Question: To be perfect this rule should be combined to search for the assignment of the return by reference function i.e., ASSIGN_REF (function)?"
},
"compile": {
"binary": "./1_instance_10_return_by_reference.bash",
"instruction": null,
"dependencies": null
},
"expectation": {
"type": "xss",
"sink_file": "./1_instance_10_return_by_reference.php",
"sink_line": 16,
"source_file": "./1_instance_10_return_by_reference.php",
"source_line": 10,
"expectation": true
},
"properties": {
"category": "S0",
"feature_vs_internal_api": "FEATURE",
"input_sanitizer": false,
"source_and_sink": false,
"negative_test_case": false
},
"remediation": {
"notes": "",
"transformation": null,
"modeling_rule": null
}
{
"description": "This instance target the usage of return values being passed by reference.",
"code": {
"path": "./1_instance_10_return_by_reference.php",
"injection_skeleton_broken": false
},
"discovery": {
"rule": "./1_instance_10_return_by_reference.sc",
"method": "joern",
"rule_accuracy": "FP",
"notes": "Question: To be perfect this rule should be combined to search for the assignment of the return by reference function i.e., ASSIGN_REF (function)?"
},
"compile": {
"binary": "./1_instance_10_return_by_reference.bash",
"instruction": null,
"dependencies": null
},
"expectation": {
"type": "xss",
"sink_file": "./1_instance_10_return_by_reference.php",
"sink_line": 16,
"source_file": "./1_instance_10_return_by_reference.php",
"source_line": 10,
"expectation": true
},
"properties": {
"category": "S0",
"feature_vs_internal_api": "FEATURE",
"input_sanitizer": false,
"source_and_sink": false,
"negative_test_case": false
},
"remediation": {
"notes": "",
"transformation": null,
"modeling_rule": null
}
}
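Review bot: The newly added `description` value has a grammar slip, `"This instance target the usage of return values being passed by reference."`; it should read `"This instance targets the use of return values passed by reference."`. The pattern-level JSON in this same commit moved its `description` to a file path (`./docs/description.md`) while this instance file keeps inline prose; if both are meant to follow one convention, aligning them here would avoid two description formats in the same pattern. The `rule_accuracy` stays `"FP"` with the open question in `notes`, which is presumably deliberate and is not changed by this commit.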
32 changes: 16 additions & 16 deletions ...turn_by_reference/1_instance_10_return_by_reference/1_instance_10_return_by_reference.php
100644 → 100755
@@ -1,16 +1,16 @@
<?php
class foo {
public $value = 42;

public function &getValue() {
return $this->value;
}
}

$a = $_GET["p1"];
$obj = new foo;
// $b is a reference to $obj->value, which is 42.
$b = &$obj->getValue();
$obj->value = $a;
// prints the new value of $obj->value, which is the source $a (XSS)
echo $b;
<?php
class foo {
public $value = 42;
public function &getValue() {
return $this->value;
}
}
$a = $_GET["p1"]; // source
$obj = new foo;
// $b is a reference to $obj->value, which is 42.
$b = &$obj->getValue();
$obj->value = $a;
// prints the new value of $obj->value, which is the source $a (XSS)
echo $b; // sink
@@ -1,6 +1,6 @@
@main def main(name : String): Unit = {
importCpg(name)
val x10 = (name, "10_return_by_reference_iall", cpg.call(".*RETURN_BY_REF.*").argument.code("function").location.toJson);
println(x10)
delete;
@main def main(name : String): Unit = {
importCpg(name)
val x10 = (name, "10_return_by_reference_iall", cpg.call(".*RETURN_BY_REF.*").argument.code("function").location.toJson);
println(x10)
delete;
}