Merge pull request #94 from wufeifei/develop
Improves #84
FeeiCN authored Sep 10, 2016
2 parents b6ec04f + 78cfa3e commit 85b5588
Showing 2 changed files with 10 additions and 3 deletions.
7 changes: 4 additions & 3 deletions engine/parse.py
Expand Up @@ -37,6 +37,7 @@ def __init__(self, rule, file_path, line, code):
self.line = line
self.code = code
self.param_name = None
self.param_value = None

def functions(self):
logging.info('---------------------- [-]. Functions --------------------------------------')
Expand Down Expand Up @@ -189,7 +190,7 @@ def is_controllable_param(self):
logging.info("Check controllable param rule")
controllable_param_rule = [
{
'rule': r'\\s?=\s?(\$\w+(?:\[(?:[^[\]]|(\?R))*\])*)'.format(param_name),
'rule': r'(\{0}\s?=\s?\$\w+(?:\[(?:[^[\]]|\?R)*\])*)'.format(param_name),
'example': '$param_name = $variable',
'test': """
$param_name = $_GET
Expand All @@ -200,18 +201,18 @@ def is_controllable_param(self):
"""
},
{
'rule': r'function\s+\w+\s?\(.*(\{0})'.format(param_name),
'rule': r'(function\s*\w+\s*\(.*\{0})'.format(param_name),
'example': 'function ($param_name)',
'test': """
function ($param_name)
function ($some, $param_name)
"""
}

]
for c_rule in controllable_param_rule:
c_rule_result = re.findall(c_rule['rule'], param_block_code)
if len(c_rule_result) >= 1:
self.param_value = c_rule_result[0]
logging.info("R: True (New rule: controllable param: {0}, {1})".format(param_name, c_rule['example']))
return True
logging.info("R: True")
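Review bot: `param_name` is spliced into both new patterns with `.format()` but never passed through `re.escape()` (the `'rule'` lines `(\{0}\s?=\s?\$\w+...` and `(function\s*\w+\s*\(.*\{0})`), so a name lifted from the scanned file that carries a regex metacharacter such as `(` or `[` either silently changes what the rule matches or makes the `re.findall` in the loop below raise `re.error`. Assuming `param_name` keeps its leading `$` (which the current `\{0}` prefix relies on to produce `\$`), the same escaped text is obtained more safely with `'rule': r'({0}\s?=\s?\$\w+(?:\[(?:[^[\]]|\?R)*\])*)'.format(re.escape(param_name)),` and `'rule': r'(function\s*\w+\s*\(.*{0})'.format(re.escape(param_name)),`. Separately, `\?R` in the first rule matches the two literal characters `?R`: Python's `re` has no PCRE-style `(?R)` recursion, so a nested index such as `$a[$b[0]]` is not covered by this rule, which a short comment above the list should say. is_controllable_param begins before this hunk and continues past it.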
6 changes: 6 additions & 0 deletions engine/static.py
Expand Up @@ -211,6 +211,7 @@ def analyse(self):
if match_result.group(0) is not None and match_result.group(0) is not "":
logging.info("In Annotation")
else:
param_value = None
# parse file function structure
if file_path[-3:] == 'php' and rule.regex_repair.strip() != '':
try:
Expand All @@ -220,6 +221,8 @@ def analyse(self):
logging.info("Static: repaired")
continue
else:
if parse_instance.param_value is not None:
param_value = parse_instance.param_value
found_vul = True
else:
logging.info("Static: uncontrollable param")
Expand All @@ -238,6 +241,9 @@ def analyse(self):
if exist_result is not None:
logging.warning("Exists Result")
else:
code_content = '# 触发位置\r' + code_content
if param_value is not None:
code_content = '# 参数可控\r' + param_value + '\r//\r// ------ 省略部分代码 ------\r//\r' + code_content
logging.debug('File: {0}:{1} {2}'.format(file_path, line_number, code_content))
vul = CobraResults(self.task_id, rule.id, file_path, line_number, code_content)
db.session.add(vul)
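Review bot: On the line `code_content = '# 参数可控\r' + param_value + ...`, `param_value` is a raw fragment of the scanned source (it is what `re.findall` captured in parse.py) and is concatenated into `code_content` with no length bound or escaping before being persisted through `CobraResults` and `db.session.add`, so whatever later renders `code_content` (report template or web view, not visible here) has to treat it as untrusted text and escape it. A comment at that line would make the contract explicit: `# param_value is verbatim text from the scanned file: untrusted, escape wherever code_content is rendered`. The new `param_value = None` reset and the `if parse_instance.param_value is not None:` copy are otherwise consistent; note that the pre-existing context line `match_result.group(0) is not ""` compares by identity and should be `!= ""`. analyse starts and ends outside these hunks.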
