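def test_vuln_functions_2(self):
    """Two different sinks fed by the same $_GET-tainted variable.

    ``system()`` receiving the tainted string (via concatenation) must be
    reported as OS command injection, and ``echo file_get_contents()`` on
    the same variable as file disclosure.  The two calls are unpacked in
    source order: the system() call first, the echo second.
    """
    code = '''
    <?
        $foo = $_GET['bar'];
        system('ls ' . $foo);
        echo file_get_contents($foo);
    ?>
    '''
    analyzer = PhpSCA(code)
    syscall, echocall = analyzer.get_func_calls()
    # assertIn gives the actual vulntypes in the failure message.
    self.assertIn('OS_COMMANDING', syscall.vulntypes)
    self.assertIn('FILE_DISCLOSURE', echocall.vulntypes)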
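def test_include_require_2(self):
    """Taint tracking must follow include/require across files.

    The analyzer is started on fixture ``2/a.php``.  The vulnerable
    ``echo`` (second reported call) must carry ``2/b.php`` as its file
    name, while the last element of the XSS vulnerability trace must point
    back to ``2/a.php`` line 2 -- presumably the include site that pulled
    the tainted code in (confirm against the fixture files).

    NOTE(review): the expected file names are *relative* paths, so this
    test assumes it runs from the repository root with ``self.TEST_DIR``
    equal to that same relative prefix -- TODO confirm in setUp.
    """
    def fixture(name):
        # Same string the old os.sep concatenation produced, built
        # with os.path.join so the platform separator is handled once.
        return os.path.join('core', 'tests', 'test_include_require', '2',
                            name)

    analyzer = PhpSCA(infile=os.path.join(self.TEST_DIR, '2', 'a.php'))
    echo = analyzer.get_func_calls()[1]
    self.assertIn('XSS', echo.vulntypes)
    self.assertEqual(fixture('b.php'), echo.get_file_name())

    vulns = analyzer.get_vulns()
    # The trace's last hop is where the tainted include originates.
    origin = vulns['XSS'][0][-1]
    self.assertEqual(fixture('a.php'), origin.get_file_name())
    self.assertEqual(2, origin.lineno)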
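def test_vuln_func_get_sources_1(self):
    """The reported taint source is the original $_GET key.

    Taint flows ``$_GET['bar'] -> $eggs -> func($eggs) -> $foo ->
    'ls ' . $foo -> $a -> exec($a)``.  The single vulnerable call must
    name exactly one source, ``'bar'``, even though the value passed
    through an unknown function call and a string concatenation.
    """
    code = '''
    <?
        $eggs = $_GET['bar'];
        $foo = func($eggs);
        $a = 'ls ' . $foo;
        exec($a);
    ?>
    '''
    analyzer = PhpSCA(code)
    execfunc = analyzer.get_func_calls(vuln=True)[0]
    # Two separate assertions: a failure reports the offending sources
    # instead of a bare "False is not true".
    self.assertEqual(1, len(execfunc.vulnsources))
    self.assertIn('bar', execfunc.vulnsources)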
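def test_vuln_functions_3(self):
    """escapeshellarg() is recognised as a sanitizer for the system() sink.

    Three system() calls whose argument went through escapeshellarg():
    via an intermediate variable, inline, and inline but wrapped in an
    unknown user function.  All three must be reported clean.

    NOTE(review): the third case pins the analyzer's convention that an
    unknown wrapper preserves sanitization.  That is optimistic -- a
    wrapper could undo the escaping (e.g. by decoding its argument) --
    so keep this assertion only while that convention is intended.
    """
    code = '''
    <?php
        $var1 = escapeshellarg($_GET['param']);
        system($var1);
        system(escapeshellarg($_GET['param']));
        system(myfunc(escapeshellarg($_GET['param'])));
    ?>
    '''
    analyzer = PhpSCA(code)
    # Only the first escapeshellarg() shows up as its own call; the inline
    # ones are nested inside the system() calls.
    escapecall, syscall1, syscall2, syscall3 = analyzer.get_func_calls()
    # All three must be SAFE.
    for syscall in (syscall1, syscall2, syscall3):
        self.assertEqual(0, len(syscall.vulntypes))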
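def test_function_scope_2(self):
    """Taint is tracked per scope, not per variable name.

    The global ``$var`` holds a constant, so the top-level echo is clean.
    Inside ``foo()``, ``$var`` is a parameter that receives ``$_GET[1]``
    at the call site, so the echo in the function body must be flagged as
    XSS.  Reported calls are the two echos, the outer one first.
    """
    code = '''
    <?
        $var = 1;
        echo $var;

        function foo($var, $var2) {
            echo $var;
        }

        foo($_GET[1], 4);
    ?>
    '''
    analyzer = PhpSCA(code)
    echo_outside_func, echo_in_func = analyzer.get_func_calls()
    self.assertNotIn('XSS', echo_outside_func.vulntypes)
    self.assertIn('XSS', echo_in_func.vulntypes)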
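def test_vuln_functions_1(self):
    """Reassignment inside a branch only cleans that branch.

    ``$var`` starts tainted from ``$_GET``.  Inside the ``if`` it is
    overwritten with a constant before system() runs, so that call must
    be clean.  The system() after the ``if`` must still be reported: the
    branch may not execute, so the tainted value can reach it.

    The PHP ``//`` comments below rely on real line breaks -- keep the
    snippet multi-line or the comment swallows the following statements.
    """
    code = '''
    <?php
        $var = $_GET['bleh'];
        if ($x){
            $var = 2;
            // not vuln!
            system($var);
        }
        // vuln for OS COMMANDING!
        system($var);
    ?>
    '''
    analyzer = PhpSCA(code)
    sys1, sys2 = analyzer.get_func_calls()
    # First system call: constant overwrote the taint on this path.
    self.assertEqual(0, len(sys1.vulntypes))
    # Second system call: reachable with the tainted value.
    self.assertIn('OS_COMMANDING', sys2.vulntypes)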
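def test_vuln_functions_4(self):
    """if/else: the sanitising branch is clean, the other stays tainted.

    ``$foo`` is tainted from ``$_GET``.  The ``if`` branch overwrites it
    with a constant before system(), so that call is clean.  The ``else``
    branch uses the tainted value twice: the echo must be flagged as XSS
    and the system() as OS command injection.  Calls are unpacked in
    source order: system (if), echo (else), system (else).
    """
    code = '''
    <?
        $foo = $_GET['foo'];
        if ( $spam == $eggs ){
            $foo = 'ls';
            system($foo);
        }
        else{
            echo $foo;
            system($foo);
        }
    ?>
    '''
    analyzer = PhpSCA(code)
    sys1, echo, sys2 = analyzer.get_func_calls()
    self.assertEqual([], sys1.vulntypes)
    self.assertIn('XSS', echo.vulntypes)
    self.assertIn('OS_COMMANDING', sys2.vulntypes)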
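def test_vuln_func_get_sources_3(self):
    """A superglobal passed straight to the sink is reported as its key.

    ``system($_GET['foo'])`` has no intermediate variable; the single
    vulnerable call must still list exactly one source, ``'foo'``.
    """
    code = '''<? system($_GET['foo']); ?>'''
    analyzer = PhpSCA(code)
    execfunc = analyzer.get_func_calls(vuln=True)[0]
    # Split assertions so a failure shows the actual source list.
    self.assertEqual(1, len(execfunc.vulnsources))
    self.assertIn('foo', execfunc.vulnsources)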
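def test_vuln_func_get_sources_2(self):
    """$_REQUEST is a taint source, and its key is the reported source.

    ``echo file_get_contents($_REQUEST['file'])`` nests the superglobal
    inside two calls; the vulnerable call must list exactly one source,
    ``'file'``.  ($_REQUEST merges GET, POST and cookie input, so it is
    attacker-controlled just like $_GET.)
    """
    code = '''<? echo file_get_contents($_REQUEST['file']); ?>'''
    analyzer = PhpSCA(code)
    execfunc = analyzer.get_func_calls(vuln=True)[0]
    # Split assertions so a failure shows the actual source list.
    self.assertEqual(1, len(execfunc.vulnsources))
    self.assertIn('file', execfunc.vulnsources)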