def check(result):
    """Trace call chains rooted at the magic methods of every parsed class.

    ``result`` is an iterable of ``(type_, info)`` pairs; entries whose type is
    not ``CLASS`` are ignored.  For each class a context is created with
    ``get_class_ctx``, every method reported by ``get_magic_method`` gets an
    empty entry in ``ctx['chains']`` and is handed to ``check_method``, and
    ``build_chains`` is then run once for the class.

    NOTE(review): the chain roots are presumably magic methods because PHP
    invokes them implicitly (e.g. ``__wakeup``/``__destruct`` during
    ``unserialize``), which is what makes them gadget entry points — confirm
    against ``get_magic_method``.
    """
    for type_, info in result:
        if type_ != CLASS:
            continue
        ctx = get_class_ctx(info)
        for node_info in get_magic_method(info):
            method_name = node_info['name']
            logger.debug(method_name)
            # Each root starts with an empty chain; presumably filled in by
            # check_method / build_chains (not visible here).
            ctx['chains'][method_name] = []
            check_method(node_info, ctx=ctx)
        build_chains(context=ctx)
def parser(filename):
    """Parse a single PHP source file and return its exported AST.

    Returns ``{}`` when ``filename`` does not exist.  Otherwise the file is
    read as text, ``phply.phplex`` is reloaded, and the tree produced by
    ``make_parser().parse(...)`` (with position tracking enabled) is passed
    through ``export``.

    NOTE(review): ``open(filename)`` uses the platform default encoding, so a
    non-UTF-8 source file — common in legacy PHP code bases a scanner is
    pointed at — would raise ``UnicodeDecodeError`` and abort the scan rather
    than being skipped; confirm whether callers handle that.
    """
    if not os.path.exists(filename):
        return {}
    with open(filename) as source:
        code = source.read()
    # The lexer module is reloaded before every parse, presumably to discard
    # module-level lexer state left by the previous file.  The lexer being
    # shared module state also means this function is not safe to call
    # concurrently.  ``reload`` must already be in scope (importlib.reload on
    # Python 3) — not visible in this chunk.
    reload(phply.phplex)
    logger.debug('Parse file: %s' % filename)
    tree = make_parser().parse(code, lexer=phply.phplex.lexer, tracking=True)
    return export(tree)
def check_method_call(node_info, ctx=None):
    """Resolve a method-call node against the class context.

    Returns the method name when it is listed in ``ctx['evil_methods']``
    (possibly only after analysis), otherwise ``None``.  A method not yet in
    ``ctx['parsed_methods']`` is recorded there, looked up in
    ``ctx['methods']`` and analysed with ``check_method``; the call is then
    re-evaluated exactly once so that a method newly classified as evil is
    reported.  With no context, or with a non-string name, nothing is
    analysed and ``None`` is returned.

    NOTE(review): skipping non-string names means dynamic dispatch such as
    ``$this->$m()`` (presumably an AST node rather than a str here) is never
    followed — a possible false-negative source for a gadget-chain scanner;
    confirm this is intentional.
    """
    if ctx is None:
        return None
    name = node_info['name']
    if not isinstance(name, str):
        return None
    logger.debug('Method call: %s' % name)
    if name in ctx['evil_methods']:
        return name
    if name in ctx['parsed_methods']:
        # Already analysed and not evil: nothing more to learn on this visit.
        return None
    # First visit: mark as parsed *before* descending, which is what makes the
    # single re-check below terminate.  ``get`` may yield None when the method
    # is not defined on this class; whether check_method tolerates that is
    # not visible here.
    ctx['parsed_methods'].append(name)
    check_method(ctx['methods'].get(name), ctx=ctx)
    return check_method_call(node_info, ctx=ctx)
def check_function_call(node_info, **kwargs):
    """Classify a function-call node.

    Returns the function name when it appears in ``DANGEROUS_FUNCTIONS`` or
    ``USER_DEFINED_DANGEROUS_FUNCTION``, otherwise ``None``.  A call to a
    function not yet in the module-level ``PARSED_FUNCTION`` list is recorded
    there; if ``get_function`` resolves its definition it is analysed with
    ``check_function`` and this call is re-evaluated exactly once (so a
    function promoted to dangerous by that analysis is reported).  When the
    definition cannot be resolved the result is ``None``.  ``kwargs`` is
    accepted and ignored.

    NOTE(review): unlike ``check_method_call`` there is no
    ``isinstance(name, str)`` guard, so a dynamic call (``$f()``) presumably
    reaches the membership tests with a non-string name; confirm that
    ``DANGEROUS_FUNCTIONS`` tolerates that (a set would raise ``TypeError``
    on an unhashable AST node) and that ``get_function`` returns a falsy
    value for it.
    """
    name = node_info['name']
    if name in DANGEROUS_FUNCTIONS or name in USER_DEFINED_DANGEROUS_FUNCTION:
        logger.debug('Dangerous function call detected: %s' % name)
        return name
    if name in PARSED_FUNCTION:
        # Seen before and not dangerous: nothing more to do.
        return None
    # Mark as parsed before descending so the single re-check below terminates.
    PARSED_FUNCTION.append(name)
    func = get_function(name)
    if not func:
        # No definition found in the scanned code (builtin or unknown), so
        # there is nothing to analyse.
        return None
    check_function(func)
    return check_function_call(node_info)