def test_vuln_func_get_sources_1(self): code = ''' <? $eggs = $_GET['bar']; $foo = func($eggs); $a = 'ls ' . $foo; exec($a); ?> ''' analyzer = PhpSCA(code) execfunc = analyzer.get_func_calls(vuln=True)[0] self.assertTrue( len(execfunc.vulnsources) == 1 and 'bar' in execfunc.vulnsources)
def test_vuln_functions_3(self): code = ''' <?php $var1 = escapeshellarg($_GET['param']); system($var1); system(escapeshellarg($_GET['param'])); system(myfunc(escapeshellarg($_GET['param']))); ?> ''' analyzer = PhpSCA(code) syscall1, syscall2, syscall3 = analyzer.get_func_calls() # Both must be SAFE! self.assertEquals(0, len(syscall1.vulntypes)) self.assertEquals(0, len(syscall2.vulntypes)) self.assertEquals(0, len(syscall3.vulntypes))
def test_vuln_functions_2(self): code = ''' <? $foo = $_GET['bar']; system('ls ' . $foo); echo file_get_contents($foo); ?> ''' analyzer = PhpSCA(code) syscall, echocall = analyzer.get_func_calls() self.assertTrue('OS_COMMANDING' in syscall.vulntypes) self.assertTrue('XSS' in echocall.vulntypes) # # FIXME: Not sure why this is failing... not important at the moment # raise SkipTest('FIXME') self.assertTrue('FILE_DISCLOSURE' in echocall.vulntypes)
def test_vuln_functions_4(self): code = ''' <? $foo = $_GET['foo']; if ( $spam == $eggs ){ $foo = 'ls'; system($foo); } else{ echo $foo; system($foo); } ?> ''' analyzer = PhpSCA(code) sys1, echo, sys2 = analyzer.get_func_calls() self.assertEquals([], sys1.vulntypes) self.assertTrue('XSS' in echo.vulntypes) self.assertTrue('OS_COMMANDING' in sys2.vulntypes)
def test_vuln_functions_1(self): code = ''' <?php $var = $_GET['bleh']; if ($x){ $var = 2; // not vuln! system($var); } // vuln for OS COMMANDING! system($var); ?> ''' analyzer = PhpSCA(code) sys1, sys2 = analyzer.get_func_calls() # First system call self.assertEquals(0, len(sys1.vulntypes)) # Second system call self.assertTrue('OS_COMMANDING' in sys2.vulntypes)
def test_vuln_func_get_sources_3(self): code = '''<? system($_GET['foo']); ?>''' analyzer = PhpSCA(code) execfunc = analyzer.get_func_calls(vuln=True)[0] self.assertTrue( len(execfunc.vulnsources) == 1 and 'foo' in execfunc.vulnsources)
def test_vuln_func_get_sources_2(self): code = '''<? echo file_get_contents($_REQUEST['file']); ?>''' analyzer = PhpSCA(code) execfunc = analyzer.get_func_calls(vuln=True)[0] self.assertTrue( len(execfunc.vulnsources) == 1 and 'file' in execfunc.vulnsources)