added vulnerability reporter to NodeAnalyser

lowjoel · Nov 18, 2014 · ce064f6 · ce064f6
1 parent da7ae7f
commit ce064f6
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 1 deletion.
diff --git a/lib/Phortress/Dephenses/Taint/CodeAnalyser.php b/lib/Phortress/Dephenses/Taint/CodeAnalyser.php
@@ -2,6 +2,7 @@
 
 namespace Phortress\Dephenses\Taint;
 use Phortress\Dephenses\Engine\SQLVulnerabilityFinder;
+use Phortress\Dephenses\Engine\VulnerabilityReporter;
 
 /**
  * Description of CodeAnalyser
@@ -18,8 +19,9 @@ function __construct($tree) {
     }
 
     public function analyse(){
+	    $vulnerabilityReporter = new VulnerabilityReporter();
 	    $currentTaintEnv = new TaintEnvironment();
-	    $nodeAnalyser = new NodeAnalyser();
+	    $nodeAnalyser = new NodeAnalyser($vulnerabilityReporter);
         foreach($this->parseTree as $statement){
 	        $nodeTaintEnv = $nodeAnalyser->analyse($statement, $currentTaintEnv);
 	        $currentTaintEnv->updateTaintEnvironment($nodeTaintEnv);

diff --git a/lib/Phortress/Dephenses/Taint/NodeAnalyser.php b/lib/Phortress/Dephenses/Taint/NodeAnalyser.php
@@ -19,6 +19,13 @@
  * @param \PhpParser\Node $node
  */
 class NodeAnalyser {
+	protected $vulnerabilityReporter;
+	public function __construct($reporter = null){
+		if(!empty($reporter)){
+			$this->vulnerabilityReporter = $reporter;
+		}
+	}
+
 	public function analyse(Node $node, TaintEnvironment $taintEnv){
 		$taintEnv = $taintEnv->copy();
 		if($node instanceof Stmt){
@@ -265,6 +272,9 @@ protected function resolveFuncResultTaint(Expr\FuncCall $exp){
 		if(SanitisingFunctions::isGeneralSanitisingFunction($func_name_str)||
 			SanitisingFunctions::isSanitisingReverseFunction($func_name_str)){
 			return $this->resolveSanitisationFuncCall($exp);
+		}else if(Sinks::isSinkFunction($exp) && !empty($this->vulnerabilityReporter)){
+			$args_with_taints = $this->getArgumentsTaintValuesForAnalysis($exp->args);
+			$this->vulnerabilityReporter->runVulnerabilityChecks($exp, $args_with_taints);
 		}else{
 			$func_analyser = FunctionAnalyser::getFunctionAnalyser($exp->environment, $func_name);
 			$args_with_taints = $this->getArgumentsTaintValuesForAnalysis($exp->args);

diff --git a/lib/Phortress/Dephenses/Taint/Sinks.php b/lib/Phortress/Dephenses/Taint/Sinks.php
@@ -368,4 +368,19 @@ public static function isSQLInjectionSinkFunction(Expr\FuncCall $func){
 		$funcName = $func->name->getLast();
 		return array_key_exists($funcName, self::$DATABASE_SINKS);
 	}
+
+	public static function isXSSSinkFunction(Expr\FuncCall $func){
+		$funcName = $func->name->getLast();
+		return array_key_exists($funcName, self::$XSS_SINKS);
+	}
+
+	public static function isCodeInjectionSinkFunction(Expr\FuncCall $func){
+		$funcName = $func->name->getLast();
+		return array_key_exists($funcName, self::$CODE_EXE_SINKS);
+	}
+
+	public static function isSinkFunction(Expr\FuncCall $func){
+		return self::isCodeInjectionSinkFunction($func) || self::isSQLInjectionSinkFunction
+		($func) || self::isXSSSinkFunction($func);
+	}
 }