From f5764932ec2194b259c88895723f40dc03b273e3 Mon Sep 17 00:00:00 2001
From: Naomi Leow
Date: Wed, 19 Nov 2014 01:10:50 +0800
Subject: [PATCH] linked up vulnerability reporter

---
lib/Phortress/Dephenses/Dephense.php | 1 -
.../Engine/VulnerabilityReporter.php | 1 +
lib/Phortress/Dephenses/Taint.php | 5 -----
.../Dephenses/Taint/CodeAnalyser.php | 5 +----
.../Dephenses/Taint/FunctionAnalyser.php | 11 +++++++++-
.../Dephenses/Taint/FunctionNodeAnalyser.php | 22 ++++++++++++-------
.../Dephenses/Taint/NodeAnalyser.php | 2 +-
lib/Phortress/Program.php | 2 +-
8 files changed, 28 insertions(+), 21 deletions(-)

diff --git a/lib/Phortress/Dephenses/Dephense.php b/lib/Phortress/Dephenses/Dephense.php
index 0acf932..ad51fa0 100644
--- a/lib/Phortress/Dephenses/Dephense.php
+++ b/lib/Phortress/Dephenses/Dephense.php
@@ -64,5 +64,4 @@ private static function isDephense($className) {
 */
 public abstract function run(array $parseTree);
- public abstract function runChecks(array $parseTree);
 }
diff --git a/lib/Phortress/Dephenses/Engine/VulnerabilityReporter.php b/lib/Phortress/Dephenses/Engine/VulnerabilityReporter.php
index 1b3ac0d..686caa8 100644
--- a/lib/Phortress/Dephenses/Engine/VulnerabilityReporter.php
+++ b/lib/Phortress/Dephenses/Engine/VulnerabilityReporter.php
@@ -32,5 +32,6 @@ public function getVulnerabilityReport(){
 foreach($this->vulnerabilityCheckers as $checker){
 $report = array_merge($report, $checker->getMessages());
 }
+ return $report;
 }
 }
\ No newline at end of file
diff --git a/lib/Phortress/Dephenses/Taint.php b/lib/Phortress/Dephenses/Taint.php
index 26e1b03..b33bbcf 100644
--- a/lib/Phortress/Dephenses/Taint.php
+++ b/lib/Phortress/Dephenses/Taint.php
@@ -7,9 +7,4 @@ public function run(array $parseTree) {
 return $analyser->analyse();
 }
-
- public function runChecks(array $parseTree){
- $analyser = new Taint\CodeAnalyser($parseTree);
- return $analyser->runVulnerabilityChecks();
- }
 }
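Review bot: The added `return $report;` fixes the missing return, but `$report` is assembled with `array_merge`, so it comes back as a list keyed 0..n-1, and Program::verify (last hunk of this patch) accumulates dephense results with `$errors += ...`, where array union keeps only the first value for each colliding key. With a single dephense that is harmless; with two, every message of the second whose index overlaps the first is silently dropped, which for a vulnerability report means lost findings. Either key messages by something unique here or have the caller merge with `$errors = array_merge($errors, $dephense->run($this->parseTree));`. `$report` is initialised above this hunk, outside the visible lines.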
diff --git a/lib/Phortress/Dephenses/Taint/CodeAnalyser.php b/lib/Phortress/Dephenses/Taint/CodeAnalyser.php
index e053cda..84e697c 100644
--- a/lib/Phortress/Dephenses/Taint/CodeAnalyser.php
+++ b/lib/Phortress/Dephenses/Taint/CodeAnalyser.php
@@ -26,10 +26,7 @@ public function analyse(){
 $nodeTaintEnv = $nodeAnalyser->analyse($statement, $currentTaintEnv);
 $currentTaintEnv->updateTaintEnvironment($nodeTaintEnv);
 }
+ return $vulnerabilityReporter->getVulnerabilityReport();
 }
- public function runVulnerabilityChecks(){
-// $sql_vul_finder = new SQLVulnerabilityFinder($this->parseTree);
-// return $sql_vul_finder->findVulnerabilities();
- }
 }
diff --git a/lib/Phortress/Dephenses/Taint/FunctionAnalyser.php b/lib/Phortress/Dephenses/Taint/FunctionAnalyser.php
index f7d2a91..f13cd5e 100644
--- a/lib/Phortress/Dephenses/Taint/FunctionAnalyser.php
+++ b/lib/Phortress/Dephenses/Taint/FunctionAnalyser.php
@@ -34,6 +34,7 @@ class FunctionAnalyser{
 */
 protected $functionStmts;
+ protected $sinkFunctionCalls = array();
 /**
 * Environment where the function was defined
@@ -72,6 +73,7 @@ private function analyseFunction(){
 $currentTaintEnv->updateTaintEnvironment($nodeTaintEnv);
 }
 $this->returnStmtTaintResults = $funcNodeAnalyser->getReturnTaintResult();
+ $this->sinkFunctionCalls = $funcNodeAnalyser->getSinkFunctionCalls();
 }
 /**
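Review bot: `$vulnerabilityReporter` appears only on the added return line within this hunk, so its construction must sit earlier in analyse(), outside the visible lines; if it is actually a property, this line needs `$this->vulnerabilityReporter` or it will read an undefined local and fail at runtime. Since analyse() now has a return value that Taint::run hands straight to Program::verify, the method's docblock (also outside the hunk) should state it, e.g. `@return array messages collected by the vulnerability reporter's checkers`. analyse() begins before this hunk.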
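Review bot: The new `protected $sinkFunctionCalls = array();` in FunctionAnalyser is placed between two documented properties but carries no docblock, while its counterpart in FunctionNodeAnalyser documents the array shape. Mirror that here so readers of analyseFunction() know what the copy holds, e.g. `/** array(int lineNumber => FuncCall functionCall), taken from FunctionNodeAnalyser::getSinkFunctionCalls() in analyseFunction() */`.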
@@ -79,16 +81,23 @@ private function analyseFunction(){
 * Returns an array containing taint value of the value returned by the function,
 * and the array of sanitising functions applied
 */
- public function analyseFunctionCall($argMappings){
+ public function analyseFunctionCall($argMappings, $reporter = null){
 $paramTaintMappings = $this->getParametersToTaintResultMappings($argMappings);
 $result = new TaintResult(Annotation::UNASSIGNED);
 foreach($this->returnStmts as $retStmt){
 $retStmtResult = $this->analyseArgumentsEffectOnReturnStmt($paramTaintMappings, $retStmt);
 $result->merge($retStmtResult);
 }
+ if(!empty($reporter)){
+ $this->checkSinkFunctionCalls($argMappings, $reporter);
+ }
 return $result;
 }
+ private function checkSinkFunctionCalls($argMappings, $reporter){
+
+ }
+
 private function analyseArgumentsEffectOnReturnStmt($argTaints, Stmt\Return_ $return){
 $retTaint = $this->returnStmtTaintResults[$return->getLine()];
 if(empty($retTaint)){
diff --git a/lib/Phortress/Dephenses/Taint/FunctionNodeAnalyser.php b/lib/Phortress/Dephenses/Taint/FunctionNodeAnalyser.php
index dc52793..fba0911 100644
--- a/lib/Phortress/Dephenses/Taint/FunctionNodeAnalyser.php
+++ b/lib/Phortress/Dephenses/Taint/FunctionNodeAnalyser.php
@@ -20,6 +20,11 @@ class FunctionNodeAnalyser extends NodeAnalyser{
 protected $functionParams = array();
 protected $returnResults = array();
+ /**
+ * array(int lineNumber => FuncCall functionCall)
+ */
+ protected $sinkFunctionCalls = array();
+
 public function __construct($params){
 $this->functionParams = $params;
 }
@@ -28,6 +33,10 @@ protected function createTaintResult($taint, $sanitising_funcs = array()){
 return new FunctionTaintResult($taint, $sanitising_funcs);
 }
+ public function getSinkFunctionCalls(){
+ return $this->sinkFunctionCalls;
+ }
+
 private function isFunctionParameter($name){
 foreach($this->functionParams as $param){
 if($param->name === $name){
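Review bot: `checkSinkFunctionCalls` is added with an empty body, so the sink calls gathered into `$this->sinkFunctionCalls` by analyseFunction() are never matched against the tainted entries of `$argMappings` nor handed to `$reporter`; a tainted value reaching a sink through a user-defined function is silently missed, which is exactly the case this wiring is meant to cover. If the implementation is deferred, make the gap visible rather than leaving a stub that reads as a working check: `// TODO: for each recorded sink call, report via $reporter when one of its arguments resolves to a tainted entry of $argMappings`. The guard `if(!empty($reporter))` works, but `if($reporter !== null)` states the intent directly since the parameter defaults to null.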
@@ -53,8 +62,12 @@ protected function resolveVariableTaint(Variable $var){
 }
 protected function resolveFuncResultTaint(FuncCall $exp){
- $result = parent::resolveFuncResultTaint($exp);
 $args = $exp->args;
+ if(Sinks::isSinkFunction($exp)){
+ $this->sinkFunctionCalls[$exp->getLine()] = $exp;
+ return;
+ }
+ $result = parent::resolveFuncResultTaint($exp);
 foreach($args as $arg){
 $argExpName = $arg->value->name;
 $this->addAffectingParameterToAnalysisResult($result, $argExpName);
@@ -111,11 +124,4 @@ private function addReturnTaintResult(Return_ $ret, FunctionTaintResult $result)
 public function getReturnTaintResult(){
 return $this->returnResults;
 }
-// protected function mergeAnalysisResults(array $results){
-// $mergeResult = self::createTaintResult(Annotation::UNASSIGNED);
-// foreach($results as $result){
-// $mergeResult->merge($result);
-// }
-// return $result;
-// }
 }
\ No newline at end of file
diff --git a/lib/Phortress/Dephenses/Taint/NodeAnalyser.php b/lib/Phortress/Dephenses/Taint/NodeAnalyser.php
index 74d48a2..7a8bb9e 100644
--- a/lib/Phortress/Dephenses/Taint/NodeAnalyser.php
+++ b/lib/Phortress/Dephenses/Taint/NodeAnalyser.php
@@ -278,7 +278,7 @@ protected function resolveFuncResultTaint(Expr\FuncCall $exp){
 }else{
 $func_analyser = FunctionAnalyser::getFunctionAnalyser($exp->environment, $func_name);
 $args_with_taints = $this->getArgumentsTaintValuesForAnalysis($exp->args);
- $analysis_res = $func_analyser->analyseFunctionCall($args_with_taints);
+ $analysis_res = $func_analyser->analyseFunctionCall($args_with_taints, $this->vulnerabilityReporter);
 return $analysis_res;
 }
 }
diff --git a/lib/Phortress/Program.php b/lib/Phortress/Program.php
index 07a2d32..dfe40bc 100644
--- a/lib/Phortress/Program.php
+++ b/lib/Phortress/Program.php
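Review bot: The new sink branch in FunctionNodeAnalyser::resolveFuncResultTaint exits with a bare `return;` while the fall-through path and the parent implementation (see the NodeAnalyser hunk, which returns `$analysis_res`) produce a taint result; the caller of this method lies outside the hunk, and if it uses the return value a sink call now yields null where a result object was expected. Return a result on that path too, e.g. `return $this->createTaintResult(Annotation::UNASSIGNED);` if that default is right and `Annotation` is imported in this file — `createTaintResult` is defined in this class. Separately, `$this->sinkFunctionCalls[$exp->getLine()] = $exp;` keys by line number, so two sink calls on one line overwrite each other and one is never reported; `$this->sinkFunctionCalls[] = $exp;` (with the property docblock updated accordingly) avoids the loss. The method's remaining body continues past the hunk.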
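Review bot: `$this->vulnerabilityReporter` is now forwarded on every user-function call, but FunctionNodeAnalyser's constructor (first FunctionNodeAnalyser hunk) only assigns `$functionParams`, so for calls resolved while analysing a function body this property holds whatever default NodeAnalyser gives it — presumably null unless it is set somewhere not shown — and analyseFunctionCall then skips checkSinkFunctionCalls for nested calls. Either pass the reporter into FunctionNodeAnalyser where FunctionAnalyser::analyseFunction constructs it (not in the diff), or document on this line that sink checking is only one call level deep, e.g. `// reporter is null inside FunctionNodeAnalyser, so nested calls are not checked`. NodeAnalyser::resolveFuncResultTaint begins before this hunk.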
@@ -151,7 +151,7 @@ public function verify(array $dephenses = null) {
 $errors = array();
 foreach ($dephenses as $dephense) {
- $errors += $dephense->runChecks($this->parseTree);
+ $errors += $dephense->run($this->parseTree);
 }
 return $errors;