detect possible sql injections #155
Merged
37 commits
d005a0a
detect possible sql injections
staabm 2e9b52b
Update expected.out
staabm 396c40a
cs
staabm 091e3a1
fix expectations
staabm 92ddbf0
more tests
staabm 385bf4e
whitelist some api calls which can be used in sql expressions but are…
staabm 6451bee
tests and fixes
staabm 3d95bb4
Update RexSqlInjectionRule.php
staabm d517f23
cover getArray(), getDbArray()
staabm d87a6e6
support indirect analysis via variable
staabm 72419b7
support encapsed types
staabm d2eb801
added 'in' escaping method
staabm 3cee00e
added another test
staabm cc4e6df
utilize `@psalm-taint-escape sql`
staabm a16ca3f
Revert "utilize `@psalm-taint-escape sql`"
staabm 381fffa
fix
staabm 8312e65
Update RexSqlInjectionRule.php
staabm 33c09fa
better method name
staabm eb86eb6
added hint to the expression in question
staabm 5f80a39
ignore queries from property-fetches
staabm 6706ac9
more precise error in deep-concat cases
staabm d5e4e10
better tip
staabm 7aa26a4
cs
staabm edd4805
Update expected.out
staabm fb905a6
cover more rex_sql apis
staabm 09d6e94
Update RexSqlInjectionRule.php
staabm a02f231
more tests
staabm c17aff8
fix handling of encapsed values
staabm 7f38abe
re-organize tests
staabm ec8f80d
support safe-implode() concat
staabm 411d9b2
cs
staabm a35d609
`escapelikewildcards` requires an additional escape
staabm 0694f86
better tip
staabm e5fb9ae
Update RexSqlInjectionRule.php
staabm a268fc4
fix
staabm abbc211
docs
staabm 48ae696
Update RexSqlInjectionRule.php
staabm File filter
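--- /dev/null
+++ b/DIR-NOT-SHOWN/RexSqlInjectionRule.php
@@ -0,0 +1,252 @@
+<?php
+
+declare(strict_types=1);
+
+namespace redaxo\phpstan;
+
+use PhpParser\Node;
+use PhpParser\Node\Expr\BinaryOp\Concat;
+use PhpParser\Node\Expr\MethodCall;
+use PHPStan\Analyser\Scope;
+use PHPStan\Node\Printer\ExprPrinter;
+use PHPStan\Rules\Rule;
+use PHPStan\Rules\RuleErrorBuilder;
+use PHPStan\Type\BooleanType;
+use PHPStan\Type\FloatType;
+use PHPStan\Type\IntegerType;
+use PHPStan\Type\MixedType;
+use PHPStan\Type\Type;
+use PHPStan\Type\TypeWithClassName;
+use rex;
+use rex_i18n;
+use rex_sql;
+use staabm\PHPStanDba\Ast\ExpressionFinder;
+use staabm\PHPStanDba\PhpDoc\PhpDocUtil;
+use function array_key_exists;
+use function count;
+use function in_array;
+
+/**
+ * @implements Rule<MethodCall>
+ *
+ * @see https://psalm.dev/docs/security_analysis/
+ */
+final class RexSqlInjectionRule implements Rule
+{
+    /**
+     * @var ExprPrinter
+     */
+    private $exprPrinter;
+
+    /**
+     * @var array<string, int>
+     */
+    private $taintSinks = [
+        'select' => 0,
+        'setrawvalue' => 1,
+        'setwhere' => 0,
+        'preparequery' => 0,
+        'setquery' => 0,
+        'getarray' => 0,
+        'setdbquery' => 0,
+        'getdbarray' => 0,
+    ];
+
+    public function __construct(
+        ExprPrinter $exprPrinter
+    ) {
+        $this->exprPrinter = $exprPrinter;
+    }
+
+    public function getNodeType(): string
+    {
+        return MethodCall::class;
+    }
+
+    public function processNode(Node $methodCall, Scope $scope): array
+    {
+        $args = $methodCall->getArgs();
+        if (count($args) < 1) {
+            return [];
+        }
+
+        if (!$methodCall->name instanceof Node\Identifier) {
+            return [];
+        }
+
+        if (!array_key_exists($methodCall->name->toLowerString(), $this->taintSinks)) {
+            return [];
+        }
+
+        $callerType = $scope->getType($methodCall->var);
+        if (!$callerType instanceof TypeWithClassName) {
+            return [];
+        }
+
+        if (rex_sql::class !== $callerType->getClassname()) {
+            return [];
+        }
+
+        $argNo = $this->taintSinks[$methodCall->name->toLowerString()];
+        $sqlExpression = $args[$argNo]->value;
+
+        // we can't infer query strings from properties
+        if ($sqlExpression instanceof Node\Expr\PropertyFetch) {
+            return [];
+        }
+
+        if ($sqlExpression instanceof Node\Expr\Variable) {
+            $finder = new ExpressionFinder();
+            $queryStringExpression = $finder->findQueryStringExpression($sqlExpression);
+            if (null !== $queryStringExpression) {
+                $sqlExpression = $queryStringExpression;
+            }
+        }
+
+        $rawValue = $this->findInsecureSqlExpr($sqlExpression, $scope);
+        if (null !== $rawValue) {
+            $description = $this->exprPrinter->printExpr($rawValue);
+
+            return [
+                RuleErrorBuilder::message(
+                    'Possible SQL-injection in expression '. $description .'.')
+                    ->tip('Consider use of more SQL-safe types, prepared statements, rex_sql::escape*() or rex_sql::in().')
+                    ->build(),
+            ];
+        }
+
+        return [];
+    }
+
+    private function findInsecureSqlExpr(Node\Expr $expr, Scope $scope, bool $resolveVariables = true): ?Node\Expr
+    {
+        if (true === $resolveVariables && $expr instanceof Node\Expr\Variable) {
+            $finder = new ExpressionFinder();
+            $assignExpr = $finder->findQueryStringExpression($expr);
+
+            if (null !== $assignExpr) {
+                return $this->findInsecureSqlExpr($assignExpr, $scope);
+            }
+
+            return $this->findInsecureSqlExpr($expr, $scope, false);
+        }
+
+        if ($expr instanceof Concat) {
+            $left = $expr->left;
+            $right = $expr->right;
+
+            $leftInsecure = $this->findInsecureSqlExpr($left, $scope);
+            if (null !== $leftInsecure) {
+                return $leftInsecure;
+            }
+
+            $rightInsecure = $this->findInsecureSqlExpr($right, $scope);
+            if (null !== $rightInsecure) {
+                return $rightInsecure;
+            }
+
+            return null;
+        }
+
+        if ($expr instanceof Node\Scalar\Encapsed) {
+            foreach ($expr->parts as $part) {
+                $insecurePart = $this->findInsecureSqlExpr($part, $scope);
+                if (null !== $insecurePart) {
+                    return $insecurePart;
+                }
+            }
+            return null;
+        }
+
+        if ($expr instanceof Node\Scalar\EncapsedStringPart) {
+            return null;
+        }
+
+        $exprType = $scope->getType($expr);
+        $mixedType = new MixedType();
+        if ($exprType->isSuperTypeOf($mixedType)->yes()) {
+            return $expr;
+        }
+
+        if ($exprType->isString()->yes()) {
+            if ($expr instanceof Node\Expr\CallLike) {
+                if (PhpDocUtil::commentContains('@psalm-taint-escape sql', $expr, $scope)) {
+                    return null;
+                }
+            }
+
+            if ($expr instanceof Node\Expr\MethodCall && $expr->name instanceof Node\Identifier) {
+                $callerType = $scope->getType($expr->var);
+
+                if ($callerType instanceof TypeWithClassName) {
+                    // handle escaping methods
+                    if (rex_sql::class === $callerType->getClassName() && in_array($expr->name->toLowerString(), ['escape', 'escapeidentifier', 'in'], true)) {
+                        return null;
+                    }
+                }
+            }
+
+            if ($expr instanceof Node\Expr\StaticCall && $expr->class instanceof Node\Name && $expr->name instanceof Node\Identifier) {
+                // lets assume rex::getTable() and rex::getTablePrefix() return untainted values.
+                // these methods are used in nearly every query and would otherwise create a lot of false positives.
+                if (rex::class === $expr->class->toString() && in_array($expr->name->toLowerString(), ['gettableprefix', 'gettable'], true)) {
+                    return null;
+                }
+                // translations could still lead to syntax errors, but since the input is not end-user controlled, we ignore it.
+                if (rex_i18n::class === $expr->class->toString() && 'msg' === $expr->name->toLowerString()) {
+                    return null;
+                }
+            }
+
+            if ($expr instanceof Node\Expr\FuncCall && $expr->name instanceof Node\Name) {
+                if (in_array($expr->name->toLowerString(), ['implode', 'join'], true)) {
+                    $args = $expr->getArgs();
+
+                    if (count($args) >= 2) {
+                        $arrayValueType = $scope->getType($args[1]->value);
+
+                        if ($arrayValueType->isArray()->yes() && $this->isSafeType($arrayValueType->getIterableValueType())) {
+                            return null;
+                        }
+                    }
+                }
+            }
+
+            if ($this->isSafeType($exprType)) {
+                return null;
+            }
+
+            return $expr;
+        }
+
+        return null;
+    }
+
+    private function isSafeType(Type $type): bool
+    {
+        if ($type->isLiteralString()->yes()) {
+            return true;
+        }
+
+        if ($type->isNumericString()->yes()) {
+            return true;
+        }
+
+        $integer = new IntegerType();
+        if ($integer->isSuperTypeOf($type)->yes()) {
+            return true;
+        }
+
+        $bool = new BooleanType();
+        if ($bool->isSuperTypeOf($type)->yes()) {
+            return true;
+        }
+
+        $float = new FloatType();
+        if ($float->isSuperTypeOf($type)->yes()) {
+            return true;
+        }
+
+        return false;
+    }
+}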
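Review bot: `$sqlExpression = $args[$argNo]->value;` in processNode can index past the argument list, because the only size guard is `count($args) < 1` while `'setrawvalue'` maps to argument index 1, so a `setRawValue()` call written with a single argument makes the rule itself read an undefined offset (and `->value` on null) instead of returning quietly. Guard on the resolved index right after the lookup, `if (!array_key_exists($argNo, $args)) { return []; }`, which also makes the early `count($args) < 1` check redundant. In findInsecureSqlExpr, the final `return null;` after the `isString()->yes()` branch appears to treat every non-string, non-mixed type as safe, so a `?string` parameter or an `int|string` union reaching a sink is never reported; `return $this->isSafeType($exprType) ? null : $expr;` closes that gap, with `$type->isNull()->yes()` added to isSafeType so a literal null is not flagged. Minor: processNode calls `getClassname()` while the later check uses `getClassName()`; PHP resolves both, but the spelling should be consistent.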
falls redaxo/redaxo#5353 gemergt wird, könnte man hier die liste um die methoden reduzieren die
psalm-taint-sink
markiert sind