Hello World

.gitignore

@@ -0,0 +1,10 @@
+# Byte-compiled / optimized / DLL files
+.idea/
+__pycache__/
+*.py[cod]
+*$py.class
+.DS_Store
+site/
+vendor/
+modules/
+tools/

.travis.yml

@@ -0,0 +1,23 @@
+language: php
+
+php:
+  - 7.0
+  - 7.1
+  - 7.2
+  - nightly
+
+matrix:
+  allow_failures:
+    - php: nightly
+
+services:
+  - mysql
+  - postgresql
+
+before_script:
+  - git clone https://github.com/fate0/xmark.git
+  - cd xmark && phpize && ./configure && make && cd ..
+  - mv ./xmark/modules ./modules
+  - composer install
+
+script: php -n -c php.ini ./vendor/bin/phpunit -c phpunit.xml

LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2018, 
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1 @@
+# prvd 

composer.json

@@ -0,0 +1,23 @@
+{
+  "name": "fate0/prvd",
+  "type": "project",
+  "description": "PHP Runtime Vulnerability Detection",
+  "license": "BSD-3-Clause",
+
+  "authors": [
+    {
+      "name": "fate0",
+      "email": "fate0@fatezero.org",
+      "homepage": "http://www.fatezero.org"
+    }
+  ],
+
+  "require-dev": {
+    "phpunit/phpunit": "*"
+  },
+
+  "require": {
+    "php": "^7.0",
+    "sentry/sentry": "*"
+  }
+}

php.ini

@@ -0,0 +1,84 @@
+auto_prepend_file = "src/Entry.php"
+extension="modules/xmark.so"
+
+[xmark]
+xmark.enable = 1
+xmark.rename_enable = 0
+xmark.rename_classes="
+    SQLite3:prvd_SQLite3,
+    mysqli:prvd_mysqli,
+    PDO:prvd_PDO,
+"
+xmark.rename_functions="
+    base64_decode:prvd_base64_decode,
+    basename:prvd_basename,
+    dirname:prvd_dirname,
+    explode:prvd_explode,
+    gzuncompress:prvd_gzuncompress,
+    hex2bin:prvd_hex2bin,
+    html_entity_decode:prvd_html_entity_decode,
+    htmlspecialchars_decode:prvd_htmlspecialchars_decode,
+    implode:prvd_implode,
+    join:prvd_join,
+    json_decode:prvd_json_decode,
+    ltrim:prvd_ltrim,
+    pathinfo:prvd_pathinfo,
+    rawurldecode:prvd_rawurldecode,
+    rawurlencode:prvd_rawurlencode,
+    rtrim:prvd_rtrim,
+    sprintf:prvd_sprintf,
+    str_ireplace:prvd_str_ireplace,
+    str_pad:prvd_str_pad,
+    str_replace:prvd_str_replace,
+    strstr:prvd_strstr,
+    strtolower:prvd_strtolower,
+    strtoupper:prvd_strtoupper,
+    substr:prvd_substr,
+    trim:prvd_trim,
+    urldecode:prvd_urldecode,
+    urlencode:prvd_urlencode,
+    vsprintf:prvd_vsprintf,
+
+    exec:prvd_exec,
+    passthru:prvd_passthru,
+    popen:prvd_popen,
+    proc_open:prvd_proc_open,
+    shell_exec:prvd_shell_exec,
+    system:prvd_system,
+    unserialize:prvd_unserialize,
+
+    copy:prvd_copy,
+    dir:prvd_dir,
+    file:prvd_file,
+    file_get_contents:prvd_file_get_contents,
+    file_put_contents:prvd_file_put_contents,
+    fopen:prvd_fopen,
+    glob:prvd_glob,
+    highlight_file:prvd_highlight_file,
+    link:prvd_link,
+    move_uploaded_file:prvd_move_uploaded_file,
+    opendir:prvd_opendir,
+    readfile:prvd_readfile,
+    rename:prvd_rename,
+    rmdir:prvd_rmdir,
+    scandir:prvd_scandir,
+    unlink:prvd_unlink,
+
+    mysqli_init:prvd_mysqli_init,
+    mysqli_query:prvd_mysqli_query,
+    mysqli_prepare:prvd_mysqli_prepare,
+    mysqli_real_query:prvd_mysqli_real_query,
+    pg_prepare:prvd_pg_prepare,
+    pg_query:prvd_pg_query,
+    pg_query_params:prvd_pg_query_params,
+    pg_send_prepare:prvd_pg_send_prepare,
+    pg_send_query:prvd_pg_send_query,
+    pg_send_query_params:prvd_pg_send_query_params,
+
+    curl_exec:prvd_curl_exec,
+    fsockopen:prvd_fsockopen,
+    get_headers:prvd_get_headers,
+
+    print_r:prvd_print_r,
+    printf:prvd_printf,
+    vprintf:prvd_vprintf"

phpunit.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/7.2/phpunit.xsd"
+         bootstrap="tests/bootstrap.php"
+         forceCoversAnnotation="true"
+         beStrictAboutCoversAnnotation="true"
+         beStrictAboutOutputDuringTests="false"
+         beStrictAboutTodoAnnotatedTests="true"
+         verbose="true">
+    <testsuites>
+        <testsuite name="default">
+            <directory suffix=".php">tests</directory>
+        </testsuite>
+    </testsuites>
+
+    <filter>
+        <whitelist processUncoveredFilesFromWhitelist="true">
+            <directory suffix=".php">src</directory>
+        </whitelist>
+    </filter>
+</phpunit>

src/Client.php

@@ -0,0 +1,55 @@
+<?php
+
+
+class PRVD_Sentry_Client extends Raven_Client
+{
+    public function __construct($options_or_dsn = null, $options = array())
+    {
+        parent::__construct($options_or_dsn, $options);
+    }
+
+    public function captureVuln($message, $level='error', $stack=true)
+    {
+        $stack = debug_backtrace();
+        array_shift($stack);
+        $this->captureMessage($message, array(), $level, $stack);
+    }
+}
+
+class PRVD_Fuzz_Client extends Raven_Client
+{
+    public function __construct($options_or_dsn = null, $options = array())
+    {
+        $options['trace'] = false;
+        $options['processors'] = array();
+        $options['auto_log_stacks'] = false;
+        parent::__construct($options_or_dsn, $options);
+    }
+
+    public function captureRequest()
+    {
+        if (!static::is_http_request()) return;
+
+        $data = $this->get_http_data();
+        $data['platform'] = 'php';
+        if (!empty($_GET)) {
+            $data['request']['query'] = $_GET;
+        }
+        if (!empty($_FILES)) {
+            $data['request']['files'] = $_FILES;
+        }
+
+        $this->process($data);
+        $this->send($data);
+    }
+
+    public function capture($data, $stack = null, $vars = null)
+    {
+        // do nothing
+    }
+
+    public function install(...$args)
+    {
+        // do nothing
+    }
+}

src/Entry.php

@@ -0,0 +1,72 @@
+<?php
+
+
+if (!extension_loaded('xmark')) {
+    trigger_error("xmark not installed", E_USER_WARNING);
+    return;
+}
+
+
+define("PRVD_FUZZ_DSN", "");
+define("PRVD_SENTRY_DSN", "");
+define("PRVD_TAINT_ENABLE", true);
+define("PRVD_RENAME_PREFIX", "prvd_");
+define("PRVD_TANZI", "xtanzi");
+define("PRVD_LOG_FILE", "/tmp/xmark.log");
+
+
+$prvd_sentry_client = null;
+$prvd_fuzz_client = null;
+
+
+function prvd_get_function($funcname) {
+    if (function_exists(PRVD_RENAME_PREFIX.$funcname)) {
+        return PRVD_RENAME_PREFIX.$funcname;
+    } else if (function_exists($funcname)) {
+        return $funcname;
+    } else {
+        exit("error: function ".$funcname." does not exists");
+    }
+}
+
+
+$prvd_dirname = prvd_get_function("dirname");
+define('PRVD_ABSPATH', $prvd_dirname( __FILE__ ) . '/' );
+require(PRVD_ABSPATH."Utils.php");
+
+
+// mark 输入变量
+prvd_xmark($_GET, true);
+prvd_xmark($_POST, true);
+prvd_xmark($_COOKIE, true);
+prvd_xmark($_FILES, true);
+
+foreach ($_SERVER as $key => &$value) {
+    if (stripos($key, 'HTTP_') === 0) {
+        prvd_xmark($value);
+    }
+}
+
+
+// 1. 加载 sink
+prvd_load_file(PRVD_ABSPATH."sink/*/*.php");
+
+// 2. 加载 filter
+prvd_load_file(PRVD_ABSPATH."filter/*.php");
+
+// 3. 加载 opcode
+prvd_load_opcode(PRVD_ABSPATH."opcode/*.php");
+
+
+// delay require
+require(PRVD_ABSPATH."../vendor/autoload.php");
+require(PRVD_ABSPATH."Client.php");
+
+$prvd_sentry_client = new PRVD_Sentry_Client(PRVD_SENTRY_DSN);
+$prvd_fuzz_client = new PRVD_Fuzz_Client(PRVD_FUZZ_DSN);
+
+
+// 如果 header 信息不是来源于 fuzzer，那就发送相关信息给 fuzzer
+if (PRVD_FUZZ_DSN && !isset($_SERVER['HTTP_PRVD_FUZZ'])) {
+    $prvd_fuzz_client->captureRequest();
+}