逻辑结构回溯有问题

[m4p1e]

function add_func($any){
	$did=$_GET['maple'];
	$pid="random";
	if(1>0){
		$pid=$did;
	}
	mysql_query($pid);
}

递归回溯

[DEBUG] [MainThread] [17:07:12] [parser.py:1317] [AST] vul_function:mysql_query
[DEBUG] [MainThread] [17:07:12] [parser.py:1124] [AST] AST to find param Variable('$pid')
[DEBUG] [MainThread] [17:07:12] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$glob'), ArrayOffset(Variable('$_GET'), 'maple'), False), Function('add_func', [FormalParameter('$di', None, False, None)], [Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), If(BinaryOp('>', 1, 0), Block([Assignment(Variable('$pid'), Variable('$did'), False)]), [], None), FunctionCall('mysql_query', [Parameter(Variable('$pid'), False)])], False)],function_params=None, lineno=33,function_flag=0,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [17:07:12] [parser.py:794] [AST] param $pid line 33 in function add_func line 23, start ast in function
[DEBUG] [MainThread] [17:07:12] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), If(BinaryOp('>', 1, 0), Block([Assignment(Variable('$pid'), Variable('$did'), False)]), [], None)],function_params=[FormalParameter('$di', None, False, None)], lineno=23,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [17:07:12] [parser.py:849] [AST] param $pid line 27 in if/else, start ast in if/else
[DEBUG] [MainThread] [17:07:12] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$pid'), Variable('$did'), False)],function_params=[FormalParameter('$di', None, False, None)], lineno=27,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=If(BinaryOp('>', 1, 0), Block([Assignment(Variable('$pid'), Variable('$did'), False)]), [], None)
[DEBUG] [MainThread] [17:07:12] [parser.py:641] [AST] Find $pid=$did in line 28, start ast for param $did
[DEBUG] [MainThread] [17:07:12] [parser.py:598] [BT] param=Variable('$did'),nodes=[],function_params=[FormalParameter('$di', None, False, None)], lineno=27,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [17:07:12] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$di', None, False, None)], lineno=23,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [17:07:12] [parser.py:641] [AST] Find $pid=random in line 0, start ast for param random
[DEBUG] [MainThread] [17:07:12] [engine.py:809] [AST] [RET] []

换成while 也一样，都不能报。cobra可以报，cobra在处理逻辑结构的时候把block里面的节点拿出来放到back_nodes里面去了。

[m4p1e]

应该是作用域的问题

[grayguest]

php应该没有块作用域，这种条件判断主要需要考虑不同的数据流比较好，而且对于条件最好能动态执行获取结果？我在调研商业产品的时候，针对OWASP Benchmark的一些误报，商业产品也没有避免，例如checkmarx的误报：

[LoRexxar]

1.9.2中更新并修复了这个问题

[m4p1e]

1.9.2中更新并修复了这个问题

function add_func($any){
	 $did="random";
	 $pid=$_GET['maple']
	 if(1<0){
	 $pid=$did;
	 }
	 mysql_query($pid);
}

想过这个吗？ 哈哈，我感觉如果为了尽可能多探测路径，这里可以param = [param ,cp]，再递归。 可以这样考虑。

[LoRexxar]

换了一个逻辑，如果if没有else，则会专门处理一种不进入循环的流程