Merge pull request #94 from wufeifei/develop

Improves #84

Author: FeeiCN

engine/parse.py

@@ -37,6 +37,7 @@ def __init__(self, rule, file_path, line, code):
         self.line = line
         self.code = code
         self.param_name = None
+        self.param_value = None
 
     def functions(self):
         logging.info('---------------------- [-]. Functions --------------------------------------')
@@ -189,7 +190,7 @@ def is_controllable_param(self):
                 logging.info("Check controllable param rule")
                 controllable_param_rule = [
                     {
-                        'rule': r'\\s?=\s?(\$\w+(?:\[(?:[^[\]]|(\?R))*\])*)'.format(param_name),
+                        'rule': r'(\{0}\s?=\s?\$\w+(?:\[(?:[^[\]]|\?R)*\])*)'.format(param_name),
                         'example': '$param_name = $variable',
                         'test': """
                             $param_name = $_GET
@@ -200,18 +201,18 @@ def is_controllable_param(self):
                             """
                     },
                     {
-                        'rule': r'function\s+\w+\s?\(.*(\{0})'.format(param_name),
+                        'rule': r'(function\s*\w+\s*\(.*\{0})'.format(param_name),
                         'example': 'function ($param_name)',
                         'test': """
                             function ($param_name)
                             function ($some, $param_name)
                             """
                     }
-
                 ]
                 for c_rule in controllable_param_rule:
                     c_rule_result = re.findall(c_rule['rule'], param_block_code)
                     if len(c_rule_result) >= 1:
+                        self.param_value = c_rule_result[0]
                         logging.info("R: True (New rule: controllable param: {0}, {1})".format(param_name, c_rule['example']))
                         return True
                 logging.info("R: True")

engine/static.py

@@ -211,6 +211,7 @@ def analyse(self):
                                 if match_result.group(0) is not None and match_result.group(0) is not "":
                                     logging.info("In Annotation")
                                 else:
+                                    param_value = None
                                     # parse file function structure
                                     if file_path[-3:] == 'php' and rule.regex_repair.strip() != '':
                                         try:
@@ -220,6 +221,8 @@ def analyse(self):
                                                     logging.info("Static: repaired")
                                                     continue
                                                 else:
+                                                    if parse_instance.param_value is not None:
+                                                        param_value = parse_instance.param_value
                                                     found_vul = True
                                             else:
                                                 logging.info("Static: uncontrollable param")
@@ -238,6 +241,9 @@ def analyse(self):
                                         if exist_result is not None:
                                             logging.warning("Exists Result")
                                         else:
+                                            code_content = '# 触发位置\r' + code_content
+                                            if param_value is not None:
+                                                code_content = '# 参数可控\r' + param_value + '\r//\r// ------ 省略部分代码 ------\r//\r' + code_content
                                             logging.debug('File: {0}:{1} {2}'.format(file_path, line_number, code_content))
                                             vul = CobraResults(self.task_id, rule.id, file_path, line_number, code_content)
                                             db.session.add(vul)