Merge branch 'master' of github.com:designsecurity/progpilot

.devcontainer/Dockerfile

@@ -0,0 +1,16 @@
+FROM php:8.1.13-cli
+
+RUN apt-get update && apt-get install -y vim git sudo
+
+RUN php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" \
+  && php -r "if (hash_file('sha384', 'composer-setup.php') === '55ce33d7678c5a611085589f1f3ddf8b3c52d662cd01d4ba75c0ee0459970c2200a51f492d557530c71c15d8dba01eae') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" \
+  && php composer-setup.php \
+  && php -r "unlink('composer-setup.php');" \
+  && sudo mv composer.phar /usr/local/bin/composer
+
+ARG USERNAME=developer
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+
+RUN groupadd --gid $USER_GID $USERNAME \
+  && useradd -s /bin/bash --uid $USER_UID --gid $USER_GID -m $USERNAME

.devcontainer/devcontainer.json

@@ -0,0 +1,7 @@
+{
+	"name": "progpilot-linux",
+	"build": {
+		"dockerfile": "Dockerfile"
+	},
+	"remoteUser": "developer"
+}

.github/workflows/main.yml

@@ -10,8 +10,9 @@ jobs:
     strategy:
       matrix:
         php-version:
-          - "7.3"
           - "7.4"
+          - "8.0"
+          - "8.1"
     steps:
       - name: "Checkout"
         uses: "actions/checkout@v2"

.gitignore

@@ -2,6 +2,7 @@ articles/
 builds/*.phar
 projects/tests/vendor
 projects/tests/composer.lock
+projects/tests/.phpunit.result.cache
 projects/example/vendor
 projects/example/composer.lock
 projects/example_config/vendor

composer.json

@@ -9,19 +9,26 @@
         }
     ],
     "require": {
-        "php": ">=7.2.5",
-        "ircmaxell/php-cfg": "1.0.x-dev",
+        "php": ">=7.4",
+        "ircmaxell/php-cfg": "^0.6.0",
         "symfony/yaml": ">=3.3.6",
-        "symfony/console": ">=3.3.5"
+        "symfony/console": ">=3.3.5",
+        "myclabs/deep-copy": "^1.10.2"
     },
     "require-dev": {
-        "phpunit/phpunit": "^6.0",
-        "phpro/grumphp": "^1.3"
+        "phpunit/phpunit": "^8.0 || ^9.0",
+        "phpro/grumphp": "^1.3",
+        "squizlabs/php_codesniffer": "^3.5"
     },
     "bin": ["projects/phar/progpilot"],
     "autoload": {
         "psr-0": {
             "progpilot": "package/src"
         }
+    },
+    "config": {
+        "allow-plugins": {
+            "phpro/grumphp": true
+        }
     }
 }

docs/API.md

@@ -20,17 +20,20 @@ To retrieve the value of $file, $code and $folder use these methods:
 ***
 - $obj_context->inputs->setLanguages($array);  
 Languages you want to analyze (["php", "js"] but js is in development), default is *["php"]*
-- $obj_context->inputs->setFrameworks($array);  
-Frameworks you want to analyze (default is *["suitecrm", "codeigniter"]*)
 - $obj_context->inputs->setDev($bool);  
 If you want to use security data relative to development of progpilot (default is *false*)
 ***
 
 ***
+- $obj_context->inputs->addSources($files_sources);
 - $obj_context->inputs->setSources($files_sources);
+- $obj_context->inputs->addSinks($files_sinks);
 - $obj_context->inputs->setSinks($files_sinks);
+- $obj_context->inputs->addSanitizers($files_sanitizers);
 - $obj_context->inputs->setSanitizers($files_sanitizers);
+- $obj_context->inputs->addValidators($files_validators);
 - $obj_context->inputs->setValidators($files_validators);
+- $obj_context->inputs->addCustomRules($files_custom);
 - $obj_context->inputs->setCustomRules($files_custom);
 - $obj_context->inputs->getCustomRules();
 - $obj_context->inputs->getSources();
@@ -49,15 +52,15 @@ These functions are explained in the chapter about [**handling false positives**
 ***
 
 ***
-- $obj_context->inputs->setIncludes($mixed);  
-- $obj_context->inputs->setExcludes($mixed);  
+- $obj_context->inputs->setInclusions($mixed);  
+- $obj_context->inputs->setExclusions($mixed);  
 For include or exclude files and folders during the analysis, see an [**example here**](./../projects/tests/exclude_files.json) with a json file configuration and an [**example here**](./../projects/tests/run_exclude_files.php) with a php array.
 ***
 
 ## Outputs
 ***
-- $obj_context->outputs->resolveIncludes($bool);
-- $obj_context->outputs->resolveIncludesFile($file);  
+- $obj_context->outputs->setWriteIncludeFailures($bool);
+- $obj_context->outputs->setIncludeFailuresFile($file);  
 These functions are explained in the chapter about [**included files**](./INCLUDES.md)
 - $obj_context->outputs->getAst();
 - $obj_context->outputs->getCfg();
@@ -72,25 +75,19 @@ print the number of files analyzed (it does not count the included files (with *
 
 ## Options
 ***
-- $obj_context->setLimitDefs($nb);  
+- $obj_context->setMaxDefinitions($nb);  
 to prevent memory exhaustion you could limit the number of definitions by file during the analysis (default is *3000*)
-- $obj_context->setLimitTime($time_sec);  
+- $obj_context->setMaxFileAnalysisDuration($time_sec);  
 max execution time by file for some steps of the analysis (default is *10 seconds*)
-- $obj_context->setLimitSize($size_bytes);  
+- $obj_context->setMaxFileSize($size_bytes);  
 do not analyze file that are larger than this defined size (default is 500 000 bytes)
-- $obj_context->setPrintFile($bool);  
-*true* if you want to print the name of files analyzed by progpilot, default is *false*
-- $obj_context->setPrintWarning($bool);  
-*true* if you want to print warnings during the analysis, default is *false*
+- $obj_context->setDebugMode($bool);  
+*true* if you want to output warnings during the analysis, default is *false*
 - $obj_context->setPrettyPrint($bool);  
 *true* if you want to pretty print the JSON output of standalone progpilot application, default is *true*
-- $obj_context->setAnalyzeFunctions($bool);  
-*true* if you want to analyze all functions (*false* only *main function* is analyzed), default is *true*
 - $obj_context->setAnalyzeIncludes($bool);  
 *true* or *false* if you want to analyze included files, default is *true*
 - $obj_context->setConfiguration($config);  
 you can use an yaml file to specify the configuration of analysis, see an [**example here**](./../projects/example_config/configuration.yml).
-- $obj_context->setAnalyzeHardRules($bool);  
-If you want to check custom rules that can take a lot a time (default is false)  
 These rules are explained in the chapter [**customize an analyze**](./CUSTOM_ANALYSIS.md)
 ***

docs/CONTRIBUTING.md

@@ -16,21 +16,7 @@ That will allow the ability of contributors to reproduce the bug.
 All php code must adhere to [PSR-2 standard](https://www.php-fig.org/psr/psr-2/) (except for tests).
 
 ### GrumPHP
-Developers can use [GrumPHP](https://github.com/phpro/grumphp/) to ensure each progpilot commit reaches code style (phpcs) and security (progpilot itself) requirements.  
-Install GrumPHP globally or in the progpilot repository:
-```shell
-composer require --dev phpro/grumphp
-```
-Install the [required tasks](../grumphp.yml) for Progpilot:
-```shell
-composer config minimum-stability dev
-composer require --dev squizlabs/php_codesniffer
-composer require --dev designsecurity/progpilot
-```
-Configure the following env variable to instruct GrumPHP to locate tasks executables:
-```shell
-export GRUMPHP_BIN_DIR="/path/to/vendor/bin"
-```
+Developers can use [GrumPHP](https://github.com/phpro/grumphp/) to ensure each progpilot commit reaches code style (phpcs) requirements.  
 
 ### Frameworks support
 Most of the time the analysis of progpilot can be extended simply with adding the corresponding [sources, sinks, validators and sanitizers](./SPECIFY_ANALYSIS.md): look at how it was done for [current frameworks](https://github.com/designsecurity/progpilot/tree/master/package/src/uptodate_data/php/frameworks).

docs/FAQ.md

@@ -1,7 +1,7 @@
 # FAQ
 
 #### Which version of PHP do I need?
-The minimum version of PHP needed to run Progpilot is 7.2.5
+The minimum version of PHP needed to run Progpilot is 7.4
 
 #### Where can I find the updated security files configuration (sinks, sources, validators, sanitizers and rules) of Progpilot?
 You can find the updated security files configuration of Progpilot in [package/src/uptodate_data](../package/src/uptodate_data) folder.
@@ -11,13 +11,12 @@ Example of control flow graph and call graph of source code transformed to dot f
 
 #### When I use progpilot I often run out of memory?
 Static analyzers use a lot of memory but you could try to handle this with [these functions](./API.md):
-- *$obj_context->setLimitDefs($nb);* 
-- *$obj_context->setLimitSize($size_bytes);* 
+- *$obj_context->setMaxDefinitions($nb);* 
+- *$obj_context->setMaxFileSize($size_bytes);* 
 
 And by increasing the maximum memory amount for a script (*memory_limit*) in the configuration of PHP (*php.ini*).
 
 #### What frameworks are supported by progpilot?
 At this moment, these frameworks are supported:
 - suiteCRM
 - codeIgniter
-- wordpress

docs/INCLUDES.md

@@ -13,13 +13,13 @@ include($dir."myfile$suf.php");
 ```
 
 To bypass this limitation use these functions:
-- $obj_context->outputs->resolveIncludes($bool);
-- $obj_context->outputs->resolveIncludesFile($file);  
+- $obj_context->outputs->setWriteIncludeFailures($bool);
+- $obj_context->outputs->setIncludeFailuresFile($file);  
 When *$bool* set to *true* and *$file* set to *resolve_includes.json* for example
 
 For each include not resolved an entry will be printed in the *$file* with the location of the include function (file, line, column):
 ```javascript
-{"includes_not_resolved":[["/home/dev/projects/tests/includes/simple5.php",11,11]]}
+{"include_failures":[["/home/dev/projects/tests/includes/simple5.php",11,11]]}
 ```
 Next create a *resolved_includes.json* file with the good value for each include function call:
 ```javascript

docs/SPECIFY_ANALYSIS.md

@@ -9,6 +9,7 @@ To specify the way vulnerabilities are detected, customize the sources, sinks, s
 
 ## Configure sources
 - $obj_context->inputs->setSources($files_sources);
+- $obj_context->inputs->addSources($files_sources);
 - $obj_context->inputs->getSources();
 
 Where *$file_sources* is a json file (or an array of json files) like below:
@@ -32,6 +33,7 @@ Optional properties:
 
 ## Configure sanitizers
 - $obj_context->inputs->setSanitizers($file_sanitizers);
+- $obj_context->inputs->addSanitizers($file_sanitizers);
 - $obj_context->inputs->getSanitizers();
 
 Where *$file_sanitizers* is a json file (or an array of json files) like below:
@@ -63,6 +65,7 @@ Optional properties:
 
 ## Configure sinks
 - $obj_context->inputs->setSinks($file_sinks);
+- $obj_context->inputs->addSinks($file_sinks);
 - $obj_context->inputs->getSinks();
 
 Where *$file_sinks* is a json file (or an array of json files) like below:
@@ -88,6 +91,7 @@ Optional properties:
 - [instanceof](#instanceof-property), [prevent](#prevent-property), [parameters](#parameters-property)
 
 ## Configure validators
+- $obj_context->inputs->addValidators($file_validators);
 - $obj_context->inputs->setValidators($file_validators);
 - $obj_context->inputs->getValidators();
 

docs/dev/STATES.md

@@ -0,0 +1,89 @@
+# definition states API
+
+Each definition has at least one state holding attributes like isTainted. The goal is to handle properties and array dataflow.
+
+For simple variable, the defaultState is enough, as dataflow is correctly performed by visitorDataFlow:
+```
+// block 1
+// foo defined in blockid 1 (defaultState = 1)
+// state 1 of foo tainted
+$foo = $_GET["p"]; 
+
+if(rand()) {
+    // block 2
+    // bar defined in blockid 2 (defaultState = 2)
+    // state 2 of foo bar (get value of foo->currentState()) tainted
+    $bar = $foo;
+}
+else {
+    // block 3
+    // bar defined in blockid 3 (defaultState = 3)
+    // state 3 of foo bar empty
+    $bar = null;
+}
+
+// block 4
+// bar search def:
+//    * block2 $bar->getCurrentState()
+//    * block3 $bar->getCurrentState()
+// merge states on block 4 of echo_arg0
+echo $bar;
+```
+
+For instances/properties variable, we need different states:
+```
+// block 1
+// instance defined in blockid 1 (defaultState = 1)
+$instance = new Object;
+
+if(rand()) {
+    // block 2
+    // instance defined in blockid 1 (defaultState = 1)
+    // state 2 of instance prop tainted
+    $instance->prop = $_GET["p"]; 
+    echo $instance->prop;
+}
+else {
+    // block 3
+    // instance defined in blockid 1 (defaultState = 1)
+    // state 3 of instance prop "null"
+    $instance->prop = "null";
+    echo $instance->prop;
+}
+
+// block 4
+// we launch dataflow analysis for properties
+// parent of 4 = block 2, 3
+// state 4 = merge(state 2,3)
+echo $instance->prop;
+```
+
+
+Chained calls:
+```
+// block 1
+// instance1 defined in blockid 1 (defaultState = 1)
+$instance1 = new Object1;
+
+/*
+function func1() {
+    // block 2
+    // instance2 defined in blockid 2 (defaultState = 2)
+    $instance2 = new Object2;
+    return $instance2;
+}
+
+function func2() {
+    // block 3
+    // instance3 defined in blockid 3 (defaultState = 3)
+    $instance3 = new Object3;
+    return $instance3;
+}
+
+function func3() {
+    echo $this->prop;
+}
+*/
+
+$instance1->func1()->func2()->func3();
+```

grumphp.yml

@@ -6,7 +6,3 @@ grumphp:
         metadata:
           priority: 300
         ignore_patterns: ["*/projects/tests/*"]
-
-      progpilot:
-        config_file: progpilot.yml
-        triggered_by: [php]

package/composer.json

@@ -9,13 +9,13 @@
         }
     ],
     "require": {
-        "php": "^7.0",
-        "ircmaxell/php-cfg": "1.0.x-dev",
+        "php": ">=7.4",
+        "ircmaxell/php-cfg": "^0.6.0",
         "symfony/yaml": ">=3.3.6",
         "symfony/console": ">=3.3.5"
     },
     "require-dev": {
-        "phpunit/phpunit": "^6.0"
+        "phpunit/phpunit": "^8.0 || ^9.0"
     },
     "autoload": {
         "psr-0": {