
trace function #1

Closed
tiandiyixian opened this issue Dec 18, 2017 · 8 comments

Comments

@tiandiyixian

Hi, Sir, I used progpilot to analyze my PHP project. It works well, but it seems that taint flow does not work: there is no taint trace info, only the source and sink exist. Can you give me some suggestions?

@eric-therond
Collaborator

Hi @tiandiyixian

  • use the latest version of progpilot (v0.2.0 or up-to-date dev-master)
  • use $obj_context->outputs->tainted_flow(true); in a library context (or tainted_flow: true if you use a configuration file) to authorize the tracing of tainted flows
  • if it still doesn't work, please paste your source code here

Eric

@tiandiyixian
Author

tiandiyixian commented Dec 20, 2017

Hi @eric-therond,
I have done it. Sometimes it works well, but with inter-procedural analysis the trace path may be partly lost, for example:

The program output:

[
  [source_name] => [[0] => $testa_return],
  [source_line] => [[0] => 5],
  [source_column] => [[0] => 51],
  [source_file] => [[0] => E:\RCP\PHP\test.php],
  [tainted_flow] => [[0] => [
    [0] => [[flow_name] => $var, [flow_line] => 4, [flow_column] => 36, [flow_file] => E:\RCP\PHP\test.php],
    [1] => [[flow_name] => $param, [flow_line] => 2, [flow_column] => 23, [flow_file] => E:\RCP\PHP\test.php]
  ]],
  [sink_name] => echo,
  [sink_line] => 11,
  [sink_column] => 115,
  [sink_file] => E:\RCP\PHP\test.php,
  [vuln_name] => xss,
  [vuln_cwe] => CWE_79,
  [vuln_id] => 14019ed3e9fffa06897aa0875e76e362bc7c53ab8a2a9670515c07412e4a3a47
]

But I think maybe line 8 & line 9 should be added to the flow path; the source starts in line 9: $var7 = $_GET["p"];

I debugged the program; the code:

if ($defarg->is_tainted())
{
    // useful just for inside the function
    $param->set_tainted(true);
    $expr = $param->get_expr();
    if (!is_null($expr) && $expr->is_assign()) // here the expr is null, so the trace is lost.

How can I trace the whole path?

@eric-therond
Collaborator

Thanks for the debugging @tiandiyixian.

I will check; could you paste the source code of your analyzed file: E:\RCP\PHP\test.php?

Eric

@tiandiyixian
Author

tiandiyixian commented Dec 20, 2017

@eric-therond
I am sorry, I forgot to paste the example; this is the example:

2  function testa($param)
3  {
4      $var = $param;
5      return $var;
6  }
7
8  $var7 = $_GET["p"];
9  $var4 = $var7;
10
11 echo testa($var4);

eric-therond added a commit that referenced this issue Dec 20, 2017
@eric-therond
Collaborator

The property taintedbyexpr of function parameters was not assigned to the expression of the tainted argument during the function call (the flow was effectively broken here).

I've corrected this; you could try now.
I didn't test this functionality a lot, so let me know if there are other problems.

Eric

@tiandiyixian
Author

tiandiyixian commented Dec 23, 2017

Hi @eric-therond, I will test the project completely. After the bug above was fixed, I tested some examples, and there is another bug,
example:

3  class testc1
4  {
5      private $member1;
6
7      public $object1;
8
9      public function set_object1($val)
10     {
11         $this->object1 = $val;
12     }
13     public function get_object1()
14     {
15         return $this->object1;
16     }
17 };
18
19
20
21
22 $newsettestc1 = new testc1;
23
24 $newsettestc1->set_object1($_GET["p"]);
25
26 echo $newsettestc1->get_object1();

When I enabled the trace, the result was:

[[flow_name] => $this->object1, [flow_line] => 7, [flow_column] => 55, [flow_file] => E:\CP\PHP\tests\oop\simple19.php]

The source line was 15, the sink line was 26; the trace was partly missing the path. Line 24 was the beginning,
so the flow path should maybe be: 24-9-11-7
I found the class ResolveDefs,

218 if ($def_found->is_tainted())
219     $new_property->set_tainted(true);
// maybe $new_property->set_taintedbyexpr() is missing here,
// but I do not know how to add the expression,

269 if ($def_found->is_tainted())
270     $property->set_tainted(true);
// maybe $new_property->set_taintedbyexpr() is missing here,
// but I do not know how to add the expression in the right position,

@eric-therond
Collaborator

It was the same mistake as previously; I've corrected this.

I have also added to the roadmap the handling of multiple flows for the same source (see for example: flow3.php); currently only one flow is traced (starting from $var1 in this example).

Eric
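Both fixes in this thread are the same omission: the taint bit was copied onto the function parameter (first report) and onto the object property (second report), but the back-link to the expression that tainted it (progpilot's taintedbyexpr) was not, so the flow walk stopped one hop after the sink. The following Python model is an added illustration of that mechanism and is not progpilot's code; all names (Definition, propagate, trace, function_call_flow, property_flow) are invented for the example. It replays both examples from the thread, once with the back-link dropped (the reported behaviour) and once with it kept (the fix), so the two traces can be compared against the outputs posted above.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Definition:
    """One variable, parameter or property definition as a taint analyzer tracks it.

    `tainted_by` is the definition whose value tainted this one (the role that
    progpilot's taintedbyexpr plays). A tainted definition whose `tainted_by`
    is None is where a traced flow stops.
    """
    name: str
    line: int
    tainted: bool = False
    tainted_by: Optional["Definition"] = None


def assign(name: str, line: int, rhs: Definition) -> Definition:
    """Model `$name = $rhs;` inside one function: taint and back-link both propagate."""
    return Definition(name, line, rhs.tainted, rhs if rhs.tainted else None)


def propagate(dst: Definition, src: Definition, keep_expr: bool) -> None:
    """Model a cross-boundary copy: call-site argument -> parameter, or
    setter argument -> property. keep_expr=False reproduces the bug from the
    thread: the taint bit is copied but the back-link to `src` is dropped."""
    if src.tainted:
        dst.tainted = True
        dst.tainted_by = src if keep_expr else None


def trace(sink_input: Definition) -> List[str]:
    """Walk tainted_by links from the value reaching the sink back toward the source."""
    if not sink_input.tainted:
        return []
    path, cur = [], sink_input
    while cur is not None:
        path.append(f"{cur.name}@{cur.line}")
        cur = cur.tainted_by
    return path


def function_call_flow(keep_expr: bool) -> List[str]:
    """First test.php from the thread (line numbers as posted):
    $_GET["p"] -> $var7 -> $var4 -> testa($param) -> $var -> return -> echo."""
    get_p = Definition('$_GET["p"]', 8, tainted=True)   # constructed source
    var7 = assign("$var7", 8, get_p)
    var4 = assign("$var4", 9, var7)
    param = Definition("$param", 2)
    propagate(param, var4, keep_expr)                   # binding at `echo testa($var4);`
    var = assign("$var", 4, param)
    ret = assign("$testa_return", 5, var)               # value reaching the echo sink
    return trace(ret)


def property_flow(keep_expr: bool) -> List[str]:
    """Second example from the thread: set_object1($_GET["p"]) stores into
    $this->object1 (declared line 7, written line 11); get_object1() returns it."""
    get_p = Definition('$_GET["p"]', 24, tainted=True)  # constructed source
    val = Definition("$val", 9)
    propagate(val, get_p, True)                         # parameter binding, already fixed
    prop = Definition("$this->object1", 7)
    propagate(prop, val, keep_expr)                     # property write at line 11
    ret = assign("$get_object1_return", 15, prop)       # value reaching the echo sink
    return trace(ret)


if __name__ == "__main__":
    for label, fn in (("function call", function_call_flow), ("property", property_flow)):
        print(f"{label}, back-link dropped: {' <- '.join(fn(False))}")
        print(f"{label}, back-link kept:    {' <- '.join(fn(True))}")
```

With keep_expr=False the first trace is $testa_return, $var, $param and the second is just $this->object1, which is what the two posted outputs show; with keep_expr=True both walks continue through the argument to $_GET["p"]. The practical check after upgrading is therefore simple: a tainted_flow entry for an inter-procedural or setter/getter case must end at a superglobal or other source, not at a parameter or property name.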

@tiandiyixian
Author

Thanks again, I will try it!
