From cc5e609d49a413fd35bb6a1eebad40114715c58c Mon Sep 17 00:00:00 2001
From: Christian Kollross <christian.kollross@ekino.com>
Date: Fri, 25 Feb 2022 11:08:06 +0100
Subject: [PATCH] feat(ban): Add rule to ban shell execution via backticks

---
 CHANGELOG.md                        | 2 +-
 README.md                           | 5 +++++
 extension.neon                      | 5 +++++
 snippets/backticks.php              | 3 +++
 snippets/echo.php                   | 1 -
 snippets/eval.php                   | 1 -
 snippets/exec.php                   | 3 +--
 snippets/exit.php                   | 1 -
 snippets/passthru.php               | 1 -
 snippets/phpinfo.php                | 1 -
 snippets/print_r.php                | 1 -
 snippets/proc_open.php              | 2 +-
 snippets/shell_exec.php             | 1 -
 snippets/system.php                 | 1 -
 snippets/var_dump.php               | 1 -
 tests/Rules/BannedNodesRuleTest.php | 5 ++++-
 16 files changed, 20 insertions(+), 14 deletions(-)
 create mode 100644 snippets/backticks.php

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4e5aecb..2aca616 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@ CHANGELOG
 master
 ------
 
-* todo...
+* Added rule to ban shell execution via backticks
 
 v1.0.0
 ------
diff --git a/README.md b/README.md
index 0664579..13060c4 100644
--- a/README.md
+++ b/README.md
@@ -64,6 +64,11 @@ parameters:
 					- system
 					- var_dump
 
+			# enable detection of shell execution by backticks
+			-
+				type: Expr_ShellExec
+				functions: null
+
 		# enable detection of `use Tests\Foo\Bar` in a non-test file
 		use_from_tests: true
 ```
diff --git a/extension.neon b/extension.neon
index 00c5ecb..9bdad7b 100644
--- a/extension.neon
+++ b/extension.neon
@@ -41,6 +41,11 @@ parameters:
 					- system
 					- var_dump
 
+			# enable detection of shell execution by backticks
+			-
+				type: Expr_ShellExec
+				functions: null
+
 		# enable detection of `use Tests\Foo\Bar` in a non-test file
 		use_from_tests: true
 
diff --git a/snippets/backticks.php b/snippets/backticks.php
new file mode 100644
index 0000000..50b7664
--- /dev/null
+++ b/snippets/backticks.php
@@ -0,0 +1,3 @@
+<?php
+
+`ls -lsa`;
diff --git a/snippets/echo.php b/snippets/echo.php
index 61fb197..9473f3b 100644
--- a/snippets/echo.php
+++ b/snippets/echo.php
@@ -1,4 +1,3 @@
 <?php
 
 echo 'test echo';
-
diff --git a/snippets/eval.php b/snippets/eval.php
index a95d999..4fa64e6 100644
--- a/snippets/eval.php
+++ b/snippets/eval.php
@@ -1,4 +1,3 @@
 <?php
 
 eval(true);
-
diff --git a/snippets/exec.php b/snippets/exec.php
index 1192ee6..793d0fe 100644
--- a/snippets/exec.php
+++ b/snippets/exec.php
@@ -1,4 +1,3 @@
 <?php
 
-exec('');
-
+exec('ls -lsa');
diff --git a/snippets/exit.php b/snippets/exit.php
index 889830a..b66b36e 100644
--- a/snippets/exit.php
+++ b/snippets/exit.php
@@ -1,4 +1,3 @@
 <?php
 
 exit;
-
diff --git a/snippets/passthru.php b/snippets/passthru.php
index acf02b7..ee0919e 100644
--- a/snippets/passthru.php
+++ b/snippets/passthru.php
@@ -1,4 +1,3 @@
 <?php
 
 passthru('');
-
diff --git a/snippets/phpinfo.php b/snippets/phpinfo.php
index bff637f..83f1549 100644
--- a/snippets/phpinfo.php
+++ b/snippets/phpinfo.php
@@ -1,4 +1,3 @@
 <?php
 
 phpinfo();
-
diff --git a/snippets/print_r.php b/snippets/print_r.php
index 7b31d2c..eccef0e 100644
--- a/snippets/print_r.php
+++ b/snippets/print_r.php
@@ -1,4 +1,3 @@
 <?php
 
 print_r('');
-
diff --git a/snippets/proc_open.php b/snippets/proc_open.php
index 95f29de..e7c4cc7 100644
--- a/snippets/proc_open.php
+++ b/snippets/proc_open.php
@@ -1,4 +1,4 @@
 <?php
+
 $pipes = [];
 proc_open('', [], $pipes);
-
diff --git a/snippets/shell_exec.php b/snippets/shell_exec.php
index 9c3248c..962cbbb 100644
--- a/snippets/shell_exec.php
+++ b/snippets/shell_exec.php
@@ -1,4 +1,3 @@
 <?php
 
 shell_exec('');
-
diff --git a/snippets/system.php b/snippets/system.php
index cfc6fc7..01c2224 100644
--- a/snippets/system.php
+++ b/snippets/system.php
@@ -1,4 +1,3 @@
 <?php
 
 system('');
-
diff --git a/snippets/var_dump.php b/snippets/var_dump.php
index 2263779..47bf74a 100644
--- a/snippets/var_dump.php
+++ b/snippets/var_dump.php
@@ -1,4 +1,3 @@
 <?php
 
 var_dump('');
-
diff --git a/tests/Rules/BannedNodesRuleTest.php b/tests/Rules/BannedNodesRuleTest.php
index 4a1294f..69cddd2 100644
--- a/tests/Rules/BannedNodesRuleTest.php
+++ b/tests/Rules/BannedNodesRuleTest.php
@@ -20,6 +20,7 @@
 use PhpParser\Node\Expr\Exit_;
 use PhpParser\Node\Expr\FuncCall;
 use PhpParser\Node\Expr\Include_;
+use PhpParser\Node\Expr\ShellExec;
 use PhpParser\Node\Expr\Variable;
 use PhpParser\Node\Name;
 use PhpParser\Node\Scalar\LNumber;
@@ -52,6 +53,7 @@ protected function setUp(): void
             ['type' => 'Expr_Eval'],
             ['type' => 'Expr_Exit'],
             ['type' => 'Expr_FuncCall', 'functions' => ['debug_backtrace', 'dump']],
+            ['type' => 'Expr_ShellExec'],
         ]);
         $this->scope = $this->createMock(Scope::class);
     }
@@ -128,11 +130,12 @@ public function getUnhandledNodes(): \Generator
     }
 
     /**
-     * @return \Generator<array<Eval_|Exit_>>
+     * @return \Generator<array<mixed>>
      */
     public function getHandledNodes(): \Generator
     {
         yield [new Eval_($this->createMock(Expr::class))];
         yield [new Exit_()];
+        yield [new ShellExec([''])];
     }
 }