Merge pull request #56 from BitScout/22-detect-shell-exec-via-backticks

mremi · web-flow · commit d3bca55de874 · 2022-02-25T14:16:13.000+01:00
feat(ban): Add rule to ban shell execution via backticks
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,7 +4,7 @@ CHANGELOG
 master
 ------
 
-* todo...
+* Added rule to ban shell execution via backticks
 
 v1.0.0
 ------
diff --git a/README.md b/README.md
@@ -64,6 +64,11 @@ parameters:
 					- system
 					- var_dump
 
+			# enable detection of shell execution by backticks
+			-
+				type: Expr_ShellExec
+				functions: null
+
 		# enable detection of `use Tests\Foo\Bar` in a non-test file
 		use_from_tests: true
 ```
diff --git a/extension.neon b/extension.neon
@@ -41,6 +41,11 @@ parameters:
 					- system
 					- var_dump
 
+			# enable detection of shell execution by backticks
+			-
+				type: Expr_ShellExec
+				functions: null
+
 		# enable detection of `use Tests\Foo\Bar` in a non-test file
 		use_from_tests: true
 
diff --git a/snippets/backticks.php b/snippets/backticks.php
@@ -0,0 +1,3 @@
+<?php
+
+`ls -lsa`;
diff --git a/snippets/echo.php b/snippets/echo.php
@@ -1,4 +1,3 @@
 <?php
 
 echo 'test echo';
-
diff --git a/snippets/eval.php b/snippets/eval.php
@@ -1,4 +1,3 @@
 <?php
 
 eval(true);
-
diff --git a/snippets/exec.php b/snippets/exec.php
@@ -1,4 +1,3 @@
 <?php
 
-exec('');
-
+exec('ls -lsa');
diff --git a/snippets/exit.php b/snippets/exit.php
@@ -1,4 +1,3 @@
 <?php
 
 exit;
-
diff --git a/snippets/passthru.php b/snippets/passthru.php
@@ -1,4 +1,3 @@
 <?php
 
 passthru('');
-
diff --git a/snippets/phpinfo.php b/snippets/phpinfo.php
@@ -1,4 +1,3 @@
 <?php
 
 phpinfo();
-
diff --git a/snippets/print_r.php b/snippets/print_r.php
@@ -1,4 +1,3 @@
 <?php
 
 print_r('');
-
diff --git a/snippets/proc_open.php b/snippets/proc_open.php
@@ -1,4 +1,4 @@
 <?php
+
 $pipes = [];
 proc_open('', [], $pipes);
-
diff --git a/snippets/shell_exec.php b/snippets/shell_exec.php
@@ -1,4 +1,3 @@
 <?php
 
 shell_exec('');
-
diff --git a/snippets/system.php b/snippets/system.php
@@ -1,4 +1,3 @@
 <?php
 
 system('');
-
diff --git a/snippets/var_dump.php b/snippets/var_dump.php
@@ -1,4 +1,3 @@
 <?php
 
 var_dump('');
-
diff --git a/tests/Rules/BannedNodesRuleTest.php b/tests/Rules/BannedNodesRuleTest.php
@@ -20,6 +20,7 @@
 use PhpParser\Node\Expr\Exit_;
 use PhpParser\Node\Expr\FuncCall;
 use PhpParser\Node\Expr\Include_;
+use PhpParser\Node\Expr\ShellExec;
 use PhpParser\Node\Expr\Variable;
 use PhpParser\Node\Name;
 use PhpParser\Node\Scalar\LNumber;
@@ -52,6 +53,7 @@ protected function setUp(): void
             ['type' => 'Expr_Eval'],
             ['type' => 'Expr_Exit'],
             ['type' => 'Expr_FuncCall', 'functions' => ['debug_backtrace', 'dump']],
+            ['type' => 'Expr_ShellExec'],
         ]);
         $this->scope = $this->createMock(Scope::class);
     }
@@ -128,11 +130,12 @@ public function getUnhandledNodes(): \Generator
     }
 
     /**
-     * @return \Generator<array<Eval_|Exit_>>
+     * @return \Generator<array<mixed>>
      */
     public function getHandledNodes(): \Generator
     {
         yield [new Eval_($this->createMock(Expr::class))];
         yield [new Exit_()];
+        yield [new ShellExec([''])];
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`	`1`	`<?php`
`2`	`2`
`3`	`3`	`echo 'test echo';`
`4`		`-`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`	`1`	`<?php`
`2`	`2`
`3`	`3`	`eval(true);`
`4`		`-`
-Original file line number
+Diff line change
@@ @@ -1,4 +1,3 @@ @@
 <?php
 -exec('');
+-
 +exec('ls -lsa');
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`	`1`	`<?php`
`2`	`2`
`3`	`3`	`passthru('');`
`4`		`-`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`	`1`	`<?php`
`2`	`2`
`3`	`3`	`phpinfo();`
`4`		`-`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`	`1`	`<?php`
`2`	`2`
`3`	`3`	`print_r('');`
`4`		`-`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`	`1`	`<?php`
`2`	`2`
`3`	`3`	`shell_exec('');`
`4`		`-`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`	`1`	`<?php`
`2`	`2`
`3`	`3`	`system('');`
`4`		`-`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`	`1`	`<?php`
`2`	`2`
`3`	`3`	`var_dump('');`
`4`		`-`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@`
`20`	`20`	`use PhpParser\Node\Expr\Exit_;`
`21`	`21`	`use PhpParser\Node\Expr\FuncCall;`
`22`	`22`	`use PhpParser\Node\Expr\Include_;`
	`23`	`+use PhpParser\Node\Expr\ShellExec;`
`23`	`24`	`use PhpParser\Node\Expr\Variable;`
`24`	`25`	`use PhpParser\Node\Name;`
`25`	`26`	`use PhpParser\Node\Scalar\LNumber;`
`@@ -52,6 +53,7 @@ protected function setUp(): void`
`52`	`53`	`['type' => 'Expr_Eval'],`
`53`	`54`	`['type' => 'Expr_Exit'],`
`54`	`55`	`['type' => 'Expr_FuncCall', 'functions' => ['debug_backtrace', 'dump']],`
	`56`	`+ ['type' => 'Expr_ShellExec'],`
`55`	`57`	`]);`
`56`	`58`	`$this->scope = $this->createMock(Scope::class);`
`57`	`59`	`}`
`@@ -128,11 +130,12 @@ public function getUnhandledNodes(): \Generator`
`128`	`130`	`}`
`129`	`131`
`130`	`132`	`/**`
`131`		`- * @return \Generator<array<Eval_\|Exit_>>`
	`133`	`+ * @return \Generator<array<mixed>>`
`132`	`134`	`*/`
`133`	`135`	`public function getHandledNodes(): \Generator`
`134`	`136`	`{`
`135`	`137`	`yield [new Eval_($this->createMock(Expr::class))];`
`136`	`138`	`yield [new Exit_()];`
	`139`	`+ yield [new ShellExec([''])];`
`137`	`140`	`}`
`138`	`141`	`}`