Merge pull request #60 from hahwul/hahwul-dev

Hahwul dev
owasp-noir · Aug 30, 2023 · 4d9d5e2 · 4d9d5e2
2 parents d742f01 + fa37057
commit 4d9d5e2
Show file tree

Hide file tree

Showing 7 changed files with 31 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -26,7 +26,7 @@
 | Python   | Flask     | ✅   | X      | X     | X      | X  |
 | Ruby     | Rails     | ✅   | ✅      | ✅     | ✅      | X  |
 | Ruby     | Sinatra   | ✅   | ✅      | ✅     | ✅      | X  |
-| Php      |           | ✅   | ✅      | ✅     | X      | X  |
+| Php      |           | ✅   | ✅      | ✅     | ✅      | X  |
 | Java     | Spring    | ✅   | ✅      | X     | X      | X  |
 | Java     | Jsp       | X   | X      | X     | X      | X  |
 | Crystal  | Kemal     | ✅   | ✅      | ✅     | ✅      | ✅  |

diff --git a/shard.yml b/shard.yml
@@ -1,5 +1,5 @@
 name: noir
-version: 0.5.2
+version: 0.5.4
 
 authors:
   - hahwul <[email protected]>

diff --git a/spec/functional_test/fixtures/php_pure/post.php b/spec/functional_test/fixtures/php_pure/post.php
@@ -1,3 +1,4 @@
 <?
     $param1 = $_POST['param1'];
+    $password = hash('sha256',$_POST['password']);
 ?>
diff --git a/spec/functional_test/testers/php_pure_spec.cr b/spec/functional_test/testers/php_pure_spec.cr
@@ -7,7 +7,10 @@ extected_endpoints = [
     Param.new("param1", "", "query"),
   ]),
   Endpoint.new("/post.php", "GET"),
-  Endpoint.new("/post.php", "POST", [Param.new("param1", "", "form")]),
+  Endpoint.new("/post.php", "POST", [
+    Param.new("param1", "", "form"),
+    Param.new("password", "", "form"),
+  ]),
   Endpoint.new("/request.php", "GET", [Param.new("param1", "", "query")]),
   Endpoint.new("/request.php", "POST", [Param.new("param1", "", "form")]),
 ]

diff --git a/src/analyzer/analyzers/analyzer_php_pure.cr b/src/analyzer/analyzers/analyzer_php_pure.cr
@@ -20,26 +20,28 @@ class AnalyzerPhpPure < Analyzer
           methods = [] of String
 
           file.each_line do |line|
-            match = line.strip.match(%r{.*\$_(.*?)\['(.*?)'\];})
+            if allow_patterns.any? { |pattern| line.includes? pattern }
+              match = line.strip.match(/\$_(.*?)\['(.*?)'\]/)
 
-            if match
-              method = match[1]
-              param_name = match[2]
+              if match
+                method = match[1]
+                param_name = match[2]
 
-              if method == "GET"
-                params_query << Param.new(param_name, "", "query")
-              elsif method == "POST"
-                params_body << Param.new(param_name, "", "form")
-                methods << "POST"
-              elsif method == "REQUEST"
-                params_query << Param.new(param_name, "", "query")
-                params_body << Param.new(param_name, "", "form")
-                methods << "POST"
-              elsif method == "SERVER"
-                if param_name.includes? "HTTP_"
-                  param_name = param_name.sub("HTTP_", "").gsub("_", "-")
-                  params_query << Param.new(param_name, "", "header")
-                  params_body << Param.new(param_name, "", "header")
+                if method == "GET"
+                  params_query << Param.new(param_name, "", "query")
+                elsif method == "POST"
+                  params_body << Param.new(param_name, "", "form")
+                  methods << "POST"
+                elsif method == "REQUEST"
+                  params_query << Param.new(param_name, "", "query")
+                  params_body << Param.new(param_name, "", "form")
+                  methods << "POST"
+                elsif method == "SERVER"
+                  if param_name.includes? "HTTP_"
+                    param_name = param_name.sub("HTTP_", "").gsub("_", "-")
+                    params_query << Param.new(param_name, "", "header")
+                    params_body << Param.new(param_name, "", "header")
+                  end
                 end
               end
             end
@@ -58,8 +60,8 @@ class AnalyzerPhpPure < Analyzer
     result
   end
 
-  def allow_methods
-    ["GET", "POST", "PUT", "DELETE", "PATCH"]
+  def allow_patterns
+    ["$_GET", "$_POST", "$_REQUEST", "$_SERVER"]
   end
 end
 

diff --git a/src/models/noir.cr b/src/models/noir.cr
@@ -127,7 +127,7 @@ class NoirRunner
         if param.param_type == "form"
           if first_form
             final_body += "#{param.name}=#{param.value}"
-            first_form
+            first_form = false
           else
             final_body += "&#{param.name}=#{param.value}"
           end

diff --git a/src/noir.cr b/src/noir.cr
@@ -6,7 +6,7 @@ require "./options.cr"
 require "./techs/techs.cr"
 
 module Noir
-  VERSION = "0.5.2"
+  VERSION = "0.5.4"
 end
 
 noir_options = default_options()