Sink with multiple params · Issue #5 · designsecurity/progpilot

Look at the example

```
$res = create_function($_GET["p1"], $_GET["t1"]);
$res = create_function('', $_GET["t1"]);
$res = create_function($_GET["p1"], '');
```

progpilot can find only the first line. I think there must be other logic.

```
diff --git a/package/src/progpilot/Analysis/SecurityAnalysis.php b/package/src/progpilot/Analysis/SecurityAnalysis.php index 585f222..9c2985f 100644 --- a/package/src/progpilot/Analysis/SecurityAnalysis.php +++ b/package/src/progpilot/Analysis/SecurityAnalysis.php @@ -96,10 +96,9 @@ class SecurityAnalysis $condition_respected = true; if ($mysink->has_parameters()) { + $condition_respected = false; for ($i = 0; i<i < i<nb_params; $i ++) { if ($mysink->is_parameter($i + 1)) { - $condition_respected = false; - mydefarg=mydef_arg = mydefarg=instruction->get_property("argdef$i"); taintedexpr=tainted_expr = taintedexpr=mydef_arg->get_taintedbyexpr(); @@ -112,7 +111,7 @@ class SecurityAnalysis } } - if (!$condition_respected) { + if ($condition_respected) { break; } }
```

Is it OK that I am sending diffs rather than pull requests? I think it is the last one. I almost finished my little project.
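Review bot: With `$condition_respected = false;` hoisted above the `for` loop in the first hunk, a sink that declares parameters but is called with none of those positions present (every listed index at or beyond `$nb_params`) now leaves the loop as false, where the old code left it true. If that is intended, say so in a comment next to the assignment, since the initial `$condition_respected = true;` two lines earlier now only applies to sinks without parameters.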
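Review bot: The flipped test `if ($condition_respected) { break; }` in the second hunk stops the loop at the first listed parameter that satisfies the condition, so a sink definition listing several parameters changes from requiring all of them to requiring any one of them (assuming the unchanged lines between the two hunks set the flag to true for a tainted argument). That matches the three `create_function` calls in the report, but it is a behaviour change for every existing multi-parameter sink definition, so it should come with a note in the sink configuration documentation and a regression test covering the three calls from this issue.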