Merge pull request #3 from antman3351/master

Restrict calling static methods, static properties and constants on c…
apioo · May 10, 2024 · 092296c · 092296c
2 parents 6d07751 + 81a498c
commit 092296c
Show file tree

Hide file tree

Showing 10 changed files with 60 additions and 4 deletions.
diff --git a/src/Printer.php b/src/Printer.php
@@ -20,6 +20,7 @@
 
 namespace PSX\Sandbox;
 
+use PhpParser\Node;
 use PhpParser\Node\Expr;
 use PhpParser\Node\Stmt;
 use PhpParser\PrettyPrinter\Standard;
@@ -74,11 +75,20 @@ protected function pExpr_New(Expr\New_ $node)
 
         $class = $this->p($node->class);
 
-        $this->securityManager->checkNewCall($class);
+        $this->securityManager->checkClassIsAllowed($class);
 
         return parent::pExpr_New($node);
     }
 
+    protected function pStaticDereferenceLhs(Node $node)
+    {
+        $class = $this->p($node);
+
+        $this->securityManager->checkClassIsAllowed($class);
+
+        return parent::pStaticDereferenceLhs($node);
+    }
+
     protected function pExpr_Exit(Expr\Exit_ $node)
     {
         throw new SecurityException('Exit is not allowed');
@@ -162,6 +172,17 @@ protected function pStmt_Echo(Stmt\Echo_ $node)
         throw new SecurityException('Echo is not allowed');
     }
 
+    protected function pStmt_Expression(Stmt\Expression $node)
+    {
+        $expression = $this->p($node->expr);
+
+        if (\preg_match('/print\W+/i', $expression)) {
+            throw new SecurityException('Print is not allowed');
+        }
+
+        return $expression . ';';
+    }
+
     protected function pStmt_Global(Stmt\Global_ $node)
     {
         throw new SecurityException('Global is not allowed');

diff --git a/src/SecurityManager.php b/src/SecurityManager.php
@@ -640,7 +640,7 @@ private function fullyQualifyNamespacedFunction(string $functionName): string
     /**
      * @throws SecurityException
      */
-    public function checkNewCall(string $className)
+    public function checkClassIsAllowed(string $className) : void
     {
         if (isset($this->classAliases[$className])) {
             $className = $this->classAliases[$className];

diff --git a/tests/safe/008.phpt b/tests/safe/008.phpt
@@ -1,5 +1,5 @@
 --TEST--
-iterator_apply closure callback
+Class aliasing
 --FILE--
 <?php
 

diff --git a/tests/safe/014.phpt b/tests/safe/014.phpt
@@ -0,0 +1,7 @@
+--TEST--
+Check static method calls
+--FILE--
+<?php
+return DateTime::createFromFormat( 'Y-m-d', '2024-03-21' )->format('Y-m-d');
+--EXPECT--
+"2024-03-21"
diff --git a/tests/unsafe/034.phpt b/tests/unsafe/034.phpt
@@ -1,5 +1,5 @@
 --TEST--
-Execute function through map
+Execute function through match
 --FILE--
 <?php
 

diff --git a/tests/unsafe/038.phpt b/tests/unsafe/038.phpt
@@ -0,0 +1,6 @@
+--TEST--
+Check static method calls
+--FILE--
+<?php
+
+Someclass::exec();
diff --git a/tests/unsafe/039.phpt b/tests/unsafe/039.phpt
@@ -0,0 +1,6 @@
+--TEST--
+Check static constant calls
+--FILE--
+<?php
+
+return Someclass::FOO;
diff --git a/tests/unsafe/040.phpt b/tests/unsafe/040.phpt
@@ -0,0 +1,6 @@
+--TEST--
+Check static property calls
+--FILE--
+<?php
+
+return Someclass::$property;
diff --git a/tests/unsafe/041.phpt b/tests/unsafe/041.phpt
@@ -0,0 +1,4 @@
+--TEST--
+Test print is blocked
+--FILE--
+<?php pRiNt"Hello World"?>
diff --git a/tests/unsafe/042.phpt b/tests/unsafe/042.phpt
@@ -0,0 +1,6 @@
+--TEST--
+Test wrapping function in closure
+--FILE--
+<?php
+return ( Closure::fromCallable( 'exec' ) )( 'ls' );
+?>