Merge pull request #48 from phpbb/paul999-patch-1

Return a fatal when using enable_super_globals()

Author: Derky

src/Tests/Tests/epv_test_validate_php_functions.php

@@ -31,6 +31,7 @@
 use PHPParser_Node_Stmt_Interface;
 use PHPParser_Node_Stmt_Namespace;
 use PHPParser_Node_Stmt_Use;
+use PHPParser_Node_Expr_MethodCall;
 use PHPParser_Parser;
 
 
@@ -285,6 +286,7 @@ private function parseNode(array $nodes)
 				$this->validateFunctionNames($node);
 				$this->validateExit($node);
 				$this->validatePrint($node);
+				$this->validateMethodCalls($node);
 			}
 
 			if (is_array($node) || is_object($node))
@@ -366,13 +368,56 @@ private function validateFunctionNames(PHPParser_Node $node)
 			$name = (string)$node->expr->name->subNodes[0];
 		}
 
-		if ($name != null)
+		if ($name !== null)
 		{
 			$this->validateDbal($name, $node);
 			$this->validateDeprecated($name, $node);
 			$this->validateFunctions($name, $node);
 		}
 	}
+	
+	/**
+	 * Validate method calls to classes.
+	 * @param \PHPParser_Node $node Node to validate
+	 */
+	private function validateMethodCalls(PHPParser_Node $node) {
+		$name = null;
+		if ($node instanceof PHPParser_Node_Expr_MethodCall)
+		{
+			if ($node->name instanceof PHPParser_Node_Expr_Variable)
+			{
+				// If function name is a variable.
+				$name = (string)$node->name->name;
+			}
+			else
+			{
+				$name = (string)$node->name;
+			}
+		}
+		else if (isset($node->expr) && $node->expr instanceof PHPParser_Node_Expr_MethodCall)
+		{
+			$name = (string)$node->expr->name;
+		}
+
+		if ($name !== null)
+		{
+			$this->validateEnableGlobals($name, $node);
+		}		
+	}
+
+	/**
+	 * Valdiate the use of enable_globals.
+	 *
+	 * @param                 $name
+	 * @param \PHPParser_Node $node
+	 */	
+	private function validateEnableGlobals($name, PHPParser_Node $node) 
+	{
+		if ($name == 'enable_super_globals') 
+		{
+			$this->addMessage(Output::FATAL, sprintf('The use of enable_super_globals() is not allowed for security reasons on line %s', $node->getAttribute('startLine')));
+		}
+	}
 
 	/**
 	 * Valdiate the use of deprecated functions.

tests/epv_test_validate_php_functions_test.php

@@ -0,0 +1,43 @@
+<?php
+/**
+ *
+ * EPV :: The phpBB Forum Extension Pre Validator.
+ *
+ * @copyright (c) 2014 phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ */
+
+class epv_test_validate_php_functions extends PHPUnit_Framework_TestCase
+{
+	public static function setUpBeforeClass()
+	{
+		require_once('./tests/Mock/Output.php');
+	}
+	
+    public function test_usage_of_enable_globals() {
+        $output = $this->getOutputMock();
+        $output->expects($this->exactly(1))
+            ->method('addMessage')
+            ->with(\Phpbb\Epv\Output\OutputInterface::FATAL, 'The use of enable_super_globals() is not allowed for security reasons on line 7 in tests/testFiles/enable_globalsphp')
+        ;
+
+        $file = $this->getLoader()->loadFile('tests/testFiles/enable_globals.php');
+
+        $tester = new \Phpbb\Epv\Tests\Tests\epv_test_validate_php_functions(false, $output, '/a/b/', 'epv/test', false, '/a/');
+        $tester->validateFile($file);
+    }
+
+    private function getLoader()
+    {
+        return $file = new \Phpbb\Epv\Files\FileLoader(new \Phpbb\Epv\Tests\Mock\Output(), false, '.', '.');
+    }
+
+    /**
+     * @return \PHPUnit_Framework_MockObject_MockObject
+     */
+    function getOutputMock()
+    {
+        return $this->getMock('Phpbb\Epv\Output\OutputInterface');
+    }
+}

tests/testFiles/enable_globals.php

@@ -0,0 +1,8 @@
+<?php
+
+if (!defined('IN_PHPBB')) {
+  exit;
+}
+
+$request->enable_super_globals();
+