Почетна Преглед Помоћ
Пријавите се
waibao
/
NN2024071001
2
0
Креирај огранак 0
Датотеке Дискусије 0 Захтеви за спајање 0 Вики
Грана: master
Гране Ознаке
NN2024071001
/
vendor
/
nikic
/
php-parser
/
tools
/
fuzzing
/
target.php

target.php 4.6 KB
Пермалинк Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129 
  1. <?php declare(strict_types=1);
    2. 

  2. 

  3. /** @var PhpFuzzer\Fuzzer $fuzzer */
    4. 

  4. 

  5. use PhpParser\Node\Expr;
    6. 

  6. use PhpParser\Node\Scalar;
    7. 

  7. use PhpParser\Node\Stmt;
    8. 

  8. use PhpParser\NodeVisitor;
    9. 

  9. 

  10. if (class_exists(PhpParser\Parser\Php7::class)) {
    11. 

  11.     echo "The PHP-Parser target can only be used with php-fuzzer.phar,\n";
    12. 

  12.     echo "otherwise there is a conflict with php-fuzzer's own use of PHP-Parser.\n";
    13. 

  13.     exit(1);
    14. 

  14. }
    15. 

  15. 

  16. $autoload = __DIR__ . '/../../vendor/autoload.php';
    17. 

  17. if (!file_exists($autoload)) {
    18. 

  18.     echo "Cannot find PHP-Parser installation in " . __DIR__ . "/PHP-Parser\n";
    19. 

  19.     exit(1);
    20. 

  20. }
    21. 

  21. 

  22. require $autoload;
    23. 

  23. 

  24. $lexer = new PhpParser\Lexer();
    25. 

  25. $parser = new PhpParser\Parser\Php7($lexer);
    26. 

  26. $prettyPrinter = new PhpParser\PrettyPrinter\Standard();
    27. 

  27. $nodeDumper = new PhpParser\NodeDumper();
    28. 

  28. $visitor = new class extends PhpParser\NodeVisitorAbstract {
    29. 

  29.     private const CAST_NAMES = [
    30. 

  30.         'int', 'integer',
    31. 

  31.         'double', 'float', 'real',
    32. 

  32.         'string', 'binary',
    33. 

  33.         'array', 'object',
    34. 

  34.         'bool', 'boolean',
    35. 

  35.         'unset',
    36. 

  36.     ];
    37. 

  37. 

  38. 

  39.     private $tokens;
    40. 

  40.     public $hasProblematicConstruct;
    41. 

  41. 

  42.     public function setTokens(array $tokens): void {
    43. 

  43.         $this->tokens = $tokens;
    44. 

  44.     }
    45. 

  45. 

  46.     public function beforeTraverse(array $nodes): void {
    47. 

  47.         $this->hasProblematicConstruct = false;
    48. 

  48.     }
    49. 

  49. 

  50.     public function leaveNode(PhpParser\Node $node) {
    51. 

  51.         // We don't precisely preserve nop statements.
    52. 

  52.         if ($node instanceof Stmt\Nop) {
    53. 

  53.             return NodeVisitor::REMOVE_NODE;
    54. 

  54.         }
    55. 

  55. 

  56.         // We don't precisely preserve redundant trailing commas in array destructuring.
    57. 

  57.         if ($node instanceof Expr\List_) {
    58. 

  58.             while (!empty($node->items) && $node->items[count($node->items) - 1] === null) {
    59. 

  59.                 array_pop($node->items);
    60. 

  60.             }
    61. 

  61.         }
    62. 

  62. 

  63.         // For T_NUM_STRING the parser produced negative integer literals. Convert these into
    64. 

  64.         // a unary minus followed by a positive integer.
    65. 

  65.         if ($node instanceof Scalar\Int_ && $node->value < 0) {
    66. 

  66.             if ($node->value === \PHP_INT_MIN) {
    67. 

  67.                 // PHP_INT_MIN == -PHP_INT_MAX - 1
    68. 

  68.                 return new Expr\BinaryOp\Minus(
    69. 

  69.                     new Expr\UnaryMinus(new Scalar\Int_(\PHP_INT_MAX)),
    70. 

  70.                     new Scalar\Int_(1));
    71. 

  71.             }
    72. 

  72.             return new Expr\UnaryMinus(new Scalar\Int_(-$node->value));
    73. 

  73.         }
    74. 

  74. 

  75.         // If a constant with the same name as a cast operand occurs inside parentheses, it will
    76. 

  76.         // be parsed back as a cast. E.g. "foo(int)" will fail to parse, because the argument is
    77. 

  77.         // interpreted as a cast. We can run into this with inputs like "foo(int\n)", where the
    78. 

  78.         // newline is not preserved.
    79. 

  79.         if ($node instanceof Expr\ConstFetch && $node->name->isUnqualified() &&
    80. 

  80.             in_array($node->name->toLowerString(), self::CAST_NAMES)
    81. 

  81.         ) {
    82. 

  82.             $this->hasProblematicConstruct = true;
    83. 

  83.         }
    84. 

  84. 

  85.         // The parser does not distinguish between use X and use \X, as they are semantically
    86. 

  86.         // equivalent. However, use \keyword is legal PHP, while use keyword is not, so we inspect
    87. 

  87.         // tokens to detect this situation here.
    88. 

  88.         if ($node instanceof Stmt\Use_ && $node->uses[0]->name->isUnqualified() &&
    89. 

  89.             $this->tokens[$node->uses[0]->name->getStartTokenPos()]->is(\T_NAME_FULLY_QUALIFIED)
    90. 

  90.         ) {
    91. 

  91.             $this->hasProblematicConstruct = true;
    92. 

  92.         }
    93. 

  93.         if ($node instanceof Stmt\GroupUse && $node->prefix->isUnqualified() &&
    94. 

  94.             $this->tokens[$node->prefix->getStartTokenPos()]->is(\T_NAME_FULLY_QUALIFIED)
    95. 

  95.         ) {
    96. 

  96.             $this->hasProblematicConstruct = true;
    97. 

  97.         }
    98. 

  98.     }
    99. 

  99. };
    100. 

  100. $traverser = new PhpParser\NodeTraverser();
    101. 

  101. $traverser->addVisitor($visitor);
    102. 

  102. 

  103. $fuzzer->setTarget(function(string $input) use($lexer, $parser, $prettyPrinter, $nodeDumper, $visitor, $traverser) {
    104. 

  104.     $stmts = $parser->parse($input);
    105. 

  105.     $printed = $prettyPrinter->prettyPrintFile($stmts);
    106. 

  106. 

  107.     $visitor->setTokens($lexer->getTokens());
    108. 

  108.     $stmts = $traverser->traverse($stmts);
    109. 

  109.     if ($visitor->hasProblematicConstruct) {
    110. 

  110.         return;
    111. 

  111.     }
    112. 

  112. 

  113.     try {
    114. 

  114.         $printedStmts = $parser->parse($printed);
    115. 

  115.     } catch (PhpParser\Error $e) {
    116. 

  116.         throw new Error("Failed to parse pretty printer output");
    117. 

  117.     }
    118. 

  118. 

  119.     $visitor->setTokens($lexer->getTokens());
    120. 

  120.     $printedStmts = $traverser->traverse($printedStmts);
    121. 

  121.     $same = $nodeDumper->dump($stmts) == $nodeDumper->dump($printedStmts);
    122. 

  122.     if (!$same && !preg_match('/<\?php<\?php/i', $input)) {
    123. 

  123.         throw new Error("Result after pretty printing differs");
    124. 

  124.     }
    125. 

  125. });
    126. 

  126. 

  127. $fuzzer->setMaxLen(1024);
    128. 

  128. $fuzzer->addDictionary(__DIR__ . '/php.dict');
    129. 

  129. $fuzzer->setAllowedExceptions([PhpParser\Error::class]);
    130.