{"title":"Denzyl Dick","subtitle":"My site ","link":[{"@attributes":{"rel":"self","type":"application\/atom+xml","href":"https:\/\/denzyl.io\/atom.xml"}},{"@attributes":{"rel":"alternate","type":"text\/html","href":"https:\/\/denzyl.io"}}],"generator":"Zola","updated":"2020-01-01T00:00:00+00:00","id":"https:\/\/denzyl.io\/atom.xml","entry":[{"title":"Detecting spaghetti code in AST of a PHP source code.","published":"2020-01-01T00:00:00+00:00","updated":"2020-01-01T00:00:00+00:00","author":{"name":"\n \n Unknown\n \n "},"link":{"@attributes":{"rel":"alternate","type":"text\/html","href":"https:\/\/denzyl.io\/blog\/detecting-spaghetti-code-in-ast-of-a-php-source-code\/"}},"id":"https:\/\/denzyl.io\/blog\/detecting-spaghetti-code-in-ast-of-a-php-source-code\/","content":"
\n

This is the part(3) of a series. I suggest you read parts 1<\/a> and 2<\/a> before this one.<\/p>\n<\/blockquote>\n

In part 2<\/a>, I made sure that the test passed correctly. The focus now is how we traverse a block of code inside its scope. We should be able to increase the variables in the formula at the right moment.<\/p>\n

If you have read part 1<\/a>, you know that we need to implement the validate function that is mandatory in the trait Rule<\/code>.<\/p>\n

\n<\/span>impl <\/span>Rule <\/span>for <\/span>E009 <\/span>{\n<\/span>    <\/span>fn <\/span>validate<\/span>(\n<\/span>        <\/span>&<\/span>self<\/span>,\n<\/span>        <\/span>statement<\/span>: <\/span>&<\/span>php_parser_rs::parser::ast::Statement,\n<\/span>    ) -> <\/span>Vec<\/span><crate::project::Suggestion> {\n<\/span>\n<\/span>    }\n<\/span>}\n<\/span>\n<\/span><\/code><\/pre>\n
\n
Nodes are like the conditional statement: if, else, while, for, etc.\nEdges are the paths that can be taken.<\/p>\n<\/blockquote>\n
The validate<\/code> function will be executed for every statement in a source code. In the source code below, there are 32 lines of code.<\/p>\n
<?php\n<\/span>\n<\/span>class <\/span>Index<\/span>{\n<\/span>\n<\/span>  <\/span>public function <\/span>tooComplex<\/span>(){\n<\/span>    $a <\/span>= <\/span>1<\/span>;\n<\/span>    $b <\/span>= <\/span>2<\/span>;\n<\/span>\n<\/span>\n<\/span>    <\/span>if<\/span>($a <\/span>> <\/span>$b){\n<\/span>      <\/span>if<\/span>($b <\/span>< <\/span>$a){\n<\/span>\n<\/span>        <\/span>if<\/span>($a <\/span>== <\/span>$b){\n<\/span>\n<\/span>          <\/span>while<\/span>($b <\/span>> <\/span>$a){\n<\/span>\n<\/span>          }\n<\/span>\n<\/span>        }\n<\/span>      }\n<\/span>    }\n<\/span>  }\n<\/span>}\n<\/span>\n<\/span><\/code><\/pre>\n
impl <\/span>Rule <\/span>for <\/span>E009 <\/span>{\n<\/span>    <\/span>fn <\/span>validate<\/span>(\n<\/span>        <\/span>&<\/span>self<\/span>,\n<\/span>        <\/span>statement<\/span>: <\/span>&<\/span>php_parser_rs::parser::ast::Statement,\n<\/span>    ) -> <\/span>Vec<\/span><crate::project::Suggestion> {\n<\/span>        <\/span>let mut<\/span> suggestions <\/span>= <\/span>Vec<\/span>::new();\n<\/span>        <\/span>let mut<\/span> graph <\/span>=<\/span> Graph { n: <\/span>0<\/span>, e: <\/span>0<\/span>, p: <\/span>0 <\/span>};\n<\/span>        <\/span>match<\/span> statement {\n<\/span>            Statement::Class(class) <\/span>=> <\/span>{\n<\/span>                <\/span>for<\/span> member <\/span>in &<\/span>class.body.members {\n<\/span>                    <\/span>match<\/span> member {\n<\/span>                        ClassMember::ConcreteMethod(concretemethod) <\/span>=> <\/span>{\n<\/span>                            <\/span>match<\/span> concretemethod.body.<\/span>clone<\/span>() {\n<\/span>                                MethodBody {\n<\/span>                                    comments: <\/span>_<\/span>,\n<\/span>                                    left_brace: <\/span>_<\/span>,\n<\/span>                                    statements,\n<\/span>                                    right_brace: <\/span>_<\/span>,\n<\/span>                                } <\/span>=> <\/span>{\n<\/span>                                   <\/span>\/\/\/ HERE !!\n<\/span>                                    }\n<\/span>                                }\n<\/span>                            }\n<\/span>                        }\n<\/span>                        <\/span>_ => <\/span>{}\n<\/span>                    }\n<\/span>                }\n<\/span>            }\n<\/span>            <\/span>_ => <\/span>{}\n<\/span>        }\n<\/span>        suggestions\n<\/span>    }\n<\/span>}\n<\/span>\n<\/span><\/code><\/pre>\n
If you aren\u2019t familiar with pattern matching, it\u2019s kind of a switch keyword on steroids. Look for the Look for \/\/\/ HERE !!<\/code> in the above code.<\/p>\n
 MethodBody {\n<\/span>                                    comments: <\/span>_<\/span>,\n<\/span>                                    left_brace: <\/span>_<\/span>,\n<\/span>                                    statements,\n<\/span>                                    right_brace: <\/span>_<\/span>,\n<\/span>                                } <\/span>=> <\/span>{\n<\/span>                                    <\/span>\/\/\/ HERE 1\n<\/span>\n<\/span>                                    }\n<\/span>                                }\n<\/span>\n<\/span><\/code><\/pre>\n
As you can see we have four parameters that we can use. The ones we are looking for are the statements. The type of this parameter is Vec<Statement><\/code> meaning it can be anything.<\/p>\n
In the source code below, Phanalist<\/a> calls a function with let graph  = calculate _cyclomatic_complexity();<\/code> This function will return a struct of the type Graph<\/code>. The first parameter passed is statements.clone()<\/code>. This function uses recursion to traverse down the tree. In part 4 I will explain the recursion we were thinking about.<\/p>\n
\n<\/span> <\/span>let<\/span> graph <\/span>= <\/span>calculate_cyclomatic_complexity<\/span>(\n<\/span>                                        statements.<\/span>clone<\/span>(),\n<\/span>                                        <\/span>&<\/span>mut<\/span> graph,\n<\/span>                                    );\n<\/span> <\/span>if<\/span> graph.<\/span>calculate<\/span>() <\/span>> <\/span>10 <\/span>{\n<\/span>suggestions.<\/span>push<\/span>(Suggestion::from(<\/span>"This method body is too complex. Make it easier to understand."<\/span>.<\/span>to_string<\/span>(),\n<\/span>                concretemethod.function,\n<\/span>"E009"<\/span>.<\/span>to_string<\/span>() ));\n<\/span>}\n<\/span>\n<\/span><\/code><\/pre>\n
The Graph<\/code> struct has the calculate<\/code> function we previously used to calculate the cyclomatic complexity. My threshold is always ten, so I will be using that.<\/p>\n
If the value exceeds ten, I push the Suggestion<\/code> onto the vector. The vector of Suggestion<\/code> is the value returned to the validate function\u2019s caller.<\/p>\n
\ud83d\udd17<\/a>Recursion<\/h1>\n
\"Image<\/p>\n
\n
In computer science, recursion is a method of solving a computational problem where the solution depends on solutions to smaller instances of the same problem. Recursion solves such recursive problems using functions that call themselves from within their code. Wikipedia<\/a><\/p>\n<\/blockquote>\n
\ud83d\udd17<\/a>Conclusion<\/h1>\n
If you are a PHP developer, you know that a developer can make many more mistakes in PHP. In the future, the list of Rules will continue to grow into something more useful.<\/p>\n
Thanks for reading!<\/p>\n
Contribution is always welcome if you have a mistake you would like to add to Phanalist<\/a>.<\/p>\n"},{"title":"How I made it impossible to write spaghetti code","published":"2020-01-01T00:00:00+00:00","updated":"2020-01-01T00:00:00+00:00","author":{"name":"\n            \n              Unknown\n            \n          "},"link":{"@attributes":{"rel":"alternate","type":"text\/html","href":"https:\/\/denzyl.io\/blog\/how-i-made-impossible-to-write-spaghetti-code\/"}},"id":"https:\/\/denzyl.io\/blog\/how-i-made-impossible-to-write-spaghetti-code\/","content":"
\n
This is part 2 of a series of my static analyzer for PHP. If you did not read part 1<\/a>, I suggest you to read it first.<\/p>\n<\/blockquote>\n
A long time ago, I went to a development user group, and one of the talks was about cyclomatic complexity. At that time, I thought, what a cool name. If you already know the meaning of that cool name. Congrats, you are probably 1 of those developers who can detect lousy code without reading it. By seeing the indentation\u2019s shape, you can smell the bad code.\n\"Bad<\/p>\n
Cyclomatic definition:<\/strong>\nUsed to describe the number of circuits in a network; equal to the number of edges minus the number of nodes plus the number of graphs.<\/em><\/p>\n
Ok, breathe. If we translate the definitions into code, it will be something like this.<\/p>\n
\"Bad<\/p>\n
Nodes are like the conditional statement: if<\/code>, else<\/code>, while<\/code>, for<\/code>, etc.\nEdges are the paths that can be taken. There are two paths in the code on lines 4<\/code> and 14<\/code>. One of the two can be taken if the variable defined on line 3<\/code> has the value of Hola<\/code>; in this case, the first path will be taken. But in this example, the value of the $a<\/code> is Helloworld<\/code> so the second path will be taken. In the control flow graph below, you can view a better representation.<\/p>\n
\"Control<\/p>\n
Ok, right; what is the complexity of that cool name I previously told you about?<\/p>\n
The code above is a small example, but imagine you have a method that has 100 lines of code. Then, the complexity of the code will increase drastically.<\/p>\n
\ud83d\udd17<\/a>Calculate the complexity<\/h2>\n
The equation for calculating the cyclomatic complexity is:<\/p>\n
{% katex %} M = N - E + 2P {% endkatex %}<\/p>\n
\n
This formula is also known as McCabe\u2019s Cyclomatic Complexity (MCC) and is widely used to measure the complexity of a program by analyzing its control flow structure.<\/p>\n<\/blockquote>\n
N<\/code> stands for the number of nodes, and E<\/code> stands for the number of edges. The 2P<\/code> stands for two multiplied by the number of exit nodes. In our example, this will translate into:<\/p>\n
{% katex %} 5 = 8 - 9 + 2 x 3 {% endkatex %}<\/p>\n
So, I started this blog by saying I can prevent myself from writing spaghetti code. If you did not read part 1<\/a> of this series, you might not know I\u2019m working on a static analyzer for PHP. The project\u2019s name is phanalist, and it\u2019s available on github<\/a>.<\/p>\n
In the following paragraph, we will see how phanalist<\/a> can calculate the cyclomatic complexity of the scope of a method. Before creating Phanalist, I always kept the cyclomatic complexity of the methods I wrote in my mind. And if I see that the complexity is higher than 10. I always try to refactor the method, making it easier to understand.<\/p>\n
How does phanalist<\/a> calculate the cyclomatic complexity? Let\u2019s start by implementing the equation above. We will start by creating a struct named Graph. This struct will have the three variables from the equation(n, e, and p).<\/p>\n
struct <\/span>Graph <\/span>{\n<\/span>    <\/span>n<\/span>: <\/span>i64<\/span>,\n<\/span>    <\/span>e<\/span>: <\/span>i64<\/span>,\n<\/span>    <\/span>p<\/span>: <\/span>i64<\/span>,\n<\/span>}\n<\/span><\/code><\/pre>\n
\n
This struct will be passed around when traversing the abstract syntax tree.<\/p>\n<\/blockquote>\n
{% katex %} M = N - E + 2P {% endkatex %}<\/p>\n
When traversing the AST, we can increase the variables at the right moment. After that, I used the MCC equation to calculate the cyclomatic complexity of our example code.<\/p>\n
impl <\/span>Graph <\/span>{\n<\/span>    <\/span>pub fn <\/span>calculate<\/span>(<\/span>self<\/span>) -> <\/span>i64 <\/span>{\n<\/span>        <\/span>self<\/span>.n <\/span>- <\/span>self<\/span>.e <\/span>+ <\/span>(<\/span>2 <\/span>* <\/span>self<\/span>.p)\n<\/span>    }\n<\/span>}\n<\/span>#[<\/span>test<\/span>]\n<\/span>pub fn <\/span>calculate<\/span>() {\n<\/span>    <\/span>let<\/span> g <\/span>=<\/span> Graph { n: <\/span>8<\/span>, e: <\/span>9<\/span>, p: <\/span>3 <\/span>};\n<\/span>    <\/span>assert_eq!<\/span>(g.<\/span>calculate<\/span>(), <\/span>5<\/span>);\n<\/span>}\n<\/span>\n<\/span><\/code><\/pre>\n
In part 3<\/a> of this series. I will explain how we traverse the AST when calculating the cyclomatic complexity.<\/p>\n"},{"title":"Improve your CI output","published":"2020-01-01T00:00:00+00:00","updated":"2020-01-01T00:00:00+00:00","author":{"name":"\n            \n              Unknown\n            \n          "},"link":{"@attributes":{"rel":"alternate","type":"text\/html","href":"https:\/\/denzyl.io\/blog\/improve-your-ci-output\/"}},"id":"https:\/\/denzyl.io\/blog\/improve-your-ci-output\/","content":"
Have you ever been in a situation where you made a PR or MR and waited for a couple of seconds for the output of the CI pipeline? But something went wrong, and you can\u2019t see the issue in the blink of an eye. And you get annoyed that you must read a few logs to discover the problem?<\/p>\n
It\u2019s a scenario that many of us have likely encountered at some point.<\/p>\n
This article teaches how to improve your CI output. I will use Github.<\/p>\n
\n
This article is part of a series about a static analysis tool I\u2019ve worked on for over a year. It\u2019s called Phanalist<\/a>. Please check it out and hit the star button. Thank you.<\/p>\n<\/blockquote>\n
How can I improve the CI output in Github? When running your CI tools, you probably output everything to STDOUT and view the content in the log viewer.<\/p>\n
Something like this:<\/p>\n
\"Image<\/p>\n
The output format text in Phanalist is not so bad. It\u2019s readable because of the table layout. But why stop there?<\/p>\n
Microsoft is not so evil anymore, and Github has solved that problem I\u2019ve already. What we will be using is what they call SARIF<\/code>. It stands\nfor Static Analysis Results Interchange Format. It\u2019s a specification for understanding the output of static analysis tools. That is how the tools can display information in the code scanning section under the security tab on a repository.<\/p>\n
\"Image<\/p>\n
For Phanalist to have a chance to be adopted by more people, this is a must feature that should be implemented first. Then, I can focus on adding more rules to the tool.<\/p>\n
For context, Phanalist<\/a> consists of rules implemented by the contributors. Every rule has a detailed explanation of what you are doing wrong and guides you in the right direction so you can fix it.<\/p>\n
The tools under the code scanning section use a Github action called github\/codeql-action\/upload-sarif<\/code>. This action uploads a .sarif<\/code> file to GitHub. Remember that you will need the right permissions to upload a file from the Github workflow. After uploading, Github will validate the file\u2019s content, and if there are any errors, they will be displayed in the logs. If everything goes well, you will have more issues to fix under the security tab.<\/p>\n
The tools you use should have a Sarif<\/code> output. At the time of writing, I do not know if the popular static analysis tools in the PHP ecosystem support Sarif, but if not, you can help them with that.<\/p>\n
But Phanalist<\/a> supports that format. It can output information in three formats: text<\/code>, json<\/code>, and sarif<\/code>.<\/p>\n
phanalist --src<\/span>=<\/span>. --output-format<\/span>=<\/span>sarif\n<\/span><\/code><\/pre>\n
The output will be something like this:<\/p>\n
{\n<\/span>  <\/span>"version"<\/span>: <\/span>"2.1.0"<\/span>,\n<\/span>  <\/span>"$schema"<\/span>: <\/span>"http:\/\/json.schemastore.org\/sarif-2.1.0-rtm.4"<\/span>,\n<\/span>  <\/span>"runs"<\/span>: [\n<\/span>    {\n<\/span>      <\/span>"tool"<\/span>: {\n<\/span>        <\/span>"driver"<\/span>: {\n<\/span>          <\/span>"name"<\/span>: <\/span>"Phanalist"<\/span>,\n<\/span>          <\/span>"informationUri"<\/span>: <\/span>"https:\/\/github.com\/denzyldick\/phanalist"<\/span>,\n<\/span>          <\/span>"rules"<\/span>: [\n<\/span>            {\n<\/span>              <\/span>"id"<\/span>: <\/span>"e0009"<\/span>,\n<\/span>              <\/span>"shortDescription"<\/span>: {\n<\/span>                <\/span>"text"<\/span>: <\/span>"Method is too complex"\n<\/span>              },\n<\/span>              <\/span>"properties"<\/span>: {\n<\/span>                <\/span>"category"<\/span>: <\/span>"phanalist"\n<\/span>              }\n<\/span>            }\n<\/span>          ]\n<\/span>        }\n<\/span>      },\n<\/span>      <\/span>"artifacts"<\/span>: [\n<\/span>        {\n<\/span>          <\/span>"location"<\/span>: {\n<\/span>            <\/span>"uri"<\/span>: <\/span>"src\/complex.php"\n<\/span>          }\n<\/span>        }\n<\/span>      ],\n<\/span>      <\/span>"results"<\/span>: [\n<\/span>        {\n<\/span>          <\/span>"level"<\/span>: <\/span>"warning"<\/span>,\n<\/span>          <\/span>"message"<\/span>: {\n<\/span>            <\/span>"text"<\/span>: <\/span>"Method is too complex."\n<\/span>          },\n<\/span>          <\/span>"locations"<\/span>: [\n<\/span>            {\n<\/span>              <\/span>"physicalLocation"<\/span>: {\n<\/span>                <\/span>"artifactLocation"<\/span>: {\n<\/span>                  <\/span>"uri"<\/span>: <\/span>"src\/complex.php"<\/span>,\n<\/span>                  <\/span>"index"<\/span>: <\/span>0\n<\/span>                },\n<\/span>                <\/span>"region"<\/span>: {\n<\/span>                  <\/span>"startLine"<\/span>: <\/span>1<\/span>,\n<\/span>                  <\/span>"startColumn"<\/span>: <\/span>5\n<\/span>                }\n<\/span>              }\n<\/span>            }\n<\/span>          ],\n<\/span>          <\/span>"ruleId"<\/span>: <\/span>"no-unused-vars"<\/span>,\n<\/span>          <\/span>"ruleIndex"<\/span>: <\/span>0\n<\/span>        }\n<\/span>      ]\n<\/span>    }\n<\/span>  ]\n<\/span>}\n<\/span><\/code><\/pre>\n
I won\u2019t explain Sarif in detail in this article; the people behind it have already done an excellent job.<\/p>\n
The next step is to upload this output to Github using the github\/codeql-action\/upload-sarif<\/code>.<\/p>\n
on<\/span>:\n<\/span>  <\/span>push<\/span>:\n<\/span>    <\/span>branches<\/span>:\n<\/span>      - <\/span>"main"\n<\/span>name<\/span>: <\/span>Sarif\n<\/span>jobs<\/span>:\n<\/span>  <\/span>upload-sarif<\/span>:\n<\/span>    <\/span>runs-on<\/span>: <\/span>ubuntu-latest\n<\/span>    <\/span>steps<\/span>:\n<\/span>      - <\/span>uses<\/span>: <\/span>actions\/checkout@v4\n<\/span>      - <\/span>name<\/span>: <\/span>Install Rust toolchain\n<\/span>        <\/span>uses<\/span>: <\/span>actions-rs\/toolchain@v1.0.6 <\/span>#@v1\n<\/span>        <\/span>with<\/span>:\n<\/span>          <\/span>profile<\/span>: <\/span>minimal\n<\/span>          <\/span>toolchain<\/span>: <\/span>stable\n<\/span>          <\/span>override<\/span>: <\/span>true\n<\/span>      - <\/span>run<\/span>: <\/span>cargo run --release -- --src=. --output-format=sarif | tee results.sarif\n<\/span>      - <\/span>name<\/span>: <\/span>Upload SARIF file\n<\/span>        <\/span>uses<\/span>: <\/span>github\/codeql-action\/upload-sarif@v3\n<\/span>        <\/span>with<\/span>:\n<\/span>          <\/span>sarif_file<\/span>: <\/span>results.sarif\n<\/span><\/code><\/pre>\n
After executing this workflow, the result will be displayed in the security tab under code scanning.<\/p>\n
\"Code<\/p>\n
The rules in Phanalist also consist of detailed explanations written in Markdown, which are backed into the executable binary. This comes in very handy when scanning code. In Sarif,<\/code> you can specify a Markdown for the result found when you ran your tool.<\/p>\n
If I click and open one of the warnings, I will be greeted with a detailed explanation. Including the file and location that is causing the issue.<\/p>\n
\"Detailed<\/p>\n
\"Detailed<\/p>\n
I hope you learned something useful and can now improve your CI output.<\/p>\n"},{"title":"Why using unserialize in PHP is a bad idea","published":"2020-01-01T00:00:00+00:00","updated":"2020-01-01T00:00:00+00:00","author":{"name":"\n            \n              Unknown\n            \n          "},"link":{"@attributes":{"rel":"alternate","type":"text\/html","href":"https:\/\/denzyl.io\/blog\/why-using-unserialize-php-is-a-bad-idea\/"}},"id":"https:\/\/denzyl.io\/blog\/why-using-unserialize-php-is-a-bad-idea\/","content":"
Serializing in PHP is a way of converting a PHP object into a string. This string can be used in various ways, such as storing it in a database or passing it to another function. The PHP documentation says this is handy when passing PHP values around without losing their type and structure. But I have never had that problem before. Maybe I\u2019m not seeing it.<\/p>\n
<?php\n<\/span>$test <\/span>= <\/span>new <\/span>User<\/span>();\n<\/span>$test->name <\/span>= <\/span>"Denzyl"<\/span>;\n<\/span>echo serialize<\/span>($test);\n<\/span>\/\/\/ Output: O:4:"User":1:{s:4:"name";s:6:"Denzyl";}\n<\/span><\/code><\/pre>\n
So, let\u2019s digest the string. The o<\/code> stands for Object, and the following number is the length of the object\u2019s name. The two letters  s<\/code> stand for string and the length of the string\u2019s name.
\nWhen you need to convert the string back into PHP, call the unserialize<\/code> function and pass the string as a parameter.<\/p>\n
When serializing an object, two methods are automagically being called. __serialize()<\/code> & __sleep()<\/code>. This will allow the class author to do something before converting the object into a string.\nThat is straight to the point. But for now, let\u2019s focus on unserializing the string. This means converting the string into a real PHP object that can be later used at runtime in your PHP code.<\/p>\n
<?php\n<\/span>\n<\/span>$string <\/span>= <\/span>'O:8:"User":1:{s:4:"name";s:6:"Denzyl";}'<\/span>;\n<\/span>echo unserialize<\/span>($string)->name;\n<\/span>\/\/\/ Output: Denzyl\n<\/span><\/code><\/pre>\n
The same functionalities also apply to unserializing. But this time, the two methods are __unserialize()<\/code> and __wakeup().<\/code><\/p>\n
\ud83d\udd17<\/a>But why is it a bad idea?<\/h3>\n
Using unserialize<\/code> without knowing it can lead to remote code execution. That\u2019s why they say never to trust input.\nLet\u2019s say you are lazy and you trust a random input, and you concatenate to the serialized object so you can\nchange a value inside the object. BOOM, you can be hacked.<\/p>\n
<?php\n<\/span>$username <\/span>= <\/span>$_GET[<\/span>'username'<\/span>];\n<\/span>$serialized <\/span>= <\/span>'O:8:"User":1:{s:4:"name";s:6:"' <\/span>. <\/span>$username <\/span>. <\/span>'";}'<\/span>;\n<\/span><\/code><\/pre>\n
To understand the exploit, you can read the OWASP article<\/a>.\nIf you didn\u2019t know this before, also read the rest of the OWASP articles<\/a> about vulnerabilities<\/p>\n
I know I haven\u2019t explained how to write an exploit. I don\u2019t think I can do a better job than the articles on the internet. But now you know this, and you can do your research.<\/em><\/p>\n
\ud83d\udd17<\/a>How to prevent being exploited?<\/h3>\n
Why would you want to use this? I do not know; I haven\u2019t been programming long enough(~15 years) to have the opportunity to solve a problem using serialize\/unserialize.\nMy solution is too drastic. The simple answer is. Don\u2019t<\/strong> use it in my PHP projects.<\/p>\n
This article is part of a series of articles in my journey of writing a static analysis<\/a> tool for PHP that can scan massive projects in a couple of minutes\/seconds. And look for rules\nthat the developers want to have in their projects. At the time of writing this article, I\u2019m working on a rule to stop\npeople from using unserialize<\/code>, and it should be ready for the next release. Follow the project<\/a> so that you will get notified when\nI decided to write even more rules.<\/p>\n"},{"title":"Write your own static analyzer for PHP","published":"2020-01-01T00:00:00+00:00","updated":"2020-01-01T00:00:00+00:00","author":{"name":"\n            \n              Unknown\n            \n          "},"link":{"@attributes":{"rel":"alternate","type":"text\/html","href":"https:\/\/denzyl.io\/blog\/write-your-own-static-analyzer-for-php\/"}},"id":"https:\/\/denzyl.io\/blog\/write-your-own-static-analyzer-for-php\/","content":"
I keep reading everywhere that rust is fast, has memory safety guardrails, and is 1 of the most loved languages lately. After reading the book and dreaming about understanding the language, I decided to build a static analyzer for the language I\u2019ve been using for over a decade. I will be naming it Phanalist<\/a> and the code will also be available on\nhttps:\/\/github.com\/denzyldick\/phanalist<\/a>.<\/p>\n
To see if this idea would work, I made a list of 4 common bad practices\/mistakes I often see. As you can see in the code below, we can all agree that the class doesn\u2019t make you happy.<\/p>\n
 <?php\n<\/span>\n<\/span> <\/span>class <\/span>uTesting <\/span>extends <\/span>FakeClass\n<\/span>  {\n<\/span>    <\/span>const <\/span>I_ <\/span>= <\/span>null<\/span>;\n<\/span>    <\/span>const <\/span>hello <\/span>= <\/span>null<\/span>;\n<\/span>    $no_<\/span>= <\/span>null<\/span>, $no_modifier <\/span>= <\/span>null<\/span>;\n<\/span>\n<\/span>    <\/span>public function <\/span>__construct<\/span>($o)\n<\/span>    {\n<\/span>      $this->fake_variable <\/span>= <\/span>'hellworld'<\/span>;\n<\/span>    }\n<\/span>\n<\/span>    <\/span>function <\/span>test<\/span>($a){\n<\/span>      <\/span>return <\/span>1<\/span>;\n<\/span>    }\n<\/span>  }\n<\/span><\/code><\/pre>\n
To keep it easy, I will first find these four common mistakes that are easy to spot. This list will continue to grow in the future.<\/p>\n
I won\u2019t explain how to write an exploit for something like this. Some tools can automatically generate a payload for you, and you can call yourself a script kiddie(we all start somewhere). The one I know is PHPGGC<\/a>.<\/p>\n
In part 1<\/a>, I explained how to navigate the abstract syntax tree and how Phanalist generates one. If you missed it, I suggest you read that before reading the next part of the series.<\/p>\n
Let\u2019s use the Graph<\/code> we previously created in part 2<\/a><\/p>\n
Phanalist<\/a> needs a way to detect when we are in the function\u2019s scope with the name tooComplex().<\/code> With pattern matching, it is super easy to detect if the statement is either: if<\/code>,else<\/code>,etc..<\/code> The first statement that I want to match for is class Index{<\/code> and from there, we will continue down the tree. If you think the same way as I do you know that I will be using recursion to calculate the cyclomatic complexity. After we have matched the scope of the tooComplex()<\/code> function.<\/p>\n
In part 2<\/a> we have learned that :<\/p>\n