A full-scale PHP sandbox class that utilizes PHP-Parser to prevent sandboxed code from running unsafe code

Hello,

Is there anything preventing you from using the latest version of nikic/php-parser (v.4)? We have other dependencies in our projects which require the newer version (at least version 3) and we are having troubles with that.

Just started using this project and found that traits and closures were unusable.

For traits, aliases, and interfaces, I found that the name of the trait was always passed to the visitor as Node\Identifier, not string, but included both for BC. Maybe a change in PHPParser?

For closures, the $name instanceof checks in checkFunc could never be reached because of the function's type hint.

Sorry to lump them in one PR but that's how I committed it in my fork. I've added test coverage for both cases as well. Thanks!

I need to log every arguments before eval statement is executed. I know eval is a language construct, but still cant find a way to rewrite it.

The attempts gives me error message as below: eval()'d code(3) : eval()'d code on line 1

So the question is, is it possible to rewrite a keyword or could I place a filter before eval is executed.

Composer:

Deprecation warning: require.jeremeamia/FunctionParser is invalid, it should not contain uppercase characters. Please use jeremeamia/functionparser instead.

I have many customers and each one need a customizate reports. It's inviable create one code report to each one.

I think to create a report crud with a text editor box, in this box I will write the php code to run in phpSandbox (with restric environment obviosly) to agroup the mysql results (sql query would run out of sandbox and inject the result in phpSandbox) and build the report as my costumer wish.

Conclusion: I would use the phpSandbox(with restric environment) only to handle the pdf/excel generator to build the report.

Could I do that? Could have any security problem?

Code to run in sandbox:

$registers = sort($mysqlResultsInjected);

$excel = new Excel();

foreach($registers as $register) {
   $excel->row([$register->id, $register->name]);
}

$excel->output();

I plan to use this library to run user's input code in isolated environment with most functions blacklisted by default. (On some relatively safe string and array manipulation). I wonder if there is any security that I should consider? I can imagine that all the SERVER, SESSION variables should be blacklisted or overriden as well?

Hi, is it possible to Declare Global vars inside the Sandbox, and make them available only there...? I need this because i want to execute a lot of functions using same global vars => but i need to execute them in multithreading environment, so don't need them to access same var with same memory stack (same pointer), need to separate them without changing the Arhitecture and classes...

I came across this online PHP sandbox app similar to this project (closed source and not available except as an online service) http://sandbox.onlinephpfunctions.com/

I noticed it allows to run the PHP code on up to 62-63 different PHP versions!

I am curious, would it be difficult to allow a project like this to work across multiple PHP versions? I realize it would likely require the hosting server to have all the available PHP versions installed but was just curious if it might be easy to add support for this project to work across multiple versions when available?

Running this code $TwoWeeksAgo = new DateTime(date("Ymd"));

on the demno here https://code.phpsandbox.org/ results in this error message:

Sandboxed code attempted to call invalid type: DateTime

Is there a way to make this work?

I was able to get my idea working with plain eval. See the code below:

function staticEval($_code)
{
    static $_vars = [];
    extract($_vars);
    $_result = eval($_code);
    $_vars = get_defined_vars();
    unset($_vars['_vars']);
    unset($_vars['_code']);
    unset($_vars['_result']);
    return $_result;
}

staticEval('$a = "hello world!";');
staticEval('echo "$a\n";');

It says in the introduction that:

Can redefine internal PHP and other functions to make them more secure for sandbox usage.

So I have tried using defineFunc like below:

         $newSandbox=$this->sandbox->defineFunc("phpinfo", function(){
             echo "hellow phpinfo";
         });
         $newSandbox->whitelistFunc('phpinfo');
         #printHello('1\n');
         $newSandbox->execute(function(){
             phpinfo();
         });

But it seems doesn't work fine with eval statement. Furthermore, Could I have any method to inherit internal function other than totally rewrite it.

Best regrads.

https://github.com/Corveda/PHPSandbox/blob/main/src/PHPSandbox.php#L2670

If you attempt to pass a non-static method callable in, for instance: [$instance, 'methodName'] it passes the callable typehint, then gets nuked by whatever that condition block is all about, and then throws an exception about being uncallable. Why?

And attempting to pass a nested array does not pass the callable typehint. I can workaround this by passing a closure to perform the same work, but this is still an issue.

In theory this would also break static class method calls in array syntax as well, possibly leading to bizarre or even dangerous behavior if the class name is still callable or invokable.

If instance methods are unsupported or otherwise should not be used, they should be checked for properly. Please do not mangle my callable.

When a variable is passed to a function, the sandbox wraps it with a "wrap" function. If the variable is a string with a callable value like "time", the "wrap" function returns a SandboxedString object. The target function receives the SandboxedString object instead of the string. Understand that the SandboxedString object was trying to prevent unsafe code to run by a callable variable. However, it has following issues.

1. The gettype function in the target function returns "object" instead of "string". The var_dump and var_export functions are okay.
2. Strict comparison of input values in the target function fail because they are objects instead of strings.
3. I don't know if this could have any security concern because the SandboxedString passed into custom function contains a lot of information.

Following code replicates the issue. The gettype in obj_b->getValue returns "object". The strict comparison in obj_a->test returns "false" even the same strings are submitted to the function.

echo '001';
echo '<br>';

$execode = '';
$appcode = '';

$execode = 'class obj_a {' .
			'	function test($x, $y, $cusfun) {' .
			'		$a = $cusfun[\'b\']->getValue($x);' .
			'		$b = $cusfun[\'b\']->getValue($y);' .
			'		return ($a === $b);' .
			'	}' .
			'}' .
			'class obj_b {' .
			'	function getValue($x) {' .
			'		echo gettype($x) . \'<br>\';' .
			'		return $x;' .
			'	}' .
			'}' .
			'$cusfun[\'a\'] = new obj_a();' .
			'$cusfun[\'b\'] = new obj_b();';
			
$appcode = 'return $cusfun;';

echo '002';
echo '<br>';

$sandboxcusfun = new PHPSandbox\PHPSandbox;

$sandboxcusfun->setOptions(['allow_classes'=>1]);
$sandboxcusfun->defineVar('cusfun',null);

$cusfun = $sandboxcusfun->execute($execode . $appcode);

echo '003';
echo '<br>';
var_dump($cusfun);
echo '<br>';

$r = 'nothing';
if ($cusfun['a'] && method_exists($cusfun['a'], 'test')) {
	$r = $cusfun['a']->test('ob_clean','ob_clean',$cusfun);
}

echo '005';
echo '<br>';

var_dump($r);
echo '<br>';

echo '006';
echo '<br>';

For example :

$sandbox = new PHPSandbox; function test ($values) { return $values; } $sandbox->whitelistFunc(['test','dd']); $sandbox->allow_casting = true;

$result = $sandbox->execute(function(){ return test(['required','date', 'copy']); });

print_r( $result , );

Code:

function foo(int ...$a) {
	return $a;
}

$ints = [1,2];
foo(...$ints);

Result: Compile Error: Cannot use positional argument after argument unpacking

Generated code causing the error:

return foo(\PHPSandbox\wrapByRef(...$ints, \PHPSandbox\PHPSandbox::getSandbox('__PHPSandbox_ff7c8ab064063e1d4d509dfbadda498e')));

PHPSandbox throws an error if there's a check for a superglobal variable.

The code:

<?php
isset($_SERVER);
?>

The error message:

Fatal error: Cannot use isset() on the result of an expression (you can use "null !== expression" instead) in /.../vendor/corveda/php-sandbox/src/PHPSandbox.php(6885) : eval()'d code on line 8

I've extended the code to check for whitelisted types and interfaces in parameter type hints and use statements. Even though this is not strictly required for practical sandbox constraints; for my use of this library this is very helpful. I'm not sure if this breaks other use cases; if so I can add a switch.