Some node types are not handle, I tried to run progpilot on some projects using nullable type or group use and I have those errors:

• Unknown Stmt Node Encountered : Stmt_GroupUse
• Unknown Expr Type NullableType

If you add a file to the "exclude_files" section of a configuration file but then pass that file to be processed the file is still processed instead of being excluded.

My case: I have a VERY large project and for some reason there are a few files within the project that causes Progpilot to crash. For now I want to exclude those files to be able to still process everything else. My issue is that I am doing a diff between my current working branch to the master branch to get a list of files that have been changed, then pass those filenames to progpilot to be processed. Mind you this way saves processing time but it still takes over 30 minutes to run, as opposed to 3-4 hours (I told you it was a large project).

I'm just trying to run this with out a configuration file: php progpilot.phar someFile.php

This is the result I get: PHP Fatal error: Uncaught Error: Call to a member function get_name() on null in phar:///home/centos/progpilot/progpilot.phar/vendor/progpilot/package/src/progpilot/Inputs/MyInputs.php:310 Stack trace: #0 phar:///home/centos/progpilot/progpilot.phar/vendor/progpilot/package/src/progpilot/Analysis/SecurityAnalysis.php(93): progpilot\Inputs\MyInputs->get_sink_byname(Object(progpilot\Context), Array, Object(progpilot\Objects\MyFunction), NULL) #1 phar:///home/centos/progpilot/progpilot.phar/vendor/progpilot/package/src/progpilot/Analysis/TaintAnalysis.php(40): progpilot\Analysis\SecurityAnalysis::funccall(Array, Object(progpilot\Context), Object(progpilot\Code\MyInstruction), NULL) #2 phar:///home/centos/progpilot/progpilot.phar/vendor/progpilot/package/src/progpilot/Analysis/VisitorAnalysis.php(461): progpilot\Analysis\TaintAnalysis::funccall_specify_analysis(NULL, Array, Object(progpilot\Context), Array, NULL, Object(progpilot\Objects\MyFunction), false, Object(progpilot\Code\MyInstruction), Object(progpilot\Code\MyCode), 858) in phar:///home/centos/progpilot/progpilot.phar/vendor/progpilot/package/src/progpilot/Inputs/MyInputs.php on line 310

hi， Sir，I used the progpilot to analyze my php project ，It works well，but It seem that taint flow do not work，there is no taint trace info，only exits source and sink. Can you give me some suggestion？

I got 'Illegal offset type' error on fresh installation via composer. It is not just a notice. Class method analysis failed. nikic/php-parser v4.0.2 35b8caf75e791ba1b2d24fec1552168d72692b12 php v7.0 Solved by type casting to string

diff --git a/package/src/progpilot/Transformations/Php/Transform.php 
-        $this->context->get_functions()->add_function($myfunction->get_name(), $myfunction);
+        $this->context->get_functions()->add_function((string)$myfunction->get_name(), $myfunction);
-        $myfunction = $this->context->get_functions()->get_function($func->name, $class_name);
+        $myfunction = $this->context->get_functions()->get_function((string)$func->name, $class_name);

Hello,

Thanks for providing to us this nice security package.

I use last phar version, and set the config file like this: setFalsePositives: "./tests/php/progpilot-false-positive.json"

and the json files with reported false positive:

{
  "false_positives": [
    {
	  "vuln_id": "fcfa05bd72416786bcbf09289f64dad31d0afe89145421d42f2023f0198550ad",
	  "vuln_id": "14fad770072acbb70eebdf1aeba31c032d63c6806c2cc94de1c97266d2fea41a"
	}
  ]
}

I tryed with just one:

{
  "false_positives": [
    {
	  "vuln_id": "fcfa05bd72416786bcbf09289f64dad31d0afe89145421d42f2023f0198550ad"
	}
  ]
}

,and like this too:

{
  "false_positives": [
    {
	  "vuln_id": "fcfa05bd72416786bcbf09289f64dad31d0afe89145421d42f2023f0198550ad"
	},
    {
	  "vuln_id": "14fad770072acbb70eebdf1aeba31c032d63c6806c2cc94de1c97266d2fea41a"
	}
  ]
}

But problem are always displayed when i run the phar file : ( The json config is well parsed by progpilot because if the format is not good i got an error message, so the config and the json file is well loaded in progpilot. Is it a bug or i missed something ? Actually I cannot use it because some false positive are reported and i would like to silent them.

When several vuln_id, which is the good format from my 2 examples ?

Thanks a lot!

Hey there,

I've found the closed #10 issue that seems really close to mine, the only difference is that i'm running a Debian machine.

php's version :

$ php -v PHP 7.0.30-0+deb9u1 (cli) (built: Jun 14 2018 13:50:25) ( NTS )

What I Did

$ wget https://github.com/designsecurity/progpilot/releases/download/v0.4.0/progpilot_v0.4.0.phar $ php progpilot_v0.4.0.phar

What I Got

PHP Parse error: syntax error, unexpected '?', expecting variable (T_VARIABLE) in phar:///.../progpilot_v0.4.0.phar/vendor/symfony/console/Output/Output.php on line 40

Did I do something obviously wrong ?

• User /usr/bin/env instead of hardcoded path for bash
• Check if command is in $PATH instead of hardcoding it in the script
• Exit early if the command is not found
• Use modern $() syntax instead of backticks
• Group the cleanup commands together
• Merge the mkdir commands in one with -p flag
• Add -f to rm composer.lock command so it doesn't complain if file is not here
• Script is now passing shellcheck with no errors
• Add verbose flag to final move
• Add phar builds to .gitignore

Hello, I found a case where progpilot is failing when it encounters integers in the file. It can be replicated even with the default configuration

PHP version - 7.4.3 Progpilot version - v0.6.0 Configuration of progpilot - default File trying to analyze:

<?php


ini_set('allow_url_fopen',1);


function get_client_ip() {
    $ipaddress = '';
    if (getenv('HTTP_CLIENT_IP'))
        $ipaddress = getenv('HTTP_CLIENT_IP');
    else if(getenv('HTTP_X_FORWARDED_FOR'))
        $ipaddress = getenv('HTTP_X_FORWARDED_FOR');
    else if(getenv('HTTP_X_FORWARDED'))
        $ipaddress = getenv('HTTP_X_FORWARDED');
    else if(getenv('HTTP_FORWARDED_FOR'))
        $ipaddress = getenv('HTTP_FORWARDED_FOR');
    else if(getenv('HTTP_FORWARDED'))
        $ipaddress = getenv('HTTP_FORWARDED');
    else if(getenv('REMOTE_ADDR'))
        $ipaddress = getenv('REMOTE_ADDR');
    else
        $ipaddress = 'UNKNOWN';
    return $ipaddress;
}

$IP = get_client_ip();

$settings = include '../../../settings/settings.php';

$message = "********** [ INFORMATION ] **********\n";
$message .= "# IP ADDRESS : {$IP}\n";
$message .= "**********************************************\n";

$to = $settings['email'];
$headers = "Content-type:text/plain;charset=UTF-8\r\n";
$headers .= "From: REDACTED\r\n";
$subject = "REDACTED";
mail($to,$subject,$msg,$headers);

$data = $message;
$send = ['REDACTED'=>$data];
$website = "REDACTED";
$ch = curl_init($website . '/somePath');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, ($send));
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$result = curl_exec($ch);
curl_close($ch);

?>

Error - Multiple lines of:

PHP Notice:  Trying to access array offset on value of type int in /home/**/vendor/designsecurity/progpilot/package/src/progpilot/Transformations/Php/Expr.php on line 36

Removing lines with integers passed to functions, like the two curl_setopt lines and the ini_set line, it works fine and matches the custom rule used in default progpilot config for security misconfiguration.

I wasn't able to trace back the exact trace that calls Expr::setChars with a number passed to it, although it is possible that the $name generated using mt_rand() can also possibly cause this in general.

The documentation says:

The minimum version of PHP needed to run Progpilot is 7.0.25

However, due to the library requiring ircmaxell/php-cfg (which is requiring PHP 7.4) it's impossible to install the library with versions of PHP older than 7.4.

As I'm dealing with legacy code which for which we must provide support for older 7.* versions of PHP, I'm unable to use this library to scan for security issue.

With the new released version, I can now try this software :)

There is an issue with setcookie() because it can also take an array of options as a third parameter, and the code is only taking into account the other way to specify options.

This code:

Should not trigger this warning:

Cheers :) ~Nico

Bumps acorn from 5.7.3 to 5.7.4.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

I’m collaborating in a opensource project :

https://bitbucket.org/AliasAPI/damnp/src/master/etc/progpilot/run_progpilot.sh

And i am finding trouble configuring Progpilot in the most sensitive way possible, so it would detected every generally undesired line of code. If anyone has any tips, it would be very welcome.

Using yield from in PHP code causes an error: Unknown Expr Type Expr_YieldFrom.

PHP version: 7.4.3 progpilot version: 0.7.0 Configuration: default Code I'm trying to analyze:

function test() {
        yield from ['foo' => 123];
}

> progpilot --version
progpilot 0.7.0
> php --version
PHP 7.4.3 (cli) (built: Mar  2 2022 15:36:52) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.3, Copyright (c), by Zend Technologies
richard@richardspc ~> progpilot --version
progpilot 0.7.0
> cat test.php
<?php
function test() {
        yield from ['foo' => 123];
}
foreach (test() as $key => $value) {
        echo "$key: $value\n";
}
> php test.php
foo: 123
> progpilot test.php


Unknown Expr Type Expr_YieldFrom

Hi,

When I try to analyze some code I get Unknown type node: UnionType as a result. I can´t really figure out what this means. There must be something wrong with Main.php but can't figure out what : <?php require('../../sys/classes/Main.php');

After i try to install with composer i get error this is full error from terminal. Your requirements could not be resolved to an installable set of packages.

Problem 1 - Root composer.json requires designsecurity/progpilot ^0.8.0 -> satisfiable by designsecurity/progpilot[v0.8.0]. - designsecurity/progpilot v0.8.0 requires ircmaxell/php-cfg 1.0.x-dev -> found ircmaxell/php-cfg[v1.0.x-dev] but it does not match your minimum-stability.

Installation failed, deleting ./composer.json.

Thank you for the great work. Is there a corresponding paper on the implemented basics, i.e. analysis lattice, transfer functions, soundness, that can be cited?