Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Merge branch 'develop' of git@github.com:Dolibarr/dolibarr.git into

Browse Source 
develop
This commit is contained in:
Laurent Destailleur
2024-03-03 19:59:34 +01:00
parent 7b897ae27d 1e00cf34d4
commit 301bec664a
8 changed files with 148 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
test/phpunit/SecurityTest.php
View File

@@ -984,7 +984,11 @@ class SecurityTest extends CommonClassTest
$langs = $this->savlangs;
$db = $this->savdb;
$result = dol_eval('1==1', 1, 0);
// Declare classes found into string to evaluate
include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
include_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php';
$result=dol_eval('1==1', 1, 0);
print "result1 = ".$result."\n";
$this->assertTrue($result);
@@ -992,11 +996,18 @@ class SecurityTest extends CommonClassTest
print "result2 = ".$result."\n";
$this->assertFalse($result);
include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
include_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php';
$s = '((($reloadedobj = new ClassThatDoesNotExists($db)) && ($reloadedobj->fetchNoCompute($objectoffield->fk_product) > 0)) ? \'1\' : \'0\')';
$result3a = dol_eval($s, 1, 1, '2');
print "result3a = ".$result3a."\n";
$this->assertEquals('Exception during evaluation: '.$s, $result3a);
$s = '((($reloadedobj = new Project($db)) && ($reloadedobj->fetchNoCompute($objectoffield->fk_product) > 0)) ? \'1\' : \'0\')';
$result3b = dol_eval($s, 1, 1, '2');
print "result3b = ".$result."\n";
$this->assertEquals('0', $result3b);
$s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : "Parent project not found"';
$result = dol_eval($s, 1, 1, '2');
$result = (string) dol_eval($s, 1, 1, '2');
print "result3 = ".$result."\n";
$this->assertEquals('Parent project not found', $result);
@@ -1005,6 +1016,17 @@ class SecurityTest extends CommonClassTest
print "result4 = ".$result."\n";
$this->assertEquals('Parent project not found', $result);
$s = 'new abc->invoke(\'whoami\')';
$result = (string) dol_eval($s, 1, 1, '2');
print "result = ".$result."\n";
$this->assertEquals('Bad string syntax to evaluate: new abc__forbiddenstring__(\'whoami\')', $result);
$s = 'new ReflectionFunction(\'abc\')';
$result = (string) dol_eval($s, 1, 1, '2');
print "result = ".$result."\n";
$this->assertEquals('Bad string syntax to evaluate: new __forbiddenstring__(\'abc\')', $result);
$result = (string) dol_eval('$a=function() { }; $a;', 1, 1, '0');
print "result5 = ".$result."\n";
$this->assertStringContainsString('Bad string syntax to evaluate', $result);