Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix cast into variable into sql request.

Browse Source
This commit is contained in:
Laurent Destailleur
2021-08-23 17:41:11 +02:00
parent edb239837c
commit d4b5ee6c85
130 changed files with 396 additions and 379 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
test/phpunit/CodingPhpTest.php
View File

@@ -225,7 +225,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
// Must must not found $db->
$ok=true;
$matches=array();
// Check string get_class...
// Check string $db-> inside a class.php file (it should be $this->db-> insto such classes)
preg_match_all('/'.preg_quote('$db->', '/').'/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
$ok=false;
@@ -243,7 +243,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
// Must must not found $this->db->
$ok=true;
$matches=array();
// Check string get_class...
// Check string $this->db-> into a non class.php file (it shoud be $db-> into such classes)
preg_match_all('/'.preg_quote('$this->db->', '/').'/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
$ok=false;
@@ -286,6 +286,25 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
$ok=true;
$matches=array();
// Check sql string AND ... yyy = ".$xxx
// with xxx that is not 'thi' (for $this->db->sanitize) and 'db-' (for $db->sanitize). It means we forget a ' if string or an (int) if int when forging sql request.
preg_match_all('/AND.*([^\s][^\s][^\s])\s*=\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if ($val[1] == 'ity' && $val[2] == 'con') {
continue;
}
//if ($val[2] != 'thi' && $val[2] != 'db-') {
var_dump($matches);
$ok=false;
break;
//}
//if ($reg[0] != 'db') $ok=false;
}
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
$this->assertTrue($ok, 'Found non quoted or not casted var into sql request '.$file['relativename'].' - Bad.');
//exit;
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
@@ -299,10 +318,10 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].' - Bad.');
//exit;
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
preg_match_all('/sql.+\s*\'"\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER);
// Check string sql|set...'".$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request.
preg_match_all('/(sql|SET).+\s*\'"\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if (! in_array($val[1], array('this->db-', 'this->esc', 'db->escap', 'dbsession', 'db->idate', 'excludeGr', 'includeGr'))) {
if (! in_array($val[2], array('this->db-', 'this->esc', 'db->escap', 'dbsession', 'db->idate', 'excludeGr', 'includeGr'))) {
$ok=false;
break;
}
@@ -341,7 +360,6 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
// Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped.
$ok=true;
$matches=array();
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
preg_match_all('/(..............)\$_SERVER\[\'QUERY_STRING\'\]/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if ($val[1] != 'scape_htmltag(' && $val[1] != 'ing_nohtmltag(' && $val[1] != 'dol_escape_js(') {
@@ -355,7 +373,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
// Test that first param of print_liste_field_titre is a translation key and not the translated value
$ok=true;
$matches=array();
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
// Check string ='print_liste_field_titre\(\$langs'.
preg_match_all('/print_liste_field_titre\(\$langs/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
$ok=false;
@@ -367,8 +385,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
// Test we don't have <br />
$ok=true;
$matches=array();
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
preg_match_all('/<br \/>/', $filecontent, $matches, PREG_SET_ORDER);
preg_match_all('/<br\s+\/>/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if ($file['name'] != 'functions.lib.php') {
$ok=false;
@@ -381,7 +398,6 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
// Test we don't have name="token" value="'.$_SESSION['newtoken'], we must use name="token" value="'.newToken() instead.
$ok=true;
$matches=array();
// Check string name="token" value="'.$_SESSINON
preg_match_all('/name="token" value="\'\s*\.\s*\$_SESSION/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if ($file['name'] != 'excludefile.php') {
@@ -395,7 +411,6 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
// Test we don't have @var array(
$ok=true;
$matches=array();
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
preg_match_all('/@var\s+array\(/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
$ok=false;