fix #64 globals variable state

eric-therond · eric-therond · commit 55cfc6bf2a21 · 2025-06-06T14:32:42.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -12,3 +12,4 @@ projects/phar/composer.lock
 vendor/
 composer.lock
 indent.sh
+.DS_Store
diff --git a/package/src/progpilot/Analysis/VisitorAnalysis.php b/package/src/progpilot/Analysis/VisitorAnalysis.php
diff --git a/package/src/progpilot/Helpers/State.php b/package/src/progpilot/Helpers/State.php
@@ -154,8 +154,12 @@ public static function mergeDefsBlockIdStates($defs, $concatValues, $block)
 
         foreach ($defs as $def) {
             if ($def->isType(MyDefinition::TYPE_ARRAY_ELEMENT)
-                || $def->isType(MyDefinition::TYPE_PROPERTY)) {
+                || $def->isType(MyDefinition::TYPE_PROPERTY)
+                || $def->isType(MyDefinition::TYPE_REFERENCE)) {
                 $state = $def->getState($blockId);
+                if (is_null($state)) { 
+                    $state = $def->getCurrentState();
+                }
             } else {
                 $state = $def->getCurrentState();
             }
diff --git a/projects/tests/foldertest.php b/projects/tests/foldertest.php
@@ -43,6 +43,7 @@
                 ],
                 [
                     "./tests/real/incallstack/",
-                        [["\$rtrim_return", "77", "xss"]]
+                        [["\$rtrim_return", "77", "xss"],
+                        ["\$localfile", "610", "path_traversal"]]
                 ]
             ];
diff --git a/projects/tests/generictest.php b/projects/tests/generictest.php
@@ -334,6 +334,12 @@
                         [["\$_POST[\"form_id\"]", "6", "sql_injection"]]
                 ],
 
+                [
+                    "./tests/generic/global5.php",
+                        [["\$query", "8", "sql_injection"],
+                        ["\$row[1]", "17", "xss"]]
+                ],
+
                 [
                     "./tests/generic/namespace1.php",
                         [["\$_GET[\"p\"]", "9", "xss"]]
diff --git a/projects/tests/phpwandertest.php b/projects/tests/phpwandertest.php
@@ -68,7 +68,7 @@
                 ],// a corriger
                 [
                     "./tests/phpwander/test13.php",
-                        []
+                        [["\$value", "11", "xss"]]
                 ],
                 [
                     "./tests/phpwander/test14.php",
diff --git a/projects/tests/tests/generic/global5.php b/projects/tests/tests/generic/global5.php
@@ -0,0 +1,20 @@
+<?php
+$tainted = 'Constant';
+
+function test() {
+    $GLOBALS['tainted'] = $_POST["tainted"];
+    $db = mysqli_connect("127.0.0.1", "root", "123456");
+    mysqli_select_db($db, "testcasesqli");
+    $query = "select * from users where id=".$GLOBALS["tainted"];
+    $result = mysqli_query($db, $query);
+    if ($result == false) {
+        exit("Database error !<br />");
+    }
+    $row = mysqli_fetch_array($result);
+    if ($row == null) {
+        exit("Error ID or password.<br />");
+    }
+    print("Login successfully!<br />welcome,".$row[1]."<br />");
+}
+
+test();

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,7 @@`
`43`	`43`	`],`
`44`	`44`	`[`
`45`	`45`	`"./tests/real/incallstack/",`
`46`		`- [["\$rtrim_return", "77", "xss"]]`
	`46`	`+ [["\$rtrim_return", "77", "xss"],`
	`47`	`+ ["\$localfile", "610", "path_traversal"]]`
`47`	`48`	`]`
`48`	`49`	`];`
Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@`
`68`	`68`	`],// a corriger`
`69`	`69`	`[`
`70`	`70`	`"./tests/phpwander/test13.php",`
`71`		`- []`
	`71`	`+ [["\$value", "11", "xss"]]`
`72`	`72`	`],`
`73`	`73`	`[`
`74`	`74`	`"./tests/phpwander/test14.php",`