Merge pull request #55 from designsecurity/staticmethodsource

static methods as custom source

Author: eric-therond

package/src/progpilot/Analysis/VisitorAnalysis.php

@@ -132,6 +132,15 @@ public function funcCall(
                 $this->context->getObjects()->addMyclassToObject($idObjectTmp, $myClassStatic);
 
                 $stackClass[0][0] = $myDefStatic;
+            } else {
+                // we create a fake instance
+                $myClass = new MyClass(
+                    $myFuncCall->getLine(),
+                    $myFuncCall->getColumn(),
+                    $myFuncCall->getNameInstance()
+                );
+
+                $listMyFunc[] = [0, $myClass, null, true, null];
             }
         } else {
             $myFunc = $this->context->getFunctions()->getFunction($funcName);

package/src/progpilot/Inputs/MyInputsInternalApi.php

@@ -286,13 +286,15 @@ public function getSourceByName($myFuncOrDef, $myClass, $dimArray = null)
                 if (!$mySource->isInstance()
                     && empty($mySource->getArrayValue())
                         && !$myFuncOrDef->isType(MyFunction::TYPE_FUNC_METHOD)
-                            && !$myFuncOrDef->isType(MyDefinition::TYPE_PROPERTY)) {
+                            && !$myFuncOrDef->isType(MyFunction::TYPE_FUNC_STATIC)
+                                && !$myFuncOrDef->isType(MyDefinition::TYPE_PROPERTY)) {
                     return $mySource;
                 }
 
                 if ($mySource->isInstance()
                     && ($myFuncOrDef->isType(MyFunction::TYPE_FUNC_METHOD)
-                        || $myFuncOrDef->isType(MyDefinition::TYPE_PROPERTY))) {
+                        || $myFuncOrDef->isType(MyFunction::TYPE_FUNC_STATIC)
+                            || $myFuncOrDef->isType(MyDefinition::TYPE_PROPERTY))) {
                     if (!is_null($myClass) &&
                         ($mySource->getInstanceOfName() === $myClass->getName()
                             || $mySource->getInstanceOfName() === $myClass->getExtendsOf())) {

package/src/uptodate_data/php/dev/sources.json

@@ -5,6 +5,8 @@
         {"name": "methodc1arr", "is_function": true, "instanceof": "testc1", "return_array_index": "tainted", "language": "php", "type": "for dev purposes"},
         {"name": "func1arr", "is_function": true, "return_array_index": "tainted", "language": "php", "type": "for dev purposes"},
         {"name": "member1", "instanceof": "testc1", "language": "php", "type": "for dev purposes"},
-        {"name": "vardev", "is_array": true, "array_index": ["tainted"], "language": "php", "type": "for dev purposes"}
+        {"name": "vardev", "is_array": true, "array_index": ["tainted"], "language": "php", "type": "for dev purposes"},
+        {"name": "getValue", "is_function": true, "instanceof": "Tools", "language": "php", "type": "for dev purposes"},
+        {"name": "getValue", "is_function": true, "instanceof": "ToolsClass", "language": "php", "type": "for dev purposes"}
 		]
 }

projects/tests/datatest.php

@@ -135,6 +135,11 @@
                     "./tests/data/source21.php",
                         [["\$title", "0", "xss"]]
                 ],
+                [
+                    "./tests/data/source22.php",
+                        [["\$getValue_return", "3", "xss"],
+                        ["\$getValue_return", "7", "xss"]]
+                ],
                 [
                     "./tests/data/sanitizer1.php",
                         [["\$var7safe", "5", "xss"]]

projects/tests/tests/data/source22.php

@@ -0,0 +1,7 @@
+<?php
+
+echo Tools::getValue();
+
+$foo = new ToolsClass();
+
+echo $foo->getValue();