Eval blacklist

Add support for eval filtering, only blacklist for now

7 files changed, 80 insertions, 0 deletions

diff --git a/src/tests/config/eval_backlist.ini b/src/tests/config/eval_backlist.ini
new file mode 100644
index 0000000..1e34b5b
--- /dev/null
+++ b/src/tests/config/eval_backlist.ini
@@ -0,0 +1 @@
+sp.eval_filter.blacklist("strlen");
diff --git a/src/tests/config/eval_backlist_list.ini b/src/tests/config/eval_backlist_list.ini
new file mode 100644
index 0000000..da5650d
--- /dev/null
+++ b/src/tests/config/eval_backlist_list.ini
@@ -0,0 +1 @@
+sp.eval_filter.blacklist("strcmp,strlen");
diff --git a/src/tests/config/eval_backlist_simulation.ini b/src/tests/config/eval_backlist_simulation.ini
new file mode 100644
index 0000000..fafebd5
--- /dev/null
+++ b/src/tests/config/eval_backlist_simulation.ini
@@ -0,0 +1 @@
+sp.eval_filter.blacklist("strlen").simulation();
diff --git a/src/tests/eval_backlist.phpt b/src/tests/eval_backlist.phpt
new file mode 100644
index 0000000..20b2c92
--- /dev/null
+++ b/src/tests/eval_backlist.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Eval blacklist
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/eval_backlist.ini
+--FILE--
+<?php 
+$a = strlen("1337 1337 1337");
+echo "Outside of eval: $a\n";
+eval('$a = strlen("1234");');
+echo "After eval: $a\n";
+?>
+--EXPECTF--
+Outside of eval: 14
+[snuffleupagus][0.0.0.0][eval][drop] A call to strlen was tried in eval, in%atests/eval_backlist.php:1, dropping it.
diff --git a/src/tests/eval_backlist_list.phpt b/src/tests/eval_backlist_list.phpt
new file mode 100644
index 0000000..b1c7bfd
--- /dev/null
+++ b/src/tests/eval_backlist_list.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Eval blacklist - with a list of functions
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/eval_backlist_list.ini
+--FILE--
+<?php 
+$a = strlen("1337 1337 1337");
+echo "Outside of eval: $a\n";
+eval('$a = strlen("1234");');
+echo "After eval: $a\n";
+?>
+--EXPECTF--
+Outside of eval: 14
+[snuffleupagus][0.0.0.0][eval][drop] A call to strlen was tried in eval, in %a/tests/eval_backlist_list.php:1, dropping it.
diff --git a/src/tests/eval_backlist_simulation.phpt b/src/tests/eval_backlist_simulation.phpt
new file mode 100644
index 0000000..ddeae60
--- /dev/null
+++ b/src/tests/eval_backlist_simulation.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Eval blacklist
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/eval_backlist_simulation.ini
+--FILE--
+<?php 
+$a = strlen("1337 1337 1337");
+echo "Outside of eval: $a\n";
+eval('$a = strlen("1234");');
+echo "After eval: $a\n";
+?>
+--EXPECTF--
+Outside of eval: 14
+[snuffleupagus][0.0.0.0][eval][simulation] A call to strlen was tried in eval, in %a/tests/eval_backlist_simulation.php:1, dropping it.
+After eval: 4
diff --git a/src/tests/nested_eval_blacklist.phpt b/src/tests/nested_eval_blacklist.phpt
new file mode 100644
index 0000000..b12bf93
--- /dev/null
+++ b/src/tests/nested_eval_blacklist.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Eval blacklist - nested eval
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/eval_backlist.ini
+--FILE--
+<?php 
+$a = strlen("1337 1337 1337");
+echo "Outside of eval: $a\n";
+eval(
+        "echo 'Inception lvl 1...\n';
+   eval(
+     'echo \"Inception lvl 2...\n\";
+      eval(
+                                 \"echo \'Inception lvl 3...\n\';
+          strlen(\'Limbo!\');
+       \");
+   ');
+");
+echo "After eval: $a\n";
+?>
+--EXPECTF--
+Outside of eval: 14
+Inception lvl 1...
+Inception lvl 2...
+Inception lvl 3...
+[snuffleupagus][0.0.0.0][eval][drop] A call to strlen was tried in eval, in %a/tests/nested_eval_blacklist.php(5) : eval()'d code(4) : eval()'d code:3, dropping it.