Eval whitelist

Implement whitelist in eval
author: jvoisin 2018-01-10 14:56:33 +0100
committer: GitHub 2018-01-10 14:56:33 +0100
commit: ad6b3e723fe26bf1a3a573aed776960916d35499 (patch)
tree: eec9e15028f4529d776489d273bf9699333aa987 /src/tests
parent: b6e5bc4557cca3abbcfd179e7143ea54b9844e49 (diff)
8 files changed, 102 insertions, 3 deletions
diff --git a/src/tests/config/eval_backlist.ini b/src/tests/config/eval_backlist.ini
index 1e34b5b..b181598 100644
--- a/src/tests/config/eval_backlist.ini
+++ b/src/tests/config/eval_backlist.ini
@@ -1 +1 @@
-sp.eval_filter.blacklist("strlen");
+sp.eval_blacklist.list("strlen");
diff --git a/src/tests/config/eval_backlist_list.ini b/src/tests/config/eval_backlist_list.ini
index da5650d..b395d03 100644
--- a/src/tests/config/eval_backlist_list.ini
+++ b/src/tests/config/eval_backlist_list.ini
@@ -1 +1 @@
-sp.eval_filter.blacklist("strcmp,strlen");
+sp.eval_blacklist.list("strcmp,strlen");
diff --git a/src/tests/config/eval_backlist_simulation.ini b/src/tests/config/eval_backlist_simulation.ini
index fafebd5..2d8dc73 100644
--- a/src/tests/config/eval_backlist_simulation.ini
+++ b/src/tests/config/eval_backlist_simulation.ini
@@ -1 +1 @@
-sp.eval_filter.blacklist("strlen").simulation();
+sp.eval_blacklist.list("strlen").simulation();
diff --git a/src/tests/config/eval_whitelist.ini b/src/tests/config/eval_whitelist.ini
new file mode 100644
index 0000000..7a8f6ef
--- /dev/null
+++ b/src/tests/config/eval_whitelist.ini
@@ -0,0 +1 @@
+sp.eval_whitelist.list("my_fun,cos");
diff --git a/src/tests/eval_backlist_whitelist.phpt b/src/tests/eval_backlist_whitelist.phpt
new file mode 100644
index 0000000..1611288
--- /dev/null
+++ b/src/tests/eval_backlist_whitelist.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Eval whitelist
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/eval_whitelist.ini
+--FILE--
+<?php 
+function my_fun($p) {
+        return "my_fun: $p";
+}
+function my_other_fun($p) {
+        return "my_other_fun: $p";
+}
+$a = my_fun("1337 1337 1337");
+echo "Outside of eval: $a\n";
+eval('$a = my_fun("1234");');
+echo "After allowed eval: $a\n";
+eval('$a = my_other_fun("1234");');
+echo "After eval: $a\n";
+?>
+--EXPECTF--
+Outside of eval: my_fun: 1337 1337 1337
+After allowed eval: my_fun: 1234
+[snuffleupagus][0.0.0.0][Eval_whitelist][drop] The function 'my_other_fun' isn't in the eval whitelist, dropping its call.
diff --git a/src/tests/eval_whitelist_builtin.phpt b/src/tests/eval_whitelist_builtin.phpt
new file mode 100644
index 0000000..bd7c2ac
--- /dev/null
+++ b/src/tests/eval_whitelist_builtin.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Eval whitelist - builtin function
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/eval_whitelist.ini
+--FILE--
+<?php 
+$a = cos(1);
+echo "Outside of eval: $a\n";
+eval('$a = cos(5);');
+echo "After allowed eval: $a\n";
+eval('$a = sin(4);');
+echo "After eval: $a\n";
+?>
+--EXPECTF--
+Outside of eval: 0.54030230586814
+After allowed eval: 0.28366218546323
+[snuffleupagus][0.0.0.0][Eval_whitelist][drop] The function 'sin' isn't in the eval whitelist, dropping its call.
diff --git a/src/tests/eval_whitelist_include_then_user.phpt b/src/tests/eval_whitelist_include_then_user.phpt
new file mode 100644
index 0000000..6d4e36a
--- /dev/null
+++ b/src/tests/eval_whitelist_include_then_user.phpt
@@ -0,0 +1,29 @@
+--TEST--
+Eval whitelist - builtin function
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/eval_whitelist.ini
+--FILE--
+<?php 
+$b = 1337;
+$dir = __DIR__;
+file_put_contents($dir . '/test.bla', '<?php $b = sin(1) ?>');
+$a = cos(1);
+echo "Outside of eval: $a\n";
+eval('$a = cos(5);');
+echo "After allowed eval: $a\n";
+eval("include_once('$dir' . '/test.bla');");
+echo "After eval: $b\n";
+?>
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . '/test.bla');
+?>
+--EXPECTF--
+Outside of eval: 0.54030230586814
+After allowed eval: 0.28366218546323
+[snuffleupagus][0.0.0.0][Eval_whitelist][drop] The function 'sin' isn't in the eval whitelist, dropping its call.
diff --git a/src/tests/eval_whitelist_user_then_builtin.phpt b/src/tests/eval_whitelist_user_then_builtin.phpt
new file mode 100644
index 0000000..8db36fc
--- /dev/null
+++ b/src/tests/eval_whitelist_user_then_builtin.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Eval whitelist - builtin function
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/eval_whitelist.ini
+--FILE--
+<?php 
+function my_fun() {
+        return sin(10);
+}
+$a = my_fun(1);
+echo "Outside of eval: $a\n";
+eval('$a = my_fun(5);');
+echo "After allowed eval: $a\n";
+eval('$a = my_fun(4);');
+echo "After eval: $a\n";
+?>
+--EXPECTF--
+Outside of eval: -0.54402111088937
+[snuffleupagus][0.0.0.0][Eval_whitelist][drop] The function 'sin' isn't in the eval whitelist, dropping its call.
author	jvoisin	2018-01-10 14:56:33 +0100
committer	GitHub	2018-01-10 14:56:33 +0100
commit	ad6b3e723fe26bf1a3a573aed776960916d35499 (patch)
tree	eec9e15028f4529d776489d273bf9699333aa987 /src/tests
parent	b6e5bc4557cca3abbcfd179e7143ea54b9844e49 (diff)

diff --git a/src/tests/config/eval_backlist.ini b/src/tests/config/eval_backlist.ini index 1e34b5b..b181598 100644 --- a/src/tests/config/eval_backlist.ini +++ b/src/tests/config/eval_backlist.ini
@@ -1 +1 @@
	sp.eval_filter.blacklist("strlen");		sp.eval_blacklist.list("strlen");


diff --git a/src/tests/config/eval_backlist_list.ini b/src/tests/config/eval_backlist_list.ini index da5650d..b395d03 100644 --- a/src/tests/config/eval_backlist_list.ini +++ b/src/tests/config/eval_backlist_list.ini
@@ -1 +1 @@
	sp.eval_filter.blacklist("strcmp,strlen");		sp.eval_blacklist.list("strcmp,strlen");


diff --git a/src/tests/config/eval_backlist_simulation.ini b/src/tests/config/eval_backlist_simulation.ini index fafebd5..2d8dc73 100644 --- a/src/tests/config/eval_backlist_simulation.ini +++ b/src/tests/config/eval_backlist_simulation.ini
@@ -1 +1 @@
	sp.eval_filter.blacklist("strlen").simulation();		sp.eval_blacklist.list("strlen").simulation();


diff --git a/src/tests/config/eval_whitelist.ini b/src/tests/config/eval_whitelist.ini new file mode 100644 index 0000000..7a8f6ef --- /dev/null +++ b/src/tests/config/eval_whitelist.ini
@@ -0,0 +1 @@
			sp.eval_whitelist.list("my_fun,cos");


diff --git a/src/tests/eval_backlist_whitelist.phpt b/src/tests/eval_backlist_whitelist.phpt new file mode 100644 index 0000000..1611288 --- /dev/null +++ b/src/tests/eval_backlist_whitelist.phpt
@@ -0,0 +1,27 @@
		1	--TEST--
		2	Eval whitelist
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/eval_whitelist.ini
		7	--FILE--
		8	<?php
		9	function my_fun($p) {
		10	return "my_fun: $p";
		11	}
		12
		13	function my_other_fun($p) {
		14	return "my_other_fun: $p";
		15	}
		16
		17	$a = my_fun("1337 1337 1337");
		18	echo "Outside of eval: $a\n";
		19	eval('$a = my_fun("1234");');
		20	echo "After allowed eval: $a\n";
		21	eval('$a = my_other_fun("1234");');
		22	echo "After eval: $a\n";
		23	?>
		24	--EXPECTF--
		25	Outside of eval: my_fun: 1337 1337 1337
		26	After allowed eval: my_fun: 1234
		27	[snuffleupagus][0.0.0.0][Eval_whitelist][drop] The function 'my_other_fun' isn't in the eval whitelist, dropping its call.


diff --git a/src/tests/eval_whitelist_builtin.phpt b/src/tests/eval_whitelist_builtin.phpt new file mode 100644 index 0000000..bd7c2ac --- /dev/null +++ b/src/tests/eval_whitelist_builtin.phpt
@@ -0,0 +1,19 @@
		1	--TEST--
		2	Eval whitelist - builtin function
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/eval_whitelist.ini
		7	--FILE--
		8	<?php
		9	$a = cos(1);
		10	echo "Outside of eval: $a\n";
		11	eval('$a = cos(5);');
		12	echo "After allowed eval: $a\n";
		13	eval('$a = sin(4);');
		14	echo "After eval: $a\n";
		15	?>
		16	--EXPECTF--
		17	Outside of eval: 0.54030230586814
		18	After allowed eval: 0.28366218546323
		19	[snuffleupagus][0.0.0.0][Eval_whitelist][drop] The function 'sin' isn't in the eval whitelist, dropping its call.


diff --git a/src/tests/eval_whitelist_include_then_user.phpt b/src/tests/eval_whitelist_include_then_user.phpt new file mode 100644 index 0000000..6d4e36a --- /dev/null +++ b/src/tests/eval_whitelist_include_then_user.phpt
@@ -0,0 +1,29 @@
		1	--TEST--
		2	Eval whitelist - builtin function
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/eval_whitelist.ini
		7	--FILE--
		8	<?php
		9	$b = 1337;
		10	$dir = __DIR__;
		11
		12	file_put_contents($dir . '/test.bla', '<?php $b = sin(1) ?>');
		13
		14	$a = cos(1);
		15	echo "Outside of eval: $a\n";
		16	eval('$a = cos(5);');
		17	echo "After allowed eval: $a\n";
		18	eval("include_once('$dir' . '/test.bla');");
		19	echo "After eval: $b\n";
		20	?>
		21	--CLEAN--
		22	<?php
		23	$dir = __DIR__;
		24	unlink($dir . '/test.bla');
		25	?>
		26	--EXPECTF--
		27	Outside of eval: 0.54030230586814
		28	After allowed eval: 0.28366218546323
		29	[snuffleupagus][0.0.0.0][Eval_whitelist][drop] The function 'sin' isn't in the eval whitelist, dropping its call.


diff --git a/src/tests/eval_whitelist_user_then_builtin.phpt b/src/tests/eval_whitelist_user_then_builtin.phpt new file mode 100644 index 0000000..8db36fc --- /dev/null +++ b/src/tests/eval_whitelist_user_then_builtin.phpt
@@ -0,0 +1,23 @@
		1	--TEST--
		2	Eval whitelist - builtin function
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/eval_whitelist.ini
		7	--FILE--
		8	<?php
		9
		10	function my_fun() {
		11	return sin(10);
		12	}
		13
		14	$a = my_fun(1);
		15	echo "Outside of eval: $a\n";
		16	eval('$a = my_fun(5);');
		17	echo "After allowed eval: $a\n";
		18	eval('$a = my_fun(4);');
		19	echo "After eval: $a\n";
		20	?>
		21	--EXPECTF--
		22	Outside of eval: -0.54402111088937
		23	[snuffleupagus][0.0.0.0][Eval_whitelist][drop] The function 'sin' isn't in the eval whitelist, dropping its call.