Implement the .line filter

Close #48
author: jvoisin 2017-10-23 22:47:46 +0200
committer: GitHub 2017-10-23 22:47:46 +0200
commit: a8ab6484c1cf08bb5669b2f46f933845cc81f077 (patch)
tree: 06bcfc62b03c2113277385073294bcb27f30d643 /src
parent: a50fe60a3d736bce1a1838d4e736f80af1ee7bbc (diff)
7 files changed, 52 insertions, 0 deletions
diff --git a/src/sp_config.h b/src/sp_config.h
index c005206..c6de8ba 100644
--- a/src/sp_config.h
+++ b/src/sp_config.h
@@ -78,6 +78,7 @@ typedef struct {
  pcre *r_param;
  sp_php_type param_type;
  int pos;
+  unsigned int line;
  char *ret;
  pcre *r_ret;
@@ -185,6 +186,7 @@ typedef struct {
 #define SP_TOKEN_VALUE ".value("
 #define SP_TOKEN_VALUE_REGEXP ".value_r("
 #define SP_TOKEN_VALUE_ARG_POS ".pos("
+#define SP_TOKEN_LINE_NUMBER ".line("
 // cookies encryption
 #define SP_TOKEN_NAME ".cookie("
diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c
index 097d08b..168ee1c 100644
--- a/src/sp_config_keywords.c
+++ b/src/sp_config_keywords.c
@@ -145,6 +145,7 @@ int parse_disabled_functions(char *line) {
  int ret = 0;
  bool enable = true, disable = false;
  char *pos = NULL;
+  char *line_number = NULL;
  sp_disabled_function *df = pecalloc(sizeof(*df), 1, 1);
  df->pos = -1;
@@ -172,6 +173,7 @@ int parse_disabled_functions(char *line) {
      {parse_php_type, SP_TOKEN_RET_TYPE, &(df->ret_type)},
      {parse_str, SP_TOKEN_LOCAL_VAR, &(df->var)},
      {parse_str, SP_TOKEN_VALUE_ARG_POS, &(pos)},
+      {parse_str, SP_TOKEN_LINE_NUMBER, &(line_number)},
      {0}};
  ret = parse_keywords(sp_config_funcs_disabled_functions, line);
@@ -252,6 +254,17 @@ int parse_disabled_functions(char *line) {
    }
  }
+  if (line_number) {
+    errno = 0;
+    char *endptr;
+    df->line = strtoul(line_number, &endptr, 10);
+    if (errno != 0 || endptr == line_number) {
+      sp_log_err("config", "Failed to parse arg '%s' of `line` on line %zu.",
+                 line_number, sp_line_no);
+      return -1;
+    }
+  }
  if (df->function) {
    df->functions_list = parse_functions_list(df->function);
  }
diff --git a/src/sp_disabled_functions.c b/src/sp_disabled_functions.c
index 54a1906..f089c25 100644
--- a/src/sp_disabled_functions.c
+++ b/src/sp_disabled_functions.c
@@ -172,6 +172,12 @@ bool should_disable(zend_execute_data* execute_data) {
      }
    }
+    if (config_node->line) {
+      if (config_node->line != zend_get_executed_lineno()) {
+        goto next;
+      }
+    }
    if (client_ip && config_node->cidr &&
        (false == cidr_match(client_ip, config_node->cidr))) {
      goto next;
diff --git a/src/tests/config/disabled_functions_broken_line.ini b/src/tests/config/disabled_functions_broken_line.ini
new file mode 100644
index 0000000..01229c5
--- /dev/null
+++ b/src/tests/config/disabled_functions_broken_line.ini
@@ -0,0 +1 @@
+sp.disable_function.function("system").line("qwe").drop();
diff --git a/src/tests/config/disabled_functions_line.ini b/src/tests/config/disabled_functions_line.ini
new file mode 100644
index 0000000..b00cab6
--- /dev/null
+++ b/src/tests/config/disabled_functions_line.ini
@@ -0,0 +1 @@
+sp.disable_function.function("system").line("3").drop();
diff --git a/src/tests/disabled_functions_param_broken_line.phpt b/src/tests/disabled_functions_param_broken_line.phpt
new file mode 100644
index 0000000..cca001f
--- /dev/null
+++ b/src/tests/disabled_functions_param_broken_line.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Disable functions - match on a specific line - broken configuration
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_broken_line.ini
+--FILE--
+<?php 
+system("echo 1337");
+system("echo 1338");
+?>
+--EXPECTF--
+[snuffleupagus][0.0.0.0][config][error] Failed to parse arg 'qwe' of `line` on line 1.
+1337
+1338
diff --git a/src/tests/disabled_functions_param_line.phpt b/src/tests/disabled_functions_param_line.phpt
new file mode 100644
index 0000000..cf7495f
--- /dev/null
+++ b/src/tests/disabled_functions_param_line.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Disable functions - match on a specific line
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_line.ini
+--FILE--
+<?php 
+system("echo 1337");
+system("id");
+?>
+--EXPECTF--
+1337
+[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'system' in %a/disabled_functions_param_line.php:3 has been disabled.
author	jvoisin	2017-10-23 22:47:46 +0200
committer	GitHub	2017-10-23 22:47:46 +0200
commit	a8ab6484c1cf08bb5669b2f46f933845cc81f077 (patch)
tree	06bcfc62b03c2113277385073294bcb27f30d643 /src
parent	a50fe60a3d736bce1a1838d4e736f80af1ee7bbc (diff)

diff --git a/src/sp_config.h b/src/sp_config.h index c005206..c6de8ba 100644 --- a/src/sp_config.h +++ b/src/sp_config.h
@@ -78,6 +78,7 @@ typedef struct {
78	pcre *r_param;	78	pcre *r_param;
79	sp_php_type param_type;	79	sp_php_type param_type;
80	int pos;	80	int pos;
		81	unsigned int line;
81		82
82	char *ret;	83	char *ret;
83	pcre *r_ret;	84	pcre *r_ret;
@@ -185,6 +186,7 @@ typedef struct {
185	#define SP_TOKEN_VALUE ".value("	186	#define SP_TOKEN_VALUE ".value("
186	#define SP_TOKEN_VALUE_REGEXP ".value_r("	187	#define SP_TOKEN_VALUE_REGEXP ".value_r("
187	#define SP_TOKEN_VALUE_ARG_POS ".pos("	188	#define SP_TOKEN_VALUE_ARG_POS ".pos("
		189	#define SP_TOKEN_LINE_NUMBER ".line("
188		190
189	// cookies encryption	191	// cookies encryption
190	#define SP_TOKEN_NAME ".cookie("	192	#define SP_TOKEN_NAME ".cookie("


diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c index 097d08b..168ee1c 100644 --- a/src/sp_config_keywords.c +++ b/src/sp_config_keywords.c
@@ -145,6 +145,7 @@ int parse_disabled_functions(char *line) {
145	int ret = 0;	145	int ret = 0;
146	bool enable = true, disable = false;	146	bool enable = true, disable = false;
147	char *pos = NULL;	147	char *pos = NULL;
		148	char *line_number = NULL;
148	sp_disabled_function df = pecalloc(sizeof(df), 1, 1);	149	sp_disabled_function df = pecalloc(sizeof(df), 1, 1);
149	df->pos = -1;	150	df->pos = -1;
150		151
@@ -172,6 +173,7 @@ int parse_disabled_functions(char *line) {
172	{parse_php_type, SP_TOKEN_RET_TYPE, &(df->ret_type)},	173	{parse_php_type, SP_TOKEN_RET_TYPE, &(df->ret_type)},
173	{parse_str, SP_TOKEN_LOCAL_VAR, &(df->var)},	174	{parse_str, SP_TOKEN_LOCAL_VAR, &(df->var)},
174	{parse_str, SP_TOKEN_VALUE_ARG_POS, &(pos)},	175	{parse_str, SP_TOKEN_VALUE_ARG_POS, &(pos)},
		176	{parse_str, SP_TOKEN_LINE_NUMBER, &(line_number)},
175	{0}};	177	{0}};
176		178
177	ret = parse_keywords(sp_config_funcs_disabled_functions, line);	179	ret = parse_keywords(sp_config_funcs_disabled_functions, line);
@@ -252,6 +254,17 @@ int parse_disabled_functions(char *line) {
252	}	254	}
253	}	255	}
254		256
		257	if (line_number) {
		258	errno = 0;
		259	char *endptr;
		260	df->line = strtoul(line_number, &endptr, 10);
		261	if (errno != 0 \|\| endptr == line_number) {
		262	sp_log_err("config", "Failed to parse arg '%s' of `line` on line %zu.",
		263	line_number, sp_line_no);
		264	return -1;
		265	}
		266	}
		267
255	if (df->function) {	268	if (df->function) {
256	df->functions_list = parse_functions_list(df->function);	269	df->functions_list = parse_functions_list(df->function);
257	}	270	}


diff --git a/src/sp_disabled_functions.c b/src/sp_disabled_functions.c index 54a1906..f089c25 100644 --- a/src/sp_disabled_functions.c +++ b/src/sp_disabled_functions.c
@@ -172,6 +172,12 @@ bool should_disable(zend_execute_data* execute_data) {
172	}	172	}
173	}	173	}
174		174
		175	if (config_node->line) {
		176	if (config_node->line != zend_get_executed_lineno()) {
		177	goto next;
		178	}
		179	}
		180
175	if (client_ip && config_node->cidr &&	181	if (client_ip && config_node->cidr &&
176	(false == cidr_match(client_ip, config_node->cidr))) {	182	(false == cidr_match(client_ip, config_node->cidr))) {
177	goto next;	183	goto next;


diff --git a/src/tests/config/disabled_functions_broken_line.ini b/src/tests/config/disabled_functions_broken_line.ini new file mode 100644 index 0000000..01229c5 --- /dev/null +++ b/src/tests/config/disabled_functions_broken_line.ini
@@ -0,0 +1 @@
			sp.disable_function.function("system").line("qwe").drop();


diff --git a/src/tests/config/disabled_functions_line.ini b/src/tests/config/disabled_functions_line.ini new file mode 100644 index 0000000..b00cab6 --- /dev/null +++ b/src/tests/config/disabled_functions_line.ini
@@ -0,0 +1 @@
			sp.disable_function.function("system").line("3").drop();


diff --git a/src/tests/disabled_functions_param_broken_line.phpt b/src/tests/disabled_functions_param_broken_line.phpt new file mode 100644 index 0000000..cca001f --- /dev/null +++ b/src/tests/disabled_functions_param_broken_line.phpt
@@ -0,0 +1,15 @@
		1	--TEST--
		2	Disable functions - match on a specific line - broken configuration
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/disabled_functions_broken_line.ini
		7	--FILE--
		8	<?php
		9	system("echo 1337");
		10	system("echo 1338");
		11	?>
		12	--EXPECTF--
		13	[snuffleupagus][0.0.0.0][config][error] Failed to parse arg 'qwe' of `line` on line 1.
		14	1337
		15	1338


diff --git a/src/tests/disabled_functions_param_line.phpt b/src/tests/disabled_functions_param_line.phpt new file mode 100644 index 0000000..cf7495f --- /dev/null +++ b/src/tests/disabled_functions_param_line.phpt
@@ -0,0 +1,14 @@
		1	--TEST--
		2	Disable functions - match on a specific line
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/disabled_functions_line.ini
		7	--FILE--
		8	<?php
		9	system("echo 1337");
		10	system("id");
		11	?>
		12	--EXPECTF--
		13	1337
		14	[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'system' in %a/disabled_functions_param_line.php:3 has been disabled.