| -rw-r--r-- | scripts/generate_rules.php | 31 |
1 files changed, 21 insertions, 10 deletions
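diff --git a/scripts/generate_rules.php b/scripts/generate_rules.php
index 1fa40d1..68936ad 100644
--- a/scripts/generate_rules.php
+++ b/scripts/generate_rules.php
@@ -1,19 +1,29 @@
 <?php
 
-if ($argc != 2) {
-echo 'Please provide a folder as argument.';
-die();
+function help($name) {
+die("Usage: $name [-h|--help] [--without-hash] folder\n");
+}
+
+if ($argc < 2) {
+help($argv[0]);
 }
 
 $functions_blacklist = ['shell_exec', 'exec', 'passthru', 'php_uname', 'popen',
 'posix_kill', 'posix_mkfifo', 'posix_setpgid', 'posix_setsid', 'posix_setuid',
 'posix_setgid', 'posix_uname', 'proc_close', 'proc_nice', 'proc_open',
 'proc_terminate', 'proc_open', 'proc_get_status', 'dl', 'pnctl_exec',
-'pnctl_fork', 'assert', 'system', 'curl_exec', 'curl_multi_exec'];
+'pnctl_fork', 'assert', 'system', 'curl_exec', 'curl_multi_exec', 'function_exists'];
 
 $extensions = ['php', 'php7', 'php5', 'inc'];
 
-$path = realpath($argv[1]);
+$path = realpath($argv[count($argv) - 1]);
+$parsedArgs = getopt('h', ['without-hash', 'help']);
+
+if (isset($parsedArgs['h']) || isset($parsedArgs['help'])) {
+help($argv[0]);
+}
+
+$useHash = !isset($parsedArgs['without-hash']);
 
 $output = Array();
 
@@ -26,16 +36,17 @@ foreach($objects as $name => $object){
 $hash = '';
 $file_content = file_get_contents($name);
 
+if ($useHash) {
+$hash = '.hash("' . hash('sha256', $file_content) . '")';
+}
+
 foreach(token_get_all($file_content) as $token) {
 if ($token[0] != 319) {
 continue;
 }
 
 if (in_array($token[1], $functions_blacklist, true)) {
-if ('' === $hash) {
-$hash = hash('sha256', $file_content);
-}
-$output[] = 'sp.disable_function.function("' . $token[1] . '").filename("' . $name . '").hash("' . $hash . '").allow();' . "\n";
+$output[] = 'sp.disable_function.function("' . $token[1] . '").filename("' . $name . '")' . $hash . '.allow();' . "\n";
 }
 }
 }
@@ -45,4 +56,4 @@ foreach($functions_blacklist as $fun) {
 
 foreach (array_unique($output) as $line) {
 echo $line;
-}
+}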
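Review bot: The folder is taken from the last argv slot (`$path = realpath($argv[count($argv) - 1]);`) while getopt() only parses options that precede the first non-option argument, so `generate_rules.php dir --without-hash` both ignores the flag and sets `$path` to `realpath('--without-hash')`, which is `false`; nothing checks that return before `$path` is used further down, outside the hunk. Because help() exits through `die(string)`, the `$argc < 2` error path also terminates with status 0, so a caller cannot tell a usage error from a successful run. The rewrite below reads the folder from getopt's `$rest_index` position, validates it with `is_dir()`, and has help() write to STDERR and exit non-zero on error. Separately, in the second hunk `$hash` now holds a rule fragment rather than a digest, so a name such as `$hashClause` would read more honestly.
```php
function help($name, $status = 0) {
    fwrite($status === 0 ? STDOUT : STDERR, "Usage: $name [-h|--help] [--without-hash] folder\n");
    exit($status);
}

$parsedArgs = getopt('h', ['without-hash', 'help'], $restIndex);

if (isset($parsedArgs['h']) || isset($parsedArgs['help'])) {
    help($argv[0]);
}

// … unchanged: $functions_blacklist and $extensions …

$path = isset($argv[$restIndex]) ? realpath($argv[$restIndex]) : false;
if ($path === false || !is_dir($path)) {
    help($argv[0], 1);
}

$useHash = !isset($parsedArgs['without-hash']);
```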
