From ad6b3e723fe26bf1a3a573aed776960916d35499 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 10 Jan 2018 14:56:33 +0100
Subject: Eval whitelist
Implement whitelist in eval
---
src/tests/config/eval_backlist.ini | 2 +-
src/tests/config/eval_backlist_list.ini | 2 +-
src/tests/config/eval_backlist_simulation.ini | 2 +-
src/tests/config/eval_whitelist.ini | 1 +
src/tests/eval_backlist_whitelist.phpt | 27 +++++++++++++++++++++++
src/tests/eval_whitelist_builtin.phpt | 19 ++++++++++++++++
src/tests/eval_whitelist_include_then_user.phpt | 29 +++++++++++++++++++++++++
src/tests/eval_whitelist_user_then_builtin.phpt | 23 ++++++++++++++++++++
8 files changed, 102 insertions(+), 3 deletions(-)
create mode 100644 src/tests/config/eval_whitelist.ini
create mode 100644 src/tests/eval_backlist_whitelist.phpt
create mode 100644 src/tests/eval_whitelist_builtin.phpt
create mode 100644 src/tests/eval_whitelist_include_then_user.phpt
create mode 100644 src/tests/eval_whitelist_user_then_builtin.phpt
(limited to 'src/tests')
diff --git a/src/tests/config/eval_backlist.ini b/src/tests/config/eval_backlist.ini
index 1e34b5b..b181598 100644
--- a/src/tests/config/eval_backlist.ini
+++ b/src/tests/config/eval_backlist.ini
@@ -1 +1 @@
-sp.eval_filter.blacklist("strlen");
+sp.eval_blacklist.list("strlen");
diff --git a/src/tests/config/eval_backlist_list.ini b/src/tests/config/eval_backlist_list.ini
index da5650d..b395d03 100644
--- a/src/tests/config/eval_backlist_list.ini
+++ b/src/tests/config/eval_backlist_list.ini
@@ -1 +1 @@
-sp.eval_filter.blacklist("strcmp,strlen");
+sp.eval_blacklist.list("strcmp,strlen");
diff --git a/src/tests/config/eval_backlist_simulation.ini b/src/tests/config/eval_backlist_simulation.ini
index fafebd5..2d8dc73 100644
--- a/src/tests/config/eval_backlist_simulation.ini
+++ b/src/tests/config/eval_backlist_simulation.ini
@@ -1 +1 @@
-sp.eval_filter.blacklist("strlen").simulation();
+sp.eval_blacklist.list("strlen").simulation();
diff --git a/src/tests/config/eval_whitelist.ini b/src/tests/config/eval_whitelist.ini
new file mode 100644
index 0000000..7a8f6ef
--- /dev/null
+++ b/src/tests/config/eval_whitelist.ini
@@ -0,0 +1 @@
+sp.eval_whitelist.list("my_fun,cos");
diff --git a/src/tests/eval_backlist_whitelist.phpt b/src/tests/eval_backlist_whitelist.phpt
new file mode 100644
index 0000000..1611288
--- /dev/null
+++ b/src/tests/eval_backlist_whitelist.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Eval whitelist
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/eval_whitelist.ini
+--FILE--
+
+--EXPECTF--
+Outside of eval: my_fun: 1337 1337 1337
+After allowed eval: my_fun: 1234
+[snuffleupagus][0.0.0.0][Eval_whitelist][drop] The function 'my_other_fun' isn't in the eval whitelist, dropping its call.
diff --git a/src/tests/eval_whitelist_builtin.phpt b/src/tests/eval_whitelist_builtin.phpt
new file mode 100644
index 0000000..bd7c2ac
--- /dev/null
+++ b/src/tests/eval_whitelist_builtin.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Eval whitelist - builtin function
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/eval_whitelist.ini
+--FILE--
+
+--EXPECTF--
+Outside of eval: 0.54030230586814
+After allowed eval: 0.28366218546323
+[snuffleupagus][0.0.0.0][Eval_whitelist][drop] The function 'sin' isn't in the eval whitelist, dropping its call.
diff --git a/src/tests/eval_whitelist_include_then_user.phpt b/src/tests/eval_whitelist_include_then_user.phpt
new file mode 100644
index 0000000..6d4e36a
--- /dev/null
+++ b/src/tests/eval_whitelist_include_then_user.phpt
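Review bot: The file name `src/tests/eval_backlist_whitelist.phpt` does not match what the test exercises: its `--INI--` loads only `config/eval_whitelist.ini` and its `--TEST--` line reads `Eval whitelist`, so nothing blacklist-related is covered, and "backlist" is a misspelling carried over from the older `eval_backlist*.ini` names. Renaming it to `src/tests/eval_whitelist.phpt` would make the test list self-describing and keep the blacklist/whitelist tests distinguishable at a glance. The PHP body of the `--FILE--` section is not visible in this rendering, so the script itself could not be reviewed here.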
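Review bot: The `--EXPECTF--` lines `Outside of eval: 0.54030230586814` and `After allowed eval: 0.28366218546323` in `eval_whitelist_builtin.phpt` depend on PHP's `precision` ini directive (14 significant digits here), which is inherited from the host php.ini rather than fixed by the test. Adding `precision=14` to the `--INI--` section pins the float formatting so the test does not fail on an interpreter configured differently. The same applies to the float expectations in `eval_whitelist_include_then_user.phpt` and `eval_whitelist_user_then_builtin.phpt` later in this commit.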
@@ -0,0 +1,29 @@
+--TEST--
+Eval whitelist - builtin function
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/eval_whitelist.ini
+--FILE--
+');
+
+$a = cos(1);
+echo "Outside of eval: $a\n";
+eval('$a = cos(5);');
+echo "After allowed eval: $a\n";
+eval("include_once('$dir' . '/test.bla');");
+echo "After eval: $b\n";
+?>
+--CLEAN--
+
+--EXPECTF--
+Outside of eval: 0.54030230586814
+After allowed eval: 0.28366218546323
+[snuffleupagus][0.0.0.0][Eval_whitelist][drop] The function 'sin' isn't in the eval whitelist, dropping its call.
diff --git a/src/tests/eval_whitelist_user_then_builtin.phpt b/src/tests/eval_whitelist_user_then_builtin.phpt
new file mode 100644
index 0000000..8db36fc
--- /dev/null
+++ b/src/tests/eval_whitelist_user_then_builtin.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Eval whitelist - builtin function
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/eval_whitelist.ini
+--FILE--
+
+--EXPECTF--
+Outside of eval: -0.54402111088937
+[snuffleupagus][0.0.0.0][Eval_whitelist][drop] The function 'sin' isn't in the eval whitelist, dropping its call.
-- cgit v1.3
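Review bot: The `--TEST--` description `Eval whitelist - builtin function` in `eval_whitelist_include_then_user.phpt` is copied verbatim from `eval_whitelist_builtin.phpt`, and `eval_whitelist_user_then_builtin.phpt` in this commit reuses it as well, so three tests report the same name in the run-tests summary and a failure cannot be told apart by name. Titles such as `Eval whitelist - include_once from eval then user function` here and `Eval whitelist - user function then builtin` in the other file would distinguish them. The script also echoes `After eval: $b` while the expected output ends with the drop line for `sin`, which is only consistent if the dropped call (presumably inside the generated `test.bla`, whose contents are not visible in this rendering) terminates the request; a one-line comment in the `--FILE--` section stating that the include target calls `sin()` and that the drop is expected to end the script would make the expectation readable without running it. The beginning of the `--FILE--` section, including where `$dir` is assigned, is not visible here.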