From 17a09fafa2b569f0ce548220fd099cdf88e3a71e Mon Sep 17 00:00:00 2001 From: kkadosh Date: Fri, 2 Mar 2018 13:31:56 +0000 Subject: Add .dump() for eval whitelist/blacklist + simulation mode for whitelist --- src/sp_config.h | 2 + src/sp_config_keywords.c | 6 +++ src/sp_disabled_functions.c | 8 +++- src/sp_execute.c | 26 ++++++++++--- src/tests/config/dump_eval_blacklist.ini | 1 + src/tests/config/dump_eval_whitelist.ini | 1 + src/tests/config/eval_whitelist_simulation.ini | 1 + src/tests/dump_eval_blacklist.phpt | 39 ++++++++++++++++++++ src/tests/dump_eval_whitelist.phpt | 51 ++++++++++++++++++++++++++ src/tests/dump_request.phpt | 3 ++ src/tests/dump_request_too_big.phpt | 10 ++--- src/tests/dump_unserialize.phpt | 9 ++--- src/tests/eval_backlist_simulation.phpt | 4 +- src/tests/eval_whitelist_simulation.phpt | 28 ++++++++++++++ 14 files changed, 171 insertions(+), 18 deletions(-) create mode 100644 src/tests/config/dump_eval_blacklist.ini create mode 100644 src/tests/config/dump_eval_whitelist.ini create mode 100644 src/tests/config/eval_whitelist_simulation.ini create mode 100644 src/tests/dump_eval_blacklist.phpt create mode 100644 src/tests/dump_eval_whitelist.phpt create mode 100644 src/tests/eval_whitelist_simulation.phpt (limited to 'src') diff --git a/src/sp_config.h b/src/sp_config.h index 0ccd11e..e537ec2 100644 --- a/src/sp_config.h +++ b/src/sp_config.h @@ -119,6 +119,8 @@ typedef struct { sp_list_node *blacklist; sp_list_node *whitelist; bool simulation; + char *dump; + char *textual_representation; } sp_config_eval; typedef struct { diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c index a04c88f..9faaafb 100644 --- a/src/sp_config_keywords.c +++ b/src/sp_config_keywords.c 
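Review bot: The new `dump` and `textual_representation` fields, like the existing `simulation`, exist only once in `sp_config_eval` although the struct carries both `blacklist` and `whitelist`, so the two rule types share one set of options. The sp_execute.c hunk now honours `eval->simulation` on the whitelist path, and `parse_eval_filter_conf` in sp_config_keywords.c stores the flag in the same place for whichever list it parses. A `.simulation()` written only on an eval_blacklist rule would therefore apparently turn whitelist violations into log-only events as well. The dump directory and the rule text handed to `sp_log_request` are shared in the same way. Either split the fields per list (for example `bool whitelist_simulation;` and `char *whitelist_dump;`) or state the coupling on the struct with a comment such as `/* simulation, dump and textual_representation apply to both lists */`; the struct definition starts above this hunk.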
@@ -153,11 +153,17 @@ int parse_global(char *line) { static int parse_eval_filter_conf(char *line, sp_list_node **list) { char *token; char *rest; + sp_config_eval *eval = SNUFFLEUPAGUS_G(config).config_eval; + sp_config_functions sp_config_funcs[] = { {parse_str, SP_TOKEN_EVAL_LIST, &rest}, {parse_empty, SP_TOKEN_SIMULATION, &(SNUFFLEUPAGUS_G(config).config_eval->simulation)}, + {parse_str, SP_TOKEN_DUMP, &(SNUFFLEUPAGUS_G(config).config_eval->dump)}, {0}}; + + eval->textual_representation = estrdup(line); + int ret = parse_keywords(sp_config_funcs, line); if (0 != ret) { return ret; diff --git a/src/sp_disabled_functions.c b/src/sp_disabled_functions.c index 4d94a97..5a39cdf 100644 --- a/src/sp_disabled_functions.c +++ b/src/sp_disabled_functions.c @@ -470,9 +470,15 @@ ZEND_FUNCTION(eval_blacklist_callback) { if (SNUFFLEUPAGUS_G(in_eval) > 0) { char* filename = get_eval_filename(zend_get_executed_filename()); const int line_number = zend_get_executed_lineno(TSRMLS_C); + if (SNUFFLEUPAGUS_G(config).config_eval->dump) { + sp_log_request( + SNUFFLEUPAGUS_G(config).config_eval->dump, + SNUFFLEUPAGUS_G(config).config_eval->textual_representation, + SP_TOKEN_EVAL_BLACKLIST); + } if (1 == SNUFFLEUPAGUS_G(config).config_eval->simulation) { sp_log_msg("eval", SP_LOG_SIMULATION, - "A call to %s was tried in eval, in %s:%d, dropping it.", + "A call to %s was tried in eval, in %s:%d, logging it.", current_function_name, filename, line_number); } else { sp_log_msg("eval", SP_LOG_DROP, diff --git a/src/sp_execute.c b/src/sp_execute.c index 5cf139a..1517134 100644 --- a/src/sp_execute.c +++ b/src/sp_execute.c @@ -51,6 +51,8 @@ static void is_builtin_matching(const char *restrict const filename, static void ZEND_HOT is_in_eval_and_whitelisted(const zend_execute_data *execute_data) { + sp_config_eval *eval = SNUFFLEUPAGUS_G(config).config_eval; + if (EXPECTED(0 == SNUFFLEUPAGUS_G(in_eval))) { return; } 
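Review bot: `eval->textual_representation = estrdup(line);` replaces whatever pointer an earlier call stored without freeing it. The `list` parameter suggests this parser runs for both eval_blacklist and eval_whitelist lines, in which case the first copy leaks and only the last rule's text reaches the dump. The copy is also not released when `parse_keywords` fails and the function returns `ret`. Releasing the old value first, `if (eval->textual_representation) { efree(eval->textual_representation); }`, and freeing on the error path would cover both cases. The table entry two lines below could use the new local, `&(eval->dump)`, instead of repeating the full macro path; the function body continues past the end of this hunk.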
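Review bot: The added `sp_log_request` call in `eval_blacklist_callback` runs on every blacklisted call made inside eval, and in simulation mode execution continues (the new test expects `After eval: 4`), so evaluated code that calls a listed function in a loop triggers one dump per iteration. Whether that is costly depends on `sp_log_request`, which is not shown here; if it writes the request to disk each time, a guard that dumps at most once per request would bound the work. The whitelist block in sp_execute.c has the same shape. A short comment above the block, `/* dump the request before logging; runs in both simulation and drop mode */`, would also make it explicit that the dump does not depend on `simulation`. The callback starts and ends outside this hunk.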
@@ -71,11 +73,25 @@ is_in_eval_and_whitelisted(const zend_execute_data *execute_data) { if (EXPECTED(NULL != current_function)) { if (UNEXPECTED(false == check_is_in_eval_whitelist(current_function))) { - sp_log_msg( - "Eval_whitelist", SP_LOG_DROP, - "The function '%s' isn't in the eval whitelist, dropping its call.", - current_function); - sp_terminate(); + if (eval->dump) { + sp_log_request( + SNUFFLEUPAGUS_G(config).config_eval->dump, + SNUFFLEUPAGUS_G(config).config_eval->textual_representation, + SP_TOKEN_EVAL_WHITELIST); + } + if (eval->simulation) { + sp_log_msg( + "Eval_whitelist", SP_LOG_SIMULATION, + "The function '%s' isn't in the eval whitelist, logging its call.", + current_function); + return; + } else { + sp_log_msg( + "Eval_whitelist", SP_LOG_DROP, + "The function '%s' isn't in the eval whitelist, dropping its call.", + current_function); + sp_terminate(); + } } } } diff --git a/src/tests/config/dump_eval_blacklist.ini b/src/tests/config/dump_eval_blacklist.ini new file mode 100644 index 0000000..503143a --- /dev/null +++ b/src/tests/config/dump_eval_blacklist.ini @@ -0,0 +1 @@ +sp.eval_blacklist.list("strlen").dump("/tmp/dump_result/").simulation(); diff --git a/src/tests/config/dump_eval_whitelist.ini b/src/tests/config/dump_eval_whitelist.ini new file mode 100644 index 0000000..2a6c909 --- /dev/null +++ b/src/tests/config/dump_eval_whitelist.ini @@ -0,0 +1 @@ +sp.eval_whitelist.list("my_fun,cos").simulation().dump("/tmp/dump_result/"); diff --git a/src/tests/config/eval_whitelist_simulation.ini b/src/tests/config/eval_whitelist_simulation.ini new file mode 100644 index 0000000..9d94db3 --- /dev/null +++ b/src/tests/config/eval_whitelist_simulation.ini @@ -0,0 +1 @@ +sp.eval_whitelist.list("my_fun,cos").simulation(); diff --git a/src/tests/dump_eval_blacklist.phpt b/src/tests/dump_eval_blacklist.phpt new file mode 100644 index 0000000..19da8cd --- /dev/null +++ b/src/tests/dump_eval_blacklist.phpt 
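Review bot: The enforcing branch of the new block, a dump followed by `sp_terminate()`, is not exercised by the configs added in this commit: dump_eval_blacklist.ini, dump_eval_whitelist.ini and eval_whitelist_simulation.ini all set `.simulation()`. A test with `.dump()` and no `.simulation()`, and one that loads an eval_blacklist and an eval_whitelist rule together, would show whether the options interfere with each other. As a style point, the block tests `eval->dump` but then passes `SNUFFLEUPAGUS_G(config).config_eval->dump` and `->textual_representation`; passing `eval->dump, eval->textual_representation` keeps the local consistent, and the `else` after `return;` can be dropped. The function starts in the previous hunk.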
@@ -0,0 +1,39 @@ +--TEST-- +Dump eval blacklist +--SKIPIF-- + +--POST-- +post_a=data_post_a&post_b=data_post_b +--GET-- +get_a=data_get_a&get_b=data_get_b +--COOKIE-- +cookie_a=data_cookie_a&cookie_b=data_cookie_b +--INI-- +sp.configuration_file={PWD}/config/dump_eval_blacklist.ini +--FILE-- + +--EXPECTF-- +Outside of eval: 14 +[snuffleupagus][0.0.0.0][eval][simulation] A call to strlen was tried in eval, in %a/dump_eval_blacklist.php:1, logging it. +After eval: 4 diff --git a/src/tests/dump_eval_whitelist.phpt b/src/tests/dump_eval_whitelist.phpt new file mode 100644 index 0000000..24ca1d1 --- /dev/null +++ b/src/tests/dump_eval_whitelist.phpt @@ -0,0 +1,51 @@ +--TEST-- +Dump eval whitelist +--SKIPIF-- + +--POST-- +post_a=data_post_a&post_b=data_post_b +--GET-- +get_a=data_get_a&get_b=data_get_b +--COOKIE-- +cookie_a=data_cookie_a&cookie_b=data_cookie_b +--INI-- +sp.configuration_file={PWD}/config/dump_eval_whitelist.ini +--FILE-- + +--EXPECTF-- +Outside of eval: my_fun: 1337 1337 1337 +After allowed eval: my_fun: 1234 +[snuffleupagus][0.0.0.0][Eval_whitelist][simulation] The function 'my_other_fun' isn't in the eval whitelist, logging its call. +After eval: my_other_fun: 1234 diff --git a/src/tests/dump_request.phpt b/src/tests/dump_request.phpt index 23cafdc..abff870 100644 --- a/src/tests/dump_request.phpt +++ b/src/tests/dump_request.phpt @@ -22,6 +22,9 @@ sp.configuration_file={PWD}/config/dump_request.ini --FILE-- --POST-- post_a=data_post_a&post_b=data_post_b&post_c=c @@ -25,6 +20,11 @@ END; sp.configuration_file={PWD}/config/dump_request.ini --FILE-- --POST-- post_a=data_post_a&post_b=data_post_b @@ -22,6 +17,10 @@ sp.configuration_file={PWD}/config/dump_unserialize.ini --FILE-- --INI-- 
@@ -13,5 +13,5 @@ echo "After eval: $a\n"; ?> --EXPECTF-- Outside of eval: 14 -[snuffleupagus][0.0.0.0][eval][simulation] A call to strlen was tried in eval, in %a/tests/eval_backlist_simulation.php:1, dropping it. +[snuffleupagus][0.0.0.0][eval][simulation] A call to strlen was tried in eval, in %a/tests/eval_backlist_simulation.php:1, logging it. After eval: 4 diff --git a/src/tests/eval_whitelist_simulation.phpt b/src/tests/eval_whitelist_simulation.phpt new file mode 100644 index 0000000..ff2f970 --- /dev/null +++ b/src/tests/eval_whitelist_simulation.phpt @@ -0,0 +1,28 @@ +--TEST-- +Eval whitelist simulation +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/eval_whitelist_simulation.ini +--FILE-- + +--EXPECTF-- +Outside of eval: my_fun: 1337 1337 1337 +After allowed eval: my_fun: 1234 +[snuffleupagus][0.0.0.0][Eval_whitelist][simulation] The function 'my_other_fun' isn't in the eval whitelist, logging its call. +After eval: my_other_fun: 1234 \ No newline at end of file -- cgit v1.3