Fix bypassing function and class restrictions

[antman3351]

Hey, The sandbox can be bypassed to call any function/class like this:

Function / Class bypass by aliasing

<?php

use function \exec as intval;

intval( 'ls -l' );

Function bypass by declaring a function with the same name

<?php

namespace foobar;

function exec() {
    return 1;
}

return \exec( 'ls' );

[antman3351]

I probably should of created a new branch... because in the mean time I've added the option to restrict creating functions and constants in the global namespace and also restrict the namespace ( if used ). I also added some more unsafe tests to prevent future regressions

[antman3351]

Found another way to bypass function restrictions 😅

<?php

$a = [ 1 ];
// Change argument order
return array_walk( /*array*/ array: $a, /*callback*/ arg: 'intval', /*arg*/ callback: 'var_dump' );

I've added a check for the arguments name in SecurityManager->getArgumentAt()

[chriskapp]

@antman3351 thanks for this great PR 🚀

[antman3351]

Hi, let me know if there's any other changes that need doing 😎

Thanks, Antonio

[chriskapp]

Hi @antman3351 could you fix the last Psalm issue, then I can merge the PR, I can then also tag a new 0.4 version

[antman3351]

Not sure if github notifies when I make a new commit. I fixed the Psalm error ( I think 😅 )

[chriskapp]

@antman3351 thanks, I have just merged the PR

[antman3351]

Hi, can you add a new tag so composer can see the version

Thanks! Antonio

[chriskapp]

Yes, I have just released https://github.com/apioo/psx-sandbox/releases/tag/v0.4.0

[antman3351]

Hi, I think something went wrong, the release doesn't contain the merged code

[chriskapp]

@antman3351 ok, sorry indeed my bad, just tagged a new version which should contain all changes