johnsaigle / scary-strings

Collection of wordlists containing dangerous function calls in many languages
GNU General Public License v3.0
22 stars 4 forks

Use ASTs to represent scanned code instead of going line-by-line #13

Closed johnsaigle closed 2 years ago

johnsaigle commented 4 years ago

Currently the project scans each file into memory and examines every single line using a regex. This is fine for now but probably not very efficient and is error-prone.

It would be interesting to try to use something like PHP-AST to parse the code in an intelligent way and scan only the function names (or alternatively just the comments along with #11). It might be more efficient and would make this tool much more robust.
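The trade-off described in the comment above, shown in Python as an added example (this is not the project's code, and it uses Python's `ast` module rather than PHP-AST): a line-by-line regex scan flags every line where a wordlist entry appears, including comments, string literals and unrelated identifiers, while an AST scan reports only actual call nodes whose callee matches the wordlist. The `DANGEROUS` wordlist and the `SAMPLE` source are constructed for this example.

```python
import ast
import re

# Constructed wordlist of dangerous Python calls for this example; the real
# scary-strings wordlists are per-language text files.
DANGEROUS = {"eval", "exec", "os.system", "subprocess.call", "pickle.loads"}

# Constructed sample input, not taken from the project.
SAMPLE = '''\
import os, pickle

# TODO: stop using eval here
def evaluate(expr):
    return eval(expr)

def load(blob):
    msg = "os.system is banned"
    return pickle.loads(blob)

def run(cmd):
    my_exec(cmd)
'''


def regex_scan(source, wordlist=DANGEROUS):
    """Line-by-line scan: report every (line, word) where a wordlist entry occurs.

    This is the naive approach: it cannot tell a call apart from a comment,
    a string literal, or a longer identifier that happens to contain the word.
    """
    # Longest entries first so 'pickle.loads' wins over a shorter overlap.
    pattern = re.compile(
        "|".join(re.escape(w) for w in sorted(wordlist, key=len, reverse=True))
    )
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in pattern.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def _callee_name(node):
    """Return a dotted name for a call target ('eval', 'os.system'), or None.

    Only plain names and attribute chains are resolved; a callee built
    dynamically (e.g. getattr(os, "system")) yields None and is not matched.
    """
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _callee_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def ast_scan(source, wordlist=DANGEROUS):
    """AST scan: report only ast.Call nodes whose callee is in the wordlist.

    Comments and string literals are never Call nodes, and 'my_exec' is a
    different identifier from 'exec', so none of those produce hits.
    """
    tree = ast.parse(source)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _callee_name(node.func)
            if name in wordlist:
                hits.append((node.lineno, name))
    return sorted(hits)


if __name__ == "__main__":
    print("regex:", regex_scan(SAMPLE))
    print("ast:  ", ast_scan(SAMPLE))
```

On the sample, the regex scan reports six hits (the comment on line 3, the `evaluate` identifier on line 4, the string literal on line 8 and `my_exec` on line 12 are all false positives), whereas the AST scan reports only the two genuine calls, `eval` on line 5 and `pickle.loads` on line 9. The AST approach has its own blind spots: an aliased import (`from os import system as s`) or a dynamically resolved callee is not matched by this simple name comparison, so a real implementation would need to track import aliases as well.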

johnsaigle commented 3 years ago

This is perhaps exactly what I need: https://github.com/ajinabraham/libsast