testable-eu / sast-testability-patterns

Testability Pattern Catalogs for SAST
https://owasp.org/www-project-testability-patterns-for-web-applications/
Apache License 2.0

PHP 76: reviewed and improved pattern #26

Closed compaluca closed 1 year ago

compaluca commented 1 year ago

Made changes to retrofit discussion in https://github.com/testable-eu/sast-tp-framework/issues/49.

Ideally the discovery rule should be: get the INIT_DYNAMIC_CALL for which the called function is not a literal. I thought we could use the argument property and write something like .whereNot(_.argument(1).isLiteral), but I am not sure if the nodes from PHP-CPG at the opcode level have arguments.

@mal-tee : what do you think?

mal-tee commented 1 year ago

Thank you!

The current solution should work; if you want to, you can use argument. But since we don't support argumentIndex, you'd have to use order, which should be equivalent here:

cpg.call("INIT_DYNAMIC_CALL").whereNot(_.argument.order(1).isLiteral).l
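A constructed PHP input illustrating what the discovery rule discussed above is meant to distinguish (added example, not code from the pattern catalog or this PR). It assumes that a call whose callee is a variable or expression is compiled to an INIT_DYNAMIC_CALL opcode, while a call with a literal function name is not; the function names and the $_GET parameter are made up for the illustration.

```php
<?php
// Constructed sample for the discovery rule in this thread (assumptions are
// marked as such; this is not code from the pattern catalog).

function sanitize_safe(string $s): string { return htmlspecialchars($s); }
function sanitize_none(string $s): string { return $s; }

// 1. Literal callee: the compiler knows the target statically.
//    Assumed NOT to produce an INIT_DYNAMIC_CALL, so the query
//    cpg.call("INIT_DYNAMIC_CALL").whereNot(_.argument.order(1).isLiteral)
//    does not need to match it.
$out1 = sanitize_safe("<b>");

// 2. Dynamic callee from a variable: the target is resolved at runtime.
//    Assumed to produce an INIT_DYNAMIC_CALL whose first operand is the
//    variable $fn (not a literal), so the query is expected to match it.
//    This is the case a SAST tool must follow to know which sanitizer,
//    if any, is actually applied before $out2 is used.
$fn = "sanitize_" . ($_GET["mode"] ?? "none");   // attacker-influenced choice
$out2 = $fn($_GET["input"]);

// 3. Dynamic callee where the name expression is a plain string literal.
//    Whether this yields an INIT_DYNAMIC_CALL with a literal operand or is
//    folded into a static call is compiler-dependent (assumption: treated as
//    static); either way the "not a literal" filter excludes it on purpose.
$out3 = ("sanitize_safe")("<i>");

echo $out1, $out2, $out3;
```

When the rule is run against a CPG built from this file, case 2 is the only one the query should return; if case 3 also appears in the result, the frontend is emitting INIT_DYNAMIC_CALL for literal callees and the isLiteral filter is doing the intended narrowing.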