[pitboss/grind] deferred session-0007 (20260520T233019Z-6958)

2026-06-12 19:55:14 +02:00 · 2026-05-21 01:36:46 -05:00 · 2026-05-21 01:36:46 -05:00 · bb8484bb28
commit bb8484bb28
parent 9a0529e8f8
19 changed files with 934 additions and 0 deletions
--- a/src/dynamic/framework/adapters/xxe_php.rs
+++ b/src/dynamic/framework/adapters/xxe_php.rs
@ -48,6 +48,47 @@ fn source_imports_xml(file_bytes: &[u8]) -> bool {
        .any(|n| file_bytes.windows(n.len()).any(|w| w == *n))
 }

+/// Returns `true` when the surrounding source visibly hardens the
+/// libxml-backed PHP parser against external-entity expansion.  PHP
+/// 8.0+ disables the entity loader by default, so the absence of the
+/// `LIBXML_NOENT` flag combined with `libxml_disable_entity_loader(true)`
+/// (the canonical PHP < 8.0 hardener) or the `LIBXML_NONET` flag is
+/// the canonical safe shape.
+fn parser_is_hardened(file_bytes: &[u8]) -> bool {
+    // If LIBXML_NOENT is explicitly used, the parser is *un*-hardened
+    // (the flag asks libxml to substitute entities). Treat as unsafe
+    // regardless of any other tokens.
+    let mentions_noent = file_bytes
+        .windows(b"LIBXML_NOENT".len())
+        .any(|w| w == b"LIBXML_NOENT");
+    if mentions_noent {
+        return false;
+    }
+    const HARDENING_NEEDLES: &[&[u8]] = &[
+        b"libxml_disable_entity_loader(true)",
+        b"libxml_disable_entity_loader(TRUE)",
+        b"libxml_disable_entity_loader( true",
+        b"libxml_disable_entity_loader( TRUE",
+        b"LIBXML_NONET",
+        b"LIBXML_DTDLOAD",
+    ];
+    // LIBXML_DTDLOAD on its own is neutral but commonly paired with
+    // explicit hardening; require at least one of the disable_entity
+    // / NONET tokens for a hardening verdict.
+    const STRONG: &[&[u8]] = &[
+        b"libxml_disable_entity_loader(true)",
+        b"libxml_disable_entity_loader(TRUE)",
+        b"libxml_disable_entity_loader( true",
+        b"libxml_disable_entity_loader( TRUE",
+        b"LIBXML_NONET",
+    ];
+    let has_strong = STRONG
+        .iter()
+        .any(|n| file_bytes.windows(n.len()).any(|w| w == *n));
+    let _ = HARDENING_NEEDLES; // retained for documentation of recognised tokens
+    has_strong
+}
+
 impl FrameworkAdapter for XxePhpAdapter {
    fn name(&self) -> &'static str {
        ADAPTER_NAME
@ -63,6 +104,9 @@ impl FrameworkAdapter for XxePhpAdapter {
        _ast: tree_sitter::Node<'_>,
        file_bytes: &[u8],
    ) -> Option<FrameworkBinding> {
+        if parser_is_hardened(file_bytes) {
+            return None;
+        }
        let matches_call = super::any_callee_matches(summary, callee_is_xml_parser);
        let matches_source = source_imports_xml(file_bytes);
        if matches_call || matches_source {
@ -117,4 +161,53 @@ mod tests {
            .detect(&summary, tree.root_node(), src)
            .is_none());
    }
+
+    #[test]
+    fn skips_when_disable_entity_loader_true() {
+        let src: &[u8] = b"<?php\nfunction run($body) {\n\
+            libxml_disable_entity_loader(true);\n\
+            return simplexml_load_string($body);\n}\n";
+        let tree = parse_php(src);
+        let summary = FuncSummary {
+            name: "run".into(),
+            callees: vec![crate::summary::CalleeSite::bare("simplexml_load_string")],
+            ..Default::default()
+        };
+        assert!(XxePhpAdapter
+            .detect(&summary, tree.root_node(), src)
+            .is_none());
+    }
+
+    #[test]
+    fn skips_when_libxml_nonet_used() {
+        let src: &[u8] = b"<?php\nfunction run($body) {\n\
+            return simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);\n}\n";
+        let tree = parse_php(src);
+        let summary = FuncSummary {
+            name: "run".into(),
+            callees: vec![crate::summary::CalleeSite::bare("simplexml_load_string")],
+            ..Default::default()
+        };
+        assert!(XxePhpAdapter
+            .detect(&summary, tree.root_node(), src)
+            .is_none());
+    }
+
+    #[test]
+    fn still_fires_when_libxml_noent_present() {
+        // LIBXML_NOENT explicitly enables entity substitution -- the
+        // dangerous flag overrides any other apparent hardening.
+        let src: &[u8] = b"<?php\nfunction run($body) {\n\
+            libxml_disable_entity_loader(true);\n\
+            return simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NOENT);\n}\n";
+        let tree = parse_php(src);
+        let summary = FuncSummary {
+            name: "run".into(),
+            callees: vec![crate::summary::CalleeSite::bare("simplexml_load_string")],
+            ..Default::default()
+        };
+        assert!(XxePhpAdapter
+            .detect(&summary, tree.root_node(), src)
+            .is_some());
+    }
 }