mirror of
https://github.com/elicpeter/nyx.git
synced 2026-07-15 21:11:02 +02:00
Performance and precision pass (#64)
This commit is contained in:
parent
c7c5e0f3a1
commit
fb698d2c27
97 changed files with 9932 additions and 517 deletions
|
|
@ -0,0 +1,30 @@
|
|||
<?php
|
||||
// Regression for the PHP `if (!validator($x))` early-return narrowing fix
|
||||
// (src/cfg/mod.rs detect_negation now recognises tree-sitter-php's
|
||||
// `unary_op_expression` for `!`) PLUS the camelCase normalisation in
|
||||
// classify_condition (src/taint/path_state.rs to_snake_lower). Before
|
||||
// either fix, the camelCase validator name didn't classify as
|
||||
// ValidationCall, and even if it did, the `!`-prefix wasn't seen as
|
||||
// negation so the True branch (which is the rejection arm) was treated
|
||||
// as the validated path, leaving `$url` un-validated past the
|
||||
// early-return. Pairs with CVE-2026-33486 patched fixture.
|
||||
|
||||
class SafeImporter
|
||||
{
|
||||
public static function fetchRemote(): void
|
||||
{
|
||||
$url = $_REQUEST['url'];
|
||||
if (!self::isSafeRemoteUrl($url)) {
|
||||
return;
|
||||
}
|
||||
// Use file_get_contents (an SSRF sink that doesn't open a long-lived
|
||||
// resource) so the regression specifically pins SSRF narrowing
|
||||
// without conflating with state-resource-leak from fopen.
|
||||
file_get_contents($url);
|
||||
}
|
||||
|
||||
private static function isSafeRemoteUrl(string $u): bool
|
||||
{
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
<?php
|
||||
// `Serializable::unserialize($input)` magic-method body — the legacy
|
||||
// PHP `Serializable` interface contract (deprecated since PHP 8.1).
|
||||
// PHP itself invokes `\unserialize($attacker_bytes)` and then dispatches
|
||||
// to this method during instance restoration; the body's `\unserialize($x)`
|
||||
// call is part of the deserialization machinery and cannot be removed
|
||||
// without breaking the interface. The actionable signal lives at the
|
||||
// class level (the class implements deprecated `Serializable` — fix is
|
||||
// to migrate to `__serialize` / `__unserialize`), not at this call
|
||||
// site.
|
||||
//
|
||||
// Distilled from
|
||||
// joomla/administrator/components/com_finder/src/Indexer/Result.php:488
|
||||
// joomla/libraries/src/Input/Cli.php:112 joomla/libraries/src/Input/Input.php:210.
|
||||
|
||||
class IndexerResult implements \Serializable {
|
||||
private array $data = [];
|
||||
|
||||
public function unserialize($serialized): void {
|
||||
$this->data = unserialize($serialized);
|
||||
}
|
||||
}
|
||||
|
||||
class CliInput implements \Serializable {
|
||||
public string $executable = '';
|
||||
public array $args = [];
|
||||
public array $options = [];
|
||||
|
||||
public function unserialize($input): void {
|
||||
[$this->executable, $this->args, $this->options] = unserialize($input);
|
||||
}
|
||||
}
|
||||
|
||||
class CaseFolded implements \Serializable {
|
||||
private mixed $payload = null;
|
||||
|
||||
public function UnSerialize($payload) {
|
||||
$this->payload = unserialize($payload);
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue