[Owasp-orizon] Php parser and Mirage per language skeleton brainstorm...
Stephen Craig Evans
stephencraig.evans at gmail.com
Thu Feb 19 13:59:08 EST 2009
I have been playing with Mirage 0.2 for a couple of days and I have a
pretty good understanding of what is going on with FreeCC, how you set
everything up, and how the commands and methods work.
I have everything set up in NetBeans 6.5 so that I can build and debug
which is very helpful, but found out about 4 hours ago that the ant
build file that it created was not building the parser - changes to
php.freecc weren't getting used - so I have to go back and work on
that a bit.
I got the sample file with all of the 'include's in them to work. I
had to add a couple of syntactical productions (I am trying to adopt
the FreeCC/JavaCC lingo) in php.freecc to make it work. You can do a
diff or search for my initials 'SCE' and my comments.
The include-samp.php file had syntax errors for the beginning of
heredoc syntax, a white space where it shouldn't be: "<<< EOT" so I
fixed those. I attached both files.
For those of you that want to give it a spin, build the jar file by:
Maybe not the way you intended, but it works for me.
I start up Mirage with "java -jar ../lib/orizon-php-modeler.jar" from
the 'test' directory, then issue these commands from the prompt:
$ open include-samp.php
$ inspect ; parsing is done at the beginning so might get
parsing errors here
$ dump identifiers
$ dump variables
$ dump includes
The 'dump includes' doesn't work but I'll look into that.
Of course, add:
to get it to check if dangerous functions are being used, but for now
I am focusing on the parsing.
Putting "DEBUG_PARSER=true" at the beginning of php.freecc helps
Very, very cool stuff.
I have a book "Core Web Application Development with PHP & MySQL" by
Marc Wandschneider (2006) that has lots of samples so I will run those
through the Mirage engine and see what happens. Let me know if there
is a particular area that you want me to test or focus on.
Once I go through the samples and am satisfied that a broad range has
been tested, I'll get back to you and see what you want to do next.
Great work. This is fun.
On Mon, Feb 16, 2009 at 3:16 PM, Stephen Craig Evans
<stephencraig.evans at gmail.com> wrote:
> Hey Paolo,
> FINALLY, I have some time. I spent the weekend upgrading my Ubuntu &
> Kubuntu 7.10 VMs to 8.10. Of course, it never works the first time
> (KDE 4.2 is awesome, though).
> I played around with your v.0.2 for a couple of hours. I got it to
> build and run. Super-congrats!
> I only had to modify freecc.home in build.xml; I used freecc 0.9.3,
> and the other versions of software I put in the attached text file.
> A couple of glitches and some might be easy for me to fix but I
> haven't yet mastered Ant:
> - I couldn't do "ant rebuild". The 'parser' action wasn't being done,
> so I did 'ant clean', 'ant parser', then 'ant build'.
> - the path for 'dangerous_php_call.txt' is hard-coded to '~/lib' (no
> big deal; I only had to create the directory); and I had to rename it
> from 'dangerous_call.txt'.
> The attached text file also has a small Mirage session that I ran.
> What's next? I'm going to look at your source and see what you have done.
> Have you heard the OWASP podcast with Andrew van der Stock? He is
> doing some very cool stuff; e.g. with the code guide and making an
> ESAPI version for PHP.
> I haven't coded a lot in PHP and it really interests me since Java &
> .NET already have a lot of coverage vis-a-vis software security and
> I've coded a lot in those languages.
> On Thu, Jan 29, 2009 at 5:03 PM, Paolo Perego <thesp0nge at owasp.org> wrote:
>> Guys... in these days I'm code reviewing a huge PHP application. In
>> order to help my tasks I started writing some code around the Mirage
>> I took the php.jj grammar from javacc project and with the help of the
>> freecc author I made some minor changes in order to have a very basic
>> parser build (thanks Stephen to pointed me out this fabulous project,
>> freecc is amazing).
>> The ant build file will create the parser in the
>> org.owasp.orizon.mirage.php.parser package, meanwhile the php modeler
>> engine is located in org.owasp.orizon.php package.
>> I just uploaded some stuff over sourceforge. It's far from being
>> useful by now but it's a starting point. I think that could be used as
>> skeleton for Mirage "modelers".
>> orizon_php_modeler v0.1:
>> It's a really work in progress so I'll modify every day. If you want
>> to take a look on how Mirage can become, any feedback will be useful
>> "stay hungry, stay foolish"
>> OWASP Orizon project, http://orizon.sourceforge.net
>> "enjoy your code review experience"
>> Owasp-orizon mailing list
>> Owasp-orizon at lists.owasp.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 20480 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-orizon/attachments/20090220/8f73bad4/attachment-0001.tar
More information about the Owasp-orizon