[Owasp-orizon] Php parser and Mirage per language skeleton brainstorm...
Paolo Perego
thesp0nge at owasp.org
Mon Feb 23 14:07:41 EST 2009
Hi Stephen, great work from you as usual :)
Some days ago I moved the single mirage tarball into the orizon svn
repository, so all the changes will be made over there...
I'm going to compare your grammar and merge it with the one in the repository.
Now that we have a clever solution for parsing (freecc), we must
brainstorm about which kinds of information are useful to build our
model and how to represent them.
Let's start tracking the execution flow.
I'll take some days reading the Chess book about static analysis,
figuring out some ideas about "what kind of information the parser
must save and what it can discard" :)
Paolo
On Thu, Feb 19, 2009 at 7:59 PM, Stephen Craig Evans
<stephencraig.evans at gmail.com> wrote:
> Hi Paolo,
>
> I have been playing with Mirage 0.2 for a couple of days and I have a
> pretty good understanding of what is going on with FreeCC, how you set
> everything up, and how the commands and methods work.
>
> I have everything set up in NetBeans 6.5 so that I can build and debug
> which is very helpful, but found out about 4 hours ago that the ant
> build file that it created was not building the parser - changes to
> php.freecc weren't getting used - so I have to go back and work on
> that a bit.
>
> I got the sample file with all of the 'include's in them to work. I
> had to add a couple of syntactical productions (I am trying to adopt
> the FreeCC/JavaCC lingo) in php.freecc to make it work. You can do a
> diff or search for my initials 'SCE' and my comments.
>
> The include-samp.php file had syntax errors for the beginning of
> heredoc syntax, a white space where it shouldn't be: "<<< EOT" so I
> fixed those. I attached both files.
>
> For those of you that want to give it a spin, build the jar file by:
> ant clean
> ant parser
> and build
>
> Maybe not the way you intended, but it works for me.
>
> I start up Mirage with "java -jar ../lib/orizon-php-modeler.jar" from
> the 'test' directory, then issue these commands from the prompt:
> $ open include-samp.php
> $ load
> $ inspect ; parsing is done at the beginning so might get
> parsing errors here
> $ dump identifiers
> $ dump variables
> $ dump includes
> $ quit
>
> The 'dump includes' doesn't work but I'll look into that.
>
> Of course, add:
> $ crawl
> to get it to check if dangerous functions are being used, but for now
> I am focusing on the parsing.
>
> Putting "DEBUG_PARSER=true" at the beginning of php.freecc helps
> debugging immensely.
>
> Very, very cool stuff.
>
> I have a book "Core Web Application Development with PHP & MySQL" by
> Marc Wandschneider (2006) that has lots of samples so I will run those
> through the Mirage engine and see what happens. Let me know if there
> is a particular area that you want me to test or focus on.
>
> Once I go through the samples and am satisfied that a broad range has
> been tested, I'll get back to you and see what you want to do next.
>
> Great work. This is fun.
>
> Cheers,
> Stephen
>
>
> On Mon, Feb 16, 2009 at 3:16 PM, Stephen Craig Evans
> <stephencraig.evans at gmail.com> wrote:
>> Hey Paolo,
>>
>> FINALLY, I have some time. I spent the weekend upgrading my Ubuntu &
>> Kubuntu 7.10 VMs to 8.10. Of course, it never works the first time
>> (KDE 4.2 is awesome, though).
>>
>> I played around with your v.0.2 for a couple of hours. I got it to
>> build and run. Super-congrats!
>>
>> I only had to modify freecc.home in build.xml; I used freecc 0.9.3,
>> and the other versions of software I put in the attached text file.
>>
>> A couple of glitches and some might be easy for me to fix but I
>> haven't yet mastered Ant:
>> - I couldn't do "ant rebuild". The 'parser' action wasn't being done,
>> so I did 'ant clean', 'ant parser', then 'ant build'.
>> - the path for 'dangerous_php_call.txt' is hard-coded to '~/lib' (no
>> big deal; I only had to create the directory); and I had to rename it
>> from 'dangerous_call.txt'.
>>
>> The attached text file also has a small Mirage session that I ran.
>>
>> What's next? I'm going to look at your source and see what you have done.
>>
>> Have you heard the OWASP podcast with Andrew van der Stock? He is
>> doing some very cool stuff; e.g. with the code guide and making an
>> ESAPI version for PHP.
>>
>> I haven't coded a lot in PHP and it really interests me since Java &
>> .NET already have a lot of coverage vis-a-vis software security and
>> I've coded a lot in those languages.
>>
>> Cheers,
>> Stephen
>>
>>
>> On Thu, Jan 29, 2009 at 5:03 PM, Paolo Perego <thesp0nge at owasp.org> wrote:
>>> Guys... these days I'm code reviewing a huge PHP application. In
>>> order to help my tasks I started writing some code around the Mirage
>>> subsystem.
>>> I took the php.jj grammar from the javacc project and with the help of the
>>> freecc author I made some minor changes in order to have a very basic
>>> parser build (thanks Stephen for pointing me to this fabulous project,
>>> freecc is amazing).
>>>
>>> The ant build file will create the parser in the
>>> org.owasp.orizon.mirage.php.parser package, while the php modeler
>>> engine is located in the org.owasp.orizon.php package.
>>> I just uploaded some stuff over sourceforge. It's far from being
>>> useful by now but it's a starting point. I think it could be used as a
>>> skeleton for Mirage "modelers".
>>>
>>> orizon_php_modeler v0.1:
>>> http://downloads.sourceforge.net/orizon/orizon_php_modeler_0.1.tar.gz?use_mirror=heanet
>>>
>>> It's really a work in progress so I'll modify it every day. If you want
>>> to take a look at what Mirage can become, any feedback will be useful
>>> :)
>>>
>>> Cheers
>>> thesp0nge
>>> --
>>> "stay hungry, stay foolish"
>>>
>>> OWASP Orizon project, http://orizon.sourceforge.net
>>> "enjoy your code review experience"
>>> _______________________________________________
>>> Owasp-orizon mailing list
>>> Owasp-orizon at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-orizon
>>>
>>
>>
>>
>> --
>> http://www.linkedin.com/in/stephencraigevans
>>
>
>
>
> --
> http://www.linkedin.com/in/stephencraigevans
>
>
>
--
"stay hungry, stay foolish"
OWASP Orizon project, http://orizon.sourceforge.net
"enjoy your code review experience"
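A reduced reimplementation of the 'crawl', 'dump includes' and 'dump variables' steps discussed in this thread, added here as an illustration; it is not Orizon/Mirage code and uses a regex scan instead of the FreeCC parser. The in-memory PHP files and the dangerous-function list (a stand-in for dangerous_php_call.txt) are constructed for the example.

```python
import re

# Constructed sample: an entry script plus the files it pulls in via
# include/require, kept in memory instead of on disk.
SAMPLE_FILES = {
    "index.php": "<?php\ninclude 'lib/util.php';\n$cmd = $_GET['c'];\nsystem($cmd);\necho 'ok';\n",
    "lib/util.php": "<?php\nrequire_once('config.php');\nfunction run($s) { return eval($s); }\n",
    "config.php": "<?php\n$dsn = 'mysql:host=localhost';\n",
}

# Constructed stand-in for dangerous_php_call.txt: one function name per line.
DANGEROUS_LIST = "system\nexec\neval\npassthru\nshell_exec\n"

# include/require[_once] with a literal string path; dynamic paths are skipped.
INCLUDE_RE = re.compile(r"\b(include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")
# Bare function call; the lookbehind excludes $var(), ->method() and other
# prefixed calls so only direct calls to a named function are reported.
CALL_RE = re.compile(r"(?<![\w$>])([A-Za-z_]\w*)\s*\(")
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")


def load_dangerous(text):
    """Parse the dangerous-call list: one name per line, '#' starts a comment."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}


def includes_of(src):
    """'dump includes': literal include/require targets in one file, in order."""
    return [m.group(2) for m in INCLUDE_RE.finditer(src)]


def variables_of(src):
    """'dump variables': sorted distinct variable names used in one file."""
    return sorted(set(VAR_RE.findall(src)))


def crawl(entry, files, dangerous):
    """'crawl': follow includes from entry and report (file, line, function)
    for every direct call to a listed dangerous function. Files that are
    missing or already visited are skipped, so include cycles terminate."""
    seen, queue, hits = set(), [entry], []
    while queue:
        name = queue.pop(0)
        if name in seen or name not in files:
            continue
        seen.add(name)
        for lineno, line in enumerate(files[name].splitlines(), 1):
            for m in CALL_RE.finditer(line):
                if m.group(1) in dangerous:
                    hits.append((name, lineno, m.group(1)))
        queue.extend(includes_of(files[name]))
    return hits
```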