diff --git a/scripts/generate_rules.php b/scripts/generate_rules.php
index f923e5da..1824e3fa 100644
--- a/scripts/generate_rules.php
+++ b/scripts/generate_rules.php
@@ -40,7 +40,9 @@ function help($name) {
 $hash = '.hash("' . hash('sha256', $file_content) . '")';
 }
- foreach(token_get_all($file_content) as $token) {
+ $tokens = token_get_all($file_content);
+
+ foreach ($tokens as $pos => $token) {
 if (!is_array($token)) {
 continue;
 }
@@ -49,9 +51,23 @@ function help($name) {
 $token[1] = substr($token[1], 1);
 }
- if (in_array($token[1], $functions_blacklist, true)) {
- $output[] = 'sp.disable_function.function("' . $token[1] . '").filename("' . $name . '")' . $hash . '.allow();' . "\n";
+ if (!in_array($token[1], $functions_blacklist, true)) {
+ continue;
 }
+
+ $prev_token = find_previous_token($tokens, $pos);
+
+ // Ignore function definitions and class calls
+ // function shell_exec() -> ignored
+ // $db->exec() -> ignored
+ // MyClass::assert() -> ignored
+ if ($prev_token === T_FUNCTION
+ || $prev_token === T_DOUBLE_COLON
+ || $prev_token === T_OBJECT_OPERATOR) {
+ continue;
+ }
+
+ $output[] = 'sp.disable_function.function("' . $token[1] . '").filename("' . $name . '")' . $hash . '.allow();' . "\n";
 }
 }
 foreach($functions_blacklist as $fun) {
@@ -61,3 +77,22 @@ function help($name) {
 foreach (array_unique($output) as $line) {
 echo $line;
 }
+
+function find_previous_token(array $tokens, int $pos): ?int
+{
+ for ($i = $pos - 1; $i >= 0; $i--) {
+ $token = $tokens[$i];
+
+ if ($token[0] === T_WHITESPACE) {
+ continue;
+ }
+
+ if (!is_array($token)) {
+ return null;
+ }
+
+ return $token[0];
+ }
+
+ return null;
+}
\ No newline at end of file
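Review bot: The new `$prev_token` skip list does not cover the nullsafe operator, so `$db?->exec()` is still treated as a call to the global `exec` and emits an `.allow()` rule for that file; since the generated line is an allow rule, every such false positive widens the allow-list for that filename instead of tightening it. If the generator runs on PHP 8, add `|| $prev_token === T_NULLSAFE_OBJECT_OPERATOR` to the condition (wrap it in `defined('T_NULLSAFE_OBJECT_OPERATOR')` if PHP 7 must still run this script). Function names are case-insensitive in PHP, so the strict `in_array($token[1], $functions_blacklist, true)` also misses `SHELL_EXEC()` unless the token is lower-cased before the lookup; that predates this change but this hunk is where the lookup now lives. The comment `// Ignore function definitions and class calls` is imprecise; `// Ignore function definitions, method calls and static calls` matches the examples below it. The inner `foreach` opens in the previous hunk and the enclosing loop starts outside both hunks.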
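Review bot: `find_previous_token` compares `$token[0] === T_WHITESPACE` before checking `is_array($token)`, so for single-character tokens such as `(` or `;` it compares a string with an int and only works because strict comparison yields false; checking the token shape first makes the intent explicit. Comment tokens are not skipped, so for `$db->/* … */exec()` the helper returns `T_COMMENT` and the skip in the previous hunk does not fire, producing a spurious allow rule; skipping `T_COMMENT` and `T_DOC_COMMENT` alongside `T_WHITESPACE` closes that gap. The helper also lacks a docblock: one line stating that it returns the token id of the nearest preceding non-whitespace token, or null when that token is a single-character string or the start of the file is reached, would suffice. The file also ends without a trailing newline (`\ No newline at end of file`).
```php
    for ($i = $pos - 1; $i >= 0; $i--) {
        $token = $tokens[$i];

        // Single-character tokens ('(', ';', ...) are plain strings, not [id, text, line]
        if (!is_array($token)) {
            return null;
        }

        // Whitespace and comments never separate an operator from its operand
        if (in_array($token[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }

        return $token[0];
    }
    // … unchanged: return null after the loop …
```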