Why configuration?
The configuration file configures the security analysis in php-sat. It contains three kinds of information:
- Which variables bring tainted data into the script
- Which functions/constructs can make this data safe
- Which SafetyLevel the parameters of a sensitive function or construct must have
This information can differ between projects and between configurations of PHP. The most obvious example is the magic quotes directive (magic_quotes_gpc): when it is enabled, PHP adds backslashes to incoming request data, so that input data enters the script at a higher SafetyLevel (escaped-slashes instead of raw-input) and the analysis must be told so. Note that magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4, so this part of the configuration only matters for code running on older PHP versions.
Format
The format of the configuration file is best explained with the following example file:
1: [tainted sources]
2: array: _SERVER level: escaped-slashes
3: function: file_get_contents level: raw-input
4: [sensitive sinks]
5: construct: echo ( escaped-html && escaped-slashes )
6: function: mail ( matched-string || string-from-list, matched-string, matched-string )
7: [function result]
8: function: addslashes level: escaped-slashes
- Line 1: Starts the section that lists the sources of TaintedData. All sources that bring TaintedData into your script should be declared here.
- Line 2: An input array is declared as a source of TaintedData with the keyword array: followed by the name of the array and a SafetyLevel. A SafetyLevel is declared as level: safety-level-name.
- Line 3: A function is declared as a source of TaintedData in the same way, but with the keyword function:.
- Line 4: Starts the SensitiveSink section of the configuration file. All functions and constructs whose parameters should be checked against a precondition should be declared here.
- Line 5: The precondition for a construct is declared with the keyword construct: followed by the name of the construct and, in parentheses, a precondition for each parameter you want to check. SafetyLevels can be combined with the && (and) and || (or) operators, which work as expected.
- Line 6: Functions are declared as SensitiveSinks in the same way as constructs, but with the keyword function:. This line also shows how preconditions for multiple parameters are given: one precondition per parameter, separated by commas.
- Line 7: Starts the section that declares the functions that make data safe. All functions that change the SafetyLevel of the data passed through them should be declared here.
- Line 8: The SafetyLevel of a function's result is declared with the keyword function: followed by the name of the function and a SafetyLevel.
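As an added example (not code from this page or from the php-sat project), the following Python script parses a file in the format described above and evaluates sink preconditions against the SafetyLevels a value carries. Two things it assumes, because the page does not say: && binds tighter than || (as in C and PHP), and sub-expressions may be parenthesised. The model in which a value carries a set of SafetyLevel names is the example's own, not necessarily php-sat's; the embedded sample configuration is the example file above.

```python
import re

SAMPLE_CONFIG = """\
[tainted sources]
array: _SERVER level: escaped-slashes
function: file_get_contents level: raw-input
[sensitive sinks]
construct: echo ( escaped-html && escaped-slashes )
function: mail ( matched-string || string-from-list, matched-string, matched-string )
[function result]
function: addslashes level: escaped-slashes
"""  # constructed sample: the example configuration file from the page
SECTIONS = {"[tainted sources]": "sources", "[sensitive sinks]": "sinks",
            "[function result]": "results"}
LEVEL_LINE = re.compile(r"^(array|function):\s*(\S+)\s+level:\s*(\S+)$")
SINK_LINE = re.compile(r"^(construct|function):\s*(\S+)\s*(\(.*\))$")


def parse_preconditions(text):
    """Parse '( p1, p2, ... )' into one expression tree per checked parameter: a
    SafetyLevel name or ('and'|'or', left, right).  Assumption, not stated on the
    page: && binds tighter than || and sub-expressions may be parenthesised."""
    toks = re.findall(r"\(|\)|,|&&|\|\||[A-Za-z_][\w-]*", text)
    if "".join(toks) != re.sub(r"\s+", "", text):  # reject stray characters
        raise ValueError(f"bad precondition syntax: {text!r}")
    peek = lambda: toks[0] if toks else None
    def take(expected=None):
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a SafetyLevel'}, got {tok!r} in {text!r}")
        return toks.pop(0)
    def atom():  # '(' or_expr ')' | SafetyLevel
        if peek() == "(":
            take(); node = or_expr(); take(")"); return node
        tok = take()
        if tok in ("&&", "||", ",", ")"):
            raise ValueError(f"unexpected {tok!r} in {text!r}")
        return tok
    def and_expr():  # atom ('&&' atom)*
        node = atom()
        while peek() == "&&":
            take(); node = ("and", node, atom())
        return node
    def or_expr():  # and_expr ('||' and_expr)*
        node = and_expr()
        while peek() == "||":
            take(); node = ("or", node, and_expr())
        return node
    take("(")
    params = [or_expr()]
    while peek() == ",":
        take(); params.append(or_expr())
    take(")")
    if toks:
        raise ValueError(f"trailing text in precondition: {text!r}")
    return params


def parse_config(text):
    """Return {'sources': {name: (kind, level)}, 'sinks': {name: (kind, [tree, ...])},
    'results': {name: level}}; a malformed line raises ValueError with its number."""
    cfg = {"sources": {}, "sinks": {}, "results": {}}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            if line not in SECTIONS:
                raise ValueError(f"line {lineno}: unknown section {line}")
            section = SECTIONS[line]
        elif section == "sinks":
            m = SINK_LINE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: expected 'construct:|function: NAME ( ... )'")
            kind, name, precond = m.groups()
            cfg["sinks"][name] = (kind, parse_preconditions(precond))
        elif section in ("sources", "results"):
            m = LEVEL_LINE.match(line)
            if not m or (section == "results" and m.group(1) != "function"):
                raise ValueError(f"line {lineno}: expected 'NAME level: LEVEL' entry")
            kind, name, level = m.groups()
            cfg[section][name] = (kind, level) if section == "sources" else level
        else:
            raise ValueError(f"line {lineno}: entry before any section header")
    return cfg


def satisfies(tree, levels):
    """Model used here (the example's own): a value carries a set of SafetyLevel names."""
    if isinstance(tree, str):
        return tree in levels
    op, left, right = tree
    results = (satisfies(left, levels), satisfies(right, levels))
    return all(results) if op == "and" else any(results)


def check_sink(cfg, name, arg_levels):
    """One bool per checked parameter of sink `name`: does argument i meet precondition i?"""
    kind, preconds = cfg["sinks"][name]
    if len(arg_levels) < len(preconds):
        raise ValueError(f"{kind} {name}: {len(preconds)} parameters checked, {len(arg_levels)} given")
    return [satisfies(p, set(levels)) for p, levels in zip(preconds, arg_levels)]
```

parse_config rejects unknown section headers, entries that appear before any header, and malformed lines, reporting the offending line number, and parse_preconditions rejects stray characters, dangling operators and trailing text, so a typo in a sink precondition fails loudly instead of silently weakening the check. With the sample file, check_sink(cfg, "echo", [{"escaped-slashes"}]) returns [False]: data that only carries magic-quote slashes is not safe to echo, while a mail() call passes once its first argument is matched-string or string-from-list and the other two are matched-string.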
Default configuration
The default configuration used by php-sat is installed as PHP-SAT.ini under prefix/share/php-sat, where prefix is the installation prefix.
Editing this default file does not change php-sat's behaviour by itself: after you have altered the file you must pass it to php-sat with the -cf f | --config-file f flag.
The default configuration is currently very small. If you have an improved version please share it with us.