README.md - github.com/nextcloud/php-static-scanner-instrumentalization.git

# PHP Static Scanner Instrumentalization

Static security scanners are usually not clever enough to detect how parameters are injected in the Nextcloud source code.

This instrumentalization script loops over a given directory and instrumentalizes the source code by directly injecting
`$_GET` reads into code related to the Nextcloud app framework. The original code would look like:

```php
<?php
use OCP\AppFramework\Controller;

class Foo extends Controller {
    public function list($index, $bar) {
        // Logic of the code
    }
}
```

Here, `$index` in the function `list` would automatically be read from `$_GET`. To make static scanners aware of that,
the resulting code would look like:

```php
<?php
use OCP\AppFramework\Controller;

class Foo extends Controller {
    public function list() {
        $index = $_GET['index'];
        $bar = $_GET['bar'];
        // Logic of the code
    }
}
```
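
The rewrite shown above can be sketched with a single regular expression. This is an added illustration, not the project's script: the function name `instrumentSource` and the rule that a controller is any class whose parent name ends in `Controller` are assumptions. Type hints and default values are dropped, and defaults containing parentheses are not handled, which is where a real PHP parser is needed.

```php
<?php
// Added illustration of the rewrite; a regex sketch, not the project's script.

/**
 * Turn every parameter of a public controller method into an explicit
 * read from $_GET, so a scanner's taint tracking sees the request data.
 */
function instrumentSource(string $source): string
{
    // Assumption: a controller is any class whose parent name ends in "Controller".
    if (!preg_match('/\bclass\s+\w+\s+extends\s+[\w\\\\]*Controller\b/', $source)) {
        return $source;
    }
    // Groups: indent, "public function name", parameter list, return type.
    $pattern = '/^([ \t]*)(public\s+function\s+(\w+)\s*)\(([^)]*)\)([^{;]*)\{/m';

    return preg_replace_callback($pattern, function (array $m): string {
        [$all, $indent, $head, $name, $params, $tail] = $m;
        // Constructors take injected services, not request parameters.
        if ($name === '__construct' || !preg_match_all('/\$(\w+)/', $params, $vars)) {
            return $all;
        }
        $reads = [];
        foreach ($vars[1] as $v) {
            // One assignment per former parameter, indented one level deeper.
            $reads[] = sprintf("%s    \$%s = \$_GET['%s'];", $indent, $v, $v);
        }
        return $indent . $head . '()' . $tail . "{\n" . implode("\n", $reads);
    }, $source);
}

// Constructed sample input: the controller from the README.
$sample = <<<'PHP'
<?php
use OCP\AppFramework\Controller;

class Foo extends Controller {
    public function list($index, $bar) {
        // Logic of the code
    }
}
PHP;

echo instrumentSource($sample), "\n";
```

The rewritten copy is meant to be fed to the scanner only; the original sources stay as they are.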