Instrumentalizes the Nextcloud PHP code to be scanned with static PHP source code scanners
Latest commit: Lukas Reschke, 5ec276fb51, "Merge pull request #6 from nextcloud/run-only-when-required" (Run only when required), 2016-12-27 20:47:57 +01:00

Repository contents (last commit touching each entry):

- src: Run only when required (2016-12-27 20:47:19 +01:00)
- tests/integration: Adjust JSON Response to echo (2016-12-27 20:42:09 +01:00)
- vendor: Initial import (2016-12-20 15:32:58 +01:00)
- .drone.yml: Add basic integration tests (2016-12-27 19:46:54 +01:00)
- LICENSE: Initial commit (2016-12-20 13:26:20 +01:00)
- README.md: Remove parameters completely and move into GET (2016-12-21 20:50:10 +01:00)
- composer.json: Initial import (2016-12-20 15:32:58 +01:00)
- composer.lock: Initial import (2016-12-20 15:32:58 +01:00)
- instrumentalize.php: Higher defaults (2016-12-20 15:34:57 +01:00)

README.md

PHP Static Scanner Instrumentalization

Static security scanners are usually not clever enough to understand how Nextcloud's AppFramework injects request parameters into controller methods: the framework matches a controller method's parameter names against the incoming request and passes the values in, so to a scanner those arguments look like ordinary function parameters rather than user-controlled input, and taint tracking never starts.

This instrumentalization script loops over a given directory and instrumentalizes the source code by injecting a direct `$_GET` read for every parameter of AppFramework controller methods. So the original code would look like:

```php
<?php
use OCP\AppFramework\Controller;

class Foo extends Controller {
    public function list($index, $bar) {
        // Logic of the code
    }
}
```

Here `$index` (and `$bar`) of the method `list` are read automatically from `$_GET` by the framework. To make a static scanner aware of that, the script removes the parameters from the method signature and reads each one from `$_GET` at the top of the method body, so the resulting code looks like:

```php
<?php
use OCP\AppFramework\Controller;

class Foo extends Controller {
    public function list() {
        $index = $_GET['index'];
        $bar = $_GET['bar'];
        // Logic of the code
    }
}
```
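The rewrite described above, as an added example in Python; this is not the project's own `instrumentalize.php` (whose implementation the README does not show), but an independent illustration of the same source-to-source transformation. It assumes that a file counts as AppFramework code when it declares a class whose parent class name ends in `Controller`, that only `public function` methods are rewritten, and that parameter lists contain no nested parentheses (a default like `array()` would need a real tokenizer). The sample controller is constructed from the README's "before" snippet.

```python
"""Rewrite AppFramework controller methods so every parameter is read from $_GET."""
import re
from pathlib import Path

# Constructed sample: the README's "before" controller (not Nextcloud code).
SAMPLE_BEFORE = """<?php
use OCP\\AppFramework\\Controller;

class Foo extends Controller {
    public function list($index, $bar) {
        // Logic of the code
    }
}
"""

# The instrumented form the README shows as the result.
EXPECTED_AFTER = """<?php
use OCP\\AppFramework\\Controller;

class Foo extends Controller {
    public function list() {
        $index = $_GET['index'];
        $bar = $_GET['bar'];
        // Logic of the code
    }
}
"""

# Assumption: a file is "AppFramework code" when it declares a class whose
# parent class name ends in "Controller" (Controller, ApiController, ...).
CONTROLLER_CLASS_RE = re.compile(r"\bclass\s+\w+\s+extends\s+[\w\\]*Controller\b")

# Public method header: indentation, name, parameter list, opening brace.
# Assumption: no nested parentheses inside the parameter list.
METHOD_RE = re.compile(
    r"(?P<head>(?P<indent>[ \t]*)public\s+function\s+(?P<name>\w+)\s*\()"
    r"(?P<params>[^)]*)"
    r"(?P<tail>\)\s*\{)"
)

# Parameter name only, ignoring type hints and defaults ("int $index = 0").
PARAM_NAME_RE = re.compile(r"\$(\w+)")


def instrumentalize(source: str) -> str:
    """Return the PHP source with every public controller method parameter
    removed from the signature and re-created from $_GET at the top of the body."""
    if not CONTROLLER_CLASS_RE.search(source):
        return source  # not AppFramework code: run only when required

    def rewrite(match):
        names = PARAM_NAME_RE.findall(match.group("params"))
        if not names:
            return match.group(0)  # nothing is injected, nothing to rewrite
        body_indent = match.group("indent") + "    "
        assignments = "".join(
            f"\n{body_indent}${name} = $_GET['{name}'];" for name in names
        )
        return f"{match.group('head')}{match.group('tail')}{assignments}"

    return METHOD_RE.sub(rewrite, source)


def instrumentalize_tree(root) -> list:
    """Rewrite every .php file below root in place; return the paths that changed."""
    changed = []
    for path in sorted(Path(root).rglob("*.php")):
        original = path.read_text(encoding="utf-8")
        rewritten = instrumentalize(original)
        if rewritten != original:
            path.write_text(rewritten, encoding="utf-8")
            changed.append(path)
    return changed


if __name__ == "__main__":
    print(instrumentalize(SAMPLE_BEFORE))
```

Running `instrumentalize_tree` on a copy of the Nextcloud source tree (never on the tree you deploy: the rewritten controllers no longer accept framework-injected arguments) leaves non-controller files untouched and is idempotent, since an already rewritten method has an empty parameter list. Scanners then see `$_GET[...]` as the taint source for every controller argument, which is exactly the information the framework's injection hides.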