Exakat\Analyzer\Security\IndirectInjection::analyze — PHP method


    /**
     * Flags indirect injection: request-derived values (the aliases collected
     * by the Security/GPRAliases analysis) reaching a sensitive argument, a
     * string concatenation or a foreach, either directly or after one hop
     * through a user-defined function.
     *
     * Five independent graph queries are built; each is committed with
     * prepareQuery() and their results accumulate on this analyzer.
     *
     * Caveats a reviewer should keep in mind (visible from the queries below):
     *  - the interprocedural case (query 1) follows exactly one call level and
     *    matches the callee's parameter by variable name only, so a
     *    reassignment or sanitisation step inside the callee is not taken
     *    into account (name-based, not flow-based);
     *  - the CONCAT cases (queries 3 and 4) report every concatenation of an
     *    incoming value whatever the result is later used for — they are not
     *    tied to a sink and are noisy by design.
     */
    public function analyze()
    {
        // Source strings (fullcode) of every node tagged by Security/GPRAliases,
        // i.e. the variables treated as carrying incoming request data.
        $vars = $this->query('g.V().hasLabel("Analysis").has("analyzer","Security/GPRAliases").out("ANALYZED").values("fullcode").unique()');
        // 1. Relayed via variable to sensitive function (one call level only)
        // $a = $_GET['a']; f($a); function f($a) { exec($a);}
        // The incoming variable is the N-th argument of a call (its 'rank' is
        // saved); the called function's N-th parameter (same rank) gives the
        // name to look for, and that name must appear as a
        // Security/SensitiveArgument somewhere inside the callee's block.
        // Matching is on the variable's code (its name), not on data flow.
        $this->atomIs('Variable')->codeIs($vars, true)->_as('result')->savePropertyAs('rank', 'rank')->inIs('ARGUMENT')->inIs('ARGUMENTS')->functionDefinition()->inIs('NAME')->outIs('ARGUMENTS')->outIs('ARGUMENT')->samePropertyAs('rank', 'rank')->savePropertyAs('code', 'varname')->inIs('ARGUMENT')->inIs('ARGUMENTS')->outIs('BLOCK')->atomInside('Functioncall')->outIs('ARGUMENTS')->outIs('ARGUMENT')->analyzerIs('Security/SensitiveArgument')->outIsIE('CODE')->atomIs('Variable')->samePropertyAs('code', 'varname')->back('result');
        $this->prepareQuery();
        // 2. $_GET/_POST ... directly as argument of PHP functions
        // $a = $_GET['a']; exec($a);
        // The incoming variable is itself flagged as a sensitive argument
        // (possibly through a CODE edge); walk up to the call's ARGUMENTS.
        $this->atomIs('Variable')->codeIs($vars, true)->analyzerIs('Security/SensitiveArgument')->inIsIE('CODE')->inIs('ARGUMENT')->inIs('ARGUMENTS');
        $this->prepareQuery();
        // 3. "$_GET/_POST ['index']"... inside a string or a concatenation is unsafe.
        // ($_GET/_POST used as a whole array inside a string only prints "Array",
        // which is harmless; this query does not distinguish the two.)
        // Any CONCAT whose direct child is the incoming variable is reported,
        // regardless of where the concatenated result goes.
        $this->atomIs('Variable')->codeIs($vars, true)->inIs('CONCAT');
        $this->prepareQuery();
        // 4. The incoming variable is the VARIABLE child of a node that is
        // itself part of a concatenation (presumably an array access or an
        // interpolated variable — confirm against the graph model). Other
        // operations that are not a concatenation are not matched here.
        $this->atomIs('Variable')->codeIs($vars, true)->inIs('VARIABLE')->inIs('CONCAT');
        $this->prepareQuery();
        // 5. foreach (looping on incoming variables): the alias is the SOURCE
        // of a foreach statement.
        $this->atomIs('Variable')->codeIs($vars, true)->inIs('SOURCE');
        $this->prepareQuery();
    }