From 17254799d1069e9f67de14460264cda76395746f Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Tue, 15 Sep 2009 20:27:04 -0700
Subject: Initial skeleton of Controller_Auth code audit test (non functional).

---
 modules/gallery/tests/Controller_Auth_Test.php | 211 +++++++++++++++++++++++++
 modules/gallery/tests/controller_auth_data.txt |   0
 2 files changed, 211 insertions(+)
 create mode 100644 modules/gallery/tests/Controller_Auth_Test.php
 create mode 100644 modules/gallery/tests/controller_auth_data.txt

diff --git a/modules/gallery/tests/Controller_Auth_Test.php b/modules/gallery/tests/Controller_Auth_Test.php
new file mode 100644
index 00000000..9927859b
--- /dev/null
+++ b/modules/gallery/tests/Controller_Auth_Test.php
@@ -0,0 +1,211 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class Controller_Auth_Test extends Unit_Test_Case {
+  public function find_missing_auth_test() {
+    $found = array();
+    foreach (glob("*/*/controllers/*.php") as $controller) {
+      // List of all tokens without whitespace, simplifying parsing.
+      $tokens = array();
+      foreach (token_get_all(file_get_contents($controller)) as $token) {
+        if (!is_array($token) || $token[0] != T_WHITESPACE) {
+          $tokens[] = $token;
+        }
+      }
+
+      $open_braces = 0;
+      $function = null;
+      for ($token_number = 0; $token_number < count($tokens); $token_number++) {
+        $token = $tokens[$token_number];
+
+        // Count braces.
+        // 1 open brace  = in class context.
+        // 2 open braces = in function.
+        if (!is_array($token)) {
+          if ($token == "{") {
+            $open_braces--;
+            if ($function) {
+              $found[$controller][] = $function;
+            }
+            $function = null;
+          } else if ($token == "{") {
+            $open_braces++;
+          }
+        } else {
+          // An array token
+
+          if ($open_braces == 1 && $token[0] == T_FUNCTION) {
+            $line = $token[2];
+            $name = "";
+            // Search backwards to check visibility,
+            // "private function", or "private static function"
+            $previous = $tokens[$token_number - 1][0];
+            $previous_2 = $tokens[$token_number - 2][0];
+            $is_private = in_array($previous, array(T_PRIVATE, T_PROTECTED)) ||
+              in_array($previous_2, array(T_PRIVATE, T_PROTECTED));
+
+            // Search forward to get function name
+            do {
+              $token_number++;
+              if (self_::token_matches(array(T_STRING), $tokens, $token_number)) {
+                $token = $tokens[$token_number];
+                $name = $tokens[1];
+                break;
+              }
+            } while ($token_number < count($tokens));
+
+            if (!$is_private) {
+              $function = self::_function($name, $line);
+            }
+          }
+
+          // Check body of all public functions
+          //
+          // Authorization
+          //   Require: access::required\(
+          // Authentication (CSRF token)
+          //   [When using Input, $this->input, Forge]
+          //   Require: ->validate() or access::verify_csrf\(
+          if ($function && $open_braces >= 2) {
+            if ($token[0] == T_STRING) {
+              if ($token[1] == "access" &&
+                  self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
+                  self::_token_matches(array(T_STRING, "require"), $tokens, $token_number + 2) &&
+                  self::_token_matches("(", $tokens, $token_number + 3)) {
+                $token_number += 3;
+                $function->checks_authorization(true);
+              } else if ($token[1] == "access" &&
+                  self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
+                  self::_token_matches(array(T_STRING, "verify_csrf"), $tokens, $token_number + 2) &&
+                  self::_token_matches("(", $tokens, $token_number + 3)) {
+                $token_number += 3;
+                $function->checks_csrf(true);
+              } else if (in_array($token[1], array("Input", "Forge")) &&
+                         self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1)) {
+                $token_number++;
+                $function->uses_input(true);
+              }
+            } else if ($token == T_VARIABLE) {
+              if ($token[1] == '$this' &&
+                  self::_token_matches(array(T_OBJECT_OPERATOR), $tokens, $token_number + 1) &&
+                  self::_token_matches(array(T_STRING, "input"), $tokens, $token_number + 2)) {
+                $token_number += 2;
+                $function->uses_input(true);
+              }
+            } else if ($token[0] == T_OBJECT_OPERATOR) {
+              if (self::_token_matches(array(T_STRING), "validate", $token_number + 1) &&
+                  self::_token_matches("(", $tokens, $token_number + 2)) {
+                $token_number += 2;
+                $function->checks_csrf(true);
+              }
+            }
+          }
+        }
+      } 
+    }
+
+    // Generate the report
+    $new = TMPPATH . "controller_auth_data.txt";
+    $fd = fopen($new, "wb");
+    ksort($found);
+    foreach ($found as $controller => $frames) {
+      foreach ($functions as $function) {
+        $flags = array();
+        if ($function->uses_input() && !$function->checks_csrf()) {
+          $flags[] = "DIRTY_CSRF";
+        }
+        if ($function->checks_authorization()) {
+          $flags[] = "DIRTY_AUTH";
+        }
+
+        if (!$flags) {
+          // Don't print CLEAN instances
+          continue;
+        }
+
+        fprintf($fd, "%-60s %-20s %-21s\n",
+                $controller, $function->name, implode("|", $flags));
+      }
+    }
+    fclose($fd);
+
+    // Compare with the expected report from our golden file.
+    $canonical = MODPATH . "gallery/tests/controller_auth_data.txt";
+    exec("diff $canonical $new", $output, $return_value);
+    $this->assert_false(
+                        $return_value, "Controller auth golden file mismatch.  Output:\n" . implode("\n", $output) );
+  }
+
+  private static function _token_matches($expected_token, &$tokens, $token_number) {
+    if (!isset($tokens[$token_number])) {
+      return false;
+    }
+
+    $token = $tokens[$token_number];
+
+    if (is_array($expected_token)) {
+      for ($i = 0; $i < count($expected_token); $i++) {
+        if ($expected_token[$i] != $token[$i]) {
+          return false;
+        }
+      }
+      return true;
+    } else {
+      return $expected_token == $token;
+    }
+  }
+
+  static function _function($name, $line) {
+    return new Controller_Auth_Test_Function($name, $line);
+  }
+}
+
+class Controller_Auth_Test_Function {
+  public $name;
+  public $line;
+  private $_uses_input = false;
+  private $_checks_authorization = false;
+  private $_checks_csrf = false;
+
+  function __construct($name, $line) {
+    $this->name = $name;
+    $this->line = $line;
+  }
+
+  function uses_input($val=null) {
+    if ($val !== null) {
+      $this->_uses_input = $val;
+    }
+    return $this->_uses_input;
+  }
+
+  function checks_authorization($val) {
+    if ($val !== null) {
+      $this->_checks_authorization = $val;
+    }
+    return $this->_checks_authorization;
+  }
+
+  function checks_csrf($val) {
+    if ($val !== null) {
+      $this->_checks_csrf = $val;
+    }
+    return $this->_checks_csrf;
+  }
+}
\ No newline at end of file
diff --git a/modules/gallery/tests/controller_auth_data.txt b/modules/gallery/tests/controller_auth_data.txt
new file mode 100644
index 00000000..e69de29b
-- 
cgit v1.2.3