Re: [RFC] is_literal()
Hi Craig,
https://github.com/laruence/taint#taint notes that
"Please note that do not enable this extension in product(ion) env, since it will slowdown your app."
- That repo already provides is_tainted() http://docs.php.net/is_tainted
A fork of that repo would theoretically allow implementing is_literal() as described in the RFC - is that the implementation plan?
- The slowdown would be a large problem if this feature was always on.
And if it can be implemented as a PECL module, that would be preferable to me over a core module of PHP.
If it was in core, having to support that feature may limit optimizations or implementation changes that could be done in the future.
If it's implemented in the same way as taint (i.e. cannot be used in combination with XDebug, blackfire, newrelic, etc.), that would also be a problem for including it in core.
If it wasn't, then it'd slow down concatenation, calls, etc. even when the application didn't need is_literal.
I also imagine that whether or not opcache was enabled is likely to affect whether something ends up being a literal
(e.g. opcache can evaluate functions such as str_repeat() for literals at compile time).
https://github.com/laruence/taint/blob/master/taint.c seems to already support a whitelist (php_taint_override_func),
so that isn't insurmountable for functions,
but it's possible if ($local === 'literal') { process($local); } would only satisfy is_literal() with opcache enabled.
Related projects (static analysis instead of runtime checks, though):
It's also worth noting that vimeo/psalm had an in-progress way to detect some ways in which tainted strings may be used by applications, based on a paper by Facebook
(https://cacm.acm.org/magazines/2019/8/238344-scaling-static-analyses-at-facebook/fulltext (for HHVM, though))
https://github.com/vimeo/psalm/issues/611#issuecomment-515153305
- but it isn't completed or usable yet, as far as I can tell.
Wikimedia also created https://gerrit.wikimedia.org/g/mediawiki/tools/phan/SecurityCheckPlugin/, but that's currently beta.
Both would have ways they fail to catch every way an argument could be passed to a function (e.g. unanalyzable dynamic/framework calls).
- Tyson
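As an added illustration, not part of Tyson's reply, the RFC text or any of the projects linked above, here is what a query helper guarded by the proposed is_literal() would look like. It assumes a PHP build where is_literal() exists and behaves as the RFC describes (true for strings written in source code and for concatenations of such strings, false for anything derived at runtime from external input), and that the pdo_sqlite driver is available; the LiteralOnlyQuery class and its run() method are hypothetical names chosen for this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the reply or the RFC). The guard below only makes
// sense on a build that actually provides is_literal(), so stop early otherwise
// rather than stubbing a provenance check that a userland function cannot do.
if (!function_exists('is_literal')) {
    fwrite(STDERR, "is_literal() is not available in this PHP build\n");
    exit(1);
}

final class LiteralOnlyQuery
{
    public function __construct(private PDO $pdo) {}

    /**
     * Accepts SQL text only if the engine tracked it as a source-code literal.
     * Values must travel separately as bound parameters.
     */
    public function run(string $sql, array $params = []): PDOStatement
    {
        if (!is_literal($sql)) {
            throw new InvalidArgumentException(
                'SQL text must be a literal; pass values as placeholders'
            );
        }
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }
}

$db = new LiteralOnlyQuery(new PDO('sqlite::memory:'));
$db->run('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->run('INSERT INTO users (name) VALUES (?)', ['alice']);

// Constructed sample of external input: a request parameter is never a literal.
$name = $_GET['name'] ?? 'alice';

// Literal . literal stays literal, so this is accepted; the value is a parameter.
$rows = $db->run('SELECT id, name FROM users ' . 'WHERE name = ?', [$name])
           ->fetchAll(PDO::FETCH_ASSOC);
var_dump(count($rows));

// Splicing the request value into the SQL text is rejected before prepare()
// ever sees it, regardless of what the value contains.
try {
    $db->run("SELECT id FROM users WHERE name = '" . $name . "'");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// The case raised in the reply: $local holds external input that happens to
// equal a literal after a runtime comparison. Whether is_literal($local) is
// true inside the branch may depend on opcache folding it at compile time; the
// reply flags that as an open question, and this example does not settle it.
$local = $name;
if ($local === 'alice') {
    var_dump(is_literal($local));
}
```

The point of the guard is that the check is on the SQL string's provenance rather than its contents, so no escaping or pattern matching is involved: a query assembled from request data is refused at the call site, and the only way through is to keep the SQL text in source and move every value into a placeholder.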