{"id":20456342,"url":"https://github.com/chanthmiao/vld","last_synced_at":"2025-04-13T04:02:00.920Z","repository":{"id":245741680,"uuid":"230314054","full_name":"ChanthMiao/vld","owner":"ChanthMiao","description":"Forked from https://github.com/derickr/vld.git, add json dump support","archived":false,"fork":false,"pushed_at":"2020-09-28T04:34:20.000Z","size":396,"stargazers_count":3,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-26T21:02:49.893Z","etag":null,"topics":["json","json-output","php","php-extension","vld"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ChanthMiao.png","metadata":{"files":{"readme":"README.md","changelog":"Changelog","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-26T19:02:00.000Z","updated_at":"2023-09-13T04:44:41.000Z","dependencies_parsed_at":"2024-06-23T20:46:58.093Z","dependency_job_id":"c2961bc1-3ae0-47f6-8e51-9fa6aade6a99","html_url":"https://github.com/ChanthMiao/vld","commit_stats":null,"previous_names":["chanthmiao/vld"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChanthMiao%2Fvld","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChanthMiao%2Fvld/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChanthMiao%2Fvld/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChanthMiao%2Fvld/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHu
b/owners/ChanthMiao","download_url":"https://codeload.github.com/ChanthMiao/vld/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248661706,"owners_count":21141450,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["json","json-output","php","php-extension","vld"],"created_at":"2024-11-15T11:22:20.431Z","updated_at":"2025-04-13T04:02:00.864Z","avatar_url":"https://github.com/ChanthMiao.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# VLD With JSON Support\n\nThis repository is forked from [derickr/vld](https://github.com/derickr/vld.git) and adds JSON output support while changing the existing code as little as possible.\n\n## Original README\n\nSee [README.rst](./README.rst).\n\n## Motivation\n\nTo detect XSS in PHP source code, the vld output has to be extracted and analyzed. The original vld output format is inconvenient to parse, so JSON output was added.\n\n## JSON Output\n\nGiven a test.php with the following content:\n\n```php\n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead/\u003e\n\u003cbody\u003e\n\u003c?php\n\nfunction tainte($src)\n{\n    $dst = $src + 0;\n    return \"\u003cdiv id='\". 
$dst.\"'\u003econtent\u003c/div\u003e\";\n}\n\n$array = array();\n$array[] = 'safe' ;\n$array[] = $_GET['userData'] ;\n$array[] = 'safe' ;\n$tainted = $array[1] ;\n\n$tainted = tainte($tainted);\n\necho $tainted;\n\n?\u003e\n\u003ch1\u003eHello World!\u003c/h1\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\nRunning `php -dvld.active=1 -dvld.execute=0 -dvld.dump_json=1 -dvld.format test.php` produces the following output.\n\n```json\n[\n{\n     \"class\": null,\n     \"filename\": \"/home/dev/test.php\",\n     \"function name\": null,\n     \"number of ops\": 20,\n     \"compiled vars\": [\"array\", \"tainted\"],\n     \"ops\": {\n          \"line\": [1, 7, 13, 14, null, 15, null, null, null, 16, null, 17, null, 19, null, null, null, 21, 24, 27],\n          \"#\": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19],\n          \"*\": [null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null],\n          \"E\": [\"E\", null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null],\n          \"I\": [\"\u003e\", null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null],\n          \"O\": [null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, \"\u003e\"],\n          \"op_code\": [40, 0, 38, 147, 137, 80, 81, 147, 137, 147, 137, 81, 38, 61, 117, 60, 38, 40, 40, 62],\n          \"op\": [\"ECHO\", \"NOP\", \"ASSIGN\", \"ASSIGN_DIM\", \"OP_DATA\", \"FETCH_R\", \"FETCH_DIM_R\", \"ASSIGN_DIM\", \"OP_DATA\", \"ASSIGN_DIM\", \"OP_DATA\", \"FETCH_DIM_R\", \"ASSIGN\", \"INIT_FCALL\", \"SEND_VAR\", \"DO_FCALL\", \"ASSIGN\", \"ECHO\", \"ECHO\", \"RETURN\"],\n          \"fetch\": [\"\", \"\", \"\", \"\", \"\", \"global\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\"],\n          \"ext\": [null, null, null, null, null, null, 
null, null, null, null, null, null, null, null, null, 0, null, null, null, null],\n          \"return_type\": [null, null, null, null, null, \"IS_TMP_VAR\", \"IS_TMP_VAR\", null, null, null, null, \"IS_TMP_VAR\", null, null, null, \"IS_VAR\", null, null, null, null],\n          \"return\": [null, null, null, null, null, \"~5\", \"~6\", null, null, null, null, \"~8\", null, null, null, \"$10\", null, null, null, null],\n          \"op1_type\": [\"IS_CONST (40)\", null, \"IS_CV\", \"IS_CV\", \"IS_CONST (34)\", \"IS_CONST (33)\", \"IS_TMP_VAR\", \"IS_CV\", \"IS_TMP_VAR\", \"IS_CV\", \"IS_CONST (25)\", \"IS_CV\", \"IS_CV\", \"IS_UNUSED\", \"IS_CV\", \"IS_UNUSED\", \"IS_CV\", \"IS_CV\", \"IS_CONST (12)\", \"IS_CONST (11)\"],\n          \"op1\": [\"%3C%21DOCTYPE+html%3E%0A%3Chtml%3E%0A%3Chead%2F%3E%0A%3Cbody%3E%0A\", null, \"!0\", \"!0\", \"safe\", \"_GET\", \"~5\", \"!0\", \"~6\", \"!0\", \"safe\", \"!0\", \"!1\", null, \"!1\", null, \"!1\", \"!1\", \"%3Ch1%3EHello+World%21%3C%2Fh1%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E%0A\", 1],\n          \"op2_type\": [null, null, \"IS_CONST (37)\", \"IS_UNUSED\", \"IS_UNUSED\", null, \"IS_CONST (32)\", \"IS_UNUSED\", \"IS_UNUSED\", \"IS_UNUSED\", \"IS_UNUSED\", \"IS_CONST (24)\", \"IS_TMP_VAR\", \"IS_CONST (21)\", \"IS_UNUSED\", null, \"IS_VAR\", null, null, null],\n          \"op2\": [null, null, \"\u003carray\u003e\", null, null, null, \"userData\", null, null, null, null, 1, \"~8\", \"tainte\", null, null, \"$10\", null, null, null],\n          \"ext_op_type\": [null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null],\n          \"ext_op\": [null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null]\n     },\n     \"path\": [[0]],\n     \"branch\": {\n          \"sline\": [1],\n          \"eline\": [27],\n          \"sop\": [0],\n          \"eop\": [19],\n          \"outs\": [[-2]]\n     }\n},\n{\n     
\"class\": null,\n     \"filename\": \"/home/dev/test.php\",\n     \"function name\": \"tainte\",\n     \"number of ops\": 7,\n     \"compiled vars\": [\"src\", \"dst\"],\n     \"ops\": {\n          \"line\": [7, 9, null, 10, null, null, 11],\n          \"#\": [0, 1, 2, 3, 4, 5, 6],\n          \"*\": [null, null, null, null, null, null, \"*\"],\n          \"E\": [\"E\", null, null, null, null, null, null],\n          \"I\": [\"\u003e\", null, null, null, null, null, null],\n          \"O\": [null, null, null, null, null, \"\u003e\", \"\u003e\"],\n          \"op_code\": [63, 1, 38, 8, 8, 62, 62],\n          \"op\": [\"RECV\", \"ADD\", \"ASSIGN\", \"CONCAT\", \"CONCAT\", \"RETURN\", \"RETURN\"],\n          \"fetch\": [\"\", \"\", \"\", \"\", \"\", \"\", \"\"],\n          \"ext\": [null, null, null, null, null, null, null],\n          \"return_type\": [\"IS_CV\", \"IS_TMP_VAR\", null, \"IS_TMP_VAR\", \"IS_TMP_VAR\", null, null],\n          \"return\": [\"!0\", \"~2\", null, \"~4\", \"~5\", null, null],\n          \"op1_type\": [\"IS_UNUSED\", \"IS_CV\", \"IS_CV\", \"IS_CONST (9)\", \"IS_TMP_VAR\", \"IS_TMP_VAR\", \"IS_CONST (5)\"],\n          \"op1\": [null, \"!0\", \"!1\", \"%3Cdiv+id%3D%27\", \"~4\", \"~5\", null],\n          \"op2_type\": [null, \"IS_CONST (12)\", \"IS_TMP_VAR\", \"IS_CV\", \"IS_CONST (8)\", null, null],\n          \"op2\": [null, 0, \"~2\", \"!1\", \"%27%3Econtent%3C%2Fdiv%3E\", null, null],\n          \"ext_op_type\": [null, null, null, null, null, null, null],\n          \"ext_op\": [null, null, null, null, null, null, null]\n     },\n     \"path\": [[0]],\n     \"branch\": {\n          \"sline\": [7],\n          \"eline\": [11],\n          \"sop\": [0],\n          \"eop\": [6],\n          \"outs\": [[]]\n     }\n}]\n```\n\nCompared with the original plain-text output, this is much friendlier to programmatic use.\n\n## Scripted Invocation\n\nSuppose we need to analyze a batch (10000+) of independent PHP scripts, and the working directory is laid out as shown below.\n\n```txt\npwd\n|--samples\n   |--good\n   |  |--g0001.php\n   |  |--g0002.php\n   |     ```\n   |--bad\n      |--b0001.php\n      |--b0002.php\n 
        ```\n```\n\nThe `utils` subdirectory of this repository provides a utility for quickly generating path information with the same structure; compile it yourself and copy it to a directory on the system `PATH`.\n\n```bash\n$ gcc utils/chloc.c -o utils/chloc \u0026\u0026 cp utils/chloc /usr/local/bin/\n# Copying the file to /usr/local/bin/ requires root privileges or sudo\n```\n\nThen manually create a subdirectory with the same structure (opcodes) to hold the vld output, as shown below.\n\n```txt\npwd\n|--samples\n|--opcodes\n   |--good\n   |--bad\n```\n\nUse `find` and `awk` to build the vld invocation commands in bulk, as follows.\n\n```bash\n$ export vld=\"php -dvld.active=1 -dvld.execute=0 -dvld.dump_json=1 -dvld.format=1 -dvld.verbosity=3\"\n# Pass the vld command to awk through an environment variable\n$ find . -wholename \"./samples/good/*.php\" -or -wholename \"./samples/bad/*.php\"\\\n  |awk '{cmd=\"chloc . ./opcodes .json \"$1;\n  cmd|getline dst;\n  print vld, $1, \"\u003e\",dst;\n  close(cmd);\n  print \"echo -ne \\r No.\",NR,\" \"}' vld=\"$vld\"|bash \u0026\u0026 \\\n  echo -e \"\\ndone\"\n```\n\nThe commands above generate the corresponding vld analysis reports in JSON format in the specified subdirectory, with a progress display.\n\n## TODO\n\n- [x] ~~Add the branch info content from the original output.~~\n- [x] ~~Add support for class_table and function_table.~~\n- [x] ~~Provide a demo invocation script (the project began a refactor in late July 2020, so the original script is obsolete)~~\n- [x] ~~Optimize memory use for large JSON output to prevent memory errors.~~\n- [ ] Waiting for new requirements (issues are welcome).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchanthmiao%2Fvld","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchanthmiao%2Fvld","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchanthmiao%2Fvld/lists"}