1 <?PHP
2 /*********************************************************************************
3  * SugarCRM Community Edition is a customer relationship management program developed by
4  * SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.
5  * 
6  * This program is free software; you can redistribute it and/or modify it under
7  * the terms of the GNU Affero General Public License version 3 as published by the
8  * Free Software Foundation with the addition of the following permission added
9  * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
10  * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
11  * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
12  * 
13  * This program is distributed in the hope that it will be useful, but WITHOUT
14  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
15  * FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
16  * details.
17  * 
18  * You should have received a copy of the GNU Affero General Public License along with
19  * this program; if not, see http://www.gnu.org/licenses or write to the Free
20  * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
21  * 02110-1301 USA.
22  * 
23  * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
24  * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
25  * 
26  * The interactive user interfaces in modified source and object code versions
27  * of this program must display Appropriate Legal Notices, as required under
28  * Section 5 of the GNU Affero General Public License version 3.
29  * 
30  * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
31  * these Appropriate Legal Notices must retain the display of the "Powered by
32  * SugarCRM" logo. If the display of the logo is not reasonably feasible for
33  * technical reasons, the Appropriate Legal Notices must display the words
34  * "Powered by SugarCRM".
35  ********************************************************************************/
36
37
38
39
40
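/**
 * Base class for a file-system scanner.
 *
 * scan() walks a directory tree and hands every matching file to
 * scanContents(); subclasses override that hook and append one text entry
 * per finding to $results, which display() renders as HTML and save()
 * appends to a report file.
 */
class SugarSecure{
    /** @var string[] One text entry per finding, filled by scanContents() in subclasses. */
    public $results = array();

    /**
     * Render the collected findings as an HTML table on standard output.
     *
     * Findings carry file paths and raw source snippets copied out of the
     * scanned files, so each entry is HTML-escaped before nl2br() turns its
     * newlines into <br /> tags; unescaped, a snippet containing markup would
     * be rendered instead of shown.
     *
     * @return void
     */
    public function display(){
        echo '<table>';
        foreach($this->results as $result){
            $escaped = htmlspecialchars($result, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            echo '<tr><td>' . nl2br($escaped) . '</td></tr>';
        }
        echo '</table>';
    }

    /**
     * Append every collected finding, in order, to $file.
     *
     * @param string $file Path of the report file; created when missing.
     * @return void
     * @throws InvalidArgumentException if $file is empty.
     * @throws RuntimeException if the file cannot be written.
     */
    public function save($file=''){
        if($file === ''){
            throw new InvalidArgumentException('SugarSecure::save() requires a file name');
        }
        // One appending write instead of an fopen/fwrite loop: nothing to leak
        // on failure, and LOCK_EX keeps concurrent savers from interleaving.
        $written = file_put_contents($file, implode('', $this->results), FILE_APPEND | LOCK_EX);
        if($written === false){
            throw new RuntimeException('Could not append scan results to ' . $file);
        }
    }

    /**
     * Recursively scan $path, calling scanContents() for every regular file
     * whose name ends with $ext.
     *
     * @param string $path Directory to walk.
     * @param string $ext  Required file-name suffix (case-sensitive); '' matches every file.
     * @return void
     * @throws RuntimeException if $path cannot be listed.
     */
    public function scan($path= '.', $ext = '.php'){
        $entries = scandir($path);
        if($entries === false){
            throw new RuntimeException('Cannot read directory ' . $path);
        }
        foreach($entries as $entry){
            if($entry === '.' || $entry === '..'){
                continue;
            }
            $full = $path . '/' . $entry;
            if(is_dir($full)){
                // Symlinked directories are not followed: a link pointing back
                // up the tree would otherwise recurse without end.
                if(!is_link($full)){
                    $this->scan($full, $ext);
                }
            } elseif(is_file($full) && $this->hasSuffix($entry, $ext)){
                $contents = file_get_contents($full);
                if($contents !== false){
                    $this->scanContents($contents, $full);
                }
            }
        }
    }

    /**
     * True when $name ends with $suffix; an empty suffix matches any name.
     *
     * @param string $name
     * @param string $suffix
     * @return bool
     */
    protected function hasSuffix($name, $suffix){
        $len = strlen($suffix);
        return $len === 0 || substr($name, -$len) === $suffix;
    }

    /**
     * Hook for subclasses: inspect one file's contents and append findings to
     * $this->results. The base implementation records nothing.
     *
     * @param string $contents Full text of the file.
     * @param string $file     Path the contents were read from, for reporting.
     * @return void
     */
    public function scanContents($contents, $file){
        return;
    }
}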
78
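/**
 * Scanner that flags file-inclusion and file-access calls whose argument list
 * contains a variable ('$'): require(), include(), require_once(), fopen() and
 * file_get_contents(). These are the places a reviewer should check for
 * untrusted data reaching a path or include.
 *
 * Each finding is one $results entry: the file path followed by every matching
 * call, one per line, terminated by a blank line.
 */
class ScanFileIncludes extends SugarSecure{
    /**
     * @var string[] Function names whose calls are reported when the argument
     *               text contains a '$'. include_once() is not in the list
     *               (the earlier version of this scanner left it commented
     *               out); add it here if it should be covered.
     */
    private static $watched = array('require', 'include', 'require_once', 'fopen', 'file_get_contents');

    /**
     * Collect every watched call in $contents whose parentheses contain a '$'.
     *
     * @param string $contents Source text to inspect.
     * @param string $file     Path reported alongside the matches.
     * @return void
     * @throws RuntimeException if PCRE fails (e.g. backtrack limit on a very large file).
     */
    public function scanContents($contents, $file = ''){
        $found = array();
        foreach(self::$watched as $fn){
            // Matches "<fn>(" ... ")" where the argument text holds a '$' and no ')'.
            // Built from single-quoted pieces so the regex is exactly
            //   '<fn>\([^\)]*\$[^\)]*\)'si
            $pattern = '\'' . preg_quote($fn, '\'') . '\([^\)]*\$[^\)]*\)\'si';
            if(preg_match_all($pattern, $contents, $matches) === false){
                throw new RuntimeException('Regex failed on ' . $file . ' (preg error ' . preg_last_error() . ')');
            }
            foreach($matches[0] as $call){
                $found[] = $call;
            }
        }
        if(!empty($found)){
            $this->results[] = $file . "\n" . implode("\n", $found) . "\n\n";
        }
    }
}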
127         
128
129
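/**
 * Registry that runs a set of SugarSecure scanners and aggregates their
 * output: scan() walks the tree with each scanner, display() prints each
 * scanner's findings, save() appends them all to one report file.
 */
class SugarSecureManager{
    /** @var SugarSecure[] Scanners in registration order. */
    public $scanners = array();

    /**
     * Instantiate $class and add it to the scanner list.
     *
     * The name is used with "new $class()", so it is checked against
     * SugarSecure first: anything else would be instantiated blindly and
     * only fail later on an undefined scan()/display()/save() call.
     *
     * @param string $class Name of SugarSecure or one of its subclasses.
     * @return void
     * @throws InvalidArgumentException if $class is not a SugarSecure class.
     */
    public function registerScan($class){
        if(!is_string($class) || !is_a($class, 'SugarSecure', true)){
            throw new InvalidArgumentException('registerScan() expects the name of a SugarSecure subclass');
        }
        $this->scanners[] = new $class();
    }

    /**
     * Run every registered scanner with its default arguments (the current
     * directory, see SugarSecure::scan()).
     *
     * @return void
     */
    public function scan(){
        foreach($this->scanners as $scanner){
            $scanner->scan();
        }
    }

    /**
     * Print each scanner's findings, prefixed with a "Scan Results: " label.
     *
     * @return void
     */
    public function display(){
        foreach($this->scanners as $scanner){
            echo 'Scan Results: ';
            $scanner->display();
        }
    }

    /**
     * Append every scanner's findings to one report file in the current
     * working directory.
     *
     * The name is predictable ('SugarSecure' + unix time + '.txt') and the file
     * lands in the working directory; NOTE(review): when that directory is
     * web-served, the report of suspicious includes becomes readable to anyone
     * who can guess the name — confirm where this is meant to run.
     *
     * @return string The report file name that was written.
     */
    public function save(){
        $name = 'SugarSecure'. time() . '.txt';
        foreach($this->scanners as $scanner){
            $scanner->save($name);
        }
        return $name;
    }
}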
// Entry point: register the include scanner and run it, printing the HTML
// report. This runs on every load of the file and nothing in this file checks
// who is loading it; NOTE(review): if SugarSecurity.php is reachable over HTTP,
// any visitor can trigger a full walk of the tree and read the flagged source
// snippets — confirm how it is deployed and invoked.
$secure = new SugarSecureManager();
$secure->registerScan('ScanFileIncludes');
$secure->scan();    // scanner->scan() with no arguments: walks '.' recursively
$secure->display(); // echoes the findings as HTML; save() is never called here