phptaint 0.1.0

Security-focused PHP lexer, parser, AST, and configurable taint analysis engine
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161

# phptaint

Security-focused PHP lexer, parser, and taint analysis engine with configurable sink registries.

`phptaint` is designed for security tooling rather than full-fidelity PHP compilation. It parses the PHP constructs that matter for taint analysis, tracks flows from superglobals into sinks, supports framework presets, and now loads custom registry rules from TOML.

## Features

- PHP lexer with span tracking
- AST and parser for security-relevant PHP constructs
- Taint analysis across assignments, calls, methods, hooks, and user-defined functions
- Built-in registries for `php_core`, `wordpress`, and `laravel`
- TOML-backed custom sink and sanitizer registry loading
- Support for modern constructs including `match`, `enum`, and `readonly`
- Single-file and multi-file analysis

## Installation

```toml
[dependencies]
phptaint = "0.1"
```

## Quick Start

```rust
use phptaint::{analyze, TaintRegistry};

let findings = analyze(
    "sample.php",
    r#"<?php
$cmd = $_GET['cmd'];
eval($cmd);
"#,
    &TaintRegistry::php_core(),
);

assert!(findings.iter().any(|finding| finding.category == "RCE"));
```

## Modern PHP Constructs

The parser intentionally supports a focused subset of modern PHP that commonly appears in real applications and plugins:

- `match` expressions
- `enum` declarations, including backed enums
- `readonly class` declarations and readonly property modifiers
- nullsafe calls, closures, arrow functions, hooks, and common control flow

Example:

```rust
use phptaint::{analyze, TaintRegistry};

let findings = analyze(
    "match.php",
    r#"<?php
$payload = match($kind) {
    "cmd" => $_GET['cmd'],
    default => "id",
};
eval($payload);
"#,
    &TaintRegistry::php_core(),
);

assert!(findings.iter().any(|finding| finding.category == "RCE"));
```

## Built-In Registries

Use the built-in presets directly:

```rust
use phptaint::{analyze, TaintRegistry};

let source = r#"<?php
$url = $_GET['redirect'];
wp_redirect($url);
"#;

let findings = analyze("plugin.php", source, &TaintRegistry::wordpress());
assert!(findings.iter().any(|finding| finding.category == "Open Redirect"));
```

## TOML Registry Configuration

Custom sinks and sanitizers can now be loaded from TOML with `RegistryFile`:

```rust
use phptaint::{analyze, RegistryFile};

let registry = RegistryFile::from_toml(
    r#"
presets = ["php_core"]
sanitizers = ["safe_template"]

[[sinks]]
function = "render_template"
dangerous_args = [0]
category = "SSTI"
severity = "high"

[[method_sinks]]
object_pattern = "renderer"
method = "render"
dangerous_args = [0]
category = "SSTI"
severity = "critical"
"#,
    "<inline>",
)?
.into_registry()?;

let findings = analyze(
    "custom.php",
    r#"<?php
$tpl = $_GET['tpl'];
render_template($tpl);
"#,
    &registry,
);

assert!(findings.iter().any(|finding| finding.category == "SSTI"));
# Ok::<(), Box<dyn std::error::Error>>(())
```

## Multi-File Analysis

```rust
use phptaint::{analyze_multi, TaintRegistry};

let findings = analyze_multi(
    &[
        ("a.php", "<?php function run_cmd($value) { exec($value); }"),
        ("b.php", "<?php $cmd = $_GET['cmd']; run_cmd($cmd);"),
    ],
    &TaintRegistry::php_core(),
);

assert!(findings.iter().any(|finding| finding.category == "RCE"));
```

## Examples

Run the bundled examples:

```bash
cargo run --example basic
cargo run --example toml_registry
```

## Development

- `cargo fmt`
- `cargo check --all-targets`
- `cargo test`

## License

MIT