§phptaint
Security-focused PHP lexer, parser, AST, and configurable taint analysis.
This crate provides the PHP parsing and taint analysis infrastructure shared across all Santh PHP security tools. It is NOT a general-purpose PHP parser — it parses the subset needed for security analysis.
§Architecture
PHP Source → Lexer → Tokens → Parser → AST → Taint Analysis → Findings
                                                   ↑
                                     TaintRegistry (configurable)
                                     - php_core() → eval, exec, echo...
                                     - wordpress() → wp_redirect, add_action...
                                     - laravel() → DB::raw, Blade...
                                     - custom → your rules

§Usage
use phptaint::taint::{TaintRegistry, analyze};

// Core PHP rules: $_GET is a taint source and eval() is a sink, so the
// flow $_GET['cmd'] -> $cmd -> eval($cmd) is reported as an RCE finding.
let findings = analyze("test.php", r#"<?php
$cmd = $_GET['cmd'];
eval($cmd);
?>"#, &TaintRegistry::php_core());
assert!(!findings.is_empty());
assert_eq!(findings[0].category, "RCE");

§WordPress
use phptaint::taint::{TaintRegistry, analyze};

// The WordPress registry adds framework sinks such as wp_redirect(), so a
// user-controlled redirect target is reported as an open redirect.
let findings = analyze("plugin.php", r#"<?php
$url = $_GET['redirect'];
wp_redirect($url);
?>"#, &TaintRegistry::wordpress());
assert!(findings.iter().any(|f| f.category == "Open Redirect"));

Re-exports§
pub use config::MethodSinkConfig;
pub use config::RegistryConfig;
pub use config::RegistryConfigError;
pub use config::RegistryFile;
pub use config::SinkConfig;
pub use severity::Severity;
pub use taint::analyze;
pub use taint::analyze_multi;
pub use taint::TaintFinding;
pub use taint::TaintRegistry;
Modules§
- ast
  PHP AST node definitions — Statement, Expression, Span, and related types used by the parser and taint analyzer.
- config
  TOML-backed configuration for building crate::taint::TaintRegistry values.
- lexer
  PHP lexer — tokenizes PHP source into a stream of typed tokens with span tracking for line/column reporting in taint analysis.
- parser
  PHP parser — builds an AST from the token stream.
- severity
  Severity levels used by phptaint findings and rules.
- taint
  Registry-driven PHP taint analysis — tracks data flow from superglobal sources to configurable sinks with inter-procedural summary propagation.
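The registry-driven pipeline described in Architecture, Usage and the taint module, reduced to a self-contained toy so the mechanics are visible. This is an added example, not phptaint's code: it skips the real lexer and parser and assumes one PHP statement per line, and the Registry, SinkRule and Finding types, the sanitizer set, and the my_query sink are constructed here and are not the crate's API. It goes slightly beyond the page by also showing taint being cleared by a sanitizer call and by reassignment.

```rust
use std::collections::HashSet;

/// One sink rule: the called function and the finding category it yields.
/// (Constructed type for this example; not phptaint's own.)
#[derive(Clone, Debug)]
pub struct SinkRule {
    pub func: &'static str,
    pub category: &'static str,
}

/// Minimal registry: tainted superglobal sources, sanitizers that clear
/// taint, and sinks. The preset names only mirror the page's presets.
pub struct Registry {
    pub sources: HashSet<&'static str>,
    pub sanitizers: HashSet<&'static str>,
    pub sinks: Vec<SinkRule>,
}

impl Registry {
    pub fn php_core() -> Self {
        Registry {
            sources: HashSet::from(["$_GET", "$_POST", "$_COOKIE", "$_REQUEST"]),
            sanitizers: HashSet::from(["intval", "escapeshellarg", "htmlspecialchars"]),
            sinks: vec![
                SinkRule { func: "eval", category: "RCE" },
                SinkRule { func: "exec", category: "Command Injection" },
                SinkRule { func: "echo", category: "XSS" },
            ],
        }
    }

    /// Framework preset: the core rules plus framework-specific sinks.
    pub fn wordpress() -> Self {
        let mut reg = Self::php_core();
        reg.sinks.push(SinkRule { func: "wp_redirect", category: "Open Redirect" });
        reg
    }
}

#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub line: usize,
    pub sink: String,
    pub category: String,
}

/// Does `expr` carry taint? Handles `$_GET['k']`, tainted variables,
/// `.` concatenation and call expressions: a sanitizer call clears taint,
/// any other call is assumed to pass its argument's taint through.
fn is_tainted(expr: &str, tainted: &HashSet<String>, reg: &Registry) -> bool {
    let expr = expr.trim();
    if let Some((callee, rest)) = expr.split_once('(') {
        if reg.sanitizers.contains(callee.trim()) {
            return false;
        }
        return is_tainted(rest.trim_end_matches(')'), tainted, reg);
    }
    expr.split('.').any(|part| {
        let base = part.trim().split('[').next().unwrap_or("").trim();
        reg.sources.contains(base) || tainted.contains(base)
    })
}

/// Toy flow-sensitive, intra-procedural taint pass over one statement per line.
pub fn analyze(src: &str, reg: &Registry) -> Vec<Finding> {
    let mut tainted: HashSet<String> = HashSet::new();
    let mut findings = Vec::new();
    for (idx, raw) in src.lines().enumerate() {
        let line = raw.trim().trim_end_matches(';').trim();
        if line.is_empty() || line.starts_with("<?php") || line.starts_with("?>") {
            continue;
        }
        // Assignment `$var = <expr>` (a `==` comparison is not one).
        if let Some((lhs, rhs)) = line.split_once('=') {
            let (lhs, rhs) = (lhs.trim(), rhs.trim());
            if lhs.starts_with('$') && !rhs.starts_with('=') {
                if is_tainted(rhs, &tainted, reg) {
                    tainted.insert(lhs.to_string());
                } else {
                    tainted.remove(lhs); // overwritten with clean data
                }
                continue;
            }
        }
        // Sink candidates: the `echo` construct or a plain `func(<arg>)` call.
        let (callee, arg) = if let Some(rest) = line.strip_prefix("echo ") {
            ("echo", rest)
        } else if let Some((c, r)) = line.split_once('(') {
            (c.trim(), r.trim_end_matches(')'))
        } else {
            continue;
        };
        if let Some(rule) = reg.sinks.iter().find(|r| r.func == callee) {
            if is_tainted(arg, &tainted, reg) {
                findings.push(Finding {
                    line: idx + 1,
                    sink: rule.func.to_string(),
                    category: rule.category.to_string(),
                });
            }
        }
    }
    findings
}

fn main() {
    // Constructed sample input: the page's eval() example.
    let src = "<?php\n$cmd = $_GET['cmd'];\neval($cmd);\n?>";
    for f in analyze(src, &Registry::php_core()) {
        println!("line {}: {}() -> {}", f.line, f.sink, f.category);
    }
}
```

The point of the registry split is that the analysis core never changes: the same pass reports wp_redirect() only when the WordPress preset (or a custom rule pushed onto `sinks`) names it as a sink, and stays silent under the core preset.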