Fork 0
mirror of https://github.com/salesagility/SuiteCRM.git synced 2025-03-15 22:04:51 +00:00

984 lines
31 KiB
Raw Permalink Normal View History

2013-09-23 19:30:44 +00:00
2018-07-12 10:40:10 +00:00
if (!defined('sugarEntry') || !sugarEntry) {
die('Not A Valid Entry Point');
2013-09-23 19:30:44 +00:00
* SugarCRM Community Edition is a customer relationship management program developed by
* SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.
* SuiteCRM is an extension to SugarCRM Community Edition developed by SalesAgility Ltd.
* Copyright (C) 2011 - 2018 SalesAgility Ltd.
2014-07-07 15:33:23 +00:00
2013-09-23 19:30:44 +00:00
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU Affero General Public License version 3 as published by the
* Free Software Foundation with the addition of the following permission added
* to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
2013-09-23 19:30:44 +00:00
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
2013-09-23 19:30:44 +00:00
* details.
2013-09-23 19:30:44 +00:00
* You should have received a copy of the GNU Affero General Public License along with
* this program; if not, see http://www.gnu.org/licenses or write to the Free
* Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301 USA.
2013-09-23 19:30:44 +00:00
* You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
* SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
2013-09-23 19:30:44 +00:00
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
2013-09-23 19:30:44 +00:00
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "Powered by
2014-07-07 15:33:23 +00:00
* SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not
* reasonably feasible for technical reasons, the Appropriate Legal Notices must
* display the words "Powered by SugarCRM" and "Supercharged by SuiteCRM".
2013-09-23 19:30:44 +00:00
if (!defined('sugarEntry') || !sugarEntry) {
die('Not A Valid Entry Point');
2013-09-23 19:30:44 +00:00
2023-06-01 13:09:49 +00:00
2018-06-21 20:05:17 +00:00
class ModuleScanner
2018-07-12 10:40:10 +00:00
private $manifestMap = array(
2017-10-05 10:13:20 +00:00
'pre_execute' => 'pre_execute',
'install_mkdirs' => 'mkdir',
'install_copy' => 'copy',
'install_images' => 'image_dir',
'install_menus' => 'menu',
'install_userpage' => 'user_page',
'install_dashlets' => 'dashlets',
'install_administration' => 'administration',
'install_connectors' => 'connectors',
'install_vardefs' => 'vardefs',
'install_layoutdefs' => 'layoutdefs',
'install_layoutfields' => 'layoutfields',
'install_relationships' => 'relationships',
'install_languages' => 'language',
'install_logichooks' => 'logic_hooks',
'post_execute' => 'post_execute',
2013-09-23 19:30:44 +00:00
2019-01-25 14:07:05 +00:00
2013-09-23 19:30:44 +00:00
2019-01-25 13:51:46 +00:00
* config settings
* @var array
private $config = array();
private $config_hash;
2013-09-23 19:30:44 +00:00
2019-01-25 13:51:46 +00:00
private $blackListExempt = array();
private $classBlackListExempt = array();
2013-09-23 19:30:44 +00:00
2017-10-05 10:13:20 +00:00
private $validExt = array(
2018-07-12 10:40:10 +00:00
private $classBlackList = array(
2013-09-23 19:30:44 +00:00
// Class names specified here must be in lowercase as the implementation
// of the tokenizer converts all tokens to lowercase.
2019-01-25 14:07:05 +00:00
2013-09-23 19:30:44 +00:00
2018-07-12 10:40:10 +00:00
private $blackList = array(
2017-10-05 10:13:20 +00:00
2021-12-17 12:36:31 +00:00
2018-07-16 01:52:19 +00:00
//mutliple files per function call
2013-09-23 19:30:44 +00:00
2019-01-25 14:07:05 +00:00
2013-09-23 19:30:44 +00:00
// Functions that have callbacks can circumvent our security measures.
// List retrieved through PHP's XML documentation, and running the
// following script in the reference directory:
// grep -R callable . | grep -v \.svn | grep methodparam | cut -d: -f1 | sort -u | cut -d"." -f2 | sed 's/\-/\_/g' | cut -d"/" -f4
// AMQPQueue
// PHP internal - arrays
// EIO functions that accept callbacks.
// PHP internal - error functions
// Forms Data Format functions
// PHP internal - function handling
// Gearman
// Firebird/InterBase
// LibXML
// Mailparse functions
// Memcache(d) functions
// MySQLi
// PHP internal - network functions
// Newt
// OAuth
// PHP internal - output control
// PHP internal - PCNTL
// PHP internal - PCRE
// SQLite
// RarArchive
// Readline
// PHP internal - session handling
// PHP internal - SPL
// Sybase
// PHP internal - variable handling
// XML Parser
2019-01-25 14:07:05 +00:00
2013-09-23 19:30:44 +00:00
2018-07-16 01:52:19 +00:00
// unzip
2017-10-05 10:13:20 +00:00
private $methodsBlackList = array(
'put' => array('sugarautoloader'),
'unlink' => array('sugarautoloader')
2013-09-23 19:30:44 +00:00
2019-01-25 13:51:46 +00:00
public function printToWiki()
echo "'''Default Extensions'''<br>";
foreach ($this->validExt as $b) {
echo '#' . $b . '<br>';
echo "'''Default Black Listed Functions'''<br>";
foreach ($this->blackList as $b) {
echo '#' . $b . '<br>';
2013-09-23 19:30:44 +00:00
2017-10-05 10:13:20 +00:00
* ModuleScanner constructor.
2013-09-23 19:30:44 +00:00
public function __construct()
$params = array(
2017-10-05 10:13:20 +00:00
2013-09-23 19:30:44 +00:00
2017-10-05 10:13:20 +00:00
2013-09-23 19:30:44 +00:00
$disableConfigOverride = defined('MODULE_INSTALLER_DISABLE_CONFIG_OVERRIDE')
$disableDefineOverride = defined('MODULE_INSTALLER_DISABLE_DEFINE_OVERRIDE')
if (!$disableConfigOverride && !empty($GLOBALS['sugar_config']['moduleInstaller'])) {
$this->config = $GLOBALS['sugar_config']['moduleInstaller'];
foreach ($params as $param => $constName) {
if (!$disableConfigOverride && isset($this->config[$param]) && is_array($this->config[$param])) {
$this->{$param} = array_merge($this->{$param}, $this->config[$param]);
if (!$disableDefineOverride && defined($constName)) {
$value = constant($constName);
$value = explode(',', $value);
$value = array_map('trim', $value);
$value = array_filter($value, 'strlen');
$this->{$param} = array_merge($this->{$param}, $value);
2019-01-25 13:51:46 +00:00
private $issues = array();
private $pathToModule = '';
*returns a list of issues
public function getIssues()
return $this->issues;
*returns true or false if any issues were found
public function hasIssues()
return !empty($this->issues);
*Ensures that a file has a valid extension
public function isValidExtension($file)
$file = strtolower($file);
$pi = pathinfo($file);
//make sure they don't override the files.md5
if (empty($pi['extension']) || $pi['basename'] == 'files.md5') {
return false;
return in_array($pi['extension'], $this->validExt);
public function isConfigFile($file)
$real = realpath($file);
2023-06-01 13:09:49 +00:00
if ($real === realpath("config.php")) {
2019-01-25 13:51:46 +00:00
return true;
2023-06-01 13:09:49 +00:00
if (file_exists("config_override.php") && $real === realpath("config_override.php")) {
2019-01-25 13:51:46 +00:00
return true;
return false;
*Scans a directory and calls on scan file for each file
public function scanDir($path)
static $startPath = '';
if (empty($startPath)) {
$startPath = $path;
if (!is_dir($path)) {
return false;
$d = dir($path);
while ($e = $d->read()) {
$next = $path . '/' . $e;
if (is_dir($next)) {
if (substr($e, 0, 1) == '.') {
} else {
$issues = $this->scanFile($next);
return true;
* Check if the file contents looks like PHP
* @param string $contents File contents
* @return boolean
public function isPHPFile($contents)
if (stripos($contents, '<?php') !== false) {
return true;
for ($tag=0;($tag = stripos($contents, '<?', $tag)) !== false;$tag++) {
if (strncasecmp(substr($contents, $tag, 13), '<?xml version', 13) == 0) {
2013-09-23 19:30:44 +00:00
// <?xml version is OK, skip it
2017-10-05 10:13:20 +00:00
2013-09-23 19:30:44 +00:00
// found <?, it's PHP
return true;
2019-01-25 13:51:46 +00:00
2021-12-17 12:36:31 +00:00
2019-01-25 13:51:46 +00:00
return false;
* Given a file it will open it's contents and check if it is a PHP file (not safe to just rely on extensions) if it finds <?php tags it will use the tokenizer to scan the file
* $var() and ` are always prevented then whatever is in the blacklist.
* It will also ensure that all files are of valid extension types
public function scanFile($file)
$issues = array();
if (!$this->isValidExtension($file)) {
2021-12-17 12:36:31 +00:00
$issues[] = translate('ML_INVALID_EXT', 'Administration');
2019-01-25 13:51:46 +00:00
$this->issues['file'][$file] = $issues;
return $issues;
if ($this->isConfigFile($file)) {
2021-12-17 12:36:31 +00:00
$issues[] = translate('ML_OVERRIDE_CORE_FILES', 'Administration');
2019-01-25 13:51:46 +00:00
$this->issues['file'][$file] = $issues;
2021-12-17 12:36:31 +00:00
2019-01-25 13:51:46 +00:00
return $issues;
$contents = file_get_contents($file);
if (!$this->isPHPFile($contents)) {
2023-11-02 13:35:17 +00:00
$issues[] = translate('ML_INVALID_PHP_FILE', 'Administration');
$this->issues['file'][$file] = $issues;
2019-01-25 13:51:46 +00:00
return $issues;
$tokens = @token_get_all($contents);
$checkFunction = false;
$possibleIssue = '';
$lastToken = false;
2024-10-31 08:06:51 +00:00
$return = false;
2019-01-25 13:51:46 +00:00
foreach ($tokens as $index=>$token) {
if (is_string($token[0])) {
switch ($token[0]) {
2019-01-25 14:07:05 +00:00
case '`':
2021-12-17 12:36:31 +00:00
$issues['backtick'] = translate('ML_INVALID_FUNCTION', 'Administration') . " '`'";
2019-01-25 14:16:31 +00:00
// no break
2019-01-25 14:07:05 +00:00
case '(':
if ($checkFunction) {
$issues[] = $possibleIssue;
2024-10-31 08:06:51 +00:00
case ']':
if ($checkFunction){
$issues[] = $possibleIssue;
if ($return && $checkFunction){
$issues[] = $possibleIssue;
2019-01-25 14:07:05 +00:00
2024-10-31 08:06:51 +00:00
2019-01-25 13:51:46 +00:00
$checkFunction = false;
$possibleIssue = '';
} else {
$token['_msi'] = token_name($token[0]);
switch ($token[0]) {
case T_WHITESPACE: break;
2019-01-25 14:07:05 +00:00
case T_EVAL:
if (in_array('eval', $this->blackList) && !in_array('eval', $this->blackListExempt)) {
2021-12-17 12:36:31 +00:00
$issues[]= translate('ML_INVALID_FUNCTION', 'Administration') . ' eval()';
2019-01-25 14:07:05 +00:00
2021-12-17 12:36:31 +00:00
case T_ECHO:
$issues[]= translate('ML_INVALID_FUNCTION', 'Administration') . ' echo';
case T_EXIT:
$issues[]= translate('ML_INVALID_FUNCTION', 'Administration') . ' exit / die';
2019-01-25 14:07:05 +00:00
case T_STRING:
2024-10-31 08:06:51 +00:00
$token[1] = trim(strtolower($token[1]),'\'"');
2019-01-25 14:07:05 +00:00
if ($lastToken !== false && $lastToken[0] == T_NEW) {
if (!in_array($token[1], $this->classBlackList)) {
if (in_array($token[1], $this->classBlackListExempt)) {
} elseif ($token[0] == T_DOUBLE_COLON) {
if (!in_array($lastToken[1], $this->classBlackList)) {
if (in_array($lastToken[1], $this->classBlackListExempt)) {
} else {
//if nothing else fit, lets check the last token to see if this is a possible method call
if ($lastToken !== false &&
2019-01-25 13:51:46 +00:00
($lastToken[0] == T_OBJECT_OPERATOR || $lastToken[0] == T_DOUBLE_COLON)) {
2019-01-25 14:07:05 +00:00
// check static blacklist for methods
if (!empty($this->methodsBlackList[$token[1]])) {
if ($this->methodsBlackList[$token[1]] == '*') {
2021-12-17 12:36:31 +00:00
$issues[]= translate('ML_INVALID_METHOD', 'Administration') . ' ' .$token[1]. '()';
2019-01-25 14:07:05 +00:00
2021-12-17 12:36:31 +00:00
if ($lastToken[0] == T_DOUBLE_COLON && $index > 2 && $tokens[$index-2][0] == T_STRING) {
$classname = strtolower($tokens[$index-2][1]);
if (in_array($classname, $this->methodsBlackList[$token[1]])) {
$issues[]= translate('ML_INVALID_METHOD', 'Administration') . ' ' .$classname . '::' . $token[1]. '()';
2019-01-25 14:07:05 +00:00
//this is a method call, check the black list
if (in_array($token[1], $this->methodsBlackList)) {
2021-12-17 12:36:31 +00:00
$issues[]= translate('ML_INVALID_METHOD', 'Administration') . ' ' .$token[1]. '()';
2019-01-25 14:07:05 +00:00
if (!in_array($token[1], $this->blackList)) {
if (in_array($token[1], $this->blackListExempt)) {
2024-10-31 08:06:51 +00:00
if ($lastToken[1] === 'return'){
$return = true;
2019-01-25 14:07:05 +00:00
2019-01-25 14:16:31 +00:00
// no break
2019-01-25 14:07:05 +00:00
$checkFunction = true;
2021-12-17 12:36:31 +00:00
$possibleIssue = translate('ML_INVALID_FUNCTION', 'Administration') . ' ' . $token[1] . '()';
2019-01-25 14:07:05 +00:00
$checkFunction = false;
$possibleIssue = '';
2019-01-25 13:51:46 +00:00
if ($token[0] != T_WHITESPACE) {
$lastToken = $token;
if (!empty($issues)) {
$this->issues['file'][$file] = $issues;
2019-01-25 13:51:46 +00:00
return $issues;
2013-09-23 19:30:44 +00:00
2014-12-24 11:49:27 +00:00
* checks files.md5 file to see if the file is from sugar
* @param string $path
* @return bool
public function sugarFileExists($path)
static $md5 = array();
if (empty($md5) && file_exists('files.md5')) {
$md5 = isset($md5_string) ? $md5_string : null;
2014-12-24 11:49:27 +00:00
if ($path[0] !== '.' || $path[1] !== '/') {
2014-12-24 11:49:27 +00:00
$path = './' . $path;
if (isset($md5[$path])) {
return true;
2013-09-23 19:30:44 +00:00
2014-12-24 11:49:27 +00:00
return false;
2013-09-23 19:30:44 +00:00
2014-12-24 11:49:27 +00:00
* Normalize a path to not contain dots & multiple slashes
* @param string $path
* @return string false
public function normalizePath($path)
2017-10-05 10:13:20 +00:00
2014-12-24 11:49:27 +00:00
// convert to / for OSes that use other separators
$path = str_replace(DIRECTORY_SEPARATOR, '/', $path);
$res = array();
foreach (explode("/", $path) as $component) {
if (empty($component)) {
2017-10-05 10:13:20 +00:00
if ($component === '.') {
2014-12-24 11:49:27 +00:00
2017-10-05 10:13:20 +00:00
if ($component === '..') {
2014-12-24 11:49:27 +00:00
// this is not allowed, bail
return false;
$res[] = $component;
2013-09-23 19:30:44 +00:00
return implode("/", $res);
2014-12-24 11:49:27 +00:00
2013-09-23 19:30:44 +00:00
2019-01-25 13:51:46 +00:00
*This function will scan the Manifest for disabled actions specified in $GLOBALS['sugar_config']['moduleInstaller']['disableActions']
*if $GLOBALS['sugar_config']['moduleInstaller']['disableRestrictedCopy'] is set to false or not set it will call on scanCopy to ensure that it is not overriding files
2014-12-24 11:49:27 +00:00
public function scanManifest($manifestPath)
2019-01-25 13:51:46 +00:00
$issues = array();
if (!file_exists($manifestPath)) {
$this->issues['manifest'][$manifestPath] = translate('ML_NO_MANIFEST');
return $issues;
$fileIssues = $this->scanFile($manifestPath);
//if the manifest contains malicious code do not open it
if (!empty($fileIssues)) {
return $fileIssues;
list($manifest, $installdefs) = MSLoadManifest($manifestPath);
$fileIssues = $this->checkConfig($manifestPath);
if (!empty($fileIssues)) {
return $fileIssues;
//scan for disabled actions
if (isset($this->config['disableActions'])) {
foreach ($this->config['disableActions'] as $action) {
if (isset($installdefs[$this->manifestMap[$action]])) {
$issues[] = translate('ML_INVALID_ACTION_IN_MANIFEST') . $this->manifestMap[$action];
2013-09-23 19:30:44 +00:00
2014-12-24 11:49:27 +00:00
// now lets scan for files that will override our files
if (empty($this->config['disableRestrictedCopy']) && isset($installdefs['copy'])) {
foreach ($installdefs['copy'] as $copy) {
$from = $this->normalizePath($copy['from']);
if ($from === false) {
2017-10-05 10:13:20 +00:00
$this->issues['copy'][$copy['from']] = translate('ML_PATH_MAY_NOT_CONTAIN') .
' ".." -' . $copy['from'];
2014-12-24 11:49:27 +00:00
$from = str_replace('<basepath>', $this->pathToModule, $from);
$to = $this->normalizePath($copy['to']);
if ($to === false) {
$this->issues['copy'][$copy['to']] = translate('ML_PATH_MAY_NOT_CONTAIN') . ' ".." -' . $copy['to'];
if ($to === '') {
$to = ".";
$this->scanCopy($from, $to);
if (!empty($issues)) {
$this->issues['manifest'][$manifestPath] = $issues;
2019-01-25 13:51:46 +00:00
2013-09-23 19:30:44 +00:00
2014-12-24 11:49:27 +00:00
* Takes in where the file will is specified to be copied from and to
* and ensures that there is no official sugar file there.
* If the file exists it will check
* against the MD5 file list to see if Sugar Created the file
* @param string $from source filename
* @param string $to destination filename
public function scanCopy($from, $to)
// if the file doesn't exist for the $to then it is not overriding anything
if (!file_exists($to)) {
if (is_dir($from)) {
$d = dir($from);
while ($e = $d->read()) {
2017-10-05 10:13:20 +00:00
if ($e === '.' || $e === '..') {
2014-12-24 11:49:27 +00:00
$this->scanCopy($from . '/' . $e, $to . '/' . $e);
2017-10-05 10:13:20 +00:00
2014-12-24 11:49:27 +00:00
// if $to is a dir and $from is a file then make $to a full file path as well
if (is_dir($to) && is_file($from)) {
2017-10-05 10:13:20 +00:00
$to = rtrim($to, '/') . '/' . basename($from);
2014-12-24 11:49:27 +00:00
// if the $to is a file and it is found in sugarFileExists then don't allow overriding it
if (is_file($to) && $this->sugarFileExists($to)) {
$this->issues['copy'][$from] = translate('ML_OVERRIDE_CORE_FILES') . '(' . $to . ')';
2018-07-12 10:40:10 +00:00
*Main external function that takes in a path to a package and then scans
*that package's manifest for disabled actions and then it scans the PHP files
*for restricted function calls
public function scanPackage($path)
$this->pathToModule = $path;
$this->scanManifest($path . '/manifest.php');
if (empty($this->config['disableFileScan'])) {
2018-07-12 10:40:10 +00:00
*This function will take all issues of the current instance and print them to the screen
2021-12-17 12:36:31 +00:00
public function displayIssues($package = 'Package')
2018-07-12 10:40:10 +00:00
2021-12-17 12:36:31 +00:00
foreach ($this->issues as $type => $issues) {
echo '<h2 class="error">' . ucfirst($type) . ' ' . translate('ML_ISSUES', 'Administration') . '</h2>';
2019-01-25 13:51:46 +00:00
echo '<div id="details' . $type . '" >';
2021-12-17 12:36:31 +00:00
foreach ($issues as $file => $issue) {
2023-06-01 13:09:49 +00:00
$file = preg_replace('/.*\//', '', (string) $file);
2019-01-25 13:51:46 +00:00
echo '<div style="position:relative;left:10px"><b>' . $file . '</b></div><div style="position:relative;left:20px">';
if (is_array($issue)) {
foreach ($issue as $i) {
echo "$i<br>";
} else {
echo "$issue<br>";
echo "</div>";
echo '</div>';
echo "<br><input class='button' onclick='document.location.href=\"index.php?module=Administration&action=UpgradeWizard&view=module\"' type='button' value=\"" . translate('LBL_UW_BTN_BACK_TO_MOD_LOADER') . "\" />";
2013-09-23 19:30:44 +00:00
2021-12-17 12:36:31 +00:00
*This function will take all issues of the current instance and add them to a string
public function getIssuesLog($package = 'Package')
$message = '';
foreach ($this->issues as $type => $issues) {
$message .= '<h2 class="error">' . ucfirst($type) . ' ' . translate('ML_ISSUES',
'Administration') . '</h2>';
$message .= '<div id="details' . $type . '" >';
foreach ($issues as $file => $issue) {
2023-06-01 13:09:49 +00:00
$file = preg_replace('/.*\//', '', (string) $file);
2021-12-17 12:36:31 +00:00
$message .= '<div style="position:relative;left:10px"><b>' . $file . '</b></div><div style="position:relative;left:20px">';
if (is_array($issue)) {
foreach ($issue as $i) {
$message .= "$i<br>";
} else {
$message .= "$issue<br>";
$message .= "</div>";
$message .= '</div>';
return $message;
2019-01-25 13:51:46 +00:00
* Lock config settings
public function lockConfig()
if (empty($this->config_hash)) {
$this->config_hash = md5(serialize($GLOBALS['sugar_config']));
* Check if config was modified. Return
* @param string $file
* @return array Errors if something wrong, false if no problems
public function checkConfig($file)
$config_hash_after = md5(serialize($GLOBALS['sugar_config']));
if ($config_hash_after != $this->config_hash) {
2021-12-17 12:36:31 +00:00
$this->issues['file'][$file] = array(translate('ML_CONFIG_OVERRIDE', 'Administration'));
2019-01-25 13:51:46 +00:00
return $this->issues;
return false;
2013-09-23 19:30:44 +00:00
* Load manifest file
* Outside of the class to isolate the context
* @param string $manifest_file
* @return array
function MSLoadManifest($manifest_file)
2019-01-25 13:51:46 +00:00
return array($manifest, $installdefs);
2013-09-23 19:30:44 +00:00