• This repository has been archived on 05/Jan/2024
  • Stars
    star
    133
  • Rank 272,600 (Top 6 %)
  • Language
    Java
  • License
    Other
  • Created almost 12 years ago
  • Updated 11 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Pixy is a scanner static code analysis tools that scans PHP applications for security vulnerabilities.

Pixy

Authors and maintainer

Nenad Jovanonic was the original author of Pixy. The current maintainer is Oliver Klee, [email protected].

Available Ant targets

  • build: builds the whole project
  • clean: cleans up
  • test: runs the JUnit unit tests (without generating code coverage data)
  • instrument: adds code coverage markers to the generated byte code for the code coverage
  • test-coverage: runs the JUnit unit tests and generates code coverage data (needs instrument first)
  • coverage-report: creates code coverage reports in HTML and XML in the reports/ directory.

The ant targets are marked with the corresponding dependencies, e.g., if you execute the "coverage-report" target, the "test-coverage", "instrument" and "build" targets will automatically be executed first.

Settings for IntelliJ IDEA

General settings

  • Project > Project name: pixy
  • Project > Project Language level: 7.0
  • Project > Project compiler output: build/class
  • Modules > Sources: src/ (as Source) and test/ (as Test)
  • Modules > Dependencies: lib (Scope: compile)
  • Modules > Dependencies: lib/junit.jar (Scope: compile)
  • Modules > Dependencies: transducers/jauto-classes (Scope: compile)
  • Modules > Dependencies: build/class (Scope: Runtime)

Including the PhpParser Sources

If you would like to include the PhpParser sources, you will also need the following settings (assuming that "phpparser" is the path to you PhpParser project):

  • Modules > Sources: phpparser/src/JFlex
  • Modules > Sources: phpparser/src/java_cup
  • Modules > Sources: phpparser/src/project

Run configurations

In Run > Edit configurations, create a new Application configuration with the following data:

  • Name: Pixy
  • Configuration > Main class: Checker
  • Configuration > VM options: -Dpixy.home=$MODULE_DIR$
  • Configuration > Program arguments: -a -y xss:sql $MODULE_DIR$/getstarted.php
  • Configuration > Working directory: $MODULE_DIR$
  • Configuration > Use classpath of module: pixy
  • Configuration > Before launch: Ant target: Runt Ant target 'build'

For running the unit tests, create a new JUnit entry with the following data:

  • Name: Pixy unit tests
  • Single instance only
  • Configuration > Test kind: All in directory
  • Configuration > Fork mode: class ("none" will lead to test failures)
  • Configuration > Directory: test/
  • Configuration > VM options: -ea -Dpixy.home=$MODULE_DIR$
  • Configuration > Working directory: $MODULE_DIR$
  • Configuration > Use classpath of module: pixy
  • Configuration > Before launch: Ant target: Runt Ant target 'build'

Ant configuration

In the Ant Build tool window, click on the plus icon and select the build.xml file.

Developing Pixy in Eclipse

The most recent version of Eclipse can be obtained from http://www.eclipse.org/.

Importing, adjusting & initial build

  1. create a new Java project with the default settings (name: Pixy) (--> the "eclipsed" project will reside inside the Eclipse workspace after you've finished the following steps; if you want to have it somewhere else, export it, delete it, and import it again; see below)

  2. disable "build automatically" (from the project menu)

  3. from the newly created project's context menu (package explorer), select "Import"

  • File System
    • choose the Pixy home folder (i.e. double click it, then press OK)
    • select it on the following screen (to import everything inside) ("create selected folders only"), finish
  1. if a red X appears next to the icon of the Pixy project, you forgot to disable "build automatically"

  2. adjust project properties (from its context menu again):

  • Builders:
    • deselect "Java Builder"
  • Java Build Path:
    • Source Tab:
      • remove existing folder (Pixy)
      • add new folders:
        • Pixy/src/project
        • Pixy/src/java_cup (UPDATE: not necessary any more)
        • Pixy/src/JFlex (UPDATE: not necessary any more)
        • [after the first successful build:] Pixy/build/java
      • set default output folder to Pixy/build/class
    • Libraries Tab:
      • Add Class Folder:
        • Pixy/lib
      • Add Jar:
        • Pixy/lib/junit.jar
  1. context menu of build.xml: Run / 2.Ant Build...
  • name it "Pixy build"
  • main tab:
    • Base directory = Pixy folder
  • refresh tab:
    • select "refresh upon completion", "project containing the selected resource"
  • targets tab:
    • select "build" target instead of preselected default target
  • run! (should be successful)

Building and cleaning the project with Ant from within Eclipse

  1. Project > Properties > Builders
  2. Deactivate the Java Builder.
  3. New ...
  4. Select "Ant builder"
  5. Name it "Ant build" or "Pixy build" (or any other suitable name).
  6. In the Main tab, select the build.xml in the project directory as Buildfile and the project directory as Base directory.
  7. In the Targets tab for "Manual build", select "build".
  8. In the Targets tab for "During a clean", select "clean".
  9. OK the changes for both dialogs.

You then can build the project using Project > Build Project and Clean the project using Project > Clean ... (You might need to refresh to project first.)

Or you can build the project using the command line from within the project main directory:

ant build

Running Pixy from within Eclipse

To run the application, you first need to build it. After that is done, create a suitable run configuration:

  1. Run > Run Configurations...
  2. Right-click on "Java Application" > New (or double-click on "Java Application")
  3. Enter a name, e.g., "Run Pixy"
  4. The main project should be your Pixy project.
  5. As Main class, press "Search..." and select the Checker class.
  6. In the Arguments tab, set the following as Program arguments: ${project_loc}/getstarted.php
  7. Still in the Arguments tab, set the following VM arguments: -Dpixy.home=${project_loc}
  8. Click on "Run".

After the configuration is complete, you can run Pixy by just using Run > Run (CTRL + F11).

Running the unit tests from within Eclipse

This also requires that you have build the application.

  1. Run > Run Configurations...
  2. Right-click on "JUnit" > New (or double-click on "JUnit")
  3. Enter a name, e.g., "Pixy unit tests"
  4. In the Test tab, select the "Run all tests ..." radio button and select the "test" folder in your Pixy project.
  5. In the Arguments tab, set the following VM arguments: -Dpixy.home=${project_loc}
  6. Click on "Run".

After the configuration is complete, you can run Pixy by right-clicking the "test" folder and selecting Run As > 3 JUnit test

Note: Currently, this is broken as one test case completely fails (although it runs when using the "test" ant target from the command line).

Development building

  1. context menu of build.xml: Run / External tools
  • duplicate existing build configuration
  • rename the copy to "Pixy javac"
  • replace target "build" with "javac"
  • run

Exporting

  1. don't forget to clean up first
  2. as zipfile or to file system
  3. check if it contains a .project file (that's how it should be, otherwise you can't import it back to Eclipse easily)

Importing again

  1. unzip file outside eclipse (if zipped); that location is not just temporary, but will be used by eclipse as project home
  2. don't create a project
  3. context menu of package explorer: Import... Existing project into workspace, select unzipped home folder, finish

Usage (Eclipse)

Thanks to Chuck Burgess (cburgess at PROGRESSRAIL dot com) for contributing these instructions.

To set up Pixy as an "External Tool" to use inside Eclipse (tested on v3.1.2), perform these steps:

  1. From the "Run" menu, choose "External Tools", then "External Tools" again. This brings up the dialogue where you can edit/create "External Tools" items.
  2. On the left-side menu, highlight the "Programs" heading and click the "New" button.
  3. Populate the "Name" field on the main top-center area with whatever name you want to use to recognize this program for yourself (i.e. "Pixy Vulnerability Scanner for PHP").
  4. On the "Main" tab, I populated these items in this manner:
    • Location: ${workspace_loc}/Pixy/run.bat
    • Working Directory: ${workspace_loc}${project_path}
    • Arguments: "${workspace_loc}${resource_path}" Notice the quotes in the "Arguments" value... they are needed here, though not allowed in the other values. If you physically put the Pixy code in your Eclipse workspace, you can use the ${workspace_loc} variable in the path to the "run" or "run.bat" file in the "Location" item, rather than having to hardcode the path. Otherwise, you should hardcode the path in the "Location" item, but not in the "Working Directory" or "Arguments" items... (these items refer to your workspace area/items specifically).
  5. No changes should be necessary on the "Refresh", "Environment", or "Common" tabs.

To run Pixy on a workspace PHP file, just highlight the file (either on the left-side Navigator menu listing, or else the opened file's tab in the center view area). Click "Run -> External Tools", and choose your Pixy item's name. The output from its run will appear in the "Console" view at the bottom of the screen layout. Remember, Pixy runs against the file you have HIGHLIGHTED, which is not necessarily the one you have OPEN.

Pixy and PhpParser

Pixy makes use of the sub-project PhpParser. It already brings the compiled classes from that project. PhpParser resides on Github.

Modifications to JFlex 1.4.1

  • marked with "NJ"
  • modified files:
    • skeleton.default
    • Emitter.java
  • reasons:
    • emulation of Flex's yymore()
    • in case of error: also include file name and line number in the output message
  • state stacks are emulated without modifying the JFlex sources, simply by including the relevant data structures into the specification file

Modifications to Cup 10k

  • marked with "NJ"
  • modified files:
    • emit.java
  • reasons:
    • indices for terminals and nonterminals in the generated symbols class shall not overlap
    • nonterminals in the generated symbols class shall be public
    • rule actions shall have access to
      • the production's symbol index (i.e. the index of the symbol on the left side)
      • the production's symbol name
      • the production's length since that makes the generation of explicit parse trees much easier

More Repositories

1

workshop-handouts

Dies sind die Handouts zu vielen meiner Workshops und Seminare.
TeX
27
star
2

ext-tea

TYPO3 example extension for unit testing and best practices.
PHP
24
star
3

tdd-reader

Reader/handout for my workshops on test-driven development (TDD) with TYPO3 CMS
TeX
22
star
4

phpparser

Pure Java parser for PHP programs, used by the Pixy project.
Java
19
star
5

tdd-exercises

This is a starter repository for a project with PHPUnit.
PHP
7
star
6

ext-seminars

TYPO3 extension "seminars"
PHP
6
star
7

massagereader

Reader zu den Entspannungsmassage-Workshops von Oliver Klee
TeX
5
star
8

ext-feuserextrafields

TYPO3 extension that adds additional common fields to FE users
PHP
3
star
9

ext-onetimeaccount

TYPO3 extension "onetimaccount"
PHP
3
star
10

helper-scripts

Collection of helper scripts that reside in `~/bin`.
Shell
3
star
11

latex-examples

Examples for getting started with LaTeX
TeX
3
star
12

spielereader

Spielereader
TeX
3
star
13

ext-crowdfunding

TYPO3 extension for conducting crowdfunding campaigns.
PHP
2
star
14

TYPO3-testing-distribution

TYPO3 installation for testing my extensions
PHP
1
star
15

pixy-thesis

This is my diploma thesis about the security vulnerability scanner Pixy.
TeX
1
star
16

ext-csv_to_openimmo

TYPO3 Extension for converting CSV files to OpenImmo files
PHP
1
star
17

ext-realty

TYPO3 extension "realty"
PHP
1
star
18

dungeon-of-bugs

A dungeon crawler and TDD exercise.
PHP
1
star
19

selenium-demo

Just a short demo for Selenium with PHPUnit.
PHP
1
star
20

ext-phpunit

PHPUnit extension for TYPO3
PHP
1
star
21

insecurity

An educational web application that consists of a plethora of security vulnerabilities held together by some functionality.
PHP
1
star
22

lilypond-templates

Template files for typesetting music with LilyPond.
LilyPond
1
star
23

typo3-devsite

This is a TYPO3 extension that contains the basics of a site which I use for developing in TYPO3.
HTML
1
star
24

coffee

Coffee unit testing example
PHP
1
star
25

word-combinations

This is a programming exercise (or coding kata) about finding words that are the concatenation of two other words.
PHP
1
star