
False positives documentation #58

Closed
ivansaurio opened this issue Aug 29, 2023 · 1 comment

Comments

@ivansaurio

vuln_ids depend on the full path of the sink file, therefore scanning the same source code in two different locations will produce different ids. This could be more explicit in FALSE_POSITIVES.md.

There is also a bug with using non-normalized paths when invoking progpilot. For example ./progpilot.phar /tmp/myproject will generate a vuln_id from $a$_GET-/tmp/myproject/test.php$a-eval-test.php. Running ./progpilot.phar /tmp/myproject// will generate a vuln_id from $a$_GET-/tmp/myproject/test.php$a-eval-st.php, removing some characters from the start of the path.
This happens because inside MyFile->__construct(), $fullPathFileName is normalized but $basedir is not. Running realpath() on $basedir fixes the issue but might be a breaking change for some users. This should be documented.
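The two effects described in the report, reconstructed as an added Python example (not progpilot's code and not the reporter's): a scan root passed with a trailing "//" is one byte longer than the normalized prefix it is meant to strip, so the cut lands inside the file name, and an id that includes the absolute sink path changes whenever the same tree is scanned from a different directory. The assumptions are that the relative file name is produced by removing len($basedir . '/') bytes from the front of the normalized absolute path, and that vuln_id is a digest over the same fields the report quotes (source variable and name, absolute sink file, sink variable and name, relative file); progpilot's real string handling and id format may differ. The project directory and test.php are constructed in a temporary directory so the example runs offline.

```python
"""Reconstruction of the two path issues from the report (not progpilot's code)."""
import hashlib
import os
import tempfile


def normalize(path: str) -> str:
    # Same role as realpath(): collapses '//' and '.', resolves symlinks,
    # and drops trailing separators, so '/tmp/myproject//' becomes '/tmp/myproject'.
    return os.path.realpath(path)


def relative_sink_path(basedir: str, sink_file: str, normalize_basedir: bool) -> str:
    """Strip the scan root from the absolute sink path.

    Assumption: the relative name is what remains after cutting
    len(basedir + separator) bytes off the normalized absolute path,
    the same shape as stripping $basedir from $fullPathFileName.
    With normalize_basedir=False a root given as '/tmp/myproject//'
    is two bytes too long, so two characters of the file name are lost.
    """
    full_path = normalize(sink_file)
    if normalize_basedir:
        basedir = normalize(basedir)
    return full_path[len(basedir + os.sep):]


def vuln_id(source_var: str, source_name: str, sink_file: str,
            sink_var: str, sink_name: str, relative_file: str) -> str:
    """Constructed id: a digest over the fields quoted in the report.

    Because the absolute sink file is part of the input, the same code
    scanned from two roots yields two different ids.
    """
    material = f"{source_var}{source_name}-{sink_file}{sink_var}-{sink_name}-{relative_file}"
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def make_project(root: str) -> str:
    """Create <root>/test.php with a constructed $_GET -> eval() flow."""
    os.makedirs(root, exist_ok=True)
    sink = os.path.join(root, "test.php")
    with open(sink, "w") as fh:
        fh.write('<?php $a = $_GET["a"]; eval($a);\n')  # constructed sample sink
    return sink


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        tmp = normalize(tmp)  # canonical from the start (macOS /tmp is a symlink)
        root = os.path.join(tmp, "myproject")
        sink = make_project(root)

        results = {
            # ./progpilot.phar /tmp/myproject   -> test.php
            "clean": relative_sink_path(root, sink, normalize_basedir=False),
            # ./progpilot.phar /tmp/myproject// -> st.php (the reported truncation)
            "double_slash_buggy": relative_sink_path(root + "//", sink, normalize_basedir=False),
            # same invocation once $basedir goes through realpath()
            "double_slash_fixed": relative_sink_path(root + "//", sink, normalize_basedir=True),
        }

        # Identical code in a second location: only the absolute path differs.
        copy_root = os.path.join(tmp, "elsewhere", "myproject")
        copy_sink = make_project(copy_root)
        id_original = vuln_id("$a", "$_GET", normalize(sink), "$a", "eval",
                              relative_sink_path(root, sink, True))
        id_copy = vuln_id("$a", "$_GET", normalize(copy_sink), "$a", "eval",
                          relative_sink_path(copy_root, copy_sink, True))
        results["same_code_same_id"] = id_original == id_copy

        # Leaving the absolute path out of the digest is what would make ids
        # location-independent; shown here only to isolate the cause.
        rel_only_a = vuln_id("$a", "$_GET", "", "$a", "eval", relative_sink_path(root, sink, True))
        rel_only_b = vuln_id("$a", "$_GET", "", "$a", "eval",
                             relative_sink_path(copy_root, copy_sink, True))
        results["relative_only_ids_match"] = rel_only_a == rel_only_b
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints "clean: test.php", "double_slash_buggy: st.php" and "double_slash_fixed: test.php", then "same_code_same_id: False" and "relative_only_ids_match: True". The practical consequence for a FALSE_POSITIVES.md workflow is that an id recorded from one checkout, or from a scan invoked with a differently spelled root, will not match the next run unless the root is normalized and the tree is scanned from the same absolute location.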

@eric-therond
Collaborator

Thanks for the bug report.
Should be fixed with v1.1.0.
Don't hesitate to reopen the issue if you see something missing.
