nicoswd / php-rule-parser Goto Github PK
View Code? Open in Web Editor NEWPHP Rule Engine - Parses & Evaluates JavaScript-like expressions
License: MIT License
php-rule-parser's People
Stargazers
Watchers
Forkers
jamoli sebidchi nandychen illusiard openwebx karser danny-source phpsean cawa0505 igorora davgit michaelvaes engshdaifat lozynskyi googolgroups syranez rodrigopedra xianlinzhangphp-rule-parser's Issues
CVE-2020-11023 (Medium) detected in phpunit/php-code-coverage-7.0.10, jquery-3.4.1.min.js
CVE-2020-11023 - Medium Severity Vulnerability
Vulnerable Libraries - phpunit/php-code-coverage-7.0.10, jquery-3.4.1.min.js
phpunit/php-code-coverage-7.0.10
Library that provides collection, processing, and rendering functionality for PHP code coverage information.
Library home page: https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/f1884187926fbb755a9aaf0b3836ad3165b478bf
Dependency Hierarchy:
- phpunit/phpunit-8.5.8 (Root Library)
- ❌ phpunit/php-code-coverage-7.0.10 (Vulnerable Library)
jquery-3.4.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js
Path to vulnerable library: /php-rule-parser/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js
Dependency Hierarchy:
- ❌ jquery-3.4.1.min.js (Vulnerable Library)
Found in HEAD commit: 23bb2982bb26d1c85d175d7aac61babd770d0964
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0
Step up your Open Source Security Game with WhiteSource here
CVE-2018-14042 (Medium) detected in bootstrap-3.3.7-3.3.13.min.js
CVE-2018-14042 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7-3.3.13.min.js
Google-styled theme for Bootstrap.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.min.js
Path to vulnerable library: /php-rule-parser/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js
Dependency Hierarchy:
- ❌ bootstrap-3.3.7-3.3.13.min.js (Vulnerable Library)
Found in HEAD commit: bb0ee0725f2362333a5d83f12ae078c759af4cfb
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:4.1.2
Step up your Open Source Security Game with WhiteSource here
ReadMe Mis-type?
Hi There,
Just getting to know this package and had a tough time getting up and running with it, PHP throwing exceptions about now being able to find the class itself. Mucked around with composer to no avail, then took a look under the hood and saw that the namespace of this library should be nicoSWD\Rules\.... note the Rules plural, however it's got in the example Read Me, use nicoSWD\Rule\Rule - Might just want to double check the docs!
Cheers :)
How to can I register a new function?
I'm trying to add a new function to use each function in my custom code
Being worked on?
Will there be any future updates/changes to this library?
Multiple tests cause parser error
If a function contains more than one instance of the test function, it complains of a parse error
// example bad rule:
/a/.test('a') && /x/.test('x')
Error: "preg_match(): Unknown modifier '.'"
File: nicoswd/php-rule-parser/src/Grammar/JavaScript/Methods/Test.php
Line: 46
Function: preg_match
PHP Version: 7.4.3 (ubuntu)
I have tried reordering them, changing contents of test, and removing "i" modifier. It simply doesn't like it when there are two.
Related side issue: documentation provides use as "foo".test(/oo/i) but actual usage requires the reverse:/oo/i.test("foo")
Thanks for providing this helpful utility.
CVE-2020-11022 (Medium) detected in phpunit/php-code-coverage-7.0.10, jquery-3.4.1.min.js
CVE-2020-11022 - Medium Severity Vulnerability
Vulnerable Libraries - phpunit/php-code-coverage-7.0.10, jquery-3.4.1.min.js
phpunit/php-code-coverage-7.0.10
Library that provides collection, processing, and rendering functionality for PHP code coverage information.
Library home page: https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/f1884187926fbb755a9aaf0b3836ad3165b478bf
Dependency Hierarchy:
- phpunit/phpunit-8.5.8 (Root Library)
- ❌ phpunit/php-code-coverage-7.0.10 (Vulnerable Library)
jquery-3.4.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js
Path to vulnerable library: /php-rule-parser/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js
Dependency Hierarchy:
- ❌ jquery-3.4.1.min.js (Vulnerable Library)
Found in HEAD commit: 23bb2982bb26d1c85d175d7aac61babd770d0964
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Step up your Open Source Security Game with WhiteSource here
CVE-2019-11358 (Medium) detected in jquery-3.1.1.min.js
CVE-2019-11358 - Medium Severity Vulnerability
Vulnerable Library - jquery-3.1.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js
Path to vulnerable library: /php-rule-parser/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js
Dependency Hierarchy:
- ❌ jquery-3.1.1.min.js (Vulnerable Library)
Found in HEAD commit: bb0ee0725f2362333a5d83f12ae078c759af4cfb
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Change files
Origin: jquery/jquery@753d591
Release Date: 2019-03-25
Fix Resolution: Replace or update the following files: core.js, core.js
Step up your Open Source Security Game with WhiteSource here
CVE-2018-14040 (Medium) detected in bootstrap-3.3.7-3.3.13.min.js
CVE-2018-14040 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7-3.3.13.min.js
Google-styled theme for Bootstrap.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.min.js
Path to vulnerable library: /php-rule-parser/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js
Dependency Hierarchy:
- ❌ bootstrap-3.3.7-3.3.13.min.js (Vulnerable Library)
Found in HEAD commit: bb0ee0725f2362333a5d83f12ae078c759af4cfb
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:4.1.2
Step up your Open Source Security Game with WhiteSource here
Cannot use variables where one of the keys has a dash in it.
See the following test (which fails currently) for an example. Not sure if it's work-as-design or not.
Btw, awesome project!
public function testArrayWithDashInKeyDoesParseCorrectly()
{
$this->assertTrue($this->evaluate(
'foo-bar === [
"foo", // This is foo
"bar" // And this is bar
]',
['foo-bar' => ['foo', 'bar']]
));
}CVE-2018-20677 (Medium) detected in bootstrap-3.3.7-3.3.13.min.js
CVE-2018-20677 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7-3.3.13.min.js
Google-styled theme for Bootstrap.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.min.js
Path to vulnerable library: /php-rule-parser/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js
Dependency Hierarchy:
- ❌ bootstrap-3.3.7-3.3.13.min.js (Vulnerable Library)
Found in HEAD commit: bb0ee0725f2362333a5d83f12ae078c759af4cfb
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
Step up your Open Source Security Game with WhiteSource here
Fatal error with Bool variables and ||
There is a PHP fatal error when === false/true isn't added after "boolean" functions.
Version: 0.7.1
PHP version: 8.1
How to replicate:
$engine_rule = new Rule('VAR.startsWith("xXx") || VAR.startsWith("xXx") === false', ['VAR' => 'blablabla']);
$engine_rule->isTrue();Expected result: Validation error like "invalid token || blablabla" until === false/true is added.
Actual result: nicoSWD\Rule\Expression\ExpressionFactory::createFromOperator(): Argument #1 ($operator) must be of type nicoSWD\Rule\TokenStream\Token\BaseToken, null given, called in libs\php-rule-parser\src\Parser\Parser.php on line 61
Thank you.
Negative Containment check possible?
Is it possible to do a negative containment check, like !in_array(needle, haystack) ?
I have tried x not in y and x !in y and both failed.
CVE-2019-8331 (Medium) detected in bootstrap-4.1.3.min.js
CVE-2019-8331 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-4.1.3.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/js/bootstrap.min.js
Path to vulnerable library: /php-rule-parser/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js
Dependency Hierarchy:
- ❌ bootstrap-4.1.3.min.js (Vulnerable Library)
Found in HEAD commit: 55bcb305d719a98ccd59aa3cc5013a5b82b9f27a
Vulnerability Details
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#28236
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
Step up your Open Source Security Game with WhiteSource here
This is a test issue from WhiteSource, it will be closed shortly
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.