
[Bug] php2cpg: wrong function resolution for calls of free functions from inside classes

Open maltek opened this issue 2 years ago • 5 comments

Executing this

<?php
namespace A;

function x() { echo "here"; }

class B {
  function x() { echo "not here"; }

  function c() {
    x();
  }
}

(new B())->c();

prints "here" - calling x() refers to the free function A\x (if that wasn't defined, it might also refer to just x).

$ php /tmp/test.php
here

But php2cpg thinks it refers to "A\B->x" (when only $this->x() would):

joern> cpg.call.name("x").methodFullName.l
val res4: List[String] = List("A\\B->x")

maltek avatar Jul 06 '23 12:07 maltek
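
The PHP name-resolution rule the report above relies on, modelled as an added Python example (not code from Joern or from anyone in this thread). `resolve_function_call` and its parameters are hypothetical names, and namespace aliases from plain `use` statements are not handled.

```python
# Added illustration: models how PHP resolves the name in a function call.
# Full names carry no leading backslash ("A\\x"); methods use the
# "A\\B->x" form that php2cpg printed in the issue.

def resolve_function_call(name, namespace, defined, imports=None):
    """Return the full name PHP would call for `name(...)`, or None.

    name      -- call name as written: "x", "Sub\\x" or "\\x"
    namespace -- enclosing namespace ("" for the global namespace)
    defined   -- set of full names known to the analysis
    imports   -- {alias: full name} taken from `use function` statements
    The enclosing class is deliberately not a parameter: a bare call never
    resolves to a method; only $this->x() or a static call does.
    """
    imports = imports or {}
    if name.startswith("\\"):            # fully qualified: \x()
        candidates = [name[1:]]
    elif "\\" in name:                   # qualified: Sub\x(), no fallback
        candidates = [f"{namespace}\\{name}" if namespace else name]
    elif name in imports:                # use function Db\query as q;
        candidates = [imports[name]]
    else:                                # unqualified: x()
        candidates = [f"{namespace}\\{name}"] if namespace else []
        candidates.append(name)          # then fall back to global x
    by_lower = {d.lower(): d for d in defined}   # names are case-insensitive
    for candidate in candidates:
        if candidate.lower() in by_lower:
            return by_lower[candidate.lower()]
    return None


def issue_case():
    # Constructed from the issue's test.php: free function A\x, method A\B->x.
    return resolve_function_call("x", "A", {"A\\x", "A\\B->x"})


if __name__ == "__main__":
    print(issue_case())
```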

Is it resolved correctly now?

xywang18 avatar Sep 11 '25 07:09 xywang18

@xywang18 how about you try it out, and report back?

maltek avatar Sep 11 '25 08:09 maltek

> @xywang18 how about you try it out, and report back?

Same result. I handle such cases by writing a separate pass. Maybe it can be solved in CallGraphPass?

xywang18 avatar Sep 11 '25 08:09 xywang18

> @xywang18 how about you try it out, and report back?

In our experiments, such cases are very common and it affects vulnerability detection. For example, many methods call helper functions defined in the global scope, such as SQL query functions.

xywang18 avatar Sep 11 '25 08:09 xywang18

At some point this issue fell off my radar, but I'm working on the PHP call representation now and will implement a fix for this as part of that.

johannescoetzee avatar Sep 11 '25 11:09 johannescoetzee