
There is no cpg input and output edge in php class function call

Open 0kooo opened this issue 7 months ago • 0 comments

Describe the bug

In PHP code, there are instances of other classes, and then functions of the class are called. However, in CPG, there is no way to find the edge from the method node to the call node by using the in or out function. For example, in class A, there is an instantiation of class B and the methodB function is called. In CPG, there is no in-out edge from the method label node named methodB to the call label node named methodB.

To Reproduce

My test code is as follows:

```php
b($cmd); } }
class B{
    public function b($cmd){
        system($cmd);
    }
}
$classa = new A();
$classa->a();
?>
```

CPG statements for the test:

```
joern> cpg.method.name("b").p
val res22: List[String] = List(
  "(METHOD,111669149700): AST_PARENT_FULL_NAME: B, AST_PARENT_TYPE: TYPE_DECL, CODE: PUBLIC function b(this), FILENAME: case6.php, FULL_NAME: B->b, LINE_NUMBER: 10, NAME: b, ORDER: 2, SIGNATURE: <unresolvedSignature>(0)",
  """(METHOD,111669149703): AST_PARENT_FULL_NAME: , AST_PARENT_TYPE: NAMESPACE_BLOCK, FULL_NAME: <unresolvedNamespace>$classb->b, IS_EXTERNAL: true, NAME: b, ORDER: 0, SIGNATURE: <unresolvedSignature>(0)"""
)
```

```
joern> cpg.method.name("b").l(0).in.p
val res23: List[String] = List(
  "(TYPE_DECL,171798691843): AST_PARENT_FULL_NAME: case6.php:, AST_PARENT_TYPE: METHOD, CODE: class B, FILENAME: case6.php, FULL_NAME: B, LINE_NUMBER: 9, NAME: B, ORDER: 5",
  "(TYPE_DECL,171798691843): AST_PARENT_FULL_NAME: case6.php:, AST_PARENT_TYPE: METHOD, CODE: class B, FILENAME: case6.php, FULL_NAME: B, LINE_NUMBER: 9, NAME: B, ORDER: 5",
  "(IDENTIFIER,68719476743): ARGUMENT_INDEX: 1, CODE: $cmd, LINE_NUMBER: 11, NAME: cmd, ORDER: 1, TYPE_FULL_NAME: B->b-><returnValue>"
)
```

```
joern> cpg.method.name("b").l(1).in.p
val res24: List[String] = List(
  "(NAMESPACE_BLOCK,141733920768): FILENAME: , FULL_NAME: , NAME: , ORDER: 1",
  "(CALL,30064771077): ARGUMENT_INDEX: 2, CODE: $classb->b(), DISPATCH_TYPE: DYNAMIC_DISPATCH, LINE_NUMBER: 5, METHOD_FULL_NAME: B->b, NAME: b, ORDER: 2, SIGNATURE: <unresolvedSignature>(0), TYPE_FULL_NAME: B->b-><returnValue>",
  "(METHOD_RETURN,128849018887): CODE: RET, EVALUATION_STRATEGY: BY_VALUE, ORDER: 2, TYPE_FULL_NAME: ANY"
)
```

```
joern> cpg.call.name("system").in.p
val res25: List[String] = List(
  "(BLOCK,25769803778): LINE_NUMBER: 3, ORDER: 2, TYPE_FULL_NAME: ANY",
  "(IDENTIFIER,68719476742): ARGUMENT_INDEX: 1, CODE: $cmd, LINE_NUMBER: 6, NAME: cmd, ORDER: 1, TYPE_FULL_NAME: B->b-><returnValue>",
  "(METHOD,111669149698): AST_PARENT_FULL_NAME: A, AST_PARENT_TYPE: TYPE_DECL, CODE: PUBLIC function a(this), FILENAME: case6.php, FULL_NAME: A->a, LINE_NUMBER: 3, NAME: a, ORDER: 2, SIGNATURE: <unresolvedSignature>(0)",
  "(IDENTIFIER,68719476742): ARGUMENT_INDEX: 1, CODE: $cmd, LINE_NUMBER: 6, NAME: cmd, ORDER: 1, TYPE_FULL_NAME: B->b-><returnValue>",
  "(METHOD_RETURN,128849018881): CODE: RET, EVALUATION_STRATEGY: BY_VALUE, LINE_NUMBER: 3, ORDER: 4, TYPE_FULL_NAME: ANY",
  "(IDENTIFIER,68719476742): ARGUMENT_INDEX: 1, CODE: $cmd, LINE_NUMBER: 6, NAME: cmd, ORDER: 1, TYPE_FULL_NAME: B->b-><returnValue>"
)
```

Expected behavior

My expectation is that after running the following line, there should appear a call node of class b:

```
joern> cpg.call.name("system").in.l(2).in.p
val res27: List[String] = List(
  "(TYPE_DECL,171798691841): AST_PARENT_FULL_NAME: case6.php:, AST_PARENT_TYPE: METHOD, CODE: class A, FILENAME: case6.php, FULL_NAME: A, LINE_NUMBER: 2, NAME: A, ORDER: 3",
  "(TYPE_DECL,171798691841): AST_PARENT_FULL_NAME: case6.php:, AST_PARENT_TYPE: METHOD, CODE: class A, FILENAME: case6.php, FULL_NAME: A, LINE_NUMBER: 2, NAME: A, ORDER: 3",
  "(IDENTIFIER,68719476736): ARGUMENT_INDEX: 1, CODE: $classb, LINE_NUMBER: 4, NAME: classb, ORDER: 1, TYPE_FULL_NAME: B"
)
```

There should also be a node about class B instantiation calls here. Or there is a normal node that can have edges and b-like method tags, and the name is methodb, and there are links cpg.method.name("b").l(1)

Screenshots

If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • os: linux kali
  • Joern Version: 4.0.365
  • Java version: 17.0.13

Additional context

Add any other context about the problem here.

0kooo avatar Jun 09 '25 09:06 0kooo
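
Added example, not part of the original issue and not Joern's own code: a Python script that parses three of the `.p` node dumps quoted in the issue and joins each CALL to internal METHOD nodes by comparing `METHOD_FULL_NAME` with `FULL_NAME`. On this output the join links the call on line 5 to `B->b` on line 10, although the `.in` results above show that CALL only next to the external stub method. The names `parse_node` and `resolve_by_full_name` are hypothetical, and the parser assumes no property value contains a `, KEY: ` sequence.

```python
import re

# Node dumps copied from the `.p` output quoted in the issue.
DUMPS = [
    "(METHOD,111669149700): AST_PARENT_FULL_NAME: B, AST_PARENT_TYPE: TYPE_DECL, CODE: PUBLIC function b(this), FILENAME: case6.php, FULL_NAME: B->b, LINE_NUMBER: 10, NAME: b, ORDER: 2, SIGNATURE: <unresolvedSignature>(0)",
    "(METHOD,111669149703): AST_PARENT_FULL_NAME: , AST_PARENT_TYPE: NAMESPACE_BLOCK, FULL_NAME: <unresolvedNamespace>$classb->b, IS_EXTERNAL: true, NAME: b, ORDER: 0, SIGNATURE: <unresolvedSignature>(0)",
    "(CALL,30064771077): ARGUMENT_INDEX: 2, CODE: $classb->b(), DISPATCH_TYPE: DYNAMIC_DISPATCH, LINE_NUMBER: 5, METHOD_FULL_NAME: B->b, NAME: b, ORDER: 2, SIGNATURE: <unresolvedSignature>(0), TYPE_FULL_NAME: B->b-><returnValue>",
]

# "(LABEL,id): KEY: value, KEY: value, ..."
HEAD = re.compile(r"^\((?P<label>[A-Z_]+),(?P<id>\d+)\): ?(?P<props>.*)$")
# Split only on a comma that is followed by the next upper-case property key.
SEP = re.compile(r", (?=[A-Z_]+:(?: |$))")


def parse_node(dump):
    """Turn one `.p` dump line into a dict of its label, id and properties."""
    m = HEAD.match(dump.strip())
    if m is None:
        raise ValueError("not a node dump: %r" % dump)
    node = {"_label": m["label"], "_id": int(m["id"])}
    for field in SEP.split(m["props"]):
        if not field:
            continue
        key, _, value = field.partition(":")
        node[key] = value.strip()  # empty values (e.g. FULL_NAME of a stub) become ""
    return node


def resolve_by_full_name(nodes):
    """Pair each CALL with internal METHODs whose FULL_NAME equals its METHOD_FULL_NAME."""
    internal = {}
    for n in nodes:
        if n["_label"] == "METHOD" and n.get("IS_EXTERNAL") != "true":
            internal.setdefault(n["FULL_NAME"], []).append(n)
    return [
        (n, internal.get(n.get("METHOD_FULL_NAME"), []))
        for n in nodes
        if n["_label"] == "CALL"
    ]


if __name__ == "__main__":
    parsed = [parse_node(d) for d in DUMPS]
    for call, targets in resolve_by_full_name(parsed):
        for t in targets:
            print("call %s (line %s) -> method %s (line %s)"
                  % (call["CODE"], call["LINE_NUMBER"], t["FULL_NAME"], t["LINE_NUMBER"]))
```
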