#!/usr/bin/python2
import jsparser, re, sys, types, getopt
import cgi
import cgitb
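# Identifier names that test_script() rejects when they appear as an
# IDENTIFIER node's value.
# Every entry needs its own trailing comma: adjacent string literals are
# concatenated by Python, so a missing comma silently merges two names into
# one that never matches (the original list contained 'document' 'alert',
# i.e. 'documentalert', which left 'alert' unfiltered).
RESERVED_WORDLIST = [
    'document',
    'window',
    'alert',
    'console',
    '$',
    'jQuery',
    'xmlhttp',
    'eval',
    'XMLHttpRequest',
    'String',
    'this',
]

# Verbose tracing to stderr; nothing in this file sets it to True.
opt_v = False

# Node attributes that test_script() looks up on each tree node and walks
# in addition to the node's own children.
ITERATION_BLOCKS = [
    'expression',
    'body',
    'block',
    'initializer',
    'condition',
    'thenPart',
    'elsePart',
    'tryBlock',
    'catchClauses',
    'varDecls',
]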
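def test_script(tree, rec_level = 1):
    """Walk a parsed script tree and report the first construct the filter rejects.

    The walk covers the node's own children (``for v in tree``) and then every
    attribute named in ITERATION_BLOCKS that the node has. Nodes are expected
    to expose ``type``, ``value`` and ``lineno``.

    Rejected constructs:
      * an IDENTIFIER child whose value is in RESERVED_WORDLIST,
      * any STRING node,
      * an ARRAY_INIT operand directly under a PLUS node,
      * a sub-tree that cannot be inspected (see below).

    The filter fails closed: if walking one of the ITERATION_BLOCKS raises,
    the script is rejected. The previous behaviour was to log the exception
    and move on to the next block, which accepted code that had never been
    checked, including when the exception came from deeper in the recursion.

    :param tree: node (or list of nodes) produced by the parser.
    :param rec_level: recursion depth, used only in verbose trace output.
    :returns: an error string starting with ``BAD SCRIPT ERROR`` for the first
        rejected construct, or ``False`` when nothing was rejected.
    """
    if opt_v:
        sys.stderr.write('test_script(tree,%d)' % rec_level)

    for v in tree:
        if v.type == 'IDENTIFIER' and v.value in RESERVED_WORDLIST:
            return 'BAD SCRIPT ERROR reserved word "%s" used in assignment at line number %s\n' % (v.value, v.lineno)
        if v.type == 'STRING':
            return 'BAD SCRIPT ERROR illegal type "%s" used at line number %s\n' % (v.type, v.lineno)
        if opt_v:
            sys.stderr.write('this is the type: %s at line number %s\n' % (v.type, v.lineno))
            sys.stderr.write('this is the value: %s at line number %s\n' % (v.value, v.lineno))
        inner_test = test_script(v, rec_level + 1)
        if inner_test:
            return inner_test

    for block in ITERATION_BLOCKS:
        if not hasattr(tree, block):
            continue
        b = getattr(tree, block)
        if b is None:
            # Attribute present but empty: there is nothing to inspect.
            continue
        # Containers without a ``type`` attribute must still have their
        # children checked; reading b.type directly raised on them and the
        # whole block was skipped.
        b_type = getattr(b, 'type', None)
        if opt_v:
            sys.stderr.write(' this is the expression type: %s \n' % b_type)
        # NOTE(review): b itself and its direct children are not compared
        # against RESERVED_WORDLIST here, only the children's descendants
        # are (via the recursive call) -- confirm that this is intended.
        try:
            for v in b:
                if b_type == 'PLUS' and v.type == 'ARRAY_INIT':
                    return 'BAD SCRIPT ERROR illegal use of arrays to cast strings at %s\n' % v.lineno
                if opt_v:
                    sys.stderr.write('this is the (inner iteration) type: %s, at line number %s, rec_lev: %d' % (v.type, v.lineno, rec_level))
                if v.type == 'STRING':
                    return 'BAD SCRIPT ERROR illegal type "%s" used at line number %s\n' % (v.type, v.lineno)
                if opt_v:
                    sys.stderr.write('this is the (inner iteration) value: %s\n' % v.value)
                inner_test = test_script(v, rec_level + 1)
                if inner_test:
                    return inner_test
        except Exception as e:
            # Fail closed: an uninspectable sub-tree is a rejection, not a pass.
            sys.stderr.write('this was the error %s\n' % e)
            return 'BAD SCRIPT ERROR could not inspect "%s" at recursion level %d: %s\n' % (block, rec_level, e)

    if opt_v:
        sys.stderr.write('test_script(tree,%d) end\n' % rec_level)
    return False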
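if __name__ == "__main__":
    # Command-line entry point: check the script file named by the first
    # argument. Exit status 0 means the script was accepted, 1 that it was
    # rejected (the reason is printed on stdout), 2 that no file was given.
    if len(sys.argv) < 2:
        sys.stderr.write('usage: %s SCRIPT_FILE\n' % sys.argv[0])
        sys.exit(2)
    # The with-block closes the file even if read() raises.
    with open(sys.argv[1], 'r') as f:
        data = f.read()
    # An exception from the parser is not caught: the traceback ends the
    # process with a non-zero status, so an unparseable script is never
    # reported as accepted.
    test = test_script(jsparser.parse(data))
    if test:
        print(test)
        sys.exit(1)
    sys.exit(0)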