nicoswd / php-rule-parser Goto Github PK

View Code? Open in Web Editor NEW

124.0 7.0 20.0 764 KB

PHP Rule Engine - Parses & Evaluates JavaScript-like expressions

License: MIT License

PHP 99.79% HCL 0.21%

evaluator rule-engine parser rule-parser rule-system brms business-rules dsl workflow php-rule-engine

php-rule-parser's Issues

CVE-2020-11022 (Medium) detected in phpunit/php-code-coverage-7.0.10, jquery-3.4.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Libraries - phpunit/php-code-coverage-7.0.10, jquery-3.4.1.min.js

phpunit/php-code-coverage-7.0.10

Library that provides collection, processing, and rendering functionality for PHP code coverage information.

Library home page: https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/f1884187926fbb755a9aaf0b3836ad3165b478bf

Dependency Hierarchy:

phpunit/phpunit-8.5.8 (Root Library)
- ❌ phpunit/php-code-coverage-7.0.10 (Vulnerable Library)

jquery-3.4.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js

Path to vulnerable library: /php-rule-parser/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js

Dependency Hierarchy:

❌ jquery-3.4.1.min.js (Vulnerable Library)

Found in HEAD commit: 23bb2982bb26d1c85d175d7aac61babd770d0964

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11023 (Medium) detected in phpunit/php-code-coverage-7.0.10, jquery-3.4.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Libraries - phpunit/php-code-coverage-7.0.10, jquery-3.4.1.min.js

phpunit/php-code-coverage-7.0.10

Library that provides collection, processing, and rendering functionality for PHP code coverage information.

Library home page: https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/f1884187926fbb755a9aaf0b3836ad3165b478bf

Dependency Hierarchy:

phpunit/phpunit-8.5.8 (Root Library)
- ❌ phpunit/php-code-coverage-7.0.10 (Vulnerable Library)

jquery-3.4.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js

Path to vulnerable library: /php-rule-parser/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js

Dependency Hierarchy:

❌ jquery-3.4.1.min.js (Vulnerable Library)

Found in HEAD commit: 23bb2982bb26d1c85d175d7aac61babd770d0964

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2018-20677 (Medium) detected in bootstrap-3.3.7-3.3.13.min.js

CVE-2018-20677 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7-3.3.13.min.js

Google-styled theme for Bootstrap.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.min.js

Path to vulnerable library: /php-rule-parser/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js

Dependency Hierarchy:

❌ bootstrap-3.3.7-3.3.13.min.js (Vulnerable Library)

Found in HEAD commit: bb0ee0725f2362333a5d83f12ae078c759af4cfb

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2019-11358 (Medium) detected in jquery-3.1.1.min.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js

Path to vulnerable library: /php-rule-parser/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js

Dependency Hierarchy:

❌ jquery-3.1.1.min.js (Vulnerable Library)

Found in HEAD commit: bb0ee0725f2362333a5d83f12ae078c759af4cfb

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: jquery/jquery@753d591

Release Date: 2019-03-25

Fix Resolution: Replace or update the following files: core.js, core.js

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14042 (Medium) detected in bootstrap-3.3.7-3.3.13.min.js

CVE-2018-14042 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7-3.3.13.min.js

Google-styled theme for Bootstrap.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.min.js

Path to vulnerable library: /php-rule-parser/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js

Dependency Hierarchy:

❌ bootstrap-3.3.7-3.3.13.min.js (Vulnerable Library)

Found in HEAD commit: bb0ee0725f2362333a5d83f12ae078c759af4cfb

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:4.1.2

Step up your Open Source Security Game with WhiteSource here

Cannot use variables where one of the keys has a dash in it.

See the following test (which fails currently) for an example. Not sure if it's work-as-design or not.

Btw, awesome project!

public function testArrayWithDashInKeyDoesParseCorrectly()
    {
        $this->assertTrue($this->evaluate(
            'foo-bar === [
                "foo", // This is foo
                "bar"  // And this is bar
            ]',
            ['foo-bar' => ['foo', 'bar']]
        ));
    }

Being worked on?

Will there be any future updates/changes to this library?

CVE-2019-8331 (Medium) detected in bootstrap-4.1.3.min.js

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-4.1.3.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/js/bootstrap.min.js

Path to vulnerable library: /php-rule-parser/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js

Dependency Hierarchy:

❌ bootstrap-4.1.3.min.js (Vulnerable Library)

Found in HEAD commit: 55bcb305d719a98ccd59aa3cc5013a5b82b9f27a

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14040 (Medium) detected in bootstrap-3.3.7-3.3.13.min.js

CVE-2018-14040 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7-3.3.13.min.js

Google-styled theme for Bootstrap.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.min.js

Path to vulnerable library: /php-rule-parser/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js

Dependency Hierarchy:

❌ bootstrap-3.3.7-3.3.13.min.js (Vulnerable Library)

Found in HEAD commit: bb0ee0725f2362333a5d83f12ae078c759af4cfb

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:4.1.2

Step up your Open Source Security Game with WhiteSource here

How to can I register a new function?

I'm trying to add a new function to use each function in my custom code

Negative Containment check possible?

Is it possible to do a negative containment check, like !in_array(needle, haystack) ?
I have tried x not in y and x !in y and both failed.

ReadMe Mis-type?

Hi There,

Just getting to know this package and had a tough time getting up and running with it, PHP throwing exceptions about now being able to find the class itself. Mucked around with composer to no avail, then took a look under the hood and saw that the namespace of this library should be nicoSWD\Rules\.... note the Rules plural, however it's got in the example Read Me, use nicoSWD\Rule\Rule - Might just want to double check the docs!

Cheers :)

Multiple tests cause parser error

If a function contains more than one instance of the test function, it complains of a parse error

// example bad rule:
/a/.test('a') && /x/.test('x')

Error: "preg_match(): Unknown modifier '.'"
File: nicoswd/php-rule-parser/src/Grammar/JavaScript/Methods/Test.php
Line: 46
Function: preg_match
PHP Version: 7.4.3 (ubuntu)

I have tried reordering them, changing contents of test, and removing "i" modifier. It simply doesn't like it when there are two.

Related side issue: documentation provides use as "foo".test(/oo/i) but actual usage requires the reverse:/oo/i.test("foo")

Thanks for providing this helpful utility.

This is a test issue from WhiteSource, it will be closed shortly

Fatal error with Bool variables and ||

There is a PHP fatal error when === false/true isn't added after "boolean" functions.

Version: 0.7.1
PHP version: 8.1
How to replicate:

$engine_rule = new Rule('VAR.startsWith("xXx") || VAR.startsWith("xXx") === false', ['VAR' => 'blablabla']);
$engine_rule->isTrue();

Expected result: Validation error like "invalid token || blablabla" until === false/true is added.
Actual result: nicoSWD\Rule\Expression\ExpressionFactory::createFromOperator(): Argument #1 ($operator) must be of type nicoSWD\Rule\TokenStream\Token\BaseToken, null given, called in libs\php-rule-parser\src\Parser\Parser.php on line 61

Thank you.

nicoswd / php-rule-parser Goto Github PK

php-rule-parser's Issues

CVE-2020-11022 - Medium Severity Vulnerability

CVE-2020-11023 - Medium Severity Vulnerability

CVE-2018-20677 - Medium Severity Vulnerability

CVE-2019-11358 - Medium Severity Vulnerability

CVE-2018-14042 - Medium Severity Vulnerability

CVE-2019-8331 - Medium Severity Vulnerability

CVE-2018-14040 - Medium Severity Vulnerability

Recommend Projects

Recommend Topics

Recommend Org