Php Sat Configuration

Static analysis for PHP

Why configuration?

The configuration file is used to configure the security-analysis within php-sat. It contains information about three things:
  • Which variables bring tainted data into the script
  • Which functions/constructs can make this data safe
  • Which SafetyLevel the parameters of a function should have

This information can differ between projects and configurations of PHP. The most obvious example would be the magic quotes directive. This directive influences the security algorithm directly because the input-data will have a higher SafetyLevel.


The format of the configuration file is best explained with the following example file:
1: [tainted sources]
2:   array:    _SERVER           level: escaped-slashes 
3:   function: file_get_contents level: raw-input 
4: [sensitive sinks]
5:   construct: echo ( escaped-html   && escaped-slashes )
6:   function:  mail ( matched-string || string-from-list, matched-string, matched-string )
7: [function result]
8:   function: addslashes       level: escaped-slashes
  1. Starts the section that lists the sources of TaintedData in the configuration file. All sources that bring TaintedData into your script should be defined here
  2. An input-array can be declared as bringing in TaintedData by giving the keyword array: and the name followed by a SafetyLevel. A SafetyLevel is declared by level: safety-level-name.
  3. A function can be declared as TaintedData-source in the same way, but the keyword is function:.
  4. Starts the SensitiveSink-section of the configuration file. All functions and constructs that should be checked for preconditions should be defined here.
  5. The precondition for a construct can be defined by the keyword construct: followed by the name of the construct. This should be followed by a precondition for the parameters you want to check. A SafetyLevel can be combined by the && (and) or || (or) operator. These operators work as expected.
  6. Functions can be defined as SensitiveSink in the same way as constructs, but the keyword is function:. This line also gives an example of the definition of preconditions for multiple parameters.
  7. Starts the section that defines the functions that make the data safe. All functions that can influence data should be defined in this section.
  8. Defining the SafetyLevel of the result of a function can be done by using the function: keyword followed by a name and a SafetyLevel.

Default configuration

The default configuration that is used by php-sat can be found under prefix /share/php-sat and is called PHP-SAT.ini.

ALERT! Editting the default configuration file will not influence php-sat directly.
ALERT! After you have altered the file you should pass it to php-sat using the -cf f | --config-file f flag.

The default configuration is currently very small. If you have an improved version please share it with us.