In some cases, static analysis is not enough, especially for configuration-dependent or runtime-specific variables such as
$_SERVER, whose contents are only known when the application actually runs. Thankfully, phantm provides features to instrument your runtime environment, so that information collected at runtime can be reused as part of the static analysis. This is done in two ways.
It is not always possible to infer statically which files are included when the include path is built dynamically. phantm provides a function that you can wrap around your include expressions. For instance, the following code
can be instrumented using:
This does not change the behaviour of your application:
phantm_incl simply returns its argument, but it also records the path that was actually included in a “.incl” file. You can then tell phantm to use this file, so that whenever it encounters the wrapped expression it looks up the recorded path there to resolve the inclusion. Note that only includes that were actually executed during the instrumented run are recorded; an include on a code path you did not exercise remains unresolved.
For example, you could use --importincludes last.incl.
A second function dumps the runtime state, that is, all the variables defined at a given point, in a form phantm can import. For instance:
$a = $_SESSION['test'];
$a = $a . "foo";
will produce a notice, since phantm knows nothing about what the session holds and therefore cannot tell what type $a has. If you are satisfied that the first statement is correct and want phantm to analyze the second one with knowledge of the actual value of $a, you can capture the runtime environment at that point and import it directly into phantm:
$a = $_SESSION['test'];
phantm_collect_state(get_defined_vars());
$a = $a . "foo";
When you run this code as usual, execution dies at the point of the call and a “.dump” file is written containing the collected variables. That file can then be imported back into phantm. Because the call terminates the script, it belongs only in a collection run, never in deployed code; and because the dump contains live values (session contents, $_SERVER entries, possibly credentials), treat the “.dump” and “.incl” files as sensitive and keep them out of the web root and out of version control.
For example, you could use --importState last.dump.
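The following script, added here as an illustration and not taken from the phantm documentation, puts both instrumentation steps together in one file: a dynamic include wrapped in phantm_incl, followed by a phantm_collect_state call after a value is read from the session. The functions phantm_incl and phantm_collect_state are the ones named above and are assumed to be provided by phantm's runtime support; the file phantm_runtime.php that is required to load them, the pages/ directory and the query parameter are placeholders chosen for the example.

```php
<?php
// Added example, not part of the phantm project. phantm_incl() and
// phantm_collect_state() come from phantm's runtime support; the file name
// used to load it here is an assumption.
require_once 'phantm_runtime.php';

session_start();

// A dynamic include: the file name depends on request data, so static
// analysis alone cannot know which file ends up being included.
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
$page = basename($page);                 // strips directory parts, so "../" cannot escape pages/
$file = __DIR__ . '/pages/' . $page . '.php';

// Wrapping the path in phantm_incl() leaves behaviour unchanged (it returns its
// argument) but records the path actually included in the .incl file, which
// --importincludes later uses to resolve this expression.
require phantm_incl($file);

// Values coming from the session are opaque to static analysis. Everything up
// to this point is accepted as-is; phantm_collect_state() dumps the variables
// defined here (including $user) to a .dump file and then stops the script,
// so this call must only be present during a collection run.
$user = $_SESSION['user'];
phantm_collect_state(get_defined_vars());

// With the dump imported via --importState, phantm knows the concrete type of
// $user and no longer reports a notice on this concatenation.
$greeting = 'Hello, ' . $user;
echo $greeting;
```

Run the script once through a normal request to produce the .incl and .dump files, then hand both to phantm with the two flags above; the exact command-line shape (for instance, the flags followed by the script name) is an assumption about phantm's CLI, only the flag names and the last.incl / last.dump file names come from the text.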