BUGFIX - Only the nth occurence var is colored if dup vuln

detection.py

@@ -24,6 +24,7 @@ def analysis(path):
       matches = regex.findall(content)
 
       for vuln_content in matches:
+        occurence = 0
 
         # Security hole detected, is it protected ?
       	if check_protection(payload[2], vuln_content) == False:
@@ -34,13 +35,14 @@ def analysis(path):
             regax = re.compile(regex_indicators[2:-2])
             for vulnerable_var in regax.findall(sentence):
                 false_positive = False
+                occurence += 1
 
                 # No declaration for $_GET, $_POST ...
                 if check_exception(vulnerable_var[1]) == False:
 
                     # Look for the declaration of $something = xxxxx
                     false_positive, declaration_text, line_declaration = check_declaration(content, vulnerable_var[1], path)
-                    
+
                     # Set false positive if protection is in the variable's declaration
                     false_positive = false_positive or check_protection(payload[2], declaration_text)==True
 
@@ -49,7 +51,7 @@ def analysis(path):
                 if not false_positive:
                     global result_count
                     result_count = result_count + 1
-                    display(path, payload, vuln_content, line_vuln, declaration_text, line_declaration, vulnerable_var[1])
+                    display(path, payload, vuln_content, line_vuln, declaration_text, line_declaration, vulnerable_var[1], occurence)
 
 
 # Run thru every files and subdirectories

functions.py

@@ -4,8 +4,35 @@ import os
 import re
 from indicators import *
 
+# Replace the nth occurence of a string
+# From https://stackoverflow.com/questions/35091557/replace-nth-occurrence-of-substring-in-string
+def nth_replace(string, old, new, n=1, option='only nth'):
+    """
+    This function replaces occurrences of string 'old' with string 'new'.
+    There are three types of replacement of string 'old':
+    1) 'only nth' replaces only nth occurrence (default).
+    2) 'all left' replaces nth occurrence and all occurrences to the left.
+    3) 'all right' replaces nth occurrence and all occurrences to the right.
+    """
+    if option == 'only nth':
+        left_join = old
+        right_join = old
+    elif option == 'all left':
+        left_join = new
+        right_join = old
+    elif option == 'all right':
+        left_join = old
+        right_join = new
+    else:
+        print("Invalid option. Please choose from: 'only nth' (default), 'all left' or 'all right'")
+        return None
+    groups = string.split(old)
+    nth_split = [left_join.join(groups[:n]), right_join.join(groups[n:])]
+    return new.join(nth_split)
+
+
 # Display the found vulnerability with basic informations like the line
-def display(path,payload,vulnerability,line,declaration_text,declaration_line, colored):
+def display(path,payload,vulnerability,line,declaration_text,declaration_line, colored, occurence):
 
 	# Potential vulnerability found :  SQL Injection
 	header = "\033[1mPotential vulnerability found : \033[92m{}\033[0m".format(payload[1])
@@ -14,7 +41,7 @@ def display(path,payload,vulnerability,line,declaration_text,declaration_line, c
 	line = "n°\033[92m{}\033[0m in {}".format(line,path)
 
 	# Code : include($_GET['patisserie'])
-	vuln = ("".join(vulnerability)).replace(colored, "\033[93m"+colored+"\033[0m")
+	vuln = nth_replace("".join(vulnerability), colored, "\033[93m"+colored+"\033[0m", occurence)
 	vuln = "{}({})".format(payload[0], vuln)
 
 	# Final Display

index.py

@@ -5,12 +5,7 @@
 # How to use : python index.py --dir test
 # Educational purpose only !
 
-# TODO afficher toutes les modifications de la variable -
-# TODO checker recursivement les vulns dans la déclaration d'une var
-# BUG color var['something']
-# BUG PGSQL : pg_pconnect / pg_connect detected
-# BUG nt des var et mettre en couleur la bonne plutôt que la première
-# BUG ex fct(occurence) et mettre en couleur la xieme occurence
+# TODO afficher toutes les modifications de la variable
 
 import sys
 import argparse

indicators.py

@@ -37,7 +37,7 @@ payloads = [
   ["mysqli_real_query","SQL Injection",["mysql_real_escape_string"]],
   ["mysqli::query","SQL Injection",["mysql_real_escape_string"]],
   ["mysqli_query","SQL Injection",["mysql_real_escape_string"]],
-  ["pg_query","SQL Injection",["pg_escape_string","pg_pconnect"]],
+  ["pg_query","SQL Injection",["pg_escape_string","pg_pconnect","pg_connect"]],
   ["->query","SQL Injection",["->prepare"]],
   ["->exec","SQL Injection",["->prepare"]],
   ["->execute","SQL Injection",["->prepare"]],