php.lang.security.assert-use.assert-use
semgrepAuthor
4,212
Download Count*
License
Calling assert with user input is equivalent to eval'ing.
Run Locally
Run in CI
Defintion
rules:
- id: assert-use
mode: taint
pattern-sources:
- pattern-either:
- patterns:
- pattern-either:
- pattern: $_GET
- pattern: $_POST
- pattern: $_COOKIE
- pattern: $_REQUEST
- pattern: $_SERVER
- patterns:
- pattern: |
Route::$METHOD($ROUTENAME, function(..., $ARG, ...) { ... })
- focus-metavariable: $ARG
pattern-sinks:
- patterns:
- pattern: assert($SINK, ...);
- pattern-not: assert("...", ...);
- pattern: $SINK
message: Calling assert with user input is equivalent to eval'ing.
metadata:
owasp:
- A03:2021 - Injection
cwe:
- "CWE-95: Improper Neutralization of Directives in Dynamically
Evaluated Code ('Eval Injection')"
references:
- https://www.php.net/manual/en/function.assert
- https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/AssertsSniff.php
category: security
technology:
- php
confidence: HIGH
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Code Injection
languages:
- php
severity: ERROR
Examples
assert-use.php
<?php
$tainted = $_GET['userinput'];
// ruleid: assert-use
assert($tainted);
// ok: assert-use
assert('2 > 1');
// todook: assert-use
assert($tainted > 1);
Route::get('bad', function ($name) {
// ruleid: assert-use
assert($name);
// ok: assert-use
assert('2 > 1');
// todook: assert-use
assert($name > 1);
});
Short Link: https://sg.run/3xXW