php.lang.security.assert-use.assert-use

profile photo of returntocorpreturntocorp
Author
4,212
Download Count*
LGPL Commons Clause
License

Calling assert with user input is equivalent to eval'ing.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: assert-use
    mode: taint
    pattern-sources:
      - pattern-either:
          - patterns:
              - pattern-either:
                  - pattern: $_GET
                  - pattern: $_POST
                  - pattern: $_COOKIE
                  - pattern: $_REQUEST
                  - pattern: $_SERVER
          - patterns:
              - pattern: |
                  Route::$METHOD($ROUTENAME, function(..., $ARG, ...) { ... })
              - focus-metavariable: $ARG
    pattern-sinks:
      - patterns:
          - pattern: assert($SINK, ...);
          - pattern-not: assert("...", ...);
          - pattern: $SINK
    message: Calling assert with user input is equivalent to eval'ing.
    metadata:
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-95: Improper Neutralization of Directives in Dynamically
          Evaluated Code ('Eval Injection')"
      references:
        - https://www.php.net/manual/en/function.assert
        - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/AssertsSniff.php
      category: security
      technology:
        - php
      confidence: HIGH
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - php
    severity: ERROR

Examples

assert-use.php

<?php

$tainted = $_GET['userinput'];

// ruleid: assert-use
assert($tainted);

// ok: assert-use
assert('2 > 1');

// todook: assert-use
assert($tainted > 1);

Route::get('bad', function ($name) {
  // ruleid: assert-use
  assert($name);

  // ok: assert-use
  assert('2 > 1');

  // todook: assert-use
  assert($name > 1);
});