php.lang.security.deserialization.extract-user-data

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Do not call 'extract()' on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.

Run Locally

Run in CI

Defintion

rules:
  - id: extract-user-data
    mode: taint
    pattern-sources:
      - pattern-either:
          - pattern: $_GET[...]
          - pattern: $_FILES[...]
          - pattern: $_POST[...]
    pattern-sinks:
      - pattern: extract(...)
    pattern-sanitizers:
      - pattern: extract($VAR, EXTR_SKIP,...)
    message: Do not call 'extract()' on user-controllable data. If you must, then
      you must also provide the EXTR_SKIP flag to prevent overwriting existing
      variables.
    languages:
      - php
    metadata:
      category: security
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      technology:
        - php
      references:
        - https://www.php.net/manual/en/function.extract.php#refsect1-function.extract-notes
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    severity: ERROR

Examples

deserialization.php


<?php

/* Suppose that $var_array is an array returned from
   wddx_deserialize */

$size = "large";
$var_array = array("color" => "blue",
                   "size"  => "medium",
                   "shape" => "sphere");
// ok: extract-user-data
extract($var_array, EXTR_PREFIX_SAME, "wddx");

$bad = $_GET['some_param'];
// ruleid:extract-user-data
extract($bad, EXTR_PREFIX_SAME, "wddx");
echo "$color, $size, $shape, $wddx_size\n";

$bad2 = $_FILES["/some/bad/path"];
// ruleid:extract-user-data
extract($bad2, EXTR_PREFIX_SAME, "wddx");

// ok: extract-user-data
$ok = $_FILES["/some/bad/path"];
extract($ok, EXTR_SKIP, "wddx");
?>