php.lang.security.deserialization.extract-user-data

Author
unknown
Do not call 'extract()' on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.
Definition
rules:
  - id: extract-user-data
    mode: taint
    pattern-sources:
      - pattern-either:
          - pattern: $_GET[...]
          - pattern: $_FILES[...]
          - pattern: $_POST[...]
    pattern-sinks:
      - pattern: extract(...)
    pattern-sanitizers:
      - pattern: extract($VAR, EXTR_SKIP,...)
    message: Do not call 'extract()' on user-controllable data. If you must, then
      you must also provide the EXTR_SKIP flag to prevent overwriting existing
      variables.
    languages:
      - php
    metadata:
      license: MIT
      category: security
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      technology:
        - php
      references:
        - https://www.php.net/manual/en/function.extract.php#refsect1-function.extract-notes
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
    severity: ERROR
Examples
deserialization.php
<?php
/* Suppose that $var_array is an array returned from
wddx_deserialize */
$size = "large";
$var_array = array("color" => "blue",
"size" => "medium",
"shape" => "sphere");
// ok: extract-user-data
extract($var_array, EXTR_PREFIX_SAME, "wddx");
$bad = $_GET['some_param'];
// ruleid:extract-user-data
extract($bad, EXTR_PREFIX_SAME, "wddx");
echo "$color, $size, $shape, $wddx_size\n";
$bad2 = $_FILES["/some/bad/path"];
// ruleid:extract-user-data
extract($bad2, EXTR_PREFIX_SAME, "wddx");
// ok: extract-user-data
$ok = $_FILES["/some/bad/path"];
extract($ok, EXTR_SKIP, "wddx");
?>
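The following is an added example, not part of the Semgrep rule or its test file above. It shows the variable overwrite the rule's message describes, what the EXTR_SKIP sanitizer prevents, and the case it does not cover. The function names and the $request array are constructed for illustration; $request stands in for $_GET or $_POST.

```php
<?php
// Added example (not from the rule or its test file). $request is a
// constructed stand-in for $_GET / $_POST; all function names are made up.

// Vulnerable form: extract() defaults to EXTR_OVERWRITE, so a request key
// named "is_admin" replaces the value the application set a line earlier.
function flag_without_skip(array $request): bool
{
    $is_admin = false;        // set by the application before reading the request
    extract($request);        // the rule flags this: request data reaches extract()
    return (bool) $is_admin;
}

// Hardened form: EXTR_SKIP leaves every variable that already exists untouched.
// This is the sanitizer pattern the rule accepts.
function flag_with_skip(array $request): bool
{
    $is_admin = false;
    extract($request, EXTR_SKIP);
    return (bool) $is_admin;
}

// Caveat: EXTR_SKIP only protects names that exist at call time. A variable the
// code first reads afterwards is still created from the request, so a later
// isset($theme) check behaves as if the user were allowed to set $theme.
function theme_with_skip(array $request): string
{
    extract($request, EXTR_SKIP);
    return isset($theme) ? $theme : 'default';
}

// Preferred form: do not pass request data to extract() at all; read the keys
// you expect explicitly and validate them against an allow-list.
function theme_explicit(array $request): string
{
    $allowed = ['default', 'dark', 'light'];
    $theme = $request['theme'] ?? 'default';
    return in_array($theme, $allowed, true) ? $theme : 'default';
}

$request = ['is_admin' => '1', 'theme' => 'unexpected'];  // constructed request data
var_dump(flag_without_skip($request));  // application flag clobbered by the request
var_dump(flag_with_skip($request));     // application value survives
var_dump(theme_with_skip($request));    // still whatever the request supplied
var_dump(theme_explicit($request));     // falls back to the allow-listed default
```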
Short Link: https://sg.run/6bv1