php.lang.security.eval-use.eval-use

profile photo of semgrepsemgrep
Author
4,204
Download Count*

Evaluating non-constant commands. This can lead to command injection.

Run Locally

Run in CI

Defintion

rules:
  - id: eval-use
    patterns:
      - pattern: eval(...);
      - pattern-not: eval('...');
    message: Evaluating non-constant commands. This can lead to command injection.
    metadata:
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      references:
        - https://www.php.net/manual/en/function.eval
        - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php
      category: security
      technology:
        - php
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    languages:
      - php
    severity: ERROR

Examples

eval-use.php

<?php

// ruleid: eval-use
eval($user_input);

// ok: eval-use
eval('echo "OK"');