php.lang.security.exec-use.exec-use


Executing non-constant commands. This can lead to command injection.


Definition

# Semgrep rule: reports calls to PHP process-execution builtins whose command
# argument is not a plain string literal, and so may be built from runtime data.
rules:
  - id: exec-use
    patterns:
      # Any call to a function named by $FUNC (constrained by the regex below),
      # with any arguments.
      - pattern: $FUNC(...);
      # Exclude calls whose FIRST argument is a string literal (Semgrep's '...'
      # string wildcard). Only the first argument is inspected; a variable or a
      # concatenated expression in that position does not match this exclusion
      # and is therefore still reported.
      - pattern-not: $FUNC('...', ...);
      - metavariable-regex:
          metavariable: $FUNC
          # Process-spawning builtins covered by this rule. pcntl_exec replaces
          # the current process with a program rather than invoking a shell, but
          # a non-literal program path is treated the same way here.
          regex: exec|passthru|proc_open|popen|shell_exec|system|pcntl_exec
    message: Executing non-constant commands. This can lead to command injection.
    metadata:
      cwe:
        # NOTE(review): the message describes OS command injection (CWE-78),
        # while the CWE listed is code injection; confirm which is intended.
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      references:
        - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/SystemExecFunctionsSniff.php
      category: security
      technology:
        - php
      owasp:
        - A03:2021 - Injection
      cwe2022-top25: true
      # Audit finding: the rule only checks that the argument is non-literal and
      # does not trace where the value comes from, hence LOW likelihood and
      # LOW confidence despite HIGH impact.
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    languages:
      - php
    severity: ERROR

Examples

exec-use.php

<?php

// Semgrep test fixture for the exec-use rule. A `// ruleid: exec-use` comment
// marks the line directly below it as an expected finding and `// ok: exec-use`
// marks a line the rule must not report, so each annotation has to stay
// immediately above the call it describes. The variables used here are never
// assigned: the file is matched syntactically, not executed.

// Command taken from a variable: not a string literal, so reported.
// ruleid: exec-use
exec($user_input);

// Literal command string: excluded by the rule's pattern-not clause.
// ok: exec-use
exec('whoami');

// ruleid: exec-use
passthru($user_input);

// proc_open: the first argument is the command; the remaining arguments do
// not affect whether the rule matches.
// ruleid: exec-use
$proc = proc_open($cmd, $descriptorspec, $pipes);

// popen with a non-literal command; the mode argument is irrelevant to the rule.
// ruleid: exec-use
$handle = popen($user_input, "r");

// ruleid: exec-use
$output = shell_exec($user_input);

// Same shape as exec(): the optional second argument does not matter.
// ruleid: exec-use
$output = system($user_input, $retval);

// pcntl_exec replaces the current process with the program at $path; a
// non-literal path is reported like the shell-based functions above.
// ruleid: exec-use
pcntl_exec($path);