php.lang.security.injection.tainted-filename.tainted-filename
semgrepAuthor
unknown
Download Count*
License
File name based on user input risks server-side request forgery.
Run Locally
Run in CI
Defintion
rules:
- id: tainted-filename
severity: WARNING
message: File name based on user input risks server-side request forgery.
metadata:
technology:
- php
category: security
cwe:
- "CWE-918: Server-Side Request Forgery (SSRF)"
owasp:
- A10:2021 - Server-Side Request Forgery (SSRF)
references:
- https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
impact: MEDIUM
likelihood: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Server-Side Request Forgery (SSRF)
languages:
- php
mode: taint
pattern-sources:
- patterns:
- pattern-either:
- pattern: $_GET
- pattern: $_POST
- pattern: $_COOKIE
- pattern: $_REQUEST
- pattern: $_SERVER
pattern-sanitizers:
- patterns:
- pattern-either:
- pattern-inside: basename($PATH, ...)
- pattern-inside: linkinfo($PATH, ...)
- pattern-inside: readlink($PATH, ...)
- pattern-inside: realpath($PATH, ...)
pattern-sinks:
- patterns:
- pattern-either:
- pattern-inside: opcache_compile_file($FILENAME, ...)
- pattern-inside: opcache_invalidate($FILENAME, ...)
- pattern-inside: opcache_is_script_cached($FILENAME, ...)
- pattern-inside: runkit7_import($FILENAME, ...)
- pattern-inside: readline_read_history($FILENAME, ...)
- pattern-inside: readline_write_history($FILENAME, ...)
- pattern-inside: rar_open($FILENAME, ...)
- pattern-inside: zip_open($FILENAME, ...)
- pattern-inside: gzfile($FILENAME, ...)
- pattern-inside: gzopen($FILENAME, ...)
- pattern-inside: readgzfile($FILENAME, ...)
- pattern-inside: hash_file($ALGO, $FILENAME, ...)
- pattern-inside: hash_update_file($CONTEXT, $FILENAME, ...)
- pattern-inside: pg_trace($FILENAME, ...)
- pattern-inside: dio_open($FILENAME, ...)
- pattern-inside: finfo_file($FINFO, $FILENAME, ...)
- pattern-inside: mime_content_type($FILENAME, ...)
- pattern-inside: chgrp($FILENAME, ...)
- pattern-inside: chmod($FILENAME, ...)
- pattern-inside: chown($FILENAME, ...)
- pattern-inside: clearstatcache($CLEAR_REALPATH_CACHE, $FILENAME, ...)
- pattern-inside: file_exists($FILENAME, ...)
- pattern-inside: file_get_contents($FILENAME, ...)
- pattern-inside: file_put_contents($FILENAME, ...)
- pattern-inside: file($FILENAME, ...)
- pattern-inside: fileatime($FILENAME, ...)
- pattern-inside: filectime($FILENAME, ...)
- pattern-inside: filegroup($FILENAME, ...)
- pattern-inside: fileinode($FILENAME, ...)
- pattern-inside: filemtime($FILENAME, ...)
- pattern-inside: fileowner($FILENAME, ...)
- pattern-inside: fileperms($FILENAME, ...)
- pattern-inside: filesize($FILENAME, ...)
- pattern-inside: filetype($FILENAME, ...)
- pattern-inside: fnmatch($PATTERN, $FILENAME, ...)
- pattern-inside: fopen($FILENAME, ...)
- pattern-inside: is_dir($FILENAME, ...)
- pattern-inside: is_executable($FILENAME, ...)
- pattern-inside: is_file($FILENAME, ...)
- pattern-inside: is_link($FILENAME, ...)
- pattern-inside: is_readable($FILENAME, ...)
- pattern-inside: is_uploaded_file($FILENAME, ...)
- pattern-inside: is_writable($FILENAME, ...)
- pattern-inside: lchgrp($FILENAME, ...)
- pattern-inside: lchown($FILENAME, ...)
- pattern-inside: lstat($FILENAME, ...)
- pattern-inside: parse_ini_file($FILENAME, ...)
- pattern-inside: readfile($FILENAME, ...)
- pattern-inside: stat($FILENAME, ...)
- pattern-inside: touch($FILENAME, ...)
- pattern-inside: unlink($FILENAME, ...)
- pattern-inside: xattr_get($FILENAME, ...)
- pattern-inside: xattr_list($FILENAME, ...)
- pattern-inside: xattr_remove($FILENAME, ...)
- pattern-inside: xattr_set($FILENAME, ...)
- pattern-inside: xattr_supported($FILENAME, ...)
- pattern-inside: enchant_broker_request_pwl_dict($BROKER, $FILENAME, ...)
- pattern-inside: pspell_config_personal($CONFIG, $FILENAME, ...)
- pattern-inside: pspell_config_repl($CONFIG, $FILENAME, ...)
- pattern-inside: pspell_new_personal($FILENAME, ...)
- pattern-inside: exif_imagetype($FILENAME, ...)
- pattern-inside: getimagesize($FILENAME, ...)
- pattern-inside: image2wbmp($IMAGE, $FILENAME, ...)
- pattern-inside: imagecreatefromavif($FILENAME, ...)
- pattern-inside: imagecreatefrombmp($FILENAME, ...)
- pattern-inside: imagecreatefromgd2($FILENAME, ...)
- pattern-inside: imagecreatefromgd2part($FILENAME, ...)
- pattern-inside: imagecreatefromgd($FILENAME, ...)
- pattern-inside: imagecreatefromgif($FILENAME, ...)
- pattern-inside: imagecreatefromjpeg($FILENAME, ...)
- pattern-inside: imagecreatefrompng($FILENAME, ...)
- pattern-inside: imagecreatefromtga($FILENAME, ...)
- pattern-inside: imagecreatefromwbmp($FILENAME, ...)
- pattern-inside: imagecreatefromwebp($FILENAME, ...)
- pattern-inside: imagecreatefromxbm($FILENAME, ...)
- pattern-inside: imagecreatefromxpm($FILENAME, ...)
- pattern-inside: imageloadfont($FILENAME, ...)
- pattern-inside: imagexbm($IMAGE, $FILENAME, ...)
- pattern-inside: iptcembed($IPTC_DATA, $FILENAME, ...)
- pattern-inside: mailparse_msg_extract_part_file($MIMEMAIL, $FILENAME, ...)
- pattern-inside: mailparse_msg_extract_whole_part_file($MIMEMAIL, $FILENAME, ...)
- pattern-inside: mailparse_msg_parse_file($FILENAME, ...)
- pattern-inside: fdf_add_template($FDF_DOCUMENT, $NEWPAGE, $FILENAME, ...)
- pattern-inside: fdf_get_ap($FDF_DOCUMENT, $FIELD, $FACE, $FILENAME, ...)
- pattern-inside: fdf_open($FILENAME, ...)
- pattern-inside: fdf_save($FDF_DOCUMENT, $FILENAME, ...)
- pattern-inside: fdf_set_ap($FDF_DOCUMENT, $FIELD_NAME, $FACE, $FILENAME, ...)
- pattern-inside: ps_add_launchlink($PSDOC, $LLX, $LLY, $URX, $URY, $FILENAME,
...)
- pattern-inside: ps_add_pdflink($PSDOC, $LLX, $LLY, $URX, $URY, $FILENAME, ...)
- pattern-inside: ps_open_file($PSDOC, $FILENAME, ...)
- pattern-inside: ps_open_image_file($PSDOC, $TYPE, $FILENAME, ...)
- pattern-inside: posix_access($FILENAME, ...)
- pattern-inside: posix_mkfifo($FILENAME, ...)
- pattern-inside: posix_mknod($FILENAME, ...)
- pattern-inside: ftok($FILENAME, ...)
- pattern-inside: fann_cascadetrain_on_file($ANN, $FILENAME, ...)
- pattern-inside: fann_read_train_from_file($FILENAME, ...)
- pattern-inside: fann_train_on_file($ANN, $FILENAME, ...)
- pattern-inside: highlight_file($FILENAME, ...)
- pattern-inside: php_strip_whitespace($FILENAME, ...)
- pattern-inside: stream_resolve_include_path($FILENAME, ...)
- pattern-inside: swoole_async_read($FILENAME, ...)
- pattern-inside: swoole_async_readfile($FILENAME, ...)
- pattern-inside: swoole_async_write($FILENAME, ...)
- pattern-inside: swoole_async_writefile($FILENAME, ...)
- pattern-inside: swoole_load_module($FILENAME, ...)
- pattern-inside: tidy_parse_file($FILENAME, ...)
- pattern-inside: tidy_repair_file($FILENAME, ...)
- pattern-inside: get_meta_tags($FILENAME, ...)
- pattern-inside: yaml_emit_file($FILENAME, ...)
- pattern-inside: yaml_parse_file($FILENAME, ...)
- pattern-inside: curl_file_create($FILENAME, ...)
- pattern-inside: ftp_chmod($FTP, $PERMISSIONS, $FILENAME, ...)
- pattern-inside: ftp_delete($FTP, $FILENAME, ...)
- pattern-inside: ftp_mdtm($FTP, $FILENAME, ...)
- pattern-inside: ftp_size($FTP, $FILENAME, ...)
- pattern-inside: rrd_create($FILENAME, ...)
- pattern-inside: rrd_fetch($FILENAME, ...)
- pattern-inside: rrd_graph($FILENAME, ...)
- pattern-inside: rrd_info($FILENAME, ...)
- pattern-inside: rrd_last($FILENAME, ...)
- pattern-inside: rrd_lastupdate($FILENAME, ...)
- pattern-inside: rrd_tune($FILENAME, ...)
- pattern-inside: rrd_update($FILENAME, ...)
- pattern-inside: snmp_read_mib($FILENAME, ...)
- pattern-inside: ssh2_sftp_chmod($SFTP, $FILENAME, ...)
- pattern-inside: ssh2_sftp_realpath($SFTP, $FILENAME, ...)
- pattern-inside: ssh2_sftp_unlink($SFTP, $FILENAME, ...)
- pattern-inside: apache_lookup_uri($FILENAME, ...)
- pattern-inside: md5_file($FILENAME, ...)
- pattern-inside: sha1_file($FILENAME, ...)
- pattern-inside: simplexml_load_file($FILENAME, ...)
- pattern: $FILENAME
Examples
tainted-filename.php
<?php
$tainted = $_GET["tainted"];
// ruleid: tainted-filename
hash_file('sha1', $tainted);
// ruleid: tainted-filename
file($tainted);
// ok: tainted-filename
hash_file($tainted, 'file.txt');
// ruleid: tainted-filename
file(dirname($tainted));
// Sanitized
// ok: tainted-filename
file(basename($tainted));
Short Link: https://sg.run/Ayqp