php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

<- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: tainted-object-instantiation
    languages:
      - php
    severity: WARNING
    message: <- A new object is created where the class name is based on user input.
      This could lead to remote code execution, as it allows to instantiate any
      class in the application.
    metadata:
      cwe:
        - "CWE-470: Use of Externally-Controlled Input to Select Classes or Code
          ('Unsafe Reflection')"
      category: security
      technology:
        - php
      owasp:
        - A03:2021 - Injection
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      subcategory:
        - vuln
      impact: MEDIUM
      likelihood: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern: $_GET
              - pattern: $_POST
              - pattern: $_COOKIE
              - pattern: $_REQUEST
              - pattern: $_SERVER
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern-inside: new $SINK(...)
          - pattern: $SINK

Examples

tainted-object-instantiation.php

<?php

$parts = explode("/", $_SERVER['PATH_INFO']);
$controllerName = $parts[0];

// ruleid: tainted-object-instantiation
$controller = new $controllerName($parts[1]);

// ok: tainted-object-instantiation
$controller = new MyController($controllerName);

// ok: tainted-object-instantiation
$a = "MyController";
$controller = new $a();