php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval

Author: semgrep

Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (e) evaluates the replacement argument as code.

Definition

rules:
  - id: mb-ereg-replace-eval
    patterns:
      - pattern: mb_ereg_replace($PATTERN, $REPL, $STR, $OPTIONS);
      - pattern-not: mb_ereg_replace($PATTERN, $REPL, $STR, "...");
    message: Calling mb_ereg_replace with user input in the options can lead to
      arbitrary code execution. The eval modifier (`e`) evaluates the
      replacement argument as code.
    metadata:
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      references:
        - https://www.php.net/manual/en/function.mb-ereg-replace.php
        - https://www.php.net/manual/en/function.mb-regex-set-options.php
      category: security
      technology:
        - php
      owasp:
        - A03:2021 - Injection
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    languages:
      - php
    severity: ERROR

Examples

mb-ereg-replace-eval.php

<?php

// ruleid: mb-ereg-replace-eval
mb_ereg_replace($pattern, $replacement, $string, $user_input_options);

// ok: mb-ereg-replace-eval
mb_ereg_replace($pattern, $replacement, $string, "msr");

// ok: mb-ereg-replace-eval
mb_ereg_replace($pattern, $replacement, $string);
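The rule can only tell a literal options string from a variable one; it cannot see whether a variable was validated. The following is an added example, not part of the rule or its test file, showing the validation a reviewer would look for when the finding is triaged: the caller-supplied options are reduced to an assumed allowlist of harmless modifiers, so the eval modifier can never reach mb_ereg_replace.

```php
<?php
// Added example (not from the Semgrep rule or its tests): bound a
// user-controlled mb_ereg options string to a fixed allowlist so the
// "e" (eval) modifier can never be passed to mb_ereg_replace.

// Assumed allowlist: i (case-insensitive), x (extended), m (multiline),
// s (dot matches newline), p (posix), l (longest), n (ignore empty).
// "e" is deliberately absent.
const SAFE_MB_EREG_OPTIONS = ['i', 'x', 'm', 's', 'p', 'l', 'n'];

/**
 * Return only allowlisted modifier characters; reject anything else
 * (including "e") instead of silently stripping it, so the caller learns
 * that the request was tampered with or malformed.
 */
function safe_mb_ereg_options(string $requested): string
{
    if ($requested === '') {
        return '';
    }
    $kept = '';
    foreach (str_split($requested) as $ch) {
        if (!in_array($ch, SAFE_MB_EREG_OPTIONS, true)) {
            throw new InvalidArgumentException("Unsupported mb_ereg option: $ch");
        }
        $kept .= $ch;
    }
    return $kept;
}

/**
 * Wrapper that takes untrusted options. Semgrep will still flag the call
 * inside (the fourth argument is a variable); the allowlist above is the
 * evidence a reviewer needs to close the finding as not exploitable.
 */
function replace_with_user_options(string $pattern, string $replacement,
                                   string $subject, string $userOptions): string
{
    $options = safe_mb_ereg_options($userOptions);
    $result = mb_ereg_replace($pattern, $replacement, $subject, $options);
    if ($result === false || $result === null) {
        throw new RuntimeException('mb_ereg_replace failed');
    }
    return $result;
}

// Constructed sample input: a harmless option is accepted, "e" is refused.
echo replace_with_user_options('hello', 'hi', 'Hello world', 'i'), "\n";
try {
    replace_with_user_options('hello', 'hi', 'Hello world', 'ie');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```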