php.lang.security.preg-replace-eval.preg-replace-eval

Author: returntocorp
Downloads: 4,191


Definition

rules:
  - id: preg-replace-eval
    patterns:
      - pattern: a()
      - pattern: b()
    message: This rule has been deprecated, see
      https://github.com/returntocorp/semgrep-rules/issues/2506.
    metadata:
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      references:
        - https://www.php.net/manual/en/function.preg-replace.php
        - https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php
        - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PregReplaceSniff.php
      category: security
      deprecated: true
      technology:
        - php
      owasp:
        - A03:2021 - Injection
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - php
    severity: ERROR

Examples

preg-replace-eval.php

<?php

// Pattern taken from user input: an attacker-controlled pattern could
// carry the /e modifier (deprecated in PHP 5.5, removed in PHP 7.0),
// which makes preg_replace() evaluate the replacement as PHP code.
preg_replace($user_input_pattern, $replacement, $string);

// ok: preg-replace-eval
// Pattern is a string literal without the /e modifier.
preg_replace("/some_regexp/", "replacement", $string_before);

// ok: preg-replace-eval
// Pattern is a literal array of constant patterns.
preg_replace(array("/hello/"), array("world"), "hello world");

$input = array("/constant/");
// ok: preg-replace-eval
// $input is assigned a constant pattern in this file, not taken from user input.
preg_replace($input, array("world"), "hello world");