php.lang.security.unlink-use.unlink-use

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Using user input when deleting files with unlink() is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: unlink-use
    patterns:
      - pattern: unlink(...)
      - pattern-not: unlink("...",...)
    message: Using user input when deleting files with `unlink()` is potentially
      dangerous. A malicious actor could use this to modify or access files they
      have no right to.
    metadata:
      references:
        - https://www.php.net/manual/en/function.unlink
        - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html
      category: security
      technology:
        - php
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory
          ('Path Traversal')"
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Path Traversal
    languages:
      - php
    severity: WARNING

Examples

unlink-use.php

<?php

$data = $_GET["data"];
// ruleid: unlink-use
unlink("/storage/" . $data . "/test");

// ok: unlink-use
unlink('/storage/foobar/test');