php.wordpress-plugins.security.audit.wp-file-download-audit.wp-file-download-audit

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

These functions can be used to read to content of the files if the data inside is user-controlled. Don't use the input directly or validate the data properly before passing it to these functions.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: wp-file-download-audit
    patterns:
      - pattern-either:
          - pattern: file(...)
          - pattern: readfile(...)
          - pattern: file_get_contents(...)
    message: These functions can be used to read to content of the files if the data
      inside is user-controlled. Don't use the input directly or validate the
      data properly before passing it to these functions.
    paths:
      include:
        - wp-content/plugins/**/*.php
    languages:
      - php
    severity: WARNING
    metadata:
      category: security
      confidence: LOW
      likelihood: LOW
      impact: MEDIUM
      subcategory:
        - audit
      technology:
        - Wordpress Plugins
      references:
        - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#file-download
      cwe:
        - "CWE-73: External Control of File Name or Path"
      owasp:
        - A01:2021 - Broken Access Control
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Path Traversal

Examples

wp-file-download-audit.php

<?php

// ruleid: wp-file-download-audit
$json = file_get_contents( 'php://input' );

// ruleid: wp-file-download-audit
readfile($zip_name);

// ruleid: wp-file-download-audit
$localeFunctions = file($functionNamesFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);

// ok: wp-file-download-audit
some_other_function($args);


?>