php.wordpress-plugins.security.audit.wp-php-object-injection-audit.wp-php-object-injection-audit

Author
unknown

If the data passed to the matched functions is used directly without proper sanitization, this can lead to PHP Object Injection. Do not use these functions with user-supplied input; use JSON functions instead.

Definition

rules:
  - id: wp-php-object-injection-audit
    patterns:
      - pattern-either:
          - pattern: unserialize(...)
          - pattern: maybe_unserialize(...)
    message: If the data used inside the patterns are directly used without proper
      sanitization, then this could lead to PHP Object Injection. Do not use
      these function with user-supplied input, use JSON functions instead.
    paths:
      include:
        - wp-content/plugins/**/*.php
    languages:
      - php
    severity: WARNING
    metadata:
      category: security
      confidence: LOW
      likelihood: LOW
      impact: HIGH
      subcategory:
        - audit
      technology:
        - Wordpress Plugins
      references:
        - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#php-object-injection
        - https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A03:2021 - Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "

Examples

wp-php-object-injection-audit.php

<?php

// ruleid: wp-php-object-injection-audit
$content = unserialize($_POST['post_content']);

// ruleid: wp-php-object-injection-audit
$rank_math=unserialize($rank_value);

// ruleid: wp-php-object-injection-audit
$import_options = maybe_unserialize($import->options);

// ruleid: wp-php-object-injection-audit
$data = unserialize(base64_decode($var));

// ok: wp-php-object-injection-audit
$data = serialize(base64_encode($var));

?>
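As an added example (hypothetical plugin code, not part of the Semgrep rule or its test file), the following shows the pattern the rule flags in a plugin settings handler next to the JSON-based fix the rule's message recommends, plus a fallback for legacy serialized data that forbids object instantiation with PHP's `allowed_classes` option. The function and option names are assumed; `wp_unslash()`, `sanitize_text_field()` and `update_option()` are WordPress core functions and must be available when this runs.

```php
<?php
// Added example (hypothetical plugin code, not from the Semgrep rule or its tests).
// Assumes the WordPress functions wp_unslash(), sanitize_text_field() and
// update_option() are loaded, i.e. the file runs inside WordPress.

// Flagged by the rule: the request body reaches unserialize() unchanged, so a
// request can instantiate any loaded class with attacker-chosen properties and
// trigger its __wakeup()/__destruct() logic (PHP Object Injection, CWE-502).
function example_save_settings_unsafe(): void {
    // ruleid: wp-php-object-injection-audit
    $settings = unserialize(wp_unslash($_POST['settings'] ?? ''));
    update_option('example_plugin_settings', $settings);
}

// Preferred fix: carry settings as JSON. json_decode() never creates objects
// of application classes, and the decoded shape is checked before persisting.
function example_save_settings_json(): bool {
    $raw = wp_unslash($_POST['settings'] ?? '');
    $decoded = json_decode($raw, true, 8);            // assoc arrays only, depth 8
    if (!is_array($decoded) || json_last_error() !== JSON_ERROR_NONE) {
        return false;                                 // reject malformed input
    }
    $settings = [
        'title'   => sanitize_text_field($decoded['title'] ?? ''),
        'enabled' => (bool) ($decoded['enabled'] ?? false),
    ];
    return update_option('example_plugin_settings', $settings);
}

// Fallback for legacy serialized data that cannot be migrated yet: refuse to
// instantiate any class. Objects in the blob come back as
// __PHP_Incomplete_Class placeholders, whose original magic methods never run.
// The rule's unserialize(...) pattern still matches this call (it is an audit
// rule with no data-flow analysis), so the reviewed call is suppressed inline.
function example_decode_legacy(string $blob) {
    $value = unserialize($blob, ['allowed_classes' => false]); // nosemgrep: wp-php-object-injection-audit
    // unserialize() returns false both on failure and for a serialized false,
    // so distinguish the two before treating the result as an error.
    if ($value === false && $blob !== 'b:0;') {
        return null;
    }
    return $value;
}
```

Because the rule matches every `unserialize(...)` and `maybe_unserialize(...)` call regardless of where the argument comes from, each finding still needs a manual check of whether the input is user-controlled; the `allowed_classes` option removes the object-instantiation risk but does not validate the decoded data.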