php

r2c

Author

unknown

Download Count*

LGPL Commons Clause

License

Default ruleset for PHP, curated by r2c.

Run Locally

Rules (44)

php.lang.security.assert-use.assert-use

returntocorp

Calling assert with user input is equivalent to eval'ing.

php.lang.security.phpinfo-use.phpinfo-use

returntocorp

The 'phpinfo' function may reveal sensitive information about your environment.

php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off

returntocorp

SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)

php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query

returntocorp

`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.

php.lang.security.deserialization.extract-user-data

returntocorp

Do not call 'extract()' on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.

php.lang.security.injection.echoed-request.echoed-request

returntocorp

`Echo`ing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.

php.lang.security.injection.tainted-filename.tainted-filename

returntocorp

File name based on user input risks server-side request forgery.

php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation

returntocorp

<- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application.

php.lang.security.injection.tainted-sql-string.tainted-sql-string

returntocorp

User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id, label) VALUES (?, ?)");`) or a safe library.

php.lang.security.injection.tainted-url-host.tainted-url-host

returntocorp

User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server runnig this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host.

php.lang.security.md5-used-as-password.md5-used-as-password

returntocorp

It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.

php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv

returntocorp

Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.

php.lang.security.redirect-to-request-uri.redirect-to-request-uri

returntocorp

Redirecting to the current request URL may redirect to another domain, if the current path starts with two slashes. E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI is //attacker.com, and redirecting to it will redirect to that domain.