phpcs-security-audit

Verifed by r2c

Community Favorite

Semgrep

Author

459

Download Count*

LGPL Commons Clause

License

Selected rules from phpcs-security-audit, a security checker for PHP, rewritten in Semgrep.

Run Locally

Rules (10)

php.lang.security.assert-use.assert-use

semgrep

php

Calling assert with user input is equivalent to eval'ing.

php.lang.security.eval-use.eval-use

semgrep

php

Evaluating non-constant commands. This can lead to command injection.

php.lang.security.backticks-use.backticks-use

semgrep

php

Backticks use may lead to command injection vulnerabilities.

php.lang.security.ftp-use.ftp-use

semgrep

php

FTP allows for unencrypted file transfers. Consider using an encrypted alternative.

php.lang.security.mcrypt-use.mcrypt-use

semgrep

php

Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.

php.lang.security.phpinfo-use.phpinfo-use

semgrep

php

The 'phpinfo' function may reveal sensitive information about your environment.

php.lang.security.preg-replace-eval.preg-replace-eval

semgrep

php

This rule has been deprecated, see https://github.com/returntocorp/semgrep-rules/issues/2506.

php.lang.security.weak-crypto.weak-crypto

semgrep

php

Detected usage of weak crypto function. Consider using stronger alternatives.

php.lang.security.exec-use.exec-use

semgrep

php

Executing non-constant commands. This can lead to command injection.

php.lang.security.file-inclusion.file-inclusion

semgrep

php

Detected non-constant file inclusion. This can lead to local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. LFI and RFI could lead to sensitive files being obtained by attackers. Instead, explicitly specify what to include. If that is not a viable solution, validate user input thoroughly.