phpcs-security-audit

Verifed by r2c

Community Favorite

r2c

Author

459

Download Count*

LGPL Commons Clause

License

Selected rules from phpcs-security-audit, a security checker for PHP, rewritten in Semgrep.

Run Locally

Rules (10)

php.lang.security.assert-use.assert-use

returntocorp

php

Calling assert with user input is equivalent to eval'ing.

php.lang.security.eval-use.eval-use

returntocorp

php

Evaluating non-constant commands. This can lead to command injection.

php.lang.security.backticks-use.backticks-use

returntocorp

php

Backticks use may lead to command injection vulnerabilities.

php.lang.security.ftp-use.ftp-use

returntocorp

php

FTP allows for unencrypted file transfers. Consider using an encrypted alternative.

php.lang.security.mcrypt-use.mcrypt-use

returntocorp

php

Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.

php.lang.security.phpinfo-use.phpinfo-use

returntocorp

php

The 'phpinfo' function may reveal sensitive information about your environment.

php.lang.security.preg-replace-eval.preg-replace-eval

returntocorp

php

This rule has been deprecated, see https://github.com/returntocorp/semgrep-rules/issues/2506.

php.lang.security.weak-crypto.weak-crypto

returntocorp

php

Detected usage of weak crypto function. Consider using stronger alternatives.

php.lang.security.exec-use.exec-use

returntocorp

php

Executing non-constant commands. This can lead to command injection.

php.lang.security.file-inclusion.file-inclusion

returntocorp

php

Detected non-constant file inclusion. This can lead to local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. LFI and RFI could lead to sensitive files being obtained by attackers. Instead, explicitly specify what to include. If that is not a viable solution, validate user input thoroughly.