#php
Rulesets (4)
Selected rules from phpcs-security-audit, a security checker for PHP, rewritten in Semgrep.
Default ruleset for PHP, curated by Semgrep.
PHP Laravel framework ruleset by Semgrep
Wordpress audit ruleset, ported from WPScan
Rules (86)

Calling assert with user input is equivalent to eval'ing.

Backticks use may lead to command injection vulnerabilities.

SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)

Evaluating non-constant commands. This can lead to command injection.

Executing non-constant commands. This can lead to command injection.

Detected non-constant file inclusion. This can lead to local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. LFI and RFI could lead to sensitive files being obtained by attackers. Instead, explicitly specify what to include. If that is not a viable solution, validate user input thoroughly.

FTP allows for unencrypted file transfers. Consider using an encrypted alternative.

Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code.

Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.

Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues.

If the data used inside the patterns is directly used without proper sanitization, this could lead to PHP Object Injection. Do not use these functions with user-supplied input; use JSON functions instead.

Detected unsafe API methods. This could lead to SQL Injection if the variables used in these functions are user-controlled and not properly escaped or sanitized. In order to prevent SQL Injection, use safe API methods like "$wpdb->prepare" properly, or escape/sanitize the data properly.

HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.

Insufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.

Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.

User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id, label) VALUES (?, ?)");`) or a safe library.

User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist of approved hosts or hardcode the correct host.

Calling assert with user input is equivalent to eval'ing.

Do not call 'extract()' on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.

It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Dangerous function $FUNCS with payload $DATA

Setting `$guarded` to an empty array allows mass assignment to every property in a Laravel model. This explicitly overrides Eloquent's safe-by-default mass assignment protections.

Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection.

These hooks allow the developer to handle custom AJAX endpoints. The "wp_ajax_$action" hook fires for any authenticated user and the "wp_ajax_nopriv_$action" hook fires for non-authenticated users.

These are some of the patterns used for authorisation. Check carefully whether the authorisation is correct.

These functions can lead to code injection if the data inside them is user-controlled. Don't use the input directly or validate the data properly before passing it to these functions.

These functions can lead to command execution if the data inside them is user-controlled. Don't use the input directly or validate the data properly before passing it to these functions.

Passing false or 0 as the third argument to this function will not cause the script to die, making the check useless.

These functions can be used to read the content of files if the data inside is user-controlled. Don't use the input directly; validate the data properly before passing it to these functions.

This function can be used to redirect to user supplied URLs. If user input is not sanitised or validated, this could lead to Open Redirect vulnerabilities. Use "wp_safe_redirect()" to prevent this kind of attack.

Redirecting to the current request URL may redirect to another domain, if the current path starts with two slashes. E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI is //attacker.com, and redirecting to it will redirect to that domain.

This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.

These functions can be used to delete files if the data inside the functions is user-controlled. Use these functions carefully.

This rule has been deprecated, see https://github.com/returntocorp/semgrep-rules/issues/2506.

File name based on user input risks server-side request forgery.

`Echo`ing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.

These functions can lead to Local File Inclusion (LFI) or Remote File Inclusion (RFI) if the data inside is user-controlled. Validate the data properly before passing it to these functions.

A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows instantiating any class in the application.

Detected string concatenation with a non-literal variable in a Doctrine DBAL query method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.

The `redirect()` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. Consider using literal values or an allowlist to validate URLs.

Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP.

Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.

Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.

`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.

Using user input when setting headers with `header()` is potentially dangerous. This could allow an attacker to inject a new line and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace inside `header()`: '[^\s]+'.

Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.

Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).

CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`.

Detected usage of weak crypto function. Consider using stronger alternatives.

Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.

Found an instance setting the APP_DEBUG environment variable to true. In your production environment, this should always be false. Otherwise, you risk exposing sensitive configuration values to potential attackers. Instead, set this to false.

Found a configuration file where the HttpOnly attribute is not set to true. Setting `http_only` to true makes sure that your cookies are inaccessible from JavaScript, which mitigates XSS attacks. Instead, set 'http_only' like so: `'http_only' => true`

Found a configuration file where the lifetime attribute is over 30 minutes.

Found a configuration file where the domain attribute is not set to null. It is recommended (unless you are using sub-domain route registrations) to set this attribute to null so that only the same origin can set the cookie, thus protecting your cookies.

Found a configuration file where the same_site attribute is not set to 'lax' or 'strict'. Setting 'same_site' to 'lax' or 'strict' restricts cookies to a first-party or same-site context, which will protect your cookies and prevent CSRF.

Found a configuration file where the secure attribute is not set to 'true'. Setting 'secure' to 'true' prevents the client from transmitting the cookie over unencrypted channels and therefore prevents cookies from being stolen through man in the middle attacks.

The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`.

The 'phpinfo' function may reveal sensitive information about your environment.