#php
Rulesets (4)
Selected rules from phpcs-security-audit, a security checker for PHP, rewritten in Semgrep.
Default ruleset for PHP, curated by Semgrep.
PHP Laravel framework ruleset by Semgrep
Wordpress audit ruleset, ported from WPScan
Rules (88)
semgrepStatic IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.
semgrepThis code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepThe function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens.
semgrepDetected string concatenation with a non-literal variable in a Doctrine DBAL query method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.
semgrep`Printing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.
semgrepExecuting non-constant commands. This can lead to command injection. You should use `escapeshellarg()` when using command.
semgrep`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.
semgrepCalling assert with user input is equivalent to eval'ing.
semgrepCalling assert with user input is equivalent to eval'ing.
semgrepThe function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`.
semgrepBackticks use may lead to command injection vulnerabilities.
semgrepSSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)
semgrepDo not call 'extract()' on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.
semgrepEvaluating non-constant commands. This can lead to command injection.
semgrepExecuting non-constant commands. This can lead to command injection.
semgrepDetected non-constant file inclusion. This can lead to local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. LFI and RFI could lead to sensitive files being obtained by attackers. Instead, explicitly specify what to include. If that is not a viable solution, validate user input thoroughly.
semgrepFTP allows for unencrypted file transfers. Consider using an encrypted alternative.
semgrepFile name based on user input risks server-side request forgery.
semgrep<- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application.
semgrepUser data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server runnig this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host.
semgrepDetected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP.
semgrepCalling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code.
semgrepMcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.
semgrepMake sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues
semgrepIt looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.
semgrepAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
semgrepThe web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Dangerous function $FUNCS with payload $DATA
semgrepThe 'phpinfo' function may reveal sensitive information about your environment.
semgrepRedirecting to the current request URL may redirect to another domain, if the current path starts with two slashes. E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI is //attacker.com, and redirecting to it will redirect to that domain.
semgrepUsing user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
semgrepCalling `unserialize()` with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).
semgrepDetected usage of weak crypto function. Consider using stronger alternatives.
semgrepFound an instance setting the APP_DEBUG environment variable to true. In your production environment, this should always be false. Otherwise, you risk exposing sensitive configuration values to potential attackers. Instead, set this to false.
semgrepHTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.
semgrepFound a configuration file where the HttpOnly attribute is not set to true. Setting `http_only` to true makes sure that your cookies are inaccessible from Javascript, which mitigates XSS attacks. Instead, set the 'http_only' like so: `http_only` => true
semgrepFound a configuration file where the lifetime attribute is over 30 minutes.
semgrepFound a configuration file where the domain attribute is not set to null. It is recommended (unless you are using sub-domain route registrations) to set this attribute to null so that only the same origin can set the cookie, thus protecting your cookies.
semgrepFound a configuration file where the same_site attribute is not set to 'lax' or 'strict'. Setting 'same_site' to 'lax' or 'strict' restricts cookies to a first-party or same-site context, which will protect your cookies and prevent CSRF.
semgrepFound a configuration file where the secure attribute is not set to 'true'. Setting 'secure' to 'true' prevents the client from transmitting the cookie over unencrypted channels and therefore prevents cookies from being stolen through man in the middle attacks.
semgrepSetting `$guarded` to an empty array allows mass assignment to every property in a Laravel model. This explicitly overrides Eloquent's safe-by-default mass assignment protections.
semgrepDetected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.
semgrepFound a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection.
semgrepCSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`.
semgrepThe `redirect()` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. Consider using literal values or an allowlist to validate URLs.
semgrepAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
semgrepThese hooks allow the developer to handle the custom AJAX endpoints."wp_ajax_$action" hook get fires for any authenticated user and "wp_ajax_nopriv_$action" hook get fires for non-authenticated users.
semgrepThese are some of the patterns used for authorisation. Look properly if the authorisation is proper or not.
semgrepThese functions can lead to code injection if the data inside them is user-controlled. Don't use the input directly or validate the data properly before passing it to these functions.
semgrepThese functions can lead to command execution if the data inside them is user-controlled. Don't use the input directly or validate the data properly before passing it to these functions.
semgrepPassing false or 0 as the third argument to this function will not cause the script to die, making the check useless.
semgrepThese functions can be used to read to content of the files if the data inside is user-controlled. Don't use the input directly or validate the data properly before passing it to these functions.
semgrepThis function can be used to redirect to user supplied URLs. If user input is not sanitised or validated, this could lead to Open Redirect vulnerabilities. Use "wp_safe_redirect()" to prevent this kind of attack.
semgrepIf the data used inside the patterns are directly used without proper sanitization, then this could lead to PHP Object Injection. Do not use these function with user-supplied input, use JSON functions instead.
semgrepDetected unsafe API methods. This could lead to SQL Injection if the used variable in the functions are user controlled and not properly escaped or sanitized. In order to prevent SQL Injection, use safe api methods like "$wpdb->prepare" properly or escape/sanitize the data properly.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepSession key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.
semgrep`Echo`ing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.
semgrepUser data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id, label) VALUES (?, ?)");`) or a safe library.
semgrepThese functions can lead to Local File Inclusion (LFI) or Remote File Inclusion (RFI) if the data inside is user-controlled. Validate the data properly before passing it to these functions.
semgrepThese functions can be used to delete the files if the data inside the functions are user controlled. Use these functions carefully.