rspec/rules/S6346/php/rule.adoc

WordPress has a database repair and optimization mode that can be activated by setting `WP_ALLOW_REPAIR` to `true` in the configuration.

If activated, the repair page can be accessed by any user, authenticated or not. This makes sense because if the database is corrupted, the authentication mechanism might not work. 

Malicious users could trigger this potentially costly operation repeatadly slowing down the website, and making it unavailable.

== Ask Yourself Whether
* The database is not currently corrupted.

There is a risk if you answered yes to this question.

== Recommended Secure Coding Practices

It's recommended to enable automatic database repair mode only in case of database corruption. This feature should be deactivated again when the database issue is resolved.

== Noncompliant Code Example

----
define( 'WP_ALLOW_REPAIR', true ); // Sensitive
----

== Compliant Solution

----
// The default value is false, so the value does not have to be expilicitly set.
define( 'WP_ALLOW_REPAIR', false );
----

== See

* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
* https://wordpress.org/support/article/editing-wp-config-php/#automatic-database-optimizing[wordpress.org] - Automatic Database Optimizing
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
Create rule S6346: Allowing unauthenticated database repair in WordPress is security-sensitive (#244) * Create rule S6346 * Add description * Type and title * Address review comments Co-authored-by: karim-ouerghemmi-sonarsource <karim-ouerghemmi-sonarsource@users.noreply.github.com> Co-authored-by: Karim El Ouerghemmi <64004037+karim-ouerghemmi-sonarsource@users.noreply.github.com> Co-authored-by: Karim El Ouerghemmi <karim.ouerghemmi@sonarsource.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-08-13 11:56:50 +00:00			WordPress has a database repair and optimization mode that can be activated by setting `WP_ALLOW_REPAIR` to `true` in the configuration.

			`If activated, the repair page can be accessed by any user, authenticated or not. This makes sense because if the database is corrupted, the authentication mechanism might not work.`

			`Malicious users could trigger this potentially costly operation repeatadly slowing down the website, and making it unavailable.`

			`== Ask Yourself Whether`
			`* The database is not currently corrupted.`

			`There is a risk if you answered yes to this question.`

			`== Recommended Secure Coding Practices`

			`It's recommended to enable automatic database repair mode only in case of database corruption. This feature should be deactivated again when the database issue is resolved.`

			`== Noncompliant Code Example`

			`----`
			`define( 'WP_ALLOW_REPAIR', true ); // Sensitive`
			`----`

			`== Compliant Solution`

			`----`
			`// The default value is false, so the value does not have to be expilicitly set.`
			`define( 'WP_ALLOW_REPAIR', false );`
			`----`

			`== See`

RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration`
			`* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures`
Create rule S6346: Allowing unauthenticated database repair in WordPress is security-sensitive (#244) * Create rule S6346 * Add description * Type and title * Address review comments Co-authored-by: karim-ouerghemmi-sonarsource <karim-ouerghemmi-sonarsource@users.noreply.github.com> Co-authored-by: Karim El Ouerghemmi <64004037+karim-ouerghemmi-sonarsource@users.noreply.github.com> Co-authored-by: Karim El Ouerghemmi <karim.ouerghemmi@sonarsource.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-08-13 11:56:50 +00:00			`* https://wordpress.org/support/article/editing-wp-config-php/#automatic-database-optimizing[wordpress.org] - Automatic Database Optimizing`
			`* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration`