rspec/rules/S6341/php/rule.adoc

WordPress makes it possible to edit theme and plugin files directly in the Administration Screens.
While it may look like an easy way to customize a theme or do a quick change, it's a dangerous feature.
When visiting the theme or plugin editor for the first time, WordPress displays a warning to make it 
clear that using such a feature may break the web site by mistake.
More importantly, users who have access to this feature can trigger the execution of any PHP code 
and may therefore take full control of the WordPress instance.
This security risk could be exploited by an attacker who manages to get access to one of the authorized users.
Setting the `DISALLOW_FILE_EDIT` option to `true` in `wp-config.php` disables this risky feature.
The default value is `false`.

== Ask Yourself Whether

* You really need to use the theme and plugin editors.
* The theme and plugin editors are available to users who cannot be fully trusted.
* There's a chance that the accounts of authorized users get compromised.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

* Modify the theme and plugin files using a local editor and deploy them to the server in a secure way.
* Make sure that `DISALLOW_FILE_EDIT` is defined in `wp-config.php`.
* Make sure that `DISALLOW_FILE_EDIT` is set to `true`.


== Sensitive Code Example

----
define( 'DISALLOW_FILE_EDIT', false ); // Sensitive
----


== Compliant Solution

[source,php]
----
define( 'DISALLOW_FILE_EDIT', true );
----

== See

* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* https://wordpress.org/support/article/editing-wp-config-php/#disable-the-plugin-and-theme-editor[wordpress.org] - Disable the Plugin and Theme Editor
* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
* CWE - https://cwe.mitre.org/data/definitions/94[CWE-94 - Improper Control of Generation of Code ('Code Injection')]
* CWE - https://cwe.mitre.org/data/definitions/95[CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')]
Create rule S6341: WordPress theme and plugin editors are security-sensitive (#236) 2021-08-12 11:19:38 +02:00			`WordPress makes it possible to edit theme and plugin files directly in the Administration Screens.`
			`While it may look like an easy way to customize a theme or do a quick change, it's a dangerous feature.`
			`When visiting the theme or plugin editor for the first time, WordPress displays a warning to make it`
			`clear that using such a feature may break the web site by mistake.`
			`More importantly, users who have access to this feature can trigger the execution of any PHP code`
			`and may therefore take full control of the WordPress instance.`
			`This security risk could be exploited by an attacker who manages to get access to one of the authorized users.`
			Setting the `DISALLOW_FILE_EDIT` option to `true` in `wp-config.php` disables this risky feature.
			The default value is `false`.

			`== Ask Yourself Whether`

			`* You really need to use the theme and plugin editors.`
			`* The theme and plugin editors are available to users who cannot be fully trusted.`
			`* There's a chance that the accounts of authorized users get compromised.`

			`There is a risk if you answered yes to any of those questions.`


			`== Recommended Secure Coding Practices`

			`* Modify the theme and plugin files using a local editor and deploy them to the server in a secure way.`
			* Make sure that `DISALLOW_FILE_EDIT` is defined in `wp-config.php`.
			* Make sure that `DISALLOW_FILE_EDIT` is set to `true`.


			`== Sensitive Code Example`

			`----`
			`define( 'DISALLOW_FILE_EDIT', false ); // Sensitive`
			`----`


			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Create rule S6341: WordPress theme and plugin editors are security-sensitive (#236) 2021-08-12 11:19:38 +02:00			`----`
			`define( 'DISALLOW_FILE_EDIT', true );`
			`----`

			`== See`

Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]`
			`* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]`
			`* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]`
Create rule S6341: WordPress theme and plugin editors are security-sensitive (#236) 2021-08-12 11:19:38 +02:00			`* https://wordpress.org/support/article/editing-wp-config-php/#disable-the-plugin-and-theme-editor[wordpress.org] - Disable the Plugin and Theme Editor`
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]`
			`* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]`
			`* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]`
			`* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]`
			`* CWE - https://cwe.mitre.org/data/definitions/94[CWE-94 - Improper Control of Generation of Code ('Code Injection')]`
Avoid OWASP Top 10 security-standard mismatch between metadata and description links (RULEAPI-798) (#3537) * Add check for security standard mismatch * Fix security standard mismatches * Fix Resources/Standards links for secrets rules * Fix check * Fix links and update security standard mapping * Fix maintanability issue * Apply review suggestions * Apply suggestions from code review Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> * Fix typo Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> --------- Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2024-01-17 17:20:28 +01:00			`* CWE - https://cwe.mitre.org/data/definitions/95[CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')]`