rspec/rules/S5335/php/rule.adoc

User provided data such as URL parameters, POST data payloads or cookies should always be considered untrusted and tainted. Constructing include statements based on  data supplied by the user could enable an attacker to control which files are included. If the attacker has the ability to upload files to the system, then arbitrary code could be executed. This could enable a wide range of serious attacks like accessing/modifying sensitive information or gain full system access.


The mitigation strategy should be based on whitelisting of allowed values or casting to safe types.


== Noncompliant Code Example

----
$filename = $_GET["filename"];
include $filename . ".php";
----


== Compliant Solution

----
$filename = $_GET["filename"];
if (in_array($filename, $whitelist)) {
  include $filename . ".php";
}
----


== See

* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://cwe.mitre.org/data/definitions/97.html[MITRE, CWE-97] - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
* https://cwe.mitre.org/data/definitions/98.html[MITRE, CWE-98] - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
* https://cwe.mitre.org/data/definitions/829.html[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere
* https://www.sans.org/top25-software-errors/#cat2[SANS Top 25] - Risky Resource Management


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

include::highlighting.adoc[]

endif::env-github,rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`User provided data such as URL parameters, POST data payloads or cookies should always be considered untrusted and tainted. Constructing include statements based on data supplied by the user could enable an attacker to control which files are included. If the attacker has the ability to upload files to the system, then arbitrary code could be executed. This could enable a wide range of serious attacks like accessing/modifying sensitive information or gain full system access.`


			`The mitigation strategy should be based on whitelisting of allowed values or casting to safe types.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Noncompliant Code Example`

			`----`
			`$filename = $_GET["filename"];`
			`include $filename . ".php";`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Compliant Solution`

			`----`
			`$filename = $_GET["filename"];`
			`if (in_array($filename, $whitelist)) {`
			`include $filename . ".php";`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

			`* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection`
			`* https://cwe.mitre.org/data/definitions/97.html[MITRE, CWE-97] - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page`
			`* https://cwe.mitre.org/data/definitions/98.html[MITRE, CWE-98] - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')`
			`* https://cwe.mitre.org/data/definitions/829.html[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere`
			`* https://www.sans.org/top25-software-errors/#cat2[SANS Top 25] - Risky Resource Management`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::message.adoc[]`

			`include::highlighting.adoc[]`

			`endif::env-github,rspecator-view[]`