rspec/rules/S5335/php/rule.adoc

== Why is this an issue?

User-provided data such as URL parameters, POST data payloads or cookies should always be considered untrusted and tainted. Constructing include statements based on  data supplied by the user could enable an attacker to control which files are included. If the attacker has the ability to upload files to the system, then arbitrary code could be executed. This could enable a wide range of serious attacks like accessing/modifying sensitive information or gain full system access.


The mitigation strategy should be based on whitelisting of allowed values or casting to safe types.


=== Noncompliant code example

[source,php]
----
$filename = $_GET["filename"];
include $filename . ".php";
----


=== Compliant solution

[source,php]
----
$filename = $_GET["filename"];
if (in_array($filename, $whitelist)) {
  include $filename . ".php";
}
----

== Resources

* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
* https://cwe.mitre.org/data/definitions/97[MITRE, CWE-97] - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
* https://cwe.mitre.org/data/definitions/98[MITRE, CWE-98] - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
* https://cwe.mitre.org/data/definitions/829[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere
* https://www.sans.org/top25-software-errors/#cat2[SANS Top 25] - Risky Resource Management


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Refactor this code to not use tainted, user-controlled data in include statements.


=== Highlighting

"[varname]" is tainted (assignments and parameters)

this argument is tainted (method invocations)

the returned value is tainted (returns & method invocations results)


endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Modify Rules: Multiple typo on missing hyphens (#660) 2021-12-13 16:18:55 +01:00			`User-provided data such as URL parameters, POST data payloads or cookies should always be considered untrusted and tainted. Constructing include statements based on data supplied by the user could enable an attacker to control which files are included. If the attacker has the ability to upload files to the system, then arbitrary code could be executed. This could enable a wide range of serious attacks like accessing/modifying sensitive information or gain full system access.`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00

			`The mitigation strategy should be based on whitelisting of allowed values or casting to safe types.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`$filename = $_GET["filename"];`
			`include $filename . ".php";`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`$filename = $_GET["filename"];`
			`if (in_array($filename, $whitelist)) {`
			`include $filename . ".php";`
			`}`
			`----`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`== Resources`

			`* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection`
			`* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures`
			`* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection`
			`* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation`
			`* https://cwe.mitre.org/data/definitions/97[MITRE, CWE-97] - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page`
			`* https://cwe.mitre.org/data/definitions/98[MITRE, CWE-98] - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')`
			`* https://cwe.mitre.org/data/definitions/829[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere`
			`* https://www.sans.org/top25-software-errors/#cat2[SANS Top 25] - Risky Resource Management`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Refactor this code to not use tainted, user-controlled data in include statements.`


			`=== Highlighting`

			`"[varname]" is tainted (assignments and parameters)`

			`this argument is tainted (method invocations)`

			`the returned value is tainted (returns & method invocations results)`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00

			`endif::env-github,rspecator-view[]`