rspec/rules/S5335/php/rule.adoc

== Why is this an issue?

User-provided data such as URL parameters, POST data payloads or cookies should always be considered untrusted and tainted. Constructing include statements based on  data supplied by the user could enable an attacker to control which files are included. If the attacker has the ability to upload files to the system, then arbitrary code could be executed. This could enable a wide range of serious attacks like accessing/modifying sensitive information or gain full system access.


The mitigation strategy should be based on whitelisting of allowed values or casting to safe types.


=== Noncompliant code example

[source,php]
----
$filename = $_GET["filename"];
include $filename . ".php";
----


=== Compliant solution

[source,php]
----
$filename = $_GET["filename"];
if (in_array($filename, $whitelist)) {
  include $filename . ".php";
}
----

include::see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

include::highlighting.adoc[]

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Modify Rules: Multiple typo on missing hyphens (#660) 2021-12-13 16:18:55 +01:00			`User-provided data such as URL parameters, POST data payloads or cookies should always be considered untrusted and tainted. Constructing include statements based on data supplied by the user could enable an attacker to control which files are included. If the attacker has the ability to upload files to the system, then arbitrary code could be executed. This could enable a wide range of serious attacks like accessing/modifying sensitive information or gain full system access.`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00

			`The mitigation strategy should be based on whitelisting of allowed values or casting to safe types.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`$filename = $_GET["filename"];`
			`include $filename . ".php";`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`$filename = $_GET["filename"];`
			`if (in_array($filename, $whitelist)) {`
			`include $filename . ".php";`
			`}`
			`----`

Update CWE mapping (#534) 2021-10-28 10:07:16 +02:00			`include::see.adoc[]`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::message.adoc[]`

			`include::highlighting.adoc[]`

			`endif::env-github,rspecator-view[]`