rspec/rules/S4508/php/rule.adoc

Deserializing objects is security-sensitive. For example, it has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17672[CVE-2017-17672]: vBulletin: Unserialize PHP Code Execution
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000167[CVE-2018-1000167]: Jenkins Pipeline: arbitrary code execution vulnerability

Object deserialization from an untrusted source can lead to unexpected code execution. Deserialization takes a stream of bits and turns it into an object. If the stream contains the type of object you expect, all is well. But if you're deserializing data coming from untrusted input, and an attacker has inserted some other type of object, you're in trouble. Why? https://www.owasp.org/index.php/PHP_Object_Injection[A known attack scenario] involves the creation of a serialized PHP object with crafted attributes which will modify your application's behavior. This attack relies on https://php.net/manual/en/language.oop5.magic.php[PHP magic methods] like ``++__desctruct++``, ``++__wakeup++`` or ``++__string++``. The attacker doesn't necessarily need the source code of the targeted application to exploit the vulnerability, he can also rely on the presence of open-source component and use https://github.com/ambionics/phpggc[tools to craft malicious payloads].

== Ask Yourself Whether

* an attacker could have tampered with the source provided to the deserialization function
* you are using an unsafe deserialization function

You are at risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

To prevent insecure deserialization, it is recommended to:

* Use safe libraries that do not allow code execution at deserialization. 
* Not communicate with the outside world using serialized objects
* Limit access to the serialized source
** if it is a file, restrict the access to it.
** if it comes from the network, restrict who has access to the process, such as with a Firewall or by authenticating the sender first.

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 24 Jul 2018, 15:27:18 Pierre-Yves Nicolas wrote:
CVE-2012-0694 doesn't contain any relevant information: nothing about the fact that it's related to deserialization.

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`Deserializing objects is security-sensitive. For example, it has led in the past to the following vulnerabilities:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17672[CVE-2017-17672]: vBulletin: Unserialize PHP Code Execution`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000167[CVE-2018-1000167]: Jenkins Pipeline: arbitrary code execution vulnerability`

process the in-line code syntax separately 2021-01-28 15:53:33 +01:00			Object deserialization from an untrusted source can lead to unexpected code execution. Deserialization takes a stream of bits and turns it into an object. If the stream contains the type of object you expect, all is well. But if you're deserializing data coming from untrusted input, and an attacker has inserted some other type of object, you're in trouble. Why? https://www.owasp.org/index.php/PHP_Object_Injection[A known attack scenario] involves the creation of a serialized PHP object with crafted attributes which will modify your application's behavior. This attack relies on https://php.net/manual/en/language.oop5.magic.php[PHP magic methods] like ``++__desctruct++``, ``++__wakeup++`` or ``++__string++``. The attacker doesn't necessarily need the source code of the targeted application to exploit the vulnerability, he can also rely on the presence of open-source component and use https://github.com/ambionics/phpggc[tools to craft malicious payloads].
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`== Ask Yourself Whether`

			`* an attacker could have tampered with the source provided to the deserialization function`
			`* you are using an unsafe deserialization function`

			`You are at risk if you answered yes to any of those questions.`

			`== Recommended Secure Coding Practices`

			`To prevent insecure deserialization, it is recommended to:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* Use safe libraries that do not allow code execution at deserialization.`
			`* Not communicate with the outside world using serialized objects`
			`* Limit access to the serialized source`
			`** if it is a file, restrict the access to it.`
			`** if it comes from the network, restrict who has access to the process, such as with a Firewall or by authenticating the sender first.`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 24 Jul 2018, 15:27:18 Pierre-Yves Nicolas wrote:`
			`CVE-2012-0694 doesn't contain any relevant information: nothing about the fact that it's related to deserialization.`

			`include::../comments-and-links.adoc[]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`