ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5335/php/rule.adoc
Jamie Anderson 9ee16daa47
Modify rules: Add STIG AS&D 2023-06-08 mappings (#3914) 
* Update JSON schema to include STIG ASD 2023-06-08 mapping

* Update rules to add STIG metadata mappings

---------

Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
2024-05-06 08:56:31 +02:00

132 lines
4.5 KiB
Plaintext
Raw Blame History

== Why is this an issue?
Include injections occur in an application when the application retrieves data from a
user or a third-party service and inserts it into an `include` expression without sanitizing it first.
If an application contains an `include` expression that is vulnerable to injections,
it is exposed to attacks that target the underlying server.
=== What is the potential impact?
A user with malicious intent can create requests that will cause the `include` expression to
leak valuable data or achieve remote code execution on the server's website.
After creating the malicious request, the attacker can attack the servers
affected by this vulnerability without relying on any prerequisites.
The impact depends on the access control measures taken on the target system
OS. In the worst-case scenario, the process runs with root privileges, and
therefore any OS commands or programs may be affected.
Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the vulnerability.
==== Denial of service and data leaks
In this scenario, the attack aims to disrupt the organization's activities and
profit from data leaks.
An attacker could, for example:
* download the internal server's data, most likely to sell it
* modify data, send malware
* stop services or exhaust resources (with fork bombs for example)
This threat is particularly insidious if the attacked organization does not
maintain a disaster recovery plan (DRP).
==== Root privilege escalation and pivot
In this scenario, the attacker can do everything described in the previous
section. The difference is that the attacker also manages to elevate their
privileges to an administrative level and attacks other servers.
Here, the impact depends on how much the target company focuses on its Defense
In Depth. For example, the entire infrastructure can be compromised by a
combination of OS injections and *misconfiguration* of:
* Docker or Kubernetes clusters
* cloud services
* network firewalls and routing
* OS access control
== How to fix it
=== Code examples
==== Noncompliant code example
[source,php,diff-id=1,diff-type=noncompliant]
----
$filename = $_GET["filename"];
include $filename; // Noncompliant
----
==== Compliant solution
[source,php,diff-id=1,diff-type=compliant]
----
$INCLUDE_ALLOW_LIST = [
"home.php",
"dashboard.php",
"profile.php",
"settings.php"
];
$filename = $_GET["filename"];
if (in_array($filename, $INCLUDE_ALLOW_LIST)) {
include $filename;
}
----
=== How does this work?
==== Pre-Approved files
The cleanest way to avoid this defect is to validate the input before using it
in an `include`-type expression.
Create a list of authorized and secure files that you want the application to
be able to load with `include`-type expressions. +
If a user input does not match an entry in this list, it should be rejected
because it is considered unsafe.
*Important note*: The application must do validation on the server side. Not on
client-side front-ends.
== Resources
=== Standards
* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
* OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
* CWE - https://cwe.mitre.org/data/definitions/97[CWE-97 - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page]
* CWE - https://cwe.mitre.org/data/definitions/98[CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')]
* CWE - https://cwe.mitre.org/data/definitions/829[CWE-829 - Inclusion of Functionality from Untrusted Control Sphere]
* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Refactor this code to not use tainted, user-controlled data in include expressions.
=== Highlighting
"[varname]" is tainted (assignments and parameters)
this argument is tainted (method invocations)
the returned value is tainted (returns & method invocations results)
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink