feat: add more cases to eval rule

Bearer · Oct 9, 2023 · 346baad · 346baad
1 parent 275a473
commit 346baad
Show file tree

Hide file tree

Showing 4 changed files with 90 additions and 4 deletions.
diff --git a/rules/php/lang/eval_using_user_input.yml b/rules/php/lang/eval_using_user_input.yml
@@ -20,6 +20,16 @@ patterns:
       - variable: USER_INPUT
         detection: php_shared_lang_user_input
         scope: result
+  - pattern: assert($<USER_INPUT>$<...>)
+    filters:
+      - variable: USER_INPUT
+        detection: php_shared_lang_user_input
+        scope: result
+  - pattern: array_map($<USER_INPUT>$<...>)
+    filters:
+      - variable: USER_INPUT
+        detection: php_shared_lang_user_input
+        scope: result
 languages:
   - php
 severity: high

diff --git a/tests/php/lang/eval_using_user_input/__snapshots__/test.js.snap b/tests/php/lang/eval_using_user_input/__snapshots__/test.js.snap
@@ -71,7 +71,7 @@ exports[`php_lang_eval_using_user_input bad 1`] = `
       "snippet": "call_user_func(\\"func_\\" . $_POST[\\"oops\\"], 42)",
       "fingerprint": "43b4511ce098191dea3fa024aa7f66cc_1",
       "old_fingerprint": "2935b68ea0455100c1ee50d53b6d628a_1",
-      "code_extract": "call_user_func(\\"func_\\" . $_POST[\\"oops\\"], 42)"
+      "code_extract": "call_user_func(\\"func_\\" . $_POST[\\"oops\\"], 42);"
     },
     {
       "cwe_ids": [
@@ -106,7 +106,77 @@ exports[`php_lang_eval_using_user_input bad 1`] = `
       "snippet": "call_user_func_array(\\"func_\\" . $_POST[\\"oops\\"], [42])",
       "fingerprint": "43b4511ce098191dea3fa024aa7f66cc_2",
       "old_fingerprint": "2935b68ea0455100c1ee50d53b6d628a_2",
-      "code_extract": "call_user_func_array(\\"func_\\" . $_POST[\\"oops\\"], [42])"
+      "code_extract": "call_user_func_array(\\"func_\\" . $_POST[\\"oops\\"], [42]);"
+    },
+    {
+      "cwe_ids": [
+        "94",
+        "95"
+      ],
+      "id": "php_lang_eval_using_user_input",
+      "title": "Potential command injection with user input detected.",
+      "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n",
+      "documentation_url": "https://docs.bearer.com/reference/rules/php_lang_eval_using_user_input",
+      "line_number": 8,
+      "full_filename": "/tmp/bearer-scan/bad.php",
+      "filename": ".",
+      "source": {
+        "start": 8,
+        "end": 8,
+        "column": {
+          "start": 1,
+          "end": 31
+        }
+      },
+      "sink": {
+        "start": 8,
+        "end": 8,
+        "column": {
+          "start": 1,
+          "end": 31
+        },
+        "content": "assert($_POST[\\"oops\\"], \\"oops\\")"
+      },
+      "parent_line_number": 8,
+      "snippet": "assert($_POST[\\"oops\\"], \\"oops\\")",
+      "fingerprint": "43b4511ce098191dea3fa024aa7f66cc_3",
+      "old_fingerprint": "2935b68ea0455100c1ee50d53b6d628a_3",
+      "code_extract": "assert($_POST[\\"oops\\"], \\"oops\\");"
+    },
+    {
+      "cwe_ids": [
+        "94",
+        "95"
+      ],
+      "id": "php_lang_eval_using_user_input",
+      "title": "Potential command injection with user input detected.",
+      "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n",
+      "documentation_url": "https://docs.bearer.com/reference/rules/php_lang_eval_using_user_input",
+      "line_number": 9,
+      "full_filename": "/tmp/bearer-scan/bad.php",
+      "filename": ".",
+      "source": {
+        "start": 9,
+        "end": 9,
+        "column": {
+          "start": 1,
+          "end": 34
+        }
+      },
+      "sink": {
+        "start": 9,
+        "end": 9,
+        "column": {
+          "start": 1,
+          "end": 34
+        },
+        "content": "array_map($_POST[\\"oops\\"], $array)"
+      },
+      "parent_line_number": 9,
+      "snippet": "array_map($_POST[\\"oops\\"], $array)",
+      "fingerprint": "43b4511ce098191dea3fa024aa7f66cc_4",
+      "old_fingerprint": "2935b68ea0455100c1ee50d53b6d628a_4",
+      "code_extract": "array_map($_POST[\\"oops\\"], $array);"
     }
   ]
 }"

diff --git a/tests/php/lang/eval_using_user_input/testdata/bad.php b/tests/php/lang/eval_using_user_input/testdata/bad.php
@@ -2,5 +2,8 @@
 
 eval("echo " . $_GET["oops"]);
 
-call_user_func("func_" . $_POST["oops"], 42)
-call_user_func_array("func_" . $_POST["oops"], [42])
+call_user_func("func_" . $_POST["oops"], 42);
+call_user_func_array("func_" . $_POST["oops"], [42]);
+
+assert($_POST["oops"], "oops");
+array_map($_POST["oops"], $array);
diff --git a/tests/php/lang/eval_using_user_input/testdata/ok.php b/tests/php/lang/eval_using_user_input/testdata/ok.php
@@ -4,3 +4,6 @@
 
 call_user_func("func_" . $ok, 42)
 call_user_func_array("func_" . $ok, [42])
+
+assert($ok, "ok");
+array_map($ok, $array);