feat: path using user input rule

Bearer · Sep 22, 2023 · 7e97d4a · 7e97d4a
1 parent 3903f1a
commit 7e97d4a
Show file tree

Hide file tree

Showing 6 changed files with 2,274 additions and 1 deletion.
diff --git a/.envrc.example b/.envrc.example
@@ -1,2 +1,3 @@
 export BEARER_VERSION=latest
-export BEARER_WORKSPACE=$PWD/../bearer
+export BEARER_WORKSPACE=$PWD/../bearer
+export BEARER_PHP_ENABLED=true
diff --git a/rules/php/lang/path_using_user_input.yml b/rules/php/lang/path_using_user_input.yml
@@ -0,0 +1,123 @@
+imports:
+  - php_shared_lang_user_input
+patterns:
+  - pattern: $<FUNCTION>($<USER_INPUT>$<...>)
+    filters:
+      - variable: FUNCTION
+        values:
+          # filesystem
+          - chgrp
+          - chmod
+          - chown
+          - disk_free_space
+          - diskfreespace
+          - disk_total_space
+          - file
+          - file_exists
+          - file_get_contents
+          - file_put_contents
+          - fileatime
+          - filectime
+          - filegroup
+          - fileinode
+          - filemtime
+          - fileowner
+          - fileperms
+          - filesize
+          - filetype
+          - fopen
+          - is_dir
+          - is_executable
+          - is_file
+          - is_link
+          - is_readable
+          - is_uploaded_file
+          - is_writable
+          - is_writeable
+          - lchgrp
+          - lchown
+          - linkinfo
+          - lstat
+          - mkdir
+          - parse_ini_file
+          - pathinfo
+          - readfile
+          - readlink
+          - rmdir
+          - stat
+          - touch
+          - unlink
+          # directory
+          - chdir
+          - chroot
+          - dir
+          - opendir
+          - scandir
+      - variable: USER_INPUT
+        detection: php_shared_lang_user_input
+        scope: result
+  - pattern: $<FUNCTION>($<ONE>, $<TWO>$<...>)
+    filters:
+      - variable: FUNCTION
+        values:
+          - copy
+          - link
+          - rename
+          - symlink
+          - tempnam
+      - either:
+          - variable: ONE
+            detection: php_shared_lang_user_input
+            scope: result
+          - variable: TWO
+            detection: php_shared_lang_user_input
+            scope: result
+  - pattern: move_uploaded_file($<_>, $<DESTINATION>)
+    filters:
+      - variable: DESTINATION
+        detection: php_shared_lang_user_input
+        scope: result
+languages:
+  - php
+severity: high
+metadata:
+  description: "Do not use user input to form file paths."
+  remediation_message: |
+    ## Description
+    Using raw unsanitized input when forming filenames or file paths is bad practice.
+    It can lead to path manipulation, by which attackers can gain access to resources outside of the intended scope.
+
+    ## Remediations
+    ❌ Avoid wherever possible
+
+    ✅ Restrict the user input to known values
+
+    ```php
+      $allowed_filenames = array("resource-1", "resource-2");
+      $filename = $_GET["resource_name"];
+
+      if (in_array($filename, $allowed_filenames)) {
+        readfile("/files/${filename}");
+      } else {
+        // filename is unexpected
+      }
+    ```
+
+    ✅ Validate expected file paths
+
+    ```php
+      $path = realpath("/safe/prefix/" . $_GET["resource_name"]);
+      if (str_starts_with($path, "/safe/prefix/")) {
+        readfile($path);
+      } else {
+        // path is unexpected
+      }
+    ```
+
+    ## Resources
+    - [OWASP path traversal attack](https://owasp.org/www-community/attacks/Path_Traversal)
+  cwe_id:
+    - 22
+    - 73
+  id: php_lang_path_using_user_input
+  documentation_url: https://docs.bearer.com/reference/rules/php_lang_path_using_user_input