feat: session key using user input rules

rules/php/lang/session_key_using_user_input.yml

@@ -0,0 +1,27 @@
+imports:
+  - php_shared_lang_user_input
+patterns:
+  - pattern: $_SESSION[$<USER_INPUT>]
+    filters:
+      - variable: USER_INPUT
+        detection: php_shared_lang_user_input
+        scope: result
+languages:
+  - php
+severity: high
+metadata:
+  description: "User input detected in a session key."
+  remediation_message: |
+    ## Description
+    Using user-defined data in a session key is bad practice and can allow
+    attackers to perform unsafe actions.
+
+    ## Remediations
+    ❌ Avoid using user-defined data in session keys
+
+    ## Resources
+    - [OWASP Session management cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
+  cwe_id:
+    - 276
+  id: php_lang_session_key_using_user_input
+  documentation_url: https://docs.bearer.com/reference/rules/php_lang_session_key_using_user_input

rules/php/shared/lang/instance.yml

@@ -2,7 +2,15 @@ type: shared
 languages:
   - php
 patterns:
-  - pattern: new $<CLASS>;
+  - new $<CLASS>;
+  - |
+      class $<_> {
+        public function $<_>($<...>$<CLASS> $<!>$<_>$<...>) {}
+      }
+  - |
+      class $<_> {
+        public function __construct($<...>public $<CLASS> $<!>$<_>$<...>) {}
+      }
 metadata:
   description: "PHP instance."
   id: php_shared_lang_instance

rules/php/symfony/session_key_using_user_input.yml

@@ -0,0 +1,56 @@
+imports:
+  - php_shared_lang_user_input
+  - php_shared_lang_instance
+patterns:
+  - pattern: $<SESSION>->$<METHOD>($<USER_INPUT>$<...>)
+    filters:
+      - variable: SESSION
+        detection: php_symfony_session_key_using_user_input_session
+        scope: cursor
+      - variable: METHOD
+        values:
+          - get
+          - put
+      - variable: USER_INPUT
+        detection: php_shared_lang_user_input
+        scope: result
+auxiliary:
+  - id: php_symfony_session_key_using_user_input_session
+    patterns:
+      - pattern: $<REQUEST_STACK>->getSession()
+        filters:
+          - variable: REQUEST_STACK
+            detection: php_shared_lang_instance
+            scope: cursor
+            filters:
+              - variable: CLASS
+                regex: \A(Symfony\\Component\\HttpFoundation\\)?RequestStack\z
+      - pattern: $<REQUEST>->getSession()
+        filters:
+          - variable: REQUEST
+            detection: php_shared_lang_instance
+            scope: cursor
+            filters:
+              - variable: CLASS
+                regex: \A(Symfony\\Component\\HttpFoundation\\)?Request\z
+      # fallback until we have instance variable support
+      - $<_>->getSession()
+languages:
+  - php
+severity: high
+metadata:
+  description: "User input detected in a session key."
+  remediation_message: |
+    ## Description
+    Using user-defined data in a session key is bad practice and can allow
+    attackers to perform unsafe actions.
+
+    ## Remediations
+    ❌ Avoid using user-defined data in session keys
+
+    ## Resources
+    - [OWASP Session management cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
+  cwe_id:
+    - 276
+  id: php_symfony_session_key_using_user_input
+  documentation_url: https://docs.bearer.com/reference/rules/php_symfony_session_key_using_user_input

tests/php/lang/session_key_using_user_input/__snapshots__/test.js.snap

@@ -0,0 +1,44 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`php_lang_session_key_using_user_input bad 1`] = `
+"{
+  "high": [
+    {
+      "cwe_ids": [
+        "276"
+      ],
+      "id": "php_lang_session_key_using_user_input",
+      "title": "User input detected in a session key.",
+      "description": "## Description\\nUsing user-defined data in a session key is bad practice and can allow\\nattackers to perform unsafe actions.\\n\\n## Remediations\\n❌ Avoid using user-defined data in session keys\\n\\n## Resources\\n- [OWASP Session management cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)\\n",
+      "documentation_url": "https://docs.bearer.com/reference/rules/php_lang_session_key_using_user_input",
+      "line_number": 5,
+      "full_filename": "/tmp/bearer-scan/bad.php",
+      "filename": ".",
+      "source": {
+        "start": 5,
+        "end": 5,
+        "column": {
+          "start": 6,
+          "end": 27
+        }
+      },
+      "sink": {
+        "start": 5,
+        "end": 5,
+        "column": {
+          "start": 6,
+          "end": 27
+        },
+        "content": "$_SESSION[$userInput]"
+      },
+      "parent_line_number": 5,
+      "snippet": "$_SESSION[$userInput]",
+      "fingerprint": "45a4ba0fe307692b0fc18a487074b1d5_0",
+      "old_fingerprint": "5b3a52e61b58df6745c36dd832d1e655_0",
+      "code_extract": "call($_SESSION[$userInput]);"
+    }
+  ]
+}"
+`;
+
+exports[`php_lang_session_key_using_user_input ok 1`] = `"{}"`;

tests/php/lang/session_key_using_user_input/test.js

@@ -0,0 +1,16 @@
+const { createInvoker, getEnvironment } = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+  const invoke = createInvoker(ruleId, ruleFile, testBase)
+
+  test("ok", () => {
+    const testCase = "ok.php"
+    expect(invoke(testCase)).toMatchSnapshot()
+  })
+
+  test("bad", () => {
+    const testCase = "bad.php"
+    expect(invoke(testCase)).toMatchSnapshot()
+  })
+})

tests/php/lang/session_key_using_user_input/testdata/bad.php

@@ -0,0 +1,5 @@
+<?php
+
+$userInput = "thing_" . $_GET["oops"];
+
+call($_SESSION[$userInput]);

tests/php/lang/session_key_using_user_input/testdata/ok.php

@@ -0,0 +1,7 @@
+<?php
+
+$userInput = "thing_" . $_GET["oops"];
+
+call($_SESSION[$ok]);
+
+$_SESSION[$ok] = $userInput;

tests/php/symfony/session_key_using_user_input/__snapshots__/test.js.snap

@@ -0,0 +1,214 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`php_symfony_session_key_using_user_input bad 1`] = `
+"{
+  "high": [
+    {
+      "cwe_ids": [
+        "276"
+      ],
+      "id": "php_symfony_session_key_using_user_input",
+      "title": "User input detected in a session key.",
+      "description": "## Description\\nUsing user-defined data in a session key is bad practice and can allow\\nattackers to perform unsafe actions.\\n\\n## Remediations\\n❌ Avoid using user-defined data in session keys\\n\\n## Resources\\n- [OWASP Session management cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)\\n",
+      "documentation_url": "https://docs.bearer.com/reference/rules/php_symfony_session_key_using_user_input",
+      "line_number": 13,
+      "full_filename": "/tmp/bearer-scan/bad.php",
+      "filename": ".",
+      "source": {
+        "start": 13,
+        "end": 13,
+        "column": {
+          "start": 9,
+          "end": 38
+        }
+      },
+      "sink": {
+        "start": 13,
+        "end": 13,
+        "column": {
+          "start": 9,
+          "end": 38
+        },
+        "content": "$session->get($userInput, [])"
+      },
+      "parent_line_number": 13,
+      "snippet": "$session->get($userInput, [])",
+      "fingerprint": "b08def3e86ed6dc5cba388f51f1f206b_0",
+      "old_fingerprint": "e48a41fc1e83e126fc89b1f1f2a00793_0",
+      "code_extract": "        $session->get($userInput, []);"
+    },
+    {
+      "cwe_ids": [
+        "276"
+      ],
+      "id": "php_symfony_session_key_using_user_input",
+      "title": "User input detected in a session key.",
+      "description": "## Description\\nUsing user-defined data in a session key is bad practice and can allow\\nattackers to perform unsafe actions.\\n\\n## Remediations\\n❌ Avoid using user-defined data in session keys\\n\\n## Resources\\n- [OWASP Session management cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)\\n",
+      "documentation_url": "https://docs.bearer.com/reference/rules/php_symfony_session_key_using_user_input",
+      "line_number": 14,
+      "full_filename": "/tmp/bearer-scan/bad.php",
+      "filename": ".",
+      "source": {
+        "start": 14,
+        "end": 14,
+        "column": {
+          "start": 9,
+          "end": 41
+        }
+      },
+      "sink": {
+        "start": 14,
+        "end": 14,
+        "column": {
+          "start": 9,
+          "end": 41
+        },
+        "content": "$session->put($userInput, $data)"
+      },
+      "parent_line_number": 14,
+      "snippet": "$session->put($userInput, $data)",
+      "fingerprint": "b08def3e86ed6dc5cba388f51f1f206b_1",
+      "old_fingerprint": "e48a41fc1e83e126fc89b1f1f2a00793_1",
+      "code_extract": "        $session->put($userInput, $data);"
+    },
+    {
+      "cwe_ids": [
+        "276"
+      ],
+      "id": "php_symfony_session_key_using_user_input",
+      "title": "User input detected in a session key.",
+      "description": "## Description\\nUsing user-defined data in a session key is bad practice and can allow\\nattackers to perform unsafe actions.\\n\\n## Remediations\\n❌ Avoid using user-defined data in session keys\\n\\n## Resources\\n- [OWASP Session management cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)\\n",
+      "documentation_url": "https://docs.bearer.com/reference/rules/php_symfony_session_key_using_user_input",
+      "line_number": 20,
+      "full_filename": "/tmp/bearer-scan/bad.php",
+      "filename": ".",
+      "source": {
+        "start": 20,
+        "end": 20,
+        "column": {
+          "start": 9,
+          "end": 38
+        }
+      },
+      "sink": {
+        "start": 20,
+        "end": 20,
+        "column": {
+          "start": 9,
+          "end": 38
+        },
+        "content": "$session->get($userInput, [])"
+      },
+      "parent_line_number": 20,
+      "snippet": "$session->get($userInput, [])",
+      "fingerprint": "b08def3e86ed6dc5cba388f51f1f206b_2",
+      "old_fingerprint": "e48a41fc1e83e126fc89b1f1f2a00793_2",
+      "code_extract": "        $session->get($userInput, []);"
+    },
+    {
+      "cwe_ids": [
+        "276"
+      ],
+      "id": "php_symfony_session_key_using_user_input",
+      "title": "User input detected in a session key.",
+      "description": "## Description\\nUsing user-defined data in a session key is bad practice and can allow\\nattackers to perform unsafe actions.\\n\\n## Remediations\\n❌ Avoid using user-defined data in session keys\\n\\n## Resources\\n- [OWASP Session management cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)\\n",
+      "documentation_url": "https://docs.bearer.com/reference/rules/php_symfony_session_key_using_user_input",
+      "line_number": 21,
+      "full_filename": "/tmp/bearer-scan/bad.php",
+      "filename": ".",
+      "source": {
+        "start": 21,
+        "end": 21,
+        "column": {
+          "start": 9,
+          "end": 41
+        }
+      },
+      "sink": {
+        "start": 21,
+        "end": 21,
+        "column": {
+          "start": 9,
+          "end": 41
+        },
+        "content": "$session->put($userInput, $data)"
+      },
+      "parent_line_number": 21,
+      "snippet": "$session->put($userInput, $data)",
+      "fingerprint": "b08def3e86ed6dc5cba388f51f1f206b_3",
+      "old_fingerprint": "e48a41fc1e83e126fc89b1f1f2a00793_3",
+      "code_extract": "        $session->put($userInput, $data);"
+    },
+    {
+      "cwe_ids": [
+        "276"
+      ],
+      "id": "php_symfony_session_key_using_user_input",
+      "title": "User input detected in a session key.",
+      "description": "## Description\\nUsing user-defined data in a session key is bad practice and can allow\\nattackers to perform unsafe actions.\\n\\n## Remediations\\n❌ Avoid using user-defined data in session keys\\n\\n## Resources\\n- [OWASP Session management cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)\\n",
+      "documentation_url": "https://docs.bearer.com/reference/rules/php_symfony_session_key_using_user_input",
+      "line_number": 33,
+      "full_filename": "/tmp/bearer-scan/bad.php",
+      "filename": ".",
+      "source": {
+        "start": 33,
+        "end": 33,
+        "column": {
+          "start": 5,
+          "end": 34
+        }
+      },
+      "sink": {
+        "start": 33,
+        "end": 33,
+        "column": {
+          "start": 5,
+          "end": 34
+        },
+        "content": "$session->get($userInput, [])"
+      },
+      "parent_line_number": 33,
+      "snippet": "$session->get($userInput, [])",
+      "fingerprint": "b08def3e86ed6dc5cba388f51f1f206b_4",
+      "old_fingerprint": "e48a41fc1e83e126fc89b1f1f2a00793_4",
+      "code_extract": "    $session->get($userInput, []);"
+    },
+    {
+      "cwe_ids": [
+        "276"
+      ],
+      "id": "php_symfony_session_key_using_user_input",
+      "title": "User input detected in a session key.",
+      "description": "## Description\\nUsing user-defined data in a session key is bad practice and can allow\\nattackers to perform unsafe actions.\\n\\n## Remediations\\n❌ Avoid using user-defined data in session keys\\n\\n## Resources\\n- [OWASP Session management cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)\\n",
+      "documentation_url": "https://docs.bearer.com/reference/rules/php_symfony_session_key_using_user_input",
+      "line_number": 34,
+      "full_filename": "/tmp/bearer-scan/bad.php",
+      "filename": ".",
+      "source": {
+        "start": 34,
+        "end": 34,
+        "column": {
+          "start": 5,
+          "end": 37
+        }
+      },
+      "sink": {
+        "start": 34,
+        "end": 34,
+        "column": {
+          "start": 5,
+          "end": 37
+        },
+        "content": "$session->put($userInput, $data)"
+      },
+      "parent_line_number": 34,
+      "snippet": "$session->put($userInput, $data)",
+      "fingerprint": "b08def3e86ed6dc5cba388f51f1f206b_5",
+      "old_fingerprint": "e48a41fc1e83e126fc89b1f1f2a00793_5",
+      "code_extract": "    $session->put($userInput, $data);"
+    }
+  ]
+}"
+`;
+
+exports[`php_symfony_session_key_using_user_input ok 1`] = `"{}"`;