fix(php): testing fixes and rule improvements (#173)

rules/php/lang/information_leakage.yml

@@ -0,0 +1,60 @@
+patterns:
+  - pattern: echo $<EXCEPTION_DETAILS>
+    filters:
+      - variable: EXCEPTION_DETAILS
+        detection: php_lang_information_leakage_exception_details
+        scope: result
+  - pattern: print $<EXCEPTION_DETAILS>;
+    filters:
+      - variable: EXCEPTION_DETAILS
+        detection: php_lang_information_leakage_exception_details
+        scope: result
+  - pattern: print_r($<EXCEPTION_DETAILS>)
+    filters:
+      - variable: EXCEPTION_DETAILS
+        detection: php_lang_information_leakage_exception_details
+        scope: result
+  - pattern: $<METHOD>($<_>, $<...>$<EXCEPTION_DETAILS>$<...>)
+    filters:
+      - variable: METHOD
+        values:
+          - printf
+          - vprintf
+      - variable: EXCEPTION_DETAILS
+        detection: php_lang_information_leakage_exception_details
+        scope: result
+auxiliary:
+  - id: php_lang_information_leakage_exception_details
+    patterns:
+      - try {} catch ($<_> $<!>$$<_>) {}
+      - pattern: $<EXCEPTION>->$<_>()
+        filters:
+          - variable: EXCEPTION
+            detection: php_lang_information_leakage_exception_details
+            scope: cursor
+languages:
+  - php
+severity: warning
+metadata:
+  description: Possible information leakage detected.
+  remediation_message: |
+    ## Description
+
+    Printing an exception message to the default output is risky because it may
+    contain sensitive information such as the technical details of your
+    application or environment (which in turn could expose your application to
+    path traversal attacks, for example), or worse, user-specific data.
+
+    ## Remediations
+
+    ❌ Avoid printing the full stack trace
+
+    ✅ Less is more! Only log the minimum required details in error messages
+
+    ## Resources
+
+    - [Web Application Security Consortium: Information Leakage](http://projects.webappsec.org/w/page/13246936/Information%20Leakage)
+  cwe_id:
+    - 209
+  id: php_lang_information_leakage
+  documentation_url: https://docs.bearer.com/reference/rules/php_lang_information_leakage

rules/php/lang/weak_hash_md.yml

@@ -0,0 +1,92 @@
+imports:
+  - php_shared_lang_datatype
+patterns:
+  - pattern: |
+      md5($<DATA_TYPE>$<...>)
+    filters:
+      - either:
+          - variable: DATA_TYPE
+            detection: php_shared_lang_datatype
+            scope: result
+          - not:
+              variable: DATA_TYPE
+              detection: php_shared_lang_datatype
+              scope: result
+  - pattern: |
+      $<FUNCTION>($<ALGORITHM>, $<DATA_TYPE>$<...>)
+    filters:
+      - variable: FUNCTION
+        values:
+          - hash
+          - hash_hmac
+      - variable: ALGORITHM
+        string_regex: md\d
+      - either:
+          - variable: DATA_TYPE
+            detection: php_shared_lang_datatype
+            scope: result
+          - not:
+              variable: DATA_TYPE
+              detection: php_shared_lang_datatype
+              scope: result
+  - pattern: md5_file();
+  - pattern: hash_update($<CONTEXT>, $<DATA_TYPE>)
+    filters:
+      - variable: CONTEXT
+        detection: php_lang_weak_hash_md_context
+        scope: cursor
+      - either:
+          - variable: DATA_TYPE
+            detection: php_shared_lang_datatype
+            scope: result
+          - not:
+              variable: DATA_TYPE
+              detection: php_shared_lang_datatype
+              scope: result
+  - pattern: $<FUNCTION>($<CONTEXT>$<...>)
+    filters:
+      - variable: FUNCTION
+        values:
+          - hash_update_file
+          - hash_update_stream
+      - variable: CONTEXT
+        detection: php_lang_weak_hash_md_context
+        scope: cursor
+auxiliary:
+  - id: php_lang_weak_hash_md_context
+    patterns:
+      - pattern: hash_init($<ALGORITHM>$<...>)
+        filters:
+          - variable: ALGORITHM
+            string_regex: md\d
+languages:
+  - php
+skip_data_types:
+  - "Unique Identifier"
+  - Passwords # see php_lang_weak_password_hash_md5
+metadata:
+  description: "Weak hashing library (MDx) detected"
+  remediation_message: |
+    ## Description
+
+    A weak hashing library can lead to data breaches and greater security risk.
+
+    ## Remediations
+
+    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 is considered a weak hashing algorithms and therefore shouldn't be used.
+
+    ❌ Avoid libraries and algorithms with known weaknesses:
+
+    ```php
+      $encrypted = md5($input)
+    ```
+
+    ✅ Use stronger encryption algorithms when storing data.
+
+    ```php
+      $encrypted = hash('sha256', $input)
+    ```
+  cwe_id:
+    - 327
+  id: php_lang_weak_hash_md
+  documentation_url: https://docs.bearer.com/reference/rules/php_lang_weak_hash_md

rules/php/lang/weak_hash_sha1.yml

@@ -4,23 +4,60 @@ patterns:
   - pattern: |
       sha1($<DATA_TYPE>$<...>)
     filters:
-      - variable: DATA_TYPE
-        detection: php_shared_lang_datatype
-        scope: result
+      - either:
+          - variable: DATA_TYPE
+            detection: php_shared_lang_datatype
+            scope: result
+          - not:
+              variable: DATA_TYPE
+              detection: php_shared_lang_datatype
+              scope: result
   - pattern: |
-      hash($<ALGORITHM>, $<DATA_TYPE>$<...>)
+      $<FUNCTION>($<ALGORITHM>, $<DATA_TYPE>$<...>)
     filters:
+      - variable: FUNCTION
+        values:
+          - hash
+          - hash_hmac
       - variable: ALGORITHM
-        detection: php_lang_weak_hash_sha1_algo
-      - variable: DATA_TYPE
-        detection: php_shared_lang_datatype
-        scope: result
+        string_regex: sha1
+      - either:
+          - variable: DATA_TYPE
+            detection: php_shared_lang_datatype
+            scope: result
+          - not:
+              variable: DATA_TYPE
+              detection: php_shared_lang_datatype
+              scope: result
+  - pattern: sha1_file()
+  - pattern: hash_update($<CONTEXT>, $<DATA_TYPE>)
+    filters:
+      - variable: CONTEXT
+        detection: php_lang_weak_hash_sha1_context
+        scope: cursor
+      - either:
+          - variable: DATA_TYPE
+            detection: php_shared_lang_datatype
+            scope: result
+          - not:
+              variable: DATA_TYPE
+              detection: php_shared_lang_datatype
+              scope: result
+  - pattern: $<FUNCTION>($<CONTEXT>$<...>)
+    filters:
+      - variable: FUNCTION
+        values:
+          - hash_update_file
+          - hash_update_stream
+      - variable: CONTEXT
+        detection: php_lang_weak_hash_sha1_context
+        scope: cursor
 auxiliary:
-  - id: php_lang_weak_hash_sha1_algo
+  - id: php_lang_weak_hash_sha1_context
     patterns:
-      - pattern: $<ALGO>;
+      - pattern: hash_init($<ALGORITHM>$<...>)
         filters:
-          - variable: ALGO
+          - variable: ALGORITHM
             string_regex: sha1
 languages:
   - php

rules/php/lang/weak_password_hash_md5.yml → rules/php/lang/weak_password_hash_md.yml

@@ -8,26 +8,38 @@ patterns:
         detection: php_shared_lang_datatype
         scope: result
   - pattern: |
-      hash($<ALGORITHM>, $<PASSWORD>$<...>)
+      $<FUNCTION>($<ALGORITHM>, $<PASSWORD>$<...>)
     filters:
+      - variable: FUNCTION
+        values:
+          - hash
+          - hash_hmac
       - variable: ALGORITHM
-        detection: php_lang_weak_password_hash_md5_algo
+        string_regex: md\d
+      - variable: PASSWORD
+        detection: php_shared_lang_datatype
+        scope: result
+  - pattern: hash_update($<CONTEXT>, $<PASSWORD>)
+    filters:
+      - variable: CONTEXT
+        detection: php_lang_weak_hash_md_context
+        scope: cursor
       - variable: PASSWORD
         detection: php_shared_lang_datatype
         scope: result
 auxiliary:
-  - id: php_lang_weak_password_hash_md5_algo
+  - id: php_lang_weak_hash_md_context
     patterns:
-      - pattern: $<ALGO>;
+      - pattern: hash_init($<ALGORITHM>$<...>)
         filters:
-          - variable: ALGO
-            string_regex: md5
+          - variable: ALGORITHM
+            string_regex: md\d
 languages:
   - php
 only_data_types:
   - Passwords
 metadata:
-  description: "Weak hashing library (MD5) detected"
+  description: "Weak hashing library (MDx) detected"
   remediation_message: |
     ## Description
 
@@ -51,5 +63,5 @@ metadata:
   cwe_id:
     - 327
     - 916
-  id: php_lang_weak_password_hash_md5
-  documentation_url: https://docs.bearer.com/reference/rules/php_lang_weak_password_hash_md5
+  id: php_lang_weak_password_hash_md
+  documentation_url: https://docs.bearer.com/reference/rules/php_lang_weak_password_hash_md

rules/php/lang/weak_password_hash_sha1.yml

@@ -8,19 +8,31 @@ patterns:
         detection: php_shared_lang_datatype
         scope: result
   - pattern: |
-      hash($<ALGO>, $<PASSWORD>$<...>)
+      $<FUNCTION>($<ALGORITHM>, $<PASSWORD>$<...>)
     filters:
-      - variable: ALGO
-        detection: php_lang_weak_password_hash_sha1_algo
+      - variable: FUNCTION
+        values:
+          - hash
+          - hash_hmac
+      - variable: ALGORITHM
+        string_regex: sha1
+      - variable: PASSWORD
+        detection: php_shared_lang_datatype
+        scope: result
+  - pattern: hash_update($<CONTEXT>, $<PASSWORD>)
+    filters:
+      - variable: CONTEXT
+        detection: php_lang_weak_hash_sha1_context
+        scope: cursor
       - variable: PASSWORD
         detection: php_shared_lang_datatype
         scope: result
 auxiliary:
-  - id: php_lang_weak_password_hash_sha1_algo
+  - id: php_lang_weak_hash_sha1_context
     patterns:
-      - pattern: $<ALGO>;
+      - pattern: hash_init($<ALGORITHM>$<...>)
         filters:
-          - variable: ALGO
+          - variable: ALGORITHM
             string_regex: sha1
 languages:
   - php