-
Notifications
You must be signed in to change notification settings - Fork 37
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
111 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| <?php | ||
|
|
||
| function test_dangerous_eval() { | ||
| $user_input = $_GET['input']; | ||
|
|
||
| // These should be flagged | ||
| // <expect-error> | ||
| eval($user_input); | ||
|
|
||
| // <expect-error> | ||
| eval("echo " . $user_input . "hi"); | ||
|
|
||
| // String interpolation | ||
| // <expect-error> | ||
| eval("echo $user_input"); | ||
|
|
||
| // Superglobal (outside our control) sources | ||
| // <expect-error> | ||
| eval($_GET['username']); | ||
|
|
||
| // These are safe and should not be flagged | ||
| // constants | ||
| eval('echo "Hello, World!"'); | ||
|
|
||
| } | ||
|
|
||
| function test_edge_cases() { | ||
| // Should not flag eval in variable names | ||
| $evaluation_result = 100; | ||
|
|
||
| // Should not flag commented-out eval | ||
| // eval($user_input); | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| language: php | ||
| name: dangerous_eval | ||
| message: "Avoid using eval() with dynamic inputs as it can lead to remote code execution (RCE) vulnerabilities" | ||
| category: security | ||
| severity: critical | ||
|
|
||
| pattern: | | ||
| ;; Match direct eval calls with variable input | ||
| (expression_statement | ||
| (function_call_expression | ||
| function: (name) @function (#eq? @function "eval") | ||
| arguments: (arguments | ||
| (argument | ||
| (variable_name) @user_input | ||
| ) | ||
| ) | ||
| ) | ||
| ) @dangerous_eval | ||
| ;; Match eval calls with string concatenation | ||
| (expression_statement | ||
| (function_call_expression | ||
| function: (name) @function (#eq? @function "eval") | ||
| arguments: (arguments | ||
| (argument | ||
| (binary_expression | ||
| left: [ | ||
| (encapsed_string) | ||
| (binary_expression) | ||
| ] | ||
| right: [ | ||
| (encapsed_string) | ||
| (variable_name) @user_input | ||
| ] | ||
| ) | ||
| ) | ||
| ) | ||
| ) | ||
| ) @dangerous_eval | ||
| ;; Match eval calls with interpolated strings containing variables | ||
| (expression_statement | ||
| (function_call_expression | ||
| function: (name) @function (#eq? @function "eval") | ||
| arguments: (arguments | ||
| (argument | ||
| (encapsed_string | ||
| (variable_name) @user_input | ||
| ) | ||
| ) | ||
| ) | ||
| ) | ||
| ) @dangerous_eval | ||
| ;; Match eval calls with superglobal input sources | ||
| (expression_statement | ||
| (function_call_expression | ||
| function: (name) @function (#eq? @function "eval") | ||
| arguments: (arguments | ||
| (argument | ||
| (subscript_expression | ||
| (variable_name (name) @superglobal) | ||
| (#match? @superglobal "^_(GET|POST|REQUEST|COOKIE|SERVER|ENV|FILES|SESSION)$") | ||
| ) | ||
| ) | ||
| ) | ||
| ) | ||
| ) @dangerous_eval | ||
| exclude: | ||
| - "tests/**" | ||
| - "vendor/**" | ||
| - "**/test_*.php" | ||
| - "**/*_test.php" | ||
|
|
||
| description: | | ||
| The use of eval() in PHP without validating the input can lead to the execution | ||
| of arbitrary code, resulting in potential remote code execution (RCE) vulnerabilities. |