Skip to content

Commit

Permalink
Add sinks for popen and proc_open (vimeo#4572)
Browse files Browse the repository at this point in the history 
User input in those two functions could lead to a RCE.

popen: https://www.php.net/manual/en/function.popen.php
proc_open: https://www.php.net/manual/en/function.proc-open.php
  • Loading branch information
@LukasReschke @danog
LukasReschke authored and danog committed Jan 29, 2021
1 parent f9adf26 commit ff55dba
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 1 deletion.
2 changes: 2 additions & 0 deletions dictionaries/InternalTaintSinkMap.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,4 +39,6 @@
'shell_exec' => [['shell']],
'system' => [['shell']],
'unserialize' => [['text']],
'popen' => [['shell']],
'proc_open' => [['shell']],
];
12 changes: 11 additions & 1 deletion tests/TaintTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1615,7 +1615,17 @@ function some_stub(string $r): string {}
echo some_stub($r);',
'error_message' => 'TaintedInput',
]
],
'taintPopen' => [
'<?php
$cb = popen($_POST[\'x\'], \'r\');',
'error_message' => 'TaintedInput',
],
'taintProcOpen' => [
'<?php
$cb = proc_open($_POST[\'x\'], [], []);',
'error_message' => 'TaintedInput',
],
/*
// TODO: Stubs do not support this type of inference even with $this->message = $message.
// Most uses of getMessage() would be with caught exceptions, so this is not representative of real code.
Expand Down

0 comments on commit ff55dba

Please sign in to comment.