Skip to content

Commit

Permalink
Add sinks for popen and proc_open (#4572)
Browse files Browse the repository at this point in the history 
User input in those two functions could lead to a RCE.

popen: https://www.php.net/manual/en/function.popen.php
proc_open: https://www.php.net/manual/en/function.proc-open.php
  • Loading branch information
@LukasReschke
LukasReschke committed Nov 16, 2020
1 parent 4e8fb9c commit 09abcfb
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 1 deletion.
2 changes: 2 additions & 0 deletions dictionaries/InternalTaintSinkMap.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,4 +39,6 @@
'shell_exec' => [['shell']],
'system' => [['shell']],
'unserialize' => [['text']],
'popen' => [['shell']],
'proc_open' => [['shell']],
];
12 changes: 11 additions & 1 deletion tests/TaintTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1615,7 +1615,17 @@ function some_stub(string $r): string {}
echo some_stub($r);',
'error_message' => 'TaintedInput',
]
],
'taintPopen' => [
'<?php
$cb = popen($_POST[\'x\'], \'r\');',
'error_message' => 'TaintedInput',
],
'taintProcOpen' => [
'<?php
$cb = proc_open($_POST[\'x\'], [], []);',
'error_message' => 'TaintedInput',
],
/*
// TODO: Stubs do not support this type of inference even with $this->message = $message.
// Most uses of getMessage() would be with caught exceptions, so this is not representative of real code.
Expand Down

0 comments on commit 09abcfb

Please sign in to comment.