Insecure Use of Dangerous Function
This vulnerability category covers the following issues:
Command Injection
Why is this important?
PHP, like any other programming language, has dangerous functions. If these functions are not used properly, they can have a catastrophic impact on your app. PHP offers several ways to execute operating system commands or arbitrary code, such as:
- backtick operator
- exec()
- system()
- assert()
- eval()
Attacker-controlled input that reaches any of these functions can be leveraged to gain full access to your production environment.
Read below to find out how to fix this issue in your code.
Fixing Insecure Use of Dangerous Function
Option A: Escape dangerous user input
- Go through the issues that GuardRails identified in the PR.
- Locate the dangerous function. For example:
# One example is exec, but many other dangerous functions exist in PHP.
exec('./configure '.$_POST['configure_options']);
- Replace the dangerous call with one that escapes the input before it reaches the shell:
$command = './configure '.$_POST['configure_options'];
# For escaping whole command strings use escapeshellcmd.
# Note: escapeshellcmd neutralises shell metacharacters, but the input can still
# append extra arguments to ./configure, so prefer escapeshellarg per argument below.
$escaped_command = escapeshellcmd($command);
exec($escaped_command);
or for escaping single arguments:
# For escaping single arguments use escapeshellarg
$safe_command = './configure ' . escapeshellarg($_POST['configure_options']);
exec($safe_command);
- Test it and ensure the functionality works as expected
- Ship it 🚢 and relax 🌴
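The steps above, worked through as one added example (this is not GuardRails' own code): a helper that escapes each user-supplied argument with escapeshellarg(), and an allowlist check in front of it. The option names in the allowlist and the sample request value are constructed for this example.

```php
<?php
// Added example, not GuardRails' code. Assumes the request carries one or more
// ./configure options and that only the option names listed below are legitimate.

declare(strict_types=1);

/**
 * Vulnerable form from the page: user input is concatenated straight into the
 * shell string, so any shell metacharacter in it is interpreted by the shell.
 * Kept only for comparison; never pass its result to exec().
 */
function buildConfigureCommandUnsafe(string $userInput): string
{
    return './configure ' . $userInput;
}

/**
 * Hardened form: each argument is wrapped with escapeshellarg(), so the shell
 * hands it to ./configure as exactly one argument whatever characters it holds.
 */
function buildConfigureCommand(array $options): string
{
    $parts = ['./configure'];
    foreach ($options as $opt) {
        $parts[] = escapeshellarg((string) $opt);
    }
    return implode(' ', $parts);
}

/**
 * Defence in depth: accept only known option names (hypothetical allowlist) and
 * a conservative value character set, and reject everything else up front.
 */
function validateConfigureOptions(array $raw): array
{
    $allowedFlags = ['--prefix', '--enable-debug', '--with-openssl'];
    $clean = [];
    foreach ($raw as $opt) {
        [$name, $value] = array_pad(explode('=', (string) $opt, 2), 2, null);
        if (!in_array($name, $allowedFlags, true)) {
            throw new InvalidArgumentException("option not permitted: $name");
        }
        if ($value !== null && !preg_match('/\A[A-Za-z0-9_.\/-]+\z/', $value)) {
            throw new InvalidArgumentException("value not permitted for $name");
        }
        $clean[] = $value === null ? $name : "$name=$value";
    }
    return $clean;
}

// Constructed sample request value (not real traffic) containing a shell separator.
$constructedInput = '--prefix=/opt/app; echo injected';

// Unsafe: the separator splits the string into two shell commands.
echo buildConfigureCommandUnsafe($constructedInput), PHP_EOL;

// Escaped: the whole value is quoted as a single argument for ./configure.
echo buildConfigureCommand([$constructedInput]), PHP_EOL;

// Validated: the value fails the character-set check and never reaches exec().
try {
    $options = validateConfigureOptions([$constructedInput]);
    echo buildConfigureCommand($options), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Escaping alone stops the input from breaking out of its argument; the allowlist additionally stops it from selecting options you never intended to expose, which escapeshellarg() cannot do on its own.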
Option B: Remove the dangerous function
- Using dangerous functions should be avoided whenever possible.
If eval() is the answer, you're almost certainly asking the wrong question. -- Rasmus Lerdorf, BDFL of PHP
- Go through the issues that GuardRails identified in the PR.
- Verify if the dangerous function is needed, or can be replaced.
- Remove the dangerous function
- Test it and ensure the functionality works as expected
- Ship it 🚢 and relax 🌴
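As an added example of Option B (not GuardRails' own code), three common reasons for reaching for exec() or eval() in PHP, each replaced by a built-in that never goes through a shell: listing a directory with scandir() instead of exec('ls ...'), reading a file with file_get_contents() instead of exec('cat ...'), and parsing data with json_decode() instead of eval(). The temporary directory, file and JSON document are constructed for the demo, and the code assumes PHP 8 for str_starts_with().

```php
<?php
// Added example, not GuardRails' code. Replaces shell-based helpers with PHP
// built-ins and confines user-supplied paths to one base directory.

declare(strict_types=1);

/** Resolve a relative path inside $baseDir, or return null if it resolves outside it. */
function confinePath(string $baseDir, string $relative): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        return null;
    }
    // The resolved path must stay strictly below the base directory.
    return str_starts_with($candidate, $base . DIRECTORY_SEPARATOR) ? $candidate : null;
}

/** Instead of exec('ls ' . $dir): enumerate with scandir(). */
function listDirectory(string $baseDir, string $relative): array
{
    $dir = confinePath($baseDir, $relative);
    if ($dir === null || !is_dir($dir)) {
        throw new RuntimeException('directory not permitted');
    }
    return array_values(array_diff(scandir($dir), ['.', '..']));
}

/** Instead of exec('cat ' . $file): read with file_get_contents(). */
function readFileContents(string $baseDir, string $relative): string
{
    $file = confinePath($baseDir, $relative);
    if ($file === null || !is_file($file)) {
        throw new RuntimeException('file not permitted');
    }
    return file_get_contents($file);
}

/** Instead of eval('return ' . $data . ';'): parse structured data with json_decode(). */
function parseSettings(string $json): array
{
    $decoded = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new UnexpectedValueException('settings must be a JSON object');
    }
    return $decoded;
}

// Constructed demo fixture: a throwaway directory with one report file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dangerous-function-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/reports', 0700, true);
file_put_contents($base . '/reports/summary.txt', "constructed report\n");

print_r(listDirectory($base, 'reports'));
echo readFileContents($base, 'reports/summary.txt');
print_r(parseSettings('{"timeout": 30, "verbose": false}'));

// A relative path that climbs out of the base directory is rejected, not executed.
try {
    readFileContents($base, '../outside.txt');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

With the shell gone there is nothing left to escape: the remaining risk is which files the code is allowed to touch, and confinePath() handles that with realpath() rather than string checks on the raw input.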