<?php
/*
Test with:
./taint-checking.php?id=id&img=%2F+onerror%3Dalert%281%29&a1=javascript%3Aalert%281%29&a2=%2F%27+onerror%3D%27alert%281%29
composer require --dev vimeo/psalm
./vendor/bin/psalm --init ./ 1
./vendor/bin/psalm taint-checking.php
./vendor/bin/psalm --taint-analysis taint-checking.php
composer require --dev phpstan/phpstan
./vendor/bin/phpstan analyse -l 9 taint-checking.php
Did they notice any problems?
*/
//
// Purpose: a deliberately vulnerable fixture for evaluating static
// analysers. Each section builds one string from a $_GET value using the
// "obvious" escaping function, and each one is still exploitable for a
// context-specific reason explained below. The comment under each
// assignment shows the string produced for the query string above. The
// code shape is part of the test (the analysers see exactly these
// concatenations), so the sections are not meant to be "fixed" in place;
// the mitigations are noted in the comments instead.
//
//--------------------------------------------------
// Missing quotes
// e.g. $id = 'id'
//
// real_escape_string() only escapes characters that would terminate a
// quoted string literal. The value here is never placed inside quotes, so
// input that contains no quote characters is spliced into the statement
// as bare SQL and the escaper has nothing to act on.
// Mitigation: a prepared statement with a bound parameter
// ($mysqli->prepare('... WHERE id = ?') followed by bind_param()), or an
// (int) cast if id is an integer column.
$mysqli = new mysqli('localhost', 'test', 'test', 'test');
$sql = '
SELECT * FROM users WHERE id = ' . $mysqli->real_escape_string((string) $_GET['id']);
// SELECT * FROM users WHERE id = id
//--------------------------------------------------
// Missing quotes
// e.g. $img = '/ onerror=alert(1)'
//
// htmlentities() encodes < > & and ", but an unquoted attribute value ends
// at the first whitespace, so a space followed by another attribute name is
// enough to add an event handler without using any of those characters.
// Mitigation: always quote attribute values (src="...") so the encoder's
// handling of " is what protects the boundary.
$html1 = "
<img src=" . htmlentities((string) $_GET['img']) . " alt='' />";
// <img src=/ onerror=alert(1) alt='' />
//--------------------------------------------------
// Inline JavaScript
// e.g. $a1 = 'javascript:alert(1)'
//
// Nothing in a 'javascript:' URL is HTML-special, so htmlentities() returns
// it unchanged and the browser treats the href as a script URL. Escaping is
// not validation: a request-supplied href needs its scheme checked against
// an allow-list (e.g. http/https or a relative path) before it is output.
$html2 = "
<a href='" . htmlentities((string) $_GET['a1']) . "'>Link 1</a>";
// <a href='javascript:alert(1)'>Link 1</a>
//--------------------------------------------------
// Single quotes aren't always escaped
// e.g. $a2 = '/' onerror='alert(1)'
//
// Before PHP 8.1 the default flags for htmlentities()/htmlspecialchars()
// were ENT_COMPAT | ENT_HTML401, which encodes " but leaves ' untouched, so
// a value placed inside a single-quoted attribute can close the quote and
// append attributes. PHP 8.1 changed the default to
// ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401 (php-src commit linked below).
// Mitigation: pass ENT_QUOTES | ENT_SUBSTITUTE explicitly rather than
// relying on the runtime's default, and prefer double-quoted attributes.
//
// Before PHP 8.1
// https://github.com/php/php-src/commit/50eca61f68815005f3b0f808578cc1ce3b4297f0
// Java, Apache Commons
// https://commons.apache.org/proper/commons-text/javadocs/api-release/org/apache/commons/text/StringEscapeUtils.html#escapeHtml4(java.lang.String)
// "Note that the commonly used apostrophe escape character (') is not a legal entity and so is not supported"
$html3 = "
<a href='" . htmlentities((string) $_GET['a2']) . "'>Line 2</a>";
// <a href='/' onerror='alert(1)'>Line 2</a>
//--------------------------------------------------
// Keep static analysis tools happy
//
// var_dump() is the deliberate sink here so the four strings can be
// inspected; Psalm reports it as ForbiddenCode (debug output), hence the
// suppression. None of the strings is executed or sent to a browser.
/** @psalm-suppress ForbiddenCode */
var_dump($sql, $html1, $html2, $html3);
?>