PHP - Basic XSS not matching

[erwanlr]

Describe the bug
I've been trying to write a pattern to catch a basic XSS, but it's always reported as Pattern could not be parsed as a PHP semgrep pattern

To Reproduce
https://semgrep.dev/s/1Ld5/

Expected behavior
I was expecting to have at least a match for the pattern echo $X

[Sjord]

Try providing a complete statement by closing the pattern with a semicolon:

- pattern: echo $X;

[erwanlr]

@Sjord already tried that, does not work :/

[aryx]

This works: https://semgrep.dev/s/Nx3A/

[aryx]

Or this: https://semgrep.dev/s/kWye/

In semgrep you usually can't write partial construct, and echo in PHP is at the statement level, not expression level, so it has to finish with a ';'. Not sure why there was an antislash before the $_GET in your example, but yet it does not work.

[rezen]

@erwanlr a better example is https://semgrep.dev/s/KdzY - I also have a couple other rules here https://gist.github.com/rezen/9908fb3a0cbe1a38ffd15cbc8f43b6f0

@aryx where do community rulesets live? We could contribute some php rules - is https://github.com/returntocorp/semgrep-rules the place?

[aryx]

Yes! We would love you to contribute rules in semgrep-rules.
@minusworld is managing this repo.

[erwanlr]

Thank you @rezen for the examples :)

There is still a bug (false positive), taking https://semgrep.dev/s/KdzY rules, echo $settings['something']; and echo CONSTANT['a']; will match but they shouldn't. It seems like $_GET[$KEY] is taken as $Y[$KEY] (hence why I tried to escape the first $ in my example above btw).

[aryx]

You're right @erwanlr , I've created a separated issue for this bug just now: #1790