Newsgroups: php.internals
Xref: news.php.net php.internals:114560
Date: Fri, 21 May 2021 22:21:31 +0100
To: PHP internals
Subject: Re: Injection vulnerabilities
From: craig@craigfrancis.co.uk (Craig Francis)

Fine, I'll finish with this...

We know that HTML [3] and SQL [4] should be written by the programmer, with user data being handled *separately*. The same applies to OS Commands:

    $command = 'rm -rf ?';

Because we're using parameters (to escape the user values properly), we don't need to consider injection vulnerabilities (yay).

But we must NEVER say these strings, written by a programmer, are "safe". For example, while the use of parameters in $command does avoid an injection vulnerability, it's still a big problem if a path to something that shouldn't be deleted is used (insert classic `rm -rf /` joke here).

So we cannot say anything is "safe", but we can note something valuable about a variable - was it written by the programmer. Or, in other words, was this variable created from a literal (a string defined in the PHP script).

---

Now you might say that we should use static analysis to identify mistakes...
yeah, most programmers do not (it's an extra step they can't be bothered to do)... and even then, Psalm and PHPStan currently focus on other issues (type checking, basic logic flaws, code formatting, etc)... that said, Psalm does have a Taint Checking feature (run separately, and I bet you're not using it), but Taint Checking is also flawed:

    $sql = 'SELECT * FROM users WHERE id = ' . $db->real_escape_string($id);
    $html = "";
    $html = "...";

The first two need the values to be quoted, but would be considered "untainted". The third example, well htmlentities, before PHP 8.1 (thank you very much) does not escape single quotes by default... nor does it consider 'javascript:' URLs.

We need something that libraries will (in the future) be able to use to protect themselves against these mistakes... by all programmers, especially those who aren't using static analysis.

Craig
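The three "escaped but still injectable" cases Craig lists above, worked through as an added example (this is editor-written code, not part of Craig's message or of the PHP project). It runs offline on PHP 7.4+ with no database: `escapeLikeMysql()` is a hypothetical stand-in that applies the same character escaping as `mysqli::real_escape_string()` so the SQL case can be shown without a connection, and `safeHref()` is a hypothetical scheme allow-list, one common way to handle the `javascript:` URL case that entity encoding cannot.

```php
<?php
// Added example: why an "escaped" string is not a "safe" string.
// Cases follow the message above: (1) real_escape_string without quoting,
// (2) htmlentities() pre-8.1 defaults and single quotes, (3) javascript: URLs.
declare(strict_types=1);

// Hypothetical stand-in for $db->real_escape_string(): same characters as
// mysql_real_escape_string(), but charset-unaware and needing no connection.
function escapeLikeMysql(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Case 1: escaping without quoting. The payload contains nothing that
// escaping touches, so the query's logic still changes. A taint checker that
// treats real_escape_string() as a sanitiser reports this as clean.
$id  = '1 OR 1=1';
$sql = 'SELECT * FROM users WHERE id = ' . escapeLikeMysql($id);
echo $sql, "\n";   // SELECT * FROM users WHERE id = 1 OR 1=1

// The same query written as the message recommends: the SQL is a literal
// written by the programmer, the value travels separately as a parameter
// (e.g. mysqli: $stmt = $db->prepare($sqlSafe); $stmt->bind_param('s', $id);).
$sqlSafe = 'SELECT * FROM users WHERE id = ?';
$params  = [$id];

// Case 2: htmlentities() defaults. Before PHP 8.1 the default flags were
// ENT_COMPAT | ENT_HTML401, which leaves the single quote alone, so a
// single-quoted attribute can still be broken out of.
$title  = "x' onmouseover='alert(1)";
$legacy = htmlentities($title, ENT_COMPAT | ENT_HTML401);                  // pre-8.1 default
$fixed  = htmlentities($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401); // 8.1 default
echo "<a title='", $legacy, "'>link</a>\n"; // attribute closed early, handler injected
echo "<a title='", $fixed,  "'>link</a>\n"; // ' is now &#039;

// Case 3: entity encoding says nothing about URL semantics. The string has
// no <, >, &, or quotes, so htmlentities() returns it unchanged and the
// resulting link still executes script on click.
$href = 'javascript:alert(document.cookie)';
echo '<a href="', htmlentities($href, ENT_QUOTES | ENT_SUBSTITUTE), '">x</a>', "\n";

// Hypothetical scheme allow-list: a separate check that escaping cannot
// replace. Relative URLs (no scheme) are allowed; everything else must be in
// the list. Returns null when the URL must not be emitted at all.
// Note: browsers tolerate more than parse_url() does (e.g. embedded
// whitespace or control characters inside the scheme), so reject anything
// containing control characters before parsing rather than trying to be clever.
function safeHref(string $url): ?string
{
    $url = trim($url);
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return null;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https', 'mailto'], true)) {
        return null;
    }
    return htmlentities($url, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401);
}

var_dump(safeHref($href));                            // NULL
var_dump(safeHref('/account'));                       // string(8) "/account"
var_dump(safeHref('https://example.com/?q=a&b=c'));   // "https://example.com/?q=a&amp;b=c"
```

The thread's point is visible in the output of all three cases: each value has passed through the function a taint checker treats as a sanitiser, yet only the parameterised `$sqlSafe`, the `ENT_QUOTES` encoding matched to a quoted attribute, and the explicit scheme check actually close the hole, because the correct escaping depends on the context the programmer wrote in the literal, which is exactly what the checker cannot see from the escaping call alone.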