Merge branch 'develop' into switch_experimental

php/lang/security/injection/tainted-exec.php

@@ -0,0 +1,21 @@
+<?php
+
+$userinput = $_GET['userinput'];
+
+// ruleid: tainted-exec
+system("ls $userinput");
+
+$escaped = escapeshellarg($userinput);
+// ok: tainted-exec
+system("ls $escaped");
+
+$descriptors = [["pipe", "r"], ["pipe", "w"], ["pipe", "w"]];
+$pipes = [];
+
+// ruleid: tainted-exec
+$p = proc_open("ls $userinput", $descriptors, $pipes);
+echo stream_get_contents($pipes[1]);
+
+// ok: tainted-exec
+$p = proc_open(["ls", $userinput], $descriptors, $pipes);
+echo stream_get_contents($pipes[1]);

php/lang/security/injection/tainted-exec.yaml

@@ -0,0 +1,51 @@
+rules:
+- id: tainted-exec
+  languages:
+  - php
+  severity: WARNING
+  message: >-
+    User input is passed to a function that executes a shell command. This can lead to remote code execution.
+  metadata:
+    cwe:
+    - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+    category: security
+    technology:
+    - php
+    owasp:
+    - A03:2021 - Injection
+    references:
+    - https://owasp.org/Top10/A03_2021-Injection
+    subcategory:
+    - vuln
+    impact: HIGH
+    likelihood: MEDIUM
+    confidence: MEDIUM
+  mode: taint
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: $_GET
+      - pattern: $_POST
+      - pattern: $_COOKIE
+      - pattern: $_REQUEST
+      - pattern: file_get_contents('php://input')
+  pattern-sanitizers:
+  - patterns:
+    - pattern-either:
+      - pattern: escapeshellcmd(...)
+      - pattern: escapeshellarg(...)
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: exec(...)
+      - pattern: system(...)
+      - pattern: passthru(...)
+      - patterns:
+        - pattern: proc_open(...)
+        - pattern-not: proc_open([...], ...)
+      - pattern: popen(...)
+      - pattern: expect_popen(...)
+      - pattern: shell_exec(...)
+      - pattern: |
+          `...`
+