CRITICAL
Rule Definition
The software constructs all or part of a function call from user-controllable input. Because that input is not neutralized, or is neutralized incorrectly, the function that ends up being called can be chosen entirely by the user.
Remediation
Prefer a hard-coded white list of permitted callable functions, and only invoke a callable after the user-supplied name has been matched against that list.
Violation Code Sample
<?php
$name = $_GET["name"];
evalCode($name);
function evalCode(string $name) {
    // is_callable() only checks that a function of that name exists;
    // it does not restrict which function the user may choose.
    if (is_callable($name)) {
        $name(); // VIOLATION
    }
}
Fixed Code Sample
<?php
/**
 * @psalm-taint-escape callable
 */
function my_escaping_function_for_callables(string $input) : string {
    // Check that input is part of a hard-coded white-list of permitted callables
    // (the two entries below are example names)
    $permitted = ['reportStatus', 'reportVersion'];
    if (!in_array($input, $permitted, true)) {
        throw new InvalidArgumentException('callable not permitted');
    }
    return $input;
}
$name = $_GET["name"];
$name = my_escaping_function_for_callables($name); // USE A FUNCTION ANNOTATED WITH @psalm-taint-escape callable
evalCode($name);
function evalCode(string $name) {
    if (is_callable($name)) {
        $name(); // FIXED
    }
}
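The remediation above can also be applied without ever treating the user string as a callable: the request parameter is used only as a key into a hard-coded dispatch table, and the table's own closures are what get invoked. The following is an added example, not code from the CAST rule page; the action names and the two handler functions are hypothetical.

```php
<?php
// Added example (not part of the original rule page).
// The action names and handlers below are hypothetical.

function reportStatus(): string  { return "status: ok"; }
function reportVersion(): string { return "version: 1.0"; }

/**
 * Hard-coded white list of the only actions this endpoint may run.
 * Keys are the public action names accepted from the request; values are
 * fixed closures. The user-supplied string is a lookup key, never a callable.
 */
function allowedActions(): array {
    return [
        'status'  => static fn(): string => reportStatus(),
        'version' => static fn(): string => reportVersion(),
    ];
}

function dispatch(string $action): string {
    $table = allowedActions();
    // Strict key lookup. Note that is_callable($action) would be the wrong
    // check here: it returns true for any defined function, so it accepts
    // names that are not on the white list.
    if (!array_key_exists($action, $table)) {
        http_response_code(400);
        return "unknown action";
    }
    $handler = $table[$action];
    return $handler();
}

$action = $_GET["action"] ?? '';
echo dispatch($action);
```

With this shape a taint analyzer sees no path from `$_GET` to the call site, because the value that is invoked comes from the table, not from the request; a name outside the table produces a 400 response instead of a function call.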
Reference
CWE-94: Improper Control of Generation of Code ('Code Injection')
https://cwe.mitre.org/data/definitions/94.html
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
https://cwe.mitre.org/data/definitions/95.html
Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Top_10-2017_A1-Injection
OWASP Top Ten 2021 Category A03:2021 - Injection
https://owasp.org/Top10/A03_2021-Injection/
Related Technologies
Technical Criterion
Secure Coding - Input Validation
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.