CRITICAL
Rule Definition
The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
Remediation
Prefer using a white list of permitted callable functions or instantiable classes, hard coded.
Violation Code Sample
<?php
function evalCode(PDOStatement $stmt) {
$stmt->execute();
$row = $stmt->fetch();
$name = $row["name"];
$name(); // VIOLATION
}
Fixed Code Sample
<?php
/**
* @psalm-taint-escape callable
*/
function my_escaping_function_for_callables(string input) : string {
// Check that input is part of a hard-coded white-list of permitted callables
};
function evalCode(PDOStatement $stmt) {
$stmt->execute();
$row = $stmt->fetch();
$name = $row["name"];
$name = my_escaping_function_for_callables($name); // USE A FUNCTION ANNOTATED WITH @psalm-taint-escape callable
$name(); // FIXED
}
Reference
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
https://cwe.mitre.org/data/definitions/470.html
Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Unsafe_use_of_Reflection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection
CISQ: ASCSM-CWE-470
Related Technologies
Technical Criterion
PCI-DSS4-Requirement-6.2.4 - Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.