Sorry for the very broad question but we have some problems, e.g. Checkmarx is complaining about code injection in something like the following
$accesskey = $_GET['accesskey'] ?? $argv[1] ?? null;
if (!$accesskey || !ctype_alnum($accesskey)) {
throw new RuntimeException(sprintf('Passed accesskey "%s" is invalid', $accesskey));
}
$commandParts = ['echo', $accesskey]
$commandParts = array_map('escapeshellarg', $commandParts);
$command = implode(' ', $commandParts);
$command = escapeshellcmd($command);
system($command);
I think the commands are escaped and everything is fine but why is Checkmarx thinking different?
The application's <?php method calls an OS (shell) command with system, at line 1 of REDACTED, using an untrusted string with the command to execute.
This could allow an attacker to inject an arbitrary command, and enable a Command Injection attack.
The attacker may be able to inject the executed command via user input, _GET, which is retrieved by the application in the <?php method, at line 1 of REDACTED.
I'm also wondering if and how Checkmarx is able to understand library or framework code which is installed via Composer? E.g.
Assert::oneOf($unsafeUserInput, ['foo', 'bar']); // throws an Exception if $unsafeUserInput is not 'foo' or 'bar'
// $unsafeUserInput is now safe
or WP related stuff which is also often falsely flagged as being prone to SQL injections
global $wpdb;
$foo = $wpdb->getVar($wpdb->prepare('SELECT foo FROM bar WHERE baz = %s', $_GET['baz'] ?? ''));
If it checks for sanitisation methods is there a specific way they have to look? I honestly want to avoid changing too much code for Checkmarx.
Your question of how well Checkmarx analyzes PHP code could lean towards a subjective answer and your perception of the tool can be biased given that you are using methods (escapeshellcmd) that are not recognized as sanitizers and the framework that you are inquiring about (Wordpress and Composer) are not technically supported.
In fairness to Checkmarx, they do support a variety of PHP frameworks such as Zend, Kohana, CakePHP, Symfony and Smarty which could end in lesser false positives (note: I'm not suggesting you switch platforms)
Any static analyzers would need some help from it users for it to be effective. I would advice you to exclude the Composer files from the scan.
You don't really don't have to make changes to the code and just argue with your AppSec team that these findings are false positives since the prepare method prevent SQL injection attacks and that escapeshellcmd does encode string. My recommendation however is to use escapeshellarg on $accesskey instead
Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.
Find the answer in similar questions on our website.
Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.
PHP (from the English Hypertext Preprocessor - hypertext preprocessor) is a scripting programming language for developing web applications. Supported by most hosting providers, it is one of the most popular tools for creating dynamic websites.
The PHP scripting language has gained wide popularity due to its processing speed, simplicity, cross-platform, functionality and distribution of source codes under its own license.
https://www.php.net/
Symfony compares favorably with other PHP frameworks in terms of reliability and maturity. This framework appeared a long time ago, in 2005, that is, it has existed much longer than most of the other tools we are considering. It is popular for its web standards compliance and PHP design patterns.
https://symfony.com/
CakePHP is a framework that has been around since 2005 and is known for the convenience it gives web developers. It needs very modest settings, does not require the use of XML or YAML files. It has its own ORM, which sets it apart from other similar tools. In terms of security, it is also doing well, in particular, it has a protection system against CSRF attacks.
https://cakephp.org/
Welcome to the Q&A site for web developers. Here you can ask a question about the problem you are facing and get answers from other experts. We have created a user-friendly interface so that you can quickly and free of charge ask a question about a web programming problem. We also invite other experts to join our community and help other members who ask questions. In addition, you can use our search for questions with a solution.
Ask about the real problem you are facing. Describe in detail what you are doing and what you want to achieve.
Our goal is to create a strong community in which everyone will support each other. If you find a question and know the answer to it, help others with your knowledge.