Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/doc/user/application_security/dast/checks/94.1.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/user/application_security/dast/checks/94.1.md')
-rw-r--r--doc/user/application_security/dast/checks/94.1.md53
1 files changed, 53 insertions, 0 deletions
diff --git a/doc/user/application_security/dast/checks/94.1.md b/doc/user/application_security/dast/checks/94.1.md
new file mode 100644
index 00000000000..ec30b41c5e8
--- /dev/null
+++ b/doc/user/application_security/dast/checks/94.1.md
@@ -0,0 +1,53 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# Server-side code injection (PHP)
+
+## Description
+
+The target application was found vulnerable to code injection. A malicious actor could inject arbitrary
+PHP code to be executed on the server. This could lead to a full system compromise by accessing
+stored secrets, injecting code to take over accounts, or executing OS commands.
+
+## Remediation
+
+Never pass user input directly into functions which evaluate string data as code, such as `eval`.
+There is almost no benefit of passing string values to `eval`, as such the best recommendation is
+to replace the current logic with more safe implementations of dynamically evaluating logic with
+user input. One alternative is to use an `array()`, storing expected user inputs in an array
+key, and use that key as a look up to execute functions:
+
+```php
+$func_to_run = function()
+{
+ print('hello world');
+};
+
+$function_map = array();
+$function_map["fn"] = $func_to_run; // store additional input to function mappings here
+
+$input = "fn";
+
+// lookup "fn" as the key
+if (array_key_exists($input, $function_map)) {
+ // run the $func_to_run that was stored in the "fn" array hash value.
+ $func = $function_map[$input];
+ $func();
+} else {
+ print('invalid input');
+}
+```
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 94.1 | false | 94 | Active | high |
+
+## Links
+
+- [CWE](https://cwe.mitre.org/data/definitions/94.html)
+- [OWASP](https://owasp.org/www-community/attacks/Code_Injection)
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-02 19:12:09 +0300