
Commit 4487a8e

author
Sakshis
committed
search-active-debug-php
1 parent 9a058c3 commit 4487a8e

3 files changed

+411
-0
lines changed

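--- /dev/null
+++ b/PLACEHOLDER_PATH_RULE_FILE
@@ -0,0 +1,158 @@
+id: search-active-debug-php
+language: php
+severity: warning
+message: >-
+Debug logging is explicitly enabled. This can potentially disclose
+sensitive information and should never be active on production systems.
+note: >-
+[CWE-489] Active Debug Code.
+[REFERENCES]
+- https://www.php.net/manual/en/function.setcookie.php
+ast-grep-essentials: true
+utils:
+Match_pattern_one:
+kind: function_call_expression
+all:
+- has:
+pattern: $C
+- has:
+stopBy: end
+kind: arguments
+all:
+- not:
+has:
+nthChild:
+position: 3
+ofRule:
+not:
+kind: comment
+- has:
+stopBy: end
+kind: argument
+nthChild:
+position: 1
+ofRule:
+not:
+kind: comment
+has:
+kind: encapsed_string
+has:
+kind: string_content
+pattern: $A
+- has:
+kind: argument
+nthChild:
+position: 2
+ofRule:
+not:
+kind: comment
+has:
+kind: boolean
+pattern: $B
+
+Match_pattern_two_with_integer:
+kind: function_call_expression
+all:
+- has:
+pattern: $C
+- has:
+stopBy: end
+kind: arguments
+all:
+- not:
+has:
+nthChild:
+position: 3
+ofRule:
+not:
+kind: comment
+- has:
+stopBy: end
+kind: argument
+nthChild:
+position: 1
+ofRule:
+not:
+kind: comment
+has:
+kind: encapsed_string
+has:
+kind: string_content
+pattern: $A
+- has:
+kind: argument
+nthChild:
+position: 2
+ofRule:
+not:
+kind: comment
+has:
+kind: integer
+pattern: $D
+
+Match_pattern_three_with_string:
+kind: function_call_expression
+all:
+- has:
+pattern: $C
+- has:
+kind: arguments
+all:
+- not:
+has:
+nthChild:
+position: 3
+ofRule:
+not:
+kind: comment
+- has:
+stopBy: end
+kind: argument
+nthChild:
+position: 1
+ofRule:
+not:
+kind: comment
+has:
+kind: encapsed_string
+has:
+kind: string_content
+pattern: $A
+- has:
+stopBy: end
+kind: argument
+nthChild:
+position: 2
+ofRule:
+not:
+kind: comment
+has:
+stopBy: end
+kind: encapsed_string
+has:
+stopBy: neighbor
+regex: ^[Oo][Nn]$
+
+rule:
+any:
+- matches: Match_pattern_one
+- matches: Match_pattern_two_with_integer
+- matches: Match_pattern_three_with_string
+not:
+all:
+- has:
+stopBy: end
+kind: ERROR
+- inside:
+stopBy: end
+kind: ERROR
+
+constraints:
+C:
+regex: ^(define|ini_set)$
+A:
+regex: ^(WP_DEBUG|display_errors)$
+B:
+regex: ^([tT][Rr][Uu][Ee])$
+D:
+regex: ^1$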
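Review bot: Each util's first-argument check requires `kind: encapsed_string`, so single-quoted spellings such as `define('WP_DEBUG', true)` or `ini_set('display_errors', 'on')` — which tree-sitter-php parses as `string` rather than `encapsed_string` — are never reported, and the snapshot file only exercises double-quoted forms. Wrapping the inner `has` in `any:` with a `string` branch, as below for Match_pattern_one, closes that gap; Match_pattern_two_with_integer and Match_pattern_three_with_string need the same change, and the second-argument branch of the latter also misses the common `"1"` string value because its regex accepts only `on`. The `[REFERENCES]` entry points at the `setcookie` manual page, which is unrelated to `display_errors`/`WP_DEBUG`; the `errorfunc.configuration.php` manual section on `display_errors` is the relevant one. The suppression block uses `not: all:` over the two `ERROR` checks, so a match is skipped only when it both contains and sits inside an `ERROR` node; if the intent is to skip any parse-error context, that should be `any:`.
```yaml
# … unchanged: kind/function-name matcher and the no-third-argument check …
- has:
    stopBy: end
    kind: argument
    nthChild:
      position: 1
      ofRule:
        not:
          kind: comment
    has:
      any:
        - kind: encapsed_string
          has:
            kind: string_content
            pattern: $A
        - kind: string
          has:
            kind: string_content
            pattern: $A
# … unchanged: second-argument boolean check, rule and constraints …
```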
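--- /dev/null
+++ b/PLACEHOLDER_PATH_SNAPSHOT_FILE
@@ -0,0 +1,226 @@
+id: search-active-debug-php
+snapshots:
+? |
+<?php
+define("WP_DEBUG",true);
+: labels:
+- source: define("WP_DEBUG",true)
+style: primary
+start: 6
+end: 29
+- source: define
+style: secondary
+start: 6
+end: 12
+- source: WP_DEBUG
+style: secondary
+start: 14
+end: 22
+- source: '"WP_DEBUG"'
+style: secondary
+start: 13
+end: 23
+- source: '"WP_DEBUG"'
+style: secondary
+start: 13
+end: 23
+- source: 'true'
+style: secondary
+start: 24
+end: 28
+- source: 'true'
+style: secondary
+start: 24
+end: 28
+- source: ("WP_DEBUG",true)
+style: secondary
+start: 12
+end: 29
+? |
+<?php
+ini_set("display_errors","ON");
+: labels:
+- source: ini_set("display_errors","ON")
+style: primary
+start: 6
+end: 36
+- source: ini_set
+style: secondary
+start: 6
+end: 13
+- source: display_errors
+style: secondary
+start: 15
+end: 29
+- source: '"display_errors"'
+style: secondary
+start: 14
+end: 30
+- source: '"display_errors"'
+style: secondary
+start: 14
+end: 30
+- source: ON
+style: secondary
+start: 32
+end: 34
+- source: '"ON"'
+style: secondary
+start: 31
+end: 35
+- source: '"ON"'
+style: secondary
+start: 31
+end: 35
+- source: ("display_errors","ON")
+style: secondary
+start: 13
+end: 36
+? |
+<?php
+ini_set("display_errors","on");
+: labels:
+- source: ini_set("display_errors","on")
+style: primary
+start: 6
+end: 36
+- source: ini_set
+style: secondary
+start: 6
+end: 13
+- source: display_errors
+style: secondary
+start: 15
+end: 29
+- source: '"display_errors"'
+style: secondary
+start: 14
+end: 30
+- source: '"display_errors"'
+style: secondary
+start: 14
+end: 30
+- source: on
+style: secondary
+start: 32
+end: 34
+- source: '"on"'
+style: secondary
+start: 31
+end: 35
+- source: '"on"'
+style: secondary
+start: 31
+end: 35
+- source: ("display_errors","on")
+style: secondary
+start: 13
+end: 36
+? |
+<?php
+ini_set("display_errors",1);
+: labels:
+- source: ini_set("display_errors",1)
+style: primary
+start: 6
+end: 33
+- source: ini_set
+style: secondary
+start: 6
+end: 13
+- source: display_errors
+style: secondary
+start: 15
+end: 29
+- source: '"display_errors"'
+style: secondary
+start: 14
+end: 30
+- source: '"display_errors"'
+style: secondary
+start: 14
+end: 30
+- source: '1'
+style: secondary
+start: 31
+end: 32
+- source: '1'
+style: secondary
+start: 31
+end: 32
+- source: ("display_errors",1)
+style: secondary
+start: 13
+end: 33
+? |
+<?php
+ini_set("display_errors",TRUE);
+: labels:
+- source: ini_set("display_errors",TRUE)
+style: primary
+start: 6
+end: 36
+- source: ini_set
+style: secondary
+start: 6
+end: 13
+- source: display_errors
+style: secondary
+start: 15
+end: 29
+- source: '"display_errors"'
+style: secondary
+start: 14
+end: 30
+- source: '"display_errors"'
+style: secondary
+start: 14
+end: 30
+- source: 'TRUE'
+style: secondary
+start: 31
+end: 35
+- source: 'TRUE'
+style: secondary
+start: 31
+end: 35
+- source: ("display_errors",TRUE)
+style: secondary
+start: 13
+end: 36
+? |
+<?php
+ini_set("display_errors",true);
+: labels:
+- source: ini_set("display_errors",true)
+style: primary
+start: 6
+end: 36
+- source: ini_set
+style: secondary
+start: 6
+end: 13
+- source: display_errors
+style: secondary
+start: 15
+end: 29
+- source: '"display_errors"'
+style: secondary
+start: 14
+end: 30
+- source: '"display_errors"'
+style: secondary
+start: 14
+end: 30
+- source: 'true'
+style: secondary
+start: 31
+end: 35
+- source: 'true'
+style: secondary
+start: 31
+end: 35
+- source: ("display_errors",true)
+style: secondary
+start: 13
+end: 36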
