You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[](https://github.com/FloeDesignTechnologies/phpcs-security-audit/releases)
[](https://github.com/FloeDesignTechnologies/phpcs-security-audit/commits/master)
phpcs-security-audit is a set of [PHP_CodeSniffer](https://github.com/squizlabs/PHP_CodeSniffer) rules that finds vulnerabilities and weaknesses related to security in PHP code.
7
20
8
21
It currently has core PHP rules as well as Drupal 7 specific rules.
9
22
10
-
The tool also checks for CVE issues and security advisories related to the CMS/framework. This enable you to follow the versioning of components during static code analysis.
23
+
The tool also checks for CVE issues and security advisories related to the CMS/framework. This enables you to follow the versioning of components during static code analysis.
11
24
12
-
The main reason of this project for being an extension of PHP_CodeSniffer is to have easy integration into continuous integration systems. It is also able to find security bugs that are not detected with some object oriented analysis (such as [PHPMD](http://phpmd.org/)).
25
+
The main reason for this project being an extension of PHP_CodeSniffer is to have easy integration into continuous integration systems. It also allows for finding security bugs that are not detected with some object oriented analysis (such as [PHPMD](http://phpmd.org/)).
13
26
14
27
phpcs-security-audit in its beginning was backed by Pheromone (later on named Floe design + technologies) and written by [Jonathan Marcil](https://twitter.com/jonathanmarcil).
15
28
@@ -21,43 +34,50 @@ Install
21
34
Requires [PHP CodeSniffer](http://pear.php.net/package/PHP_CodeSniffer/) version 3.x with PHP 5.4 or higher.
22
35
23
36
The easiest way to install is using [Composer](https://getcomposer.org/):
24
-
```
37
+
```bash
25
38
#WARNING: this currently doesn't work up until the v3 package is released
26
39
#See Contribute section bellow for git clone instruction
This will also install the [DealerDirect Composer PHPCS plugin](https://github.com/Dealerdirect/phpcodesniffer-composer-installer/) which will register the `Security` standard with PHP_CodeSniffer.
32
44
45
+
Now run:
46
+
```bash
47
+
./vendor/bin/phpcs -i
48
+
```
49
+
50
+
If all went right, you should see `Security` listed in the list of installed coding standards.
51
+
33
52
If you want to integrate it all with Jenkins, go see http://jenkins-php.org/ for extensive help.
34
53
35
54
36
55
Usage
37
56
-----
38
57
39
-
Simply point to any XML ruleset file and a folder:
58
+
Simply set the standard to `Security` or point to any XML ruleset file and to a folder to scan:
6 | WARNING | Possible XSS detected with . on echo
55
-
6 | ERROR | Easy XSS detected because of direct user input with $_POST on
56
-
| | echo
57
-
8 | WARNING | db_query() is deprecated except when doing a static query
58
-
8 | ERROR | Potential SQL injection found in db_query()
75
+
6 | ERROR | Easy XSS detected because of direct user input with $_POST on echo
59
76
9 | WARNING | Usage of preg_replace with /e modifier is not recommended.
60
-
77
+
10 | WARNING | Usage of preg_replace with /e modifier is not recommended.
78
+
10 | ERROR | User input and /e modifier found in preg_replace, remote code execution possible.
79
+
11 | ERROR | User input found in preg_replace, /e modifier could be used for malicious intent.
80
+
...
61
81
```
62
82
63
83
#### Drupal note
@@ -68,18 +88,21 @@ short_open_tag = On
68
88
```
69
89
in order to get rid of "No PHP code was found in this file" warnings.
70
90
71
-
Please note that only Drupal modules downloaded from drupal.org are supported. If you are using contrib module but from another source, the version checking will probably won't work and will generate warning.
91
+
Please note that only Drupal modules downloaded from drupal.org are supported. If you are using contrib module but from another source, the version checking probably won't work and will generate a warning.
72
92
73
93
74
94
Customize
75
95
---------
76
-
As in normal PHP CodeSniffer rules, customization is provided in the XML files that are in the top folder of the project.
96
+
As with the normal PHP CodeSniffer rules, customization is provided in the XML files that are in the top folder of the project.
77
97
78
98
These global parameters are used in many rules:
79
99
* ParanoiaMode: set to 1 to add more checks. 0 for less.
80
100
* CmsFramework: set to the name of a folder containings rules and Utils.php (such as Drupal7, Symfony2).
81
101
82
-
They can be set in a custom ruleset `phpcs.xml[.dist]` XML file or from the command line for permanent config with `--config-set` or at runtime with `--runtime-set`. Note that the XML override all CLI options so remove it if you want to use it. The CLI usage is as follow `phpcs --runtime-set ParanoiaMode 0 --extensions=php --standard=./vendor/pheromone/phpcs-security-audit/example_base_ruleset.xml tests.php`;
102
+
They can be set in a custom ruleset `phpcs.xml[.dist]` XML file or from the command line for permanent config with `--config-set` or at runtime with `--runtime-set`. Note that the XML overrides all CLI options so remove it if you want to use it. The CLI usage is as follows:
In some case you can force the paranoia mode on or off with the parameter `forceParanoia` inside the XML rule.
85
108
@@ -91,8 +114,8 @@ If you want to fork and help or just do your own sniffs you can use the utilitie
91
114
92
115
Let's say you have a custom CMS function that is taking user input from `$_GET` when a function call to `get_param()` is done.
93
116
94
-
You have to create a new Folder in Sniffs/ that will be the name of your framework. Then you'll need
95
-
to create a file named Utils.php that will actually be the function that will specialise the generic sniffs. To guide you, just copy the file from another folder such as Drupal7/.
117
+
You have to create a new Folder in `Sniffs/` that will be the name of your framework. Then you'll need
118
+
to create a file named `Utils.php` that will actually be the function that will specialise the generic sniffs. To guide you, just copy the file from another folder such as `Drupal7/`.
96
119
97
120
The main function you'll want to change is `is_direct_user_input` where you'll want to return TRUE when `get_param()` is seen:
98
121
```php
@@ -130,30 +153,30 @@ PHP CodeSniffer Config installed_paths set to ../../../
130
153
131
154
If for any reason you need to change this (should work out of the box) you will need to `phpcs --config-set installed_paths` as explained in [PHP_CodeSniffer docs](https://github.com/squizlabs/PHP_CodeSniffer/wiki/Configuration-Options#setting-the-installed-standard-paths).
132
155
133
-
Master can contain breaking changes, so people are better to rely on releases for stable versions.
156
+
Master can contain breaking changes, so people are better off relying on releases for stable versions.
134
157
135
158
Those release packages are available [here on GitHub](releases) or on [Packagist](https://packagist.org/packages/pheromone/phpcs-security-audit).
136
159
137
-
Some guidelines if you want to create new rules:
138
-
* Ensure that `ParanoiaMode` controls how verbose your sniff is
139
-
* If sometime the sniff is a valid security concern, run it when paranoia=true only
140
-
* Warnings are generally issued instead of Errors for most-of-the-time when paranoia=false
141
-
* Errors are always generated when you are use about user input being used
* `paranoia=false` should solve false positive, otherwise warn on anything remotely suspicious.
167
+
* Include at least one test that triggers your sniff into `tests.php`.
168
+
* Keep the test as a one liner, it doesn't need to make sense.
146
169
* Don't forget to include your new sniff in the `example_base_ruleset.xml` and `example_drupal7_ruleset.xml` when it applies.
147
170
148
171
149
172
Annoyances
150
173
----------
151
174
152
-
As any security tools, this one comes with it's share of annoyance. At first a focus on finding vulnerabilities will be done, but later it is planned to have a phase where efforts will be towards reducing annoyances, in particular with the number of false positives.
175
+
As with any security tool, this one comes with it's share of annoyance. At first a focus on finding vulnerabilities will be done, but later it is planned to have a phase where efforts will be towards reducing annoyances, in particular with the number of false positives.
153
176
154
177
* It's a generator of false positives. This can actually help you learn what are the weak functions in PHP. Paranoia mode will fix that by doing a major cut-off on warnings when set to 0.
155
178
* This tool was created around 10 years ago. Some of its parts might look outdated, and support for old PHP code will still be present. The reality is that many code base scanned with it might be as old as the tool.
156
-
* It's slow. On big Drupal modules and core it can take too much time (and RAM, reconfigure cli/php.ini to use 512M if needed) to run. Not sure if it's because of bugs in PHPCS or this set of rules, but will be investigated last. Meanwhile you can configure PHPCS to ignore big contrib modules (and run another instance of PHPCS for .info parsing only for them). An example is og taking hours, usually everything runs under 1-2 minutes and sometime around 5 minute. You can try using the `--parallel=8` (or another number) option to try and speed things up on supported OSes. Possible workaround is to use phpcs --ignore=folder to skip scanning of those parts.
179
+
* It's slow. On big Drupal modules and core it can take too much time (and RAM, reconfigure `cli/php.ini` to use 512M if needed) to run. Not sure if it's because of bugs in PHPCS or this set of rules, but will be investigated last. Meanwhile you can configure PHPCS to ignore big contrib modules (and run another instance of PHPCS for `.info` parsing only for them). An example is og taking hours, usually everything runs under 1-2 minutes and sometimes around 5 minute. You can try using the `--parallel=8` (or another number) option to try and speed things up on supported OSes. Possible work-around is to use `phpcs --ignore=folder` to skip scanning of those parts.
157
180
* For Drupal advisories checking: a module with multiple versions might be secure if a lesser fixed version exists and you'll still get the error or warning. Keep everything updated at latest as recommended on Drupal's website.
0 commit comments