|
3 | 3 | namespace Yousha\PhpSecurityLinter\Rules; |
4 | 4 |
|
5 | 5 | /** |
6 | | - * OWASP Security Rules Implementation |
| 6 | + * OWASP Top 10 Security Rules Implementation |
7 | 7 | * |
8 | | - * Provides security rules based on OWASP Top 10 and other application security standards |
9 | | - * covering web application vulnerabilities and secure coding practices. |
| 8 | + * Provides security rules based on the OWASP Top 10 (2021) list, |
| 9 | + * focusing on common, high-impact web application vulnerabilities in PHP. |
10 | 10 | * |
11 | 11 | * @package PhpSecurityLinter\Rules |
12 | 12 | */ |
13 | 13 | final class OwaspRules |
14 | 14 | { |
15 | 15 | /** |
16 | | - * Get all OWASP security rules |
| 16 | + * Get all OWASP Top 10 security rules |
17 | 17 | * |
18 | 18 | * @return array[] Array of rule definitions with: |
19 | | - * - severity: string (critical/high/medium/low) |
20 | | - * - message: string Description of the vulnerability |
21 | | - * - pattern: string Regex pattern to detect the issue |
22 | | - * - reference: string OWASP standard reference |
| 19 | + * - id: string Unique identifier for the rule (e.g., OWASP-001) |
| 20 | + * - severity: string (critical/high/medium/low) |
| 21 | + * - message: string Description of the vulnerability |
| 22 | + * - pattern: string Regex pattern to detect the issue |
| 23 | + * - reference: string OWASP A-Code reference (optional) |
23 | 24 | */ |
24 | 25 | public static function getRules(): array |
25 | 26 | { |
26 | 27 | return [ |
27 | | - // A1: Injection (20 rules) |
| 28 | + // A03:2021 - Injection (SQL, Command, etc.) |
28 | 29 | [ |
| 30 | + 'id' => 'OWASP-001', |
29 | 31 | 'severity' => 'critical', |
30 | | - 'message' => 'OWASP-A1: SQL Injection (concatenated)', |
31 | | - 'pattern' => '/\$sql\s*=\s*["\'].*?\$_(GET|POST)/i', |
| 32 | + 'message' => 'OWASP-001: SQL Injection risk (unsanitized input in query)', |
| 33 | + 'pattern' => '/(PDO|mysqli)->query\s*\([^)]*(\$_GET|\$_POST|\$_REQUEST)/i', |
| 34 | + 'reference' => 'A03:2021', |
32 | 35 | ], |
| 36 | + // A03:2021 - Injection (Command) |
33 | 37 | [ |
| 38 | + 'id' => 'OWASP-002', |
34 | 39 | 'severity' => 'critical', |
35 | | - 'message' => 'OWASP-A1: Command Injection', |
36 | | - 'pattern' => '/(exec|system|passthru)\s*\(.*\$_(GET|POST)/i', |
| 40 | + 'message' => 'OWASP-002: OS Command Injection risk (exec/system with unsanitized input)', |
| 41 | + 'pattern' => '/(exec|shell_exec|passthru|system)\s*\([^)]*(\$_GET|\$_POST|\$_REQUEST)/i', |
| 42 | + 'reference' => 'A03:2021', |
37 | 43 | ], |
38 | | - |
39 | | - // A2: Cryptographic (15 rules) |
| 44 | + // A04:2021 - Insecure Design / PHP Object Injection |
40 | 45 | [ |
| 46 | + 'id' => 'OWASP-003', |
41 | 47 | 'severity' => 'critical', |
42 | | - 'message' => 'OWASP-A2: Hardcoded credentials', |
43 | | - 'pattern' => '/\$?(user|pass|pwd)\s*=\s*[\'"][^\'"]+[\'"]/i', |
| 48 | + 'message' => 'OWASP-003: PHP Object Injection risk (unserialize on user input)', |
| 49 | + 'pattern' => '/unserialize\s*\([^)]*(\$_GET|\$_POST|\$_REQUEST)/i', |
| 50 | + 'reference' => 'A04:2021', |
44 | 51 | ], |
45 | | - |
46 | | - // A3: XSS (15 rules) |
| 52 | + // A07:2021 - Identification and Authentication Failures |
47 | 53 | [ |
| 54 | + 'id' => 'OWASP-004', |
| 55 | + 'severity' => 'critical', |
| 56 | + 'message' => 'OWASP-004: Weak password hashing or storing sensitive data in session', |
| 57 | + // FIXED: All capture groups are now correctly closed. |
| 58 | + 'pattern' => '/(hash\s*\([^,]*,\s*password\))|(\$_(SESSION)\s*\[.*(password|key|secret)\])/i', |
| 59 | + 'reference' => 'A07:2021', |
| 60 | + ], |
| 61 | + // A01:2021 - Broken Access Control |
| 62 | + [ |
| 63 | + 'id' => 'OWASP-005', |
48 | 64 | 'severity' => 'high', |
49 | | - 'message' => 'OWASP-A3: Reflected XSS', |
50 | | - 'pattern' => '/echo\s+\$_(GET|POST)\s*\[.*\]/i', |
| 65 | + 'message' => 'OWASP-005: File inclusion risk (potential Local File Inclusion)', |
| 66 | + 'pattern' => '/(include|require)(_once)?\s*\([^)]*(\$_GET|\$_POST|\$_REQUEST)/i', |
| 67 | + 'reference' => 'A01:2021', |
51 | 68 | ], |
52 | | - |
53 | | - // A4: Insecure Design (10 rules) |
| 69 | + // A10:2021 - Server-Side Request Forgery (SSRF) |
54 | 70 | [ |
| 71 | + 'id' => 'OWASP-006', |
55 | 72 | 'severity' => 'high', |
56 | | - 'message' => 'OWASP-A4: Missing CSRF protection', |
57 | | - 'pattern' => '/<form[^>]*>(?!.*(csrf|_token))/i', |
| 73 | + 'message' => 'OWASP-006: Server-Side Request Forgery (SSRF) risk', |
| 74 | + 'pattern' => '/(file_get_contents|curl_exec|fsockopen|guzzle|httpclient)\s*\([^)]*(\$_GET|\$_POST|\$_REQUEST)/i', |
| 75 | + 'reference' => 'A10:2021', |
58 | 76 | ], |
59 | | - |
60 | | - // A5: Misconfig (10 rules) |
| 77 | + // A07:2021 - XSS (Cross-Site Scripting) |
61 | 78 | [ |
| 79 | + 'id' => 'OWASP-007', |
62 | 80 | 'severity' => 'high', |
63 | | - 'message' => 'OWASP-A5: Debug mode enabled', |
64 | | - 'pattern' => '/define\s*\(\s*[\'"]APP_DEBUG[\'"]\s*,\s*true\s*\)/i', |
| 81 | + 'message' => 'OWASP-007: Cross-Site Scripting (XSS) risk (unescaped output)', |
| 82 | + 'pattern' => '/echo\s*(\$_GET|\$_POST|\$_REQUEST)/i', |
| 83 | + 'reference' => 'A07:2021', |
65 | 84 | ], |
66 | | - |
67 | | - // A6: Vulnerable Components (10 rules) |
| 85 | + // A02:2021 - Cryptographic Failures |
| 86 | + [ |
| 87 | + 'id' => 'OWASP-008', |
| 88 | + 'severity' => 'medium', |
| 89 | + 'message' => 'OWASP-008: Use of weak random number generator', |
| 90 | + 'pattern' => '/(rand|mt_rand)\s*\(/i', |
| 91 | + 'reference' => 'A02:2021', |
| 92 | + ], |
| 93 | + // A05:2021 - Security Misconfiguration (File Upload) |
68 | 94 | [ |
| 95 | + 'id' => 'OWASP-009', |
| 96 | + 'severity' => 'medium', |
| 97 | + 'message' => 'OWASP-009: Insecure file upload handling (missing validation)', |
| 98 | + 'pattern' => '/move_uploaded_file\s*\([^)]*\)\s*;\s*(?!.*is_uploaded_file)/i', |
| 99 | + 'reference' => 'A05:2021', |
| 100 | + ], |
| 101 | + // A05:2021 - Security Misconfiguration (Global Variables) |
| 102 | + [ |
| 103 | + 'id' => 'OWASP-010', |
| 104 | + 'severity' => 'low', |
| 105 | + 'message' => 'OWASP-010: Accessing raw superglobals directly (security best practice)', |
| 106 | + 'pattern' => '/(\$_GET|\$_POST|\$_REQUEST|\$_COOKIE|eval)/i', |
| 107 | + 'reference' => 'A05:2021', |
| 108 | + ], |
| 109 | + // A08:2021 - Software and Data Integrity Failures (CSRF is a related issue) |
| 110 | + [ |
| 111 | + 'id' => 'OWASP-011', |
69 | 112 | 'severity' => 'high', |
70 | | - 'message' => 'OWASP-A6: Known vulnerable library', |
71 | | - 'pattern' => '/(jquery\s+1\.[0-9]|bootstrap\s+3\.[0-3])/i', |
| 113 | + 'message' => 'OWASP-011: Missing Cross-Site Request Forgery (CSRF) protection', |
| 114 | + // Checks for a <form method="post"> tag that doesn't contain a hidden input for a token |
| 115 | + 'pattern' => '/<form\s+[^>]*method=["\']post["\'][^>]*>(?![^<]*<input[^>]*type=["\']hidden["\'][^>]*name=["\']csrf_token)/i', |
| 116 | + 'reference' => 'A08:2021', |
| 117 | + ], |
| 118 | + // A05:2021 - Security Misconfiguration (Cookies) |
| 119 | + [ |
| 120 | + 'id' => 'OWASP-012', |
| 121 | + 'severity' => 'medium', |
| 122 | + 'message' => 'OWASP-012: Insecure cookie flags (missing HttpOnly or Secure)', |
| 123 | + // Checks for setcookie() without 'httponly' or 'secure' flags set in the last parameter array or arguments |
| 124 | + 'pattern' => '/setcookie\s*\([^)]*,\s*[^)]*,\s*[^)]*,\s*[^)]*,\s*[^)]*,\s*[^)]*,\s*(?!.*(true|secure|httponly))/i', |
| 125 | + 'reference' => 'A05:2021', |
| 126 | + ], |
| 127 | + // A01:2021 - Path Traversal |
| 128 | + [ |
| 129 | + 'id' => 'OWASP-013', |
| 130 | + 'severity' => 'critical', |
| 131 | + 'message' => 'OWASP-A01: Path Traversal (Local File Inclusion)', |
| 132 | + 'pattern' => '/(include|require|file_get_contents|fopen|readfile)\s*\([^)]*["\']?\s*\.\s*\$_(GET|POST|REQUEST)\s*\.\s*["\']?\)/i', // Looks for direct user input concatenated into file operations. |
72 | 133 | ], |
73 | 134 |
|
74 | | - // A7: Auth Failures (10 rules) |
| 135 | + // A06:2021 - Improper Asset Management - Debug files |
75 | 136 | [ |
76 | | - 'severity' => 'high', |
77 | | - 'message' => 'OWASP-A7: Weak password policy', |
78 | | - 'pattern' => '/min_password_length\s*[<=]\s*6/i', |
| 137 | + 'id' => 'OWASP-014', |
| 138 | + 'severity' => 'medium', |
| 139 | + 'message' => 'OWASP-A06: Potential debug file exposed', |
| 140 | + 'pattern' => '/\.(log|sql|bak|backup|old|tmp)$/i', // Checks for common debug file extensions. |
| 141 | + ], |
| 142 | + // A07:2021 - Identification and Authentication Failures - Weak Password Hashing |
| 143 | + [ |
| 144 | + 'id' => 'OWASP-015', |
| 145 | + 'severity' => 'critical', |
| 146 | + 'message' => 'OWASP-A07: Weak password hashing algorithm used', |
| 147 | + 'pattern' => '/hash\s*\(\s*[\'"](?i)(md2|md4|md5|sha1|sha224)[\'"]/i', // Checks for weak hash functions in hash(). |
79 | 148 | ], |
80 | 149 |
|
81 | | - // A8: Data Protection (10 rules) |
| 150 | + // A08:2021 - Software and Data Integrity Failures - Unserialize |
82 | 151 | [ |
| 152 | + 'id' => 'OWASP-016', |
83 | 153 | 'severity' => 'critical', |
84 | | - 'message' => 'OWASP-A8: Plaintext sensitive data', |
85 | | - 'pattern' => '/\$_(POST|GET)\s*\[[\'"]?(credit_card|ssn)[\'"]?\]/i', |
| 154 | + 'message' => 'OWASP-A08: Insecure deserialization (unserialize)', |
| 155 | + 'pattern' => '/unserialize\s*\(\s*\$_(GET|POST|COOKIE|REQUEST)/i', // Checks for user input in unserialize (same as CIS-017). |
86 | 156 | ], |
87 | 157 |
|
88 | | - // A10: SSRF (10 rules) |
| 158 | + // A10:2021 - Server-Side Request Forgery |
89 | 159 | [ |
| 160 | + 'id' => 'OWASP-017', |
90 | 161 | 'severity' => 'critical', |
91 | | - 'message' => 'OWASP-A10: Potential SSRF', |
92 | | - 'pattern' => '/file_get_contents\s*\(\s*\$_(GET|POST)/i', |
| 162 | + 'message' => 'OWASP-A10: Potential Server-Side Request Forgery (SSRF)', |
| 163 | + 'pattern' => '/(file_get_contents|fopen|curl_init|fsockopen|stream_socket_client)\s*\([^)]*\$_(GET|POST|REQUEST)/i', // Checks for user input in various HTTP/file functions. |
93 | 164 | ], |
94 | 165 |
|
95 | | - // API Security (15 rules) |
| 166 | + // Cross-Site Scripting (XSS) - Reflected |
96 | 167 | [ |
| 168 | + 'id' => 'OWASP-018', |
97 | 169 | 'severity' => 'high', |
98 | | - 'message' => 'OWASP-API1: Missing rate limiting', |
99 | | - 'pattern' => '/function\s+api_\w+\s*\(\)[^{]*\{[^}]*\}(?!.*sleep\s*\(\d+\))/i', |
| 170 | + 'message' => 'OWASP-A07: Potential Reflected XSS (outputting user input)', |
| 171 | + 'pattern' => '/echo\s+\$_(GET|POST|REQUEST|COOKIE)/i', // Checks for direct output of user input. |
100 | 172 | ], |
101 | 173 |
|
102 | | - // Cloud (10 rules) |
| 174 | + // A08:2021 - Insecure Deserialization - Alternative pattern |
103 | 175 | [ |
104 | | - 'severity' => 'high', |
105 | | - 'message' => 'OWASP-CLOUD1: Hardcoded AWS keys', |
106 | | - 'pattern' => '/\$aws_(key|secret)\s*=\s*[\'"][^\'"]+[\'"]/i', |
| 176 | + 'id' => 'OWASP-019', |
| 177 | + 'severity' => 'critical', |
| 178 | + 'message' => 'OWASP-A08: Potential Insecure Deserialization (serialize/unserialize mismatch)', |
| 179 | + 'pattern' => '/serialize\s*\(\s*\$_(GET|POST|REQUEST)/i', // Checks for serializing user input (less common than unserialize). |
107 | 180 | ], |
108 | 181 | ]; |
109 | 182 | } |
|
0 commit comments