
Conversation

@noelsaw1 (Contributor)

### 1. `eval()` with any variable (PHP)

```php
// CRITICAL - Almost always malware or vulnerability
eval($code);
eval($_POST['data']);
eval(base64_decode($string));
```

Why always critical: Legitimate eval() in WordPress is extremely rare. Dynamic code execution is the hallmark of malware and backdoors.

False positive rate: Very low (<5%)

Current coverage:

  • Node.js: njs-001-eval-injection (pattern JSON + direct pattern runner)
  • PHP: php-eval-injection (new Tier 1 rule, implemented in check-performance.sh v1.3.7)

Status: Implemented in scanner (Node.js + PHP) as of v1.3.7.


### 2. Dynamic `include`/`require` with variables

```php
// CRITICAL - Local/Remote File Inclusion → RCE
include($_GET['page'] . '.php');
require($template);
include_once($user_controlled_path);
```

Why always critical: File inclusion with user input leads directly to remote code execution. Even with sanitization, this pattern is dangerous.

False positive rate: Low (~10%). Some template loaders do this safely, but they should use whitelists.

Current coverage:

  • PHP: php-dynamic-include (new Tier 1 rule, implemented in check-performance.sh v1.3.7)

Status: Implemented in scanner (PHP) as of v1.3.7.


### 3. `shell_exec`/`exec`/`system`/`passthru` (any usage)

```php
// CRITICAL - Command execution
shell_exec($cmd);
exec("convert " . $filename);
system($_GET['cmd']);
passthru($user_input);
```

Why always critical: Command execution in a web context is high-risk. Even "safe" uses (image processing, etc.) should be reviewed for injection vectors.

False positive rate: Medium (~20%). Legitimate uses exist but are rare in WordPress themes/plugins.

Current coverage:

  • Node.js: njs-002-command-injection (server-side command injection checks)
  • PHP: php-shell-exec-functions (new Tier 1 rule, implemented in check-performance.sh v1.3.8)

Status: Implemented in scanner (PHP + Node.js coverage) as of v1.3.8.


### 4. Direct file write with user-controlled path

```php
// CRITICAL - Arbitrary file write → RCE
file_put_contents($_GET['file'], $content);
move_uploaded_file($tmp_name, $user_path);
fwrite($handle, $data);  // when $handle comes from user input
```

Why always critical: Arbitrary file write allows attackers to create PHP backdoors anywhere in the filesystem.

False positive rate: Low (~10%). The pattern of user input → file path is specific.

Current coverage:

  • PHP: php-user-controlled-file-write (Tier 1 rule, implemented in check-performance.sh v1.3.9; detection hardened in v1.3.10)

Status: Implemented in scanner (PHP) as of v1.3.9; detection bug fixed in v1.3.10.


### 5. Hardcoded credentials in PHP

```php
// CRITICAL - Exposed secrets
$api_key = 'sk_live_abc123def456';
define('API_SECRET', 'hardcoded_value');
$password = 'admin123';
'Authorization' => 'Bearer sk_live_...'
```

Why always critical: Credentials in code get committed to repos, leaked in error messages, and exposed in backups.

False positive rate: Medium (~25%). Example code and tests may trigger this, but the risk of missing a real exposure is too high.

Current coverage:

  • Client-side JS: headless-api-key-exposure (existing rule for browser bundles)
  • PHP: php-hardcoded-credentials (new Tier 1 rule, implemented in check-performance.sh v1.3.9)

Status: Implemented in scanner (PHP + client-side JS coverage) as of v1.3.9.


### 6. Insecure data deserialization from superglobals

```php
// CRITICAL - Object injection / RCE via unserialize/json_decode/maybe_unserialize
$data   = unserialize($_POST['payload']);
$json   = json_decode($_GET['json'], true);
$value  = maybe_unserialize($_REQUEST['data']);
```

- [x] 1. `eval()` with any variable (PHP)
- [x] 2. Dynamic `include`/`require` with variables
- 4. Direct file write with user-controlled path
- 5. Hardcoded credentials in PHP
- 6. Insecure data deserialization from superglobals
@noelsaw1 noelsaw1 merged commit fbe4972 into development Jan 14, 2026
1 check passed
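The six Tier 1 patterns from the comment above, run as a small awk-based pattern runner over a constructed PHP file. This is an added example, not the project's check-performance.sh nor any rule it ships: the rule ids for items 1 to 5 are the ones named in the comment, while the regexes, the comment-line skip, the `php-insecure-deserialization` id used for item 6, and the sample file are assumptions. It shows one finding per rule and three lines that a naive grep would flag but this runner does not (a commented-out `eval`, a constant include path, and a `json_decode` of a non-superglobal).

```shell
#!/bin/sh
# Added example, not the project's check-performance.sh. Rule ids 1-5 come from
# the PR comment; the regexes, comment skipping and sample input are assumptions.

# Constructed sample input: one hit per Tier 1 rule plus lines that must NOT fire.
SAMPLE_PHP="$(mktemp)"
cat >"$SAMPLE_PHP" <<'PHP'
<?php
// eval($_POST['data']);            commented out: must not fire
eval(base64_decode($string));       // php-eval-injection
include($_GET['page'] . '.php');    // php-dynamic-include
require_once __DIR__ . '/lib.php';  // constant path: must not fire
exec("convert " . $filename);       // php-shell-exec-functions
file_put_contents($_GET['file'], $content); // php-user-controlled-file-write
define('API_SECRET', 'hardcoded_value');    // php-hardcoded-credentials
$data = unserialize($_POST['payload']);     // php-insecure-deserialization (assumed id)
$safe = json_decode($body, true);           // no superglobal: must not fire
PHP

# Usage: scan_php_tier1 <file.php>
# Prints one "rule-id:line-no:source" line per finding. A line can fire several rules.
scan_php_tier1() {
  awk -v q="'" -v dq='"' '
    BEGIN {
      # Credential rule built as a string so the quote characters can be
      # injected via -v (the awk program itself is single-quoted in the shell).
      # Matches: <secret-looking name> ["]? [= => ,] <quoted string literal>
      cred = "(api_?key|secret|password|passwd|token)[" q dq "]?[[:space:]]*(=>?|,)[[:space:]]*[" q dq "][^" q dq "]+[" q dq "]"
    }
    function hit(rule) { printf "%s:%d:%s\n", rule, NR, $0 }

    # Cheap false-positive filter: lines that are only a comment are skipped.
    /^[[:space:]]*(\/\/|#|\*|\/\*)/ { next }

    # 1. eval() whose argument list contains a variable
    /(^|[^A-Za-z0-9_])eval[[:space:]]*\([^)]*\$/ { hit("php-eval-injection") }

    # 2. include/require(_once) with a variable anywhere before the statement ends
    /(^|[^A-Za-z0-9_])(include|require)(_once)?[[:space:]]*\(?[[:space:]]*[^;]*\$/ { hit("php-dynamic-include") }

    # 3. any call to the shell execution functions
    /(^|[^A-Za-z0-9_])(shell_exec|exec|system|passthru)[[:space:]]*\(/ { hit("php-shell-exec-functions") }

    # 4. file write whose arguments reference a request superglobal
    /(^|[^A-Za-z0-9_])(file_put_contents|move_uploaded_file|fwrite)[[:space:]]*\([^;]*\$_(GET|POST|REQUEST|COOKIE|FILES)/ { hit("php-user-controlled-file-write") }

    # 5. secret-looking name assigned a string literal, or a Stripe-style live/test key prefix
    tolower($0) ~ cred || /sk_(live|test)_[A-Za-z0-9]/ { hit("php-hardcoded-credentials") }

    # 6. deserialization fed directly from a superglobal (rule id assumed)
    /(^|[^A-Za-z0-9_])(maybe_unserialize|unserialize|json_decode)[[:space:]]*\([^;]*\$_(GET|POST|REQUEST|COOKIE)/ { hit("php-insecure-deserialization") }
  ' "$1"
}

# Stand-alone run: prints the six expected findings for the sample file.
scan_php_tier1 "$SAMPLE_PHP"
```

The comment-only skip and the superglobal requirement in rules 4 and 6 are what keep the false-positive rate in the ranges the comment quotes; a real runner would also need to handle multi-line statements and `/* ... */` blocks, which this single-line awk pass does not.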