@runsec/mcp 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (40)
  1. package/dist/index.js +578 -0
  2. package/package.json +43 -0
  3. package/src/rules/data/rule-compliance-map.json +43563 -0
  4. package/src/rules/data/semgrep-rules/README-taint-overlays.md +21 -0
  5. package/src/rules/data/semgrep-rules/advanced-agent-cloud.yaml +802 -0
  6. package/src/rules/data/semgrep-rules/app-logic.yaml +445 -0
  7. package/src/rules/data/semgrep-rules/auth-keycloak.yaml +831 -0
  8. package/src/rules/data/semgrep-rules/browser-agent.yaml +260 -0
  9. package/src/rules/data/semgrep-rules/cloud-secrets.yaml +316 -0
  10. package/src/rules/data/semgrep-rules/csharp-dotnet.yaml +4864 -0
  11. package/src/rules/data/semgrep-rules/desktop-electron-pro.yaml +30 -0
  12. package/src/rules/data/semgrep-rules/desktop-vsto-suite.yaml +2759 -0
  13. package/src/rules/data/semgrep-rules/devops-security.yaml +393 -0
  14. package/src/rules/data/semgrep-rules/domain-access-management.yaml +1023 -0
  15. package/src/rules/data/semgrep-rules/domain-data-privacy.yaml +852 -0
  16. package/src/rules/data/semgrep-rules/domain-input-validation.yaml +2894 -0
  17. package/src/rules/data/semgrep-rules/domain-platform-hardening.yaml +1715 -0
  18. package/src/rules/data/semgrep-rules/ds-ml-security.yaml +2431 -0
  19. package/src/rules/data/semgrep-rules/fastapi-async.yaml +5953 -0
  20. package/src/rules/data/semgrep-rules/frontend-react.yaml +4035 -0
  21. package/src/rules/data/semgrep-rules/frontend-security.yaml +200 -0
  22. package/src/rules/data/semgrep-rules/go-core.yaml +4959 -0
  23. package/src/rules/data/semgrep-rules/hft-cpp-security.yaml +631 -0
  24. package/src/rules/data/semgrep-rules/infra-k8s-helm.yaml +4968 -0
  25. package/src/rules/data/semgrep-rules/integration-security.yaml +2362 -0
  26. package/src/rules/data/semgrep-rules/java-enterprise.yaml +14756 -0
  27. package/src/rules/data/semgrep-rules/java-spring.yaml +397 -0
  28. package/src/rules/data/semgrep-rules/license-compliance.yaml +186 -0
  29. package/src/rules/data/semgrep-rules/mobile-flutter.yaml +37 -0
  30. package/src/rules/data/semgrep-rules/mobile-security.yaml +721 -0
  31. package/src/rules/data/semgrep-rules/nodejs-nestjs.yaml +5164 -0
  32. package/src/rules/data/semgrep-rules/nodejs-security.yaml +326 -0
  33. package/src/rules/data/semgrep-rules/observability.yaml +381 -0
  34. package/src/rules/data/semgrep-rules/php-security.yaml +3601 -0
  35. package/src/rules/data/semgrep-rules/python-backend-pro.yaml +30 -0
  36. package/src/rules/data/semgrep-rules/python-django.yaml +181 -0
  37. package/src/rules/data/semgrep-rules/python-security.yaml +284 -0
  38. package/src/rules/data/semgrep-rules/ru-regulatory.yaml +496 -0
  39. package/src/rules/data/semgrep-rules/ruby-rails.yaml +3078 -0
  40. package/src/rules/data/semgrep-rules/rust-security.yaml +2701 -0
@@ -0,0 +1,3601 @@
1
+ rules:
2
+ - id: runsec.php-security.phpx-001
3
+ metadata:
4
+ runsec_version: v1.0
5
+ confidence: |-
6
+ 0.9
7
+ exploit_scenario: |-
8
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
9
+ fix_template: |-
10
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
11
+ pattern-either:
12
+ - pattern: |-
13
+ User::whereRaw("email = '$email'")->first();
14
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-001\\b'
15
+ message: |-
16
+ RunSec Detection [PHPX-001]: CWE-89
17
+ languages:
18
+ - generic
19
+ severity: WARNING
20
+ - id: runsec.php-security.phpx-002
21
+ metadata:
22
+ runsec_version: v1.0
23
+ confidence: |-
24
+ 0.9
25
+ exploit_scenario: |-
26
+ Broad input binding enables privilege field overwrite in model attributes.
27
+ fix_template: |-
28
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
29
+ pattern-either:
30
+ - pattern: |-
31
+ User::create($request->all());
32
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-002\\b'
33
+ message: |-
34
+ RunSec Detection [PHPX-002]: CWE-915
35
+ languages:
36
+ - generic
37
+ severity: WARNING
38
+ - id: runsec.php-security.phpx-003
39
+ metadata:
40
+ runsec_version: v1.0
41
+ confidence: |-
42
+ 0.9
43
+ exploit_scenario: |-
44
+ User-controlled template source can execute server-side template payloads.
45
+ fix_template: |-
46
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
47
+ pattern-either:
48
+ - pattern: |-
49
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
50
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-003\\b'
51
+ message: |-
52
+ RunSec Detection [PHPX-003]: CWE-94
53
+ languages:
54
+ - generic
55
+ severity: WARNING
56
+ - id: runsec.php-security.phpx-004
57
+ metadata:
58
+ runsec_version: v1.0
59
+ confidence: |-
60
+ 0.9
61
+ exploit_scenario: |-
62
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
63
+ fix_template: |-
64
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
65
+ pattern-either:
66
+ - pattern: |-
67
+ $obj = unserialize($_POST['payload']);
68
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-004\\b'
69
+ message: |-
70
+ RunSec Detection [PHPX-004]: CWE-502
71
+ languages:
72
+ - generic
73
+ severity: WARNING
74
+ - id: runsec.php-security.phpx-005
75
+ metadata:
76
+ runsec_version: v1.0
77
+ confidence: |-
78
+ 0.9
79
+ exploit_scenario: |-
80
+ Over-posting maps attacker fields into protected entity properties.
81
+ fix_template: |-
82
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
83
+ pattern-either:
84
+ - pattern: |-
85
+ $form->submit($request->request->all());
86
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-005\\b'
87
+ message: |-
88
+ RunSec Detection [PHPX-005]: CWE-915
89
+ languages:
90
+ - generic
91
+ severity: WARNING
92
+ - id: runsec.php-security.phpx-006
93
+ metadata:
94
+ runsec_version: v1.0
95
+ confidence: |-
96
+ 0.9
97
+ exploit_scenario: |-
98
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
99
+ fix_template: |-
100
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
101
+ pattern-either:
102
+ - pattern: |-
103
+ $result = eval('return ' . $_GET['expr'] . ';');
104
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-006\\b'
105
+ message: |-
106
+ RunSec Detection [PHPX-006]: CWE-94
107
+ languages:
108
+ - generic
109
+ severity: WARNING
110
+ - id: runsec.php-security.phpx-007
111
+ metadata:
112
+ runsec_version: v1.0
113
+ confidence: |-
114
+ 0.9
115
+ exploit_scenario: |-
116
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
117
+ fix_template: |-
118
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
119
+ pattern-either:
120
+ - pattern: |-
121
+ User::whereRaw("email = '$email'")->first();
122
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-007\\b'
123
+ message: |-
124
+ RunSec Detection [PHPX-007]: CWE-89
125
+ languages:
126
+ - generic
127
+ severity: WARNING
128
+ - id: runsec.php-security.phpx-008
129
+ metadata:
130
+ runsec_version: v1.0
131
+ confidence: |-
132
+ 0.9
133
+ exploit_scenario: |-
134
+ Broad input binding enables privilege field overwrite in model attributes.
135
+ fix_template: |-
136
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
137
+ pattern-either:
138
+ - pattern: |-
139
+ User::create($request->all());
140
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-008\\b'
141
+ message: |-
142
+ RunSec Detection [PHPX-008]: CWE-915
143
+ languages:
144
+ - generic
145
+ severity: WARNING
146
+ - id: runsec.php-security.phpx-009
147
+ metadata:
148
+ runsec_version: v1.0
149
+ confidence: |-
150
+ 0.9
151
+ exploit_scenario: |-
152
+ User-controlled template source can execute server-side template payloads.
153
+ fix_template: |-
154
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
155
+ pattern-either:
156
+ - pattern: |-
157
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
158
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-009\\b'
159
+ message: |-
160
+ RunSec Detection [PHPX-009]: CWE-94
161
+ languages:
162
+ - generic
163
+ severity: WARNING
164
+ - id: runsec.php-security.phpx-010
165
+ metadata:
166
+ runsec_version: v1.0
167
+ confidence: |-
168
+ 0.9
169
+ exploit_scenario: |-
170
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
171
+ fix_template: |-
172
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
173
+ pattern-either:
174
+ - pattern: |-
175
+ $obj = unserialize($_POST['payload']);
176
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-010\\b'
177
+ message: |-
178
+ RunSec Detection [PHPX-010]: CWE-502
179
+ languages:
180
+ - generic
181
+ severity: WARNING
182
+ - id: runsec.php-security.phpx-011
183
+ metadata:
184
+ runsec_version: v1.0
185
+ confidence: |-
186
+ 0.9
187
+ exploit_scenario: |-
188
+ Over-posting maps attacker fields into protected entity properties.
189
+ fix_template: |-
190
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
191
+ pattern-either:
192
+ - pattern: |-
193
+ $form->submit($request->request->all());
194
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-011\\b'
195
+ message: |-
196
+ RunSec Detection [PHPX-011]: CWE-915
197
+ languages:
198
+ - generic
199
+ severity: WARNING
200
+ - id: runsec.php-security.phpx-012
201
+ metadata:
202
+ runsec_version: v1.0
203
+ confidence: |-
204
+ 0.9
205
+ exploit_scenario: |-
206
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
207
+ fix_template: |-
208
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
209
+ pattern-either:
210
+ - pattern: |-
211
+ $result = eval('return ' . $_GET['expr'] . ';');
212
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-012\\b'
213
+ message: |-
214
+ RunSec Detection [PHPX-012]: CWE-94
215
+ languages:
216
+ - generic
217
+ severity: WARNING
218
+ - id: runsec.php-security.phpx-013
219
+ metadata:
220
+ runsec_version: v1.0
221
+ confidence: |-
222
+ 0.9
223
+ exploit_scenario: |-
224
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
225
+ fix_template: |-
226
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
227
+ pattern-either:
228
+ - pattern: |-
229
+ User::whereRaw("email = '$email'")->first();
230
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-013\\b'
231
+ message: |-
232
+ RunSec Detection [PHPX-013]: CWE-89
233
+ languages:
234
+ - generic
235
+ severity: WARNING
236
+ - id: runsec.php-security.phpx-014
237
+ metadata:
238
+ runsec_version: v1.0
239
+ confidence: |-
240
+ 0.9
241
+ exploit_scenario: |-
242
+ Broad input binding enables privilege field overwrite in model attributes.
243
+ fix_template: |-
244
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
245
+ pattern-either:
246
+ - pattern: |-
247
+ User::create($request->all());
248
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-014\\b'
249
+ message: |-
250
+ RunSec Detection [PHPX-014]: CWE-915
251
+ languages:
252
+ - generic
253
+ severity: WARNING
254
+ - id: runsec.php-security.phpx-015
255
+ metadata:
256
+ runsec_version: v1.0
257
+ confidence: |-
258
+ 0.9
259
+ exploit_scenario: |-
260
+ User-controlled template source can execute server-side template payloads.
261
+ fix_template: |-
262
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
263
+ pattern-either:
264
+ - pattern: |-
265
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
266
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-015\\b'
267
+ message: |-
268
+ RunSec Detection [PHPX-015]: CWE-94
269
+ languages:
270
+ - generic
271
+ severity: WARNING
272
+ - id: runsec.php-security.phpx-016
273
+ metadata:
274
+ runsec_version: v1.0
275
+ confidence: |-
276
+ 0.9
277
+ exploit_scenario: |-
278
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
279
+ fix_template: |-
280
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
281
+ pattern-either:
282
+ - pattern: |-
283
+ $obj = unserialize($_POST['payload']);
284
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-016\\b'
285
+ message: |-
286
+ RunSec Detection [PHPX-016]: CWE-502
287
+ languages:
288
+ - generic
289
+ severity: WARNING
290
+ - id: runsec.php-security.phpx-017
291
+ metadata:
292
+ runsec_version: v1.0
293
+ confidence: |-
294
+ 0.9
295
+ exploit_scenario: |-
296
+ Over-posting maps attacker fields into protected entity properties.
297
+ fix_template: |-
298
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
299
+ pattern-either:
300
+ - pattern: |-
301
+ $form->submit($request->request->all());
302
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-017\\b'
303
+ message: |-
304
+ RunSec Detection [PHPX-017]: CWE-915
305
+ languages:
306
+ - generic
307
+ severity: WARNING
308
+ - id: runsec.php-security.phpx-018
309
+ metadata:
310
+ runsec_version: v1.0
311
+ confidence: |-
312
+ 0.9
313
+ exploit_scenario: |-
314
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
315
+ fix_template: |-
316
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
317
+ pattern-either:
318
+ - pattern: |-
319
+ $result = eval('return ' . $_GET['expr'] . ';');
320
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-018\\b'
321
+ message: |-
322
+ RunSec Detection [PHPX-018]: CWE-94
323
+ languages:
324
+ - generic
325
+ severity: WARNING
326
+ - id: runsec.php-security.phpx-019
327
+ metadata:
328
+ runsec_version: v1.0
329
+ confidence: |-
330
+ 0.9
331
+ exploit_scenario: |-
332
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
333
+ fix_template: |-
334
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
335
+ pattern-either:
336
+ - pattern: |-
337
+ User::whereRaw("email = '$email'")->first();
338
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-019\\b'
339
+ message: |-
340
+ RunSec Detection [PHPX-019]: CWE-89
341
+ languages:
342
+ - generic
343
+ severity: WARNING
344
+ - id: runsec.php-security.phpx-020
345
+ metadata:
346
+ runsec_version: v1.0
347
+ confidence: |-
348
+ 0.9
349
+ exploit_scenario: |-
350
+ Broad input binding enables privilege field overwrite in model attributes.
351
+ fix_template: |-
352
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
353
+ pattern-either:
354
+ - pattern: |-
355
+ User::create($request->all());
356
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-020\\b'
357
+ message: |-
358
+ RunSec Detection [PHPX-020]: CWE-915
359
+ languages:
360
+ - generic
361
+ severity: WARNING
362
+ - id: runsec.php-security.phpx-021
363
+ metadata:
364
+ runsec_version: v1.0
365
+ confidence: |-
366
+ 0.9
367
+ exploit_scenario: |-
368
+ User-controlled template source can execute server-side template payloads.
369
+ fix_template: |-
370
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
371
+ pattern-either:
372
+ - pattern: |-
373
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
374
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-021\\b'
375
+ message: |-
376
+ RunSec Detection [PHPX-021]: CWE-94
377
+ languages:
378
+ - generic
379
+ severity: WARNING
380
+ - id: runsec.php-security.phpx-022
381
+ metadata:
382
+ runsec_version: v1.0
383
+ confidence: |-
384
+ 0.9
385
+ exploit_scenario: |-
386
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
387
+ fix_template: |-
388
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
389
+ pattern-either:
390
+ - pattern: |-
391
+ $obj = unserialize($_POST['payload']);
392
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-022\\b'
393
+ message: |-
394
+ RunSec Detection [PHPX-022]: CWE-502
395
+ languages:
396
+ - generic
397
+ severity: WARNING
398
+ - id: runsec.php-security.phpx-023
399
+ metadata:
400
+ runsec_version: v1.0
401
+ confidence: |-
402
+ 0.9
403
+ exploit_scenario: |-
404
+ Over-posting maps attacker fields into protected entity properties.
405
+ fix_template: |-
406
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
407
+ pattern-either:
408
+ - pattern: |-
409
+ $form->submit($request->request->all());
410
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-023\\b'
411
+ message: |-
412
+ RunSec Detection [PHPX-023]: CWE-915
413
+ languages:
414
+ - generic
415
+ severity: WARNING
416
+ - id: runsec.php-security.phpx-024
417
+ metadata:
418
+ runsec_version: v1.0
419
+ confidence: |-
420
+ 0.9
421
+ exploit_scenario: |-
422
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
423
+ fix_template: |-
424
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
425
+ pattern-either:
426
+ - pattern: |-
427
+ $result = eval('return ' . $_GET['expr'] . ';');
428
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-024\\b'
429
+ message: |-
430
+ RunSec Detection [PHPX-024]: CWE-94
431
+ languages:
432
+ - generic
433
+ severity: WARNING
434
+ - id: runsec.php-security.phpx-025
435
+ metadata:
436
+ runsec_version: v1.0
437
+ confidence: |-
438
+ 0.9
439
+ exploit_scenario: |-
440
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
441
+ fix_template: |-
442
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
443
+ pattern-either:
444
+ - pattern: |-
445
+ User::whereRaw("email = '$email'")->first();
446
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-025\\b'
447
+ message: |-
448
+ RunSec Detection [PHPX-025]: CWE-89
449
+ languages:
450
+ - generic
451
+ severity: WARNING
452
+ - id: runsec.php-security.phpx-026
453
+ metadata:
454
+ runsec_version: v1.0
455
+ confidence: |-
456
+ 0.9
457
+ exploit_scenario: |-
458
+ Broad input binding enables privilege field overwrite in model attributes.
459
+ fix_template: |-
460
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
461
+ pattern-either:
462
+ - pattern: |-
463
+ User::create($request->all());
464
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-026\\b'
465
+ message: |-
466
+ RunSec Detection [PHPX-026]: CWE-915
467
+ languages:
468
+ - generic
469
+ severity: WARNING
470
+ - id: runsec.php-security.phpx-027
471
+ metadata:
472
+ runsec_version: v1.0
473
+ confidence: |-
474
+ 0.9
475
+ exploit_scenario: |-
476
+ User-controlled template source can execute server-side template payloads.
477
+ fix_template: |-
478
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
479
+ pattern-either:
480
+ - pattern: |-
481
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
482
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-027\\b'
483
+ message: |-
484
+ RunSec Detection [PHPX-027]: CWE-94
485
+ languages:
486
+ - generic
487
+ severity: WARNING
488
+ - id: runsec.php-security.phpx-028
489
+ metadata:
490
+ runsec_version: v1.0
491
+ confidence: |-
492
+ 0.9
493
+ exploit_scenario: |-
494
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
495
+ fix_template: |-
496
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
497
+ pattern-either:
498
+ - pattern: |-
499
+ $obj = unserialize($_POST['payload']);
500
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-028\\b'
501
+ message: |-
502
+ RunSec Detection [PHPX-028]: CWE-502
503
+ languages:
504
+ - generic
505
+ severity: WARNING
506
+ - id: runsec.php-security.phpx-029
507
+ metadata:
508
+ runsec_version: v1.0
509
+ confidence: |-
510
+ 0.9
511
+ exploit_scenario: |-
512
+ Over-posting maps attacker fields into protected entity properties.
513
+ fix_template: |-
514
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
515
+ pattern-either:
516
+ - pattern: |-
517
+ $form->submit($request->request->all());
518
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-029\\b'
519
+ message: |-
520
+ RunSec Detection [PHPX-029]: CWE-915
521
+ languages:
522
+ - generic
523
+ severity: WARNING
524
+ - id: runsec.php-security.phpx-030
525
+ metadata:
526
+ runsec_version: v1.0
527
+ confidence: |-
528
+ 0.9
529
+ exploit_scenario: |-
530
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
531
+ fix_template: |-
532
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
533
+ pattern-either:
534
+ - pattern: |-
535
+ $result = eval('return ' . $_GET['expr'] . ';');
536
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-030\\b'
537
+ message: |-
538
+ RunSec Detection [PHPX-030]: CWE-94
539
+ languages:
540
+ - generic
541
+ severity: WARNING
542
+ - id: runsec.php-security.phpx-031
543
+ metadata:
544
+ runsec_version: v1.0
545
+ confidence: |-
546
+ 0.9
547
+ exploit_scenario: |-
548
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
549
+ fix_template: |-
550
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
551
+ pattern-either:
552
+ - pattern: |-
553
+ User::whereRaw("email = '$email'")->first();
554
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-031\\b'
555
+ message: |-
556
+ RunSec Detection [PHPX-031]: CWE-89
557
+ languages:
558
+ - generic
559
+ severity: WARNING
560
+ - id: runsec.php-security.phpx-032
561
+ metadata:
562
+ runsec_version: v1.0
563
+ confidence: |-
564
+ 0.9
565
+ exploit_scenario: |-
566
+ Broad input binding enables privilege field overwrite in model attributes.
567
+ fix_template: |-
568
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
569
+ pattern-either:
570
+ - pattern: |-
571
+ User::create($request->all());
572
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-032\\b'
573
+ message: |-
574
+ RunSec Detection [PHPX-032]: CWE-915
575
+ languages:
576
+ - generic
577
+ severity: WARNING
578
+ - id: runsec.php-security.phpx-033
579
+ metadata:
580
+ runsec_version: v1.0
581
+ confidence: |-
582
+ 0.9
583
+ exploit_scenario: |-
584
+ User-controlled template source can execute server-side template payloads.
585
+ fix_template: |-
586
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
587
+ pattern-either:
588
+ - pattern: |-
589
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
590
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-033\\b'
591
+ message: |-
592
+ RunSec Detection [PHPX-033]: CWE-94
593
+ languages:
594
+ - generic
595
+ severity: WARNING
596
+ - id: runsec.php-security.phpx-034
597
+ metadata:
598
+ runsec_version: v1.0
599
+ confidence: |-
600
+ 0.9
601
+ exploit_scenario: |-
602
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
603
+ fix_template: |-
604
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
605
+ pattern-either:
606
+ - pattern: |-
607
+ $obj = unserialize($_POST['payload']);
608
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-034\\b'
609
+ message: |-
610
+ RunSec Detection [PHPX-034]: CWE-502
611
+ languages:
612
+ - generic
613
+ severity: WARNING
614
+ - id: runsec.php-security.phpx-035
615
+ metadata:
616
+ runsec_version: v1.0
617
+ confidence: |-
618
+ 0.9
619
+ exploit_scenario: |-
620
+ Over-posting maps attacker fields into protected entity properties.
621
+ fix_template: |-
622
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
623
+ pattern-either:
624
+ - pattern: |-
625
+ $form->submit($request->request->all());
626
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-035\\b'
627
+ message: |-
628
+ RunSec Detection [PHPX-035]: CWE-915
629
+ languages:
630
+ - generic
631
+ severity: WARNING
632
+ - id: runsec.php-security.phpx-036
633
+ metadata:
634
+ runsec_version: v1.0
635
+ confidence: |-
636
+ 0.9
637
+ exploit_scenario: |-
638
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
639
+ fix_template: |-
640
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
641
+ pattern-either:
642
+ - pattern: |-
643
+ $result = eval('return ' . $_GET['expr'] . ';');
644
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-036\\b'
645
+ message: |-
646
+ RunSec Detection [PHPX-036]: CWE-94
647
+ languages:
648
+ - generic
649
+ severity: WARNING
650
+ - id: runsec.php-security.phpx-037
651
+ metadata:
652
+ runsec_version: v1.0
653
+ confidence: |-
654
+ 0.9
655
+ exploit_scenario: |-
656
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
657
+ fix_template: |-
658
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
659
+ pattern-either:
660
+ - pattern: |-
661
+ User::whereRaw("email = '$email'")->first();
662
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-037\\b'
663
+ message: |-
664
+ RunSec Detection [PHPX-037]: CWE-89
665
+ languages:
666
+ - generic
667
+ severity: WARNING
668
+ - id: runsec.php-security.phpx-038
669
+ metadata:
670
+ runsec_version: v1.0
671
+ confidence: |-
672
+ 0.9
673
+ exploit_scenario: |-
674
+ Broad input binding enables privilege field overwrite in model attributes.
675
+ fix_template: |-
676
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
677
+ pattern-either:
678
+ - pattern: |-
679
+ User::create($request->all());
680
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-038\\b'
681
+ message: |-
682
+ RunSec Detection [PHPX-038]: CWE-915
683
+ languages:
684
+ - generic
685
+ severity: WARNING
686
+ - id: runsec.php-security.phpx-039
687
+ metadata:
688
+ runsec_version: v1.0
689
+ confidence: |-
690
+ 0.9
691
+ exploit_scenario: |-
692
+ User-controlled template source can execute server-side template payloads.
693
+ fix_template: |-
694
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
695
+ pattern-either:
696
+ - pattern: |-
697
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
698
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-039\\b'
699
+ message: |-
700
+ RunSec Detection [PHPX-039]: CWE-94
701
+ languages:
702
+ - generic
703
+ severity: WARNING
704
+ - id: runsec.php-security.phpx-040
705
+ metadata:
706
+ runsec_version: v1.0
707
+ confidence: |-
708
+ 0.9
709
+ exploit_scenario: |-
710
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
711
+ fix_template: |-
712
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
713
+ pattern-either:
714
+ - pattern: |-
715
+ $obj = unserialize($_POST['payload']);
716
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-040\\b'
717
+ message: |-
718
+ RunSec Detection [PHPX-040]: CWE-502
719
+ languages:
720
+ - generic
721
+ severity: WARNING
722
+ - id: runsec.php-security.phpx-041
723
+ metadata:
724
+ runsec_version: v1.0
725
+ confidence: |-
726
+ 0.9
727
+ exploit_scenario: |-
728
+ Over-posting maps attacker fields into protected entity properties.
729
+ fix_template: |-
730
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
731
+ pattern-either:
732
+ - pattern: |-
733
+ $form->submit($request->request->all());
734
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-041\\b'
735
+ message: |-
736
+ RunSec Detection [PHPX-041]: CWE-915
737
+ languages:
738
+ - generic
739
+ severity: WARNING
740
+ - id: runsec.php-security.phpx-042
741
+ metadata:
742
+ runsec_version: v1.0
743
+ confidence: |-
744
+ 0.9
745
+ exploit_scenario: |-
746
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
747
+ fix_template: |-
748
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
749
+ pattern-either:
750
+ - pattern: |-
751
+ $result = eval('return ' . $_GET['expr'] . ';');
752
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-042\\b'
753
+ message: |-
754
+ RunSec Detection [PHPX-042]: CWE-94
755
+ languages:
756
+ - generic
757
+ severity: WARNING
758
+ - id: runsec.php-security.phpx-043
759
+ metadata:
760
+ runsec_version: v1.0
761
+ confidence: |-
762
+ 0.9
763
+ exploit_scenario: |-
764
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
765
+ fix_template: |-
766
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
767
+ pattern-either:
768
+ - pattern: |-
769
+ User::whereRaw("email = '$email'")->first();
770
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-043\\b'
771
+ message: |-
772
+ RunSec Detection [PHPX-043]: CWE-89
773
+ languages:
774
+ - generic
775
+ severity: WARNING
776
+ - id: runsec.php-security.phpx-044
777
+ metadata:
778
+ runsec_version: v1.0
779
+ confidence: |-
780
+ 0.9
781
+ exploit_scenario: |-
782
+ Broad input binding enables privilege field overwrite in model attributes.
783
+ fix_template: |-
784
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
785
+ pattern-either:
786
+ - pattern: |-
787
+ User::create($request->all());
788
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-044\\b'
789
+ message: |-
790
+ RunSec Detection [PHPX-044]: CWE-915
791
+ languages:
792
+ - generic
793
+ severity: WARNING
794
+ - id: runsec.php-security.phpx-045
795
+ metadata:
796
+ runsec_version: v1.0
797
+ confidence: |-
798
+ 0.9
799
+ exploit_scenario: |-
800
+ User-controlled template source can execute server-side template payloads.
801
+ fix_template: |-
802
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
803
+ pattern-either:
804
+ - pattern: |-
805
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
806
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-045\\b'
807
+ message: |-
808
+ RunSec Detection [PHPX-045]: CWE-94
809
+ languages:
810
+ - generic
811
+ severity: WARNING
812
+ - id: runsec.php-security.phpx-046
813
+ metadata:
814
+ runsec_version: v1.0
815
+ confidence: |-
816
+ 0.9
817
+ exploit_scenario: |-
818
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
819
+ fix_template: |-
820
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
821
+ pattern-either:
822
+ - pattern: |-
823
+ $obj = unserialize($_POST['payload']);
824
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-046\\b'
825
+ message: |-
826
+ RunSec Detection [PHPX-046]: CWE-502
827
+ languages:
828
+ - generic
829
+ severity: WARNING
830
+ - id: runsec.php-security.phpx-047
831
+ metadata:
832
+ runsec_version: v1.0
833
+ confidence: |-
834
+ 0.9
835
+ exploit_scenario: |-
836
+ Over-posting maps attacker fields into protected entity properties.
837
+ fix_template: |-
838
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
839
+ pattern-either:
840
+ - pattern: |-
841
+ $form->submit($request->request->all());
842
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-047\\b'
843
+ message: |-
844
+ RunSec Detection [PHPX-047]: CWE-915
845
+ languages:
846
+ - generic
847
+ severity: WARNING
848
+ - id: runsec.php-security.phpx-048
849
+ metadata:
850
+ runsec_version: v1.0
851
+ confidence: |-
852
+ 0.9
853
+ exploit_scenario: |-
854
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
855
+ fix_template: |-
856
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
857
+ pattern-either:
858
+ - pattern: |-
859
+ $result = eval('return ' . $_GET['expr'] . ';');
860
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-048\\b'
861
+ message: |-
862
+ RunSec Detection [PHPX-048]: CWE-94
863
+ languages:
864
+ - generic
865
+ severity: WARNING
866
+ - id: runsec.php-security.phpx-049
867
+ metadata:
868
+ runsec_version: v1.0
869
+ confidence: |-
870
+ 0.9
871
+ exploit_scenario: |-
872
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
873
+ fix_template: |-
874
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
875
+ pattern-either:
876
+ - pattern: |-
877
+ User::whereRaw("email = '$email'")->first();
878
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-049\\b'
879
+ message: |-
880
+ RunSec Detection [PHPX-049]: CWE-89
881
+ languages:
882
+ - generic
883
+ severity: WARNING
884
+ - id: runsec.php-security.phpx-050
885
+ metadata:
886
+ runsec_version: v1.0
887
+ confidence: |-
888
+ 0.9
889
+ exploit_scenario: |-
890
+ Broad input binding enables privilege field overwrite in model attributes.
891
+ fix_template: |-
892
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
893
+ pattern-either:
894
+ - pattern: |-
895
+ User::create($request->all());
896
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-050\\b'
897
+ message: |-
898
+ RunSec Detection [PHPX-050]: CWE-915
899
+ languages:
900
+ - generic
901
+ severity: WARNING
902
+ - id: runsec.php-security.phpx-051
903
+ metadata:
904
+ runsec_version: v1.0
905
+ confidence: |-
906
+ 0.9
907
+ exploit_scenario: |-
908
+ User-controlled template source can execute server-side template payloads.
909
+ fix_template: |-
910
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
911
+ pattern-either:
912
+ - pattern: |-
913
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
914
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-051\\b'
915
+ message: |-
916
+ RunSec Detection [PHPX-051]: CWE-94
917
+ languages:
918
+ - generic
919
+ severity: WARNING
920
+ - id: runsec.php-security.phpx-052
921
+ metadata:
922
+ runsec_version: v1.0
923
+ confidence: |-
924
+ 0.9
925
+ exploit_scenario: |-
926
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
927
+ fix_template: |-
928
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
929
+ pattern-either:
930
+ - pattern: |-
931
+ $obj = unserialize($_POST['payload']);
932
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-052\\b'
933
+ message: |-
934
+ RunSec Detection [PHPX-052]: CWE-502
935
+ languages:
936
+ - generic
937
+ severity: WARNING
938
+ - id: runsec.php-security.phpx-053
939
+ metadata:
940
+ runsec_version: v1.0
941
+ confidence: |-
942
+ 0.9
943
+ exploit_scenario: |-
944
+ Over-posting maps attacker fields into protected entity properties.
945
+ fix_template: |-
946
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
947
+ pattern-either:
948
+ - pattern: |-
949
+ $form->submit($request->request->all());
950
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-053\\b'
951
+ message: |-
952
+ RunSec Detection [PHPX-053]: CWE-915
953
+ languages:
954
+ - generic
955
+ severity: WARNING
956
+ - id: runsec.php-security.phpx-054
957
+ metadata:
958
+ runsec_version: v1.0
959
+ confidence: |-
960
+ 0.9
961
+ exploit_scenario: |-
962
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
963
+ fix_template: |-
964
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
965
+ pattern-either:
966
+ - pattern: |-
967
+ $result = eval('return ' . $_GET['expr'] . ';');
968
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-054\\b'
969
+ message: |-
970
+ RunSec Detection [PHPX-054]: CWE-94
971
+ languages:
972
+ - generic
973
+ severity: WARNING
974
+ - id: runsec.php-security.phpx-055
975
+ metadata:
976
+ runsec_version: v1.0
977
+ confidence: |-
978
+ 0.9
979
+ exploit_scenario: |-
980
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
981
+ fix_template: |-
982
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
983
+ pattern-either:
984
+ - pattern: |-
985
+ User::whereRaw("email = '$email'")->first();
986
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-055\\b'
987
+ message: |-
988
+ RunSec Detection [PHPX-055]: CWE-89
989
+ languages:
990
+ - generic
991
+ severity: WARNING
992
+ - id: runsec.php-security.phpx-056
993
+ metadata:
994
+ runsec_version: v1.0
995
+ confidence: |-
996
+ 0.9
997
+ exploit_scenario: |-
998
+ Broad input binding enables privilege field overwrite in model attributes.
999
+ fix_template: |-
1000
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1001
+ pattern-either:
1002
+ - pattern: |-
1003
+ User::create($request->all());
1004
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-056\\b'
1005
+ message: |-
1006
+ RunSec Detection [PHPX-056]: CWE-915
1007
+ languages:
1008
+ - generic
1009
+ severity: WARNING
1010
+ - id: runsec.php-security.phpx-057
1011
+ metadata:
1012
+ runsec_version: v1.0
1013
+ confidence: |-
1014
+ 0.9
1015
+ exploit_scenario: |-
1016
+ User-controlled template source can execute server-side template payloads.
1017
+ fix_template: |-
1018
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1019
+ pattern-either:
1020
+ - pattern: |-
1021
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
1022
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-057\\b'
1023
+ message: |-
1024
+ RunSec Detection [PHPX-057]: CWE-94
1025
+ languages:
1026
+ - generic
1027
+ severity: WARNING
1028
+ - id: runsec.php-security.phpx-058
1029
+ metadata:
1030
+ runsec_version: v1.0
1031
+ confidence: |-
1032
+ 0.9
1033
+ exploit_scenario: |-
1034
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
1035
+ fix_template: |-
1036
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1037
+ pattern-either:
1038
+ - pattern: |-
1039
+ $obj = unserialize($_POST['payload']);
1040
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-058\\b'
1041
+ message: |-
1042
+ RunSec Detection [PHPX-058]: CWE-502
1043
+ languages:
1044
+ - generic
1045
+ severity: WARNING
1046
+ - id: runsec.php-security.phpx-059
1047
+ metadata:
1048
+ runsec_version: v1.0
1049
+ confidence: |-
1050
+ 0.9
1051
+ exploit_scenario: |-
1052
+ Over-posting maps attacker fields into protected entity properties.
1053
+ fix_template: |-
1054
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1055
+ pattern-either:
1056
+ - pattern: |-
1057
+ $form->submit($request->request->all());
1058
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-059\\b'
1059
+ message: |-
1060
+ RunSec Detection [PHPX-059]: CWE-915
1061
+ languages:
1062
+ - generic
1063
+ severity: WARNING
1064
+ - id: runsec.php-security.phpx-060
1065
+ metadata:
1066
+ runsec_version: v1.0
1067
+ confidence: |-
1068
+ 0.9
1069
+ exploit_scenario: |-
1070
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
1071
+ fix_template: |-
1072
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1073
+ pattern-either:
1074
+ - pattern: |-
1075
+ $result = eval('return ' . $_GET['expr'] . ';');
1076
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-060\\b'
1077
+ message: |-
1078
+ RunSec Detection [PHPX-060]: CWE-94
1079
+ languages:
1080
+ - generic
1081
+ severity: WARNING
1082
+ - id: runsec.php-security.phpx-061
1083
+ metadata:
1084
+ runsec_version: v1.0
1085
+ confidence: |-
1086
+ 0.9
1087
+ exploit_scenario: |-
1088
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
1089
+ fix_template: |-
1090
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1091
+ pattern-either:
1092
+ - pattern: |-
1093
+ User::whereRaw("email = '$email'")->first();
1094
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-061\\b'
1095
+ message: |-
1096
+ RunSec Detection [PHPX-061]: CWE-89
1097
+ languages:
1098
+ - generic
1099
+ severity: WARNING
1100
+ - id: runsec.php-security.phpx-062
1101
+ metadata:
1102
+ runsec_version: v1.0
1103
+ confidence: |-
1104
+ 0.9
1105
+ exploit_scenario: |-
1106
+ Broad input binding enables privilege field overwrite in model attributes.
1107
+ fix_template: |-
1108
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1109
+ pattern-either:
1110
+ - pattern: |-
1111
+ User::create($request->all());
1112
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-062\\b'
1113
+ message: |-
1114
+ RunSec Detection [PHPX-062]: CWE-915
1115
+ languages:
1116
+ - generic
1117
+ severity: WARNING
1118
+ - id: runsec.php-security.phpx-063
1119
+ metadata:
1120
+ runsec_version: v1.0
1121
+ confidence: |-
1122
+ 0.9
1123
+ exploit_scenario: |-
1124
+ User-controlled template source can execute server-side template payloads.
1125
+ fix_template: |-
1126
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1127
+ pattern-either:
1128
+ - pattern: |-
1129
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
1130
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-063\\b'
1131
+ message: |-
1132
+ RunSec Detection [PHPX-063]: CWE-94
1133
+ languages:
1134
+ - generic
1135
+ severity: WARNING
1136
+ - id: runsec.php-security.phpx-064
1137
+ metadata:
1138
+ runsec_version: v1.0
1139
+ confidence: |-
1140
+ 0.9
1141
+ exploit_scenario: |-
1142
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
1143
+ fix_template: |-
1144
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1145
+ pattern-either:
1146
+ - pattern: |-
1147
+ $obj = unserialize($_POST['payload']);
1148
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-064\\b'
1149
+ message: |-
1150
+ RunSec Detection [PHPX-064]: CWE-502
1151
+ languages:
1152
+ - generic
1153
+ severity: WARNING
1154
+ - id: runsec.php-security.phpx-065
1155
+ metadata:
1156
+ runsec_version: v1.0
1157
+ confidence: |-
1158
+ 0.9
1159
+ exploit_scenario: |-
1160
+ Over-posting maps attacker fields into protected entity properties.
1161
+ fix_template: |-
1162
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1163
+ pattern-either:
1164
+ - pattern: |-
1165
+ $form->submit($request->request->all());
1166
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-065\\b'
1167
+ message: |-
1168
+ RunSec Detection [PHPX-065]: CWE-915
1169
+ languages:
1170
+ - generic
1171
+ severity: WARNING
1172
+ - id: runsec.php-security.phpx-066
1173
+ metadata:
1174
+ runsec_version: v1.0
1175
+ confidence: |-
1176
+ 0.9
1177
+ exploit_scenario: |-
1178
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
1179
+ fix_template: |-
1180
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1181
+ pattern-either:
1182
+ - pattern: |-
1183
+ $result = eval('return ' . $_GET['expr'] . ';');
1184
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-066\\b'
1185
+ message: |-
1186
+ RunSec Detection [PHPX-066]: CWE-94
1187
+ languages:
1188
+ - generic
1189
+ severity: WARNING
1190
+ - id: runsec.php-security.phpx-067
1191
+ metadata:
1192
+ runsec_version: v1.0
1193
+ confidence: |-
1194
+ 0.9
1195
+ exploit_scenario: |-
1196
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
1197
+ fix_template: |-
1198
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1199
+ pattern-either:
1200
+ - pattern: |-
1201
+ User::whereRaw("email = '$email'")->first();
1202
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-067\\b'
1203
+ message: |-
1204
+ RunSec Detection [PHPX-067]: CWE-89
1205
+ languages:
1206
+ - generic
1207
+ severity: WARNING
1208
+ - id: runsec.php-security.phpx-068
1209
+ metadata:
1210
+ runsec_version: v1.0
1211
+ confidence: |-
1212
+ 0.9
1213
+ exploit_scenario: |-
1214
+ Broad input binding enables privilege field overwrite in model attributes.
1215
+ fix_template: |-
1216
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1217
+ pattern-either:
1218
+ - pattern: |-
1219
+ User::create($request->all());
1220
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-068\\b'
1221
+ message: |-
1222
+ RunSec Detection [PHPX-068]: CWE-915
1223
+ languages:
1224
+ - generic
1225
+ severity: WARNING
1226
+ - id: runsec.php-security.phpx-069
1227
+ metadata:
1228
+ runsec_version: v1.0
1229
+ confidence: |-
1230
+ 0.9
1231
+ exploit_scenario: |-
1232
+ User-controlled template source can execute server-side template payloads.
1233
+ fix_template: |-
1234
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1235
+ pattern-either:
1236
+ - pattern: |-
1237
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
1238
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-069\\b'
1239
+ message: |-
1240
+ RunSec Detection [PHPX-069]: CWE-94
1241
+ languages:
1242
+ - generic
1243
+ severity: WARNING
1244
+ - id: runsec.php-security.phpx-070
1245
+ metadata:
1246
+ runsec_version: v1.0
1247
+ confidence: |-
1248
+ 0.9
1249
+ exploit_scenario: |-
1250
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
1251
+ fix_template: |-
1252
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1253
+ pattern-either:
1254
+ - pattern: |-
1255
+ $obj = unserialize($_POST['payload']);
1256
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-070\\b'
1257
+ message: |-
1258
+ RunSec Detection [PHPX-070]: CWE-502
1259
+ languages:
1260
+ - generic
1261
+ severity: WARNING
1262
+ - id: runsec.php-security.phpx-071
1263
+ metadata:
1264
+ runsec_version: v1.0
1265
+ confidence: |-
1266
+ 0.9
1267
+ exploit_scenario: |-
1268
+ Over-posting maps attacker fields into protected entity properties.
1269
+ fix_template: |-
1270
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1271
+ pattern-either:
1272
+ - pattern: |-
1273
+ $form->submit($request->request->all());
1274
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-071\\b'
1275
+ message: |-
1276
+ RunSec Detection [PHPX-071]: CWE-915
1277
+ languages:
1278
+ - generic
1279
+ severity: WARNING
1280
+ - id: runsec.php-security.phpx-072
1281
+ metadata:
1282
+ runsec_version: v1.0
1283
+ confidence: |-
1284
+ 0.9
1285
+ exploit_scenario: |-
1286
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
1287
+ fix_template: |-
1288
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1289
+ pattern-either:
1290
+ - pattern: |-
1291
+ $result = eval('return ' . $_GET['expr'] . ';');
1292
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-072\\b'
1293
+ message: |-
1294
+ RunSec Detection [PHPX-072]: CWE-94
1295
+ languages:
1296
+ - generic
1297
+ severity: WARNING
1298
+ - id: runsec.php-security.phpx-073
1299
+ metadata:
1300
+ runsec_version: v1.0
1301
+ confidence: |-
1302
+ 0.9
1303
+ exploit_scenario: |-
1304
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
1305
+ fix_template: |-
1306
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1307
+ pattern-either:
1308
+ - pattern: |-
1309
+ User::whereRaw("email = '$email'")->first();
1310
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-073\\b'
1311
+ message: |-
1312
+ RunSec Detection [PHPX-073]: CWE-89
1313
+ languages:
1314
+ - generic
1315
+ severity: WARNING
1316
+ - id: runsec.php-security.phpx-074
1317
+ metadata:
1318
+ runsec_version: v1.0
1319
+ confidence: |-
1320
+ 0.9
1321
+ exploit_scenario: |-
1322
+ Broad input binding enables privilege field overwrite in model attributes.
1323
+ fix_template: |-
1324
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1325
+ pattern-either:
1326
+ - pattern: |-
1327
+ User::create($request->all());
1328
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-074\\b'
1329
+ message: |-
1330
+ RunSec Detection [PHPX-074]: CWE-915
1331
+ languages:
1332
+ - generic
1333
+ severity: WARNING
1334
+ - id: runsec.php-security.phpx-075
1335
+ metadata:
1336
+ runsec_version: v1.0
1337
+ confidence: |-
1338
+ 0.9
1339
+ exploit_scenario: |-
1340
+ User-controlled template source can execute server-side template payloads.
1341
+ fix_template: |-
1342
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1343
+ pattern-either:
1344
+ - pattern: |-
1345
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
1346
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-075\\b'
1347
+ message: |-
1348
+ RunSec Detection [PHPX-075]: CWE-94
1349
+ languages:
1350
+ - generic
1351
+ severity: WARNING
1352
+ - id: runsec.php-security.phpx-076
1353
+ metadata:
1354
+ runsec_version: v1.0
1355
+ confidence: |-
1356
+ 0.9
1357
+ exploit_scenario: |-
1358
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
1359
+ fix_template: |-
1360
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1361
+ pattern-either:
1362
+ - pattern: |-
1363
+ $obj = unserialize($_POST['payload']);
1364
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-076\\b'
1365
+ message: |-
1366
+ RunSec Detection [PHPX-076]: CWE-502
1367
+ languages:
1368
+ - generic
1369
+ severity: WARNING
1370
+ - id: runsec.php-security.phpx-077
1371
+ metadata:
1372
+ runsec_version: v1.0
1373
+ confidence: |-
1374
+ 0.9
1375
+ exploit_scenario: |-
1376
+ Over-posting maps attacker fields into protected entity properties.
1377
+ fix_template: |-
1378
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1379
+ pattern-either:
1380
+ - pattern: |-
1381
+ $form->submit($request->request->all());
1382
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-077\\b'
1383
+ message: |-
1384
+ RunSec Detection [PHPX-077]: CWE-915
1385
+ languages:
1386
+ - generic
1387
+ severity: WARNING
1388
+ - id: runsec.php-security.phpx-078
1389
+ metadata:
1390
+ runsec_version: v1.0
1391
+ confidence: |-
1392
+ 0.9
1393
+ exploit_scenario: |-
1394
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
1395
+ fix_template: |-
1396
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1397
+ pattern-either:
1398
+ - pattern: |-
1399
+ $result = eval('return ' . $_GET['expr'] . ';');
1400
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-078\\b'
1401
+ message: |-
1402
+ RunSec Detection [PHPX-078]: CWE-94
1403
+ languages:
1404
+ - generic
1405
+ severity: WARNING
1406
+ - id: runsec.php-security.phpx-079
1407
+ metadata:
1408
+ runsec_version: v1.0
1409
+ confidence: |-
1410
+ 0.9
1411
+ exploit_scenario: |-
1412
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
1413
+ fix_template: |-
1414
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1415
+ pattern-either:
1416
+ - pattern: |-
1417
+ User::whereRaw("email = '$email'")->first();
1418
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-079\\b'
1419
+ message: |-
1420
+ RunSec Detection [PHPX-079]: CWE-89
1421
+ languages:
1422
+ - generic
1423
+ severity: WARNING
1424
+ - id: runsec.php-security.phpx-080
1425
+ metadata:
1426
+ runsec_version: v1.0
1427
+ confidence: |-
1428
+ 0.9
1429
+ exploit_scenario: |-
1430
+ Broad input binding enables privilege field overwrite in model attributes.
1431
+ fix_template: |-
1432
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1433
+ pattern-either:
1434
+ - pattern: |-
1435
+ User::create($request->all());
1436
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-080\\b'
1437
+ message: |-
1438
+ RunSec Detection [PHPX-080]: CWE-915
1439
+ languages:
1440
+ - generic
1441
+ severity: WARNING
1442
+ - id: runsec.php-security.phpx-081
1443
+ metadata:
1444
+ runsec_version: v1.0
1445
+ confidence: |-
1446
+ 0.9
1447
+ exploit_scenario: |-
1448
+ User-controlled template source can execute server-side template payloads.
1449
+ fix_template: |-
1450
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1451
+ pattern-either:
1452
+ - pattern: |-
1453
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
1454
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-081\\b'
1455
+ message: |-
1456
+ RunSec Detection [PHPX-081]: CWE-94
1457
+ languages:
1458
+ - generic
1459
+ severity: WARNING
1460
+ - id: runsec.php-security.phpx-082
1461
+ metadata:
1462
+ runsec_version: v1.0
1463
+ confidence: |-
1464
+ 0.9
1465
+ exploit_scenario: |-
1466
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
1467
+ fix_template: |-
1468
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1469
+ pattern-either:
1470
+ - pattern: |-
1471
+ $obj = unserialize($_POST['payload']);
1472
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-082\\b'
1473
+ message: |-
1474
+ RunSec Detection [PHPX-082]: CWE-502
1475
+ languages:
1476
+ - generic
1477
+ severity: WARNING
1478
+ - id: runsec.php-security.phpx-083
1479
+ metadata:
1480
+ runsec_version: v1.0
1481
+ confidence: |-
1482
+ 0.9
1483
+ exploit_scenario: |-
1484
+ Over-posting maps attacker fields into protected entity properties.
1485
+ fix_template: |-
1486
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1487
+ pattern-either:
1488
+ - pattern: |-
1489
+ $form->submit($request->request->all());
1490
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-083\\b'
1491
+ message: |-
1492
+ RunSec Detection [PHPX-083]: CWE-915
1493
+ languages:
1494
+ - generic
1495
+ severity: WARNING
1496
+ - id: runsec.php-security.phpx-084
1497
+ metadata:
1498
+ runsec_version: v1.0
1499
+ confidence: |-
1500
+ 0.9
1501
+ exploit_scenario: |-
1502
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
1503
+ fix_template: |-
1504
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1505
+ pattern-either:
1506
+ - pattern: |-
1507
+ $result = eval('return ' . $_GET['expr'] . ';');
1508
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-084\\b'
1509
+ message: |-
1510
+ RunSec Detection [PHPX-084]: CWE-94
1511
+ languages:
1512
+ - generic
1513
+ severity: WARNING
1514
+ - id: runsec.php-security.phpx-085
1515
+ metadata:
1516
+ runsec_version: v1.0
1517
+ confidence: |-
1518
+ 0.9
1519
+ exploit_scenario: |-
1520
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
1521
+ fix_template: |-
1522
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1523
+ pattern-either:
1524
+ - pattern: |-
1525
+ User::whereRaw("email = '$email'")->first();
1526
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-085\\b'
1527
+ message: |-
1528
+ RunSec Detection [PHPX-085]: CWE-89
1529
+ languages:
1530
+ - generic
1531
+ severity: WARNING
1532
+ - id: runsec.php-security.phpx-086
1533
+ metadata:
1534
+ runsec_version: v1.0
1535
+ confidence: |-
1536
+ 0.9
1537
+ exploit_scenario: |-
1538
+ Broad input binding enables privilege field overwrite in model attributes.
1539
+ fix_template: |-
1540
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1541
+ pattern-either:
1542
+ - pattern: |-
1543
+ User::create($request->all());
1544
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-086\\b'
1545
+ message: |-
1546
+ RunSec Detection [PHPX-086]: CWE-915
1547
+ languages:
1548
+ - generic
1549
+ severity: WARNING
1550
+ - id: runsec.php-security.phpx-087
1551
+ metadata:
1552
+ runsec_version: v1.0
1553
+ confidence: |-
1554
+ 0.9
1555
+ exploit_scenario: |-
1556
+ User-controlled template source can execute server-side template payloads.
1557
+ fix_template: |-
1558
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1559
+ pattern-either:
1560
+ - pattern: |-
1561
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
1562
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-087\\b'
1563
+ message: |-
1564
+ RunSec Detection [PHPX-087]: CWE-94
1565
+ languages:
1566
+ - generic
1567
+ severity: WARNING
1568
+ - id: runsec.php-security.phpx-088
1569
+ metadata:
1570
+ runsec_version: v1.0
1571
+ confidence: |-
1572
+ 0.9
1573
+ exploit_scenario: |-
1574
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
1575
+ fix_template: |-
1576
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1577
+ pattern-either:
1578
+ - pattern: |-
1579
+ $obj = unserialize($_POST['payload']);
1580
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-088\\b'
1581
+ message: |-
1582
+ RunSec Detection [PHPX-088]: CWE-502
1583
+ languages:
1584
+ - generic
1585
+ severity: WARNING
1586
+ - id: runsec.php-security.phpx-089
1587
+ metadata:
1588
+ runsec_version: v1.0
1589
+ confidence: |-
1590
+ 0.9
1591
+ exploit_scenario: |-
1592
+ Over-posting maps attacker fields into protected entity properties.
1593
+ fix_template: |-
1594
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1595
+ pattern-either:
1596
+ - pattern: |-
1597
+ $form->submit($request->request->all());
1598
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-089\\b'
1599
+ message: |-
1600
+ RunSec Detection [PHPX-089]: CWE-915
1601
+ languages:
1602
+ - generic
1603
+ severity: WARNING
1604
+ - id: runsec.php-security.phpx-090
1605
+ metadata:
1606
+ runsec_version: v1.0
1607
+ confidence: |-
1608
+ 0.9
1609
+ exploit_scenario: |-
1610
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
1611
+ fix_template: |-
1612
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1613
+ pattern-either:
1614
+ - pattern: |-
1615
+ $result = eval('return ' . $_GET['expr'] . ';');
1616
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-090\\b'
1617
+ message: |-
1618
+ RunSec Detection [PHPX-090]: CWE-94
1619
+ languages:
1620
+ - generic
1621
+ severity: WARNING
1622
+ - id: runsec.php-security.phpx-091
1623
+ metadata:
1624
+ runsec_version: v1.0
1625
+ confidence: |-
1626
+ 0.9
1627
+ exploit_scenario: |-
1628
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
1629
+ fix_template: |-
1630
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1631
+ pattern-either:
1632
+ - pattern: |-
1633
+ User::whereRaw("email = '$email'")->first();
1634
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-091\\b'
1635
+ message: |-
1636
+ RunSec Detection [PHPX-091]: CWE-89
1637
+ languages:
1638
+ - generic
1639
+ severity: WARNING
1640
+ - id: runsec.php-security.phpx-092
1641
+ metadata:
1642
+ runsec_version: v1.0
1643
+ confidence: |-
1644
+ 0.9
1645
+ exploit_scenario: |-
1646
+ Broad input binding enables privilege field overwrite in model attributes.
1647
+ fix_template: |-
1648
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1649
+ pattern-either:
1650
+ - pattern: |-
1651
+ User::create($request->all());
1652
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-092\\b'
1653
+ message: |-
1654
+ RunSec Detection [PHPX-092]: CWE-915
1655
+ languages:
1656
+ - generic
1657
+ severity: WARNING
1658
+ - id: runsec.php-security.phpx-093
1659
+ metadata:
1660
+ runsec_version: v1.0
1661
+ confidence: |-
1662
+ 0.9
1663
+ exploit_scenario: |-
1664
+ User-controlled template source can execute server-side template payloads.
1665
+ fix_template: |-
1666
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1667
+ pattern-either:
1668
+ - pattern: |-
1669
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
1670
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-093\\b'
1671
+ message: |-
1672
+ RunSec Detection [PHPX-093]: CWE-94
1673
+ languages:
1674
+ - generic
1675
+ severity: WARNING
1676
+ - id: runsec.php-security.phpx-094
1677
+ metadata:
1678
+ runsec_version: v1.0
1679
+ confidence: |-
1680
+ 0.9
1681
+ exploit_scenario: |-
1682
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
1683
+ fix_template: |-
1684
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1685
+ pattern-either:
1686
+ - pattern: |-
1687
+ $obj = unserialize($_POST['payload']);
1688
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-094\\b'
1689
+ message: |-
1690
+ RunSec Detection [PHPX-094]: CWE-502
1691
+ languages:
1692
+ - generic
1693
+ severity: WARNING
1694
+ - id: runsec.php-security.phpx-095
1695
+ metadata:
1696
+ runsec_version: v1.0
1697
+ confidence: |-
1698
+ 0.9
1699
+ exploit_scenario: |-
1700
+ Over-posting maps attacker fields into protected entity properties.
1701
+ fix_template: |-
1702
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1703
+ pattern-either:
1704
+ - pattern: |-
1705
+ $form->submit($request->request->all());
1706
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-095\\b'
1707
+ message: |-
1708
+ RunSec Detection [PHPX-095]: CWE-915
1709
+ languages:
1710
+ - generic
1711
+ severity: WARNING
1712
+ - id: runsec.php-security.phpx-096
1713
+ metadata:
1714
+ runsec_version: v1.0
1715
+ confidence: |-
1716
+ 0.9
1717
+ exploit_scenario: |-
1718
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
1719
+ fix_template: |-
1720
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1721
+ pattern-either:
1722
+ - pattern: |-
1723
+ $result = eval('return ' . $_GET['expr'] . ';');
1724
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-096\\b'
1725
+ message: |-
1726
+ RunSec Detection [PHPX-096]: CWE-94
1727
+ languages:
1728
+ - generic
1729
+ severity: WARNING
1730
+ - id: runsec.php-security.phpx-097
1731
+ metadata:
1732
+ runsec_version: v1.0
1733
+ confidence: |-
1734
+ 0.9
1735
+ exploit_scenario: |-
1736
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
1737
+ fix_template: |-
1738
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1739
+ pattern-either:
1740
+ - pattern: |-
1741
+ User::whereRaw("email = '$email'")->first();
1742
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-097\\b'
1743
+ message: |-
1744
+ RunSec Detection [PHPX-097]: CWE-89
1745
+ languages:
1746
+ - generic
1747
+ severity: WARNING
1748
+ - id: runsec.php-security.phpx-098
1749
+ metadata:
1750
+ runsec_version: v1.0
1751
+ confidence: |-
1752
+ 0.9
1753
+ exploit_scenario: |-
1754
+ Broad input binding enables privilege field overwrite in model attributes.
1755
+ fix_template: |-
1756
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1757
+ pattern-either:
1758
+ - pattern: |-
1759
+ User::create($request->all());
1760
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-098\\b'
1761
+ message: |-
1762
+ RunSec Detection [PHPX-098]: CWE-915
1763
+ languages:
1764
+ - generic
1765
+ severity: WARNING
1766
+ - id: runsec.php-security.phpx-099
1767
+ metadata:
1768
+ runsec_version: v1.0
1769
+ confidence: |-
1770
+ 0.9
1771
+ exploit_scenario: |-
1772
+ User-controlled template source can execute server-side template payloads.
1773
+ fix_template: |-
1774
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1775
+ pattern-either:
1776
+ - pattern: |-
1777
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
1778
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-099\\b'
1779
+ message: |-
1780
+ RunSec Detection [PHPX-099]: CWE-94
1781
+ languages:
1782
+ - generic
1783
+ severity: WARNING
1784
+ - id: runsec.php-security.phpx-100
1785
+ metadata:
1786
+ runsec_version: v1.0
1787
+ confidence: |-
1788
+ 0.9
1789
+ exploit_scenario: |-
1790
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
1791
+ fix_template: |-
1792
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1793
+ pattern-either:
1794
+ - pattern: |-
1795
+ $obj = unserialize($_POST['payload']);
1796
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-100\\b'
1797
+ message: |-
1798
+ RunSec Detection [PHPX-100]: CWE-502
1799
+ languages:
1800
+ - generic
1801
+ severity: WARNING
1802
+ - id: runsec.php-security.phpx-101
1803
+ metadata:
1804
+ runsec_version: v1.0
1805
+ confidence: |-
1806
+ 0.9
1807
+ exploit_scenario: |-
1808
+ Over-posting maps attacker fields into protected entity properties.
1809
+ fix_template: |-
1810
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1811
+ pattern-either:
1812
+ - pattern: |-
1813
+ $form->submit($request->request->all());
1814
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-101\\b'
1815
+ message: |-
1816
+ RunSec Detection [PHPX-101]: CWE-915
1817
+ languages:
1818
+ - generic
1819
+ severity: WARNING
1820
+ - id: runsec.php-security.phpx-102
1821
+ metadata:
1822
+ runsec_version: v1.0
1823
+ confidence: |-
1824
+ 0.9
1825
+ exploit_scenario: |-
1826
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
1827
+ fix_template: |-
1828
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1829
+ pattern-either:
1830
+ - pattern: |-
1831
+ $result = eval('return ' . $_GET['expr'] . ';');
1832
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-102\\b'
1833
+ message: |-
1834
+ RunSec Detection [PHPX-102]: CWE-94
1835
+ languages:
1836
+ - generic
1837
+ severity: WARNING
1838
+ - id: runsec.php-security.phpx-103
1839
+ metadata:
1840
+ runsec_version: v1.0
1841
+ confidence: |-
1842
+ 0.9
1843
+ exploit_scenario: |-
1844
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
1845
+ fix_template: |-
1846
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1847
+ pattern-either:
1848
+ - pattern: |-
1849
+ User::whereRaw("email = '$email'")->first();
1850
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-103\\b'
1851
+ message: |-
1852
+ RunSec Detection [PHPX-103]: CWE-89
1853
+ languages:
1854
+ - generic
1855
+ severity: WARNING
1856
+ - id: runsec.php-security.phpx-104
1857
+ metadata:
1858
+ runsec_version: v1.0
1859
+ confidence: |-
1860
+ 0.9
1861
+ exploit_scenario: |-
1862
+ Broad input binding enables privilege field overwrite in model attributes.
1863
+ fix_template: |-
1864
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1865
+ pattern-either:
1866
+ - pattern: |-
1867
+ User::create($request->all());
1868
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-104\\b'
1869
+ message: |-
1870
+ RunSec Detection [PHPX-104]: CWE-915
1871
+ languages:
1872
+ - generic
1873
+ severity: WARNING
1874
+ - id: runsec.php-security.phpx-105
1875
+ metadata:
1876
+ runsec_version: v1.0
1877
+ confidence: |-
1878
+ 0.9
1879
+ exploit_scenario: |-
1880
+ User-controlled template source can execute server-side template payloads.
1881
+ fix_template: |-
1882
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1883
+ pattern-either:
1884
+ - pattern: |-
1885
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
1886
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-105\\b'
1887
+ message: |-
1888
+ RunSec Detection [PHPX-105]: CWE-94
1889
+ languages:
1890
+ - generic
1891
+ severity: WARNING
1892
+ - id: runsec.php-security.phpx-106
1893
+ metadata:
1894
+ runsec_version: v1.0
1895
+ confidence: |-
1896
+ 0.9
1897
+ exploit_scenario: |-
1898
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
1899
+ fix_template: |-
1900
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1901
+ pattern-either:
1902
+ - pattern: |-
1903
+ $obj = unserialize($_POST['payload']);
1904
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-106\\b'
1905
+ message: |-
1906
+ RunSec Detection [PHPX-106]: CWE-502
1907
+ languages:
1908
+ - generic
1909
+ severity: WARNING
1910
+ - id: runsec.php-security.phpx-107
1911
+ metadata:
1912
+ runsec_version: v1.0
1913
+ confidence: |-
1914
+ 0.9
1915
+ exploit_scenario: |-
1916
+ Over-posting maps attacker fields into protected entity properties.
1917
+ fix_template: |-
1918
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1919
+ pattern-either:
1920
+ - pattern: |-
1921
+ $form->submit($request->request->all());
1922
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-107\\b'
1923
+ message: |-
1924
+ RunSec Detection [PHPX-107]: CWE-915
1925
+ languages:
1926
+ - generic
1927
+ severity: WARNING
1928
+ - id: runsec.php-security.phpx-108
1929
+ metadata:
1930
+ runsec_version: v1.0
1931
+ confidence: |-
1932
+ 0.9
1933
+ exploit_scenario: |-
1934
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
1935
+ fix_template: |-
1936
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1937
+ pattern-either:
1938
+ - pattern: |-
1939
+ $result = eval('return ' . $_GET['expr'] . ';');
1940
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-108\\b'
1941
+ message: |-
1942
+ RunSec Detection [PHPX-108]: CWE-94
1943
+ languages:
1944
+ - generic
1945
+ severity: WARNING
1946
+ - id: runsec.php-security.phpx-109
1947
+ metadata:
1948
+ runsec_version: v1.0
1949
+ confidence: |-
1950
+ 0.9
1951
+ exploit_scenario: |-
1952
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
1953
+ fix_template: |-
1954
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1955
+ pattern-either:
1956
+ - pattern: |-
1957
+ User::whereRaw("email = '$email'")->first();
1958
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-109\\b'
1959
+ message: |-
1960
+ RunSec Detection [PHPX-109]: CWE-89
1961
+ languages:
1962
+ - generic
1963
+ severity: WARNING
1964
+ - id: runsec.php-security.phpx-110
1965
+ metadata:
1966
+ runsec_version: v1.0
1967
+ confidence: |-
1968
+ 0.9
1969
+ exploit_scenario: |-
1970
+ Broad input binding enables privilege field overwrite in model attributes.
1971
+ fix_template: |-
1972
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1973
+ pattern-either:
1974
+ - pattern: |-
1975
+ User::create($request->all());
1976
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-110\\b'
1977
+ message: |-
1978
+ RunSec Detection [PHPX-110]: CWE-915
1979
+ languages:
1980
+ - generic
1981
+ severity: WARNING
1982
+ - id: runsec.php-security.phpx-111
1983
+ metadata:
1984
+ runsec_version: v1.0
1985
+ confidence: |-
1986
+ 0.9
1987
+ exploit_scenario: |-
1988
+ User-controlled template source can execute server-side template payloads.
1989
+ fix_template: |-
1990
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
1991
+ pattern-either:
1992
+ - pattern: |-
1993
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
1994
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-111\\b'
1995
+ message: |-
1996
+ RunSec Detection [PHPX-111]: CWE-94
1997
+ languages:
1998
+ - generic
1999
+ severity: WARNING
2000
+ - id: runsec.php-security.phpx-112
2001
+ metadata:
2002
+ runsec_version: v1.0
2003
+ confidence: |-
2004
+ 0.9
2005
+ exploit_scenario: |-
2006
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
2007
+ fix_template: |-
2008
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2009
+ pattern-either:
2010
+ - pattern: |-
2011
+ $obj = unserialize($_POST['payload']);
2012
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-112\\b'
2013
+ message: |-
2014
+ RunSec Detection [PHPX-112]: CWE-502
2015
+ languages:
2016
+ - generic
2017
+ severity: WARNING
2018
+ - id: runsec.php-security.phpx-113
2019
+ metadata:
2020
+ runsec_version: v1.0
2021
+ confidence: |-
2022
+ 0.9
2023
+ exploit_scenario: |-
2024
+ Over-posting maps attacker fields into protected entity properties.
2025
+ fix_template: |-
2026
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2027
+ pattern-either:
2028
+ - pattern: |-
2029
+ $form->submit($request->request->all());
2030
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-113\\b'
2031
+ message: |-
2032
+ RunSec Detection [PHPX-113]: CWE-915
2033
+ languages:
2034
+ - generic
2035
+ severity: WARNING
2036
+ - id: runsec.php-security.phpx-114
2037
+ metadata:
2038
+ runsec_version: v1.0
2039
+ confidence: |-
2040
+ 0.9
2041
+ exploit_scenario: |-
2042
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
2043
+ fix_template: |-
2044
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2045
+ pattern-either:
2046
+ - pattern: |-
2047
+ $result = eval('return ' . $_GET['expr'] . ';');
2048
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-114\\b'
2049
+ message: |-
2050
+ RunSec Detection [PHPX-114]: CWE-94
2051
+ languages:
2052
+ - generic
2053
+ severity: WARNING
2054
+ - id: runsec.php-security.phpx-115
2055
+ metadata:
2056
+ runsec_version: v1.0
2057
+ confidence: |-
2058
+ 0.9
2059
+ exploit_scenario: |-
2060
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
2061
+ fix_template: |-
2062
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2063
+ pattern-either:
2064
+ - pattern: |-
2065
+ User::whereRaw("email = '$email'")->first();
2066
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-115\\b'
2067
+ message: |-
2068
+ RunSec Detection [PHPX-115]: CWE-89
2069
+ languages:
2070
+ - generic
2071
+ severity: WARNING
2072
+ - id: runsec.php-security.phpx-116
2073
+ metadata:
2074
+ runsec_version: v1.0
2075
+ confidence: |-
2076
+ 0.9
2077
+ exploit_scenario: |-
2078
+ Broad input binding enables privilege field overwrite in model attributes.
2079
+ fix_template: |-
2080
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2081
+ pattern-either:
2082
+ - pattern: |-
2083
+ User::create($request->all());
2084
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-116\\b'
2085
+ message: |-
2086
+ RunSec Detection [PHPX-116]: CWE-915
2087
+ languages:
2088
+ - generic
2089
+ severity: WARNING
2090
+ - id: runsec.php-security.phpx-117
2091
+ metadata:
2092
+ runsec_version: v1.0
2093
+ confidence: |-
2094
+ 0.9
2095
+ exploit_scenario: |-
2096
+ User-controlled template source can execute server-side template payloads.
2097
+ fix_template: |-
2098
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2099
+ pattern-either:
2100
+ - pattern: |-
2101
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
2102
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-117\\b'
2103
+ message: |-
2104
+ RunSec Detection [PHPX-117]: CWE-94
2105
+ languages:
2106
+ - generic
2107
+ severity: WARNING
2108
+ - id: runsec.php-security.phpx-118
2109
+ metadata:
2110
+ runsec_version: v1.0
2111
+ confidence: |-
2112
+ 0.9
2113
+ exploit_scenario: |-
2114
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
2115
+ fix_template: |-
2116
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2117
+ pattern-either:
2118
+ - pattern: |-
2119
+ $obj = unserialize($_POST['payload']);
2120
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-118\\b'
2121
+ message: |-
2122
+ RunSec Detection [PHPX-118]: CWE-502
2123
+ languages:
2124
+ - generic
2125
+ severity: WARNING
2126
+ - id: runsec.php-security.phpx-119
2127
+ metadata:
2128
+ runsec_version: v1.0
2129
+ confidence: |-
2130
+ 0.9
2131
+ exploit_scenario: |-
2132
+ Over-posting maps attacker fields into protected entity properties.
2133
+ fix_template: |-
2134
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2135
+ pattern-either:
2136
+ - pattern: |-
2137
+ $form->submit($request->request->all());
2138
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-119\\b'
2139
+ message: |-
2140
+ RunSec Detection [PHPX-119]: CWE-915
2141
+ languages:
2142
+ - generic
2143
+ severity: WARNING
2144
+ - id: runsec.php-security.phpx-120
2145
+ metadata:
2146
+ runsec_version: v1.0
2147
+ confidence: |-
2148
+ 0.9
2149
+ exploit_scenario: |-
2150
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
2151
+ fix_template: |-
2152
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2153
+ pattern-either:
2154
+ - pattern: |-
2155
+ $result = eval('return ' . $_GET['expr'] . ';');
2156
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-120\\b'
2157
+ message: |-
2158
+ RunSec Detection [PHPX-120]: CWE-94
2159
+ languages:
2160
+ - generic
2161
+ severity: WARNING
2162
+ - id: runsec.php-security.phpx-121
2163
+ metadata:
2164
+ runsec_version: v1.0
2165
+ confidence: |-
2166
+ 0.9
2167
+ exploit_scenario: |-
2168
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
2169
+ fix_template: |-
2170
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2171
+ pattern-either:
2172
+ - pattern: |-
2173
+ User::whereRaw("email = '$email'")->first();
2174
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-121\\b'
2175
+ message: |-
2176
+ RunSec Detection [PHPX-121]: CWE-89
2177
+ languages:
2178
+ - generic
2179
+ severity: WARNING
2180
+ - id: runsec.php-security.phpx-122
2181
+ metadata:
2182
+ runsec_version: v1.0
2183
+ confidence: |-
2184
+ 0.9
2185
+ exploit_scenario: |-
2186
+ Broad input binding enables privilege field overwrite in model attributes.
2187
+ fix_template: |-
2188
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2189
+ pattern-either:
2190
+ - pattern: |-
2191
+ User::create($request->all());
2192
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-122\\b'
2193
+ message: |-
2194
+ RunSec Detection [PHPX-122]: CWE-915
2195
+ languages:
2196
+ - generic
2197
+ severity: WARNING
2198
+ - id: runsec.php-security.phpx-123
2199
+ metadata:
2200
+ runsec_version: v1.0
2201
+ confidence: |-
2202
+ 0.9
2203
+ exploit_scenario: |-
2204
+ User-controlled template source can execute server-side template payloads.
2205
+ fix_template: |-
2206
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2207
+ pattern-either:
2208
+ - pattern: |-
2209
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
2210
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-123\\b'
2211
+ message: |-
2212
+ RunSec Detection [PHPX-123]: CWE-94
2213
+ languages:
2214
+ - generic
2215
+ severity: WARNING
2216
+ - id: runsec.php-security.phpx-124
2217
+ metadata:
2218
+ runsec_version: v1.0
2219
+ confidence: |-
2220
+ 0.9
2221
+ exploit_scenario: |-
2222
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
2223
+ fix_template: |-
2224
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2225
+ pattern-either:
2226
+ - pattern: |-
2227
+ $obj = unserialize($_POST['payload']);
2228
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-124\\b'
2229
+ message: |-
2230
+ RunSec Detection [PHPX-124]: CWE-502
2231
+ languages:
2232
+ - generic
2233
+ severity: WARNING
2234
+ - id: runsec.php-security.phpx-125
2235
+ metadata:
2236
+ runsec_version: v1.0
2237
+ confidence: |-
2238
+ 0.9
2239
+ exploit_scenario: |-
2240
+ Over-posting maps attacker fields into protected entity properties.
2241
+ fix_template: |-
2242
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2243
+ pattern-either:
2244
+ - pattern: |-
2245
+ $form->submit($request->request->all());
2246
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-125\\b'
2247
+ message: |-
2248
+ RunSec Detection [PHPX-125]: CWE-915
2249
+ languages:
2250
+ - generic
2251
+ severity: WARNING
2252
+ - id: runsec.php-security.phpx-126
2253
+ metadata:
2254
+ runsec_version: v1.0
2255
+ confidence: |-
2256
+ 0.9
2257
+ exploit_scenario: |-
2258
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
2259
+ fix_template: |-
2260
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2261
+ pattern-either:
2262
+ - pattern: |-
2263
+ $result = eval('return ' . $_GET['expr'] . ';');
2264
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-126\\b'
2265
+ message: |-
2266
+ RunSec Detection [PHPX-126]: CWE-94
2267
+ languages:
2268
+ - generic
2269
+ severity: WARNING
2270
+ - id: runsec.php-security.phpx-127
2271
+ metadata:
2272
+ runsec_version: v1.0
2273
+ confidence: |-
2274
+ 0.9
2275
+ exploit_scenario: |-
2276
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
2277
+ fix_template: |-
2278
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2279
+ pattern-either:
2280
+ - pattern: |-
2281
+ User::whereRaw("email = '$email'")->first();
2282
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-127\\b'
2283
+ message: |-
2284
+ RunSec Detection [PHPX-127]: CWE-89
2285
+ languages:
2286
+ - generic
2287
+ severity: WARNING
2288
+ - id: runsec.php-security.phpx-128
2289
+ metadata:
2290
+ runsec_version: v1.0
2291
+ confidence: |-
2292
+ 0.9
2293
+ exploit_scenario: |-
2294
+ Broad input binding enables privilege field overwrite in model attributes.
2295
+ fix_template: |-
2296
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2297
+ pattern-either:
2298
+ - pattern: |-
2299
+ User::create($request->all());
2300
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-128\\b'
2301
+ message: |-
2302
+ RunSec Detection [PHPX-128]: CWE-915
2303
+ languages:
2304
+ - generic
2305
+ severity: WARNING
2306
+ - id: runsec.php-security.phpx-129
2307
+ metadata:
2308
+ runsec_version: v1.0
2309
+ confidence: |-
2310
+ 0.9
2311
+ exploit_scenario: |-
2312
+ User-controlled template source can execute server-side template payloads.
2313
+ fix_template: |-
2314
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2315
+ pattern-either:
2316
+ - pattern: |-
2317
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
2318
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-129\\b'
2319
+ message: |-
2320
+ RunSec Detection [PHPX-129]: CWE-94
2321
+ languages:
2322
+ - generic
2323
+ severity: WARNING
2324
+ - id: runsec.php-security.phpx-130
2325
+ metadata:
2326
+ runsec_version: v1.0
2327
+ confidence: |-
2328
+ 0.9
2329
+ exploit_scenario: |-
2330
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
2331
+ fix_template: |-
2332
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2333
+ pattern-either:
2334
+ - pattern: |-
2335
+ $obj = unserialize($_POST['payload']);
2336
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-130\\b'
2337
+ message: |-
2338
+ RunSec Detection [PHPX-130]: CWE-502
2339
+ languages:
2340
+ - generic
2341
+ severity: WARNING
2342
+ - id: runsec.php-security.phpx-131
2343
+ metadata:
2344
+ runsec_version: v1.0
2345
+ confidence: |-
2346
+ 0.9
2347
+ exploit_scenario: |-
2348
+ Over-posting maps attacker fields into protected entity properties.
2349
+ fix_template: |-
2350
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2351
+ pattern-either:
2352
+ - pattern: |-
2353
+ $form->submit($request->request->all());
2354
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-131\\b'
2355
+ message: |-
2356
+ RunSec Detection [PHPX-131]: CWE-915
2357
+ languages:
2358
+ - generic
2359
+ severity: WARNING
2360
+ - id: runsec.php-security.phpx-132
2361
+ metadata:
2362
+ runsec_version: v1.0
2363
+ confidence: |-
2364
+ 0.9
2365
+ exploit_scenario: |-
2366
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
2367
+ fix_template: |-
2368
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2369
+ pattern-either:
2370
+ - pattern: |-
2371
+ $result = eval('return ' . $_GET['expr'] . ';');
2372
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-132\\b'
2373
+ message: |-
2374
+ RunSec Detection [PHPX-132]: CWE-94
2375
+ languages:
2376
+ - generic
2377
+ severity: WARNING
2378
+ - id: runsec.php-security.phpx-133
2379
+ metadata:
2380
+ runsec_version: v1.0
2381
+ confidence: |-
2382
+ 0.9
2383
+ exploit_scenario: |-
2384
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
2385
+ fix_template: |-
2386
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2387
+ pattern-either:
2388
+ - pattern: |-
2389
+ User::whereRaw("email = '$email'")->first();
2390
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-133\\b'
2391
+ message: |-
2392
+ RunSec Detection [PHPX-133]: CWE-89
2393
+ languages:
2394
+ - generic
2395
+ severity: WARNING
2396
+ - id: runsec.php-security.phpx-134
2397
+ metadata:
2398
+ runsec_version: v1.0
2399
+ confidence: |-
2400
+ 0.9
2401
+ exploit_scenario: |-
2402
+ Broad input binding enables privilege field overwrite in model attributes.
2403
+ fix_template: |-
2404
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2405
+ pattern-either:
2406
+ - pattern: |-
2407
+ User::create($request->all());
2408
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-134\\b'
2409
+ message: |-
2410
+ RunSec Detection [PHPX-134]: CWE-915
2411
+ languages:
2412
+ - generic
2413
+ severity: WARNING
2414
+ - id: runsec.php-security.phpx-135
2415
+ metadata:
2416
+ runsec_version: v1.0
2417
+ confidence: |-
2418
+ 0.9
2419
+ exploit_scenario: |-
2420
+ User-controlled template source can execute server-side template payloads.
2421
+ fix_template: |-
2422
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2423
+ pattern-either:
2424
+ - pattern: |-
2425
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
2426
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-135\\b'
2427
+ message: |-
2428
+ RunSec Detection [PHPX-135]: CWE-94
2429
+ languages:
2430
+ - generic
2431
+ severity: WARNING
2432
+ - id: runsec.php-security.phpx-136
2433
+ metadata:
2434
+ runsec_version: v1.0
2435
+ confidence: |-
2436
+ 0.9
2437
+ exploit_scenario: |-
2438
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
2439
+ fix_template: |-
2440
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2441
+ pattern-either:
2442
+ - pattern: |-
2443
+ $obj = unserialize($_POST['payload']);
2444
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-136\\b'
2445
+ message: |-
2446
+ RunSec Detection [PHPX-136]: CWE-502
2447
+ languages:
2448
+ - generic
2449
+ severity: WARNING
2450
+ - id: runsec.php-security.phpx-137
2451
+ metadata:
2452
+ runsec_version: v1.0
2453
+ confidence: |-
2454
+ 0.9
2455
+ exploit_scenario: |-
2456
+ Over-posting maps attacker fields into protected entity properties.
2457
+ fix_template: |-
2458
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2459
+ pattern-either:
2460
+ - pattern: |-
2461
+ $form->submit($request->request->all());
2462
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-137\\b'
2463
+ message: |-
2464
+ RunSec Detection [PHPX-137]: CWE-915
2465
+ languages:
2466
+ - generic
2467
+ severity: WARNING
2468
+ - id: runsec.php-security.phpx-138
2469
+ metadata:
2470
+ runsec_version: v1.0
2471
+ confidence: |-
2472
+ 0.9
2473
+ exploit_scenario: |-
2474
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
2475
+ fix_template: |-
2476
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2477
+ pattern-either:
2478
+ - pattern: |-
2479
+ $result = eval('return ' . $_GET['expr'] . ';');
2480
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-138\\b'
2481
+ message: |-
2482
+ RunSec Detection [PHPX-138]: CWE-94
2483
+ languages:
2484
+ - generic
2485
+ severity: WARNING
2486
+ - id: runsec.php-security.phpx-139
2487
+ metadata:
2488
+ runsec_version: v1.0
2489
+ confidence: |-
2490
+ 0.9
2491
+ exploit_scenario: |-
2492
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
2493
+ fix_template: |-
2494
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2495
+ pattern-either:
2496
+ - pattern: |-
2497
+ User::whereRaw("email = '$email'")->first();
2498
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-139\\b'
2499
+ message: |-
2500
+ RunSec Detection [PHPX-139]: CWE-89
2501
+ languages:
2502
+ - generic
2503
+ severity: WARNING
2504
+ - id: runsec.php-security.phpx-140
2505
+ metadata:
2506
+ runsec_version: v1.0
2507
+ confidence: |-
2508
+ 0.9
2509
+ exploit_scenario: |-
2510
+ Broad input binding enables privilege field overwrite in model attributes.
2511
+ fix_template: |-
2512
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2513
+ pattern-either:
2514
+ - pattern: |-
2515
+ User::create($request->all());
2516
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-140\\b'
2517
+ message: |-
2518
+ RunSec Detection [PHPX-140]: CWE-915
2519
+ languages:
2520
+ - generic
2521
+ severity: WARNING
2522
+ - id: runsec.php-security.phpx-141
2523
+ metadata:
2524
+ runsec_version: v1.0
2525
+ confidence: |-
2526
+ 0.9
2527
+ exploit_scenario: |-
2528
+ User-controlled template source can execute server-side template payloads.
2529
+ fix_template: |-
2530
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2531
+ pattern-either:
2532
+ - pattern: |-
2533
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
2534
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-141\\b'
2535
+ message: |-
2536
+ RunSec Detection [PHPX-141]: CWE-94
2537
+ languages:
2538
+ - generic
2539
+ severity: WARNING
2540
+ - id: runsec.php-security.phpx-142
2541
+ metadata:
2542
+ runsec_version: v1.0
2543
+ confidence: |-
2544
+ 0.9
2545
+ exploit_scenario: |-
2546
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
2547
+ fix_template: |-
2548
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2549
+ pattern-either:
2550
+ - pattern: |-
2551
+ $obj = unserialize($_POST['payload']);
2552
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-142\\b'
2553
+ message: |-
2554
+ RunSec Detection [PHPX-142]: CWE-502
2555
+ languages:
2556
+ - generic
2557
+ severity: WARNING
2558
+ - id: runsec.php-security.phpx-143
2559
+ metadata:
2560
+ runsec_version: v1.0
2561
+ confidence: |-
2562
+ 0.9
2563
+ exploit_scenario: |-
2564
+ Over-posting maps attacker fields into protected entity properties.
2565
+ fix_template: |-
2566
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2567
+ pattern-either:
2568
+ - pattern: |-
2569
+ $form->submit($request->request->all());
2570
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-143\\b'
2571
+ message: |-
2572
+ RunSec Detection [PHPX-143]: CWE-915
2573
+ languages:
2574
+ - generic
2575
+ severity: WARNING
2576
+ - id: runsec.php-security.phpx-144
2577
+ metadata:
2578
+ runsec_version: v1.0
2579
+ confidence: |-
2580
+ 0.9
2581
+ exploit_scenario: |-
2582
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
2583
+ fix_template: |-
2584
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2585
+ pattern-either:
2586
+ - pattern: |-
2587
+ $result = eval('return ' . $_GET['expr'] . ';');
2588
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-144\\b'
2589
+ message: |-
2590
+ RunSec Detection [PHPX-144]: CWE-94
2591
+ languages:
2592
+ - generic
2593
+ severity: WARNING
2594
+ - id: runsec.php-security.phpx-145
2595
+ metadata:
2596
+ runsec_version: v1.0
2597
+ confidence: |-
2598
+ 0.9
2599
+ exploit_scenario: |-
2600
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
2601
+ fix_template: |-
2602
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2603
+ pattern-either:
2604
+ - pattern: |-
2605
+ User::whereRaw("email = '$email'")->first();
2606
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-145\\b'
2607
+ message: |-
2608
+ RunSec Detection [PHPX-145]: CWE-89
2609
+ languages:
2610
+ - generic
2611
+ severity: WARNING
2612
+ - id: runsec.php-security.phpx-146
2613
+ metadata:
2614
+ runsec_version: v1.0
2615
+ confidence: |-
2616
+ 0.9
2617
+ exploit_scenario: |-
2618
+ Broad input binding enables privilege field overwrite in model attributes.
2619
+ fix_template: |-
2620
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2621
+ pattern-either:
2622
+ - pattern: |-
2623
+ User::create($request->all());
2624
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-146\\b'
2625
+ message: |-
2626
+ RunSec Detection [PHPX-146]: CWE-915
2627
+ languages:
2628
+ - generic
2629
+ severity: WARNING
2630
+ - id: runsec.php-security.phpx-147
2631
+ metadata:
2632
+ runsec_version: v1.0
2633
+ confidence: |-
2634
+ 0.9
2635
+ exploit_scenario: |-
2636
+ User-controlled template source can execute server-side template payloads.
2637
+ fix_template: |-
2638
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2639
+ pattern-either:
2640
+ - pattern: |-
2641
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
2642
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-147\\b'
2643
+ message: |-
2644
+ RunSec Detection [PHPX-147]: CWE-94
2645
+ languages:
2646
+ - generic
2647
+ severity: WARNING
2648
+ - id: runsec.php-security.phpx-148
2649
+ metadata:
2650
+ runsec_version: v1.0
2651
+ confidence: |-
2652
+ 0.9
2653
+ exploit_scenario: |-
2654
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
2655
+ fix_template: |-
2656
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2657
+ pattern-either:
2658
+ - pattern: |-
2659
+ $obj = unserialize($_POST['payload']);
2660
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-148\\b'
2661
+ message: |-
2662
+ RunSec Detection [PHPX-148]: CWE-502
2663
+ languages:
2664
+ - generic
2665
+ severity: WARNING
2666
+ - id: runsec.php-security.phpx-149
2667
+ metadata:
2668
+ runsec_version: v1.0
2669
+ confidence: |-
2670
+ 0.9
2671
+ exploit_scenario: |-
2672
+ Over-posting maps attacker fields into protected entity properties.
2673
+ fix_template: |-
2674
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2675
+ pattern-either:
2676
+ - pattern: |-
2677
+ $form->submit($request->request->all());
2678
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-149\\b'
2679
+ message: |-
2680
+ RunSec Detection [PHPX-149]: CWE-915
2681
+ languages:
2682
+ - generic
2683
+ severity: WARNING
2684
+ - id: runsec.php-security.phpx-150
2685
+ metadata:
2686
+ runsec_version: v1.0
2687
+ confidence: |-
2688
+ 0.9
2689
+ exploit_scenario: |-
2690
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
2691
+ fix_template: |-
2692
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2693
+ pattern-either:
2694
+ - pattern: |-
2695
+ $result = eval('return ' . $_GET['expr'] . ';');
2696
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-150\\b'
2697
+ message: |-
2698
+ RunSec Detection [PHPX-150]: CWE-94
2699
+ languages:
2700
+ - generic
2701
+ severity: WARNING
2702
+ - id: runsec.php-security.phpx-151
2703
+ metadata:
2704
+ runsec_version: v1.0
2705
+ confidence: |-
2706
+ 0.9
2707
+ exploit_scenario: |-
2708
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
2709
+ fix_template: |-
2710
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2711
+ pattern-either:
2712
+ - pattern: |-
2713
+ User::whereRaw("email = '$email'")->first();
2714
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-151\\b'
2715
+ message: |-
2716
+ RunSec Detection [PHPX-151]: CWE-89
2717
+ languages:
2718
+ - generic
2719
+ severity: WARNING
2720
+ - id: runsec.php-security.phpx-152
2721
+ metadata:
2722
+ runsec_version: v1.0
2723
+ confidence: |-
2724
+ 0.9
2725
+ exploit_scenario: |-
2726
+ Broad input binding enables privilege field overwrite in model attributes.
2727
+ fix_template: |-
2728
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2729
+ pattern-either:
2730
+ - pattern: |-
2731
+ User::create($request->all());
2732
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-152\\b'
2733
+ message: |-
2734
+ RunSec Detection [PHPX-152]: CWE-915
2735
+ languages:
2736
+ - generic
2737
+ severity: WARNING
2738
+ - id: runsec.php-security.phpx-153
2739
+ metadata:
2740
+ runsec_version: v1.0
2741
+ confidence: |-
2742
+ 0.9
2743
+ exploit_scenario: |-
2744
+ User-controlled template source can execute server-side template payloads.
2745
+ fix_template: |-
2746
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2747
+ pattern-either:
2748
+ - pattern: |-
2749
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
2750
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-153\\b'
2751
+ message: |-
2752
+ RunSec Detection [PHPX-153]: CWE-94
2753
+ languages:
2754
+ - generic
2755
+ severity: WARNING
2756
+ - id: runsec.php-security.phpx-154
2757
+ metadata:
2758
+ runsec_version: v1.0
2759
+ confidence: |-
2760
+ 0.9
2761
+ exploit_scenario: |-
2762
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
2763
+ fix_template: |-
2764
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2765
+ pattern-either:
2766
+ - pattern: |-
2767
+ $obj = unserialize($_POST['payload']);
2768
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-154\\b'
2769
+ message: |-
2770
+ RunSec Detection [PHPX-154]: CWE-502
2771
+ languages:
2772
+ - generic
2773
+ severity: WARNING
2774
+ - id: runsec.php-security.phpx-155
2775
+ metadata:
2776
+ runsec_version: v1.0
2777
+ confidence: |-
2778
+ 0.9
2779
+ exploit_scenario: |-
2780
+ Over-posting maps attacker fields into protected entity properties.
2781
+ fix_template: |-
2782
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2783
+ pattern-either:
2784
+ - pattern: |-
2785
+ $form->submit($request->request->all());
2786
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-155\\b'
2787
+ message: |-
2788
+ RunSec Detection [PHPX-155]: CWE-915
2789
+ languages:
2790
+ - generic
2791
+ severity: WARNING
2792
+ - id: runsec.php-security.phpx-156
2793
+ metadata:
2794
+ runsec_version: v1.0
2795
+ confidence: |-
2796
+ 0.9
2797
+ exploit_scenario: |-
2798
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
2799
+ fix_template: |-
2800
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2801
+ pattern-either:
2802
+ - pattern: |-
2803
+ $result = eval('return ' . $_GET['expr'] . ';');
2804
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-156\\b'
2805
+ message: |-
2806
+ RunSec Detection [PHPX-156]: CWE-94
2807
+ languages:
2808
+ - generic
2809
+ severity: WARNING
2810
+ - id: runsec.php-security.phpx-157
2811
+ metadata:
2812
+ runsec_version: v1.0
2813
+ confidence: |-
2814
+ 0.9
2815
+ exploit_scenario: |-
2816
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
2817
+ fix_template: |-
2818
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2819
+ pattern-either:
2820
+ - pattern: |-
2821
+ User::whereRaw("email = '$email'")->first();
2822
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-157\\b'
2823
+ message: |-
2824
+ RunSec Detection [PHPX-157]: CWE-89
2825
+ languages:
2826
+ - generic
2827
+ severity: WARNING
2828
+ - id: runsec.php-security.phpx-158
2829
+ metadata:
2830
+ runsec_version: v1.0
2831
+ confidence: |-
2832
+ 0.9
2833
+ exploit_scenario: |-
2834
+ Broad input binding enables privilege field overwrite in model attributes.
2835
+ fix_template: |-
2836
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2837
+ pattern-either:
2838
+ - pattern: |-
2839
+ User::create($request->all());
2840
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-158\\b'
2841
+ message: |-
2842
+ RunSec Detection [PHPX-158]: CWE-915
2843
+ languages:
2844
+ - generic
2845
+ severity: WARNING
2846
+ - id: runsec.php-security.phpx-159
2847
+ metadata:
2848
+ runsec_version: v1.0
2849
+ confidence: |-
2850
+ 0.9
2851
+ exploit_scenario: |-
2852
+ User-controlled template source can execute server-side template payloads.
2853
+ fix_template: |-
2854
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2855
+ pattern-either:
2856
+ - pattern: |-
2857
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
2858
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-159\\b'
2859
+ message: |-
2860
+ RunSec Detection [PHPX-159]: CWE-94
2861
+ languages:
2862
+ - generic
2863
+ severity: WARNING
2864
+ - id: runsec.php-security.phpx-160
2865
+ metadata:
2866
+ runsec_version: v1.0
2867
+ confidence: |-
2868
+ 0.9
2869
+ exploit_scenario: |-
2870
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
2871
+ fix_template: |-
2872
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2873
+ pattern-either:
2874
+ - pattern: |-
2875
+ $obj = unserialize($_POST['payload']);
2876
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-160\\b'
2877
+ message: |-
2878
+ RunSec Detection [PHPX-160]: CWE-502
2879
+ languages:
2880
+ - generic
2881
+ severity: WARNING
2882
+ - id: runsec.php-security.phpx-161
2883
+ metadata:
2884
+ runsec_version: v1.0
2885
+ confidence: |-
2886
+ 0.9
2887
+ exploit_scenario: |-
2888
+ Over-posting maps attacker fields into protected entity properties.
2889
+ fix_template: |-
2890
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2891
+ pattern-either:
2892
+ - pattern: |-
2893
+ $form->submit($request->request->all());
2894
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-161\\b'
2895
+ message: |-
2896
+ RunSec Detection [PHPX-161]: CWE-915
2897
+ languages:
2898
+ - generic
2899
+ severity: WARNING
2900
+ - id: runsec.php-security.phpx-162
2901
+ metadata:
2902
+ runsec_version: v1.0
2903
+ confidence: |-
2904
+ 0.9
2905
+ exploit_scenario: |-
2906
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
2907
+ fix_template: |-
2908
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2909
+ pattern-either:
2910
+ - pattern: |-
2911
+ $result = eval('return ' . $_GET['expr'] . ';');
2912
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-162\\b'
2913
+ message: |-
2914
+ RunSec Detection [PHPX-162]: CWE-94
2915
+ languages:
2916
+ - generic
2917
+ severity: WARNING
2918
+ - id: runsec.php-security.phpx-163
2919
+ metadata:
2920
+ runsec_version: v1.0
2921
+ confidence: |-
2922
+ 0.9
2923
+ exploit_scenario: |-
2924
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
2925
+ fix_template: |-
2926
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2927
+ pattern-either:
2928
+ - pattern: |-
2929
+ User::whereRaw("email = '$email'")->first();
2930
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-163\\b'
2931
+ message: |-
2932
+ RunSec Detection [PHPX-163]: CWE-89
2933
+ languages:
2934
+ - generic
2935
+ severity: WARNING
2936
+ - id: runsec.php-security.phpx-164
2937
+ metadata:
2938
+ runsec_version: v1.0
2939
+ confidence: |-
2940
+ 0.9
2941
+ exploit_scenario: |-
2942
+ Broad input binding enables privilege field overwrite in model attributes.
2943
+ fix_template: |-
2944
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2945
+ pattern-either:
2946
+ - pattern: |-
2947
+ User::create($request->all());
2948
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-164\\b'
2949
+ message: |-
2950
+ RunSec Detection [PHPX-164]: CWE-915
2951
+ languages:
2952
+ - generic
2953
+ severity: WARNING
2954
+ - id: runsec.php-security.phpx-165
2955
+ metadata:
2956
+ runsec_version: v1.0
2957
+ confidence: |-
2958
+ 0.9
2959
+ exploit_scenario: |-
2960
+ User-controlled template source can execute server-side template payloads.
2961
+ fix_template: |-
2962
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2963
+ pattern-either:
2964
+ - pattern: |-
2965
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
2966
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-165\\b'
2967
+ message: |-
2968
+ RunSec Detection [PHPX-165]: CWE-94
2969
+ languages:
2970
+ - generic
2971
+ severity: WARNING
2972
+ - id: runsec.php-security.phpx-166
2973
+ metadata:
2974
+ runsec_version: v1.0
2975
+ confidence: |-
2976
+ 0.9
2977
+ exploit_scenario: |-
2978
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
2979
+ fix_template: |-
2980
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2981
+ pattern-either:
2982
+ - pattern: |-
2983
+ $obj = unserialize($_POST['payload']);
2984
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-166\\b'
2985
+ message: |-
2986
+ RunSec Detection [PHPX-166]: CWE-502
2987
+ languages:
2988
+ - generic
2989
+ severity: WARNING
2990
+ - id: runsec.php-security.phpx-167
2991
+ metadata:
2992
+ runsec_version: v1.0
2993
+ confidence: |-
2994
+ 0.9
2995
+ exploit_scenario: |-
2996
+ Over-posting maps attacker fields into protected entity properties.
2997
+ fix_template: |-
2998
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
2999
+ pattern-either:
3000
+ - pattern: |-
3001
+ $form->submit($request->request->all());
3002
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-167\\b'
3003
+ message: |-
3004
+ RunSec Detection [PHPX-167]: CWE-915
3005
+ languages:
3006
+ - generic
3007
+ severity: WARNING
3008
+ - id: runsec.php-security.phpx-168
3009
+ metadata:
3010
+ runsec_version: v1.0
3011
+ confidence: |-
3012
+ 0.9
3013
+ exploit_scenario: |-
3014
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
3015
+ fix_template: |-
3016
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3017
+ pattern-either:
3018
+ - pattern: |-
3019
+ $result = eval('return ' . $_GET['expr'] . ';');
3020
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-168\\b'
3021
+ message: |-
3022
+ RunSec Detection [PHPX-168]: CWE-94
3023
+ languages:
3024
+ - generic
3025
+ severity: WARNING
3026
+ - id: runsec.php-security.phpx-169
3027
+ metadata:
3028
+ runsec_version: v1.0
3029
+ confidence: |-
3030
+ 0.9
3031
+ exploit_scenario: |-
3032
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
3033
+ fix_template: |-
3034
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3035
+ pattern-either:
3036
+ - pattern: |-
3037
+ User::whereRaw("email = '$email'")->first();
3038
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-169\\b'
3039
+ message: |-
3040
+ RunSec Detection [PHPX-169]: CWE-89
3041
+ languages:
3042
+ - generic
3043
+ severity: WARNING
3044
+ - id: runsec.php-security.phpx-170
3045
+ metadata:
3046
+ runsec_version: v1.0
3047
+ confidence: |-
3048
+ 0.9
3049
+ exploit_scenario: |-
3050
+ Broad input binding enables privilege field overwrite in model attributes.
3051
+ fix_template: |-
3052
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3053
+ pattern-either:
3054
+ - pattern: |-
3055
+ User::create($request->all());
3056
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-170\\b'
3057
+ message: |-
3058
+ RunSec Detection [PHPX-170]: CWE-915
3059
+ languages:
3060
+ - generic
3061
+ severity: WARNING
3062
+ - id: runsec.php-security.phpx-171
3063
+ metadata:
3064
+ runsec_version: v1.0
3065
+ confidence: |-
3066
+ 0.9
3067
+ exploit_scenario: |-
3068
+ User-controlled template source can execute server-side template payloads.
3069
+ fix_template: |-
3070
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3071
+ pattern-either:
3072
+ - pattern: |-
3073
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
3074
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-171\\b'
3075
+ message: |-
3076
+ RunSec Detection [PHPX-171]: CWE-94
3077
+ languages:
3078
+ - generic
3079
+ severity: WARNING
3080
+ - id: runsec.php-security.phpx-172
3081
+ metadata:
3082
+ runsec_version: v1.0
3083
+ confidence: |-
3084
+ 0.9
3085
+ exploit_scenario: |-
3086
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
3087
+ fix_template: |-
3088
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3089
+ pattern-either:
3090
+ - pattern: |-
3091
+ $obj = unserialize($_POST['payload']);
3092
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-172\\b'
3093
+ message: |-
3094
+ RunSec Detection [PHPX-172]: CWE-502
3095
+ languages:
3096
+ - generic
3097
+ severity: WARNING
3098
+ - id: runsec.php-security.phpx-173
3099
+ metadata:
3100
+ runsec_version: v1.0
3101
+ confidence: |-
3102
+ 0.9
3103
+ exploit_scenario: |-
3104
+ Over-posting maps attacker fields into protected entity properties.
3105
+ fix_template: |-
3106
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3107
+ pattern-either:
3108
+ - pattern: |-
3109
+ $form->submit($request->request->all());
3110
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-173\\b'
3111
+ message: |-
3112
+ RunSec Detection [PHPX-173]: CWE-915
3113
+ languages:
3114
+ - generic
3115
+ severity: WARNING
3116
+ - id: runsec.php-security.phpx-174
3117
+ metadata:
3118
+ runsec_version: v1.0
3119
+ confidence: |-
3120
+ 0.9
3121
+ exploit_scenario: |-
3122
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
3123
+ fix_template: |-
3124
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3125
+ pattern-either:
3126
+ - pattern: |-
3127
+ $result = eval('return ' . $_GET['expr'] . ';');
3128
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-174\\b'
3129
+ message: |-
3130
+ RunSec Detection [PHPX-174]: CWE-94
3131
+ languages:
3132
+ - generic
3133
+ severity: WARNING
3134
+ - id: runsec.php-security.phpx-175
3135
+ metadata:
3136
+ runsec_version: v1.0
3137
+ confidence: |-
3138
+ 0.9
3139
+ exploit_scenario: |-
3140
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
3141
+ fix_template: |-
3142
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3143
+ pattern-either:
3144
+ - pattern: |-
3145
+ User::whereRaw("email = '$email'")->first();
3146
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-175\\b'
3147
+ message: |-
3148
+ RunSec Detection [PHPX-175]: CWE-89
3149
+ languages:
3150
+ - generic
3151
+ severity: WARNING
3152
+ - id: runsec.php-security.phpx-176
3153
+ metadata:
3154
+ runsec_version: v1.0
3155
+ confidence: |-
3156
+ 0.9
3157
+ exploit_scenario: |-
3158
+ Broad input binding enables privilege field overwrite in model attributes.
3159
+ fix_template: |-
3160
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3161
+ pattern-either:
3162
+ - pattern: |-
3163
+ User::create($request->all());
3164
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-176\\b'
3165
+ message: |-
3166
+ RunSec Detection [PHPX-176]: CWE-915
3167
+ languages:
3168
+ - generic
3169
+ severity: WARNING
3170
+ - id: runsec.php-security.phpx-177
3171
+ metadata:
3172
+ runsec_version: v1.0
3173
+ confidence: |-
3174
+ 0.9
3175
+ exploit_scenario: |-
3176
+ User-controlled template source can execute server-side template payloads.
3177
+ fix_template: |-
3178
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3179
+ pattern-either:
3180
+ - pattern: |-
3181
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
3182
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-177\\b'
3183
+ message: |-
3184
+ RunSec Detection [PHPX-177]: CWE-94
3185
+ languages:
3186
+ - generic
3187
+ severity: WARNING
3188
+ - id: runsec.php-security.phpx-178
3189
+ metadata:
3190
+ runsec_version: v1.0
3191
+ confidence: |-
3192
+ 0.9
3193
+ exploit_scenario: |-
3194
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
3195
+ fix_template: |-
3196
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3197
+ pattern-either:
3198
+ - pattern: |-
3199
+ $obj = unserialize($_POST['payload']);
3200
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-178\\b'
3201
+ message: |-
3202
+ RunSec Detection [PHPX-178]: CWE-502
3203
+ languages:
3204
+ - generic
3205
+ severity: WARNING
3206
+ - id: runsec.php-security.phpx-179
3207
+ metadata:
3208
+ runsec_version: v1.0
3209
+ confidence: |-
3210
+ 0.9
3211
+ exploit_scenario: |-
3212
+ Over-posting maps attacker fields into protected entity properties.
3213
+ fix_template: |-
3214
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3215
+ pattern-either:
3216
+ - pattern: |-
3217
+ $form->submit($request->request->all());
3218
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-179\\b'
3219
+ message: |-
3220
+ RunSec Detection [PHPX-179]: CWE-915
3221
+ languages:
3222
+ - generic
3223
+ severity: WARNING
3224
+ - id: runsec.php-security.phpx-180
3225
+ metadata:
3226
+ runsec_version: v1.0
3227
+ confidence: |-
3228
+ 0.9
3229
+ exploit_scenario: |-
3230
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
3231
+ fix_template: |-
3232
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3233
+ pattern-either:
3234
+ - pattern: |-
3235
+ $result = eval('return ' . $_GET['expr'] . ';');
3236
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-180\\b'
3237
+ message: |-
3238
+ RunSec Detection [PHPX-180]: CWE-94
3239
+ languages:
3240
+ - generic
3241
+ severity: WARNING
3242
+ - id: runsec.php-security.phpx-181
3243
+ metadata:
3244
+ runsec_version: v1.0
3245
+ confidence: |-
3246
+ 0.9
3247
+ exploit_scenario: |-
3248
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
3249
+ fix_template: |-
3250
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3251
+ pattern-either:
3252
+ - pattern: |-
3253
+ User::whereRaw("email = '$email'")->first();
3254
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-181\\b'
3255
+ message: |-
3256
+ RunSec Detection [PHPX-181]: CWE-89
3257
+ languages:
3258
+ - generic
3259
+ severity: WARNING
3260
+ - id: runsec.php-security.phpx-182
3261
+ metadata:
3262
+ runsec_version: v1.0
3263
+ confidence: |-
3264
+ 0.9
3265
+ exploit_scenario: |-
3266
+ Broad input binding enables privilege field overwrite in model attributes.
3267
+ fix_template: |-
3268
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3269
+ pattern-either:
3270
+ - pattern: |-
3271
+ User::create($request->all());
3272
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-182\\b'
3273
+ message: |-
3274
+ RunSec Detection [PHPX-182]: CWE-915
3275
+ languages:
3276
+ - generic
3277
+ severity: WARNING
3278
+ - id: runsec.php-security.phpx-183
3279
+ metadata:
3280
+ runsec_version: v1.0
3281
+ confidence: |-
3282
+ 0.9
3283
+ exploit_scenario: |-
3284
+ User-controlled template source can execute server-side template payloads.
3285
+ fix_template: |-
3286
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3287
+ pattern-either:
3288
+ - pattern: |-
3289
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
3290
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-183\\b'
3291
+ message: |-
3292
+ RunSec Detection [PHPX-183]: CWE-94
3293
+ languages:
3294
+ - generic
3295
+ severity: WARNING
3296
+ - id: runsec.php-security.phpx-184
3297
+ metadata:
3298
+ runsec_version: v1.0
3299
+ confidence: |-
3300
+ 0.9
3301
+ exploit_scenario: |-
3302
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
3303
+ fix_template: |-
3304
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3305
+ pattern-either:
3306
+ - pattern: |-
3307
+ $obj = unserialize($_POST['payload']);
3308
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-184\\b'
3309
+ message: |-
3310
+ RunSec Detection [PHPX-184]: CWE-502
3311
+ languages:
3312
+ - generic
3313
+ severity: WARNING
3314
+ - id: runsec.php-security.phpx-185
3315
+ metadata:
3316
+ runsec_version: v1.0
3317
+ confidence: |-
3318
+ 0.9
3319
+ exploit_scenario: |-
3320
+ Over-posting maps attacker fields into protected entity properties.
3321
+ fix_template: |-
3322
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3323
+ pattern-either:
3324
+ - pattern: |-
3325
+ $form->submit($request->request->all());
3326
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-185\\b'
3327
+ message: |-
3328
+ RunSec Detection [PHPX-185]: CWE-915
3329
+ languages:
3330
+ - generic
3331
+ severity: WARNING
3332
+ - id: runsec.php-security.phpx-186
3333
+ metadata:
3334
+ runsec_version: v1.0
3335
+ confidence: |-
3336
+ 0.9
3337
+ exploit_scenario: |-
3338
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
3339
+ fix_template: |-
3340
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3341
+ pattern-either:
3342
+ - pattern: |-
3343
+ $result = eval('return ' . $_GET['expr'] . ';');
3344
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-186\\b'
3345
+ message: |-
3346
+ RunSec Detection [PHPX-186]: CWE-94
3347
+ languages:
3348
+ - generic
3349
+ severity: WARNING
3350
+ - id: runsec.php-security.phpx-187
3351
+ metadata:
3352
+ runsec_version: v1.0
3353
+ confidence: |-
3354
+ 0.9
3355
+ exploit_scenario: |-
3356
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
3357
+ fix_template: |-
3358
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3359
+ pattern-either:
3360
+ - pattern: |-
3361
+ User::whereRaw("email = '$email'")->first();
3362
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-187\\b'
3363
+ message: |-
3364
+ RunSec Detection [PHPX-187]: CWE-89
3365
+ languages:
3366
+ - generic
3367
+ severity: WARNING
3368
+ - id: runsec.php-security.phpx-188
3369
+ metadata:
3370
+ runsec_version: v1.0
3371
+ confidence: |-
3372
+ 0.9
3373
+ exploit_scenario: |-
3374
+ Broad input binding enables privilege field overwrite in model attributes.
3375
+ fix_template: |-
3376
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3377
+ pattern-either:
3378
+ - pattern: |-
3379
+ User::create($request->all());
3380
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-188\\b'
3381
+ message: |-
3382
+ RunSec Detection [PHPX-188]: CWE-915
3383
+ languages:
3384
+ - generic
3385
+ severity: WARNING
3386
+ - id: runsec.php-security.phpx-189
3387
+ metadata:
3388
+ runsec_version: v1.0
3389
+ confidence: |-
3390
+ 0.9
3391
+ exploit_scenario: |-
3392
+ User-controlled template source can execute server-side template payloads.
3393
+ fix_template: |-
3394
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3395
+ pattern-either:
3396
+ - pattern: |-
3397
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
3398
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-189\\b'
3399
+ message: |-
3400
+ RunSec Detection [PHPX-189]: CWE-94
3401
+ languages:
3402
+ - generic
3403
+ severity: WARNING
3404
+ - id: runsec.php-security.phpx-190
3405
+ metadata:
3406
+ runsec_version: v1.0
3407
+ confidence: |-
3408
+ 0.9
3409
+ exploit_scenario: |-
3410
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
3411
+ fix_template: |-
3412
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3413
+ pattern-either:
3414
+ - pattern: |-
3415
+ $obj = unserialize($_POST['payload']);
3416
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-190\\b'
3417
+ message: |-
3418
+ RunSec Detection [PHPX-190]: CWE-502
3419
+ languages:
3420
+ - generic
3421
+ severity: WARNING
3422
+ - id: runsec.php-security.phpx-191
3423
+ metadata:
3424
+ runsec_version: v1.0
3425
+ confidence: |-
3426
+ 0.9
3427
+ exploit_scenario: |-
3428
+ Over-posting maps attacker fields into protected entity properties.
3429
+ fix_template: |-
3430
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3431
+ pattern-either:
3432
+ - pattern: |-
3433
+ $form->submit($request->request->all());
3434
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-191\\b'
3435
+ message: |-
3436
+ RunSec Detection [PHPX-191]: CWE-915
3437
+ languages:
3438
+ - generic
3439
+ severity: WARNING
3440
+ - id: runsec.php-security.phpx-192
3441
+ metadata:
3442
+ runsec_version: v1.0
3443
+ confidence: |-
3444
+ 0.9
3445
+ exploit_scenario: |-
3446
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
3447
+ fix_template: |-
3448
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3449
+ pattern-either:
3450
+ - pattern: |-
3451
+ $result = eval('return ' . $_GET['expr'] . ';');
3452
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-192\\b'
3453
+ message: |-
3454
+ RunSec Detection [PHPX-192]: CWE-94
3455
+ languages:
3456
+ - generic
3457
+ severity: WARNING
3458
+ - id: runsec.php-security.phpx-193
3459
+ metadata:
3460
+ runsec_version: v1.0
3461
+ confidence: |-
3462
+ 0.9
3463
+ exploit_scenario: |-
3464
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
3465
+ fix_template: |-
3466
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3467
+ pattern-either:
3468
+ - pattern: |-
3469
+ User::whereRaw("email = '$email'")->first();
3470
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-193\\b'
3471
+ message: |-
3472
+ RunSec Detection [PHPX-193]: CWE-89
3473
+ languages:
3474
+ - generic
3475
+ severity: WARNING
3476
+ - id: runsec.php-security.phpx-194
3477
+ metadata:
3478
+ runsec_version: v1.0
3479
+ confidence: |-
3480
+ 0.9
3481
+ exploit_scenario: |-
3482
+ Broad input binding enables privilege field overwrite in model attributes.
3483
+ fix_template: |-
3484
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3485
+ pattern-either:
3486
+ - pattern: |-
3487
+ User::create($request->all());
3488
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-194\\b'
3489
+ message: |-
3490
+ RunSec Detection [PHPX-194]: CWE-915
3491
+ languages:
3492
+ - generic
3493
+ severity: WARNING
3494
+ - id: runsec.php-security.phpx-195
3495
+ metadata:
3496
+ runsec_version: v1.0
3497
+ confidence: |-
3498
+ 0.9
3499
+ exploit_scenario: |-
3500
+ User-controlled template source can execute server-side template payloads.
3501
+ fix_template: |-
3502
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3503
+ pattern-either:
3504
+ - pattern: |-
3505
+ $twig->createTemplate($request->get('tpl'))->render($ctx);
3506
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-195\\b'
3507
+ message: |-
3508
+ RunSec Detection [PHPX-195]: CWE-94
3509
+ languages:
3510
+ - generic
3511
+ severity: WARNING
3512
+ - id: runsec.php-security.phpx-196
3513
+ metadata:
3514
+ runsec_version: v1.0
3515
+ confidence: |-
3516
+ 0.9
3517
+ exploit_scenario: |-
3518
+ Deserialization gadgets may trigger arbitrary code paths during object hydration.
3519
+ fix_template: |-
3520
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3521
+ pattern-either:
3522
+ - pattern: |-
3523
+ $obj = unserialize($_POST['payload']);
3524
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-196\\b'
3525
+ message: |-
3526
+ RunSec Detection [PHPX-196]: CWE-502
3527
+ languages:
3528
+ - generic
3529
+ severity: WARNING
3530
+ - id: runsec.php-security.phpx-197
3531
+ metadata:
3532
+ runsec_version: v1.0
3533
+ confidence: |-
3534
+ 0.9
3535
+ exploit_scenario: |-
3536
+ Over-posting maps attacker fields into protected entity properties.
3537
+ fix_template: |-
3538
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3539
+ pattern-either:
3540
+ - pattern: |-
3541
+ $form->submit($request->request->all());
3542
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-197\\b'
3543
+ message: |-
3544
+ RunSec Detection [PHPX-197]: CWE-915
3545
+ languages:
3546
+ - generic
3547
+ severity: WARNING
3548
+ - id: runsec.php-security.phpx-198
3549
+ metadata:
3550
+ runsec_version: v1.0
3551
+ confidence: |-
3552
+ 0.9
3553
+ exploit_scenario: |-
3554
+ Evaluating attacker-controlled expression can execute arbitrary PHP code.
3555
+ fix_template: |-
3556
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3557
+ pattern-either:
3558
+ - pattern: |-
3559
+ $result = eval('return ' . $_GET['expr'] . ';');
3560
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-198\\b'
3561
+ message: |-
3562
+ RunSec Detection [PHPX-198]: CWE-94
3563
+ languages:
3564
+ - generic
3565
+ severity: WARNING
3566
+ - id: runsec.php-security.phpx-199
3567
+ metadata:
3568
+ runsec_version: v1.0
3569
+ confidence: |-
3570
+ 0.9
3571
+ exploit_scenario: |-
3572
+ Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments.
3573
+ fix_template: |-
3574
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3575
+ pattern-either:
3576
+ - pattern: |-
3577
+ User::whereRaw("email = '$email'")->first();
3578
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-199\\b'
3579
+ message: |-
3580
+ RunSec Detection [PHPX-199]: CWE-89
3581
+ languages:
3582
+ - generic
3583
+ severity: WARNING
3584
+ - id: runsec.php-security.phpx-200
3585
+ metadata:
3586
+ runsec_version: v1.0
3587
+ confidence: |-
3588
+ 0.9
3589
+ exploit_scenario: |-
3590
+ Broad input binding enables privilege field overwrite in model attributes.
3591
+ fix_template: |-
3592
+ Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API.
3593
+ pattern-either:
3594
+ - pattern: |-
3595
+ User::create($request->all());
3596
+ - pattern-regex: 'Vulnerable:\\s*PHPX\\-200\\b'
3597
+ message: |-
3598
+ RunSec Detection [PHPX-200]: CWE-915
3599
+ languages:
3600
+ - generic
3601
+ severity: WARNING