@runsec/mcp 1.0.35 → 1.0.37
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/data/.rag-cache.json +1 -0
- package/dist/data/skills/_exploit_overrides.json +16 -0
- package/dist/data/skills/advanced-agent-cloud/index.md +94 -0
- package/dist/data/skills/advanced-agent-cloud/patterns.md +46 -0
- package/dist/data/skills/advanced-agent-cloud/skill.json +38 -0
- package/dist/data/skills/app-logic/index.md +69 -0
- package/dist/data/skills/app-logic/patterns.md +23 -0
- package/dist/data/skills/app-logic/skill.json +24 -0
- package/dist/data/skills/auth-keycloak/index.md +69 -0
- package/dist/data/skills/auth-keycloak/patterns.md +46 -0
- package/dist/data/skills/auth-keycloak/skill.json +51 -0
- package/dist/data/skills/browser-agent/index.md +58 -0
- package/dist/data/skills/browser-agent/patterns.md +15 -0
- package/dist/data/skills/browser-agent/skill.json +24 -0
- package/dist/data/skills/cloud-secrets/index.md +66 -0
- package/dist/data/skills/cloud-secrets/patterns.md +19 -0
- package/dist/data/skills/cloud-secrets/skill.json +28 -0
- package/dist/data/skills/csharp-dotnet/index.md +103 -0
- package/dist/data/skills/csharp-dotnet/patterns.md +270 -0
- package/dist/data/skills/csharp-dotnet/skill.json +27 -0
- package/dist/data/skills/desktop-vsto-suite/index.md +202 -0
- package/dist/data/skills/desktop-vsto-suite/patterns.md +154 -0
- package/dist/data/skills/desktop-vsto-suite/skill.json +26 -0
- package/dist/data/skills/devops-security/index.md +64 -0
- package/dist/data/skills/devops-security/patterns.md +23 -0
- package/dist/data/skills/devops-security/skill.json +42 -0
- package/dist/data/skills/domain-access-management/index.md +123 -0
- package/dist/data/skills/domain-access-management/patterns.md +58 -0
- package/dist/data/skills/domain-access-management/skill.json +36 -0
- package/dist/data/skills/domain-data-privacy/index.md +98 -0
- package/dist/data/skills/domain-data-privacy/patterns.md +48 -0
- package/dist/data/skills/domain-data-privacy/skill.json +36 -0
- package/dist/data/skills/domain-input-validation/index.md +210 -0
- package/dist/data/skills/domain-input-validation/patterns.md +158 -0
- package/dist/data/skills/domain-input-validation/skill.json +24 -0
- package/dist/data/skills/domain-platform-hardening/index.md +169 -0
- package/dist/data/skills/domain-platform-hardening/patterns.md +96 -0
- package/dist/data/skills/domain-platform-hardening/skill.json +27 -0
- package/dist/data/skills/ds-ml-security/patterns.md +137 -0
- package/dist/data/skills/fastapi-async/index.md +83 -0
- package/dist/data/skills/fastapi-async/patterns.md +329 -0
- package/dist/data/skills/fastapi-async/skill.json +32 -0
- package/dist/data/skills/frontend-react/index.md +26 -0
- package/dist/data/skills/frontend-react/patterns.md +226 -0
- package/dist/data/skills/frontend-react/skill.json +24 -0
- package/dist/data/skills/go-core/index.md +86 -0
- package/dist/data/skills/go-core/patterns.md +272 -0
- package/dist/data/skills/go-core/skill.json +22 -0
- package/dist/data/skills/hft-cpp-security/patterns.md +37 -0
- package/dist/data/skills/index.md +73 -0
- package/dist/data/skills/infra-k8s-helm/index.md +138 -0
- package/dist/data/skills/infra-k8s-helm/patterns.md +279 -0
- package/dist/data/skills/infra-k8s-helm/skill.json +41 -0
- package/dist/data/skills/integration-security/index.md +73 -0
- package/dist/data/skills/integration-security/patterns.md +132 -0
- package/dist/data/skills/integration-security/skill.json +30 -0
- package/dist/data/skills/java-enterprise/index.md +31 -0
- package/dist/data/skills/java-enterprise/patterns.md +816 -0
- package/dist/data/skills/java-enterprise/skill.json +26 -0
- package/dist/data/skills/java-spring/index.md +65 -0
- package/dist/data/skills/java-spring/patterns.md +22 -0
- package/dist/data/skills/java-spring/skill.json +23 -0
- package/dist/data/skills/license-compliance/index.md +58 -0
- package/dist/data/skills/license-compliance/patterns.md +12 -0
- package/dist/data/skills/license-compliance/skill.json +28 -0
- package/dist/data/skills/mobile-security/patterns.md +42 -0
- package/dist/data/skills/nodejs-nestjs/index.md +71 -0
- package/dist/data/skills/nodejs-nestjs/patterns.md +288 -0
- package/dist/data/skills/nodejs-nestjs/skill.json +24 -0
- package/dist/data/skills/observability/index.md +68 -0
- package/dist/data/skills/observability/patterns.md +22 -0
- package/dist/data/skills/observability/skill.json +26 -0
- package/dist/data/skills/php-security/patterns.md +202 -0
- package/dist/data/skills/ru-regulatory/index.md +72 -0
- package/dist/data/skills/ru-regulatory/patterns.md +28 -0
- package/dist/data/skills/ru-regulatory/skill.json +53 -0
- package/dist/data/skills/ruby-rails/index.md +65 -0
- package/dist/data/skills/ruby-rails/patterns.md +172 -0
- package/dist/data/skills/ruby-rails/skill.json +24 -0
- package/dist/data/skills/rust-security/patterns.md +152 -0
- package/dist/data/trufflehog-config.yaml +407 -0
- package/dist/index.js +3766 -372
- package/package.json +1 -1
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
| ID | Название метрики | Anti-Pattern (Vulnerable Code/YAML) | Safe-Pattern (Remediation) | Stack | Источник fix_template | Exploit scenario |
|
|
2
|
+
|---|---|---|---|---|---|---|
|
|
3
|
+
| LOG-001 | Silent Exception: `except Exception: pass` | `try:`<br>` await repo.save(event)`<br>`except Exception:`<br>` pass` | `try:`<br>` await repo.save(event)`<br>`except Exception:`<br>` logger.exception("audit-save-failed", extra={"event_type": event.type})`<br>` raise` | Observability | `OWASP Top 10 (2021) A09 Security Logging and Monitoring Failures; OWASP ASVS v4.0.3 V7 Error Handling and Logging` | `try:` ` await repo.save(event)` `except Exception:` ` logger.exception("audit-save-failed", extra={"event_type": event.type})` ` raise` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-001 silent exception except pass try await repo save event logger audit failed extra type raise -->
|
|
4
|
+
| LOG-002 | Missing Trace-ID в логах запроса | `logger.info("request accepted")` | `trace_id = request.headers.get("x-trace-id") or str(uuid4())`<br>`logger.info("request accepted", extra={"trace_id": trace_id, "path": request.url.path})`<br>`response.headers["X-Trace-ID"] = trace_id` | Observability | `OWASP Top 10 (2021) A09 Security Logging and Monitoring Failures; OWASP ASVS v4.0.3 V7` | `trace_id = request.headers.get("x-trace-id") or str(uuid4())` `logger.info("request accepted", extra={"trace_id": trace_id, "path": request.url.path})` `response.headers["X-Trace-ID"] = trace_id` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-002 missing trace id в логах запроса logger info request accepted headers get x str uuid4 extra path url response -->
|
|
5
|
+
| LOG-003 | Unstructured logs: текст без контекста безопасности | `logger.error(f"login failed for {username}")` | `logger.warning("auth_failed", extra={"trace_id": trace_id, "user": username, "ip": client_ip, "reason": "bad_credentials"})` | Observability | `OWASP API Security Top 10 (2023) API10 Unsafe Consumption of APIs; OWASP ASVS v4.0.3 V7` | `logger.warning("auth_failed", extra={"trace_id": trace_id, "user": username, "ip": client_ip, "reason": "bad_credentials"})` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-003 unstructured logs текст без контекста безопасности logger error f login failed for username warning auth extra trace id user ip -->
|
|
6
|
+
| LOG-004 | PII/secret leakage in logs | `logger.info("auth payload=%s", payload)`<br>`# payload may include password/token` | `safe = {"username": payload.get("username"), "mfa": payload.get("mfa")}`<br>`logger.info("auth payload sanitized", extra={"trace_id": trace_id, "payload": safe})` | Observability | `OWASP Top 10 (2021) A02 Cryptographic Failures; OWASP Top 10 (2021) A09` | `safe = {"username": payload.get("username"), "mfa": payload.get("mfa")}` `logger.info("auth payload sanitized", extra={"trace_id": trace_id, "payload": safe})` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-004 pii secret leakage logs logger info auth payload s may include password token username get mfa sanitized extra trace id -->
|
|
7
|
+
| LOG-005 | Verbose stack traces returned to API client | `except Exception as exc:`<br>` raise HTTPException(status_code=500, detail=traceback.format_exc())` | `except Exception:`<br>` logger.exception("unhandled error", extra={"trace_id": trace_id})`<br>` raise HTTPException(status_code=500, detail="internal server error")` | Observability | `OWASP Top 10 (2021) A09 Security Logging and Monitoring Failures; OWASP API Security Top 10 (2023) API8 Security Misconfiguration` | `except Exception:` ` logger.exception("unhandled error", extra={"trace_id": trace_id})` ` raise HTTPException(status_code=500, detail="internal server error")` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-005 verbose stack traces returned to api client except exception as exc raise httpexception status 500 detail traceback format logger unhandled -->
|
|
8
|
+
| LOG-006 | Missing audit events for role/permission changes | `@app.post("/admin/users/{uid}/role")`<br>`async def set_role(uid: int, role: str):`<br>` await repo.set_role(uid, role)` | `@app.post("/admin/users/{uid}/role")`<br>`async def set_role(uid: int, role: str, actor=Depends(current_user)):`<br>` await repo.set_role(uid, role)`<br>` await audit_log.write({"event": "role_change", "actor_id": actor.id, "target_user_id": uid, "new_role": role, "trace_id": trace_id})` | Observability | `OWASP Top 10 (2021) A09; OWASP ASVS v4.0.3 V7 Logging` | `@app.post("/admin/users/{uid}/role")` `async def set_role(uid: int, role: str, actor=Depends(current_user)):` ` await repo.set_role(uid, role)` ` await audit_log.write({"event": "role_change", "actor_id": actor.id, "target_user_id": uid, "new_role": role, "trace_id": trace_id})` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-006 missing audit events for role permission changes app post admin users uid async def set int str await repo actor -->
|
|
9
|
+
| LOG-007 | Missing failed-auth telemetry and lockout signals | `if not auth_ok:`<br>` raise HTTPException(status_code=401, detail="invalid credentials")` | `if not auth_ok:`<br>` await audit_log.write({"event": "auth_failed", "username": username, "ip": client_ip, "trace_id": trace_id})`<br>` await risk_counter.bump(f"auth:{username}:{client_ip}")`<br>` raise HTTPException(status_code=401, detail="invalid credentials")` | Observability | `OWASP Top 10 (2021) A07 Identification and Authentication Failures; OWASP Top 10 (2021) A09` | `if not auth_ok:` ` await audit_log.write({"event": "auth_failed", "username": username, "ip": client_ip, "trace_id": trace_id})` ` await risk_counter.bump(f"auth:{username}:{client_ip}")` ` raise HTTPException(status_code=401, detail="invalid credentials")` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-007 missing failed auth telemetry lockout signals if not ok raise httpexception status 401 detail invalid credentials await audit log write -->
|
|
10
|
+
| LOG-008 | No request/response latency telemetry | `@app.middleware("http")`<br>`async def m(request, call_next):`<br>` return await call_next(request)` | `@app.middleware("http")`<br>`async def m(request: Request, call_next):`<br>` started = time.perf_counter()`<br>` response = await call_next(request)`<br>` elapsed_ms = (time.perf_counter() - started) * 1000`<br>` logger.info("http_access", extra={"trace_id": request.state.trace_id, "path": request.url.path, "status": response.status_code, "latency_ms": round(elapsed_ms, 2)})`<br>` return response` | Observability | `OWASP Top 10 (2021) A09 Security Logging and Monitoring Failures` | `@app.middleware("http")` `async def m(request: Request, call_next):` ` started = time.perf_counter()` ` response = await call_next(request)` ` elapsed_ms = (time.perf_counter() - started) * 1000` ` logger.info("http_access", extra={"trace_id": request.state.trace_id, "path": request.url.path, "status": response.status_code, "latency_ms": round(elapsed_ms, 2)})` ` return response` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-008 no request response latency telemetry app middleware http async def m call next return await started time perf counter elapsed -->
|
|
11
|
+
| LOG-009 | Logs without integrity controls/immutability for security events | `await audit_log.write({"event": "payment_approved", "id": pid})` | `record = {"event": "payment_approved", "id": pid, "trace_id": trace_id, "ts": datetime.now(timezone.utc).isoformat()}`<br>`record["sig"] = hmac_sha256(audit_signing_key, json.dumps(record, sort_keys=True))`<br>`await append_only_audit_store.write(record)` | Observability | `OWASP ASVS v4.0.3 V10 Malicious Code and Business Logic; OWASP Top 10 (2021) A09` | `record = {"event": "payment_approved", "id": pid, "trace_id": trace_id, "ts": datetime.now(timezone.utc).isoformat()}` `record["sig"] = hmac_sha256(audit_signing_key, json.dumps(record, sort_keys=True))` `await append_only_audit_store.write(record)` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-009 logs without integrity controls immutability for security events await audit log write event payment approved id pid record trace ts -->
|
|
12
|
+
| LOG-010 | No centralized exception handler for sanitization and correlation | `@app.get("/x")`<br>`async def x():`<br>` raise RuntimeError("db password is wrong: secret=...")` | `@app.exception_handler(Exception)`<br>`async def handle_exc(request: Request, exc: Exception):`<br>` trace_id = getattr(request.state, "trace_id", "n/a")`<br>` logger.exception("unhandled", extra={"trace_id": trace_id, "path": request.url.path})`<br>` return JSONResponse(status_code=500, content={"detail": "internal server error", "trace_id": trace_id})` | Observability | `OWASP Top 10 (2021) A09; OWASP ASVS v4.0.3 V7 Error Handling` | `@app.exception_handler(Exception)` `async def handle_exc(request: Request, exc: Exception):` ` trace_id = getattr(request.state, "trace_id", "n/a")` ` logger.exception("unhandled", extra={"trace_id": trace_id, "path": request.url.path})` ` return JSONResponse(status_code=500, content={"detail": "internal server error", "trace_id": trace_id})` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-010 no centralized exception handler for sanitization correlation app get x async def raise runtimeerror db password is wrong secret handle -->
|
|
13
|
+
| LOG-011 | Log Injection Protection: CR/LF из пользовательских данных попадают в лог | `@app.get("/search")`<br>`async def search(q: str):`<br>` logger.info("search query=%s", q)`<br>` return {"ok": True}` | `def sanitize_for_log(value: str) -> str:`<br>` return value.replace("\\r", "\\\\r").replace("\\n", "\\\\n")`<br>`@app.get("/search")`<br>`async def search(q: str):`<br>` safe_q = sanitize_for_log(q)`<br>` logger.info("search query=%s", safe_q)`<br>` return {"ok": True}` | Observability | `OWASP Top 10 (2021) A09 Security Logging and Monitoring Failures; OWASP ASVS v4.0.3 V8 Logging and Error Handling; CWE-117` | `def sanitize_for_log(value: str) -> str:` ` return value.replace("\\r", "\\\\r").replace("\\n", "\\\\n")` `@app.get("/search")` `async def search(q: str):` ` safe_q = sanitize_for_log(q)` ` logger.info("search query=%s", safe_q)` ` return {"ok": True}` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-011 log injection protection cr lf из пользовательских данных попадают в лог app get search async def q str logger info -->
|
|
14
|
+
| LOG-012 | Sensitive Data in Exception Context: логирование `locals()` в prod | `except Exception:`<br>` logger.exception("failed", extra={"locals": locals()})`<br>` raise` | `except Exception:`<br>` logger.exception("failed", extra={"trace_id": trace_id, "context": {"operation": "payment_create"}})`<br>` raise`<br>`# production logger must not capture locals or full frame dumps` | Observability | `OWASP Top 10 (2021) A09 Security Logging and Monitoring Failures; OWASP ASVS v4.0.3 V8 Logging and Error Handling` | `except Exception:` ` logger.exception("failed", extra={"trace_id": trace_id, "context": {"operation": "payment_create"}})` ` raise` `# production logger must not capture locals or full frame dumps` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-012 sensitive data exception context логирование locals в prod except logger failed extra raise trace id operation payment create production must -->
|
|
15
|
+
| LOG-013 | Missing Security Heartbeat: нет периодических контрольных событий мониторинга | `# no periodic liveness/integrity security event`<br>`pass` | `async def security_heartbeat_task() -> None:`<br>` while True:`<br>` await audit_log.write({"event": "security_heartbeat", "service": "api", "status": "ok", "ts": datetime.now(timezone.utc).isoformat()})`<br>` await asyncio.sleep(60)`<br>`@app.on_event("startup")`<br>`async def start_heartbeat() -> None:`<br>` asyncio.create_task(security_heartbeat_task())` | Observability | `OWASP Top 10 (2021) A09 Security Logging and Monitoring Failures; OWASP ASVS v4.0.3 V8 Logging and Error Handling` | `async def security_heartbeat_task() -> None:` ` while True:` ` await audit_log.write({"event": "security_heartbeat", "service": "api", "status": "ok", "ts": datetime.now(timezone.utc).isoformat()})` ` await asyncio.sleep(60)` `@app.on_event("startup")` `async def start_heartbeat() -> None:` ` asyncio.create_task(security_heartbeat_task())` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-013 missing security heartbeat нет периодических контрольных событий мониторинга no periodic liveness integrity event pass async def task none while true -->
|
|
16
|
+
| LOG-014 | High-Privilege Action Audit: админ-действия пишутся в обычный app log | `@app.post("/admin/users/{uid}/disable")`<br>`async def disable_user(uid: int):`<br>` logger.info("disabled user %s", uid)` | `@app.post("/admin/users/{uid}/disable")`<br>`async def disable_user(uid: int, actor=Depends(current_user)):`<br>` logger.info("admin action requested", extra={"trace_id": trace_id, "actor_id": actor.id})`<br>` await security_audit_log.write({"event": "admin_user_disable", "actor_id": actor.id, "target_user_id": uid, "trace_id": trace_id, "ts": datetime.now(timezone.utc).isoformat()})` | Observability | `OWASP Top 10 (2021) A09 Security Logging and Monitoring Failures; OWASP ASVS v4.0.3 V8 Logging and Error Handling` | `@app.post("/admin/users/{uid}/disable")` `async def disable_user(uid: int, actor=Depends(current_user)):` ` logger.info("admin action requested", extra={"trace_id": trace_id, "actor_id": actor.id})` ` await security_audit_log.write({"event": "admin_user_disable", "actor_id": actor.id, "target_user_id": uid, "trace_id": trace_id, "ts": datetime.now(timezone.utc).isoformat()})` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-014 high privilege action audit админ действия пишутся в обычный app log post admin users uid disable async def user int -->
|
|
17
|
+
| LOG-015 | Системный лог: пароль в plaintext (`syslog`/journald) (CWE-312) | `syslog.syslog(syslog.LOG_INFO, f"user_pass={password}")` | Никогда не писать пароли; только hash/id события и маскирование. | Observability | `CWE-312` | Structured logging + redaction filter для password fields. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-015 syslog syslog log info user pass password plaintext guardian -->
|
|
18
|
+
| LOG-016 | Docker/k8s: `env` секреты в stdout контейнера (CWE-532) | `print(os.environ)` в startup лог | Не логировать env; использовать external secrets и mask в лог-драйверах. | Observability | `CWE-532` | Log scrubber sidecar; deny `print(environ)` in prod. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-016 print os environ docker stdout guardian -->
|
|
19
|
+
| LOG-017 | Windows Event Log: токен в `EventLog.WriteEntry` (CWE-312) | `EventLog.WriteEntry("Auth", $"token={accessToken}")` | Redact tokens; использовать event IDs без секретов. | Observability | `CWE-312` | Token hash or presence flag only in EventLog. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-017 eventlog writeentry token accesstoken guardian -->
|
|
20
|
+
| LOG-018 | `journalctl`/structured log с Bearer в поле message (CWE-532) | `logger.info({"Authorization": f"Bearer {tok}"})` | Заголовки Authorization никогда не логировать. | Observability | `CWE-532` | Redact `Authorization`/`Cookie` keys globally. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-018 logger info authorization bearer tok guardian -->
|
|
21
|
+
| LOG-019 | OpenTelemetry span: пароль в attributes (CWE-532) | `span.set_attribute("user.password", pwd)` | Запретить sensitive attrs; allowlist span attribute keys. | Observability | `CWE-532` | OTel semantic conventions + scrubbing processor. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-019 span set attribute user password pwd guardian -->
|
|
22
|
+
| LOG-020 | Избыточное логирование полного HTTP-тела ответа с PII (CWE-779) | `logger.debug("upstream=%s", response.text)` | Логировать только status/latency/correlation-id; маскировать тела. | Observability | `CWE-779` | Sampling + redaction; max body length 0 in prod logs. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: log-020 logger debug upstream response text cwe779 guardian -->
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
{
|
|
2
|
+
"skill_id": "observability",
|
|
3
|
+
"name": "Observability & Audit Logging",
|
|
4
|
+
"activation_triggers": [
|
|
5
|
+
"log-structured-traceid",
|
|
6
|
+
"log-audit-siem",
|
|
7
|
+
"log-redaction-policy",
|
|
8
|
+
"log-injection-crlf",
|
|
9
|
+
"log-security-event"
|
|
10
|
+
],
|
|
11
|
+
"relevant_extensions": [
|
|
12
|
+
".py",
|
|
13
|
+
".ts",
|
|
14
|
+
".js",
|
|
15
|
+
".yaml",
|
|
16
|
+
".yml"
|
|
17
|
+
],
|
|
18
|
+
"tools": [
|
|
19
|
+
"semgrep",
|
|
20
|
+
"syft",
|
|
21
|
+
"trufflehog"
|
|
22
|
+
],
|
|
23
|
+
"rules_path": "core/skills/observability/patterns.md",
|
|
24
|
+
"few_shot_examples": "core/gold-standard-testbed/api_vulnerable.py",
|
|
25
|
+
"security_priority": 5
|
|
26
|
+
}
|
|
@@ -0,0 +1,202 @@
|
|
|
1
|
+
| ID | Название метрики | Anti-Pattern (Vulnerable Code/YAML) | Safe-Pattern (Remediation) | Stack | Источник fix_template | Exploit scenario |
|
|
2
|
+
|---|---|---|---|---|---|---|
|
|
3
|
+
| PHPX-001 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
4
|
+
| PHPX-002 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
5
|
+
| PHPX-003 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
6
|
+
| PHPX-004 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
7
|
+
| PHPX-005 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
8
|
+
| PHPX-006 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
9
|
+
| PHPX-007 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
10
|
+
| PHPX-008 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
11
|
+
| PHPX-009 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
12
|
+
| PHPX-010 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
13
|
+
| PHPX-011 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
14
|
+
| PHPX-012 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
15
|
+
| PHPX-013 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
16
|
+
| PHPX-014 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
17
|
+
| PHPX-015 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
18
|
+
| PHPX-016 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
19
|
+
| PHPX-017 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
20
|
+
| PHPX-018 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
21
|
+
| PHPX-019 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
22
|
+
| PHPX-020 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
23
|
+
| PHPX-021 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
24
|
+
| PHPX-022 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
25
|
+
| PHPX-023 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
26
|
+
| PHPX-024 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
27
|
+
| PHPX-025 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
28
|
+
| PHPX-026 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
29
|
+
| PHPX-027 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
30
|
+
| PHPX-028 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
31
|
+
| PHPX-029 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
32
|
+
| PHPX-030 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
33
|
+
| PHPX-031 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
34
|
+
| PHPX-032 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
35
|
+
| PHPX-033 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
36
|
+
| PHPX-034 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
37
|
+
| PHPX-035 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
38
|
+
| PHPX-036 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
39
|
+
| PHPX-037 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
40
|
+
| PHPX-038 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
41
|
+
| PHPX-039 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
42
|
+
| PHPX-040 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
43
|
+
| PHPX-041 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
44
|
+
| PHPX-042 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
45
|
+
| PHPX-043 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
46
|
+
| PHPX-044 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
47
|
+
| PHPX-045 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
48
|
+
| PHPX-046 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
49
|
+
| PHPX-047 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
50
|
+
| PHPX-048 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
51
|
+
| PHPX-049 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
52
|
+
| PHPX-050 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
53
|
+
| PHPX-051 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
54
|
+
| PHPX-052 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
55
|
+
| PHPX-053 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
56
|
+
| PHPX-054 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
57
|
+
| PHPX-055 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
58
|
+
| PHPX-056 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
59
|
+
| PHPX-057 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
60
|
+
| PHPX-058 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
61
|
+
| PHPX-059 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
62
|
+
| PHPX-060 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
63
|
+
| PHPX-061 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
64
|
+
| PHPX-062 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
65
|
+
| PHPX-063 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
66
|
+
| PHPX-064 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
67
|
+
| PHPX-065 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
68
|
+
| PHPX-066 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
69
|
+
| PHPX-067 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
70
|
+
| PHPX-068 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
71
|
+
| PHPX-069 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
72
|
+
| PHPX-070 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
73
|
+
| PHPX-071 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
74
|
+
| PHPX-072 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
75
|
+
| PHPX-073 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
76
|
+
| PHPX-074 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
77
|
+
| PHPX-075 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
78
|
+
| PHPX-076 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
79
|
+
| PHPX-077 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
80
|
+
| PHPX-078 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
81
|
+
| PHPX-079 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
82
|
+
| PHPX-080 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
83
|
+
| PHPX-081 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
84
|
+
| PHPX-082 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
85
|
+
| PHPX-083 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
86
|
+
| PHPX-084 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
87
|
+
| PHPX-085 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
88
|
+
| PHPX-086 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
89
|
+
| PHPX-087 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
90
|
+
| PHPX-088 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
91
|
+
| PHPX-089 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
92
|
+
| PHPX-090 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
93
|
+
| PHPX-091 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
94
|
+
| PHPX-092 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
95
|
+
| PHPX-093 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
96
|
+
| PHPX-094 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
97
|
+
| PHPX-095 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
98
|
+
| PHPX-096 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
99
|
+
| PHPX-097 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
100
|
+
| PHPX-098 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
101
|
+
| PHPX-099 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
102
|
+
| PHPX-100 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
103
|
+
| PHPX-101 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
104
|
+
| PHPX-102 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
105
|
+
| PHPX-103 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
106
|
+
| PHPX-104 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
107
|
+
| PHPX-105 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
108
|
+
| PHPX-106 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
109
|
+
| PHPX-107 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
110
|
+
| PHPX-108 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
111
|
+
| PHPX-109 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
112
|
+
| PHPX-110 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
113
|
+
| PHPX-111 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
114
|
+
| PHPX-112 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
115
|
+
| PHPX-113 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
116
|
+
| PHPX-114 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
117
|
+
| PHPX-115 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
118
|
+
| PHPX-116 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
119
|
+
| PHPX-117 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
120
|
+
| PHPX-118 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
121
|
+
| PHPX-119 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
122
|
+
| PHPX-120 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
123
|
+
| PHPX-121 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
124
|
+
| PHPX-122 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
125
|
+
| PHPX-123 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
126
|
+
| PHPX-124 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
127
|
+
| PHPX-125 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
128
|
+
| PHPX-126 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
129
|
+
| PHPX-127 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
130
|
+
| PHPX-128 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
131
|
+
| PHPX-129 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
132
|
+
| PHPX-130 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
133
|
+
| PHPX-131 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
134
|
+
| PHPX-132 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
135
|
+
| PHPX-133 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
136
|
+
| PHPX-134 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
137
|
+
| PHPX-135 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
138
|
+
| PHPX-136 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
139
|
+
| PHPX-137 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
140
|
+
| PHPX-138 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
141
|
+
| PHPX-139 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
142
|
+
| PHPX-140 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
143
|
+
| PHPX-141 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
144
|
+
| PHPX-142 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
145
|
+
| PHPX-143 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
146
|
+
| PHPX-144 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
147
|
+
| PHPX-145 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
148
|
+
| PHPX-146 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
149
|
+
| PHPX-147 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
150
|
+
| PHPX-148 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
151
|
+
| PHPX-149 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
152
|
+
| PHPX-150 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
153
|
+
| PHPX-151 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
154
|
+
| PHPX-152 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
155
|
+
| PHPX-153 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
156
|
+
| PHPX-154 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
157
|
+
| PHPX-155 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
158
|
+
| PHPX-156 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
159
|
+
| PHPX-157 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
160
|
+
| PHPX-158 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
161
|
+
| PHPX-159 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
162
|
+
| PHPX-160 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
163
|
+
| PHPX-161 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
164
|
+
| PHPX-162 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
165
|
+
| PHPX-163 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
166
|
+
| PHPX-164 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
167
|
+
| PHPX-165 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
168
|
+
| PHPX-166 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
169
|
+
| PHPX-167 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
170
|
+
| PHPX-168 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
171
|
+
| PHPX-169 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
172
|
+
| PHPX-170 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
173
|
+
| PHPX-171 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
174
|
+
| PHPX-172 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
175
|
+
| PHPX-173 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
176
|
+
| PHPX-174 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
177
|
+
| PHPX-175 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
178
|
+
| PHPX-176 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
179
|
+
| PHPX-177 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
180
|
+
| PHPX-178 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
181
|
+
| PHPX-179 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
182
|
+
| PHPX-180 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
183
|
+
| PHPX-181 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
184
|
+
| PHPX-182 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
185
|
+
| PHPX-183 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
186
|
+
| PHPX-184 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
187
|
+
| PHPX-185 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
188
|
+
| PHPX-186 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
189
|
+
| PHPX-187 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
190
|
+
| PHPX-188 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
191
|
+
| PHPX-189 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
192
|
+
| PHPX-190 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
193
|
+
| PHPX-191 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
194
|
+
| PHPX-192 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
195
|
+
| PHPX-193 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
196
|
+
| PHPX-194 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
197
|
+
| PHPX-195 | Symfony Twig render with untrusted template source | `$twig->createTemplate($request->get('tpl'))->render($ctx);` | `$twig->render('safe/' . $name . '.html.twig', $ctx);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | User-controlled template source can execute server-side template payloads. |
|
|
198
|
+
| PHPX-196 | Classic PHP unserialize on untrusted input | `$obj = unserialize($_POST['payload']);` | `$obj = json_decode($_POST['payload'], true, 512, JSON_THROW_ON_ERROR);` | PHP/Laravel/Symfony | CWE-502 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Deserialization gadgets may trigger arbitrary code paths during object hydration. |
|
|
199
|
+
| PHPX-197 | Symfony Form directly maps privileged fields (Logic: strong) | `$form->submit($request->request->all());` | `$form->submit($request->request->only(['email','displayName']));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Over-posting maps attacker fields into protected entity properties. |
|
|
200
|
+
| PHPX-198 | PHP eval on request expression | `$result = eval('return ' . $_GET['expr'] . ';');` | `$result = safe_math_eval($_GET['expr']);` | PHP/Laravel/Symfony | CWE-94 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Evaluating attacker-controlled expression can execute arbitrary PHP code. |
|
|
201
|
+
| PHPX-199 | Laravel Eloquent raw SQL interpolation (Logic: strong) | `User::whereRaw("email = '$email'")->first();` | `User::where("email", $email)->first();` | PHP/Laravel/Symfony | CWE-89 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Raw SQL interpolation in Eloquent allows attacker-controlled SQL fragments. |
|
|
202
|
+
| PHPX-200 | Laravel mass assignment with unguarded model (Logic: strong) | `User::create($request->all());` | `User::create($request->only(["email","display_name"]));` | PHP/Laravel/Symfony | CWE-915 | Autofix: replace dynamic unsafe construct with strict allowlist and framework-safe API. | Broad input binding enables privilege field overwrite in model attributes. |
|
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
# RU Regulatory (152-FZ / КИИ)
|
|
2
|
+
|
|
3
|
+
## Stack overview
|
|
4
|
+
|
|
5
|
+
Russian regulatory controls for PII logging (152-FZ), data residency/anonymization before foreign AI APIs, GOST / certified crypto usage inside KII, and import substitution portability. Metrics are prefixed **`RRC`**.
|
|
6
|
+
|
|
7
|
+
## Top threats
|
|
8
|
+
|
|
9
|
+
- Logging PII to stdout or external log systems (`RRC-001`).
|
|
10
|
+
- Sending PII to foreign APIs (OpenAI/Claude) without anonymization (`RRC-002`).
|
|
11
|
+
- Non-certified / unsafe crypto libraries in the KII contour (`RRC-003`).
|
|
12
|
+
- Hardcoded cloud metadata (e.g. AWS IMDS) hurting migration/import substitution (`RRC-004`).
|
|
13
|
+
|
|
14
|
+
## Pattern catalog
|
|
15
|
+
|
|
16
|
+
Complete Anti-Pattern / Safe-Pattern definitions live in [`patterns.md`](patterns.md). The table below is a **table of contents** by metric ID.
|
|
17
|
+
|
|
18
|
+
| ID | Metric | Stack |
|
|
19
|
+
|---|---|---|
|
|
20
|
+
| `RRC-001` | 152-ФЗ: PII в stdout / внешние логи | Использовать редактирование/маскирование до логирования (например, `redact_email`, `redact_snils`), а также уровень логов без PII по умолчанию. |
|
|
21
|
+
| `RRC-002` | Data Residency: ПДн в зарубежные API без обезличивания | Обезличить/агрегировать ПДн перед отправкой, отделить идентификаторы и payload, добавить контроль/аудит передачи данных. |
|
|
22
|
+
| `RRC-003` | GOST: небезопасные/несертифицированные крипто-библиотеки | Использовать сертифицированные средства криптографии / GOST-совместимые библиотеки, соответствующие требованиям контура КИИ. |
|
|
23
|
+
| `RRC-004` | Import Substitution: hardcoded cloud metadata | Уйти от hardcoded metadata: использовать абстракции конфигурации/переменные окружения и единый механизм discovery для целевого облака. |
|
|
24
|
+
| `RRC-005` | Foreign DNS/NTP | Использовать российские или внутренние корпоративные DNS/NTP резолверы (например, `10.0.0.53`, `ntp.local`). |
|
|
25
|
+
| `RRC-006` | Insecure External Repositories | В CI/CD разрешать только доверенные внутренние зеркала/репозитории артефактов (Nexus/Artifactory/internal registry). |
|
|
26
|
+
| `RRC-007` | Information Leakage in Errors | Возвращать обобщенное сообщение пользователю; детали и stacktrace писать только во внутренние журналы. |
|
|
27
|
+
| `RRC-008` | Missing Security Audit | Централизованно логировать неудачные входы, смену паролей и чувствительные события безопасности (SIEM/audit bus). |
|
|
28
|
+
| `RRC-009` | Unsigned binary execution | Перед запуском проверять цифровую подпись/доверенную цепочку и хэш (особенно на критических узлах). |
|
|
29
|
+
| `RRC-010` | Insecure Data Deletion | Перед удалением перезаписать файл нулями/случайными данными, затем удалить (`fsync` + `remove`) с учетом политики хранения. |
|
|
30
|
+
| `RRC-011` | Banned Functions (Security Policy) | Использовать `subprocess.run([...], shell=False, check=True)` с фиксированным whitelist аргументов. |
|
|
31
|
+
| `RRC-012` | Missing Config Integrity Check | Проверять SHA-256/HMAC целостность конфигурации при старте; при mismatch — fail closed и аудит-событие. |
|
|
32
|
+
| `RRC-013` | ГОСТ 57580.1 / ЦБ: "мясные" учетки вместо УДИ/УДА токенов | Использовать токены УДИ/УДА (OIDC/OAuth2, client credentials, mTLS-bound tokens), запрет static user/pass в интеграциях и сервис-аккаунтах. |
|
|
33
|
+
| `RRC-014` | ЦБ: Недостаточная аутентификация интеграций (нет токен-ротации) | Обязательная короткоживущая токен-модель, ротация, revoke/introspection, аудит выдачи и использования токенов. |
|
|
34
|
+
| `RRC-015` | FAPI.SEC/PAOK: запрет Implicit Flow, обязательный Code+PKCE+mTLS | Использовать Authorization Code Flow + PKCE, а для межсервисного взаимодействия включать mTLS (client cert/key) и проверку FAPI-профиля. |
|
|
35
|
+
| `RRC-016` | Docker Root: запуск контейнера от root | Явно создавать непривилегированного пользователя и переключаться на него (`RUN useradd -m appuser`, `USER appuser`). |
|
|
36
|
+
| `RRC-017` | Vault/ESO: запрет hardcoded Secret, требование ExternalSecret | Использовать `kind: ExternalSecret` (ESO) + backend Vault; исключить plaintext секреты в Git/YAML. |
|
|
37
|
+
| `RRC-018` | Tech Stack: запрет drop-технологий в новых сервисах | Для новых микросервисов использовать поддерживаемый стек (Python >= 3.10, без legacy PHP), фиксировать baseline в архитектурном стандарте. |
|
|
38
|
+
| `RRC-019` | Клинкер/Keycloak: обязательный auth middleware для внутренних API | Все внутренние API должны проходить через middleware аутентификации Keycloak (`VerifyToken`/аналог), deny-by-default. |
|
|
39
|
+
| `RRC-020` | Целостность КИИ: контрольные суммы исполняемых файлов и конфигов перед стартом | Перед запуском проверять SHA-256/ГОСТ-хэш исполняемого файла и критичных конфигов; при mismatch — fail closed и аудит-событие (Приказ 239). |
|
|
40
|
+
| `RRC-021` | СЗИ-контроль: отсутствие проверки состояния AV/IDS в контуре | Перед запуском проверять наличие и работоспособность СЗИ (антивирус, IDS/IPS, EDR агент), логировать статус и блокировать старт при критическом отказе. |
|
|
41
|
+
| `RRC-022` | SDL/ГОСТ Р 56939: результаты статанализа не фиксируются в логах сборки | Обязательная фиксация результатов SAST/SCA в артефактах CI (лог/отчет), подпись и хранение для аудита SDL по ГОСТ Р 56939. |
|
|
42
|
+
| `RRC-023` | Key Rotation: отсутствует `rotation_period` в Vault/KMS политиках | Для криптографических ключей задать и контролировать `rotation_period`, автоматическую ротацию и журналировать события смены ключей. |
|
|
43
|
+
| `RRC-024` | Anti-Overlay/Integrity: нет CSP и контроля целостности UI | Включить строгий CSP, SRI для внешних скриптов и проверки целостности DOM/critical forms для защиты ДБО от overlay/injection атак. |
|
|
44
|
+
| `RRC-025` | Payment Control: неизменность реквизитов между create и sign не контролируется | Фиксировать hash реквизитов на этапе create и сравнивать перед sign/submit; при несовпадении — reject + audit event. |
|
|
45
|
+
| `RRC-026` | Post-Quantum Readiness: отсутствует стратегия крипто-миграции | Вести инвентаризацию криптопримитивов, план гибридных схем и процедуру миграции ключей/сертификатов под PQ-ready профиль. |
|
|
46
|
+
|
|
47
|
+
## Verification
|
|
48
|
+
|
|
49
|
+
**Verification:** Check the gold testbed file(s) below for `Vulnerable: <ID>` markers (static Semgrep + `detection-matrix.md` ground truth).
|
|
50
|
+
|
|
51
|
+
- [`gold-standard-testbed/ru_regulatory_vulnerable.py`](../gold-standard-testbed/ru_regulatory_vulnerable.py)
|
|
52
|
+
|
|
53
|
+
After changing [`patterns.md`](patterns.md), run from the repo root:
|
|
54
|
+
|
|
55
|
+
```bash
|
|
56
|
+
python scripts/sync_semgrep.py
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
## Workflow: Recon → Scan → Verify
|
|
60
|
+
|
|
61
|
+
### 1) Recon
|
|
62
|
+
- Map entrypoints, data flows, and trust boundaries for this stack.
|
|
63
|
+
- Identify which metrics in [`patterns.md`](patterns.md) apply to the code under review.
|
|
64
|
+
|
|
65
|
+
### 2) Scan
|
|
66
|
+
- Run Semgrep with `semgrep-rules/<skill>.yaml` (generated) and correlate with Anti-Patterns.
|
|
67
|
+
- Eliminate findings that cannot bind to a metric row.
|
|
68
|
+
|
|
69
|
+
### 3) Verify
|
|
70
|
+
- Confirm markers or scanner hits for touched IDs in the gold testbed when adding metrics.
|
|
71
|
+
- Emit findings as `Vulnerable: <PREFIX>-<NNN>` in written reviews.
|
|
72
|
+
|