agent-security-scanner-mcp 1.1.2 → 1.3.0

package/rules/php.security.yaml

@@ -0,0 +1,461 @@
+rules:
+  # =============================================================================
+  # PHP SECURITY RULES - SQL Injection
+  # =============================================================================
+
+  - id: php.lang.security.audit.sql-injection-query
+    languages: [php]
+    severity: ERROR
+    message: "SQL Injection detected. User input flows into SQL query. Use prepared statements with PDO or mysqli."
+    patterns:
+      - "\\$.*->query\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "mysql_query\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "mysqli_query\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "pg_query\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)"
+    metadata:
+      cwe: "CWE-89"
+      owasp: "A03:2021 - Injection"
+      confidence: HIGH
+      likelihood: HIGH
+      impact: HIGH
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+
+  - id: php.lang.security.audit.sql-injection-sprintf
+    languages: [php]
+    severity: ERROR
+    message: "SQL Injection via sprintf. Use prepared statements instead of string formatting."
+    patterns:
+      - "sprintf\\s*\\(\\s*[\"']\\s*(SELECT|INSERT|UPDATE|DELETE|DROP)"
+      - "\\$sql\\s*=\\s*[\"'][^\"']*\\$"
+    metadata:
+      cwe: "CWE-89"
+      owasp: "A03:2021 - Injection"
+      confidence: MEDIUM
+      references:
+        - https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string
+
+  # =============================================================================
+  # PHP SECURITY RULES - Command Injection
+  # =============================================================================
+
+  - id: php.lang.security.audit.command-injection-exec
+    languages: [php]
+    severity: ERROR
+    message: "Command Injection detected. User input flows into exec/system/shell_exec. Use escapeshellarg() or escapeshellcmd()."
+    patterns:
+      - "exec\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "system\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "shell_exec\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "passthru\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "popen\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "proc_open\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)"
+    metadata:
+      cwe: "CWE-78"
+      owasp: "A03:2021 - Injection"
+      confidence: HIGH
+      likelihood: HIGH
+      impact: HIGH
+      references:
+        - https://semgrep.dev/r/php.lang.security.injection.tainted-exec
+
+  - id: php.lang.security.audit.backticks-exec
+    languages: [php]
+    severity: ERROR
+    message: "Command execution via backticks detected. Use escapeshellarg() for user input."
+    patterns:
+      - "`[^`]*\\$_(GET|POST|REQUEST|COOKIE)[^`]*`"
+      - "`[^`]*\\$[a-zA-Z_][^`]*`"
+    metadata:
+      cwe: "CWE-78"
+      owasp: "A03:2021 - Injection"
+      confidence: MEDIUM
+      references:
+        - https://semgrep.dev/r/php.lang.security.audit.backticks-use
+
+  # =============================================================================
+  # PHP SECURITY RULES - Code Injection
+  # =============================================================================
+
+  - id: php.lang.security.audit.eval-usage
+    languages: [php]
+    severity: ERROR
+    message: "eval() usage detected. Avoid eval() as it can execute arbitrary code."
+    patterns:
+      - "\\beval\\s*\\("
+    metadata:
+      cwe: "CWE-95"
+      owasp: "A03:2021 - Injection"
+      confidence: HIGH
+      references:
+        - https://semgrep.dev/r/php.lang.security.audit.eval-use
+
+  - id: php.lang.security.audit.assert-usage
+    languages: [php]
+    severity: WARNING
+    message: "assert() with string argument can execute code. Use boolean expressions instead."
+    patterns:
+      - "assert\\s*\\(\\s*[\"']"
+      - "assert\\s*\\(\\s*\\$"
+    metadata:
+      cwe: "CWE-95"
+      owasp: "A03:2021 - Injection"
+      confidence: MEDIUM
+      references:
+        - https://semgrep.dev/r/php.lang.security.audit.assert-use
+
+  - id: php.lang.security.audit.preg-code-exec
+    languages: [php]
+    severity: ERROR
+    message: "preg_replace with /e modifier allows code execution. Use preg_replace_callback() instead."
+    patterns:
+      - "preg_replace\\s*\\(\\s*[\"']/[^/]*/[a-z]*e"
+    metadata:
+      cwe: "CWE-95"
+      owasp: "A03:2021 - Injection"
+      confidence: HIGH
+      references:
+        - https://owasp.org/www-community/attacks/Code_Injection
+
+  # =============================================================================
+  # PHP SECURITY RULES - File Inclusion
+  # =============================================================================
+
+  - id: php.lang.security.audit.file-inclusion
+    languages: [php]
+    severity: ERROR
+    message: "File inclusion vulnerability. User input used in include/require. Validate and sanitize file paths."
+    patterns:
+      - "include\\s*\\(?\\s*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "include_once\\s*\\(?\\s*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "require\\s*\\(?\\s*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "require_once\\s*\\(?\\s*\\$_(GET|POST|REQUEST|COOKIE)"
+    metadata:
+      cwe: "CWE-98"
+      owasp: "A03:2021 - Injection"
+      confidence: HIGH
+      likelihood: HIGH
+      impact: HIGH
+      references:
+        - https://semgrep.dev/r/php.lang.security.audit.file-inclusion
+
+  # =============================================================================
+  # PHP SECURITY RULES - XSS
+  # =============================================================================
+
+  - id: php.lang.security.audit.xss-echo
+    languages: [php]
+    severity: ERROR
+    message: "XSS vulnerability. User input echoed without escaping. Use htmlspecialchars() or htmlentities()."
+    patterns:
+      - "echo\\s+\\$_(GET|POST|REQUEST|COOKIE)"
+      - "print\\s+\\$_(GET|POST|REQUEST|COOKIE)"
+      - "print_r\\s*\\(\\s*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "<\\?=\\s*\\$_(GET|POST|REQUEST|COOKIE)"
+    metadata:
+      cwe: "CWE-79"
+      owasp: "A03:2021 - Injection"
+      confidence: HIGH
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+
+  # =============================================================================
+  # PHP SECURITY RULES - Deserialization
+  # =============================================================================
+
+  - id: php.lang.security.audit.unsafe-unserialize
+    languages: [php]
+    severity: ERROR
+    message: "Unsafe deserialization detected. unserialize() on user input can lead to RCE. Use JSON instead."
+    patterns:
+      - "unserialize\\s*\\(\\s*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "unserialize\\s*\\(\\s*file_get_contents"
+      - "unserialize\\s*\\(\\s*\\$"
+    metadata:
+      cwe: "CWE-502"
+      owasp: "A08:2021 - Software and Data Integrity Failures"
+      confidence: HIGH
+      likelihood: HIGH
+      impact: HIGH
+      references:
+        - https://semgrep.dev/r/php.lang.security.audit.unserialize-use
+
+  # =============================================================================
+  # PHP SECURITY RULES - Cryptography
+  # =============================================================================
+
+  - id: php.lang.security.audit.weak-hash-md5
+    languages: [php]
+    severity: WARNING
+    message: "MD5 is cryptographically weak. Use password_hash() for passwords or hash('sha256', ...) for checksums."
+    patterns:
+      - "\\bmd5\\s*\\("
+      - "hash\\s*\\(\\s*[\"']md5[\"']"
+    metadata:
+      cwe: "CWE-328"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: HIGH
+      references:
+        - https://semgrep.dev/r/php.lang.security.audit.md5-used-as-password
+
+  - id: php.lang.security.audit.weak-hash-sha1
+    languages: [php]
+    severity: WARNING
+    message: "SHA1 is cryptographically weak. Use hash('sha256', ...) or stronger algorithms."
+    patterns:
+      - "\\bsha1\\s*\\("
+      - "hash\\s*\\(\\s*[\"']sha1[\"']"
+    metadata:
+      cwe: "CWE-328"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: HIGH
+      references:
+        - https://owasp.org/www-project-web-security-testing-guide/
+
+  - id: php.lang.security.audit.mcrypt-deprecated
+    languages: [php]
+    severity: WARNING
+    message: "mcrypt is deprecated and removed in PHP 7.2+. Use OpenSSL instead."
+    patterns:
+      - "mcrypt_encrypt\\s*\\("
+      - "mcrypt_decrypt\\s*\\("
+      - "mcrypt_create_iv\\s*\\("
+    metadata:
+      cwe: "CWE-327"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: HIGH
+      references:
+        - https://semgrep.dev/r/php.lang.security.audit.mcrypt-use
+
+  - id: php.lang.security.audit.weak-random
+    languages: [php]
+    severity: WARNING
+    message: "Weak random number generator. Use random_bytes() or random_int() for security-sensitive operations."
+    patterns:
+      - "\\brand\\s*\\("
+      - "\\bmt_rand\\s*\\("
+      - "\\bsrand\\s*\\("
+      - "\\bmt_srand\\s*\\("
+    metadata:
+      cwe: "CWE-330"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: MEDIUM
+      references:
+        - https://www.php.net/manual/en/function.random-int.php
+
+  # =============================================================================
+  # PHP SECURITY RULES - SSL/TLS
+  # =============================================================================
+
+  - id: php.lang.security.audit.curl-ssl-disabled
+    languages: [php]
+    severity: ERROR
+    message: "SSL verification disabled in cURL. This allows MITM attacks. Set CURLOPT_SSL_VERIFYPEER to true."
+    patterns:
+      - "CURLOPT_SSL_VERIFYPEER\\s*,\\s*(false|0|FALSE)"
+      - "CURLOPT_SSL_VERIFYHOST\\s*,\\s*(false|0|FALSE)"
+    metadata:
+      cwe: "CWE-295"
+      owasp: "A07:2021 - Identification and Authentication Failures"
+      confidence: HIGH
+      references:
+        - https://semgrep.dev/r/php.lang.security.audit.curl-ssl-verifypeer-off
+
+  # =============================================================================
+  # PHP SECURITY RULES - SSRF
+  # =============================================================================
+
+  - id: php.lang.security.audit.ssrf
+    languages: [php]
+    severity: ERROR
+    message: "SSRF vulnerability. User input used in URL fetch. Validate and whitelist URLs."
+    patterns:
+      - "file_get_contents\\s*\\(\\s*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "curl_setopt\\s*\\([^,]*,\\s*CURLOPT_URL\\s*,\\s*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "fopen\\s*\\(\\s*\\$_(GET|POST|REQUEST|COOKIE)"
+    metadata:
+      cwe: "CWE-918"
+      owasp: "A10:2021 - Server-Side Request Forgery"
+      confidence: HIGH
+      references:
+        - https://semgrep.dev/r/php.lang.security.audit.php-ssrf
+
+  # =============================================================================
+  # PHP SECURITY RULES - Path Traversal
+  # =============================================================================
+
+  - id: php.lang.security.audit.path-traversal
+    languages: [php]
+    severity: ERROR
+    message: "Path traversal vulnerability. User input in file path. Use basename() and validate paths."
+    patterns:
+      - "file_get_contents\\s*\\([^)]*\\.\\./"
+      - "fopen\\s*\\([^)]*\\.\\./"
+      - "readfile\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "file_put_contents\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)"
+    metadata:
+      cwe: "CWE-22"
+      owasp: "A01:2021 - Broken Access Control"
+      confidence: HIGH
+      references:
+        - https://owasp.org/www-community/attacks/Path_Traversal
+
+  # =============================================================================
+  # PHP SECURITY RULES - Open Redirect
+  # =============================================================================
+
+  - id: php.lang.security.audit.open-redirect
+    languages: [php]
+    severity: WARNING
+    message: "Open redirect vulnerability. User input in redirect. Validate redirect URLs against whitelist."
+    patterns:
+      - "header\\s*\\(\\s*[\"']Location:\\s*[\"']\\s*\\.\\s*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "header\\s*\\(\\s*[\"']Location:\\s*\\$_(GET|POST|REQUEST|COOKIE)"
+    metadata:
+      cwe: "CWE-601"
+      owasp: "A01:2021 - Broken Access Control"
+      confidence: HIGH
+      references:
+        - https://semgrep.dev/r/php.lang.security.audit.redirect-to-request-uri
+
+  # =============================================================================
+  # PHP SECURITY RULES - LDAP Injection
+  # =============================================================================
+
+  - id: php.lang.security.audit.ldap-injection
+    languages: [php]
+    severity: ERROR
+    message: "LDAP Injection detected. User input in LDAP query. Escape special characters."
+    patterns:
+      - "ldap_search\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)"
+      - "ldap_bind\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)"
+    metadata:
+      cwe: "CWE-90"
+      owasp: "A03:2021 - Injection"
+      confidence: HIGH
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
+
+  # =============================================================================
+  # PHP SECURITY RULES - XXE
+  # =============================================================================
+
+  - id: php.lang.security.audit.xxe
+    languages: [php]
+    severity: ERROR
+    message: "XXE vulnerability. External entities enabled in XML parsing. Use libxml_disable_entity_loader(true)."
+    patterns:
+      - "simplexml_load_string\\s*\\("
+      - "simplexml_load_file\\s*\\("
+      - "DOMDocument\\s*\\(\\)->loadXML"
+      - "new\\s+SimpleXMLElement\\s*\\("
+    metadata:
+      cwe: "CWE-611"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: MEDIUM
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
+
+  # =============================================================================
+  # PHP SECURITY RULES - Hardcoded Credentials
+  # =============================================================================
+
+  - id: php.lang.security.audit.hardcoded-password
+    languages: [php]
+    severity: ERROR
+    message: "Hardcoded password detected. Use environment variables or secure configuration."
+    patterns:
+      - "\\$password\\s*=\\s*[\"'][^\"']{4,}[\"']"
+      - "\\$pass\\s*=\\s*[\"'][^\"']{4,}[\"']"
+      - "\\$pwd\\s*=\\s*[\"'][^\"']{4,}[\"']"
+      - "\\$secret\\s*=\\s*[\"'][^\"']{4,}[\"']"
+      - "'password'\\s*=>\\s*[\"'][^\"']{4,}[\"']"
+    metadata:
+      cwe: "CWE-798"
+      owasp: "A07:2021 - Identification and Authentication Failures"
+      confidence: MEDIUM
+      references:
+        - https://semgrep.dev/r/php.lang.security.audit.hardcoded-credentials
+
+  - id: php.lang.security.audit.hardcoded-api-key
+    languages: [php]
+    severity: ERROR
+    message: "Hardcoded API key detected. Use environment variables."
+    patterns:
+      - "\\$api_key\\s*=\\s*[\"'][a-zA-Z0-9_-]{20,}[\"']"
+      - "\\$apiKey\\s*=\\s*[\"'][a-zA-Z0-9_-]{20,}[\"']"
+      - "'api_key'\\s*=>\\s*[\"'][a-zA-Z0-9_-]{20,}[\"']"
+      - "Authorization.*Bearer\\s+[a-zA-Z0-9_-]{20,}"
+    metadata:
+      cwe: "CWE-798"
+      owasp: "A07:2021 - Identification and Authentication Failures"
+      confidence: HIGH
+      references:
+        - https://owasp.org/www-project-web-security-testing-guide/
+
+  # =============================================================================
+  # PHP SECURITY RULES - Information Disclosure
+  # =============================================================================
+
+  - id: php.lang.security.audit.phpinfo-exposure
+    languages: [php]
+    severity: WARNING
+    message: "phpinfo() exposes sensitive server information. Remove from production code."
+    patterns:
+      - "\\bphpinfo\\s*\\("
+    metadata:
+      cwe: "CWE-200"
+      owasp: "A01:2021 - Broken Access Control"
+      confidence: HIGH
+      references:
+        - https://semgrep.dev/r/php.lang.security.audit.phpinfo-use
+
+  - id: php.lang.security.audit.error-display
+    languages: [php]
+    severity: WARNING
+    message: "Error display enabled. Disable display_errors in production to prevent information leakage."
+    patterns:
+      - "ini_set\\s*\\(\\s*[\"']display_errors[\"']\\s*,\\s*[\"']?(1|on|true)[\"']?\\s*\\)"
+      - "error_reporting\\s*\\(\\s*E_ALL\\s*\\)"
+    metadata:
+      cwe: "CWE-209"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: HIGH
+      references:
+        - https://www.php.net/manual/en/errorfunc.configuration.php
+
+  # =============================================================================
+  # PHP SECURITY RULES - CORS
+  # =============================================================================
+
+  - id: php.lang.security.audit.permissive-cors
+    languages: [php]
+    severity: WARNING
+    message: "Permissive CORS configuration. Wildcard origin allows any site to make requests."
+    patterns:
+      - "header\\s*\\(\\s*[\"']Access-Control-Allow-Origin:\\s*\\*[\"']\\s*\\)"
+      - "Access-Control-Allow-Origin.*\\*"
+    metadata:
+      cwe: "CWE-942"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: HIGH
+      references:
+        - https://semgrep.dev/r/php.lang.security.audit.php-permissive-cors
+
+  # =============================================================================
+  # PHP SECURITY RULES - Session Security
+  # =============================================================================
+
+  - id: php.lang.security.audit.session-fixation
+    languages: [php]
+    severity: WARNING
+    message: "Potential session fixation. Regenerate session ID after authentication with session_regenerate_id(true)."
+    patterns:
+      - "\\$_SESSION\\s*\\[[\"']user[\"']\\]\\s*="
+      - "\\$_SESSION\\s*\\[[\"']logged_in[\"']\\]\\s*=\\s*true"
+    metadata:
+      cwe: "CWE-384"
+      owasp: "A07:2021 - Identification and Authentication Failures"
+      confidence: LOW
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html