getdoorman 1.0.0

package/src/rules/security/php.js

@@ -0,0 +1,1054 @@
+/**
+ * PHP Security Rules (SEC-PHP-001 through SEC-PHP-060)
+ *
+ * Each rule scans PHP source files for security vulnerabilities.
+ */
+
+const isPHP = (f) => f.endsWith('.php');
+
+const SKIP_PATH = /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|__snapshots__|node_modules|vendor|dist|build)[/\\]/i;
+const COMMENT_LINE = /^\s*(\/\/|#|\/\*|\*)/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+function checkPHP(rule, files, ...patterns) {
+  const findings = [];
+  for (const [path, content] of files) {
+    if (SKIP_PATH.test(path)) continue;
+    if (isPHP(path)) {
+      for (const p of patterns) {
+        findings.push(...scanLines(content, p, path, rule));
+      }
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // ===========================================================================
+  // SQL Injection (001–010)
+  // ===========================================================================
+
+  // SEC-PHP-001: SQL injection via string concatenation in mysql_query
+  {
+    id: 'SEC-PHP-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via mysql_query with Concatenation',
+    description: 'Concatenating user input into mysql_query() allows SQL injection.',
+    fix: { suggestion: 'Use PDO prepared statements with parameterized queries.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /mysql_query\s*\(\s*["'].*\.\s*\$/,
+      );
+    },
+  },
+
+  // SEC-PHP-002: SQL injection via mysqli_query with variables
+  {
+    id: 'SEC-PHP-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via mysqli_query with Variable Interpolation',
+    description: 'Using variable interpolation in mysqli_query() enables SQL injection.',
+    fix: { suggestion: 'Use mysqli_prepare() with bind_param() for parameterized queries.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /mysqli_query\s*\(.*["'].*\$_(?:GET|POST|REQUEST|COOKIE)/,
+      );
+    },
+  },
+
+  // SEC-PHP-003: SQL injection via PDO query with interpolation
+  {
+    id: 'SEC-PHP-003',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via PDO::query with Variable Interpolation',
+    description: 'Using string interpolation in PDO::query() bypasses prepared statement protection.',
+    fix: { suggestion: 'Use PDO::prepare() with bindParam() or bindValue().' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /->query\s*\(\s*["'].*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-004: SQL injection via string concatenation with $_GET
+  {
+    id: 'SEC-PHP-004',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via $_GET in Query String',
+    description: 'Directly embedding $_GET values in SQL queries allows injection.',
+    fix: { suggestion: 'Use prepared statements with bound parameters.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /(?:SELECT|INSERT|UPDATE|DELETE).*\.\s*\$_GET/,
+      );
+    },
+  },
+
+  // SEC-PHP-005: SQL injection via $_POST in query
+  {
+    id: 'SEC-PHP-005',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via $_POST in Query String',
+    description: 'Directly embedding $_POST values in SQL queries allows injection.',
+    fix: { suggestion: 'Use prepared statements with bound parameters.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /(?:SELECT|INSERT|UPDATE|DELETE).*\.\s*\$_POST/,
+      );
+    },
+  },
+
+  // SEC-PHP-006: SQL injection via sprintf in query
+  {
+    id: 'SEC-PHP-006',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via sprintf()',
+    description: 'Using sprintf to build SQL queries with user input allows injection.',
+    fix: { suggestion: 'Use prepared statements instead of sprintf for SQL.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /sprintf\s*\(\s*["'](?:SELECT|INSERT|UPDATE|DELETE)/,
+      );
+    },
+  },
+
+  // SEC-PHP-007: SQL injection via $_REQUEST
+  {
+    id: 'SEC-PHP-007',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via $_REQUEST in Query',
+    description: 'Using $_REQUEST in SQL queries allows injection from any request method.',
+    fix: { suggestion: 'Use prepared statements with bound parameters.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /(?:SELECT|INSERT|UPDATE|DELETE).*\.\s*\$_REQUEST/,
+      );
+    },
+  },
+
+  // SEC-PHP-008: SQL injection via order by user input
+  {
+    id: 'SEC-PHP-008',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'SQL Injection via ORDER BY with User Input',
+    description: 'Passing user input to ORDER BY clause allows SQL injection.',
+    fix: { suggestion: 'Whitelist allowed column names for ORDER BY.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /ORDER\s+BY.*\.\s*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-009: SQL injection via LIKE with user input
+  {
+    id: 'SEC-PHP-009',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'SQL Injection via LIKE Clause',
+    description: 'Concatenating user input in LIKE clauses allows SQL injection.',
+    fix: { suggestion: 'Use prepared statements with bound parameters for LIKE.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /LIKE\s+['"]%.*\.\s*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-010: SQL injection via db->query without escaping
+  {
+    id: 'SEC-PHP-010',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via $db->query with Concatenation',
+    description: 'Using $db->query() with concatenated variables allows SQL injection.',
+    fix: { suggestion: 'Use $db->prepare() with parameter binding.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /\$\w+->query\s*\(\s*["'].*\.\s*\$/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // XSS (011–015)
+  // ===========================================================================
+
+  // SEC-PHP-011: XSS via echo with $_GET
+  {
+    id: 'SEC-PHP-011',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'XSS via echo with $_GET',
+    description: 'Echoing $_GET values without escaping enables reflected XSS.',
+    fix: { suggestion: 'Use htmlspecialchars($value, ENT_QUOTES, "UTF-8") before output.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /echo\s+.*\$_GET/,
+      );
+    },
+  },
+
+  // SEC-PHP-012: XSS via echo with $_POST
+  {
+    id: 'SEC-PHP-012',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'XSS via echo with $_POST',
+    description: 'Echoing $_POST values without escaping enables XSS.',
+    fix: { suggestion: 'Use htmlspecialchars() before outputting user input.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /echo\s+.*\$_POST/,
+      );
+    },
+  },
+
+  // SEC-PHP-013: XSS via print with user input
+  {
+    id: 'SEC-PHP-013',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'XSS via print with User Input',
+    description: 'Using print with unescaped user input enables XSS.',
+    fix: { suggestion: 'Use htmlspecialchars() before outputting user input.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /print\s+.*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-014: XSS via printf/sprintf output
+  {
+    id: 'SEC-PHP-014',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'XSS via printf with User Input',
+    description: 'Using printf with unescaped user input in HTML context enables XSS.',
+    fix: { suggestion: 'Use htmlspecialchars() on user input before passing to printf.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /printf\s*\(.*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-015: XSS via $_REQUEST echo
+  {
+    id: 'SEC-PHP-015',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'XSS via echo with $_REQUEST',
+    description: 'Echoing $_REQUEST without escaping enables XSS from any input source.',
+    fix: { suggestion: 'Use htmlspecialchars() before outputting user input.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /echo\s+.*\$_REQUEST/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // Command Injection (016–020)
+  // ===========================================================================
+
+  // SEC-PHP-016: Command injection via exec()
+  {
+    id: 'SEC-PHP-016',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via exec()',
+    description: 'Passing user input to exec() allows arbitrary command execution.',
+    fix: { suggestion: 'Use escapeshellarg() and escapeshellcmd() on all user inputs.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /\bexec\s*\(.*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-017: Command injection via system()
+  {
+    id: 'SEC-PHP-017',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via system()',
+    description: 'Passing user input to system() allows arbitrary command execution.',
+    fix: { suggestion: 'Use escapeshellarg() on all user-provided arguments.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /\bsystem\s*\(.*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-018: Command injection via shell_exec()
+  {
+    id: 'SEC-PHP-018',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via shell_exec()',
+    description: 'Passing user input to shell_exec() allows arbitrary command execution.',
+    fix: { suggestion: 'Use escapeshellarg() and avoid shell_exec with user input.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /shell_exec\s*\(.*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-019: Command injection via passthru()
+  {
+    id: 'SEC-PHP-019',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via passthru()',
+    description: 'Passing user input to passthru() allows arbitrary command execution.',
+    fix: { suggestion: 'Use escapeshellarg() on all user inputs passed to passthru().' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /passthru\s*\(.*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-020: Command injection via backtick operator
+  {
+    id: 'SEC-PHP-020',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via Backtick Operator',
+    description: 'Using backtick operator with user input allows arbitrary command execution.',
+    fix: { suggestion: 'Avoid backtick operator; use escapeshellarg() with exec() instead.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /`[^`]*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // File Inclusion (021–025)
+  // ===========================================================================
+
+  // SEC-PHP-021: Local file inclusion via include
+  {
+    id: 'SEC-PHP-021',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Local File Inclusion via include()',
+    description: 'Using include() with user input allows including arbitrary files.',
+    fix: { suggestion: 'Whitelist allowed files and validate against a fixed set of paths.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /\binclude\s*\(?\s*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-022: Local file inclusion via require
+  {
+    id: 'SEC-PHP-022',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Local File Inclusion via require()',
+    description: 'Using require() with user input allows including arbitrary files.',
+    fix: { suggestion: 'Whitelist allowed files and use a map of safe paths.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /\brequire\s*\(?\s*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-023: File inclusion via include_once with variable
+  {
+    id: 'SEC-PHP-023',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'File Inclusion via include_once with Variable',
+    description: 'Using include_once with user-controlled variable allows file inclusion.',
+    fix: { suggestion: 'Validate file paths against a whitelist before inclusion.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /include_once\s*\(?\s*\$/,
+      );
+    },
+  },
+
+  // SEC-PHP-024: Remote file inclusion via allow_url_include
+  {
+    id: 'SEC-PHP-024',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Remote File Inclusion Enabled',
+    description: 'Setting allow_url_include=On enables remote file inclusion attacks.',
+    fix: { suggestion: 'Set allow_url_include=Off in php.ini.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /allow_url_include\s*=\s*(?:On|1|true)/i,
+      );
+    },
+  },
+
+  // SEC-PHP-025: File inclusion via require_once with variable
+  {
+    id: 'SEC-PHP-025',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'File Inclusion via require_once with Variable',
+    description: 'Using require_once with user-controlled variable allows file inclusion.',
+    fix: { suggestion: 'Validate file paths against a whitelist before inclusion.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /require_once\s*\(?\s*\$/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // Deserialization (026–030)
+  // ===========================================================================
+
+  // SEC-PHP-026: Unsafe unserialize
+  {
+    id: 'SEC-PHP-026',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Unsafe unserialize() with User Input',
+    description: 'Using unserialize() on user input allows object injection and RCE.',
+    fix: { suggestion: 'Use json_decode() instead or pass allowed_classes option.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /unserialize\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)/,
+      );
+    },
+  },
+
+  // SEC-PHP-027: Unsafe unserialize with any variable
+  {
+    id: 'SEC-PHP-027',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Potentially Unsafe unserialize()',
+    description: 'Using unserialize() without allowed_classes restriction may enable object injection.',
+    fix: { suggestion: 'Pass ["allowed_classes" => false] or use json_decode().' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /unserialize\s*\(\s*\$(?!_(GET|POST|REQUEST|COOKIE))/,
+      );
+    },
+  },
+
+  // SEC-PHP-028: PHP object injection via __wakeup
+  {
+    id: 'SEC-PHP-028',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'PHP Object Injection via __wakeup Magic Method',
+    description: 'Classes with __wakeup that perform dangerous operations are gadgets for deserialization attacks.',
+    fix: { suggestion: 'Avoid dangerous operations in __wakeup; validate all properties.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /function\s+__wakeup\s*\(/,
+      );
+    },
+  },
+
+  // SEC-PHP-029: Unsafe phar deserialization
+  {
+    id: 'SEC-PHP-029',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Phar Deserialization Attack',
+    description: 'File operations on phar:// streams with user input trigger deserialization.',
+    fix: { suggestion: 'Never pass user input to file functions with phar:// protocol.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /phar:\/\/.*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-030: Unsafe object hydration via __destruct
+  {
+    id: 'SEC-PHP-030',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Dangerous __destruct Magic Method',
+    description: 'Classes with __destruct that execute commands or delete files are deserialization gadgets.',
+    fix: { suggestion: 'Avoid file/command operations in __destruct; validate state first.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /function\s+__destruct\s*\(.*(?:exec|system|unlink|file_put_contents)/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // Eval / Code Execution (031–035)
+  // ===========================================================================
+
+  // SEC-PHP-031: eval() with user input
+  {
+    id: 'SEC-PHP-031',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Code Injection via eval()',
+    description: 'Using eval() with user-controlled input allows arbitrary code execution.',
+    fix: { suggestion: 'Avoid eval() entirely; use safe alternatives.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /\beval\s*\(.*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-032: eval with any variable
+  {
+    id: 'SEC-PHP-032',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Potentially Unsafe eval() Usage',
+    description: 'Using eval() with variables that may contain user input allows RCE.',
+    fix: { suggestion: 'Avoid eval() entirely; use a safe interpreter or whitelist approach.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /\beval\s*\(\s*\$/,
+      );
+    },
+  },
+
+  // SEC-PHP-033: assert() used as eval
+  {
+    id: 'SEC-PHP-033',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Code Execution via assert()',
+    description: 'assert() with string arguments evaluates code like eval() in PHP < 8.',
+    fix: { suggestion: 'Never pass strings to assert(); use boolean expressions only.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /\bassert\s*\(\s*["']\$/,
+      );
+    },
+  },
+
+  // SEC-PHP-034: preg_replace with /e modifier
+  {
+    id: 'SEC-PHP-034',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Code Execution via preg_replace /e Modifier',
+    description: 'The /e modifier in preg_replace evaluates replacement as PHP code.',
+    fix: { suggestion: 'Use preg_replace_callback() instead of the /e modifier.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /preg_replace\s*\(\s*['"]\/.*\/e['"]/,
+      );
+    },
+  },
+
+  // SEC-PHP-035: create_function (deprecated eval wrapper)
+  {
+    id: 'SEC-PHP-035',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Code Execution via create_function()',
+    description: 'create_function() uses eval internally and allows code injection.',
+    fix: { suggestion: 'Use anonymous functions (closures) instead of create_function().' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /create_function\s*\(/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // Type Juggling (036–040)
+  // ===========================================================================
+
+  // SEC-PHP-036: Loose comparison with == for authentication
+  {
+    id: 'SEC-PHP-036',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Type Juggling via Loose Comparison in Auth',
+    description: 'Using == for password or token comparison is vulnerable to type juggling.',
+    fix: { suggestion: 'Use === (strict comparison) or hash_equals() for security comparisons.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /(?:password|token|secret|hash)\s*==\s*(?!\=)/,
+      );
+    },
+  },
+
+  // SEC-PHP-037: Loose comparison with strcmp bypass
+  {
+    id: 'SEC-PHP-037',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'strcmp() Bypass via Type Juggling',
+    description: 'strcmp() returns NULL on array input, which loosely equals 0 (success).',
+    fix: { suggestion: 'Use hash_equals() or === with strict type checking.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /strcmp\s*\(.*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-038: Switch statement with loose comparison
+  {
+    id: 'SEC-PHP-038',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Type Juggling in switch Statement',
+    description: 'PHP switch uses loose comparison, which can be exploited via type juggling.',
+    fix: { suggestion: 'Use if/elseif with === (strict comparison) instead of switch.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /switch\s*\(\s*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-039: in_array without strict mode
+  {
+    id: 'SEC-PHP-039',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Type Juggling in in_array()',
+    description: 'in_array() without strict=true uses loose comparison and may bypass checks.',
+    fix: { suggestion: 'Pass true as the third argument: in_array($val, $arr, true).' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /in_array\s*\([^)]*\$_(?:GET|POST|REQUEST)[^)]*\)\s*(?!.*true)/,
+      );
+    },
+  },
+
+  // SEC-PHP-040: array_search without strict mode
+  {
+    id: 'SEC-PHP-040',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Type Juggling in array_search()',
+    description: 'array_search() without strict=true uses loose comparison.',
+    fix: { suggestion: 'Pass true as the third argument: array_search($val, $arr, true).' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /array_search\s*\([^)]*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // Laravel (041–045)
+  // ===========================================================================
+
+  // SEC-PHP-041: Laravel raw DB query with user input
+  {
+    id: 'SEC-PHP-041',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via Laravel DB::raw()',
+    description: 'Using DB::raw() with user input bypasses query builder protections.',
+    fix: { suggestion: 'Use query builder bindings: DB::raw("... ?", [$value]).' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /DB::raw\s*\(.*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-042: Laravel mass assignment without $fillable
+  {
+    id: 'SEC-PHP-042',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Laravel Mass Assignment via $guarded = []',
+    description: 'Setting $guarded to empty array allows all attributes to be mass-assigned.',
+    fix: { suggestion: 'Define $fillable with only allowed attributes instead of empty $guarded.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /\$guarded\s*=\s*\[\s*\]/,
+      );
+    },
+  },
+
+  // SEC-PHP-043: Laravel blade {!! !!} unescaped output
+  {
+    id: 'SEC-PHP-043',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'XSS via Laravel Blade Unescaped Output',
+    description: 'Using {!! !!} outputs raw HTML without escaping, enabling XSS.',
+    fix: { suggestion: 'Use {{ }} for auto-escaped output; sanitize when {!! !!} is needed.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /\{!!\s*\$(?:request|_GET|_POST)/,
+      );
+    },
+  },
+
+  // SEC-PHP-044: Laravel debug mode in production
+  {
+    id: 'SEC-PHP-044',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Laravel Debug Mode Enabled',
+    description: 'APP_DEBUG=true in production exposes sensitive information in error pages.',
+    fix: { suggestion: 'Set APP_DEBUG=false in production .env files.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /['"]APP_DEBUG['"]\s*(?:=>|,)\s*true/,
+      );
+    },
+  },
+
+  // SEC-PHP-045: Laravel whereRaw with user input
+  {
+    id: 'SEC-PHP-045',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via Laravel whereRaw()',
+    description: 'Using whereRaw() with concatenated user input enables SQL injection.',
+    fix: { suggestion: 'Pass bindings as second argument: whereRaw("col = ?", [$value]).' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /whereRaw\s*\(.*\.\s*\$_(?:GET|POST|REQUEST)/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // WordPress (046–050)
+  // ===========================================================================
+
+  // SEC-PHP-046: WordPress direct SQL query without prepare
+  {
+    id: 'SEC-PHP-046',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'WordPress SQL Injection via $wpdb->query()',
+    description: 'Using $wpdb->query() without $wpdb->prepare() allows SQL injection.',
+    fix: { suggestion: 'Use $wpdb->prepare() for all queries with user input.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /\$wpdb->query\s*\(\s*["'].*\.\s*\$/,
+      );
+    },
+  },
+
+  // SEC-PHP-047: WordPress missing nonce verification
+  {
+    id: 'SEC-PHP-047',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'WordPress Missing Nonce Verification',
+    description: 'Processing form data without wp_verify_nonce() is vulnerable to CSRF.',
+    fix: { suggestion: 'Add wp_verify_nonce() or check_admin_referer() before processing.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /\$_POST\[.*\].*(?:update_option|delete_option|add_option)/,
+      );
+    },
+  },
+
+  // SEC-PHP-048: WordPress unescaped output
+  {
+    id: 'SEC-PHP-048',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'WordPress XSS via Unescaped Output',
+    description: 'Echoing user input without esc_html() or esc_attr() enables XSS.',
+    fix: { suggestion: 'Use esc_html(), esc_attr(), esc_url() for output escaping.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /echo\s+\$_(?:GET|POST|REQUEST)(?!.*esc_)/,
+      );
+    },
+  },
+
+  // SEC-PHP-049: WordPress file upload without validation
+  {
+    id: 'SEC-PHP-049',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'WordPress Insecure File Upload',
+    description: 'Using move_uploaded_file without proper WordPress upload handling.',
+    fix: { suggestion: 'Use wp_handle_upload() with proper mime type checking.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /move_uploaded_file\s*\(\s*\$_FILES/,
+      );
+    },
+  },
+
+  // SEC-PHP-050: WordPress register_rest_route without permission_callback
+  {
+    id: 'SEC-PHP-050',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'WordPress REST API Without Permission Check',
+    description: 'REST routes without permission_callback are publicly accessible.',
+    fix: { suggestion: 'Add permission_callback to all register_rest_route() calls.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /register_rest_route\s*\([^)]*(?!permission_callback)/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // Session / Upload (051–055)
+  // ===========================================================================
+
+  // SEC-PHP-051: Session fixation via session_id
+  {
+    id: 'SEC-PHP-051',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Session Fixation via session_id()',
+    description: 'Setting session_id from user input allows session fixation attacks.',
+    fix: { suggestion: 'Call session_regenerate_id(true) after authentication.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /session_id\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)/,
+      );
+    },
+  },
+
+  // SEC-PHP-052: File upload without mime validation
+  {
+    id: 'SEC-PHP-052',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'File Upload Without MIME Type Validation',
+    description: 'Accepting file uploads without validating MIME types allows malicious uploads.',
+    fix: { suggestion: 'Validate file type using finfo_file() and check against an allowlist.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /move_uploaded_file\s*\(\s*\$_FILES\s*\[/,
+      );
+    },
+  },
+
+  // SEC-PHP-053: Insecure session configuration
+  {
+    id: 'SEC-PHP-053',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Session Cookie Configuration',
+    description: 'Session cookies without httponly and secure flags are vulnerable to theft.',
+    fix: { suggestion: 'Set session.cookie_httponly=1 and session.cookie_secure=1.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /session\.cookie_httponly\s*=\s*(?:0|false|off)/i,
+      );
+    },
+  },
+
+  // SEC-PHP-054: File upload directory in web root
+  {
+    id: 'SEC-PHP-054',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Upload Directory in Web Root Without .htaccess',
+    description: 'Uploading files to web-accessible directories allows direct execution.',
+    fix: { suggestion: 'Store uploads outside web root or use .htaccess to deny execution.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /move_uploaded_file\s*\(.*["']uploads?\//,
+      );
+    },
+  },
+
+  // SEC-PHP-055: Missing session_regenerate_id after login
+  {
+    id: 'SEC-PHP-055',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Missing Session Regeneration After Login',
+    description: 'Not calling session_regenerate_id after authentication allows session fixation.',
+    fix: { suggestion: 'Call session_regenerate_id(true) immediately after successful login.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /\$_SESSION\s*\[\s*['"](?:logged_in|user_id|authenticated)['"].*=\s*(?:true|\$)/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // Encryption (056–060)
+  // ===========================================================================
+
+  // SEC-PHP-056: Use of MD5 for passwords
+  {
+    id: 'SEC-PHP-056',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Weak Password Hashing: md5()',
+    description: 'Using md5() for password hashing is trivially crackable.',
+    fix: { suggestion: 'Use password_hash() with PASSWORD_BCRYPT or PASSWORD_ARGON2ID.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /md5\s*\(\s*\$(?:_POST|_REQUEST|password|pass)/,
+      );
+    },
+  },
+
+  // SEC-PHP-057: Use of SHA1 for passwords
+  {
+    id: 'SEC-PHP-057',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Weak Password Hashing: sha1()',
+    description: 'Using sha1() for password hashing is not sufficient for security.',
+    fix: { suggestion: 'Use password_hash() with PASSWORD_BCRYPT or PASSWORD_ARGON2ID.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /sha1\s*\(\s*\$(?:_POST|_REQUEST|password|pass)/,
+      );
+    },
+  },
+
+  // SEC-PHP-058: Hardcoded encryption key
+  {
+    id: 'SEC-PHP-058',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded Encryption Key',
+    description: 'Hardcoded encryption keys in source code can be extracted by attackers.',
+    fix: { suggestion: 'Load encryption keys from environment variables or a key management service.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /(?:encryption_key|secret_key|cipher_key|ENCRYPTION_KEY)\s*=\s*['"][a-zA-Z0-9+\/=]{16,}['"]/,
+      );
+    },
+  },
+
+  // SEC-PHP-059: Weak cipher algorithm (DES)
+  {
+    id: 'SEC-PHP-059',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Weak Cipher: DES',
+    description: 'DES has a 56-bit key and is easily brute-forced.',
+    fix: { suggestion: 'Use AES-256-GCM or AES-256-CBC via openssl_encrypt().' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /(?:mcrypt_encrypt|openssl_encrypt)\s*\(.*['"](?:des-|DES|MCRYPT_DES)/,
+      );
+    },
+  },
+
+  // SEC-PHP-060: ECB mode usage
+  {
+    id: 'SEC-PHP-060',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Weak Cipher Mode: ECB',
+    description: 'ECB mode does not provide semantic security and leaks data patterns.',
+    fix: { suggestion: 'Use GCM or CBC mode with HMAC instead of ECB.' },
+    check({ files }) {
+      return checkPHP(this, files,
+        /(?:openssl_encrypt|mcrypt_encrypt)\s*\(.*(?:ECB|ecb)/,
+      );
+    },
+  },
+];
+
+export default rules;