Comments (2)
Fair point.
However, those variables, especially _FILES and _SERVER can actually have user input, so we can't really suppress them just like that.
One thing that could be done would be to add a list of safe keys and skip them when not in paranoia mode. This won't be an easy task. Like 'SERVER_SOFTWARE' is okay, 'HTTP_REFERER' is definitely not okay and 'REQUEST_METHOD' is debatable depending on the server and 'SERVER_NAME' depending on the server config.
Currently there are no planned big efforts to lower false positives (like #31), but I'm sure this would be at the top of any list after we solve the documentation problem (#44).
I'll keep this open to be considered once we're there.
Thanks
from phpcs-security-audit.
Oh wow I'm so consistent without remembering anything it's scary.
We are using is_token_false_positive in utils with some of those safe SERVER vars I was talking about.
This is just an example of how it could be done, as I don't think getSafeServerVars is used anywhere other than the EasyRFISniff.
from phpcs-security-audit.
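The two comments above sketch a safe-key list for $_SERVER with a paranoia switch. The following is an added illustration of that idea, not code from phpcs-security-audit: the names classifyServerVar(), isServerVarSafe() and extractServerKey() are hypothetical, and the key lists reflect common CGI/PHP semantics rather than the project's getSafeServerVars(). Request headers (HTTP_*) and request-derived keys are always reported; keys such as REQUEST_METHOD and SERVER_NAME, which depend on the server configuration, are only skipped outside paranoia mode.

```php
<?php
declare(strict_types=1);

// Added example, not phpcs-security-audit code. classifyServerVar(),
// isServerVarSafe() and extractServerKey() are hypothetical names; the key
// lists encode common CGI/PHP semantics and should be reviewed against the
// server actually in use.

/**
 * Sort a $_SERVER key into one of three buckets:
 *   'safe'    - filled in by the interpreter or server, never from the request
 *   'context' - server-supplied but configuration dependent (Apache with
 *               UseCanonicalName Off copies the client's Host header into
 *               SERVER_NAME and SERVER_PORT; REQUEST_METHOD is whatever the
 *               client sent, limited only by what the server accepts)
 *   'tainted' - copied from the HTTP request, so attacker controlled
 */
function classifyServerVar(string $key): string
{
    // Every request header is exposed as HTTP_<NAME> (Referer, Host,
    // User-Agent, X-Forwarded-For, ...): all user input.
    if (strncmp($key, 'HTTP_', 5) === 0) {
        return 'tainted';
    }

    static $safe = [
        'SERVER_SOFTWARE', 'SERVER_ADDR', 'GATEWAY_INTERFACE',
        'DOCUMENT_ROOT', 'SCRIPT_FILENAME', 'REMOTE_ADDR', 'REMOTE_PORT',
        'REQUEST_TIME', 'REQUEST_TIME_FLOAT',
    ];
    static $context = [
        'REQUEST_METHOD', 'SERVER_NAME', 'SERVER_PORT', 'SERVER_PROTOCOL',
        'SCRIPT_NAME',
    ];

    if (in_array($key, $safe, true)) {
        return 'safe';
    }
    if (in_array($key, $context, true)) {
        return 'context';
    }
    // Everything else (QUERY_STRING, REQUEST_URI, PATH_INFO, PHP_SELF,
    // CONTENT_TYPE, PHP_AUTH_*, unknown keys) fails closed as tainted.
    return 'tainted';
}

/**
 * Decide whether a $_SERVER[...] read may be dropped from the warning list.
 * In paranoia mode only the 'safe' bucket is suppressed; otherwise the
 * configuration-dependent keys are trusted too. Tainted keys never are.
 */
function isServerVarSafe(string $key, bool $paranoia): bool
{
    switch (classifyServerVar($key)) {
        case 'safe':
            return true;
        case 'context':
            return !$paranoia;
        default:
            return false;
    }
}

/**
 * Pull the key out of a literal $_SERVER['KEY'] / $_SERVER["KEY"] access.
 * A real sniff would walk the PHPCS token stream (T_VARIABLE followed by
 * T_OPEN_SQUARE_BRACKET and T_CONSTANT_ENCAPSED_STRING); the regex is a
 * stand-in so this file runs on its own. A dynamic key returns null and
 * must be reported, because the key itself may be user input.
 */
function extractServerKey(string $code): ?string
{
    if (preg_match('/\$_SERVER\s*\[\s*([\'"])([A-Za-z0-9_]+)\1\s*\]/', $code, $m) === 1) {
        return $m[2];
    }
    return null;
}

// Constructed sample accesses (not taken from any real code base).
$samples = [
    "\$_SERVER['SERVER_SOFTWARE']",
    "\$_SERVER['HTTP_REFERER']",
    "\$_SERVER['REQUEST_METHOD']",
    "\$_SERVER['SERVER_NAME']",
    "\$_SERVER[\"QUERY_STRING\"]",
    "\$_SERVER[\$name]",
];

foreach ([false, true] as $paranoia) {
    printf("paranoia %s\n", $paranoia ? 'on' : 'off');
    foreach ($samples as $code) {
        $key = extractServerKey($code);
        if ($key === null) {
            printf("  %-32s dynamic key -> report\n", $code);
            continue;
        }
        printf("  %-32s %-8s -> %s\n", $code, classifyServerVar($key),
            isServerVarSafe($key, $paranoia) ? 'skip' : 'report');
    }
}
```

Run with `php example.php`: SERVER_SOFTWARE is skipped in both modes, HTTP_REFERER, QUERY_STRING and the dynamic key are always reported, and REQUEST_METHOD and SERVER_NAME flip from skip to report when paranoia is on. The unknown-key fallback is deliberately tainted so that a forgotten entry produces a false positive rather than a missed finding.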