Unsanitized user input in 'eval' type function
- Rule ID: php_lang_eval_using_user_input
- Languages: php
- Source: eval_using_user_input.yml
Description
Executing code with 'eval' or similar functions using unsanitized user input is risky and can lead to code injection vulnerabilities. This happens when external input is used directly in functions that execute code, allowing attackers to run malicious code within your application.
Remediations
- Do not use 'eval' or similar functions with user-supplied data. This can open your application to severe security risks.
eval("echo " . $_GET["untrusted"]); // unsafe
- Do validate and sanitize all user input before using it in your code. Ensure that the input does not contain malicious code or commands.
- Do use safer alternatives to 'eval' for dynamic code execution. Consider using functions that limit the scope and capabilities of executed code to reduce risk.
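The pattern the rule flags next to one safer alternative, as an added example that is not part of the Bearer rule documentation. It assumes a hypothetical application whose request parameter selects one of a few fixed operations; the operation names and the `renderUnsafe`/`renderSafe` functions are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Flagged by php_lang_eval_using_user_input: the request parameter is spliced
// into source text, so whatever PHP statement it contains is executed rather
// than echoed. Kept here only as the "before" half of the comparison.
function renderUnsafe(array $query): void
{
    eval("echo " . $query["untrusted"] . ";"); // unsafe
}

// Safer alternative: no code is generated at runtime. The request can only
// choose an entry from a fixed allowlist of closures (hypothetical operations).
function allowedOperations(): array
{
    return [
        'greeting' => fn(): string => 'hello',
        'date'     => fn(): string => date('Y-m-d'),
    ];
}

function renderSafe(array $query): string
{
    $op = $query['op'] ?? '';
    $ops = allowedOperations();
    // Validate first: the value must match an allowlist key exactly;
    // anything else is rejected instead of being interpreted.
    if (!is_string($op) || !array_key_exists($op, $ops)) {
        throw new InvalidArgumentException('unknown operation');
    }
    // Escape the result because it ends up in an HTML response.
    return htmlspecialchars($ops[$op](), ENT_QUOTES, 'UTF-8');
}

// Constructed requests standing in for $_GET, so this runs from the CLI.
echo renderSafe(['op' => 'greeting']), "\n"; // hello
try {
    renderSafe(['op' => 'not-an-allowed-operation']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Run with `php example.php`; the allowlisted request renders, the unknown one is rejected before any code path depends on its content.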
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=php_lang_eval_using_user_input
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=php_lang_eval_using_user_input