Unsanitized user input in FTP request

Description

Passing unsanitized user input directly into FTP operations is a significant security risk. When request data becomes a file name or path, the attacker decides which file on the FTP server is read, written or deleted, including files outside the intended directory (path traversal). When request data becomes the host name or another connection argument, the attacker decides which server the application connects to and sends its credentials to. Validate and sanitize all input before it reaches any FTP call.

Remediations

  • Do not use unsanitized user input to construct filenames or file paths in FTP operations. Restrict the input to a single path component (no separators, no "..") or check it against an allowlist, and join it to a fixed base directory; otherwise the request decides which file is affected.

    $connection = ftp_ssl_connect("ftp.example.com", 21);
    ftp_delete($connection, $_GET["name"]); // unsafe: the request decides which file is deleted

  • Do not use unsanitized user input as arguments in FTP connection methods or in any other FTP operation. Take the host from configuration or from an allowlist rather than from the request.

    $connection = ftp_ssl_connect($_GET["host"], 21); // unsafe: the request decides which server is contacted
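The following is an added example of the hardened form of both snippets; it is not code from the Bearer rule or from PHP's documentation. The host allowlist, the base directory, the environment variable names and the `deleteUserFile` helper are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Assumed: the only FTP servers this application is allowed to talk to.
const ALLOWED_FTP_HOSTS = ['ftp.example.com', 'backup.example.com'];

// Assumed: the directory on the server that user-managed files live in.
const FTP_BASE_DIR = '/uploads';

/**
 * Return the host if it is on the allowlist, otherwise refuse.
 * The request may only pick among configured hosts, never name a new one.
 */
function validateFtpHost(string $host): string
{
    $host = strtolower(trim($host));
    if (!in_array($host, ALLOWED_FTP_HOSTS, true)) {
        throw new InvalidArgumentException('FTP host not permitted');
    }
    return $host;
}

/**
 * Accept only a single path component: starts with an alphanumeric
 * character and contains no "/", "\", NUL, CR or LF. Because "/" is
 * rejected, ".." cannot act as a directory step, and because CR/LF are
 * rejected, the name cannot inject extra lines into the FTP control channel.
 */
function validateFtpFileName(string $name): string
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $name)) {
        throw new InvalidArgumentException('Invalid file name');
    }
    return $name;
}

/**
 * Delete one user-managed file on an allowlisted FTP server.
 * Both arguments are untrusted request values; both are validated first,
 * and the final path is built from a fixed base directory.
 */
function deleteUserFile(string $hostInput, string $nameInput): bool
{
    $host = validateFtpHost($hostInput);
    $name = validateFtpFileName($nameInput);

    $conn = ftp_ssl_connect($host, 21, 10);
    if ($conn === false) {
        throw new RuntimeException('FTP connection failed');
    }
    try {
        // Assumed: credentials come from the environment, never from the request.
        $user = getenv('FTP_USER') ?: '';
        $pass = getenv('FTP_PASS') ?: '';
        if (!ftp_login($conn, $user, $pass)) {
            throw new RuntimeException('FTP login failed');
        }
        return ftp_delete($conn, FTP_BASE_DIR . '/' . $name);
    } finally {
        ftp_close($conn);
    }
}

// Usage: request parameters are untrusted and go through the validators
// before any FTP function sees them.
try {
    $ok = deleteUserFile($_GET['host'] ?? '', $_GET['name'] ?? '');
    echo $ok ? "deleted\n" : "delete failed\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "rejected: " . $e->getMessage() . "\n";
}
```

A stricter variant removes the host parameter entirely and reads it from configuration; the allowlist is shown here only because the rule's second example takes the host from the request. The validated name is joined to `FTP_BASE_DIR` on the application side rather than trusting the user to supply a path, so even a valid-looking component cannot escape that directory.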

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_ftp_using_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_ftp_using_user_input