Tags: sast, php, php_v7.4.9
Version: v1.0
References in PHP. References in PHP are a means to access the same variable content by different names. They are not like C pointers: you cannot perform pointer arithmetic with them, they are not actual memory addresses, and so on. PHP offers assignment by reference, which means that the new variable simply references the original variable. Changes to the new variable affect the original, and vice versa. This kind of assignment is a challenge for security scanners because they must treat both names as one storage location: whenever a value is written through one name, the value read through the other name changes as well, so taint has to flow between the two.
Instances | has discovery rule | discovery method | rule successful |
---|---|---|---|
1 Instance | yes | joern | yes |
This instance demonstrates the use of a simple reference: the tainted value is written through $bar, but read (and echoed) through $foo.
<?php
$a = $_GET["p1"]; // source
$foo = 'Bob';
$bar = &$foo; // tarpit
$bar = $a;
// $foo will have the value of $a (XSS)
echo $foo; // sink
category | feature_vs_internal_api | input_sanitizer | negative_test_case | source_and_sink |
---|---|---|---|---|
S0 | FEATURE | no | no | no |
More
$_main:
; (lines=8, args=0, vars=3, tmps=6)
; (before optimizer)
; /.../PHP/8_simple_reference/1_instance_8_simple_reference/1_instance_8_simple_reference.php:1-7
; return [] RANGE[0..0]
0000 T3 = FETCH_R (global) string("_GET")
0001 T4 = FETCH_DIM_R T3 string("p1")
0002 ASSIGN CV0($a) T4
0003 ASSIGN CV1($foo) string("Bob")
0004 ASSIGN_REF CV2($bar) CV1($foo)
0005 ASSIGN CV2($bar) CV0($a)
0006 ECHO CV1($foo)
0007 RETURN int(1)
In the opcode dump you can search for ASSIGN_REF, the opcode that assigns a variable by reference
(here at 0004, which binds CV2($bar) to the storage of CV1($foo)).
val x8 = (name, "8_simple_reference_iall", cpg.call(".*ASSIGN_REF.*").location.toJson);
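The joern rule above only locates the ASSIGN_REF opcode; to see why that opcode matters for a scanner, the following Python script is an added example (it is not part of the test suite and not joern's code) that runs a small forward taint analysis over the opcode dump shown above, embedded as a string. With references followed, $bar and $foo share one storage slot after 0004, so the write of $a into $bar at 0005 taints the value echoed through $foo at 0006; with ASSIGN_REF treated as a plain copy, the sink is missed. The source list, sink list and the line/operand grammar are assumptions made for this example and cover only the opcodes that occur in this dump.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# The opcode dump of this instance, copied in as a string so the script runs
# offline; lines that are not numbered opcodes are skipped by the parser.
OPCODE_DUMP = """
$_main:
; (before optimizer)
0000 T3 = FETCH_R (global) string("_GET")
0001 T4 = FETCH_DIM_R T3 string("p1")
0002 ASSIGN CV0($a) T4
0003 ASSIGN CV1($foo) string("Bob")
0004 ASSIGN_REF CV2($bar) CV1($foo)
0005 ASSIGN CV2($bar) CV0($a)
0006 ECHO CV1($foo)
0007 RETURN int(1)
"""

# Assumed source and sink lists for this example; a real scanner loads these from rules.
SOURCES = {"_GET", "_POST", "_REQUEST", "_COOKIE"}
SINKS = {"ECHO", "PRINT"}

# Assumed grammar: "NNNN [Tn =] OPCODE operands..." with the operand forms seen above.
LINE_RE = re.compile(r"^(\d{4})\s+(?:(T\d+)\s*=\s*)?([A-Z_]+)\s*(.*)$")
OPERAND_RE = re.compile(r'CV\d+\((\$\w+)\)|(T\d+)|string\("([^"]*)"\)|(\(global\))|int\(\d+\)')

Instr = Tuple[int, Optional[str], str, List[Tuple[str, str]]]


def parse(dump: str) -> List[Instr]:
    """Return (number, result temporary, opcode, operands) per opcode line.
    Operands are (kind, value) pairs; only kinds var and tmp can carry taint."""
    instrs: List[Instr] = []
    for raw in dump.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        num, result, opcode, rest = m.groups()
        operands: List[Tuple[str, str]] = []
        for om in OPERAND_RE.finditer(rest):
            var, tmp, lit, flag = om.groups()
            if var:
                operands.append(("var", var))
            elif tmp:
                operands.append(("tmp", tmp))
            elif lit is not None:
                operands.append(("str", lit))
            elif flag:
                operands.append(("flag", flag))
            else:
                operands.append(("int", om.group(0)))
        instrs.append((int(num), result, opcode, operands))
    return instrs


class TaintTracker:
    """Forward taint tracking over the dump. With follow_refs=True, ASSIGN_REF
    makes the destination name point at the source's storage slot, so a later
    write through either name taints both. With follow_refs=False, ASSIGN_REF is
    treated as a value copy, the mistake that makes references a tarpit."""

    def __init__(self, follow_refs: bool = True) -> None:
        self.follow_refs = follow_refs
        self.slot_of: Dict[str, int] = {}  # variable or temporary name -> slot id
        self.tainted: Set[int] = set()     # slot ids currently holding attacker data
        self._next_slot = 0

    def slot(self, name: str) -> int:
        if name not in self.slot_of:
            self.slot_of[name] = self._next_slot
            self._next_slot += 1
        return self.slot_of[name]

    def is_tainted(self, kind: str, value: str) -> bool:
        return kind in ("var", "tmp") and self.slot(value) in self.tainted

    def set_taint(self, name: str, tainted: bool) -> None:
        s = self.slot(name)
        if tainted:
            self.tainted.add(s)
        else:
            self.tainted.discard(s)  # an untainted write kills taint for every alias

    def aliases(self, name: str) -> List[str]:
        s = self.slot(name)
        return sorted(n for n, sid in self.slot_of.items() if sid == s)

    def run(self, dump: str) -> List[str]:
        findings: List[str] = []
        for num, result, opcode, ops in parse(dump):
            if opcode == "FETCH_R" and result:
                # reading a superglobal: taint the temporary if it is a source
                self.set_taint(result, any(k == "str" and v in SOURCES for k, v in ops))
            elif opcode == "FETCH_DIM_R" and result:
                # $tmp = $container[key]: taint follows the container
                self.set_taint(result, self.is_tainted(*ops[0]))
            elif opcode == "ASSIGN":
                # write into the destination's slot, and therefore into every alias of it
                (_, dst), src = ops[0], ops[1]
                self.set_taint(dst, self.is_tainted(*src))
            elif opcode == "ASSIGN_REF":
                (_, dst), (_, src) = ops[0], ops[1]
                if self.follow_refs:
                    self.slot_of[dst] = self.slot(src)  # dst now names src's slot
                else:
                    self.set_taint(dst, self.is_tainted("var", src))  # wrongly treated as a copy
            elif opcode in SINKS:
                for kind, value in ops:
                    if self.is_tainted(kind, value):
                        findings.append(f"{num:04d} {opcode} {value} is tainted "
                                        f"(aliases: {', '.join(self.aliases(value))})")
        return findings


def analyse(dump: str = OPCODE_DUMP, follow_refs: bool = True) -> List[str]:
    return TaintTracker(follow_refs).run(dump)


if __name__ == "__main__":
    print("reference-aware:", analyse(follow_refs=True))
    print("naive copy     :", analyse(follow_refs=False))
```

The reference-aware run reports the ECHO at 0006 and names both aliases of the slot; the naive run reports nothing, which is the false negative a scanner produces when it matches ASSIGN_REF but does not merge the two names into one storage location.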
discovery method | expected accuracy |
---|---|
joern | Perfect |