function coder_review_security_reviews in Coder 7.2
Implements hook_reviews(): registers the "security" review, a set of regex rules (plus one callback rule) that flag Drupal-specific security smells such as unescaped output, string-built SQL, eval() and raw $_POST use.
File
- coder_review/
includes/ coder_review_security.inc, line 13 - This include file implements coder functionality for Drupal Standards.
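/**
 * Implements hook_reviews().
 *
 * Registers the "security" review: a list of regex rules (plus one callback
 * rule) that flag Drupal-specific security smells in the reviewed source.
 *
 * Rule keys as used below:
 * - '#value'    regex that must match for the rule to fire;
 * - '#never'    regex that suppresses the hit when it also matches;
 * - '#not'      same idea, used by the SQL placeholder rule;
 * - '#source'   token stream the regex runs over ('allphp', 'php', 'quote',
 *               'html'; omitted for the engine default);
 * - '#function' / '#function-not'  limit the rule to (or away from)
 *               enclosing functions whose name matches;
 * - '#warning'  a message array (#text/#args/#link/#description), the name
 *               of a *_warning() helper, or that helper's return value.
 *
 * The two REQUEST_URI rules opt out of case folding with an explicit "(?-i)",
 * which implies the engine compiles '#value' case-insensitively by default
 * (to be confirmed against the rule engine). The review is deliberately noisy
 * (see its '#description'): it prefers false positives over missed findings,
 * so every '#never' below should stay narrow.
 *
 * Changes against the previous revision (no behaviour change otherwise):
 * - the unquoted-%s SQL rule now uses "\s+" between "from" and the table
 *   name, matching the placeholder rule above it (a bare "\s" tolerated a
 *   single whitespace character only);
 * - the 'access callback' warning text had a doubled "the".
 *
 * @return array
 *   A single review keyed 'security', in the format hook_reviews() expects.
 */
function coder_review_security_reviews() {
  // One "argument": $var, name, name(...), name[...], a number, or an empty
  // string literal. Used to step over leading positional arguments.
  $argex = '(((\\$?)[a-zA-Z_]+((\\([^)]*\\))|\\[[^\\]]*\\])?)|[0-9]+(\\.[0-9]*)?|\'\'|"")';
  // Same as $argex but also accepts non-empty single/double quoted strings.
  $allphp_argex = '(((\\$?)[a-zA-Z_]+((\\([^)]*\\))|\\[[^\\]]*\\])?)|[0-9]+(\\.[0-9]*)?|\'[^\']+\'|"[^"]+")';
  // A call to one of the functions whose return value is treated as safe
  // output. Note: t()/st() are only "safe" if their placeholders are; the
  // second rule of each pair below inspects the placeholders for that reason.
  $sanitize_argex = '((t|st|\\$t|check_plain|format_plural|check_markup|field_filter_xss|filter_xss|filter_xss_admin)\\s*\\([^\\)]+?\\))';
  // table-regex: a Drupal-style {table_name} reference inside SQL.
  $table = '\\{[A-Za-z_]+\\}';

  // trigger_error(): first argument contains a $variable and does not start
  // with t()/st() or a sanitizer.
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '[\\s\\(]trigger_error\\s*\\(\\s*[^\\$]+.+\\$',
    '#never' => '(^function\\s|trigger_error\\s*\\(\\s*(((st|t|\\$t)\\s*\\()|(format_plural|field_filter_xss|filter_xss|filter_xss_admin|check_plain|check_markup)\\s*\\().*$)',
    '#source' => 'allphp',
    '#warning' => '_coder_review_security_trigger_error_filter_warning',
  );
  // trigger_error(t(...)): the t() call embeds a $variable or uses a "!"
  // placeholder, which t() inserts without escaping (unlike "@" and "%").
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '[\\s\\(]trigger_error\\s*\\(\\s*(st|t|\\$t)\\s*\\(\\s*((.*?\\$)|([\'"].*?!\\w+.*?[\'"]\\s*,)|(.*?array\\(.*?!\\w+.*?\\)))',
    '#never' => '(^function\\s|trigger_error\\s*\\(\\s*(((st|t|\\$t)\\s*\\(((\\s*[\'"][^!]+?[\'"]\\s*,)|(.*?array\\([^!]+\\))))|(format_plural|field_filter_xss|filter_xss|filter_xss_admin|check_plain|check_markup)\\s*\\().*$)',
    '#source' => 'allphp',
    '#warning' => array(
      '#text' => 'Potential problem: !trigger_error() only accepts filtered text, be sure all !placeholders for $variables in !t() are fully sanitized using !check_plain(), !filter_xss() or similar.',
      '#args' => array(
        '!trigger_error' => _phpapi('trigger_error'),
        '!t' => _drupalapi('t'),
        '!check_plain' => _drupalapi('check_plain'),
        '!filter_xss' => _drupalapi('filter_xss'),
      ),
      '#link' => _drupalnode(28984),
    ),
  );

  // drupal_set_message(): same two-step check as trigger_error() above.
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '[\\s\\(]drupal_set_message\\s*\\(\\s*[^\\$)]+.+\\$',
    '#never' => '(^function\\s|drupal_set_message\\s*\\(\\s*(((st|t|\\$t)\\s*\\()|(format_plural|field_filter_xss|filter_xss|filter_xss_admin|check_plain|check_markup)\\s*\\().*$)',
    '#source' => 'allphp',
    '#warning' => '_coder_review_security_drupal_set_message_filter_warning',
  );
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '[\\s\\(]drupal_set_message\\s*\\(\\s*(st|t|\\$t)\\s*\\(\\s*((.*?\\$)|([\'"].*?!\\w+.*?[\'"]\\s*,)|(.*?array\\(.*?!\\w+.*?\\)))',
    '#never' => '(^function\\s|drupal_set_message\\s*\\(\\s*(((st|t|\\$t)\\s*\\(((\\s*[\'"][^!]+?[\'"]\\s*,)|(.*?array\\([^!]+\\))))|(format_plural|field_filter_xss|filter_xss|filter_xss_admin|check_plain|check_markup)\\s*\\().*$)',
    '#source' => 'allphp',
    '#warning' => '_coder_review_security_drupal_set_message_filter_t_warning',
  );

  // form_set_error()/form_error(): the message is the 2nd argument, so the
  // first one is skipped with $argex before the same two checks are applied.
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '[\\s\\(](form_set_error|form_error)\\s*\\(\\s*' . $argex . '\\s*,\\s*[^\\$)]+.+\\$',
    '#never' => '(^function\\s|(form_set_error|form_error)\\s*\\(\\s*' . $argex . '\\s*,\\s*(((st|t|\\$t)\\s*\\()|(format_plural|field_filter_xss|filter_xss|filter_xss_admin|check_plain|check_markup)\\s*\\().*$)',
    '#source' => 'allphp',
    '#warning' => '_coder_review_security_form_set_error_filter_warning',
  );
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '[\\s\\(](form_set_error|form_error)\\s*\\(\\s*' . $argex . '\\s*,\\s*(st|t|\\$t)\\s*\\(\\s*((.*?\\$)|([\'"].*?!\\w+.*?[\'"]\\s*,)|(.*?array\\(.*?!\\w+.*?\\)))',
    '#never' => '(^function\\s|(form_set_error|form_error)\\s*\\(\\s*' . $argex . '\\s*,\\s*(((st|t|\\$t)\\s*\\(((\\s*[\'"][^!]+?[\'"]\\s*,)|(.*?array\\([^!]+\\))))|(format_plural|field_filter_xss|filter_xss|filter_xss_admin|check_plain|check_markup)\\s*\\().*$)',
    '#source' => 'allphp',
    '#warning' => '_coder_review_security_form_set_error_filter_t_warning',
  );

  // confirm_form(): 2nd argument (the question) built from a $variable.
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '[\\s\\(]confirm_form\\s*\\(\\s*' . $argex . '\\s*,\\s*[^\\$\\s]+.+\\$[^,]+,\\s*' . $argex . '\\s*\\)',
    '#never' => '(^function\\s|confirm_form\\s*\\(\\s*' . $argex . '\\s*,\\s*(((st|t|\\$t)\\s*\\()|(format_plural|field_filter_xss|filter_xss|filter_xss_admin|check_plain|check_markup)\\s*\\().*$)',
    '#source' => 'allphp',
    '#warning' => '_coder_review_security_confirm_form_filter_warning',
  );
  // confirm_form(): 2nd argument is t() with a bare $var, an interpolated or
  // concatenated $var, or an unescaped "!" placeholder.
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '[\\s\\(]confirm_form\\s*\\(\\s*' . $argex . '\\s*,\\s*(st|t|\\$t)\\s*\\(\\s*((\\$\\w+[,\\)])|("[^"]+?\\$\\w+.*?"\\s*[,\\)])|([\'"].*?[\'"]\\s*\\.\\s*\\$\\w)|([\'"].*?!\\w+.*?[\'"]\\s*,)|(.*?array\\(.*?!\\w+.*?\\)))',
    '#never' => '(^function\\s|confirm_form\\s*\\(\\s*' . $argex . '\\s*,\\s*(((st|t|\\$t)\\s*\\(((\\s*[\'"][^!]+?[\'"]\\s*,)|(.*?array\\([^!]+\\))))|(format_plural|field_filter_xss|filter_xss|filter_xss_admin|check_plain|check_markup)\\s*\\().*$)',
    '#source' => 'allphp',
    '#warning' => _coder_review_security_confirm_form_filter_t_warning(),
  );

  // confirm_form 4th, 5th and 6th args (description, yes/no button text):
  // {3,5} already-safe arguments are skipped, then the next one is checked.
  // Both rules require the call to end in ");" on the same line.
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '[\\s\\(]confirm_form\\s*\\(\\s*((' . $allphp_argex . '|' . $sanitize_argex . ')\\s*,\\s*){3,5}([^\\$\\s]+.+\\$[^,\\)]+)(' . $allphp_argex . ')??\\)\\s*;',
    '#never' => '(^function\\s|confirm_form\\s*\\(\\s*((' . $allphp_argex . '|' . $sanitize_argex . ')\\s*,\\s*){3,5}((st|t|\\$t|format_plural|field_filter_xss|filter_xss|filter_xss_admin|check_plain|check_markup)\\s*\\([^\\)\\$]+\\)).*?(' . $allphp_argex . ')??\\)\\s*;)',
    '#source' => 'allphp',
    '#warning' => '_coder_review_security_confirm_form_filter_warning',
  );
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '[\\s\\(]confirm_form\\s*\\(\\s*((' . $allphp_argex . '|' . $sanitize_argex . ')\\s*,\\s*){3,5}(st|t|\\$t)\\s*\\(\\s*((\\$\\w+[,\\)])|("[^"]+?\\$\\w+.*?"\\s*[,\\)])|([\'"].*?[\'"]\\s*\\.\\s*\\$\\w)|([\'"].*?!\\w+.*?[\'"]\\s*,)|(.*?array\\(.*?!\\w+.*?\\))).*?(' . $allphp_argex . ')??\\)\\s*;',
    '#never' => '(^function\\s|confirm_form\\s*\\(\\s*((' . $allphp_argex . '|' . $sanitize_argex . ')\\s*,\\s*){3,5}(((st|t|\\$t)\\s*\\(((\\s*[\'"][^!]+?[\'"]\\s*,)|(.*?array\\([^!]+\\))))|(format_plural|field_filter_xss|filter_xss|filter_xss_admin|check_plain|check_markup)\\s*\\([^\\)\\$]+\\)).*?(' . $allphp_argex . ')??\\)\\s*;)',
    '#source' => 'allphp',
    '#warning' => _coder_review_security_confirm_form_filter_t_warning(),
  );

  // l(check_plain(...)): double escaping. Suppressed when 'html' => TRUE is
  // passed, because l() then does not escape the link text itself.
  $rules[] = array(
    '#type' => 'regex',
    '#severity' => 'minor',
    '#value' => '[\\s\\(]l\\(check_plain\\(.*',
    '#never' => '[\'"]html[\'"]\\s*=>\\s*(TRUE|1)',
    '#source' => 'allphp',
    '#warning' => array(
      '#text' => '!l() already contains a !check_plain() call by default.',
      '#args' => array(
        '!l' => _drupalapi('l'),
        '!check_plain' => _drupalapi('check_plain'),
      ),
      '#link' => _drupalnode(28984),
    ),
  );

  // Direct use of REQUEST_URI ($REQUEST_URI or the $_SERVER key). Matched
  // case-sensitively; the core helpers that legitimately wrap it are excluded
  // via '#function-not'.
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '(?-i)\\$REQUEST_URI',
    '#warning' => _coder_review_security_request_uri_warning(),
    '#function-not' => '^(request_uri|request_path|drupal_detect_baseurl)$',
  );
  $rules[] = array(
    '#type' => 'regex',
    '#source' => 'allphp',
    '#value' => '(?-i)\\"REQUEST_URI\\"|\'REQUEST_URI\'',
    '#warning' => _coder_review_security_request_uri_warning(),
    '#function-not' => '^(request_uri|request_path|drupal_detect_baseurl)$',
  );

  // SQL string literal with a $variable interpolated after the {table}.
  // The '#not' suppression is purely by variable name: a variable called
  // $placeholder(s) is assumed to hold the implode() idiom from the
  // description, so any other name for that idiom still fires, and naming an
  // unrelated variable $placeholders silences the check.
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '^(select\\s+.*\\s+from\\s+' . $table . '|insert\\s+into\\s+' . $table . '|update\\s+' . $table . '\\s+set|delete\\s+from\\s+' . $table . ')\\s+.*\\$[a-z0-9_]+',
    '#not' => '\\$placeholder',
    '#source' => 'quote',
    '#warning' => array(
      '#text' => 'In SQL strings, Use !db_query() placeholders in place of variables. This is a potential source of SQL injection attacks when the variable can come from user data.',
      '#args' => array(
        '!db_query' => _drupalapi('db_query'),
      ),
      '#link' => _drupalnode(62304),
      '#description' => 'Use %s and %d variable substitution. When inserting an array of values use <code>$placeholders = implode(\',\', array_fill(0, count($args), "\'%s\'"));</code>',
    ),
  );
  // A %s placeholder preceded by whitespace, "(", "=" or "," rather than a
  // single quote: db_query() does not quote %s itself, so the value is spliced
  // into the SQL unquoted. The "\s+" before the table name now matches the
  // rule above; the previous "\s" only accepted one whitespace character.
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '^(select\\s+.*\\s+from\\s+' . $table . '|insert\\s+into\\s+' . $table . '|update\\s+' . $table . '\\s+set|delete\\s+from\\s+' . $table . ')\\s+[^\']*?(\\s+|\\(|=|,)\\%s',
    '#source' => 'quote',
    '#warning' => 'SQL query handling data in a potentially insecure way by using the %%s placeholder without wrapping it in single quotes. This is a potential source of SQL injection attacks when the value can come from user data.',
  );

  // preg_replace() with the "e" (eval) modifier: the replacement is executed
  // as PHP, so attacker-controlled subject text becomes code execution. The
  // modifier was deprecated in PHP 5.5 and removed in 7.0.
  $rules[] = array(
    '#type' => 'regex',
    '#source' => 'allphp',
    // allow us to look inside the regex string: match the quoted pattern,
    // find its closing delimiter (back-reference \2 or \5), then an "e" among
    // the modifiers.
    '#value' => '\\bpreg_replace\\s*\\(\\s*(\'(.)([^\'\\\\]|\\\\.)*\\2([^\'\\\\]|\\\\.)*|"(.)([^"\\\\]|\\\\.)*\\5([^"\\\\]|\\\\.)*)e',
    '#warning' => "Use preg_replace_callback() instead of the 'e' modifier to preg_replace()",
    '#severity' => 'critical',
  );

  // hook_menu(): 'access callback' assigned a call expression instead of a
  // callback name. A call here is evaluated when the router is built, not per
  // request (see the linked issue), so the check would not run for each user.
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '[\'"]access callback.*=.*\\(',
    '#source' => 'allphp',
    '#warning' => array(
      '#text' => "The value for the 'access callback' must always be a string which is the name of the function - never a function call. It may also be assigned the value TRUE or FALSE if the callback is always (or never) accessible.",
      '#link' => _drupalnode(109157),
    ),
    '#function' => '_menu$',
  );

  // Raw $_POST access. Suppressed when the value is only compared, tested
  // (isset/empty/if/...), passed to a sanitizer or form cache helper, or is
  // the target of an assignment. Passing it to any other function still fires.
  $rules[] = array(
    '#type' => 'regex',
    '#severity' => 'minor',
    '#value' => '\\$_(POST)\\[.+?\\]',
    '#never' => '((((==|!=|>=|<=|>|<)\\s*|[!\\s\\(](form_get_cache|form_set_cache|format_plural|field_filter_xss|filter_xss|filter_xss_admin|check_plain|check_markup|isset|empty|foreach|while|if|elseif)\\s*\\(\\s*)\\$_(POST)\\[.+?\\])|\\$_(POST)\\[.+?\\]\\s*(\\.=|=|!=))',
    '#source' => 'allphp',
    '#warning' => array(
      '#text' => 'Potential problem: use the Form API to prevent against CSRF attacks. If you need to use $_POST variables, ensure they are fully sanitized if displayed by using !check_plain(), !filter_xss() or similar.',
      '#args' => array(
        '!check_plain' => _drupalapi('check_plain'),
        '!filter_xss' => _drupalapi('filter_xss'),
      ),
      '#link' => _drupalnode(178896),
    ),
  );

  // Hand-written <form> markup bypasses the Form API's CSRF token.
  $rules[] = array(
    '#type' => 'regex',
    '#source' => 'html',
    '#value' => '<form[\\s\'"]',
    '#warning' => array(
      '#text' => 'Use the Form API to build forms to help prevent against CSRF attacks.',
      '#link' => _drupalnode(178896),
    ),
  );

  // eval()/drupal_eval() whose argument list contains a $variable. An
  // argument built from a function return value alone is not caught.
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '[\\s\\(](drupal_)*?eval\\s*\\([^\\)]*?\\$',
    '#never' => '(^function\\s)',
    '#source' => 'php',
    '#warning' => array(
      '#text' => "Using !eval() or !drupal_eval() in your module's code could have a security risk if the PHP input provided to the function contains malicious code.",
      '#args' => array(
        '!eval' => _phpapi('eval'),
        '!drupal_eval' => _drupalapi('drupal_eval'),
      ),
      '#link' => _drupalnode(715010),
    ),
  );

  // hook_block(): 'subject' (block title) assigned straight from a $variable.
  $rules[] = array(
    '#type' => 'regex',
    '#value' => '[\\s\\[][\'"]subject[\'"](\\])*?\\s*=(>)*?\\s*\\$',
    '#source' => 'allphp',
    '#warning' => array(
      '#text' => 'Potential problem: !hook_block() only accepts filtered text as the block title, be sure to use !check_plain(), !filter_xss() or similar to ensure your $variable is fully sanitized.',
      '#args' => array(
        '!hook_block' => _drupalapi('hook_block'),
        '!check_plain' => _drupalapi('check_plain'),
        '!filter_xss' => _drupalapi('filter_xss'),
      ),
      '#link' => _drupalnode(28984),
    ),
    '#function' => '_block$',
  );

  // Non-regex checks live in the callback.
  $rules[] = array(
    '#type' => 'callback',
    '#value' => '_coder_review_security_callback',
  );

  // Review-level severity is 'critical'; individual rules above override it.
  $review = array(
    '#title' => 'Drupal Security Checks',
    '#link' => _drupalnode(28984),
    '#rules' => $rules,
    '#severity' => 'critical',
    '#description' => 'Checks for security issues. This is a very basic security check. It errs on the side of caution so may give false positives.',
    '#version' => 2,
    '#image' => 'images/security.png',
  );
  return array(
    'security' => $review,
  );
}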