From 3d65a8aca98ca6ab222db17a45cdefad2d28bd81 Mon Sep 17 00:00:00 2001 From: Craig Francis Date: Sat, 4 Sep 2021 12:46:15 +0100 Subject: [PATCH] Add section on limitations --- docs/security_analysis/index.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/docs/security_analysis/index.md b/docs/security_analysis/index.md index 0ee7d4f0709..451a7d250a4 100644 --- a/docs/security_analysis/index.md +++ b/docs/security_analysis/index.md @@ -57,6 +57,29 @@ You can also [define your own taint sinks](custom_taint_sinks.md). Nobody likes to wade through a ton of false-positives – [here’s a guide to avoiding them](avoiding_false_positives.md). +## Limitations + +Taint Analysis relies on not making any mistakes when escaping values, e.g. + +```php +$sql = 'SELECT * FROM users WHERE id = ' . $mysqli->real_escape_string((string) $_GET['id']); + +$html = " + + Link 1 + Line 2"; + +// Details: +// $id = 'id' - Missing quotes +// $img = '/ onerror=alert(1)' - Missing quotes +// $a1 = 'javascript:alert(1)' - Normal inline JavaScript +// $a2 = '/' onerror='alert(1)' - Pre PHP 8.1, single quotes are not escaped by default +// Test: +// /?id=id&img=%2F+onerror%3Dalert%281%29&a1=javascript%3Aalert%281%29&a2=%2F%27+onerror%3D%27alert%281%29 +``` + +To avoid these issues, use Parameterised Queries for SQL and Commands (e.g. `exec`); and a context-aware templating engine for HTML. Then use the [literal-string](https://psalm.dev/docs/annotating_code/type_syntax/scalar_types/#literal-string) type to ensure sensitive strings are defined in your application (i.e. have been written by a developer). + ## Using Baseline With Taint Analysis Since taint analysis is performed separately from other static code analysis, it makes sense to use a separate baseline for it.
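Review bot: In the `+## Limitations` hunk the `$html` example never interpolates the variables that the `// Details:` comment and the `// Test:` URL refer to; `$id`, `$img`, `$a1` and `$a2` appear only in the comments, while the string itself contains just the text `Link 1` and `Line 2`, so a reader cannot see which HTML context (unquoted attribute, `href`, single-quoted attribute) each value lands in or why the "Missing quotes" / "single quotes are not escaped by default" remarks apply. Suggest rewriting the string so each variable is visibly placed in the context the comment describes, for example an `id` attribute without quotes for `$id`, an `href` for `$a1` and a single-quoted `src` for `$a2`, and renaming `Line 2` to `Link 2` so the two anchors read consistently. In the closing paragraph, "Parameterised Queries for SQL and Commands (e.g. `exec`)" conflates two different mitigations: parameterised queries exist for SQL, but `exec` has no parameter binding; for commands the advice should be to pass arguments as an array (or escape each argument individually with `escapeshellarg`) rather than building the command line from tainted strings. Minor style point: the other links in this file are relative (`custom_taint_sinks.md`, `avoiding_false_positives.md`), so the `literal-string` link would be more consistent as a relative path into `annotating_code/type_syntax/scalar_types.md` than an absolute `https://psalm.dev/docs/...` URL.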