Diff: tools/VisualCodeGrepper-2.1.0/phpfunctions.conf

Revision:

7:2c9c8b6a28a7

Parent:

6:aeb5a4c194c3

Child:

8:2b6bfa8d9e36

--- a/tools/VisualCodeGrepper-2.1.0/phpfunctions.conf	Tue Mar 20 16:28:33 2018 +0300
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,49 +0,0 @@
-// Functions known to cause issues in PHP code.
-// To add new issues use the format: function name[=>][[N]][description]
-//	(where N is a severity rating of 1 (Critical) to 3 (Medium) (or optionally, 0 for 'normal'))
-//
-// NB - function names are case-sensitive for this file
-//
-// Untrusted Data
-$_REQUEST=>Population of PHP's global arrays can result in server side variables being overwritten by user-submitted data. This functionality is best avoided and should be used with extreme caution. Manually review this section of code to ensure safe usage.
-
-// Command execution
-shell_exec=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
-system=>This function allows execution of commands. It is dangerous with user controlled parameters and may facilitate direct attacks against the web server.
-exec =>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
-popen=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
-passthru=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
-proc_open=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
-pcntl_exec=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
-
-// Code execution
-eval =>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
-assert =>This function will evaluate PHP code. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
-preg_replace=>This function will evaluate PHP code. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
-create_function=>This function allows execution of commands. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
-
-// Information disclosure
-phpinfo =>This debugging function can expose sensitive data to an attacker. Perform a manual check to ensure that its out put data is not visible to normal users.
-show_source=>Shows the PHP source
-
-// Development functionality
-$_GET['debug']=>The codebase appears to contain test functionality which may be abused by an attacker. Carry out a manual check to determine whether the codepath is executable.
-$_GET['test']=>The codebase appears to contain test functionality which may be abused by an attacker. Carry out a manual check to determine whether the codepath is executable.
-
-// Unsafe Randomisation
-mt_rand=>[3]The application uses pseudo-random number generation that is not cryptographically secure. Carry out a manual check to ensure this is not being used in a process that requires cryptographically secure random numbers.
-
-// Insecure cryptographic functions
-md5=>[3] MD5 Hashing algorithm.
-CRYPT_STD_DES=>[2] Standard DES-based hash with a two character salt.
-CRYPT_EXT_DES=>[3] Extended DES-based hash with a 9 character salt.
-CRYPT_MD5=>[3] Crypt MD5 function. Whilst this function uses a twelve character salt it is still MD5.
-mcrypt_cbc=>[3] Deprecated function. Use mcrypt_generic
-mcrypt_cfb=>[3] Deprecated function. Use mcrypt_generic 
-mcrypt_ecb=>[3] Deprecated function. Use mcrypt_generic
-mcrypt_ofb=>[3] Deprecated function. Use mcrypt_generic
-mcrypt_generic_end=>[3] Deprecated function. Use mcrypt_generic_deinit()
-
-// File system
-fopen
-tmpfile
\ No newline at end of file