
PHP Rewrite Update (v9.6.0)

Overview

This page describes the different PHP language upgrade scenarios introduced in version 9.6.0.

Note

Every query and general query was updated to follow the latest query coding best practices and to avoid false positives.

Warning

  • All query customizations (and/or overrides) should be revalidated after upgrading.

  • Most of the results are new since the queries were improved. Similarly, the inputs, outputs, and sanitizers are different; these changes will generate different similarity IDs resulting in new results.

Related Links: SAST Resources and New and Changed Query Details (PDF)

Queries Scenarios

  • If you overrode a PHP query that was modified

The query and the override will be available. It is advised to revalidate the custom query.

  • If you overrode a PHP general query that was deprecated

The override will be removed.

Warning

Any query override of a deprecated general query should be backed up before the upgrade, to avoid losing the override.


  • If you overrode a PHP query that was renamed (which does not use any deprecated general query)

The override will be available.

Warning

Please take into account that only queries using base.* as a prefix will be updated and renamed.

Danger

It is critical to remove all usages of renamed general queries without the base.* prefix either before or after the upgrade, but before a new scan, to avoid any issues.


  • If you overrode a PHP query (which uses at least one deprecated general query)

Warning

Expect an error while compiling the query.

Danger

It is critical to remove all usages of deprecated general queries either before or after the upgrade, but before a new scan, to avoid any issues.


  • If you overrode a PHP query that changed its severity and was moved to another group

No problems are expected.


Query Results Scenarios

  • There are results in PHP queries (overridden or not) that were modified

Queries were modified with the focus of reducing false positives. As a side effect, in many queries the starting and ending nodes of a result now point to the affected parameter rather than the affected method, compared with the previous PHP version.

<?php
$foo = $_POST['foo'];
echo $foo;

// Before: $_POST (line 2) -> echo (line 3)
// After:  $_POST (line 2) -> $foo (line 3)

This kind of behavior is usual for most queries. For example, for generic database queries, the sink is the execution function parameter, not the method itself.

  • There are results in PHP queries (overridden or not) whose names were changed

The following queries were renamed while reusing the same query ID. All the results are associated with the query ID and not with its name.

Notice

Since the query ID remains the same, nothing needs to be done here: the results will be assigned to the new query (*).

| Old Query | New Query | Old Severity | New Severity |
| Reflected_XSS_All_Clients | Reflected_XSS | High | High |
| Reflection_Injection | Unsafe_Injection | High | High |
| Stored_Reflection_Injection | Stored_Unsafe_Reflection | Medium | Medium |
| Improper_Control_of_Dynamically_Identified_Variables | User_Controlled_Dynamic_Variable | Medium | Medium |
| Inappropriate_Encoding_for_Output_Context | Insufficient_Sanitization_for_XSS | Medium | Low |
| Insecure_Randomness | Use_of_Non_Cryptographic_Random | Medium | Low |

Notes:

  • Queries Object_Injection and Deserialization_of_Untrusted_Data were merged into Deserialization_of_Untrusted_Data. The query scope changed, and thus the query severity was increased to High.

Warning

Results for the old, deprecated Object_Injection query will disappear, and the new results need to be analyzed. The old Deserialization_of_Untrusted_Data results will be assigned the new query severity.

| Old Query | New Query | Old Severity | New Severity |
| Deserialization_of_Untrusted_Data | Deserialization_of_Untrusted_Data | Medium | High |
| Object_Injection | Deserialization_of_Untrusted_Data | Medium | High |

  • The following old queries were removed, and new queries were created that share their intent.

Warning

The query IDs were not recycled, so all results of the new queries must be analyzed.

| Old Query | New Query | Old Severity | New Severity |
| Use_of_Broken_or_Risky_Cryptographic_Algorithm | Broken_or_Risky_Encryption_Algorithm | Low | Medium |
| | Broken_or_Risky_Hashing_Function | | Medium |
| | Outdated_Encryption_Algorithm | | Information |
| | Outdated_Hashing_Function | | Information |
| File_Disclosure | Relative_Path_Traversal | High | Medium |
| Path_Traversal | Stored_Relative_Path_Traversal | Medium | Medium |
| | Absolute_Path_Traversal | | High |
| | Stored_Absolute_Path_Traversal | | High |
| HttpOnlyCookies | HttpOnly_Cookie_Flag_Not_Set | Medium | Medium |
| | HttpOnly_Cookie_Flag_Not_Set_In_Config | | Medium |
| | Secure_Cookie_Flag_Not_Set | | Medium |
| | Secure_Cookie_Flag_Not_Set_In_Config | | Medium |
| | Insecure_Value_of_the_SameSite_Cookie_Attribute_In_Code | | Medium |
| | Insecure_Value_of_the_SameSite_Cookie_Attribute_In_Config | | Medium |
| | Cookie_Overly_Broad_Path | | Low |
| | Cookie_Overly_Broad_Path_In_Config | | Low |
| File_Inclusion | Dangerous_File_Inclusion | | High |
| Remote_File_Inclusion | | | |

Danger

It is critical to remove or replace all usages of renamed queries without the base.* prefix either before or after the upgrade, but before a new scan, to avoid any issues.


  • Many queries search for APIs by their name

The results now reflect PHP's approach to case sensitivity for function names, namely the lack of it.

<?php
// This behavior is valid for both user-defined functions and language built-ins
function sayHello(){
  echo 'Hello, World!';
}
// Old & New support finds this invocation
sayHello();
// Only New support finds this invocation
sayhello();

Notice

All queries were updated to follow PHP's case-sensitivity rules.
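Added example, not from the original page, showing which PHP names are matched case-insensitively: function, method and class names are, variables and constants are not, so a name-based source or sink search has to normalize the first group only.

```php
<?php
// Added example (not from the original page): which PHP names are case-insensitive.
declare(strict_types=1);

function sayHello(): string { return 'Hello, World!'; }
class Greeter { public static function greet(): string { return 'hi'; } }
const MAX_RETRIES = 3;
$token = 'abc';

$dynamicName = 'SAYHELLO';
$checks = [
    // Function names (user-defined and built-in): case-insensitive.
    'direct call'     => sayhello() === 'Hello, World!',
    'dynamic call'    => $dynamicName() === 'Hello, World!',
    'function_exists' => function_exists('SayHello'),
    'built-in'        => STRTOUPPER('x') === 'X',
    // Class and method names: case-insensitive too.
    'class/method'    => greeter::GREET() === 'hi',
    'class_exists'    => class_exists('GREETER'),
    // Variables and constants: case-sensitive, so these are different, undefined names.
    'variable'        => !isset($TOKEN),
    'constant'        => !defined('max_retries'),
];

// A name-based query therefore has to lower-case function, class and method
// names before comparing, but must leave variable and constant names untouched.
foreach ($checks as $name => $ok) {
    printf("%-16s %s\n", $name, $ok ? 'ok' : 'FAIL');
}
```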

Group Scenarios

  • There are groups in PHP that were renamed to enforce consistency in naming conventions (ex.: Php_* → PHP_*)

No problems are expected.

  • Php_Low_Visibility → PHP_Low_Visibility

  • Php_Best_Coding_Practice → PHP_Best_Coding_Practice

Flow Changes

With the new PHP support version, more DOM nodes will in some cases be available in the flow. If any flow is missing, we highly recommend increasing the LazyFlow hops limit.

  • The array support was improved

Before: Arrays were modeled as a MethodInvokeExpr, which meant that every element could influence the returned value, giving rise to some false positive results.

After: Arrays are fully supported as an AssociativeArray, which means that only the flow relevant to the specific key being used will appear.

<?php
$a = array("a", "b");
echo $a[0]; // "a"
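As an added example (not from the original page) of why the key-aware model reduces false positives, a constant value and a user-controlled value are stored in one array; the expected outcomes in the comments follow the Before/After description above and are assumptions about the tool, not documented results.

```php
<?php
// Added example (not from the original page): key-aware array flow.
declare(strict_types=1);

$settings = array(
    'title'  => 'Dashboard',        // constant string, never tainted
    'search' => $_GET['q'] ?? '',   // user-controlled input
);

// Old model (array as MethodInvokeExpr): every element read was treated as
// influenced by $_GET, so this echo was reported although 'title' is a
// constant -> false positive (assumed behaviour, see description above).
echo $settings['title'];

// New model (AssociativeArray): only the 'search' key carries the taint, so
// this echo is expected to remain a genuine result...
echo $settings['search'];

// ...while the encoded version is not, because the sanitizer breaks the flow
// from the source to the output sink.
echo htmlspecialchars($settings['search'], ENT_QUOTES, 'UTF-8');
```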

File Inclusion Changes

  • Previously, there was no support for include/require statements; nevertheless, flow and definitions for methods in different files were still available.

Before: All files were in a shared namespace, which meant that by default every file had access to all other files.

After: The file inclusion is resolved using the given argument.

<?php
// Supported: the path is built only from __DIR__ and a string literal,
// so it can be resolved statically (note the leading slash in the literal)
include __DIR__ . '/filename.php';
// Unsupported: ABS_PATH is only known at run time, so the target file cannot be resolved
include ABS_PATH . 'filename.php';

Danger

Dynamically generated filenames are not supported, because they are only resolved at run time.
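Added example (not from the original page) of a request-driven include written so that every include argument is a literal path of the supported form above; the files under pages/ are assumed to exist, and the claim that such branches resolve statically follows from the rule above rather than from a documented test.

```php
<?php
// Added example (not from the original page): selecting a page to include
// without building the filename from request data.
declare(strict_types=1);

function renderPage(string $page): void
{
    // Each branch passes a constant argument to include: resolvable statically,
    // and the request parameter never becomes part of the include path.
    switch ($page) {
        case 'home':
            include __DIR__ . '/pages/home.php';
            return;
        case 'about':
            include __DIR__ . '/pages/about.php';
            return;
        default:
            http_response_code(404);
            echo 'Unknown page';
            return;
    }
}

// Counterpart to avoid, kept here only as a comment for contrast:
//   include __DIR__ . '/pages/' . $_GET['page'] . '.php';
// The filename exists only at run time, so the analyzer cannot resolve it, and
// the request decides which file is loaded (the Dangerous_File_Inclusion case).

renderPage((string) ($_GET['page'] ?? 'home'));
```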

Retain Results

Our internal benchmarks showed that a large number of results need revalidation after the upgrade. As already mentioned, most of the general queries were reviewed, which has a big impact on the results.

Warning

It is expected that 15% of the results are retained after the upgrade, with a high percentage in the PHP_Best_Coding_Practice query group.

| Severity | Query Name | Average Retain Results (%) |
| High | Deserialization_of_Untrusted_Data RENAMED (Object_Injection) | 70% |
| High | Missing_HSTS_Header | 100% |
| Medium | User_Controlled_Dynamic_Variable | 40% |
| Low | Reliance_on_DNS_Lookups_in_a_Decision | 30% |
| Low | Use_Of_Hardcoded_Password | 70% |
| Low | Use_of_Non_Cryptographic_Random | 30% |
| Information | Declaration_Of_Catch_For_Generic_Exception | 100% |
| Information | Detection_of_Error_Condition_Without_Action | 100% |
| Information | Exposure_of_Resource_to_Wrong_Sphere | 5% |
| Information | Hardcoded_Absolute_Path | 100% |
| Information | Possible_Global_Variable_Overwrite | 100% |
| Information | Unchecked_Error_Condition | 99% |
| Information | Unclosed_Objects | 100% |
| Information | Use_Of_Namespace | 98% |
| Information | Use_Of_Private_Static_Variable | 100% |
| Information | Use_Of_Super_GLOBALS | 70% |

Warning

Most of the missing results are duplicate results, false positives, or the effect of query changes on flow results.

Action on Non-General/General and Impact on Non-General/General

The matrix below summarizes the situations in which a Non-General or a General query went through some change/action. The impact is reported for the status of the results on the query itself and for what may happen to the associated custom/overridden query. Read further below for the effect of General queries on Non-General queries.

Note

The vertical and horizontal axes describe the main action performed on a given non-general query. The cells describe the side effects of the combination of these actions, both on results and on existing custom queries related to the non-general query. Example: File_Inclusion and Remote_File_Inclusion were merged into Dangerous_File_Inclusion; since it makes no sense to reuse either of them, both are removed and a new query is created.

| Actions vs. Impact | renamed | regrouped | rewritten | removed | divided / merged |
| renamed | results: recurrent; custom: recurrent | - | - | - | - |
| regrouped | results: recurrent; custom: recurrent | results: recurrent; custom: recurrent | - | - | - |
| rewritten | results: recurrent, new, fixed; custom: recurrent, new, fixed. Reviewing the custom query to adapt to changes in the original query is advised. | results: recurrent, new, fixed; custom: recurrent, new, fixed. Reviewing the custom query to adapt to changes in the original query is advised. | results: recurrent, new, fixed; custom: recurrent, new, fixed. Reviewing the custom query to adapt to changes in the original query is advised. | - | - |
| removed | NA | NA | NA | results: fixed (results disappear); custom: fixed (query and its results will disappear) | - |
| divided / merged | NA | NA | NA | results: fixed (results will migrate to other emerging queries, and appear as new); custom: fixed (query and its results will disappear) | results: recurrent, new, fixed (results will migrate to other emerging queries, and appear as new); custom: new (a new custom query needs to be created) |

Actions on General vs Impact on Custom Non-General

The matrix below summarizes the situations in which a General query is used inside a Custom Non-General query. It reports the action performed on that General query and its impact on the Custom Non-General query that uses it.

Warning

A series of general queries were renamed due to similarity in intent. The renaming followed this rule: Find_DB_In_* → Find_Bind_*; ex.: Find_DB_In_PDO → Find_Bind_PDO.

The following were also renamed:

  • Find_Mongo_DB_In → Find_Bind_MongoDB

  • Find_DB_Out_Oracle → Find_DB_Out_OCI

| Actions vs. Impact | renamed | regrouped | rewritten | removed | divided / merged |
| renamed | NA | - | - | - | - |
| regrouped | NA | NA | - | - | - |
| rewritten | The references to this general query must be updated with the new name. | NA | results: results may differ. It is advised to review the non-general custom query to adapt to changes in the general query. | - | - |
| removed | NA | NA | NA | An error is expected to occur (when the general query is in use in the non-general custom query). The non-general custom query must remove/replace the use of this general query. | - |
| divided / merged | NA | NA | NA | NA | NA |