<xs:element name="TaintedCookie" type="IssueHandlerType" minOccurs="0" />

<xs:element name="TaintedFile" type="IssueHandlerType" minOccurs="0" />

<xs:element name="TaintedHeader" type="IssueHandlerType" minOccurs="0" />

'file_get_contents' => [['file']],

'file_put_contents' => [['file']],

'fopen' => [['file']],

'unlink' => [['file']],

'copy' => [['file'], ['file']],

'file' => [['file']],

'link' => [['file'], ['file']],

'mkdir' => [['file']],

'move_uploaded_file' => [['file'], ['file']],

'parse_ini_file' => [['file']],

'chown' => [['file']],

'lchown' => [['file']],

'readfile' => [['file']],

'rename' => [['file'], ['file']],

'rmdir' => ['file'],

'header' => [['header']],

'symlink' => [['file']],

'tempnam' => [['file']],

'setcookie' => [['cookie'], ['cookie']],

Potential cookie injection. This rule is emitted when user-controlled input can be passed into a cookie.

The risk of setting arbitrary cookies depends on further application configuration.

Examples of potential issues:

- Session Fixation: If the authentication cookie doesn't change after a successful login an attacker could fixate the session cookie. If a victim logs in with a fixated cookie, the attacker can now take over the session of the user.

- Cross-Site-Scripting (XSS): Some application code could read cookies and print it out unsanitized to the user.

<?php

setcookie('authtoken', $_GET['value'], time() + (86400 * 30), '/');

If this is required functionality, limit the cookie setting to values and not the name. (e.g. `authtoken` in the example)

Make sure to change session tokens after authentication attempts.

- [OWASP Wiki for Session fixation](https://owasp.org/www-community/attacks/Session_fixation)

- [Session Management Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)

- [CWE-384](https://cwe.mitre.org/data/definitions/384.html)

This rule is emitted when user-controlled input can be passed into a sensitive file operation.

The risk here depends on the actual operation that contains user-controlled input, and how it is later on processed.

It could range from:

- Creating files

- Example: `file_put_contents`

- Risk: Depending on the server configuration this may result in remote code execution. (e.g. writing a file in the web root)

- Modifying files

- Example: `file_put_contents`

- Risk: Depending on the server configuration this may result in remote code execution. (e.g. modifying a PHP file)

- Reading files

- Example: `file_get_contents`

- Risk: Sensitive data could be exposed from the filesystem. (e.g. config values, source code, user-submitted files)

- Deleting files

- Example: `unlink`

- Risk: Denial of Service or potentially RCE. (e.g. deleting application code, removing a .htaccess file)

<?php

$content = file_get_contents($_GET['header']);

echo $content;

Use an allowlist approach where possible to verify names on file operations.

Sanitize user-controlled filenames by stripping `..`, `\` and `/`.

- [File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html)

- [OWASP Wiki for Unrestricted FIle Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)

- [CWE-73](https://cwe.mitre.org/data/definitions/73.html)

Potential header injection. This rule is emitted when user-controlled input can be passed into a HTTP header.

The risk of a header injection depends hugely on your environment.

If your webserver supports something like [`XSendFile`](https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile/) / [`X-Accel`](https://www.nginx.com/resources/wiki/start/topics/examples/x-accel/), an attacker could potentially access arbitrary files on the systems.

If your system does not do that, there may be other concerns, such as:

- Cookie Injection

- Open Redirects

- Proxy Cache Poisoning

<?php

header($_GET['header']);

Make sure only the value and not the key can be set by an attacker. (e.g. `header('Location: ' . $_GET['target']);`)

Verify the set values are sensible. Consider using an allow list. (e.g. for redirections)

- [Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)

- [OWASP Wiki for Cache Poisoning](https://owasp.org/www-community/attacks/Cache_Poisoning)

- [CWE-601](https://cwe.mitre.org/data/definitions/601.html)

- [CWE-644](https://cwe.mitre.org/data/definitions/644.html)

use Psalm\Issue\TaintedCookie;

use Psalm\Issue\TaintedFile;

use Psalm\Issue\TaintedHeader;

case TaintKind::INPUT_COOKIE:

$issue = new TaintedCookie(

'Detected tainted cookie',

$issue_location,

$issue_trace,

$path

);

break;

case TaintKind::INPUT_FILE:

$issue = new TaintedFile(

'Detected tainted file handling',

$issue_location,

$issue_trace,

$path

);

break;

case TaintKind::INPUT_HEADER:

$issue = new TaintedHeader(

'Detected tainted header',

$issue_location,

$issue_trace,

$path

);

break;

namespace Psalm\Issue;

class TaintedCookie extends TaintedInput

{

public const SHORTCODE = 257;

}

namespace Psalm\Issue;

class TaintedFile extends TaintedInput

{

public const SHORTCODE = 255;

}

namespace Psalm\Issue;

class TaintedHeader extends TaintedInput

{

public const SHORTCODE = 256;

}

public const INPUT_FILE = 'file';

public const INPUT_COOKIE = 'cookie';

public const INPUT_HEADER = 'header';

TaintKind::INPUT_FILE,

TaintKind::INPUT_HEADER,

TaintKind::INPUT_COOKIE,

'taintedFile' => [

'<?php

file_get_contents($_GET[\'taint\']);',

'error_message' => 'TaintedFile',

],

'taintedHeader' => [

'<?php

header($_GET[\'taint\']);',

'error_message' => 'TaintedHeader',

],

'taintedCookie' => [

'<?php

setcookie($_GET[\'taint\'], \'value\');',

'error_message' => 'TaintedCookie',

],