Learn an extension Taint for detecting dangerous functions in PHP

Posted by atokatim on Tue, 14 Dec 2021 04:43:17 +0100

In daily development, security has always been one of the key subjects we need to study. The most important point in security is our input data: every attack and every unauthorised action starts from a request vulnerability that was inadvertently left in. Of course, many frameworks have solved most of the security problems for us, but there are always unexpected places where we forget to add filtering or omit some validation. The extension we learn today was born to solve this problem.

What is Taint

Following the last article, we introduce another extension tool from brother bird (Laruence). Taint is one of the works of this great god. However, this extension is not recommended for installation in the production environment; its main battlefield is our test environment. Its main function is this: if we use unprocessed variables such as $_GET, $_POST and $_COOKIE, a warning message is reported. Note that this is a warning, not an error or exception. Generally, in the online environment we habitually turn off the reporting of warning messages, so the usefulness of this extension online is limited.

Installing the extension is very simple: download the corresponding extension and install it like any ordinary extension; it needs no support from other components in the operating system. For details of this extension, please refer to brother bird's article in the second link at the end of this article.

How to use it?

After adding the extension to php.ini and setting taint.enable = 1, the extension is officially enabled. Then we test it through code.

$a = $_GET['a'];
$file_name = '/tmp' .  $a;
$output    = "Welcome, {$a} !!!";
$var       = "output";
$sql       = "Select *  from " . $a;

echo $a, "<br/>"; // Warning: main() [echo]: Attempt to echo a string that might be tainted in /data/www/blog/taint/1.php on line 10

echo $output, "<br/>"; // Warning: main() [echo]: Attempt to echo a string that might be tainted in /data/www/blog/taint/1.php on line 12

print $$var; echo "<br/>"; // Warning: main() [print]: Attempt to print a string that might be tainted in /data/www/blog/taint/1.php on line 14

include($file_name);echo "<br/>"; // Warning: main() [include]: File path contains data that might be tainted in /data/www/blog/taint/1.php on line 16

mysqli_query(null, $sql);echo "<br/>"; // Warning: main() [mysqli_query]: SQL statement contains data that might be tainted in /data/www/blog/taint/1.php on line 18

We use php -S to debug the test file. After accessing the test file with the a parameter, we can see that the following operations report warnings. The unfiltered $a, whether spliced into a string or used directly as a variable, triggers an alarm as soon as it passes through echo, print, include or mysqli_query(), reminding you that the data string you are using needs to be filtered. taint means stain; "might be tainted" means the content may have been stained.

Most functions for output or database operations report these warnings. The specific list of checked functions can be found in the official documentation.

We can also verify whether a variable contains such unprocessed data through a judgment function.

var_dump(is_tainted($var)); // bool(false) 
echo "<br/>";
var_dump(is_tainted($output)); // bool(true) 
echo "<br/>";

How to avoid the warning?

How do we keep it from warning? By processing the data, of course.

$output    = "Welcome, ".htmlentities($a)." !!!";
echo $output, "<br/>";

$sql       = "Select *  from " . mysqli_escape_string(null, $a);
mysqli_query(null, $sql);echo "<br/>";

When outputting HTML code, this corresponds to preventing XSS attacks; during database operations, escaping prevents SQL injection attacks. After the data has been processed with these security functions, no alarm is reported.
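To make the is_tainted() check and the sanitisation above usable in a test run, here is an added example (not code from the original post) that turns Taint's warnings into exceptions and compares how the taint mark survives a hand-rolled filter versus the escaping functions Taint recognises. It assumes a test environment with the extension loaded and taint.enable=1; the function name taintReport() is my own.

```php
<?php
// Added example, not code from the original post. Assumes a test environment
// with the Taint extension loaded and taint.enable=1 in php.ini.

// Taint reports through E_WARNING, which many setups silence. Converting the
// Taint warnings into exceptions makes an unfiltered value that reaches a sink
// fail the test request instead of being quietly logged.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if ($errno === E_WARNING && strpos($errstr, 'might be tainted') !== false) {
        throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
    }
    return false; // every other error goes through PHP's normal handling
});

// Reports which variants of the input are still marked as tainted. is_tainted()
// exists only when the extension is loaded; without it every entry is false.
function taintReport(string $userInput): array
{
    $tainted = static function (string $s): bool {
        return function_exists('is_tainted') && is_tainted($s);
    };
    return [
        // the raw request value carries the mark
        'raw'              => $tainted($userInput),
        // string operations propagate the mark, so a home-grown filter built on
        // str_replace() is expected to leave it in place
        'str_replace'      => $tainted(str_replace(['<', '>'], '', $userInput)),
        // the context-specific escaping functions Taint knows about clear it
        'htmlspecialchars' => $tainted(htmlspecialchars($userInput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')),
        'escapeshellarg'   => $tainted(escapeshellarg($userInput)),
    ];
}

$a = $_GET['a'] ?? '';
foreach (taintReport($a) as $variant => $stillTainted) {
    // $variant is a constant key, so echoing it does not trigger Taint
    echo $variant, ': ', $stillTainted ? 'tainted' : 'clean', "<br/>";
}

try {
    echo 'Welcome, ', htmlspecialchars($a, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), " !!!<br/>";
    echo $a; // unfiltered request data reaching echo: Taint warns, the handler throws
} catch (ErrorException $e) {
    http_response_code(500);
    echo 'Taint check failed: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Run it with php -S and request the script with ?a=... to see the report and the converted exception.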

It can be seen that this extension is a really good helper in our daily development and debugging, especially in the test environment. As mentioned earlier, there will always be omissions and things we forget. Letting the program discover them automatically through this extension can greatly improve the security of what we develop.

Detection and conversion functions

Finally, the Taint extension provides two functions: one to force a warning and one to remove it. Of course, they are also convenient for debugging in the test environment.

$newOutput = "Welcome !!!";
echo $newOutput, "<br/>";
var_dump(taint($newOutput)); // bool(true) 
echo $newOutput, "<br/>"; // Warning: main() [echo]: Attempt to echo a string that might be tainted in /data/www/blog/taint/1.php on line 39

$newOutput = "Welcome {$a} !!!";
echo $newOutput, "<br/>"; // Warning: main() [echo]: Attempt to echo a string that might be tainted in /data/www/blog/taint/1.php on line 42
var_dump(untaint($newOutput)); // bool(true) 
echo $newOutput, "<br/>";

The taint() function makes a normal statement report a warning, while untaint() makes data that should be alarmed not alarm at all.
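Beyond forcing a warning for a test, taint() is useful for extending tracking to inputs the extension does not mark by itself. The following added example (not the post's code) marks values from non-request sources so Taint follows them; it assumes the extension is loaded, the sample values are constructed, and taintAll() is my own helper.

```php
<?php
// Added example, not code from the original post. Assumes the Taint extension is
// loaded with taint.enable=1 in a test environment. By itself Taint marks only
// $_GET, $_POST and $_COOKIE; taint() lets a test extend the tracking to other
// untrusted inputs. The sample values below are constructed for this example.

// Marks every string in the array as tainted so it is tracked like request data.
function taintAll(array $values): array
{
    if (!function_exists('taint')) {
        return $values; // extension not loaded: nothing to mark
    }
    foreach ($values as &$v) {
        if (is_string($v)) {
            taint($v);
        }
    }
    unset($v);
    return $values;
}

// Stand-ins for an uploaded file name and a line read from a shared queue file.
$untrusted = taintAll([
    'filename'  => 'report<script>.csv',
    'queueLine' => "id=7' OR '1'='1",
]);

// The mark follows string concatenation, so a path built from the name is
// tainted and an include() of it would be reported, as in the post's example.
$path          = '/tmp/uploads/' . $untrusted['filename'];
$isPathTainted = function_exists('is_tainted') && is_tainted($path); // true with Taint

// Escaping for the output context clears the mark, so this echo is not reported.
echo 'Stored: ', htmlspecialchars($untrusted['filename'], ENT_QUOTES, 'UTF-8'), "<br/>";

// untaint() is test scaffolding only: it silences the check without changing the
// content, so it is no substitute for filtering in application code.
$line = $untrusted['queueLine'];
if (function_exists('untaint')) {
    untaint($line);
}
echo $line; // no longer reported, although the data is exactly as untrusted as before
```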

Summary

This is another very small extension, but it is really useful once learned, and it is especially suitable for providing an alarm system in our test environment that comprehensively checks security and quality. As this article has emphasised throughout, omissions are inevitable in medium and large project development. Even with a perfect code review mechanism, there will always be loopholes that everyone misses. Testing through programs is the best way. You can try it more.

Test code:

https://github.com/zhangyue0503/dev-blog/blob/master/php/2021/02/source/1. Learn an extension Taint.php for detecting dangerous functions php

Reference documents:

https://www.php.net/manual/zh/book.taint.php

https://www.laruence.com/2012/02/14/2544.html

Topics: PHP