From ff55dba1302b3852c9e3b60edf8f33b0cf269eb5 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Mon, 16 Nov 2020 21:04:22 +0100
Subject: [PATCH] Add sinks for popen and proc_open (#4572)
User input in those two functions could lead to a RCE.
popen: https://www.php.net/manual/en/function.popen.php
proc_open: https://www.php.net/manual/en/function.proc-open.php
---
 dictionaries/InternalTaintSinkMap.php | 2 ++
 tests/TaintTest.php | 12 +++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/dictionaries/InternalTaintSinkMap.php b/dictionaries/InternalTaintSinkMap.php
index d6451202b..3313d24b8 100644
--- a/dictionaries/InternalTaintSinkMap.php
+++ b/dictionaries/InternalTaintSinkMap.php
@@ -39,4 +39,6 @@ return [
 'shell_exec' => [['shell']],
 'system' => [['shell']],
 'unserialize' => [['text']],
+'popen' => [['shell']],
+'proc_open' => [['shell']],
 ];
diff --git a/tests/TaintTest.php b/tests/TaintTest.php
index 206dfc9d1..d00f40918 100644
--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@@ -1615,7 +1615,17 @@ class TaintTest extends TestCase
 echo some_stub($r);',
 'error_message' => 'TaintedInput',
- ]
+ ],
+ 'taintPopen' => [
+ ' 'TaintedInput',
+ ],
+ 'taintProcOpen' => [
+ ' 'TaintedInput',
+ ],
 /*
 // TODO: Stubs do not support this type of inference even with $this->message = $message.
 // Most uses of getMessage() would be with caught exceptions, so this is not representative of real code.
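Review bot: The new `'proc_open' => [['shell']]` entry in InternalTaintSinkMap.php appears to cover only the first argument, assuming each inner list in this map stands for one parameter position. Since PHP 7.4 that argument may also be an array that is run without a shell, and the `$cwd` and `$env_vars` arguments also shape the spawned process, so tainted data reaching them would presumably go unreported. A comment above the two entries would make that limit explicit, for example `// popen/proc_open: only the command argument is tracked; cwd and env are not`. The new keys are also appended after `'unserialize'` and look unindented, while the visible neighbours are alphabetical; moving them up keeps the map easy to audit for missing functions. The array begins above the hunk, so its other entries are not visible here.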