mirror of
https://github.com/danog/psalm.git
synced 2024-11-27 12:55:26 +01:00
78f4a0691c
* [WIP] Add dedicated sinks for 'file', 'header' and 'cookie' * Add documentation * Add mapping for taint flows * Add tests * Fix test
1.3 KiB
1.3 KiB
TaintedHeader
Potential header injection. This rule is emitted when user-controlled input can be passed into a HTTP header.
Risk
The risk of a header injection depends hugely on your environment.
If your webserver supports something like XSendFile
/ X-Accel
, an attacker could potentially access arbitrary files on the systems.
If your system does not do that, there may be other concerns, such as:
- Cookie Injection
- Open Redirects
- Proxy Cache Poisoning
Example
<?php
header($_GET['header']);
Mitigations
Make sure only the value and not the key can be set by an attacker. (e.g. header('Location: ' . $_GET['target']);
)
Verify the set values are sensible. Consider using an allow list. (e.g. for redirections)