Do not call extract on untrusted user data

문서 > Datadog 보안 > Code Security > Static Code Analysis (SAST) > SAST 규칙 > Do not call extract on untrusted user data

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: php-security/extract-untrusted-data

Language: PHP

Severity: Error

Category: Security

CWE: 95

Description

The extract() function in PHP can be used to import variables into the local symbol table from an array. However, using it on untrusted data, such as user input, can lead to a variety of security vulnerabilities, including arbitrary code execution and SQL injection, making it a dangerous practice.

By using extract() on untrusted data, you may inadvertently create variables that overwrite important ones, or worse, you could execute harmful code that was injected by a malicious user.

To adhere to this rule, you should explicitly assign and sanitize user input rather than using extract(). This will ensure your code remains secure and compliant.

Non-Compliant Code Examples

<?php
// Insecure: Using extract() on untrusted data from $_GET
extract($_GET);

echo "Hello, $name!";

// Insecure: Using extract() on untrusted data from $_POST
extract($_POST);

if ($isAdmin) {
    echo "Welcome, admin!";
} else {
    echo "Welcome, user!";
}

// Insecure: Using extract() on untrusted data from $_FILES
extract($_FILES['uploadedFile']);

if (move_uploaded_file($tmp_name, "uploads/$name")) {
    echo "File uploaded successfully!";
} else {
    echo "File upload failed.";
}
?>

Compliant Code Examples

<?php
// Secure: Explicitly assign and sanitize user input
$name = htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');

echo "Hello, $name!";

// Secure: Explicitly assign and validate user input
$isAdmin = isset($_POST['isAdmin']) && $_POST['isAdmin'] == '1';

if ($isAdmin) {
    echo "Welcome, admin!";
} else {
    echo "Welcome, user!";
}

// Secure: Explicitly handle file upload variables and validate
$file = $_FILES['uploadedFile'];
$uploadDir = 'uploads/';
$uploadFile = $uploadDir . basename($file['name']);

if (move_uploaded_file($file['tmp_name'], $uploadFile)) {
    echo "File uploaded successfully!";
} else {
    echo "File upload failed.";
}
?>