
Prevent chain of vulnerability

  1. Not obviously trusted data
  2. Sample with file_put_contents

Not obviously trusted data

DO:

<?php
function test() {
   // Both values come from storage, not from the request, yet neither is trusted.
   $id = Configuration::get('MY_CONF');
   $name = Context::getContext()->cookie->mymodule_name;
   // bqSQL() escapes the column name used as an identifier; (int) forces a numeric id.
   $querystr = 'SELECT id, `' . bqSQL($name) . '` FROM mytable WHERE id = ' . (int) $id;
   return Db::getInstance()->executeS($querystr);
}

Be careful with parameters that come from the database, such as PrestaShop Configuration values! They can carry an SQL injection. In which case? If another SQL injection exists elsewhere, this kind of second-order vulnerability is more hidden and perhaps easier to exploit. Data from a cookie, as in the previous sample, used in sensitive SQL calls can be dangerous too.

Make it a habit to secure all sensitive SQL calls!

Sample with file_put_contents

In this sample, the code calls a web service that should return a barcode image. In the PrestaShop configuration, the administrator has selected a file type (PNG, JPG or PDF).

DON’T DO:

$type = Configuration::get('MY_TYPE_OF_FILE'); // pdf or jpeg or png, read from the database as-is
$api = new ClientAPI(Configuration::get('MY_API_URL'));

$content = $api->getBarcode($product->ean);

// Both the extension and the content are controlled by Configuration values.
file_put_contents(dirname(__FILE__) . '/files/' . $product->ean . '.' . $type, $content);

Be aware that this code is very sensitive! In case of an SQL injection, or of a controller that saves Configuration values without enough verification, the API URL and the file type can be hijacked with malicious data. In the end, an attacker can plant a malicious PHP file such as a webshell or a file manager.

DO:

$type = Configuration::get('MY_TYPE_OF_FILE'); // pdf or jpeg or png
// Allow-list the extension (strict comparison) before it reaches the filesystem.
if (in_array($type, ['png', 'jpeg', 'pdf'], true) === false) {
   exit;
}
$api = new ClientAPI(Configuration::get('MY_API_URL'));

$content = $api->getBarcode($product->ean);

file_put_contents(dirname(__FILE__) . '/files/' . $product->ean . '.' . $type, $content);
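A hardened version of the sample, as an added example that is not the page's or PrestaShop's own code: it allow-lists the file type the way the DO block does, and also validates the EAN that both samples concatenate into the path. The function names, the directory and the sample values are assumptions.

```php
<?php
// Added example, not code from the PrestaShop documentation or the project.
// Both untrusted inputs, the file type (from Configuration) and the EAN (from
// the product row), are checked against an allow-list before they become part
// of a filesystem path. Names, directory and sample values are assumptions.

const BARCODE_TYPES = ['png' => true, 'jpeg' => true, 'pdf' => true];

/**
 * Build the destination path for a barcode file.
 * Returns null when either input is rejected, so the caller never writes.
 */
function barcodeTargetPath(string $baseDir, string $ean, string $type): ?string
{
    // Strict allow-list of extensions: 'php', 'phtml', 'PNG' etc. are all refused.
    if (!isset(BARCODE_TYPES[$type])) {
        return null;
    }
    // An EAN/GTIN is 8 to 14 digits. Slashes, dots and other characters
    // (which could redirect the write elsewhere) never pass this check.
    if (preg_match('/^[0-9]{8,14}$/', $ean) !== 1) {
        return null;
    }
    return rtrim($baseDir, '/') . '/files/' . $ean . '.' . $type;
}

/** Write the barcode only when the path was accepted; returns false otherwise. */
function saveBarcode(string $baseDir, string $ean, string $type, string $content): bool
{
    $target = barcodeTargetPath($baseDir, $ean, $type);
    if ($target === null) {
        return false;
    }
    return file_put_contents($target, $content) !== false;
}

// Constructed inputs, including values a tampered Configuration row could hold.
$samples = [
    ['3760001234567', 'png'],   // accepted
    ['3760001234567', 'php'],   // extension not in the allow-list
    ['3760001234567', 'PNG'],   // case-sensitive: normalise upstream or reject
    ['../index', 'pdf'],        // not a digit-only EAN
];
foreach ($samples as [$ean, $type]) {
    $path = barcodeTargetPath(__DIR__, $ean, $type);
    printf("%-15s %-5s => %s\n", $ean, $type, $path ?? 'rejected');
}
```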



