Prevent chain of vulnerability
None obvious trusted data
DO:
<?php function test() { $id = Configuration::get('MY_CONF'); $name = Context::getContext()->cookie->mymodule_name; $querystr = 'SELECT id, `' . bqSQL($name) . '` FROM mytable WHERE id = ' . (int) $id; return Db::getInstance()->executeS($querystr); }
Be careful with parameters that come from databases like PrestaShop Configurations ! It can contain an SQL injection… In which case ? If you have another sql injection, this type of vulnerability is more hidden and perhaps easier to exploit. Data from Cookie like in the previous sample with sensitive SQL calls can be dangerous.
Take the habits to fix all sensitive SQL calls !
Sample with file_put_contents
In this sample, this piece of code calls a webservice that should return a barcode image. In a PrestaShop configuration, the administrator has selected a type of file (PNG, JPG or PDF).
DON’T DO:
$type = Configuration::get('MY_TYPE_OF_FILE'); // pdf or jpeg or png $api = new ClientAPI(Configuration::get('MY_API_URL')); $content = $api->getBarcode($product->ean); file_put_contents(dirname(__FILE__) . 'files/' . $product->ean . '.' . $type, $content);
Be aware that code is very sensitive ! In fact, in case of SQL injection or a sensitive controller that saves Configuration without enough verifications, URL of the API and type of file can be hijacked by malicious data. In fine, a hacker can inject a malicious PHP file like a webshell or a filemanager.
DO:
$type = Configuration::get('MY_TYPE_OF_FILE'); // pdf or jpeg or png if (in_array($type, ['png', 'jpeg', 'png']) === false) { exit; } $api = new ClientAPI(Configuration::get('MY_API_URL')); $content = $api->getBarcode($product->ean); file_put_contents(dirname(__FILE__) . 'files/' . $product->ean . '.' . $type, $content);
 |
Prevent logical weakness |  |
 |