OS Command Injection via eval()
Description
eval() executes its string argument as PHP code. If any part of that string is non-constant (derived from a request parameter, a database row, a file, or any other attacker-influenced source), the attacker controls PHP syntax itself and can call system(), exec(), shell_exec(), passthru() or the backtick operator, which runs arbitrary OS commands with the privileges of the web server process. Escaping or quoting the input does not help, because the attacker is supplying code rather than a shell argument; only keeping user data out of eval() entirely removes the issue.
Examples
Insecure Code
```php
<?php
// $user_input is attacker-controlled (e.g. a request parameter); whatever it holds is
// executed as PHP, so a value such as `system("id");` runs a shell command on the server.
eval($user_input);
```
Secure Code
```php
<?php
// Only fixed, known-safe commands are allowed. Strict comparison (third argument) avoids
// loose-equality surprises, and the user string reaches exec() only if it matches exactly.
$allowed_commands = ['ls', 'pwd'];
if (in_array($user_input, $allowed_commands, true)) {
    exec($user_input);
}
```
Remediation
Do not pass user-controlled input to eval(); in almost every case the feature can be implemented without eval() at all. When a fixed set of operations is genuinely required, have the caller select an action by name, validate that name against an allow list, and map it to a hard-coded command that the user string never becomes part of. If a command needs a user-supplied argument, validate the argument against a strict pattern and pass it through escapeshellarg() so it cannot terminate the command or inject options. Sanitising input and then still feeding it to eval() is not a fix.
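The following is an added example, not code from the rule or the phpcs-security-audit project: it places the eval()-based version of a "run the command the user asks for" feature beside a hardened dispatcher in which no user-controlled string is ever executed as PHP or pasted into a shell line. The function names, the ALLOWED_ACTIONS map and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not the rule's own code). Names below are illustrative assumptions.
declare(strict_types=1);

// Vulnerable: the request value is executed as PHP. Escaping does not help, because
// the attacker controls PHP syntax, not merely a shell argument.
function run_vulnerable(string $user_input): void
{
    // A value such as  system("id");  or  `cat /etc/passwd`;  runs an OS command
    // with the web server's privileges.
    eval($user_input);
}

// Hardened: the caller picks an action *name*; each name maps to a fixed program and
// fixed option list. The only user data that can reach the shell is one argument, which
// is validated and then passed through escapeshellarg(), so it can never become a
// second command or an extra option.
const ALLOWED_ACTIONS = [
    'list' => ['ls', '-l'],
    'cwd'  => ['pwd'],
    'wc'   => ['wc', '-l'],
];

function run_allowed(string $action, ?string $arg = null): array
{
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        throw new InvalidArgumentException("unknown action: {$action}");
    }
    $argv = ALLOWED_ACTIONS[$action];

    if ($arg !== null) {
        // Defense in depth: accept only a plain file name (no separators, no whitespace,
        // no shell metacharacters) and refuse a leading dash so it cannot act as an option.
        if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $arg) || $arg[0] === '-') {
            throw new InvalidArgumentException("rejected argument: {$arg}");
        }
        $argv[] = $arg;
    }

    // Every word is quoted individually; the command structure itself is fixed above.
    $cmdline = implode(' ', array_map('escapeshellarg', $argv));
    exec($cmdline, $output, $status);
    return ['status' => $status, 'output' => $output];
}

// Usage with constructed inputs:
$r = run_allowed('cwd');                 // runs: 'pwd'
$r = run_allowed('wc', 'index.php');     // runs: 'wc' '-l' 'index.php'

try {
    run_allowed('cwd; rm -rf /');        // not a key in ALLOWED_ACTIONS -> exception
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
try {
    run_allowed('wc', 'x; id');          // fails the argument pattern -> exception
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The important design point is that the attacker's string is compared against, or validated for, a fixed shape and then discarded or quoted; it is never interpreted. Even if the validation regex were later relaxed, the action-to-argv map still prevents an arbitrary program from being chosen, and escapeshellarg() still prevents the argument from breaking out of its quotes.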
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0748 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | command injection, eval |
| OWASP | A1:2017-Injection, A03:2021-Injection |
References
- https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php
- https://www.php.net/manual/en/function.eval