This rule is deprecated, and will eventually be removed.
Using command line arguments is security-sensitive. It has led in the past to the following vulnerabilities:
Command line arguments can be dangerous just like any other user input. They should never be used without being first validated and sanitized.
Remember also that any user can retrieve the list of processes running on a system, which makes the arguments provided to them visible. Thus
passing sensitive information via command line arguments should be considered as insecure.
This rule raises an issue when on every program entry points (main methods) when command line arguments are used. The goal is to guide
security code reviews.
Ask Yourself Whether
- any of the command line arguments are used without being sanitized first.
- your application accepts sensitive information via command line arguments.
If you answered yes to any of these questions you are at risk.
Recommended Secure Coding Practices
Sanitize all command line arguments before using them.
Any user or application can list running processes and see the command line arguments they were started with. There are safer ways of providing
sensitive information to an application than exposing them in the command line. It is common to write them on the process' standard input, or give the
path to a file containing the information.
Sensitive Code Example
Builtin access to $argv
function globfunc() {
global $argv; // Sensitive. Reference to global $argv
foreach ($argv as $arg) { // Sensitive.
// ...
}
}
function myfunc($argv) {
$param = $argv[0]; // OK. Reference to local $argv parameter
// ...
}
foreach ($argv as $arg) { // Sensitive. Reference to $argv.
// ...
}
$myargv = $_SERVER['argv']; // Sensitive. Equivalent to $argv.
function serve() {
$myargv = $_SERVER['argv']; // Sensitive.
// ...
}
myfunc($argv); // Sensitive
$myvar = $HTTP_SERVER_VARS[0]; // Sensitive. Note: HTTP_SERVER_VARS has ben removed since PHP 5.4.
$options = getopt('a:b:'); // Sensitive. Parsing arguments.
$GLOBALS["argv"]; // Sensitive. Equivalent to $argv.
function myglobals() {
$GLOBALS["argv"]; // Sensitive
}
$argv = [1,2,3]; // Sensitive. It is a bad idea to override argv.
Zend Console
new Zend\Console\Getopt(['myopt|m' => 'this is an option']); // Sensitive
Getopt-php library
new \GetOpt\Option('m', 'myoption', \GetOpt\GetOpt::REQUIRED_ARGUMENT); // Sensitive
See
