GitLab Advanced SAST rules: PHP
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Rules used by GitLab Advanced SAST to detect vulnerabilities in PHP code.
| Rule ID | Rule description | CWE | OWASP Top 10 | Status |
|---|---|---|---|---|
| php-doctrine-sqli-dbal-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 | N/A |
| php-doctrine-sqli-orm-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 | N/A |
| php-lang-accesscontrol-phpinfo-atomic | Exposure of sensitive system information to an unauthorized control sphere | CWE-497 | A5:2017, A01:2021 | N/A |
| php-lang-cmdi-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 | N/A |
| php-lang-codei-taint | Improper control of generation of code ('Code Injection') | CWE-94 | A1:2017, A03:2021 | N/A |
| php-lang-crypto-curl-ssl-verification-atomic | Improper certificate validation | CWE-295 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-ftp-use-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-hash-atomic | Use of weak hash | CWE-328 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-insecure-randomness-atomic | Use of cryptographically weak pseudo-random number generator (PRNG) | CWE-338 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-mcrypt-cipher-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-mcrypt-cipher-mode-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-mhash-atomic | Use of weak hash | CWE-328 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-openssl-cipher-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-openssl-hash-atomic | Use of weak hash | CWE-328 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-openssl-verify-peer-atomic | Improper certificate validation | CWE-295 | A3:2017, A02:2021 | N/A |
| php-lang-crypto-weak-hash-atomic | Use of weak hash | CWE-328 | A3:2017, A02:2021 | N/A |
| php-lang-deserialization-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 | N/A |
| php-lang-ldapi-dn-taint | Improper neutralization of special elements used in an LDAP query ('LDAP Injection') | CWE-90 | A1:2017, A03:2021 | N/A |
| php-lang-ldapi-filter-taint | Improper neutralization of special elements used in an LDAP query ('LDAP Injection') | CWE-90 | A1:2017, A03:2021 | N/A |
| php-lang-misconfiguration-cookie-httponly-atomic | Sensitive cookie without 'HttpOnly' flag | CWE-1004 | A6:2017, A05:2021 | N/A |
| php-lang-misconfiguration-cookie-samesite-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A6:2017, A05:2021 | N/A |
| php-lang-misconfiguration-cookie-secure-atomic | Sensitive cookie in HTTPS session without 'Secure' attribute | CWE-614 | A6:2017, A05:2021 | N/A |
| php-lang-misconfiguration-session-httponly-atomic | Sensitive cookie without 'HttpOnly' flag | CWE-1004 | A6:2017, A05:2021 | N/A |
| php-lang-misconfiguration-session-samesite-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A6:2017, A05:2021 | N/A |
| php-lang-misconfiguration-session-secure-atomic | Sensitive cookie in HTTPS session without 'Secure' attribute | CWE-614 | A6:2017, A05:2021 | N/A |
| php-lang-misconfiguration-session-useonlycookies-atomic | Use of GET request method with sensitive query strings | CWE-598 | A6:2017, A05:2021 | N/A |
| php-lang-openredirect-taint | URL redirection to untrusted site ('Open Redirect') | CWE-601 | A5:2017, A01:2021 | N/A |
| php-lang-pathtraversal-information-disclosure-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-lang-pathtraversal-medium-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-lang-pathtraversal-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-lang-sqli-inbuilt-libs-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 | N/A |
| php-lang-sqli-inbuilt-libs-two-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 | N/A |
| php-lang-ssrf-buzz-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-lang-ssrf-curl-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-lang-ssrf-functions-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-lang-ssrf-guzzle-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-lang-ssrf-httpful-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-lang-ssrf-reactphp-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-lang-xss-stored-one-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 | N/A |
| php-lang-xss-stored-two-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 | N/A |
| php-lang-xss-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 | N/A |
| php-lang-xxe-domdocument-taint | Improper restriction of XML external entity reference | CWE-611 | A4:2017, A05:2021 | N/A |
| php-lang-xxe-domdocument-xinclude-taint | Improper restriction of XML external entity reference | CWE-611 | A4:2017, A05:2021 | N/A |
| php-lang-xxe-simplexml-taint | Improper restriction of XML external entity reference | CWE-611 | A4:2017, A05:2021 | N/A |
| php-lang-xxe-xmldocument-taint | Improper restriction of XML external entity reference | CWE-611 | A4:2017, A05:2021 | N/A |
| php-lang-xxe-xmlreader-taint | Improper restriction of XML external entity reference | CWE-611 | A4:2017, A05:2021 | N/A |
| php-laravel-cmdi-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 | N/A |
| php-laravel-misconfiguration-cookie-httponly-atomic | Sensitive cookie without 'HttpOnly' flag | CWE-1004 | A6:2017, A05:2021 | N/A |
| php-laravel-misconfiguration-cookie-samesite-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A6:2017, A05:2021 | N/A |
| php-laravel-misconfiguration-cookie-secure-atomic | Sensitive cookie in HTTPS session without 'Secure' attribute | CWE-614 | A6:2017, A05:2021 | N/A |
| php-laravel-misconfiguration-session-httponly-atomic | Sensitive cookie without 'HttpOnly' flag | CWE-1004 | A6:2017, A05:2021 | N/A |
| php-laravel-misconfiguration-session-samesite-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A6:2017, A05:2021 | N/A |
| php-laravel-misconfiguration-session-secure-atomic | Sensitive cookie in HTTPS session without 'Secure' attribute | CWE-614 | A6:2017, A05:2021 | N/A |
| php-laravel-openredirect-taint | URL redirection to untrusted site ('Open Redirect') | CWE-601 | A5:2017, A01:2021 | N/A |
| php-laravel-pathtraversal-file-facade-information-disclosure-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-laravel-pathtraversal-file-facade-medium-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-laravel-pathtraversal-file-facade-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-laravel-pathtraversal-request-response-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-laravel-pathtraversal-storage-facade-information-disclosure-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-laravel-pathtraversal-storage-facade-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-laravel-pathtraversal-view-facade-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-laravel-sqli-column-one-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 | N/A |
| php-laravel-sqli-column-two-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 | N/A |
| php-laravel-sqli-raw-queries-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 | N/A |
| php-laravel-ssrf-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-laravel-ssti-taint | Improper neutralization of special elements used in a template engine | CWE-1336 | A1:2017, A03:2021 | N/A |
| php-laravel-xss-stored-one-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 | Added 2026-02-17 |
| php-laravel-xss-stored-two-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 | Added 2026-02-17 |
| php-laravel-xss-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 | N/A |
| php-smarty-ssti-taint | Improper neutralization of special elements used in a template engine | CWE-1336 | A1:2017, A03:2021 | N/A |
| php-symfony-cmdi-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 | N/A |
| php-symfony-codei-taint | Improper control of generation of code ('Code Injection') | CWE-94 | A1:2017, A03:2021 | N/A |
| php-symfony-deserialization-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 | N/A |
| php-symfony-deserialization-yaml-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 | N/A |
| php-symfony-misconfiguration-cookie-httponly-atomic | Sensitive cookie without 'HttpOnly' flag | CWE-1004 | A6:2017, A05:2021 | N/A |
| php-symfony-misconfiguration-cookie-samesite-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A6:2017, A05:2021 | N/A |
| php-symfony-misconfiguration-cookie-secure-atomic | Sensitive cookie in HTTPS session without 'Secure' attribute | CWE-614 | A6:2017, A05:2021 | N/A |
| php-symfony-misconfiguration-session-httponly-atomic | Sensitive cookie without 'HttpOnly' flag | CWE-1004 | A6:2017, A05:2021 | N/A |
| php-symfony-misconfiguration-session-samesite-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A6:2017, A05:2021 | N/A |
| php-symfony-misconfiguration-session-secure-atomic | Sensitive cookie in HTTPS session without 'Secure' attribute | CWE-614 | A6:2017, A05:2021 | N/A |
| php-symfony-openredirect-taint | URL redirection to untrusted site ('Open Redirect') | CWE-601 | A5:2017, A01:2021 | N/A |
| php-symfony-pathtraversal-filesystem-information-disclosure-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-symfony-pathtraversal-filesystem-medium-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-symfony-pathtraversal-filesystem-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-symfony-pathtraversal-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-symfony-pathtraversal-uploadedfile-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 | N/A |
| php-symfony-ssrf-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 | N/A |
| php-symfony-ssti-taint | Improper neutralization of special elements used in a template engine | CWE-1336 | A1:2017, A03:2021 | N/A |
| php-symfony-xss-stored-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 | N/A |
| php-symfony-xss-stored-two-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 | N/A |
| php-symfony-xss-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 | N/A |
| php-symfony-xss-twig-autoescape-atomic | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 | N/A |