
Snyk False Positives for XSS in PHP

We've recently started using Snyk to perform code analysis; however, we have hit the stumbling block that the first scan is reporting many (>700) XSS vulnerabilities despite having code in place to sanitise and handle this.

It looks like Snyk is unable to take into account that we are performing sanitisation in a different method that is included from a separate file, for example:

$mySuperAwesomeVar = Sanitise($_GET["NaughtyUser"]);

Looking at the Data Flow for the detection, we can see that the source of it is the aforementioned line, but it doesn't go into that Sanitise method.

Any ideas?

Snyk have advised that this is a limitation of the product and have suggested that a templating language such as Twig should be used instead:

Unfortunately in some cases it's not possible to identify the appropriate data flow when it is separated over multiple files. This is probably the case here. Our support for PHP (and all languages we support) is ever-evolving and we are working on improving this. [...]

This might not be a feasible solution, but using a PHP template engine such as Twig could help (reduce FP rate, ensure consistent escaping and layout etc.), rather than using echo in such a way to render dynamic content.
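The following is an added example, not code from the question, the answer or Snyk. It shows the pattern the thread is about: a request parameter flowing from $_GET to an echo sink, first with no encoding, then with the encoding applied at the sink and chosen for the output context (HTML text, URL query component, JavaScript string). The helper names escHtml, escUrlParam and escJs and the sample payload are assumptions made for the example. A single sanitiser applied where the parameter is read, as in the question's Sanitise($_GET["NaughtyUser"]), cannot know which of these contexts the value will later land in, which is why escaping at the output is the form that both reviewers and template engines with autoescaping (the answer's Twig suggestion) rely on.

```php
<?php
declare(strict_types=1);

// Added example (not from the original question or answer). A tainted
// request parameter reaches an HTML output sink, first unescaped, then
// with output encoding applied at the sink for each output context.

/** Escape for insertion into HTML text content or a double-quoted attribute. */
function escHtml(string $value): string
{
    // ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // rather than returning an empty string, which would silently drop output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Escape for a value placed inside a URL query component. */
function escUrlParam(string $value): string
{
    return rawurlencode($value);
}

/** Escape for a value embedded inside a <script> block as a JS string literal. */
function escJs(string $value): string
{
    // The JSON_HEX_* flags keep <, >, &, ' and " out of the script context so a
    // payload cannot close the <script> element or break out of the string.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input standing in for $_GET["NaughtyUser"] when run
// outside a web server; the payload is made up for the demonstration.
$naughtyUser = $_GET['NaughtyUser'] ?? '<script>alert(1)</script>" onmouseover="alert(2)';

// Unsafe: the tainted source reaches the HTML sink with no encoding.
// echo '<p>Hello ' . $naughtyUser . '</p>';

// Safe: encode at the sink, with the encoder chosen for the output context.
echo '<p>Hello ' . escHtml($naughtyUser) . "</p>\n";
echo '<a href="/profile?user=' . escUrlParam($naughtyUser) . '">profile</a>' . "\n";
echo '<script>var user = ' . escJs($naughtyUser) . ";</script>\n";
```

Run it with `php example.php` (or request it through a web server with `?NaughtyUser=...`) and compare the three output lines: the same payload is rendered as inert text in the paragraph, percent-encoded in the link, and as a JSON string literal with angle brackets and quotes hex-escaped in the script block. Whether a given static analyser recognises these calls as sanitisers is tool-specific and is not something this thread establishes; what the example shows is the context-specific encoding at the sink that such tools and template autoescaping are built around.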
