FORBIDDEN FUNCTIONS: Add eval()

[sjokkateer]

This PR forbids the use of a considered non-secure function, eval().

All scripting languages used in web applications have a form of an eval call which receives code at runtime and executes it. If code is crafted using unvalidated and unescaped user input code injection can occur which allows an attacker to subvert application logic and eventually to gain local access.

Take the following PHP script as an example:

<?php

// index.php

declare(strict_types=1);

$x = $_GET['x'];
$y = $_GET['y'];
$z = $_GET['z'];

eval("echo $x * $y / $z;");

Using the following query string:

?x="<pre>", print_r(scandir('./')), "</pre>";//&y=5&z=7

Displays the following in the browser:

Array
(
    [0] => .
    [1] => ..
    [2] => .valet-env.php
    [3] => .vscode
    [4] => composer.json
    [5] => composer.lock
    [6] => index.php
    [7] => phpcs.xml
    [8] => src
    [9] => vendor
)
1

A malicious user has more creative exploits than the example but it demonstrates the risk.

Information taken from OWASP, example taken from SE INFOSEC.

For a real example see: TRUESEC which exploits unserialize() (forbidden in PR 33), which, through a so called gadget chain gets to a class that makes use of eval(), resulting in the establishment of a reverse shell.

With eval() added to the list of forbidden functions, the user would get the following error notification:

------------------------------------------------------------------------------------------------------------------------
9 | ERROR | The use of function eval() is forbidden (Generic.PHP.ForbiddenFunctions.Found)
------------------------------------------------------------------------------------------------------------------------

The PHP documentation also reports a warning/caution about eval() in its documentation.