New Published Rules - formassembly.wp-ssrf-audit (#3574)

* add formassembly/wp-ssrf-audit.yaml

* add formassembly/wp-ssrf-audit.php

* update wp-ssrf-audit test

* move wp-ssrf-audit rule to php directory

* update wp-ssrf-audit rule

* update wp-ssrf-audit rule

---------

Co-authored-by: AJ Dumanhug <[email protected]>
Co-authored-by: Vasilii Ermilov <[email protected]>

Author: 3 people

php/wordpress-plugins/security/audit/wp-ssrf-audit.php

@@ -0,0 +1,58 @@
+<?php
+
+$url = $_GET['url'];
+// ruleid: wp-ssrf-audit
+$response = wp_remote_get($url);
+
+$url = $_GET['url'];
+// ruleid: wp-ssrf-audit
+$response = wp_safe_remote_get($url);
+
+$url = $_GET['url'];
+// ruleid: wp-ssrf-audit
+$response = wp_safe_remote_request($url);
+
+$url = $_GET['url'];
+// ruleid: wp-ssrf-audit
+$response = wp_safe_remote_head($url);
+
+$url = $_GET['url'];
+// ruleid: wp-ssrf-audit
+$response = wp_oembed_get($url);
+
+$url = $_GET['url'];
+// ruleid: wp-ssrf-audit
+$response = vip_safe_wp_remote_get($url);
+
+$url = $_GET['url'];
+// ruleid: wp-ssrf-audit
+$response = wp_safe_remote_post($url);
+
+// ruleid: wp-ssrf-audit
+$response = wp_remote_get($_POST['link']);
+
+// ruleid: wp-ssrf-audit
+$response = wp_safe_remote_post($_POST['link']);
+
+// ruleid: wp-ssrf-audit
+$response = wp_remote_get($_REQUEST['target']);
+
+// ruleid: wp-ssrf-audit
+$response = wp_safe_remote_request($_REQUEST['target']);
+
+$url = get_option('external_api_url');
+// ruleid: wp-ssrf-audit
+$response = wp_remote_get($url);
+
+$url = get_user_meta(get_current_user_id(), 'custom_api', true);
+// ruleid: wp-ssrf-audit
+$response = wp_remote_get($url);
+
+$url = get_query_var('redirect_url');
+// ruleid: wp-ssrf-audit
+$response = wp_remote_get($url);
+
+// ok: wp-ssrf-audit
+$response = wp_remote_get('https://example.com/api/data');
+
+?>

php/wordpress-plugins/security/audit/wp-ssrf-audit.yaml

@@ -0,0 +1,48 @@
+rules:
+- id: wp-ssrf-audit
+  languages:
+  - php
+  severity: WARNING
+  message: Detected usage of vulnerable functions with user input, which could lead
+    to SSRF vulnerabilities.
+  mode: taint
+  pattern-sources:
+    - patterns:
+      - pattern-either:
+        - pattern: $_GET[...]
+        - pattern: $_POST[...]
+        - pattern: $_REQUEST[...]
+        - pattern: get_option(...)
+        - pattern: get_user_meta(...)
+        - pattern: get_query_var(...)
+  pattern-sinks:
+    - patterns:
+      - focus-metavariable: $URL
+      - pattern-either:
+        - pattern: wp_remote_get($URL, ...)
+        - pattern: wp_safe_remote_get($URL, ...)
+        - pattern: wp_safe_remote_request($URL, ...)
+        - pattern: wp_safe_remote_head($URL, ...)
+        - pattern: wp_oembed_get($URL, ...)
+        - pattern: vip_safe_wp_remote_get($URL, ...)
+        - pattern: wp_safe_remote_post($URL, ...)
+  paths:
+    include:
+    - wp-content/plugins/**/*.php
+  metadata:
+    cwe: 'CWE-918: Server-Side Request Forgery (SSRF)'
+    owasp: A10:2021 - Server-Side Request Forgery (SSRF)
+    category: security
+    confidence: MEDIUM
+    likelihood: MEDIUM
+    impact: HIGH
+    subcategory:
+    - audit
+    technology:
+    - Wordpress Plugins
+    references:
+    - https://developer.wordpress.org/reference/functions/wp_safe_remote_get/
+    - https://developer.wordpress.org/reference/functions/wp_remote_get/
+    - https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf/
+    vulnerability_class:
+    - Server-Side Request Forgery (SSRF)