Resource Injection

ID

php.resource_injection

Severity

high

Resource

Injection

Language

Php

Tags

CWE:99, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1

Description

Improper control of resource identifiers ('Resource Injection').

Rationale

Resource Injection occurs when an attacker is able to manipulate inputs that are concatenated with paths, queries, or resource identifiers in such a way that unintended resources are accessed. The main risk is unauthorized access, data leakage, and potential modification or destruction of resources.

For example, consider this PHP code snippet:

<?php
  $path = $_POST['path'];
  $remote = FTP_BASEDIR . $path;
  $local = LOCAL_BASEDIR . $path;
  $conn = ftp_connect(MY_FTP_SERVER);
  ftp_get($conn, $local, $remote, FTP_BINARY); // FLAW
  ftp_close($conn);
?>

In this example, $path is concatenated to construct a resource path. If $path can be influenced by user input without any validation or sanitization, an attacker could potentially access and load unintended resources within the application’s directory structure.

Remediation

The most common way to prevent resource injection vulnerabilities is to sanitize user input before it is used to construct a resource: ensure that resource identifiers are strictly validated against a whitelist of known safe values, so that arbitrary input is never interpreted as a valid identifier.

If whitelisting is not possible, use a strict blacklist to limit the range of allowed identifiers.

Additional precautions include:

  • Privilege Segregation: Run resource access code under the least privilege principle. Design the application to minimize the access scope for sensitive resources.

  • Logging and Alerting: Implement comprehensive logging and alerting to monitor resource access, making clear which resources are accessed. This helps in early detection of suspicious activities or misuse.

  • Static Code Analysis: Utilize SAST tools with detectors that specifically check for untrusted input in resource construction. Regular scans will help identify new vulnerabilities introduced in your code base.
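The following is an added example, not code from the detector's documentation, showing how the ftp_get() snippet above can be hardened along the lines of this remediation: the untrusted value is used only as a key into a whitelist and never becomes part of the path, a stricter filename check stands in where a fixed whitelist is impractical, and rejected identifiers are logged. The constant values, the whitelist contents and the function names (resolveReport, validateFileName, downloadReport) are assumptions made for the example.

```php
<?php
// Added example (not the page's or the detector's own code).
// FTP_BASEDIR, LOCAL_BASEDIR and MY_FTP_SERVER are the constants the original
// snippet relies on; their values here are constructed for illustration.
declare(strict_types=1);

const FTP_BASEDIR   = '/exports/';
const LOCAL_BASEDIR = '/var/app/downloads/';
const MY_FTP_SERVER = 'ftp.example.invalid';

// Whitelist of known safe resources (constructed). The key is the only thing a
// client may send; the value is the file name the application chooses.
const ALLOWED_REPORTS = [
    'daily'   => 'report-daily.csv',
    'weekly'  => 'report-weekly.csv',
    'monthly' => 'report-monthly.csv',
];

/**
 * Map an untrusted identifier to a trusted file name, or return null when the
 * identifier is not on the whitelist. The untrusted string is used purely as a
 * lookup key, so it can never contribute characters to the resulting path.
 */
function resolveReport(string $untrusted): ?string
{
    return ALLOWED_REPORTS[$untrusted] ?? null;
}

/**
 * Fallback for cases where a fixed whitelist is impractical: accept only a
 * bare file name built from a small safe character set, which rules out
 * directory separators, '..' segments and control characters by construction.
 * Returns the name unchanged on success, or null on rejection.
 */
function validateFileName(string $untrusted): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\.(csv|txt)\z/', $untrusted) !== 1) {
        return null;
    }
    return $untrusted;
}

/**
 * Hardened counterpart of the original snippet. Returns true when the file was
 * fetched, false when the identifier was rejected or the transfer failed.
 */
function downloadReport(string $requested): bool
{
    $name = resolveReport($requested);
    if ($name === null) {
        // Logging precaution: record the rejected identifier for later review.
        error_log('resource_injection: rejected identifier ' . json_encode($requested));
        return false;
    }

    // Paths are built only from constants and the whitelisted file name.
    $remote = FTP_BASEDIR . $name;
    $local  = LOCAL_BASEDIR . $name;

    $conn = ftp_connect(MY_FTP_SERVER);
    if ($conn === false) {
        return false;
    }
    try {
        // ftp_login() with the service account would normally go here.
        return ftp_get($conn, $local, $remote, FTP_BINARY);
    } finally {
        ftp_close($conn);
    }
}

// Usage: the request supplies an identifier, never a path component.
$ok = downloadReport((string)($_POST['path'] ?? ''));
```

The design choice worth noting is that resolveReport() turns the problem from "is this string a safe path?" into "is this string a known key?", which is far easier to get right; validateFileName() is the weaker alternative and should only be used when the set of legitimate resources genuinely cannot be enumerated.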

Configuration

The detector has the following configurable parameters:

  • sources, which indicates the source kinds to check.

  • neutralizations, which indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References