
After the user submits a form post, I'm essentially doing this: Sanitize JSON with php to sanitize my json_decoded input.

json_decode creates an object which I pass to custom class method:

$body = json_decode($_POST['body']);
$form_id = $_POST['form_id'];

$errors = $this->validate_form( $form_id, $body, $options ); 

In $this->validate_form, I immediately do validation similar to the solutions in the link above.

Is there a security gap in assigning the decoded JSON and form_id to variables at runtime, and then passing these values through to a custom method, even if the first thing done with them afterwards is sanitizing?

I.e. is there some exploit, like a fancy JSON-encoded 'call_user_func' etc., that can be implemented here just by passing values/storing runtime values?

Edit: (also just to clarify, I'm not doing anything obviously terrible afterwards like call_user_func($form_id); )

baku
  • Is form_id an actual function? If so, I would recommend you don't let the user input be the function. Instead, you can present them with options and use a switch statement to run the appropriate function. – Ibu Dec 15 '18 at 00:26
  • No, form_id is an int, and will be sanitized using FILTER_SANITIZE_NUMBER_INT. I'm more interested in whether there is something more low-level in how PHP assigns values to variables/objects at run time, and whether there is something exploitable there that I'm not aware of – baku Dec 15 '18 at 00:35
  • See also: https://stackoverflow.com/questions/3126072/what-are-the-best-php-input-sanitizing-functions – mario Dec 15 '18 at 00:53
  • In PHP I'm fairly confident that JSON decoding is safe, though don't quote me on that; there's always gremlins hiding in serialization formats. That said, the deserialization format into which you absolutely _should not_ feed user-provided data is `unserialize()`. – Sammitch Dec 15 '18 at 02:24
  • Good to know, thanks – baku Dec 15 '18 at 02:39

1 Answer

No, there's no security problem. PHP never executes data on its own when you assign variables; you have to call functions that interpret the data in a way that requires executing it. json_decode() doesn't do anything like that; it just transforms the data statically from one format to another.

Some examples of dangerous operations are eval() (it executes arbitrary code), call_user_func() (where the function name comes from user input), extract() (it creates variables from the array), and inserting parameters into SQL query strings (use parametrized queries to prevent SQL injection). You can also run into XSS problems if you include user input in HTML output without sanitizing or encoding it.

Barmar
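As an added illustration of the answer's point (example code, not the asker's or Barmar's): json_decode() returns plain data even when the strings look like function names, and the decoded values are then validated and dispatched through an allow-list instead of being used as a function name. The sample request, the handler table and the field rules are assumptions for the demo.

```php
<?php
// Added example (not code from the question or the answer). Shows that
// json_decode() yields inert data, and how the decoded values are then
// validated and dispatched without ever treating user input as code.
declare(strict_types=1);
// Constructed sample request: the values look alarming but are only strings.
$_POST = [
    'form_id' => '1',   // '7abc' or '1 OR 1=1' would be rejected below
    'body'    => '{"name":"call_user_func","email":"<script>alert(1)</script>","age":"42"}',
];

// Decode to an associative array, cap nesting depth, and fail loudly on bad JSON.
try {
    $body = json_decode($_POST['body'], true, 16, JSON_THROW_ON_ERROR);
} catch (JsonException $e) {
    http_response_code(400);
    exit('Malformed JSON body');
}
var_dump($body['name']);   // string(14) "call_user_func": plain data, nothing is called

// Validate form_id rather than just sanitizing it: accept only a positive int.
$form_id = filter_var($_POST['form_id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($form_id === false) {
    http_response_code(400);
    exit('Invalid form id');
}

// Dispatch through an allow-list keyed by the validated id (assumed handler
// names). The callable comes from our own table, never from the request.
$handlers = [
    1 => fn(array $b): array => ['form' => 'contact', 'fields' => array_keys($b)],
    2 => fn(array $b): array => ['form' => 'signup',  'fields' => array_keys($b)],
];
if (!isset($handlers[$form_id])) {
    http_response_code(404);
    exit('Unknown form');
}

// Field-level validation of the decoded body; values remain strings and ints.
$errors = [];
if (!filter_var($body['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
    $errors['email'] = 'invalid email';
}
if (filter_var($body['age'] ?? '', FILTER_VALIDATE_INT) === false) {
    $errors['age'] = 'age must be an integer';
}
$result = $errors ? ['errors' => $errors] : $handlers[$form_id]($body);

// Any user-supplied string that reaches HTML gets encoded (the XSS point).
echo htmlspecialchars($body['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
```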