Rule S2 repeats too many times

Question

Rule S2 repeats too many times

davethegr8 opened this issue 13 years ago · 4 comments

I get this output when running on a big codebase:

S2 Unsecure use of: include xxxxx/customer_view.php Line: 14
S2 Unsecure use of: include xxxxx/customer_view.php Line: 14
S2 Unsecure use of: include xxxxx/customer_view.php Line: 14
S2 Unsecure use of: include xxxxx/customer_view.php Line: 14
S2 Unsecure use of: include xxxxx/customer_view.php Line: 14
...

goes on about 20 times

Answer 1 · 2011-11-08T21:52:59.000Z

Can you show me the line that causes this error, I cant replicate this behavior. S2 should only fire on when using $_GET/$_POST .ect in include/request statements

Answer 2 · 2011-11-08T21:57:59.000Z

It's just a standard include, like include('../../includes/functions.inc'); There's nothing fancy like a variable path or conditional including, it's just a straight up include. That part confused me a little, but the real weird thing is that it listed the error more than once (leading that file to get a -1400 score).

Answer 3 · 2011-11-08T22:07:32.000Z

I found an error likely to have caused this, and fixed it in master.

Answer 4 · 2011-11-08T23:08:27.000Z

That looks like it did it. :) I re-ran some tests, and S2 didn't popup. Then I added in a $_GET include, and it did -- but only once.