Is there a list of frameworks that are currently supported by SonarSource & SonarQube (my personal interest is in PHP-related frameworks)?
Besides that, is there a way in SonarSource (including paid plans as well) to define custom sinks for framework related code? Thanks in advance for pointing to potential solutions/possibilities here!
```php
$commandUtility = $this->objectManager
    ->get('TYPO3\\CMS\\Core\\Utility\\CommandUtility');
$gs = $commandUtility->getCommand('gs');
$fileName = $_GET['file'];
// this GhostScript command is not complete, just for demo...
$commandUtility->exec(
    $gs . ' -q -dBATCH -dNOPAUSE -dQUIET '
    . ' -dEmbedAllFonts=true -dSAFER -o out.png /static/path/' . $fileName
);
```
Which actually contains a couple of vulnerabilities:
- `$commandUtility->getCommand('gs');` resolves the GhostScript binary, a trigger for potential `gs`-related RCEs (weak match)
- `$commandUtility->exec` leads to shell execution, and the GET parameter `file` can be injected for RCE (strong match)

- `$this->objectManager->get(<T>)` resolves to instance of
- `TYPO3\CMS\Core\Utility\CommandUtility::exec($a$)` calls native PHP function
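The taint path the post describes (`$_GET['file']` concatenated into a shell command line) is shown below as an added example; it is not code from the original post nor from the TYPO3 project. The snippet rebuilds the command string with two builder functions instead of executing anything, so the vulnerable and hardened forms can be compared side by side on a constructed injection payload. Assumptions: `$gs` stands in for the path that `getCommand('gs')` would resolve, `BASE_DIR` stands in for `/static/path`, and the hardening uses PHP's built-in `escapeshellarg()` so the file runs outside a TYPO3 install (TYPO3's `CommandUtility` ships its own shell-escaping helpers that serve the same purpose inside the framework).

```php
<?php
declare(strict_types=1);

// Added example, not part of the original post or of TYPO3.
// $gs stands in for the result of CommandUtility::getCommand('gs');
// BASE_DIR stands in for the /static/path/ prefix used in the post.
const BASE_DIR = '/static/path';

// Vulnerable builder: mirrors the snippet from the post. The raw request
// parameter is glued into a string that is later handed to a shell, so any
// shell metacharacter in $fileName changes the command that runs.
function buildGsCommandVulnerable(string $gs, string $fileName): string
{
    return $gs . ' -q -dBATCH -dNOPAUSE -dQUIET'
        . ' -dEmbedAllFonts=true -dSAFER -o out.png '
        . BASE_DIR . '/' . $fileName;
}

// Hardened builder: allowlist the file name, keep it to a single path
// segment below BASE_DIR, then shell-escape every argument separately.
function buildGsCommandHardened(string $gs, string $fileName): string
{
    // 1. Structural allowlist: one path segment, no separators, no "..".
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/', $fileName)
        || strpos($fileName, '..') !== false) {
        throw new InvalidArgumentException('file name rejected by allowlist');
    }
    // 2. Only the document types this endpoint is meant to rasterise.
    if (!preg_match('/\.(pdf|ps|eps)\z/i', $fileName)) {
        throw new InvalidArgumentException('unexpected file extension');
    }
    $path = BASE_DIR . '/' . $fileName;

    // 3. Escape each argument; the input can no longer terminate its own
    //    argument or introduce ";", "|", "$(...)" and friends.
    $args = array_map('escapeshellarg', [
        '-q', '-dBATCH', '-dNOPAUSE', '-dQUIET', '-dEmbedAllFonts=true',
        '-dSAFER', '-o', 'out.png', $path,
    ]);
    return escapeshellarg($gs) . ' ' . implode(' ', $args);
}

// Constructed inputs: one legitimate name and one injection payload that
// would end the gs command and run "id" if the vulnerable string were
// passed to a shell.
$gs = '/usr/bin/gs';
$inputs = ['report.pdf', 'x.pdf; id > /tmp/pwned #'];

foreach ($inputs as $in) {
    echo "input: {$in}\n";
    echo "  vulnerable: " . buildGsCommandVulnerable($gs, $in) . "\n";
    try {
        echo "  hardened:   " . buildGsCommandHardened($gs, $in) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  hardened:   rejected (" . $e->getMessage() . ")\n";
    }
}
```

Run it with `php example.php`: the vulnerable builder happily emits `... /static/path/x.pdf; id > /tmp/pwned #`, while the hardened builder rejects the payload at the allowlist step and, for `report.pdf`, produces a command in which every argument is single-quoted. Note that the escaping only closes the injection ("strong match" above); it does nothing about the separate concern of handing attacker-chosen documents to the GhostScript binary itself ("weak match"), which is a matter of keeping `gs` patched and constraining what it may read and write.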