# KiyoKart Dangerous Function Audit Report

## Scope

Scanned PHP files under:

- `app/`
- `routes/`
- `config/`
- `database/`
- `bootstrap/`
- `public/`
- `tools/` (custom helper/utility area)
- `vendor/` (quick check for same pattern)

Function signatures scanned:

- Command execution: `exec`, `shell_exec`, `system`, `passthru`, `popen`, `proc_open`, `pcntl_exec`
- Process control: `pcntl_alarm`, `pcntl_fork`, `pcntl_wait`, `pcntl_waitpid`, `pcntl_signal`, `pcntl_signal_dispatch`
- Code execution: `eval`, `assert`, `create_function`
- Link manipulation: `link`, `symlink`, `readlink`
- Info/env: `phpinfo`, `getenv`, `putenv`

---

## Findings

### 1) `public/create-storage-link.php` (removed)

- `readlink()` usage
- `symlink()` usage
- `exec()` usage

Severity:

- `exec`: **Critical**
- `symlink`/`readlink`: **High** (dangerous in public web runtime)

Action taken:

- Removed `public/create-storage-link.php` from webroot.
- Operational replacement: run `php artisan storage:link` in the deployment pipeline only.

---

### 2) `app/Http/Controllers/Auth/OtpLoginController.php`

- `getenv('OPENSSL_CONF')` usage

Severity:

- **Medium** (information/config disclosure and env dependence in request path)

Action taken:

- Removed the `getenv(...)` call from the runtime list of config-path candidates.
- Retained safer config discovery via `ini_get('openssl.cnf')` and known file paths.

---

## Refactored Secure Replacements

### Replace public shell-based storage linking

Do not expose scripts that call `exec`, `symlink` or `readlink` under the webroot.

Use a deployment step instead:

```bash
php artisan storage:link
```

### Replace `getenv(...)` in app runtime

Use explicit config or `ini_get(...)`:

```php
$opensslCnf = ini_get('openssl.cnf') ?: null;
```

---

## Application-Level Enforcement

Implemented:

1. Token-based scanner script: `tools/security/forbidden-functions-scan.php`
2. Composer gate scripts in `composer.json`
3. Git pre-commit example: `.githooks/pre-commit`
4. CI check workflow: `.github/workflows/forbidden-functions.yml`
5. PHPStan custom rule class: `tools/security/phpstan/ForbiddenFunctionRule.php`
6. PHPStan config snippet: `tools/security/phpstan-forbidden-functions.neon`
7. Internal policy doc: `docs/KIYOKART_SECURE_CODING_POLICY_v1.0.md`
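The following is an added illustration of the token-based scan that item 1 describes; it is example code, not the project's own `tools/security/forbidden-functions-scan.php`. It assumes it is placed two levels below the project root (`tools/security/`) and scans the directories from the Scope section, exiting non-zero on any hit so that the composer gate and the CI workflow fail the build:

```php
<?php
// Added example of a token-based forbidden-function scanner.
// Not the project's own script. Assumes it lives in tools/security/ under the
// project root and scans the directories listed in the Scope section.
declare(strict_types=1);

const FORBIDDEN = [
    'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open', 'pcntl_exec',
    'pcntl_alarm', 'pcntl_fork', 'pcntl_wait', 'pcntl_waitpid', 'pcntl_signal', 'pcntl_signal_dispatch',
    'eval', 'assert', 'create_function',
    'link', 'symlink', 'readlink',
    'phpinfo', 'getenv', 'putenv',
];

const SCAN_DIRS = ['app', 'routes', 'config', 'database', 'bootstrap', 'public', 'tools'];

/** Nearest token before ($step = -1) or after ($step = +1) index $i that is not whitespace or a comment. */
function neighbour(array $tokens, int $i, int $step): ?PhpToken
{
    for ($j = $i + $step; $j >= 0 && $j < count($tokens); $j += $step) {
        if (!$tokens[$j]->isIgnorable()) {
            return $tokens[$j];
        }
    }
    return null;
}

/** Returns [line, name, kind] triples for every forbidden usage found in a PHP source string. */
function findForbiddenCalls(string $source): array
{
    $hits = [];
    $tokens = PhpToken::tokenize($source);
    foreach ($tokens as $i => $tok) {
        // eval is a language construct with its own token; it never appears as T_STRING.
        if ($tok->is(T_EVAL)) {
            $hits[] = [$tok->line, 'eval', 'construct'];
            continue;
        }
        // A forbidden name passed as a string callable (call_user_func, array_map, ...) is still a call.
        if ($tok->is(T_CONSTANT_ENCAPSED_STRING)) {
            $literal = strtolower(trim($tok->text, '\'"\\'));
            if (in_array($literal, FORBIDDEN, true)) {
                $hits[] = [$tok->line, $literal, 'string-callable'];
            }
            continue;
        }
        // Direct calls: exec(...) or the fully qualified form \exec(...).
        if (!$tok->is([T_STRING, T_NAME_FULLY_QUALIFIED])) {
            continue;
        }
        $name = strtolower(ltrim($tok->text, '\\'));
        if (!in_array($name, FORBIDDEN, true)) {
            continue;
        }
        // $obj->exec(), Foo::exec(), function exec(), new Exec() are not the global function.
        $prev = neighbour($tokens, $i, -1);
        if ($prev !== null && $prev->is([T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW, T_CONST])) {
            continue;
        }
        // Require an opening parenthesis so a constant or class named LINK is not flagged.
        $next = neighbour($tokens, $i, +1);
        if ($next === null || $next->text !== '(') {
            continue;
        }
        $hits[] = [$tok->line, $name, 'call'];
    }
    return $hits;
}

/** Walks the given directories under $root and returns "path:line name (kind)" strings. */
function scanTree(string $root, array $dirs): array
{
    $findings = [];
    foreach ($dirs as $dir) {
        $base = $root . DIRECTORY_SEPARATOR . $dir;
        if (!is_dir($base)) {
            continue;
        }
        $files = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($files as $file) {
            // The scanner's own FORBIDDEN list would otherwise flag itself as string callables.
            if ($file->getExtension() !== 'php' || $file->getRealPath() === __FILE__) {
                continue;
            }
            $source = file_get_contents($file->getPathname());
            foreach (findForbiddenCalls($source) as [$line, $name, $kind]) {
                $findings[] = sprintf('%s:%d %s (%s)', $file->getPathname(), $line, $name, $kind);
            }
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    $root = dirname(__DIR__, 2); // assumption: tools/security/ -> project root
    $findings = scanTree($root, SCAN_DIRS);
    foreach ($findings as $finding) {
        fwrite(STDERR, $finding . PHP_EOL);
    }
    echo $findings ? count($findings) . " forbidden usage(s) found\n" : "No forbidden functions found\n";
    exit($findings ? 1 : 0); // non-zero fails the composer script and the CI gate
}
```

A plain regex for `exec(` would miss `\exec(` and would flag `$process->exec()`; working on tokens separates a global function call from methods, static calls, definitions and class names, and also catches `eval` (which has its own token) and forbidden names passed as string callables. The scanner skips its own file, since its `FORBIDDEN` list consists of exactly those strings.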

---

## CI/CD Enforcement Plan

Required PR gate:

1. `composer security:forbidden-functions`
2. Optional static rule check:
   - `composer security:forbidden-functions:phpstan`

Fail merge if any forbidden function is detected.

---

## Production Runtime Safety Config

### `php.ini` hard block

```ini
disable_functions = exec,shell_exec,system,passthru,popen,proc_open,pcntl_exec,pcntl_alarm,pcntl_fork,pcntl_wait,pcntl_waitpid,pcntl_signal,pcntl_signal_dispatch,eval,assert,create_function,link,symlink,readlink,phpinfo,getenv,putenv
```

Caveats for this directive:

- `eval` is a language construct, not a function, so `disable_functions` ignores it silently; the scanner and the PHPStan rule are the only enforcement points for `eval`.
- `create_function` no longer exists in PHP 8; listing it is harmless.
- Apply the directive to the web SAPI's ini (php-fpm or mod_php), not the CLI ini: `php artisan storage:link` in the deployment step still needs `symlink()`, and queue workers use `pcntl_signal` for graceful shutdown when the pcntl extension is loaded.
- Laravel's dotenv loader uses `putenv()`/`getenv()` when they are available. Verify that the application boots and `env()` still resolves with this directive in place before rolling it out.

### ModSecurity command injection guard

```apache
SecRuleEngine On
SecRequestBodyAccess On
SecRule ARGS|ARGS_NAMES|REQUEST_URI "@rx (?i)(?:;|\||`|\$\(|\b(?:wget|curl|bash|sh|cmd|powershell|nc|python)\b)" \
    "id:120100,phase:2,deny,status:403,log,msg:'Command injection pattern detected'"
```

`REQUEST_HEADERS` is deliberately not in the variable list: `Cookie` and `User-Agent` values contain `;` on practically every browser request, so matching headers with this pattern would deny the whole site. Even restricted to arguments, `;` and the bare words `sh`, `nc` and `cmd` will hit legitimate free-text fields (addresses, product descriptions), so run the rule under `SecRuleEngine DetectionOnly` against real traffic and add exclusions before switching to `deny`. The rule is a noisy backstop; the primary control is that the application no longer calls any command-execution function.

### Apache query-string hardening

```apache
RewriteEngine On
RewriteCond %{QUERY_STRING} (?i)(;|\||`|\$\(|<\?|%3C\?) [OR]
RewriteCond %{QUERY_STRING} (?i)(union(?:\s|\+|%20)+select|sleep\(|benchmark\()
RewriteRule ^ - [F,L]
```

`%{QUERY_STRING}` is matched in its raw, still URL-encoded form, which is why `<\?` has a `%3C\?` twin; the `union ... select` pattern accepts `+` and `%20` for the same reason, since a literal space never appears in a raw query string. The remaining metacharacters are only caught unencoded, so treat this as a cheap first filter rather than a complete one.

### Upload/storage PHP execution block

Create `public/storage/.htaccess`:

```apache
<FilesMatch "\.(php|phtml|phar|php[0-9]*)$">
    Require all denied
</FilesMatch>
```

Because `public/storage` is the symlink created by `storage:link`, the file actually lives in `storage/app/public/.htaccess` and survives re-linking. Apache only honours it when `AllowOverride` includes `AuthConfig` (or `All`) for that directory; placing the same `<FilesMatch>` block inside the vhost's `<Directory>` for the storage path removes that dependency. If PHP is wired up with `AddHandler` rather than a `SetHandler` inside `<FilesMatch "\.php$">`, a file such as `upload.php.jpg` is still treated as PHP, so pair this block with a `SetHandler`-based configuration.

### Sensitive route throttles

Use strict throttling on login, OTP, password reset, and webhook routes.
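As an added example of the throttling recommended above (not the project's own code), the named limiters below live in `App\Providers\AppServiceProvider::boot()` and are attached to routes with the `throttle:<name>` middleware. Everything except the `OtpLoginController` name is an assumption: the routes, the `email`/`phone` field names and the attempt budgets are illustrative.

```php
<?php
// Added example: named rate limiters for login, OTP, password reset and webhook routes.
// Not the project's own code; field names and budgets are assumptions.
namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Two independent budgets per limiter: one keyed on the client IP (caps a single
        // source trying many accounts) and one keyed on the submitted identifier (caps a
        // distributed run against one account). A request passes only if both have room.
        RateLimiter::for('login', fn (Request $request) => [
            Limit::perMinute(5)->by('login:ip:' . $request->ip()),
            Limit::perMinute(10)->by('login:id:' . $this->identifier($request)),
        ]);

        // OTP codes are short, so the guessing budget is tight and decays slowly.
        RateLimiter::for('otp', fn (Request $request) => [
            Limit::perMinute(3)->by('otp:ip:' . $request->ip()),
            Limit::perMinutes(15, 5)->by('otp:id:' . $this->identifier($request)),
        ]);

        // Password reset: the per-identifier budget also stops the form being used to
        // flood a victim's inbox with reset mails.
        RateLimiter::for('password-reset', fn (Request $request) => [
            Limit::perMinute(3)->by('reset:ip:' . $request->ip()),
            Limit::perHour(5)->by('reset:id:' . $this->identifier($request)),
        ]);

        // Webhooks have no user identifier; key on the caller's IP and answer with JSON
        // so the upstream service sees a clean 429 instead of an HTML page.
        RateLimiter::for('webhook', fn (Request $request) =>
            Limit::perMinute(60)->by('webhook:ip:' . $request->ip())
                ->response(fn (Request $request, array $headers) =>
                    response()->json(['error' => 'rate limited'], 429, $headers))
        );
    }

    /** Normalises the identifier a request targets so "A@x" and "a@x " share one bucket. */
    private function identifier(Request $request): string
    {
        // Assumed field names: OTP login may submit a phone number instead of an email.
        $value = $request->input('email') ?? $request->input('phone') ?? '';
        return strtolower(trim((string) $value));
    }
}
```

Routes opt in by name, for example `Route::post('/otp/verify', [OtpLoginController::class, 'verify'])->middleware('throttle:otp')` for the OTP step and `throttle:login`, `throttle:password-reset` and `throttle:webhook` for the others. Limiter counters live in the configured cache store, so a multi-node deployment needs a shared store such as Redis rather than the `file` driver, or each node enforces its own independent budget.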

---

## OWASP Alignment

- OWASP ASVS 5.0:
  - V1 Architecture / Design controls
  - V5 Validation, Sanitization, Encoding
  - V8 Data Protection
  - V10 Malicious Code / Runtime handling
  - V14 Configuration / Deployment hardening

