Patterns 4, 5, and 6

4. Direct file write with user-controlled path
5. Hardcoded credentials in PHP
6. Insecure data deserialization from superglobals

Author: noelsaw1

CHANGELOG.md

@@ -7,6 +7,42 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.3.10] - 2026-01-14
+
+### Fixed
+- **PHP Security Rules**
+  - `php-user-controlled-file-write`: Fixed a shell variable interpolation bug in the inline grep patterns that prevented detection when the file path was derived from PHP superglobals (e.g., `$_GET`, `$_POST`). The rule now reliably flags direct file writes with user-controlled paths.
+  - `spo-003-insecure-deserialization`: Hardened the pattern definitions to avoid accidental expansion of shell special variables while scanning for insecure deserialization of superglobal input.
+
+### Internal
+- Added an opt-in `DEBUG_PATTERN=1` environment flag for `dist/bin/check-performance.sh` that prints the resolved grep include arguments, patterns, and paths for pattern-based rules to aid future debugging.
+ 
+### Documentation
+- Updated `PROJECT/1-INBOX/RULES-2026-01-14.md` to:
+  - Reflect that `php-user-controlled-file-write` is hardened as of v1.3.10.
+  - Promote `spo-003-insecure-deserialization` to a Tier 1 PHP rule with clear rationale and examples.
+  - Document the `DEBUG_PATTERN=1` flag as a supported internal tool for auditing Tier 1 pattern behavior.
+
+## [1.3.9] - 2026-01-14
+
+### Added
+- **Tier 1 Security Rules (PHP)** - Direct file writes and hardcoded credentials
+  - New rule: `php-user-controlled-file-write` (**CRITICAL**, security)
+    - Detects `file_put_contents()`, `fopen()`, and `move_uploaded_file()` calls where the target path is derived directly from PHP superglobals (e.g., `$_GET`, `$_POST`)
+    - Pattern JSON: `dist/patterns/php-user-controlled-file-write.json`
+    - Scanner integration: new `run_check` block in `dist/bin/check-performance.sh`
+    - New fixture: `dist/tests/fixtures/php-user-controlled-file-write.php` with direct file write anti-patterns
+  - New rule: `php-hardcoded-credentials` (**CRITICAL**, security)
+    - Detects hardcoded API keys, secrets, tokens, and passwords in PHP variables, constants, and Authorization headers
+    - Pattern JSON: `dist/patterns/php-hardcoded-credentials.json`
+    - Scanner integration: new `run_check` block in `dist/bin/check-performance.sh`
+    - New fixture: `dist/tests/fixtures/php-hardcoded-credentials.php` with representative hardcoded credential patterns
+
+### Changed
+- **Severity Configuration** - Updated `dist/config/severity-levels.json`
+  - Incremented `total_checks` from 36 to 38
+  - Added severity entries for `php-user-controlled-file-write` and `php-hardcoded-credentials` (both CRITICAL, category: security)
+
 ## [1.3.8] - 2026-01-14
 
 ### Added

PROJECT/1-INBOX/BACKLOG.md

@@ -1,7 +1,7 @@
 # Backlog - Issues to Investigate
 
 ### Checklist - 2025-01-14
-- [ ] Continue with Tier 1 rules
+- [ ] Continue with Tier 1 rules - First 5 completed
 - [ ] Fix tty output for HTML reports (The commit added great new features (init, update, tab completion) with proper TTY detection. However, the original HTML generation code (lines 5848-5863) still writes to /dev/tty unconditionally)
 - [ ] Make a comment in main script to make rules in external files going forward
 - [ ] Breakout check-performance.sh into multiple files and external rule files

PROJECT/1-INBOX/RULES-2026-01-14.md

@@ -74,7 +74,7 @@ passthru($user_input);
 
 ---
 
-- [ ] ### 4. Direct file write with user-controlled path
+- [x] ### 4. Direct file write with user-controlled path
 
 ```php
 // CRITICAL - Arbitrary file write → RCE
@@ -87,11 +87,14 @@ fwrite($handle, $data);  // when $handle from user input
 
 **False positive rate:** Low (~10%). The pattern of user input → file path is specific.
 
-**Current coverage:** Not covered.
+**Current coverage:**
+- PHP: `php-user-controlled-file-write` (Tier 1 rule, implemented in `check-performance.sh` v1.3.9; detection hardened in v1.3.10)
+
+**Status:** Implemented in scanner (PHP) as of v1.3.9; detection bug fixed in v1.3.10.
 
 ---
 
-- [ ] ### 5. Hardcoded credentials in PHP
+- [x] ### 5. Hardcoded credentials in PHP
 
 ```php
 // CRITICAL - Exposed secrets
@@ -105,7 +108,31 @@ $password = 'admin123';
 
 **False positive rate:** Medium (~25%). Example code and tests may trigger this, but the risk of missing a real exposure is too high.
 
-**Current coverage:** Client-side JS only (`headless-api-key-exposure`). PHP not covered.
+**Current coverage:**
+- Client-side JS: `headless-api-key-exposure` (existing rule for browser bundles)
+- PHP: `php-hardcoded-credentials` (new Tier 1 rule, implemented in `check-performance.sh` v1.3.9)
+
+**Status:** Implemented in scanner (PHP + client-side JS coverage) as of v1.3.9.
+
+---
+
+- [x] ### 6. Insecure data deserialization from superglobals
+
+```php
+// CRITICAL - Object injection / RCE via unserialize/json_decode/maybe_unserialize
+$data   = unserialize($_POST['payload']);
+$json   = json_decode($_GET['json'], true);
+$value  = maybe_unserialize($_REQUEST['data']);
+```
+
+**Why always critical:** Deserializing attacker-controlled input enables object injection and arbitrary code execution via magic methods, especially in large plugin ecosystems.
+
+**False positive rate:** Low–medium (~15%). Some admin tools may intentionally deserialize trusted payloads, but usage with raw `$_GET` / `$_POST` / `$_REQUEST` is a strong red flag.
+
+**Current coverage:**
+- PHP: `spo-003-insecure-deserialization` (Tier 1 rule, implemented in `check-performance.sh` v1.3.10)
+
+**Status:** Implemented in scanner (PHP) as of v1.3.10; focuses on deserialization that starts from superglobals to keep false positives manageable.
 
 ---
 
@@ -114,7 +141,6 @@ $password = 'admin123';
 These are also effectively zero-tolerance in modern WordPress/PHP code and should be implemented as dedicated scanner rules:
 
 - `create_function()` (deprecated eval-equivalent, strong malware/legacy indicator)
-- `unserialize()` with user-controlled data (object injection → RCE)
 - `preg_replace()` with the `/e` modifier (deprecated code execution)
 - `assert()` with string arguments (code execution in older PHP configs)
 
@@ -273,10 +299,11 @@ set_transient($key, $data, HOUR_IN_SECONDS);  // ← Cache poisoning?
 ## Implementation Recommendation
 
 ### For Tier 1 (Zero-Tolerance)
-- Add PHP patterns to match Node.js coverage (including dynamic include/require, eval/create_function, unserialize, `preg_replace` with `/e`, and `assert` with strings)
+- Add PHP patterns to match Node.js coverage (including dynamic include/require, eval/create_function, `preg_replace` with `/e`, and `assert` with strings; insecure `unserialize` from superglobals is covered by `spo-003-insecure-deserialization` as of v1.3.10)
 - Build should fail on any match
 - Baseline exceptions are **strongly discouraged**; if used, they MUST include explicit justification, be reviewed by a human, and still appear as warnings (e.g., "BASELINED CRITICAL ISSUE")
 - These are "stop the line" issues
+  - Scanner internals: when debugging Tier 1 patterns, `DEBUG_PATTERN=1` can be set when running `check-performance.sh` to log the resolved grep patterns and include arguments without changing behavior.
 
 ### For Tier 2 (AI-Assisted)
 - Scanner flags as "Needs Review"

dist/PATTERN-LIBRARY.json

@@ -1,28 +1,28 @@
 {
   "version": "1.0.0",
-  "generated": "2026-01-14T22:17:45Z",
+  "generated": "2026-01-14T22:35:52Z",
   "summary": {
-    "total_patterns": 32,
-    "enabled": 31,
+    "total_patterns": 34,
+    "enabled": 33,
     "disabled": 1,
     "by_severity": {
-      "CRITICAL": 12,
+      "CRITICAL": 14,
       "HIGH": 10,
       "MEDIUM": 7,
       "LOW": 3
     },
     "by_category": {
-      "performance": 9,"duplication": 5,"reliability": 5,"security": 11
+      "performance": 9,"duplication": 5,"reliability": 5,"security": 13
     },
     "by_pattern_type": {
-      "php": 21,
+      "php": 23,
       "headless": 6,
       "nodejs": 4,
       "javascript": 1
     },
     "mitigation_detection_enabled": 6,
     "heuristic_patterns": 10,
-    "definitive_patterns": 22
+    "definitive_patterns": 24
   },
   "patterns": [
     {
@@ -305,6 +305,20 @@
   "heuristic": false,
   "file": "php-eval-injection.json"
 },
+{
+  "id": "php-hardcoded-credentials",
+  "version": "1.0.0",
+  "enabled": true,
+  "category": "security",
+  "severity": "CRITICAL",
+  "title": "Hardcoded credentials in PHP",
+  "description": "Detects API keys, secrets, tokens, or passwords hardcoded into PHP source files.",
+  "detection_type": "direct",
+  "pattern_type": "php",
+  "mitigation_detection": false,
+  "heuristic": false,
+  "file": "php-hardcoded-credentials.json"
+},
 {
   "id": "php-shell-exec-functions",
   "version": "",
@@ -319,6 +333,20 @@
   "heuristic": false,
   "file": "php-shell-exec-functions.json"
 },
+{
+  "id": "php-user-controlled-file-write",
+  "version": "1.0.0",
+  "enabled": true,
+  "category": "security",
+  "severity": "CRITICAL",
+  "title": "Direct file write with user-controlled path",
+  "description": "Detects file writes where the target path is derived directly from PHP superglobals (user-controlled input). This is a common pattern for arbitrary file write vulnerabilities.",
+  "detection_type": "direct",
+  "pattern_type": "php",
+  "mitigation_detection": false,
+  "heuristic": false,
+  "file": "php-user-controlled-file-write.json"
+},
 {
   "id": "superglobal-with-nonce-context",
   "version": "1.0.0",

dist/PATTERN-LIBRARY.md

@@ -1,43 +1,43 @@
 # Pattern Library Registry
 
 **Auto-generated by Pattern Library Manager**
-**Last Updated:** 2026-01-14 22:17:45 UTC
+**Last Updated:** 2026-01-14 22:35:52 UTC
 
 ---
 
 ## 📊 Summary Statistics
 
 ### Total Patterns
-- **Total:** 32 patterns
-- **Enabled:** 31 patterns
+- **Total:** 34 patterns
+- **Enabled:** 33 patterns
 - **Disabled:** 1 patterns
 
 ### By Severity
 | Severity | Count | Percentage |
 |----------|-------|------------|
-| CRITICAL | 12 | 37.5% |
-| HIGH | 10 | 31.2% |
-| MEDIUM | 7 | 21.9% |
-| LOW | 3 | 9.4% |
+| CRITICAL | 14 | 41.2% |
+| HIGH | 10 | 29.4% |
+| MEDIUM | 7 | 20.6% |
+| LOW | 3 | 8.8% |
 
 ### By Type
 | Type | Count | Percentage |
 |------|-------|------------|
-| Definitive | 22 | 68.8% |
-| Heuristic | 10 | 31.2% |
+| Definitive | 24 | 70.6% |
+| Heuristic | 10 | 29.4% |
 
 ### Advanced Features
-- **Mitigation Detection Enabled:** 6 patterns (18.8%)
+- **Mitigation Detection Enabled:** 6 patterns (17.6%)
 - **False Positive Reduction:** 60-70% on mitigated patterns
 
 ### By Category
 - **performance:** 9 patterns
 - **duplication:** 5 patterns
 - **reliability:** 5 patterns
-- **security:** 11 patterns
+- **security:** 13 patterns
 
 ### By Pattern Type
-- **PHP/WordPress:** 21 patterns
+- **PHP/WordPress:** 23 patterns
 - **Headless WordPress:** 6 patterns
 - **Node.js/Server-Side JS:** 4 patterns
 - **Client-Side JavaScript:** 1 patterns
@@ -54,7 +54,9 @@
 - **njs-001-eval-injection** - Dangerous eval() or code execution
 - **php-dynamic-include** - Dynamic PHP include/require with variables
 - **php-eval-injection** - Dangerous eval() usage in PHP
+- **php-hardcoded-credentials** - Hardcoded credentials in PHP
 - **php-shell-exec-functions** - Shell command execution functions in PHP (shell_exec/exec/system/passthru)
+- **php-user-controlled-file-write** - Direct file write with user-controlled path
 - **unbounded-wc-get-orders** 🛡️ - Unbounded wc_get_orders()
 - **unbounded-wc-get-products** - Unbounded wc_get_products()
 - **wp-query-unbounded** 🛡️ - Unbounded WP_Query/get_posts
@@ -100,26 +102,26 @@
 
 ### Key Selling Points
 
-1. **Comprehensive Coverage:** 32 detection patterns across 4 categories
-2. **Multi-Platform Support:** PHP/WordPress (21), Headless WordPress (6), Node.js (4), JavaScript (1)
+1. **Comprehensive Coverage:** 34 detection patterns across 4 categories
+2. **Multi-Platform Support:** PHP/WordPress (23), Headless WordPress (6), Node.js (4), JavaScript (1)
 3. **Enterprise-Grade Accuracy:** 6 patterns with AI-powered mitigation detection (60-70% false positive reduction)
-4. **Severity-Based Prioritization:** 12 CRITICAL + 10 HIGH severity patterns catch the most dangerous issues
-5. **Intelligent Analysis:** 22 definitive patterns + 10 heuristic patterns for comprehensive code review
+4. **Severity-Based Prioritization:** 14 CRITICAL + 10 HIGH severity patterns catch the most dangerous issues
+5. **Intelligent Analysis:** 24 definitive patterns + 10 heuristic patterns for comprehensive code review
 
 ### One-Liner Stats
 
-> **32 detection patterns** | **6 with AI mitigation** | **60-70% fewer false positives** | **Multi-platform: PHP, Headless, Node.js, JS**
+> **34 detection patterns** | **6 with AI mitigation** | **60-70% fewer false positives** | **Multi-platform: PHP, Headless, Node.js, JS**
 
 ### Feature Highlights
 
-- ✅ **12 CRITICAL** OOM and security patterns
+- ✅ **14 CRITICAL** OOM and security patterns
 - ✅ **10 HIGH** performance and security patterns
 - ✅ **6 patterns** with context-aware severity adjustment
 - ✅ **10 heuristic** patterns for code quality insights
 - ✅ **Multi-platform:** WordPress, Headless, Node.js, JavaScript
 
 ---
 
-**Generated:** 2026-01-14 22:17:45 UTC
+**Generated:** 2026-01-14 22:35:52 UTC
 **Version:** 1.0.0
 **Tool:** Pattern Library Manager

dist/bin/check-performance.sh

@@ -61,7 +61,7 @@ source "$REPO_ROOT/lib/pattern-loader.sh"
 # This is the ONLY place the version number should be defined.
 # All other references (logs, JSON, banners) use this variable.
 # Update this ONE line when bumping versions - never hardcode elsewhere.
-SCRIPT_VERSION="1.3.8"
+SCRIPT_VERSION="1.3.10"
 
 # Get the start/end line range for the enclosing function/method.
 #
@@ -2670,11 +2670,19 @@ run_check() {
 
   text_echo "${BLUE}▸ $name ${impact_badge}${NC}"
 
-   # Run grep with all patterns
-   local result
-   local finding_count=0
-   local severity="error"
-   [ "$level" = "WARNING" ] && severity="warning"
+  # Run grep with all patterns
+  local result
+  local finding_count=0
+  local severity="error"
+  [ "$level" = "WARNING" ] && severity="warning"
+
+  # Optional debug for pattern-based checks (enable with DEBUG_PATTERN=1)
+  if [ "${DEBUG_PATTERN:-0}" = "1" ]; then
+    text_echo "DEBUG run_check: rule_id=$rule_id"
+    text_echo "  include_args: $include_args"
+    text_echo "  patterns: $patterns"
+    text_echo "  PATHS: $PATHS"
+  fi
 
   # SAFEGUARD: "$PATHS" MUST be quoted - paths with spaces will break otherwise (see SAFEGUARDS.md)
   if result=$(grep -rHn $EXCLUDE_ARGS $include_args $patterns "$PATHS" 2>/dev/null); then
@@ -3133,10 +3141,34 @@ run_check "ERROR" "$(get_severity "php-shell-exec-functions" "CRITICAL")" "Shell
 
 # Insecure data deserialization
 run_check "ERROR" "$(get_severity "spo-003-insecure-deserialization" "CRITICAL")" "Insecure data deserialization" "spo-003-insecure-deserialization" \
-  "-E unserialize[[:space:]]*\\(\\$_" \
-  "-E base64_decode[[:space:]]*\\(\\$_" \
-  "-E json_decode[[:space:]]*\\(\\$_" \
-  "-E maybe_unserialize[[:space:]]*\\(\\$_"
+	  '-E unserialize[[:space:]]*\(\$_' \
+	  '-E base64_decode[[:space:]]*\(\$_' \
+	  '-E json_decode[[:space:]]*\(\$_' \
+	  '-E maybe_unserialize[[:space:]]*\(\$_' 
+	
+	# Direct file write with user-controlled path
+	run_check "ERROR" "$(get_severity "php-user-controlled-file-write" "CRITICAL")" "Direct file write with user-controlled path" "php-user-controlled-file-write" \
+	  '-E file_put_contents[[:space:]]*\([^,]*\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)' \
+	  '-E fopen[[:space:]]*\([^,]*\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)' \
+	  '-E move_uploaded_file[[:space:]]*\([^,]+,[^,]*\$_(GET|POST|REQUEST|COOKIE|SERVER)'
+
+# Hardcoded credentials in PHP
+run_check "ERROR" "$(get_severity "php-hardcoded-credentials" "CRITICAL")" "Hardcoded credentials in PHP" "php-hardcoded-credentials" \
+  "-E \\$password[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}['\"]" \
+  "-E \\$passwd[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}['\"]" \
+  "-E \\$secret[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}['\"]" \
+  "-E \\$token[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}['\"]" \
+  "-E \\$api_key[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}['\"]" \
+  "-E \\$apikey[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}['\"]" \
+  "-E \\$auth_token[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}['\"]" \
+  "-E \\$PASSWORD[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}['\"]" \
+  "-E \\$PASSWD[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}['\"]" \
+  "-E \\$SECRET[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}['\"]" \
+  "-E \\$TOKEN[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}['\"]" \
+  "-E \\$API_KEY[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}['\"]" \
+  "-E \\$AUTH_TOKEN[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}['\"]" \
+  "-E define[[:space:]]*\\([[:space:]]*['\"][A-Z0-9_]*(SECRET|TOKEN|PASSWORD|KEY|API)[A-Z0-9_]*['\"][[:space:]]*,[[:space:]]*['\"][^'\"]{8,}['\"]" \
+  "-E \"Authorization\"[[:space:]]*=>[[:space:]]*\"Bearer[[:space:]]+[A-Za-z0-9._-]{16,}\"" 
 
 # Direct database queries without $wpdb->prepare() (SQL injection risk)
 # Note: This check requires custom implementation because we need to filter out lines