- [x] ### 3. shell_exec/exec/system/passthru (any usage)

Author: noelsaw1

CHANGELOG.md

@@ -7,6 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.3.8] - 2026-01-14
+
+### Added
+- **Tier 1 Security Rules (PHP)** - Shell command execution detection
+  - New rule: `php-shell-exec-functions` (**CRITICAL**, security)
+    - Detects usage of `shell_exec()`, `exec()`, `system()`, and `passthru()` in PHP code
+    - Pattern JSON: `dist/patterns/php-shell-exec-functions.json`
+    - Scanner integration: new `run_check` block in `dist/bin/check-performance.sh`
+  - New fixture: `dist/tests/fixtures/shell-exec-antipatterns.php` with shell command execution anti-patterns
+
+### Changed
+- **Severity Configuration** - Updated `dist/config/severity-levels.json`
+  - Incremented `total_checks` from 35 to 36
+  - Added severity entry for `php-shell-exec-functions` (CRITICAL, category: security)
+
 ## [1.3.7] - 2026-01-14
 
 ### Added

PROJECT/1-INBOX/BACKLOG.md

@@ -1,18 +1,18 @@
 # Backlog - Issues to Investigate
 
+### Checklist - 2025-01-14
+- [ ] Continue with Tier 1 rules
+- [ ] Fix tty output for HTML reports (The commit added great new features (init, update, tab completion) with proper TTY detection. However, the original HTML generation code (lines 5848-5863) still writes to /dev/tty unconditionally)
+- [ ] Make a comment in main script to make rules in external files going forward
+- [ ] Breakout check-performance.sh into multiple files and external rule files
+
 ## Mini Project Plan: Enhanced Context Detection (False Positive Reduction)
 
 Goal: Improve context/scope accuracy (especially “same function”) to reduce false positives and severity inflation, while keeping the scanner fast and zero-dependency.
 
 Notes:
 - This is **not a new standalone script**. `dist/bin/check-performance.sh` already has limited “same function” scoping (used in caching mitigation); this mini-project extends/centralizes that approach.
 
-### Checklist
-- [ ] Fix tty output for HTML reports (The commit added great new features (init, update, tab completion) with proper TTY detection. However, the original HTML generation code (lines 5848-5863) still writes to /dev/tty unconditionally)
-- [ ] Make a comment in main script to make rules in external files going forward
-- [ ] Breakout check-performance.sh into multiple files and external rule files
-- [ ] Continue with Tier 1 rules
-
 - [ ] Audit where we rely on context windows today (±N lines) and where “same function” scoping would reduce false positives.
 - [x] Add/centralize a helper to compute function/method scope boundaries (support `function foo()`, `public/protected/private static function foo()`, and common formatting).
 - [x] Use the helper in mitigation detection (so caching/ids-only/admin-only/parent-scoped all share the same scoping rules).

PROJECT/1-INBOX/RULES-2026-01-14.md

@@ -52,7 +52,7 @@ include_once($user_controlled_path);
 
 ---
 
-- [ ] ### 3. `shell_exec`/`exec`/`system`/`passthru` (any usage)
+- [x] ### 3. `shell_exec`/`exec`/`system`/`passthru` (any usage)
 
 ```php
 // CRITICAL - Command execution
@@ -66,7 +66,11 @@ passthru($user_input);
 
 **False positive rate:** Medium (~20%). Legitimate uses exist but are rare in WordPress themes/plugins.
 
-**Current coverage:** Node.js only (`njs-002-command-injection`). PHP not covered.
+**Current coverage:**
+- Node.js: `njs-002-command-injection` (server-side command injection checks)
+- PHP: `php-shell-exec-functions` (new Tier 1 rule, implemented in `check-performance.sh` v1.3.8)
+
+**Status:** Implemented in scanner (PHP + Node.js coverage) as of v1.3.8.
 
 ---
 

PROJECT/BACKLOG.md PROJECT/BACKLOG-DEPRECATED.mdPROJECT/BACKLOG.md renamed to PROJECT/BACKLOG-DEPRECATED.md

@@ -1,4 +1,6 @@
-# Backlog - Future Work
+# Backlog - DEPRECATED - 
+
+**Status:** DEPRECATED
 
 This backlog intentionally contains **only pending work**. Completed items belong in `CHANGELOG.md` and `PROJECT/3-COMPLETED/`.
 
@@ -18,6 +20,12 @@ This backlog intentionally contains **only pending work**. Completed items belon
 - [ ] Plan and execute a breakout of `dist/bin/check-performance.sh` into smaller, focused modules (e.g., core CLI, scan orchestration, pattern runner, reporting), while keeping the current behavior intact.
 - [ ] Gradually migrate existing inline checks to external rule files and continue implementing the remaining **Tier 1 rules** using the JSON + helper pattern (pattern file, fixture, integration, severity wiring, CHANGELOG).
 
+### Alternate - Checklist
+- [ ] Continue with Tier 1 rules
+- [ ] Fix tty output for HTML reports (The commit added great new features (init, update, tab completion) with proper TTY detection. However, the original HTML generation code (lines 5848-5863) still writes to /dev/tty unconditionally)
+- [ ] Make a comment in main script to make rules in external files going forward
+- [ ] Breakout check-performance.sh into multiple files and external rule files
+
 ### Calibration Feature - Pattern Sensitivity Adjustment (NEW)
 **Priority:** MEDIUM
 **Effort:** 3–5 days

dist/PATTERN-LIBRARY.json

@@ -1,28 +1,28 @@
 {
   "version": "1.0.0",
-  "generated": "2026-01-14T21:03:38Z",
+  "generated": "2026-01-14T22:17:45Z",
   "summary": {
-    "total_patterns": 31,
+    "total_patterns": 32,
     "enabled": 31,
-    "disabled": 0,
+    "disabled": 1,
     "by_severity": {
-      "CRITICAL": 11,
+      "CRITICAL": 12,
       "HIGH": 10,
       "MEDIUM": 7,
       "LOW": 3
     },
     "by_category": {
-      "performance": 9,"duplication": 5,"reliability": 5,"security": 10
+      "performance": 9,"duplication": 5,"reliability": 5,"security": 11
     },
     "by_pattern_type": {
-      "php": 20,
+      "php": 21,
       "headless": 6,
       "nodejs": 4,
       "javascript": 1
     },
     "mitigation_detection_enabled": 6,
     "heuristic_patterns": 10,
-    "definitive_patterns": 21
+    "definitive_patterns": 22
   },
   "patterns": [
     {
@@ -305,6 +305,20 @@
   "heuristic": false,
   "file": "php-eval-injection.json"
 },
+{
+  "id": "php-shell-exec-functions",
+  "version": "",
+  "enabled": ,
+  "category": "security",
+  "severity": "CRITICAL",
+  "title": "Shell command execution functions in PHP (shell_exec/exec/system/passthru)",
+  "description": "Usage of shell_exec(), exec(), system(), or passthru() in PHP code. These functions execute system commands and are almost never safe in WordPress plugins/themes.",
+  "detection_type": "direct",
+  "pattern_type": "php",
+  "mitigation_detection": false,
+  "heuristic": false,
+  "file": "php-shell-exec-functions.json"
+},
 {
   "id": "superglobal-with-nonce-context",
   "version": "1.0.0",

dist/PATTERN-LIBRARY.md

@@ -1,43 +1,43 @@
 # Pattern Library Registry
 
 **Auto-generated by Pattern Library Manager**
-**Last Updated:** 2026-01-14 21:03:38 UTC
+**Last Updated:** 2026-01-14 22:17:45 UTC
 
 ---
 
 ## 📊 Summary Statistics
 
 ### Total Patterns
-- **Total:** 31 patterns
+- **Total:** 32 patterns
 - **Enabled:** 31 patterns
-- **Disabled:** 0 patterns
+- **Disabled:** 1 patterns
 
 ### By Severity
 | Severity | Count | Percentage |
 |----------|-------|------------|
-| CRITICAL | 11 | 35.5% |
-| HIGH | 10 | 32.3% |
-| MEDIUM | 7 | 22.6% |
-| LOW | 3 | 9.7% |
+| CRITICAL | 12 | 37.5% |
+| HIGH | 10 | 31.2% |
+| MEDIUM | 7 | 21.9% |
+| LOW | 3 | 9.4% |
 
 ### By Type
 | Type | Count | Percentage |
 |------|-------|------------|
-| Definitive | 21 | 67.7% |
-| Heuristic | 10 | 32.3% |
+| Definitive | 22 | 68.8% |
+| Heuristic | 10 | 31.2% |
 
 ### Advanced Features
-- **Mitigation Detection Enabled:** 6 patterns (19.4%)
+- **Mitigation Detection Enabled:** 6 patterns (18.8%)
 - **False Positive Reduction:** 60-70% on mitigated patterns
 
 ### By Category
 - **performance:** 9 patterns
 - **duplication:** 5 patterns
 - **reliability:** 5 patterns
-- **security:** 10 patterns
+- **security:** 11 patterns
 
 ### By Pattern Type
-- **PHP/WordPress:** 20 patterns
+- **PHP/WordPress:** 21 patterns
 - **Headless WordPress:** 6 patterns
 - **Node.js/Server-Side JS:** 4 patterns
 - **Client-Side JavaScript:** 1 patterns
@@ -54,6 +54,7 @@
 - **njs-001-eval-injection** - Dangerous eval() or code execution
 - **php-dynamic-include** - Dynamic PHP include/require with variables
 - **php-eval-injection** - Dangerous eval() usage in PHP
+- **php-shell-exec-functions** - Shell command execution functions in PHP (shell_exec/exec/system/passthru)
 - **unbounded-wc-get-orders** 🛡️ - Unbounded wc_get_orders()
 - **unbounded-wc-get-products** - Unbounded wc_get_products()
 - **wp-query-unbounded** 🛡️ - Unbounded WP_Query/get_posts
@@ -99,26 +100,26 @@
 
 ### Key Selling Points
 
-1. **Comprehensive Coverage:** 31 detection patterns across 4 categories
-2. **Multi-Platform Support:** PHP/WordPress (20), Headless WordPress (6), Node.js (4), JavaScript (1)
+1. **Comprehensive Coverage:** 32 detection patterns across 4 categories
+2. **Multi-Platform Support:** PHP/WordPress (21), Headless WordPress (6), Node.js (4), JavaScript (1)
 3. **Enterprise-Grade Accuracy:** 6 patterns with AI-powered mitigation detection (60-70% false positive reduction)
-4. **Severity-Based Prioritization:** 11 CRITICAL + 10 HIGH severity patterns catch the most dangerous issues
-5. **Intelligent Analysis:** 21 definitive patterns + 10 heuristic patterns for comprehensive code review
+4. **Severity-Based Prioritization:** 12 CRITICAL + 10 HIGH severity patterns catch the most dangerous issues
+5. **Intelligent Analysis:** 22 definitive patterns + 10 heuristic patterns for comprehensive code review
 
 ### One-Liner Stats
 
-> **31 detection patterns** | **6 with AI mitigation** | **60-70% fewer false positives** | **Multi-platform: PHP, Headless, Node.js, JS**
+> **32 detection patterns** | **6 with AI mitigation** | **60-70% fewer false positives** | **Multi-platform: PHP, Headless, Node.js, JS**
 
 ### Feature Highlights
 
-- ✅ **11 CRITICAL** OOM and security patterns
+- ✅ **12 CRITICAL** OOM and security patterns
 - ✅ **10 HIGH** performance and security patterns
 - ✅ **6 patterns** with context-aware severity adjustment
 - ✅ **10 heuristic** patterns for code quality insights
 - ✅ **Multi-platform:** WordPress, Headless, Node.js, JavaScript
 
 ---
 
-**Generated:** 2026-01-14 21:03:38 UTC
+**Generated:** 2026-01-14 22:17:45 UTC
 **Version:** 1.0.0
 **Tool:** Pattern Library Manager

dist/bin/check-performance.sh

@@ -61,7 +61,7 @@ source "$REPO_ROOT/lib/pattern-loader.sh"
 # This is the ONLY place the version number should be defined.
 # All other references (logs, JSON, banners) use this variable.
 # Update this ONE line when bumping versions - never hardcode elsewhere.
-SCRIPT_VERSION="1.3.7"
+SCRIPT_VERSION="1.3.8"
 
 # Get the start/end line range for the enclosing function/method.
 #
@@ -2775,6 +2775,13 @@ section_start "Critical Checks"
 text_echo "${RED}━━━ CRITICAL CHECKS (will fail build) ━━━${NC}"
 text_echo ""
 
+# NOTE (Rule Definition Strategy, v1.3.8):
+# - New rules SHOULD be defined in external JSON pattern files under dist/patterns
+#   and registered with the Pattern Library Manager.
+# - Inline run_check(...) blocks below are legacy and glue code; when adding
+#   new rules, prefer JSON + helper glue (see dist/patterns/php-eval-injection.json
+#   and dist/patterns/php-dynamic-include.json for examples).
+
 # Debug code in production (JS + PHP)
 OVERRIDE_GREP_INCLUDE="--include=*.php --include=*.js --include=*.jsx --include=*.ts --include=*.tsx"
 run_check "ERROR" "$(get_severity "spo-001-debug-code" "CRITICAL")" "Debug code in production" "spo-001-debug-code" \
@@ -3117,6 +3124,13 @@ run_check "ERROR" "$(get_severity "php-dynamic-include" "CRITICAL")" "Dynamic PH
   "-E include(_once)?[[:space:]]+[^;]*\\$" \
   "-E require(_once)?[[:space:]]+[^;]*\\$"
 
+# Shell command execution functions (shell_exec/exec/system/passthru)
+run_check "ERROR" "$(get_severity "php-shell-exec-functions" "CRITICAL")" "Shell command execution functions in PHP" "php-shell-exec-functions" \
+  "-E shell_exec[[:space:]]*\\(" \
+  "-E exec[[:space:]]*\\(" \
+  "-E system[[:space:]]*\\(" \
+  "-E passthru[[:space:]]*\\("
+
 # Insecure data deserialization
 run_check "ERROR" "$(get_severity "spo-003-insecure-deserialization" "CRITICAL")" "Insecure data deserialization" "spo-003-insecure-deserialization" \
   "-E unserialize[[:space:]]*\\(\\$_" \

dist/config/severity-levels.json

@@ -1,9 +1,9 @@
 {
   "_metadata": {
-    "version": "1.3.7",
+    "version": "1.3.8",
     "description": "WP Code Check - Severity Level Customization",
     "last_updated": "2026-01-14",
-    "total_checks": 35,
+    "total_checks": 36,
     "instructions": "Copy this file and edit 'level' fields to customize severity. Leave 'factory_default' unchanged for reference. Use --severity-config <path> to apply customizations. Any field starting with underscore (_comment, _note, _reason, _ticket, etc.) is ignored by the parser and can be used for documentation.",
     "_comment": "Example: This comment field is ignored during parsing. Use it to document your configuration decisions."
   },
@@ -57,6 +57,14 @@
       "category": "security",
       "description": "include/require statements where the path expression contains variables; dynamic paths can lead directly to local/remote file inclusion and remote code execution"
     },
+    "php-shell-exec-functions": {
+      "id": "php-shell-exec-functions",
+      "name": "Shell command execution functions in PHP",
+      "level": "CRITICAL",
+      "factory_default": "CRITICAL",
+      "category": "security",
+      "description": "Usage of shell_exec(), exec(), system(), or passthru() in PHP code. These functions execute system commands and are almost never safe in WordPress plugins/themes."
+    },
     "unbounded-posts-per-page": {
       "id": "unbounded-posts-per-page",
       "name": "Unbounded posts_per_page",

dist/patterns/php-shell-exec-functions.json

@@ -0,0 +1,42 @@
+{
+  "id": "php-shell-exec-functions",
+  "detection_type": "direct",
+  "category": "security",
+  "severity": "CRITICAL",
+  "title": "Shell command execution functions in PHP (shell_exec/exec/system/passthru)",
+  "description": "Usage of shell_exec(), exec(), system(), or passthru() in PHP code. These functions execute system commands and are almost never safe in WordPress plugins/themes.",
+  "added_in_scanner_version": "1.3.8",
+  "languages": ["php"],
+  "detection": {
+    "type": "grep",
+    "file_patterns": ["*.php"],
+    "patterns": [
+      {
+        "id": "shell_exec-call",
+        "pattern": "shell_exec[[:space:]]*\\("
+      },
+      {
+        "id": "exec-call",
+        "pattern": "exec[[:space:]]*\\("
+      },
+      {
+        "id": "system-call",
+        "pattern": "system[[:space:]]*\\("
+      },
+      {
+        "id": "passthru-call",
+        "pattern": "passthru[[:space:]]*\\("
+      }
+    ]
+  },
+  "rationale": "Shell command execution APIs are high-risk in a web context and are strong indicators of malware, backdoors, or fragile integrations. Legitimate uses in WordPress themes/plugins are rare and should undergo manual review.",
+  "remediation": "Remove shell_exec/exec/system/passthru usage where possible. Prefer WordPress APIs, PHP built-ins, or background jobs that do not execute arbitrary shell commands. If absolutely required, tightly constrain inputs (whitelists), escape arguments safely, and restrict execution to trusted administrators only.",
+  "references": [
+    "https://www.php.net/manual/en/function.exec.php",
+    "https://owasp.org/www-community/attacks/Command_Injection"
+  ],
+  "test_fixtures": [
+    "dist/tests/fixtures/shell-exec-antipatterns.php"
+  ]
+}
+

dist/tests/fixtures/shell-exec-antipatterns.php

@@ -0,0 +1,22 @@
+<?php
+
+// Intentional anti-patterns for shell_exec/exec/system/passthru Tier 1 rule
+
+function bad_shell_exec_from_input() {
+    $cmd = $_GET['cmd'];
+    shell_exec($cmd);
+}
+
+function bad_exec_for_image_convert($filename) {
+    // Even seemingly legitimate uses should be reviewed
+    exec("convert " . $filename);
+}
+
+function bad_system_call() {
+    system($_POST['command']);
+}
+
+function bad_passthru_call($arg) {
+    passthru($arg);
+}
+