CHANGELOG.md
Lines changed: 72 additions & 0 deletions
@@ -7,6 +7,78 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
8
8
## [Unreleased]
9
9
10
+
## [1.3.10] - 2026-01-14
11
+
12
+
### Fixed
13
+
-**PHP Security Rules**
14
+
-`php-user-controlled-file-write`: Fixed a shell variable interpolation bug in the inline grep patterns that prevented detection when the file path was derived from PHP superglobals (e.g., `$_GET`, `$_POST`). The rule now reliably flags direct file writes with user-controlled paths.
15
+
-`spo-003-insecure-deserialization`: Hardened the pattern definitions to avoid accidental expansion of shell special variables while scanning for insecure deserialization of superglobal input.
16
+
17
+
### Internal
18
+
- Added an opt-in `DEBUG_PATTERN=1` environment flag for `dist/bin/check-performance.sh` that prints the resolved grep include arguments, patterns, and paths for pattern-based rules to aid future debugging.
19
+
20
+
### Documentation
21
+
- Updated `PROJECT/1-INBOX/RULES-2026-01-14.md` to:
22
+
- Reflect that `php-user-controlled-file-write` is hardened as of v1.3.10.
23
+
- Promote `spo-003-insecure-deserialization` to a Tier 1 PHP rule with clear rationale and examples.
24
+
- Document the `DEBUG_PATTERN=1` flag as a supported internal tool for auditing Tier 1 pattern behavior.
25
+
26
+
## [1.3.9] - 2026-01-14
27
+
28
+
### Added
29
+
-**Tier 1 Security Rules (PHP)** - Direct file writes and hardcoded credentials
30
+
- New rule: `php-user-controlled-file-write` (**CRITICAL**, security)
31
+
- Detects `file_put_contents()`, `fopen()`, and `move_uploaded_file()` calls where the target path is derived directly from PHP superglobals (e.g., `$_GET`, `$_POST`)
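Review bot: the `### Fixed` entry for `php-user-controlled-file-write` should state the user-visible impact and the affected version explicitly. As written, "prevented detection when the file path was derived from PHP superglobals" leaves the reader to infer that v1.3.9 produced false negatives (no findings at all) for exactly the `$_GET`/`$_POST` cases the rule exists to catch, because the shell expanded `$_GET` as a variable reference instead of passing it to grep literally. Suggest wording along the lines of "In v1.3.9 this rule reported no findings for superglobal-derived paths (false negatives); the patterns are now protected from shell expansion so `$_GET`/`$_POST` are matched literally", and the same for the `spo-003-insecure-deserialization` line. For the `### Internal` entry, the `DEBUG_PATTERN=1` description should say where the debug output goes (stdout vs. stderr) so users know whether enabling it alters report output; since the `### Documentation` bullet now calls it a "supported internal tool", the changelog is the place to pin that down.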
PROJECT/1-INBOX/BACKLOG.md
Lines changed: 6 additions & 1 deletion
@@ -1,13 +1,18 @@
1
1
# Backlog - Issues to Investigate
2
2
3
+
### Checklist - 2025-01-14
4
+
-[ ] Continue with Tier 1 rules - First 5 completed
5
+
-[ ] Fix tty output for HTML reports (The commit added great new features (init, update, tab completion) with proper TTY detection. However, the original HTML generation code (lines 5848-5863) still writes to /dev/tty unconditionally)
6
+
-[ ] Make a comment in main script to make rules in external files going forward
7
+
-[ ] Breakout check-performance.sh into multiple files and external rule files
8
+
3
9
## Mini Project Plan: Enhanced Context Detection (False Positive Reduction)
4
10
5
11
Goal: Improve context/scope accuracy (especially “same function”) to reduce false positives and severity inflation, while keeping the scanner fast and zero-dependency.
6
12
7
13
Notes:
8
14
- This is **not a new standalone script**. `dist/bin/check-performance.sh` already has limited “same function” scoping (used in caching mitigation); this mini-project extends/centralizes that approach.
9
15
10
-
### Checklist
11
16
-[ ] Audit where we rely on context windows today (±N lines) and where “same function” scoping would reduce false positives.
12
17
-[x] Add/centralize a helper to compute function/method scope boundaries (support `function foo()`, `public/protected/private static function foo()`, and common formatting).
13
18
-[x] Use the helper in mitigation detection (so caching/ids-only/admin-only/parent-scoped all share the same scoping rules).
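Review bot: deleting the `### Checklist` heading at old line 10 leaves the three Mini Project Plan items (`Audit where we rely on context windows...`, `Add/centralize a helper...`, `Use the helper in mitigation detection...`) sitting directly under the `Notes:` list, where they read as notes rather than tracked tasks; keep the heading, renamed to something like `### Checklist - Context Detection` so it is not confused with the new top-level checklist. Two smaller points in the added block: the new heading reads `### Checklist - 2025-01-14` while the CHANGELOG entries in this same commit are dated 2026-01-14, so the year looks like a typo; and the TTY item pins the offending HTML generation code to `lines 5848-5863` of the main script, a reference that goes stale the moment that file is edited (the item two lines below proposes splitting it into multiple files), so name the function or the `/dev/tty` write site instead.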