Vaultpress suspicious code php.generic.badpattern.5

[alessandrotesoro]

Hey there,

I've been using your library within a plugin of mine https://wordpress.org/plugins/wp-user-manager/

A user of the plugin has reported that the Vaultpress triggered a "suspicious code" warning found within the library which is of course a false positive. The user has reported, that Vaultpress said:

The vulnerability was detected on this line: return $callable($factory($c), $c);

The affected file is https://github.com/htmlburger/carbon-fields/blob/master/core/Pimple/Container.php#L243

Not sure if there's anything you can do, I just wanted to report it 👍

[emohamed]

Hi @alessandrotesoro

Thanks for the report! This class is taken verbatim from the Pimple Dependency Injection Container, so we don't want to tweak it in any way.

I contacted Vaultpress to see if there is something they can do on their end. I'll update the issue once I hear back.

[emohamed]

Hi @alessandrotesoro

Here is VaultPress response:

I'd say if you're certain that it isn't a security threat, it can be ignored in the VaultPress dashboard by going to the security tab.

I'm afraid there isn't a direct workaround here as malicious code will be detected in VaultPress because of the way VP is designed. However, it will also suggest the reason why it was detected as a security threat.

The user can then do a quick google search around it and take the steps to fix it :)

So, I'm afraid that we can't mitigate this issue. Hopefully if this happens to another user, they'll find this issue via Google Search and see that there is no security threat.

I'm closing this issue. Happy coding 🙂

[joevansteen]

Did the search, ended up here. If VP says your code is a potential threat, I can live without your code. Sorry dude. If your code is not a threat, have them create a white-list for when good guys get trapped. Else, you are gone from my plugin list. Can't live without a security screen. Can live without you version of your function. Or, suggest a better security that lets you through, and blocks the real bad guys. Who is going to remember which undefined exceptions to a hole in a security wall were good once, but now have gone South. Practice safe coding. And don't take excuses from security guys that they can't find a way to let good guys do their thing, safely. That is their job, not just writing cool subterranean code. Like they're the first people to write sniffers. Make it useful. Cool comes with usefulness, Utility. Means I can actually get the job done with your code, without breaking another job that has to get done at the same time. Welcome to coding for real.

[joevansteen]

I'm not really an ass, I'm just getting real tired of people who think tomorrow you can just throw it away, and roll out a new app. The internet age is a new world, but you still have to deal with a human interface that has habits built up over 40,000 years. Welcome to reality. We were here first. We want your stuff. Relax, slow down, get it right. Your future generations depend on it.

[emohamed]

Wow, that was a lot to process :-)

• We use Pimple library from Symfony. It's not a security threat -- we double checked the code and there is nothing suspicious in it. You can also go through the code and check that as well
• VaultPress has false positive and they're not interested in fixing it(as you can see from the reply I got from them)

All in all, it's neither our problem, nor Pimple's -- it's a flaw in VaultPress. We won't introduce workarounds in Pimple code just to satisfy a flawed test from VP -- this would actually be considered suspicious(by a human code reviewer) since there will be changes in a very well-tested and widely used package that's bundled within Carbon Fields.

I'm sorry if you can't use our library due to this problem. I understand some people need a green screen in VaultPress, but there is no easy way for us to work around the situation.

[joevansteen]

If you read careful, I thought I had agreed it was VP's issue to fix. Send them this note. I won't use them as long as this condition exists, especially if you can't get a whitelist from them, that can be maintained without user effort. Because of this. I'll try you stuff again, but I have to move sites first. So, ... not right now. I appreciate your other comments. I'm just an old fart that knows well why things work the way they do in digital town, and am pissed that while I had to build quality first, marketing has taken over for engineering, and people who we used to build software for, have become products for advertising and finance first. Thought it was bad when it started, intentionally planted viruses is what most cookies are, and a few for functional purposes. The cookies would be good place to audit more than some of the code patterns if anyone was really interested in securing a work space. Oh well. I like library approaches. I used Copy libraries for COBOL code in 1971, and MACLIBs for aASM, and JCLProc LIBS, libs, libs, libs. A good way to do layering. Thanks for the note Joe

…

On Mon, Feb 25, 2019 at 12:26 AM Emil Mohamed ***@***.***> wrote: Wow, that was a lot to process :-) - We use Pimple library from Symfony. It's not a security threat -- we double checked the code and there is nothing suspicious in it. You can also go through the code and check that as well - VaultPress has false positive and they're not interested in fixing it(as you can see from the reply I got from them) All in all, it's neither our problem, nor Pimple's -- it's a flaw in VaultPress. We won't introduce workarounds in Pimple code just to satisfy a flawed test from VP -- this would actually be considered suspicious(by a human code reviewer) since there will be changes in a very well-tested and widely used package that's bundled within Carbon Fields. I'm sorry if you can't use our library due to this problem. I understand some people need a green screen in VaultPress, but there is no easy way for us to work around the situation. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#550 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGmkA9auoYg0CyNKh7ZW8zPzoJ-_Fdakks5vQ545gaJpZM4U_LuM> .