rules: - id: openssl-decrypt-validate patterns: - pattern: openssl_decrypt(...); - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... if($DECRYPTED_STRING === false){ ... } - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... if($DECRYPTED_STRING == false){ ... } - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... if(false === $DECRYPTED_STRING){ ... } - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... if(false == $DECRYPTED_STRING){ ... } - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... assertTrue(false !== $DECRYPTED_STRING,...); - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... assertTrue($DECRYPTED_STRING !== false,...); - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... $REFERENCE::assertTrue(false !== $DECRYPTED_STRING,...); - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... $REFERENCE::assertTrue($DECRYPTED_STRING !== false,...); - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... assert(false !== $DECRYPTED_STRING,...); - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... assert($DECRYPTED_STRING !== false,...); message: The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`. languages: - php severity: WARNING metadata: references: - https://www.php.net/manual/en/function.openssl-decrypt.php cwe: 'CWE-252: Unchecked Return Value' owasp: - A02:2021 - Cryptographic Failures technology: - php - openssl category: security