feat: add eval($variable) malware pattern to file scanner #175
Closed
Conversation
The file scanner missed the totally-legit-seo simulated hack because eval() and base64_decode() were on separate lines. The existing eval_base64 pattern only catches eval(base64_decode(...)) as a single expression, and standalone base64_decode scores 5.0 (below the 6.0 threshold). Adding eval($variable) at risk 9.0 catches this evasion technique.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The script was moved into the plugin folder but still used its own directory as the working directory. Now it detects the WordPress root via WP-CLI or by walking up the directory tree, so file paths like wp-login.php and wp-content/plugins/ resolve correctly regardless of where the script lives.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Owner
Closing this one. The simulate-hack.sh script and related additions were created for the hackathon demo. We are removing hackathon-specific test utilities from the codebase going forward. Thanks for the contribution during the hackathon!
Summary
- Adds an eval($variable) pattern (risk score 9.0) to the file scanner's malware detection
- The totally-legit-seo simulated hack was missed because eval() and base64_decode() were split across separate lines, evading the existing eval(base64_decode(...)) combined pattern
- The standalone base64_decode pattern only scores 5.0 (below the 6.0 risk threshold), so the hack was filtered out entirely

Test plan
- Run the scanner with the totally-legit-seo plugin installed and verify eval($decoded) is now flagged
- eval() with string literals
- Run composer lint to confirm PHP coding standards

🤖 Generated with Claude Code
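The scoring behaviour the PR description relies on, shown as an added example that is not the project's scanner code. The project's scanner is PHP; this illustration is written in Python so the logic can be run stand-alone. The regexes, the PHP samples and the eval_base64 score of 10.0 are constructed assumptions; the 5.0 score for base64_decode, the 9.0 score for eval($variable) and the 6.0 threshold are the figures stated in the PR. The sample that matters is the one where the decoded payload is routed through a variable before eval(): the combined pattern cannot match it, the base64_decode hit alone stays under the threshold, and only the new eval($variable) signature pushes it over.

```python
import re

# Threshold quoted in the PR: a file is reported only if some pattern scores >= 6.0.
RISK_THRESHOLD = 6.0

# (name, regex, score). Regexes are assumptions written for this example;
# the eval_base64 score is assumed, the other two scores are from the PR text.
OLD_PATTERNS = [
    ("eval_base64", re.compile(r"\beval\s*\(\s*base64_decode\s*\("), 10.0),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\("), 5.0),
]

# The pattern this PR adds: eval() applied directly to a PHP variable.
EVAL_VARIABLE = ("eval_variable", re.compile(r"\beval\s*\(\s*\$[A-Za-z_]\w*\s*\)"), 9.0)
NEW_PATTERNS = OLD_PATTERNS + [EVAL_VARIABLE]


def scan_source(source, patterns):
    """Scan PHP source line by line.

    Returns (max_score, hits) where hits is a list of (pattern_name, line_no, score).
    Line-by-line matching mirrors the scanner behaviour described in the PR, which is
    why a payload split across lines never matches the combined eval_base64 pattern.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, regex, score in patterns:
            if regex.search(line):
                hits.append((name, line_no, score))
    max_score = max((score for _, _, score in hits), default=0.0)
    return max_score, hits


def is_flagged(source, patterns):
    """True if the file's highest-scoring hit reaches the reporting threshold."""
    return scan_source(source, patterns)[0] >= RISK_THRESHOLD


# Constructed PHP samples (not taken from any real plugin).
# 1. Classic one-liner: caught by the combined pattern.
COMBINED = "<?php\neval(base64_decode('cGhwaW5mbygpOw=='));\n"

# 2. Evasion described in the PR: decode into a variable, eval the variable later.
SPLIT = (
    "<?php\n"
    "$decoded = base64_decode('cGhwaW5mbygpOw==');\n"
    "eval($decoded);\n"
)

# 3. Benign decode with no eval at all: must stay below the threshold.
BENIGN = (
    "<?php\n"
    "$img = base64_decode($_POST['image']);\n"
    "file_put_contents('/tmp/upload.png', $img);\n"
)


if __name__ == "__main__":
    for label, sample in (("combined", COMBINED), ("split", SPLIT), ("benign", BENIGN)):
        old = scan_source(sample, OLD_PATTERNS)
        new = scan_source(sample, NEW_PATTERNS)
        print(f"{label:8s} old max={old[0]:4.1f} flagged={old[0] >= RISK_THRESHOLD}  "
              f"new max={new[0]:4.1f} flagged={new[0] >= RISK_THRESHOLD}")
```

Running it shows the split sample scoring 5.0 under the old table (dropped) and 9.0 under the new one (reported), while the benign decode stays at 5.0 either way. The caveat a reviewer would want on record: this is signature matching, and eval($a . $b), eval(${'x'}), assert() or create_function() with a variable argument slip past it just as the split form slipped past eval_base64, so each added pattern closes one evasion rather than the class.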