PHP Classes

How Can PHP Audit a Shell Script to Find Security Issues Using the Package Script Sandbox Validator: Validate scripts written in different languages

Recommend this page to a friend!
     
  Info   Example   View files Files   Install with Composer Install with Composer   Download Download   Reputation   Support forum   Blog    
Last Updated Ratings Unique User Downloads Download Rankings
2026-02-22 (4 months ago) RSS 2.0 feedNot yet rated by the usersTotal: Not yet counted Not yet ranked
Version License PHP version Categories
scriptsandboxvalidat 1.0.0GNU General Publi...7Security, Parsers, PHP 7
Description 

Author

Ali YILMAZ

This package can validate scripts written in different languages.

It provides a class that can scan scripts of code to detect potentially dangerous scripts and returns a list of security violations.

Currently it can validate scripts written in Bash, Python, and BAT languages to detect scripts that:

- Access paths outside a given sandbox directory

- Use commands that can perform dangerous operations

- Use dynamic directory paths that cannot be validated

Innovation Award
PHP Programming Innovation award nominee
February 2026
Number 7		 Sometimes PHP developers need to use scripts written in other languages by other developers.

If the PHP developer does not understand much of the code written in those other languages, it may be dangerous to use those scripts without knowing if they are secure.

This package can perform basic security audits on scripts written in other languages like Bash shell script, Python, and BAT batch shell scripts.

Manuel Lemos
Picture of Ali YILMAZ
  Performance   Level  
Name: Ali YILMAZ <contact>
Classes: 18 packages by
Country: Turkey Turkey

Level 1 Star

 Innovation award
Innovation award
Nominee: 10x

Winner: 1x

Instructions

Please read this document to learn how to audit scripts to find security violations.

Example

<?php

require_once __DIR__ . '/../src/ScriptSandboxValidator.php';

use ScriptSandboxValidator\ScriptSandboxValidator;

$validator = new ScriptSandboxValidator();

$script = 'touch sandbox/file1.txt; rm /etc/passwd; echo $HOME/file';
$sandbox = __DIR__ . '/sandbox';

$result = $validator->validateScript($script, $sandbox, 'bash');

echo "<pre>";
print_r($result);
echo "</pre>";

Details

ScriptSandboxValidator

PHP library to validate Bash, Python, and BAT scripts against a sandbox directory.

Features

  • Detects paths that escape the sandbox
  • Detects dynamic paths (`$VAR`, `${VAR}`, backticks, etc.)
  • Detects dangerous system commands (`rm`, `shutdown`, `del`, etc.)
  • Reports violations with line numbers
  • Cross-platform (Linux/Windows/Unix)
  • Strict mode enabled

Installation

composer require aliyilmaz/script-sandbox-validator

Or include src/ScriptSandboxValidator.php manually.

Usage

use ScriptSandboxValidator\ScriptSandboxValidator;

$validator = new ScriptSandboxValidator();

$script = 'touch sandbox/file1.txt; rm /etc/passwd; echo $HOME/file';
$sandbox = __DIR__ . '/sandbox';

$result = $validator->validateScript($script, $sandbox, 'bash');

print_r($result);

Example Output

Array
(
    [valid] => false
    [violations] => Array
        (
            [0] => Array
                (
                    [type] => path_escape
                    [value] => /etc/passwd
                    [line] => 1
                    [reason] => Outside sandbox directory
                )

            [1] => Array
                (
                    [type] => dynamic_path
                    [value] => $HOME
                    [line] => 1
                    [reason] => Dynamic path cannot be validated
                )

            [2] => Array
                (
                    [type] => dangerous_command
                    [value] => rm
                    [line] => 1
                    [reason] => System-level or dangerous command is blocked
                )

        )

)

Warning / Caution

  • This validator does not execute scripts. It only parses the content and checks for paths and commands.
  • Dynamic paths (e.g., `$HOME`, `${VAR}`) are flagged because their runtime value cannot be verified.
  • It may not catch all possible ways to escape the sandbox, especially with highly obfuscated scripts.
  • Always test new scripts in a safe environment before deployment.
  • Designed for sandboxed environments; do not rely solely on this for full system security.

  Files folder image Files (8)  
File Role Description
Files folder imageexamples (1 file)
Files folder imagesrc (1 file)
Files folder imagetests (3 files)
Accessible without login Plain text file composer.json Data Auxiliary data
Accessible without login Plain text file LICENSE Lic. License text
Accessible without login Plain text file Readme.md Doc. Documentation

  Files folder image Files (8)  /  examples  
File Role Description
  Accessible without login Plain text file example.php Example Example script

  Files folder image Files (8)  /  src  
File Role Description
  Plain text file ScriptSandboxValidator.php Class Class source

  Files folder image Files (8)  /  tests  
File Role Description
  Accessible without login Plain text file bash_test.sh Data Auxiliary data
  Accessible without login Plain text file bat_test.bat Data Auxiliary data
  Accessible without login Plain text file python_test.py Data Auxiliary data

The PHP Classes site has supported package installation using the Composer tool since 2013, as you may verify by reading this instructions page.
Install with Composer Install with Composer
Downloadscriptsandboxvalidat-2026-02-22.zip 15KB
Downloadscriptsandboxvalidat-2026-02-22.tar.gz 15KB
Install with ComposerInstall with Composer
 Version Control Unique User Downloads  
 100%
Total:0
This week:0

  Applications that use this package  
No pages of applications that use this class were specified.

Add link image If you know an application of this package, send a message to the author to add a link here.