rspec/rules/S6437/php/rule.adoc

== Why is this an issue?

include::../description.adoc[]

=== Noncompliant code example

[source,php]
----
use Defuse\Crypto\KeyOrPassword;

function createKey() {
    $password = "example";
    return KeyOrPassword::createFromPassword($password); // Noncompliant
}
----

=== Compliant solution

Modern web frameworks tend to provide a secure way to pass passwords and secrets
to the code. For example, in Symfony you can use https://symfony.com/doc/current/configuration/secrets.html[vaults]
to store your secrets. The secret values are referenced in the same way as
environment variables, so you can easily access them through https://symfony.com/doc/current/configuration.html#configuration-parameters[configuration parameters].

[source,php]
----
use Defuse\Crypto\KeyOrPassword;

class PasswordService
{
    private string $password;

    public function setPassword(string $password): void
    {
        $this->password = $password;
    }

    public function createKey(): KeyOrPassword
    {
        return KeyOrPassword::createFromPassword($this->password);
    }
}
----

== Resources

* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
* https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
* https://cwe.mitre.org/data/definitions/798.html[MITRE, CWE-798] - Use of Hard-coded Credentials
* https://cwe.mitre.org/data/definitions/259.html[MITRE, CWE-259] - Use of Hard-coded Password
* https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information
* https://symfony.com/doc/current/configuration/env_var_processors.html[Symfony] - Environment Variable Processors
* https://symfony.com/doc/current/configuration.html#configuration-parameters[Symfony] - Configuring Symfony
* https://symfony.com/doc/current/configuration/secrets.html[Symfony] - How to Keep Sensitive Information Secret

ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)

=== Message

Revoke and change this password, as it is compromised.

=== Highlighting

Highlight the credential use and its initialization.

'''
endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Create rule S6437: Credentials should not be hard-coded (#1600) 2023-03-02 15:55:56 +00:00			`include::../description.adoc[]`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Create rule S6437: Credentials should not be hard-coded (#1600) 2023-03-02 15:55:56 +00:00
			`[source,php]`
			`----`
			`use Defuse\Crypto\KeyOrPassword;`

			`function createKey() {`
			`$password = "example";`
			`return KeyOrPassword::createFromPassword($password); // Noncompliant`
			`}`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Create rule S6437: Credentials should not be hard-coded (#1600) 2023-03-02 15:55:56 +00:00
			`Modern web frameworks tend to provide a secure way to pass passwords and secrets`
			`to the code. For example, in Symfony you can use https://symfony.com/doc/current/configuration/secrets.html[vaults]`
			`to store your secrets. The secret values are referenced in the same way as`
			`environment variables, so you can easily access them through https://symfony.com/doc/current/configuration.html#configuration-parameters[configuration parameters].`

			`[source,php]`
			`----`
			`use Defuse\Crypto\KeyOrPassword;`

			`class PasswordService`
			`{`
			`private string $password;`

			`public function setPassword(string $password): void`
			`{`
			`$this->password = $password;`
			`}`

			`public function createKey(): KeyOrPassword`
			`{`
			`return KeyOrPassword::createFromPassword($this->password);`
			`}`
			`}`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Create rule S6437: Credentials should not be hard-coded (#1600) 2023-03-02 15:55:56 +00:00
			`* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures`
			`* https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication`
			`* https://cwe.mitre.org/data/definitions/798.html[MITRE, CWE-798] - Use of Hard-coded Credentials`
			`* https://cwe.mitre.org/data/definitions/259.html[MITRE, CWE-259] - Use of Hard-coded Password`
			`* https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information`
			`* https://symfony.com/doc/current/configuration/env_var_processors.html[Symfony] - Environment Variable Processors`
			`* https://symfony.com/doc/current/configuration.html#configuration-parameters[Symfony] - Configuring Symfony`
			`* https://symfony.com/doc/current/configuration/secrets.html[Symfony] - How to Keep Sensitive Information Secret`

			`ifdef::env-github,rspecator-view[]`
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`=== Message`

			`Revoke and change this password, as it is compromised.`

			`=== Highlighting`

			`Highlight the credential use and its initialization.`

			`'''`
			`endif::env-github,rspecator-view[]`