rspec/rules/S5144/php/how-to-fix-it/core.adoc

== How to fix it in Core PHP

=== Code examples
The following code is vulnerable to SSRF as it opens a URL defined by untrusted data.

==== Noncompliant code example

[source,php,diff-id=1,diff-type=noncompliant]
----
$host = $_GET['host'];
$url = "https://$host/.well-known/openid-configuration";

$ch = curl_init($url); // Noncompliant
curl_exec($ch);
----

==== Compliant solution

[source,php,diff-id=1,diff-type=compliant]
----
$allowedHosts = ["trusted1" => "trusted1.example.com", "trusted2" => "trusted2.example.com"];
$host = $allowedHosts[$_GET['host']];
$url = "https://$host/.well-known/openid-configuration";

$ch = curl_init($url);
curl_exec($ch);
----

=== How does this work?

include::../../common/fix/pre-approved-list.adoc[]

include::../../common/fix/blacklist.adoc[]

=== Pitfalls

include::../../common/pitfalls/starts-with.adoc[]

include::../../common/pitfalls/blacklist-toctou.adoc[]
Add checks for education format (#1607) 2023-03-07 17:16:47 +01:00			`== How to fix it in Core PHP`

			`=== Code examples`
Modify rule S5144[PHP]: Change text to the education framework format (APPSEC-286) (#1424) 2022-11-25 17:34:37 +01:00			`The following code is vulnerable to SSRF as it opens a URL defined by untrusted data.`

			`==== Noncompliant code example`

			`[source,php,diff-id=1,diff-type=noncompliant]`
			`----`
			`$host = $_GET['host'];`
			`$url = "https://$host/.well-known/openid-configuration";`

Modify rule S5144: Change the education framework code example sink (APPSEC-310) (#1451) 2022-12-09 15:18:11 +01:00			`$ch = curl_init($url); // Noncompliant`
			`curl_exec($ch);`
Modify rule S5144[PHP]: Change text to the education framework format (APPSEC-286) (#1424) 2022-11-25 17:34:37 +01:00			`----`

			`==== Compliant solution`

			`[source,php,diff-id=1,diff-type=compliant]`
			`----`
			`$allowedHosts = ["trusted1" => "trusted1.example.com", "trusted2" => "trusted2.example.com"];`
			`$host = $allowedHosts[$_GET['host']];`
			`$url = "https://$host/.well-known/openid-configuration";`

Modify rule S5144: Change the education framework code example sink (APPSEC-310) (#1451) 2022-12-09 15:18:11 +01:00			`$ch = curl_init($url);`
			`curl_exec($ch);`
Modify rule S5144[PHP]: Change text to the education framework format (APPSEC-286) (#1424) 2022-11-25 17:34:37 +01:00			`----`

Modify S5144&S6547: Improve fixes (#2912) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-08-21 10:51:21 +02:00			`=== How does this work?`
Modify rule S5144[PHP]: Change text to the education framework format (APPSEC-286) (#1424) 2022-11-25 17:34:37 +01:00
Modify S5144&S6547: Improve fixes (#2912) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-08-21 10:51:21 +02:00			`include::../../common/fix/pre-approved-list.adoc[]`
Modify rule S5144[PHP]: Change text to the education framework format (APPSEC-286) (#1424) 2022-11-25 17:34:37 +01:00
Modify Rule S5144: Add information on blacklisting (#4454) * Modify Rule S5144: Add information on blacklisting 2024-10-30 15:57:46 +01:00			`include::../../common/fix/blacklist.adoc[]`

Modify rule S5144[PHP]: Change text to the education framework format (APPSEC-286) (#1424) 2022-11-25 17:34:37 +01:00			`=== Pitfalls`

			`include::../../common/pitfalls/starts-with.adoc[]`
Modify Rule S5144: Add information on blacklisting (#4454) * Modify Rule S5144: Add information on blacklisting 2024-10-30 15:57:46 +01:00
			`include::../../common/pitfalls/blacklist-toctou.adoc[]`