rspec/rules/S2755/php/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

https://www.php.net/manual/fr/function.simplexml-load-string.php[SimpleXML] object:

[source,php]
----
$xml = file_get_contents("xxe.xml");
$doc = simplexml_load_string($xml, "SimpleXMLElement", LIBXML_NOENT); // Noncompliant (LIBXML_NOENT enable external entities substitution)
----

https://www.php.net/manual/fr/class.domdocument.php[DOMDocument] object:

[source,php]
----
$doc = new DOMDocument();
$doc->load("xxe.xml", LIBXML_NOENT); // Noncompliant (LIBXML_NOENT enable external entities substitution)
----

https://www.php.net/manual/fr/xmlreader.xml.php[XMLReader] object:

[source,php]
----
$reader = new XMLReader();
$reader->open("xxe.xml");
$reader->setParserProperty(XMLReader::SUBST_ENTITIES, true); // Noncompliant (SUBST_ENTITIES enable external entities substitution)
----

== Compliant Solution

https://www.php.net/manual/fr/function.simplexml-load-string.php[SimpleXML] object:

[source,php]
----
$xml = file_get_contents("xxe.xml");
$doc = simplexml_load_string($xml, "SimpleXMLElement"); // Compliant (external entities substitution are disabled by default)
----

https://www.php.net/manual/fr/class.domdocument.php[DOMDocument] object:

[source,php]
----
$doc = new DOMDocument();
$doc->load("xxe.xml"); // Compliant (external entities substitution are disabled by default)
----

https://www.php.net/manual/fr/xmlreader.xml.php[XMLReader] object:

[source,php]
----
$reader = new XMLReader();
$reader->open("xxe.xml");
$reader->setParserProperty(XMLReader::SUBST_ENTITIES, false); // Compliant (SUBST_ENTITIES set to false)
----

== See

* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#php[OWASP XXE Prevention Cheat Sheet]
* https://cwe.mitre.org/data/definitions/611.html[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
* https://cwe.mitre.org/data/definitions/827.html[MITRE, CWE-827] - Improper Control of Document Type Definition

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`include::../description.adoc[]`

RULEAPI-608 Rename unconventional headers in RSPECs and update the validation script in GitHub rspec repository 2021-06-04 14:23:34 +02:00			`== Noncompliant Code Example`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00
			`https://www.php.net/manual/fr/function.simplexml-load-string.php[SimpleXML] object:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`$xml = file_get_contents("xxe.xml");`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`$doc = simplexml_load_string($xml, "SimpleXMLElement", LIBXML_NOENT); // Noncompliant (LIBXML_NOENT enable external entities substitution)`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`

			`https://www.php.net/manual/fr/class.domdocument.php[DOMDocument] object:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`$doc = new DOMDocument();`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`$doc->load("xxe.xml", LIBXML_NOENT); // Noncompliant (LIBXML_NOENT enable external entities substitution)`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`

			`https://www.php.net/manual/fr/xmlreader.xml.php[XMLReader] object:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`$reader = new XMLReader();`
RULEAPI-608 Rename unconventional headers in RSPECs and update the validation script in GitHub rspec repository 2021-06-04 14:23:34 +02:00			`$reader->open("xxe.xml");`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`$reader->setParserProperty(XMLReader::SUBST_ENTITIES, true); // Noncompliant (SUBST_ENTITIES enable external entities substitution)`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`

			`== Compliant Solution`

			`https://www.php.net/manual/fr/function.simplexml-load-string.php[SimpleXML] object:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`$xml = file_get_contents("xxe.xml");`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`$doc = simplexml_load_string($xml, "SimpleXMLElement"); // Compliant (external entities substitution are disabled by default)`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`

			`https://www.php.net/manual/fr/class.domdocument.php[DOMDocument] object:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`$doc = new DOMDocument();`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`$doc->load("xxe.xml"); // Compliant (external entities substitution are disabled by default)`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`

			`https://www.php.net/manual/fr/xmlreader.xml.php[XMLReader] object:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`$reader = new XMLReader();`
RULEAPI-608 Rename unconventional headers in RSPECs and update the validation script in GitHub rspec repository 2021-06-04 14:23:34 +02:00			`$reader->open("xxe.xml");`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`$reader->setParserProperty(XMLReader::SUBST_ENTITIES, false); // Compliant (SUBST_ENTITIES set to false)`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`

			`== See`

RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)`
			`* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#php[OWASP XXE Prevention Cheat Sheet]`
Update CWE mapping (#534) 2021-10-28 10:07:16 +02:00			`* https://cwe.mitre.org/data/definitions/611.html[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference`
			`* https://cwe.mitre.org/data/definitions/827.html[MITRE, CWE-827] - Improper Control of Document Type Definition`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`include::../highlighting.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`