include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

Builtin functions

----
function sendHttpRequest($url) {
    // The following are sensitive when used with a hard coded http or https url.
    // This limitation is to avoid false positives.
    file_get_contents('https://example.com'); // Sensitive
    fopen('http://example.com', 'r'); // Sensitive
    readfile('http://example.com'); // Sensitive
    copy('http://example.com', 'test.txt'); // Sensitive
    file('http://example.com'); // Sensitive

    // Some of these functions also accept a context. When this context is an 'http' context,
    // the call is sensitive under the same hard coded url condition as above.
    file_get_contents('http://example.com', false, $context); // Sensitive
    fopen('http://example.com', 'r', false, $context); // Sensitive
    file('http://example.com', 0, $context); // Sensitive
    readfile('http://example.com', false, $context); // Sensitive

    get_headers('http://example.com'); // Sensitive
    get_meta_tags('http://example.com'); // Sensitive, when used with a hard coded http or https url. This limitation is to avoid false positives.
}
----

Curl functions

----
$url = 'http://example.com';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Execute the request.
$data = curl_exec($ch); // Sensitive
curl_close($ch);
----

Guzzle

----
new GuzzleHttp\Client(); // Sensitive
----

PECL HTTP

----
new http\Client\Request('GET', 'http://example.com'); // Sensitive
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 15 Jan 2019, 15:56:45 Nicolas Harraudeau wrote:
Current limitation of the implementation: it marks every call to ``++curl_exec()++`` as an HTTP request even when another protocol is used (ex: FTP, Gopher, Telnet ...).

This is acceptable for now as:

* HTTP is the most common case by far.
* Even if the hotspot uses another protocol, a review is still needed.

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]