rspec/rules/S6418/php/rule.adoc
teemu-rytilahti-sonarsource 601aff6915
S6418/php: fix typo in variable name (#4665)
`description.adoc` is using `detections` and not `detectons` as a variable:
```
This rule detects {detections} having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value.
```

This PR makes the value rendered correctly on https://sonarsource.github.io/rspec/#/rspec/S6418/php
2025-02-17 09:52:55 +01:00


:detections: variables/fields
:defaultsensibility: 5
include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
[source,php,diff-id=1,diff-type=noncompliant]
----
// Sensitive: a pseudorandom-looking value hard-coded into a variable named "secret"
$secret = '47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37';
MyClass::callMyService($secret);
----
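The following detector is an added illustration and is not part of the rspec page or of SonarSource's PHP analyzer. It takes the name list quoted in the rule description (secret, token, credential, auth, api[_.-]?key) and flags assignments of a quoted literal whose value looks pseudorandom. The "pseudorandom" criterion used here (minimum length plus a Shannon-entropy threshold) and the line-oriented regex are this example's own assumptions; the real analyzer works on the PHP syntax tree and its exact randomness test is not stated on the page. The PHP sample is constructed for the demonstration, with the first value taken from the Sensitive Code Example above.

```python
import math
import re
from collections import Counter

# Name fragments taken from the rule description: secret, token, credential,
# auth, api[_.-]?key. Matched case-insensitively anywhere in the identifier.
NAME_RE = re.compile(r"secret|token|credential|auth|api[_.-]?key", re.IGNORECASE)

# One PHP assignment of a quoted string literal to a variable ($name = '...')
# or a class constant (const NAME = '...'), terminated by a semicolon.
ASSIGN_RE = re.compile(
    r"""(?:\$|const\s+)(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<q>['"])(?P<value>.*?)(?P=q)\s*;"""
)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_pseudorandom(value, min_len=16, min_entropy=3.0):
    """Assumed criterion for a 'pseudorandom hard-coded value': long enough to
    be a key or hash and with high per-character entropy. The thresholds are
    this example's choice, not the analyzer's exact rule."""
    return len(value) >= min_len and shannon_entropy(value) >= min_entropy


def find_hardcoded_secrets(php_source):
    """Return (line_number, identifier) for each assignment whose name matches
    NAME_RE and whose string literal looks pseudorandom."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN_RE.search(line)
        if m is None:
            continue  # no string-literal assignment on this line
        name, value = m.group("name"), m.group("value")
        if NAME_RE.search(name) and looks_pseudorandom(value):
            findings.append((lineno, name))
    return findings


# Constructed PHP sample; the first value is the one from the rule's example.
SAMPLE_PHP = """<?php
$secret = '47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37';   // flagged
const API_KEY = 'x9Q2mL7vK3pR8nT1wZ5yB0cD4fG6hJ';      // flagged (constant field)
$token = getenv('APP_TOKEN');                             // not a literal
$authHeader = 'Authorization';                            // readable, too short
$auth_token = 'passwordpasswordpassword';                 // low entropy
$username = 'f3a9c2e1d4b7a6c5e8f9012345678abcdef012345'; // name does not match
"""

if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_PHP):
        print(f"line {lineno}: secret-like literal assigned to {name}")
```

Running it on the sample reports lines 2 and 3 only: the `getenv()` call is not a literal, `'Authorization'` is too short to be a key, the repeated-word value has low entropy, and `$username` is not in the name list. Tuning `min_len` and `min_entropy` trades false positives (readable placeholders) against misses (short PINs), which is why the rule is a hotspot to review rather than a hard error.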
== Compliant Solution
Using https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/secretsmanager[AWS Secrets Manager]:
[source,php,diff-id=1,diff-type=compliant]
----
use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

$client = new SecretsManagerClient(...);
$secretName = 'example';

doSomething($client, $secretName);

function doSomething($client, $secretName) {
    try {
        // Only the secret's name is in the code; the value is fetched at runtime.
        $result = $client->getSecretValue([
            'SecretId' => $secretName,
        ]);
    } catch (AwsException $e) {
        // The elided handler must return or rethrow so $result is never used unset.
        ...
    }
    if (isset($result['SecretString'])) {
        $secret = $result['SecretString'];
    } else {
        $secret = base64_decode($result['SecretBinary']);
    }
    // do something with the secret
    MyClass::callMyService($secret);
}
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../parameters.adoc[]
'''
endif::env-github,rspecator-view[]