ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2278/php/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

64 lines
2.1 KiB
Plaintext
Raw Blame History

== Why is this an issue?
include::../description.adoc[]
=== Noncompliant code example
[source,php]
----
<?php
$ciphertext = mcrypt_encrypt(MCRYPT_DES, $key, $plaintext, $mode); // Noncompliant
// ...
$ciphertext = mcrypt_encrypt(MCRYPT_DES_COMPAT, $key, $plaintext, $mode); // Noncompliant
// ...
$ciphertext = mcrypt_encrypt(MCRYPT_TRIPLEDES, $key, $plaintext, $mode); // Noncompliant
// ...
$ciphertext = mcrypt_encrypt(MCRYPT_3DES, $key, $plaintext, $mode); // Noncompliant
$cipher = "des-ede3-cfb"; // Noncompliant
$ciphertext_raw = openssl_encrypt($plaintext, $cipher, $key, $options=OPENSSL_RAW_DATA, $iv);
?>
----
=== Compliant solution
[source,php]
----
<?php
$ciphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $plaintext, MCRYPT_MODE_CBC, $iv);
?>
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 15 Jun 2018, 15:10:28 Alexandre Gigleux wrote:
Mcrypt ciphers: \http://us3.php.net/manual/en/mcrypt.ciphers.php
=== on 16 Jul 2018, 13:55:32 Pierre-Yves Nicolas wrote:
It seems that http://php.net/manual/en/intro.mcrypt.php[Mcrypt is deprecated] in PHP 7.1 and removed in PHP 7.2.
=== on 16 Jul 2018, 14:20:39 Alexandre Gigleux wrote:
The fact Mcrypt is deprecated in PHP 7.1 and removed in PHP 7.2 doesn't prevent us to catch this pattern to help developers still relying on it to know that their code is not secure.
=== on 19 Jul 2018, 17:05:52 Tibor Blenessy wrote:
I also added DES when used with openssl_encrypt(...), as described here \https://stackoverflow.com/questions/39467008/use-openssl-encrypt-to-replace-mcrypt-for-3des-ecb-encryption
\[~alexandre.gigleux] I agree that we should detect also deprecated function calls, however I would refrain for using them in compliant code example (to avoid anybody blaming us that we recommended deprecated crypto). Either we can use ``++openssl_encrypt++`` \http://php.net/manual/en/function.openssl-encrypt.php , or drop compliant example completely
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink