cd03a1dd3d
## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
46 lines
1009 B
Plaintext
46 lines
1009 B
Plaintext
== How to fix it in Guzzle
|
|
|
|
=== Code examples
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,php,diff-id=11,diff-type=noncompliant]
|
|
----
|
|
use GuzzleHttp\Client;
|
|
|
|
$client = new Client();
|
|
|
|
$host = $_GET['host'];
|
|
$url = "https://$host/.well-known/openid-configuration";
|
|
|
|
$client->request('GET', $url); // Noncompliant
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,php,diff-id=11,diff-type=compliant]
|
|
----
|
|
use GuzzleHttp\Client;
|
|
|
|
$client = new Client();
|
|
|
|
$allowedHosts = ["trusted1" => "trusted1.example.com", "trusted2" => "trusted2.example.com"];
|
|
$host = $allowedHosts[$_GET['host']];
|
|
$url = "https://$host/.well-known/openid-configuration";
|
|
|
|
$client->request('GET', $url);
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/pre-approved-list.adoc[]
|
|
|
|
The compliant code example uses such an approach.
|
|
The `requests` library implicitly validates the scheme as it only allows `http` and `https` by default.
|
|
|
|
=== Pitfalls
|
|
|
|
include::../../common/pitfalls/starts-with.adoc[]
|