rspec/rules/S2076/php/how-to-fix-it/symfony.adoc

== How to fix it in Symfony

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,php,diff-id=1,diff-type=noncompliant]
----
public function unsafe(Request $request): JsonResponse
{
    $process = Process::fromShellCommandline($request->query->get("cmd")); // Noncompliant
    $process->run();
    $code = $process->wait();
    return $this->json($code == 0);
}
----

==== Compliant solution

[source,php,diff-id=1,diff-type=compliant]
----
public function safe(Request $request): JsonResponse
{
    $allowedCommands = [["/bin/ping","-c","1","--"],["/usr/bin/host","--"]];
    $cmd = $allowedCommands[$request->query->get("cmdId")];
    $cmd[] = $request->query->get("host");

    $process = new Process($cmd);
    $process->run();
    $code = $process->wait();
    return $this->json($code == 0);
}
----

=== How does this work?

include::../../common/fix/introduction.adoc[]

include::../../common/fix/pre-approved-list.adoc[]

In the example compliant code, a static list of allowed commands is used.
Users are only allowed to provide a command index that will be used to access
this list. The command resulting from the list access can be considered
trusted.

:sanitizationLib: Symfony\Component\Process\Process
include::../../common/fix/sanitize-meta-characters.adoc[]

In the example compliant code, the `Process` constructor is used in place of
the less safe `fromShellCommandline` function. It accepts a list of command
arguments that will be properly escaped and concatenated to form the command
line to execute.

include::../../common/fix/shell_integration.adoc[]

In the example compliant code, using the `Process` constructor is preferred
over the less safe `fromShellCommandline` `Process` factory. This way of
creating `Process` instances disables shell integration by default.