ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4825/php/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

79 lines
2.2 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
Builtin functions
----
function sendHttpRequest($url) {
// The following are sensitive when used with a hard coded http or https url. The limitation is to avoid False positives.
file_get_contents('https://example.com'); // Sensitive
fopen('http://example.com', 'r'); // Sensitive
readfile('http://example.com'); // Sensitive
copy('http://example.com', 'test.txt'); // Sensitive
file('http://example.com'); // Sensitive
// Some of these function also accept a context. When this context is an 'http' context. See above.
file_get_contents('http://example.com', false, $context); // Sensitive
fopen('http://example.com', 'r', false, $context); // Sensitive
file('http://example.com', 0, $context); // Sensitive
readfile('http://example.com', False, $context); // Sensitive
get_headers('http://example.com'); // Sensitive
get_meta_tags('http://example.com'); // Sensitive, when used with a hard coded http or https url. The limitation is to avoid False positives.
}
----
Curl functions
----
$url = 'http://example.com';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
//Execute the request.
$data = curl_exec($ch); // Sensitive
curl_close($ch);
----
Guzzle
----
new GuzzleHttp\Client(); // Sensitive
----
PECL HTTP
----
new http\Client\Request('GET', 'http://example.com'); // Sensitive
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 15 Jan 2019, 15:56:45 Nicolas Harraudeau wrote:
Current limitation of the implementation: It marks every call to ``++curl_exec()++`` as an HTTP request even when another protocol is used (ex: FTP, Gopher, Telnet ...). This is acceptable for now as:
* HTTP is the most common case by far.
* Even if the hotspot uses another protocol, a review is still needed.
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink