
Rule S5332: Using clear-text protocols is security-sensitive


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.15
    • Component/s: Rules
    • Labels: None

      Description

      URL scheme in string literal

      Highlight literal strings that start with:

      • http://
      • ftp://
      • telnet://

      Matching is case insensitive.
      Exception: the literal is not reported when the URL's domain component is a loopback address.

      Sensitive Code Example

      <?php
      
      $url = "http://"; // Sensitive
      $url = "http://exemple.com"; // Sensitive
      $url = "http://0001::1"; // Sensitive
      $url = "http://dead:beef::1"; // Sensitive
      $url = "http://::dead:beef:1"; // Sensitive
      $url = "http://192.168.0.1"; // Sensitive
      $url = "http://10.1.1.123"; // Sensitive
      $url = "http://subdomain.exemple.com"; // Sensitive
      
      $url = "ftp://"; // Sensitive
      $url = "ftp://anonymous@exemple.com"; // Sensitive
      $url = "telnet://"; // Sensitive
      $url = "telnet://anonymous@exemple.com"; // Sensitive
      
      function test(string $xxx = 'http://test.com') { // Sensitive
          echo $xxx;
      }
      

      Compliant Solution

      <?php
      
      // Non-sensitive URL scheme
      $url = "https://"; // Compliant
      $url = "sftp://"; // Compliant
      $url = "ftps://"; // Compliant
      $url = "scp://"; // Compliant
      $url = "ssh://"; // Compliant
      
      // Only report strings starting with the sensitive URL scheme
      $doc = "See http://exemple.com"; // Compliant
      $doc = "See ftp://exemple.com"; // Compliant
      $doc = "See telnet://exemple.com"; // Compliant
      
      // The URL domain component is a loopback address
      $url = "http://localhost"; // Compliant
      $url = "http://127.0.0.1"; // Compliant
      $url = "http://::1"; // Compliant
      $url = "ftp://user@localhost"; // Compliant
      

      FTP

      Report any call to the ftp_connect function.

      Sensitive Code Example

      <?php
      
      ftp_connect('xxx'); // Sensitive
      ftp_connect('xxx', 1234); // Sensitive
      

      Compliant Solution

      <?php
      
      ftp_ssl_connect('xxx'); // Compliant
      ftp_ssl_connect('xxx', 1234); // Compliant
      

      Swift Mailer

      Encryption has to be enabled through setEncryption() (possible values ssl and tls, case insensitive) or through the URL scheme of the host. Localhost also does not require encryption.

      Sensitive Code Example

      <?php
      
      $transport1 = (new Swift_SmtpTransport('XXX', 1234))
        ->setEncryption(null) // Sensitive - everything that is true on "empty()"
      ;
      
      $transport2 = (new Swift_SmtpTransport('XXX', 1234))
        ->setEncryption('tcp') // Sensitive
      ;
      
      $transport3 = (new Swift_SmtpTransport('XXX', 1234)); // Sensitive - no encryption specified
      

      Compliant Solution

      <?php
      
      $transport1 = (new Swift_SmtpTransport('smtp.example.org', 1234))
        ->setEncryption('tls') // Compliant
      ;
      
      $transport1 = (new Swift_SmtpTransport('smtp.example.org', 1234))
        ->setEncryption('ssl') // Compliant
      ;
      
      $transport3 = (new Swift_SmtpTransport('localhost', 1234)); // Compliant
      
      $transport = (new Swift_SmtpTransport('XXX', 1234))
        ->setEncryption(null) // and everything that is true on "empty()"
      ;
      
      $transport = (new Swift_SmtpTransport('XXX', 1234))
        ->setEncryption('tcp')
      ;
      

      PHPMailer

      Encryption has to be enabled through SMTPSecure (possible values ssl and tls, case insensitive) or through the URL scheme of the host. Localhost also does not require encryption.

      Sensitive Code Example

      <?php
      
      use PHPMailer\PHPMailer\PHPMailer;
      
      $mail1 = new PHPMailer(true);
      $mail1->Host = 'test.com';
      $mail1->SMTPSecure = ''; // Sensitive - anything other than 'tls' and 'ssl' seems to disable encryption
      
      $mail2 = new PHPMailer(true); // Sensitive - SMTPSecure is not set
      $mail2->Host = 'test.com';
      

      Compliant Solution

      <?php
      
      use PHPMailer\PHPMailer\PHPMailer;
      
      $mail1 = new PHPMailer(true);
      $mail1->Host = 'ssl://test.com'; // Compliant
      
      $mail2 = new PHPMailer(true);
      $mail2->Host = 'tls://test.com'; // Compliant
      
      $mail3 = new PHPMailer(true);
      $mail3->Host = 'tls://test.com'; // Compliant
      $mail3->SMTPSecure = '';
      
      $mail4 = new PHPMailer(true);
      $mail4->Host = 'test.com';
      $mail4->SMTPSecure = 'tls'; // Compliant
      
      $mail5 = new PHPMailer(true);
      $mail5->Host = 'test.com';
      $mail5->SMTPSecure = 'ssl'; // Compliant
      
      $mail6 = new PHPMailer(true);
      $mail6->Host = '127.0.0.1'; // Compliant
      $mail6->SMTPSecure = '';
      

      Laravel 7 + 8

      A wrapper around Swift Mailer. Encryption has to be enabled through the 'encryption' option (possible values ssl and tls, case insensitive) or through the URL scheme of the host. Localhost also does not require encryption.

      Sensitive Code Example

      <?php
      
      return [
          'mailers' => [
              'smtp_sens1' => [
                  'transport' => 'smtp',
                  'host' => 'xxx',
                  'encryption' => null, // Sensitive
              ],
      
              'smtp_sens2' => [ // Sensitive - hard coded URL and no 'encryption'
                  'transport' => 'smtp',
                  'host' => 'xxx'
              ]
          ]
      ];
      

      Compliant Solution

      <?php
      
      return [
          'mailers' => [
              'smtp_comp1' => [
                  'transport' => 'smtp',
                  'host' => 'xxx',
                  'encryption' => env('MAIL_ENC') // Compliant
              ],
      
              'smtp_comp2' => [
                  'transport' => 'smtp',
                  'host' => 'xxx',
                  'encryption' => 'tls' // Compliant
              ],
      
              'smtp_comp3' => [
                  'transport' => 'smtp',
                  'host' => env('MAIL_HOST') // Compliant - host might start with tls:// or ssl://
              ],
      
              'smtp_comp4' => [
                  'transport' => 'smtp',
                  'host' => 'tls://xxx' // Compliant
              ],
      
              'smtp_comp5' => [
                  'transport' => 'smtp',
                  'host' => '127.0.0.1' // Compliant - localhost
              ],
          ]
      ];
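
      As an added example (not part of this ticket or of the SonarPHP implementation), the matching described above for string literals, together with the host/encryption check shared by the Swift Mailer, PHPMailer and Laravel sections, written out in Python. The UNKNOWN sentinel is an assumption used to stand for a non-literal value such as env('MAIL_HOST'), which the ticket treats as compliant.

```python
import ipaddress

# Clear-text schemes the rule flags in string literals (case insensitive).
CLEARTEXT_SCHEMES = ("http://", "ftp://", "telnet://")
UNKNOWN = object()  # assumed marker for a non-literal value (e.g. env()): not reported

def host_of(url: str) -> str:
    """Host component of a URL or bare host: drop scheme, path, userinfo, port.
    Bare IPv6 hosts without brackets, as in the ticket's examples ("http://::1"),
    are accepted: more than one ':' left after stripping userinfo means the
    whole remainder is the address rather than host:port."""
    _, sep, rest = url.partition("://")
    authority = (rest if sep else url).split("/", 1)[0].rsplit("@", 1)[-1]
    if authority.startswith("["):
        end = authority.find("]")
        return authority[1:end] if end > 0 else authority[1:]
    if authority.count(":") > 1:
        return authority
    return authority.split(":", 1)[0]

def is_loopback_host(host: str) -> bool:
    """The rule's exception: localhost, 127.0.0.0/8 and ::1 need no encryption."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # hostname or empty host ("http://")
        return False

def is_sensitive_url_literal(literal: str) -> bool:
    """Literal starts with a clear-text scheme and its host is not loopback."""
    if not literal.lower().startswith(CLEARTEXT_SCHEMES):
        return False  # https://, sftp://, ... or scheme not at the start ("See http://...")
    return not is_loopback_host(host_of(literal))

def is_sensitive_mail_transport(host, encryption=None) -> bool:
    """Shared predicate for Swift Mailer setEncryption(), PHPMailer SMTPSecure
    and Laravel 'encryption'. None covers both an unset value and PHP null."""
    if host is UNKNOWN or encryption is UNKNOWN:
        return False  # cannot be decided statically, so not reported
    if isinstance(encryption, str) and encryption.lower() in ("ssl", "tls"):
        return False
    if host.lower().startswith(("ssl://", "tls://")):
        return False  # encryption enabled through the host's URL scheme
    return not is_loopback_host(host_of(host))
```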
      

      More code samples

      https://github.com/SonarSource/security-expected-issues/tree/master/php/rules/hotspots/RSPEC-5332

              People

              Assignee: Karim El Ouerghemmi (karim.ouerghemmi)
              Reporter: Hendrik Buchwald (hendrik.buchwald)