SonarPHP / SONARPHP-823

Rule S2255: update implementation to include Cookie reading

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.16
    • Component/s: None
    • Labels:

      Description

      RSPEC-2255 has been updated. The current implementation of the rule only raises issues on code writing cookies sent to the client. It should now also raise an issue on code reading cookies sent by the client.

      The resulting "Questionable Code Example" should be:

      $value = "1234 1234 1234 1234";
      
      // Review this cookie as it seems to send sensitive information (credit card number).
      setcookie("CreditCardNumber", $value, $expire, $path, $domain, true, true); // Questionable
      setrawcookie("CreditCardNumber", $value, $expire, $path, $domain, true, true); // Questionable
      
      $_COOKIE["name"]; // Questionable
      $HTTP_COOKIE_VARS["name"]; // Questionable
      
      // Unsetting a cookie or testing whether it exists is fine
      unset($_COOKIE["cookie"]); // Compliant
      unset($HTTP_COOKIE_VARS["cookie"]); // Compliant
      isset($_COOKIE["cookie"]); // Compliant
      isset($HTTP_COOKIE_VARS["cookie"]); // Compliant
      

      Note that the message has also been changed.
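      To make the intended behaviour concrete, the following is an added, illustrative approximation of the updated rule logic in Python. It is not SonarPHP's own implementation (which works on a PHP syntax tree, not on text): it scans each line, flags every setcookie()/setrawcookie() call as a cookie write, and flags every $_COOKIE / $HTTP_COOKIE_VARS access as a cookie read unless the innermost enclosing call is isset() or unset(). The regexes, function names and the sample PHP source are constructed for this example; the sample extends the ticket's snippet with two extra cases (an isset() guard followed by a real read on the same line, and a read wrapped in trim() inside no exempt call) to show that the exemption applies only to the direct argument of isset()/unset().

```python
"""Illustrative, line-based approximation of the updated S2255 check.

Added example, not SonarPHP code. Limitations (by design, to stay short):
it works per line, so multi-line calls are not balanced, and parentheses
inside string literals are not skipped.
"""
import re
from typing import List, Optional, Tuple

# Cookie writes sent to the client.
COOKIE_WRITE = re.compile(r"\b(setcookie|setrawcookie)\s*\(")
# Cookie reads of values sent by the client.
COOKIE_READ = re.compile(r"\$(?:_COOKIE|HTTP_COOKIE_VARS)\b")
# Identifier immediately before an opening parenthesis, e.g. "isset" in "isset(".
IDENT_BEFORE_PAREN = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*$")
# Calls that only remove or test a cookie and never use its value.
EXEMPT_CALLS = {"isset", "unset"}


def enclosing_call(src: str, pos: int) -> Optional[str]:
    """Name (lower-cased) of the innermost call whose parentheses enclose pos, or None."""
    depth = 0
    i = pos - 1
    while i >= 0:
        ch = src[i]
        if ch == ")":
            depth += 1
        elif ch == "(":
            if depth == 0:
                # Found the unmatched "(": the identifier before it is the callee.
                m = IDENT_BEFORE_PAREN.search(src, 0, i)
                return m.group(1).lower() if m else None
            depth -= 1
        i -= 1
    return None


def check_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, name) pairs for every questionable cookie use on one line."""
    issues: List[Tuple[str, str]] = []
    for m in COOKIE_WRITE.finditer(line):
        issues.append(("write", m.group(1)))
    for m in COOKIE_READ.finditer(line):
        if enclosing_call(line, m.start()) in EXEMPT_CALLS:
            continue  # unset($_COOKIE[...]) / isset($_COOKIE[...]) are compliant
        issues.append(("read", m.group(0)))
    return issues


def check_source(src: str) -> List[Tuple[int, str, str]]:
    """Run check_line over a PHP source; return (line_number, kind, name) triples."""
    return [
        (n, kind, name)
        for n, line in enumerate(src.splitlines(), start=1)
        for kind, name in check_line(line)
    ]


# Constructed sample: the ticket's snippet plus two extra lines (11 and 12).
SAMPLE_PHP = """<?php
$value = "1234 1234 1234 1234";
setcookie("CreditCardNumber", $value, $expire, $path, $domain, true, true);
setrawcookie("CreditCardNumber", $value, $expire, $path, $domain, true, true);
$_COOKIE["name"];
$HTTP_COOKIE_VARS["name"];
unset($_COOKIE["cookie"]);
unset($HTTP_COOKIE_VARS["cookie"]);
isset($_COOKIE["cookie"]);
isset($HTTP_COOKIE_VARS["cookie"]);
if (isset($_COOKIE["lang"]) && $_COOKIE["lang"] === "fr") { }
$n = trim($_COOKIE["name"]);
"""

if __name__ == "__main__":
    for line_no, kind, name in check_source(SAMPLE_PHP):
        print(f"line {line_no}: questionable cookie {kind} via {name}")
```

      Lines 3 to 6 of the sample reproduce the four Questionable cases from the ticket and lines 7 to 10 the four Compliant ones. Line 11 is reported exactly once, for the second access: the isset() guard is exempt, but the comparison that follows reads the value and must still be reviewed. Line 12 is reported because the innermost enclosing call is trim(), not isset().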

              People

              • Assignee: Christophe Zurn (christophe.zurn)
              • Reporter: Nicolas Harraudeau (nicolas.harraudeau)
