
Rule S2068: filter string literal that contains the wordlist item

    Details

    • Type: False-Positive
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.4
    • Component/s: Rules
    • Labels: None

      Description

      The implementation of this rule relies heavily on symbol names matching wordlist items to raise issues. The downside is that it raises many FPs when constants are used to avoid duplicated strings:

      $pwd = "pwd"; // Compliant
      $password = "password"; // Compliant
      $ampq_password = 'amqp-password'; // Compliant
      const CONFIG_PATH_QUEUE_AMQP_PASSWORD = 'queue/amqp/password'; // Compliant
      const IDENTITY_VERIFICATION_PASSWORD_FIELD = 'current_password'; // Compliant
      const DEFAULT_AMQP_PASSWORD = 'pwd'; // Noncompliant; the literal string doesn't contain the wordlist item matched on the variable name
      

      The new approach is to avoid raising an issue when the matched wordlist item is present in both the symbol name and the literal string value.
      This applies to all detection patterns that are based on matching a wordlist item to a variable name or field name.
      An exception is made when matching a wordlist item to query parameters, so the following use cases are still True Positives:

      $params = "user=admin&password=Password123"; // Sensitive
      $sqlserver = "pgsql:host=localhost port=5432 dbname=test user=postgres password=postgres"; // Sensitive
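      A simplified checker implementing the heuristic described in this ticket, added here as an example (it is not SonarPHP's own Java implementation). It assumes a three-item default wordlist and handles only single-line string assignments; the query-parameter check is applied before the name/literal comparison, which is what keeps the two cases above as True Positives.

```python
import re

# Default wordlist assumed for S2068 in this example (constructed, not SonarPHP's exact list).
WORDLIST = ("password", "passwd", "pwd")

# One PHP variable or constant assignment whose right-hand side is a string literal.
ASSIGN_RE = re.compile(
    r"""^\s*(?:const\s+)?\$?(?P<name>[A-Za-z_]\w*)\s*=\s*(?P<q>['"])(?P<value>.*?)(?P=q)\s*;"""
)

def matched_word(symbol):
    """Return the first wordlist item contained in the symbol name (case-insensitive), or None."""
    lowered = symbol.lower()
    return next((w for w in WORDLIST if w in lowered), None)

def query_param_credential(value):
    """Return the wordlist item used as a query/connection-string parameter with a
    non-empty value (e.g. 'password=secret'), or None. Symbol names are ignored here."""
    for word in WORDLIST:
        if re.search(r"(?<![\w-])%s\s*=\s*[^\s&;]+" % re.escape(word), value, re.IGNORECASE):
            return word
    return None

def check_line(line):
    """Classify one PHP line as 'sensitive', 'compliant' or 'skip' (no string assignment)."""
    m = ASSIGN_RE.match(line)
    if not m:
        return "skip"
    name, value = m.group("name"), m.group("value")
    # Exception from the ticket: a credential passed as a query parameter is always
    # reported, so the name/literal comparison below is never applied to it.
    if query_param_credential(value):
        return "sensitive"
    word = matched_word(name)
    if word is None:
        return "skip"
    # New approach: the wordlist item matched on the symbol name also appears in the
    # literal, so the literal is taken to be a key/config name rather than a secret.
    if word in value.lower():
        return "compliant"
    return "sensitive"

if __name__ == "__main__":
    for line in ('$pwd = "pwd";', "const DEFAULT_AMQP_PASSWORD = 'pwd';",
                 '$params = "user=admin&password=Password123";'):
        print(check_line(line), line)
```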
      

              People

              Assignee:
              nils.werner Nils Werner
              Reporter:
              pierre-loup.tristant Pierre-Loup Tristant
              Votes: 0
              Watchers: 2
