Update rule metadata (#1160)

SonarSource · Nov 14, 2023 · 7c1b6f5 · 7c1b6f5
1 parent 9ac26e5
commit 7c1b6f5
Show file tree

Hide file tree

Showing 8 changed files with 46 additions and 32 deletions.
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S112.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S112.html
@@ -15,7 +15,7 @@ <h2>How to fix it</h2>
 <ul>
   <li> Throw a subtype of <code>Exception</code> that already exists in the Standard PHP Library. For instance <code>InvalidArgumentException</code>
   could be raised when an unexpected argument is provided to a function. </li>
-  <li> Define a custom exception type that derives from <code>Exception`</code> or one of its subclasses. </li>
+  <li> Define a custom exception type that derives from <code>Exception</code> or one of its subclasses. </li>
 </ul>
 <h3>Code examples</h3>
 <h4>Noncompliant code example</h4>

diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S113.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S113.html
@@ -1,5 +1,5 @@
 <h2>Why is this an issue?</h2>
-<p>Some tools work better when files end with an empty line.</p>
+<p>Some tools work better when files end with a newline.</p>
 <p>This rule simply generates an issue if it is missing.</p>
 <p>For example, a Git diff looks like this if the empty line is missing at the end of the file:</p>
 <pre>

diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S113.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S113.json
@@ -1,5 +1,5 @@
 {
-  "title": "Files should contain an empty newline at the end",
+  "title": "Files should end with a newline",
   "type": "CODE_SMELL",
   "code": {
     "impacts": {

diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1603.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1603.html
@@ -1,7 +1,7 @@
 <h2>Why is this an issue?</h2>
 <p>Using a function in PHP with the same name as the nesting class was historically used to declare a class constructor. However, as of PHP 8.0.0,
 this declaration is discouraged and will provoke an <code>E_DEPRECATED</code> error, albeit it functions as a constructor.</p>
-<p>Instead, users should explicitly define the constructor by declaring a <code>__construct(…)</code> function. However, if both styles are present
+<p>Instead, users should explicitly define the constructor by declaring a <code>__construct(...)</code> function. However, if both styles are present
 in the same class, PHP will treat the <code>__construct</code> function as the class constructor, which can cause unintended behavior.</p>
 <p>Adhering to this convention improves readability and maintainability by ensuring that the constructor declaration is named uniformly throughout the
 codebase.</p>

diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3333.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3333.html
@@ -1,33 +1,48 @@
+<p>When accessing files on the local filesystem, PHP can enforce security checks to defend against some attacks. The <code>open_basedir</code> setting
+in the main PHP configuration defines a set of directories that the application is allowed to access. Access to locations outside of these directories
+will be blocked.</p>
 <h2>Why is this an issue?</h2>
-<p>The <code>open_basedir</code> configuration in <em>php.ini</em> limits the files the script can access using, for example, <code>include</code> and
-<code>fopen()</code>. Leave it out, and there is no default limit, meaning that any file can be accessed. Include it, and PHP will refuse to access
-files outside the allowed path.</p>
-<p><code>open_basedir</code> should be configured with a directory, which will then be accessible recursively. However, the use of <code>.</code>
-(current directory) as an <code>open_basedir</code> value should be avoided since it’s resolved dynamically during script execution, so a
-<code>chdir('/')</code> command could lay the whole server open to the script.</p>
-<p>This is not a fool-proof configuration; it can be reset or overridden at the script level. But its use should be seen as a minimum due diligence
-step. This rule raises an issue when <code>open_basedir</code> is not present in <em>php.ini</em>, and when <code>open_basedir</code> contains root,
-or the current directory (<code>.</code>) symbol.</p>
-<h3>Noncompliant code example</h3>
-<pre>
-; php.ini try 1
-; open_basedir="${USER}/scripts/data"  Noncompliant; commented out
-
-; php.ini try 2
+<p>The PHP runtime will allow the application to access all files underneath the configured set of directories. If no value is set, the application
+may access any file on the filesystem.</p>
+<h3>What is the potential impact?</h3>
+<p><code>open_basedir</code> is commonly used to ensure that a PHP application can only access files needed for the application function. While
+deactivating this setting does not pose a direct threat to the application’s security, it can make exploitation of other vulnerabilities easier and
+more severe.</p>
+<p>If an attacker can exploit a path traversal vulnerability, they will be able to access any file made available to the application’s user account.
+This may include system-critical or otherwise sensitive files.</p>
+<p>In shared hosting environments, a vulnerability can affect all co-hosted applications and not only the vulnerable one. <code>open_basedir</code>
+can help limit the scope of the compromise in that case.</p>
+<h2>How to fix it</h2>
+<p>The main PHP configuration should define the <code>open_basedir</code> setting. This setting should not include overly large directories, such as
+the root directory of the filesystem.</p>
+<p>Adding the current directory, denoted by “.”, to the <code>open_basedir</code> configuration is also dangerous. It is possible to change the
+current directory within PHP scripts by calling <code>chdir()</code>, effectively removing any protection.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+; php.ini
 open_basedir="/:${USER}/scripts/data"  ; Noncompliant; root directory in the list
 </pre>
-<h3>Compliant solution</h3>
-<pre>
-; php.ini try 1
+<pre data-diff-id="2" data-diff-type="noncompliant">
+; php.ini
+; open_basedir= ; Noncompliant; setting commented out
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+; php.ini
 open_basedir="${USER}/scripts/data"
 </pre>
+<pre data-diff-id="2" data-diff-type="compliant">
+; php.ini try 1
+open_basedir="/var/www/myapp/data"
+</pre>
 <h2>Resources</h2>
+<h3>Standards</h3>
 <ul>
-  <li> <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">OWASP Top 10 2021 Category A1</a> - Broken Access Control </li>
-  <li> <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">OWASP Top 10 2021 Category A5</a> - Security Misconfiguration </li>
-  <li> <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
-  Misconfiguration </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/23">MITRE, CWE-23</a> - Relative Path Traversal </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/36">MITRE, CWE-36</a> - Absolute Path Traversal </li>
+  <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
+  Misconfiguration</a> </li>
+  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/23">CWE-23 - Relative Path Traversal</a> </li>
+  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/36">CWE-36 - Absolute Path Traversal</a> </li>
 </ul>
 
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3333.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3333.json
@@ -29,7 +29,6 @@
       "A6"
     ],
     "OWASP Top 10 2021": [
-      "A1",
       "A5"
     ],
     "PCI DSS 3.2": [

diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3415.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3415.html
@@ -1,6 +1,6 @@
 <h2>Why is this an issue?</h2>
-<p>The standard PHPUnit assertion methods such as <code><em>assertEquals</em></code>, expect the first argument to be the expected value and the
-second argument to be the actual value.</p>
+<p>The standard PHPUnit assertion methods such as <code>__assertEquals__</code>, expect the first argument to be the expected value and the second
+argument to be the actual value.</p>
 <h3>What is the potential impact?</h3>
 <p>Having the expected value and the actual value in the wrong order will not alter the outcome of tests, (succeed/fail when it should) but the error
 messages will contain misleading information.</p>

diff --git a/sonarpedia.json b/sonarpedia.json
@@ -3,7 +3,7 @@
   "languages": [
     "PHP"
   ],
-  "latest-update": "2023-10-25T13:45:51.374777800Z",
+  "latest-update": "2023-11-14T14:50:12.166348Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true
-Original file line number
+Diff line change
@@ Expand Up / @@ -29,7 +29,6 @@ @@
           "A6"
         ],
         "OWASP Top 10 2021": [
-          "A1",
           "A5"
         ],
         "PCI DSS 3.2": [
@@ Expand Down @@