Sending HTTP requests is security-sensitive. It has led in the past to the following vulnerabilities:

An HTTP request can be exposed to several different kinds of vulnerabilities:

This rule flags code that initiates an HTTP request. The goal is to guide security code reviews.

Ask Yourself Whether

You are at risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

Questionable Code Example

Builtin functions

function sendHttpRequest($url) {
    // The following are questionable when used with a hard-coded http or https URL.
    // The rule only reports literal URLs in order to avoid false positives.
    file_get_contents('https://example.com'); // Questionable
    fopen('http://example.com', 'r');  // Questionable
    readfile('http://example.com'); // Questionable
    copy('http://example.com', 'test.txt'); // Questionable
    file('http://example.com'); // Questionable

    // Some of these functions also accept a stream context. When it is an 'http' context,
    // the same limitation as above applies.
    $context = stream_context_create(['http' => ['method' => 'GET']]);
    file_get_contents('http://example.com', false, $context); // Questionable
    fopen('http://example.com', 'r', false, $context); // Questionable
    file('http://example.com', 0, $context); // Questionable
    readfile('http://example.com', false, $context); // Questionable

    get_headers('http://example.com'); // Questionable
    get_meta_tags('http://example.com'); // Questionable, when used with a hard-coded http or https URL (same limitation as above).
}

Curl functions

$url = 'http://example.com';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// Execute the request.
$data = curl_exec($ch); // Questionable
curl_close($ch);
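The rule flags the request so that a reviewer can check how it is made. As an added example (not part of the rule description and not SonarSource's code), the block below shows what a reviewer would typically want to see on the curl and stream-wrapper calls listed above: the destination validated against an allowlist before any request is sent, TLS verification left on, redirects not followed automatically, and timeouts bounded. The function names (validateOutboundUrl, fetchFromAllowedHost, streamContextForHttps), the ALLOWED_HOSTS list and the sample URLs are assumptions constructed for the example.

```php
<?php
// Added example, not from the rule page. Names below are hypothetical and
// the allowlist is a constructed sample for a fictitious application.

const ALLOWED_HOSTS = ['api.example.com', 'static.example.com'];

/**
 * Accept only absolute https URLs whose host is on the allowlist and that carry
 * no embedded credentials. Rejecting early keeps caller-supplied input from
 * steering the request to an unexpected host. Returns the URL or null.
 */
function validateOutboundUrl(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;                         // not a well-formed absolute URL
    }
    $parts = parse_url($url);
    if (($parts['scheme'] ?? '') !== 'https') {
        return null;                         // plain http or other schemes rejected
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                         // no user:pass@ in the URL
    }
    $host = strtolower($parts['host'] ?? '');
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;                         // host not on the allowlist
    }
    return $url;
}

/**
 * Same kind of request as the curl sample above, with the options a reviewer
 * would ask for: peer and hostname verification on, https only (also for any
 * redirect), no automatic redirect following, bounded connect and total time.
 */
function fetchFromAllowedHost(string $url): ?string
{
    $safeUrl = validateOutboundUrl($url);
    if ($safeUrl === null) {
        return null;
    }
    $ch = curl_init($safeUrl);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => false,    // inspect a Location header yourself
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        error_log("outbound request failed: status=$status error=$error");
        return null;
    }
    return $body;
}

/**
 * The stream-wrapper functions (file_get_contents, fopen, file, readfile) take
 * the equivalent precautions through a stream context: no automatic redirects,
 * a timeout, and certificate verification that is not switched off.
 */
function streamContextForHttps()
{
    return stream_context_create([
        'http' => ['timeout' => 10, 'follow_location' => 0, 'ignore_errors' => false],
        'ssl'  => ['verify_peer' => true, 'verify_peer_name' => true, 'allow_self_signed' => false],
    ]);
}

// Usage with constructed inputs: only the first URL passes validation.
foreach ([
    'https://api.example.com/v1/items',
    'http://api.example.com/v1/items',
    'https://user:pw@api.example.com/',
    'https://internal.example.net/admin',
] as $candidate) {
    printf("%-40s %s\n", $candidate, validateOutboundUrl($candidate) === null ? 'rejected' : 'allowed');
}

$context = streamContextForHttps();
$allowed = validateOutboundUrl('https://api.example.com/v1/items');
if ($allowed !== null) {
    $page = @file_get_contents($allowed, false, $context); // may be false offline
}
```

The allowlist check is the part the rule is really asking a reviewer to look for: once the set of reachable hosts is fixed in code, a request built from user input cannot be redirected to an internal service, and the remaining options only limit what a compromised or misconfigured remote host can do to the client.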

Guzzle

new GuzzleHttp\Client(); // Questionable

PECL HTTP

new http\Client\Request('GET', 'http://example.com'); // Questionable

See