Using sockets is security-sensitive. It has led in the past to the following vulnerabilities:
Sockets are vulnerable in multiple ways:
This rule flags code that creates sockets. It matches only the direct use of sockets, not use through frameworks or high-level APIs such as HTTP connections.
There is a risk if you answered yes to any of those questions.
function handle_sockets($domain, $type, $protocol, $port, $backlog, $addr, $hostname, $local_socket, $remote_socket, $fd) {
    socket_create($domain, $type, $protocol); // Sensitive
    socket_create_listen($port, $backlog); // Sensitive
    socket_addrinfo_bind($addr); // Sensitive
    socket_addrinfo_connect($addr); // Sensitive
    socket_create_pair($domain, $type, $protocol, $fd); // not marked Sensitive: creates a connected local pair, not a network socket

    fsockopen($hostname); // Sensitive
    pfsockopen($hostname); // Sensitive
    stream_socket_server($local_socket); // Sensitive
    stream_socket_client($remote_socket); // Sensitive
    stream_socket_pair($domain, $type, $protocol); // Sensitive
}
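As an added illustration, not code from this rule page or from the analyzer itself, the following PHP script reports direct calls to the functions marked Sensitive above, while ignoring names that appear in strings or comments and calls made through an object or class (the "direct use only" distinction the rule makes). The function name `find_sensitive_socket_calls` and the sample input are constructed for this example.

```php
<?php
// Added example, not the analyzer's own code: list direct calls to the socket
// functions the rule marks "Sensitive". Tokenizing (rather than grepping) skips
// names in strings/comments and ignores $obj->fsockopen() or Foo::fsockopen().
const SENSITIVE_SOCKET_FUNCTIONS = [
    'socket_create', 'socket_create_listen', 'socket_addrinfo_bind',
    'socket_addrinfo_connect', 'fsockopen', 'pfsockopen',
    'stream_socket_server', 'stream_socket_client', 'stream_socket_pair',
];

// Returns [[line, function_name], ...] for each direct call found in $source.
function find_sensitive_socket_calls(string $source): array
{
    $tokens = token_get_all($source);
    $count  = count($tokens);
    $hits   = [];
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || $tok[0] !== T_STRING) continue;
        $name = strtolower($tok[1]);
        if (!in_array($name, SENSITIVE_SOCKET_FUNCTIONS, true)) continue;
        // It is a call only if the next non-whitespace token is "(".
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) $j++;
        if ($j >= $count || $tokens[$j] !== '(') continue;
        // Skip method calls, static calls and function definitions.
        $k = $i - 1;
        while ($k >= 0 && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) $k--;
        if ($k >= 0 && is_array($tokens[$k])
            && in_array($tokens[$k][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) continue;
        $hits[] = [$tok[2], $name];
    }
    return $hits;
}

// Constructed sample input: only line 2 is a direct (flagged) use.
$sample = <<<'PHP'
<?php
$fp = fsockopen($hostname, 80);
$client->fsockopen($hostname);
$label = "fsockopen";
PHP;
foreach (find_sensitive_socket_calls($sample) as [$line, $fn]) {
    echo "line $line: direct use of $fn()\n";
}
```

Fully qualified calls such as `\fsockopen(...)` tokenize differently across PHP versions and are not handled here.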
This rule is deprecated, and will eventually be removed.