Rule Idea: UriSigner check result is used and not used as a void method #387
Try putting

Thx, will give it a try :) symfony/symfony#54297
The

```php
<?php
declare(strict_types=1);

namespace App\Tests\phpstan\rules;

use PhpParser\Node;
use PhpParser\Node\Expr\MethodCall;
use PhpParser\Node\Identifier;
use PhpParser\Node\Stmt\Expression;
use PHPStan\Analyser\Scope;
use PHPStan\Rules\Rule;
use PHPStan\Rules\RuleErrorBuilder;
use PHPStan\Type\ObjectType;
use Symfony\Component\HttpFoundation\UriSigner;

/**
 * Reports UriSigner::checkRequest() calls whose bool result is discarded.
 *
 * The rule is registered on statement-level Expression nodes rather than on
 * MethodCall: PHPStan 1.x no longer sets a 'parent' attribute on nodes, and an
 * Expression statement whose expression is the call itself is exactly the
 * "used like a void method" case.
 *
 * @implements Rule<Expression>
 */
class CheckRequestUsedRule implements Rule
{
    public function getNodeType(): string
    {
        return Expression::class;
    }

    public function processNode(Node $node, Scope $scope): array
    {
        $call = $node->expr;
        if (!$call instanceof MethodCall) {
            return [];
        }
        if (!$call->name instanceof Identifier || 'checkRequest' !== $call->name->toString()) {
            return [];
        }

        // Match UriSigner and any subclass of it, not only the exact class name.
        $calledOnType = $scope->getType($call->var);
        if (!(new ObjectType(UriSigner::class))->isSuperTypeOf($calledOnType)->yes()) {
            return [];
        }

        return [
            RuleErrorBuilder::message('The result of ' . UriSigner::class . '::checkRequest() must not be ignored.')
                ->identifier('symfony.uriSignerResultIgnored')
                ->build(),
        ];
    }
}
```
I stumbled today over an issue in my code base which I think would be interesting for every project. I have a controller which used the UriSigner to check for a correctly signed URI.
Actually the UriSigner itself does not throw any exception. So calling it without doing anything with the result basically is a security issue in some projects.
Valid cases would be:
Invalid would be calling it like a void method:
I'm not sure, maybe there already exists some kind of annotation we could add to the Symfony UriSigner so that the result needs to be handled and the method is not used like a void method.
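As an added example (not code from the issue author or from Symfony), the call shapes the issue describes, placed in a hypothetical controller; `UriSigner::checkRequest()` returns bool and never throws, so only the variants that consume the result enforce anything. The class name, action names and response bodies are assumptions.

```php
<?php
declare(strict_types=1);

namespace App\Controller;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\UriSigner;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

// Hypothetical controller; all names here are assumptions for this example.
final class DownloadController
{
    public function __construct(private UriSigner $uriSigner)
    {
    }

    // Invalid: checkRequest() is called like a void method. Its bool result is
    // discarded, and since it never throws, a tampered or unsigned URI still
    // reaches the response below.
    public function insecureDownload(Request $request): Response
    {
        $this->uriSigner->checkRequest($request);

        return new Response('file contents');
    }

    // Valid: the bool result decides whether the request may proceed.
    public function download(Request $request): Response
    {
        if (!$this->uriSigner->checkRequest($request)) {
            throw new AccessDeniedHttpException('Invalid or missing URI signature.');
        }

        return new Response('file contents');
    }

    // Also valid: the result is consumed as a value rather than dropped.
    public function isSigned(Request $request): bool
    {
        return $this->uriSigner->checkRequest($request);
    }
}
```

The PHPStan rule posted in this thread reports only the first shape, a bare `checkRequest()` statement whose value is never used.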