Download the PHP package laramint/laravel-security-scanner without Composer

On this page you can find all versions of the php package laramint/laravel-security-scanner. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.


Information about the package laravel-security-scanner

Laravel-aware security rules for laramint/php-security-scanner


laravel-security-scanner

Laravel-aware security rules for laramint/php-security-scanner. Installs as an Extension and adds Laravel-specific detections on top of the base ruleset.

Install

The scanner auto-discovers the extension via composer/installed.json. To force-load it, pass --extension=LaraMint\\LaravelSecurityScanner\\LaravelExtension on the CLI.

Rules added

| ID | Default severity | Detects |
|---|---|---|
| laravel.debug-code | medium | dd/ddd/dump/ray/var_dump/print_r calls left in code |
| laravel.sql-injection | critical | Tainted input in whereRaw, orderByRaw, selectRaw, DB::raw, DB::statement, unprepared |
| laravel.mass-assignment | high | Model::create($request->all()) / ->fill($request->input()) / ->update(request()->all()) |
| laravel.unsafe-validator | high | Validator::make() / $request->validate() called with tainted or non-literal rules |
| laravel.cookie-insecure | medium | Cookie::queue(...) with secure=false, httpOnly=false, or sameSite=none |
| laravel.csrf-bypass | high | VerifyCsrfToken::$except wildcard route or ->withoutMiddleware('csrf') |
| laravel.env-leak | medium | echo env(...) / return env(...) — leaks secrets, breaks under config:cache |
| laravel.blade-raw-echo | medium | {!! $expr !!} raw output in Blade — bypasses auto-escaping |
| laravel.open-redirect | high | redirect()->to()/away() or Redirect::to() with tainted URL |
| laravel.ssrf.http-client | high | Http::get/post/put/sink/baseUrl(...) with tainted URL |
| laravel.unsafe-storage-path | high | Storage::get/put/download/disk(...) / File::get/put / response()->download with tainted path |
| laravel.file-upload-validation | high | Validator rule file/image without mimes: / mimetypes: / max: constraints |
| laravel.unsafe-auth | critical | Auth::loginUsingId($tainted) / onceUsingId($tainted) — authentication bypass |
| laravel.unsafe-crypt | high | Crypt::decrypt() / decryptString() / decrypt() on tainted ciphertext |
| laravel.artisan-call | critical | Artisan::call($tainted) / queue($tainted) — attacker picks the command |
| laravel.process-shell | critical | Process::run($tainted) / start($tainted) (Laravel 10+ Process facade) |
| laravel.config-injection | high | config([$k => $v]) / Config::set() / config()->set() with tainted key or value |
| laravel.tainted-view-name | high | view($tainted) / Route::view(_, $tainted) / View::make($tainted) |
| laravel.session-fixation | high | Session::setId($tainted) / session()->setId($tainted) |
| laravel.mail-tainted-header | medium | Mail::to/cc/bcc/subject($tainted) — recipient / header injection |

The base php-security-scanner rules (eval, SQLi, XSS, path traversal, deserialize, SSRF, CORS, mcrypt, MD5-as-password, openssl-CBC-static-IV, hardcoded secrets, …) all continue to apply when this extension is installed.

Extra taint awareness

LaravelExtension::register() also teaches the taint engine about Laravel:

Writing your own rule

Implement LaraMint\PhpSecurityScanner\Rules\Rule (or extend AbstractRule) and register it in your own Extension::register(). See src/Rules/ for examples.
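The rules in the table above and the custom rules described here are AST-level checks. As an added illustration (not the scanner's own code, and deliberately not using its Rule/AbstractRule interface, whose method signatures this page does not show), here is a standalone nikic/php-parser v5 visitor that flags the laravel.mass-assignment and laravel.sql-injection shapes over a constructed source snippet. It assumes nikic/php-parser is installed through Composer, as the page lists it as a dependency of this package.

```php
<?php
// Added standalone illustration (not the scanner's own code): a nikic/php-parser v5 visitor
// flagging two patterns from the rules table. It does not use the scanner's Rule interface.
require_once __DIR__ . '/vendor/autoload.php';
use PhpParser\{Node, NodeTraverser, NodeVisitorAbstract, ParserFactory};

final class LaravelPatternVisitor extends NodeVisitorAbstract
{
    public array $findings = [];   // "line N: rule-id" strings
    public function enterNode(Node $node)
    {
        if (!($node instanceof Node\Expr\StaticCall || $node instanceof Node\Expr\MethodCall)
            || !$node->name instanceof Node\Identifier
            || !isset($node->args[0]) || !$node->args[0] instanceof Node\Arg) {
            return null; // only calls with a literal method name and at least one argument
        }
        $method = $node->name->toString();
        $arg = $node->args[0]->value;
        // Model::create($request->all()) / ->fill($request->input()): the whole request
        // payload reaches the model, so every column becomes client-controlled.
        if (in_array($method, ['create', 'update', 'fill'], true)
            && $arg instanceof Node\Expr\MethodCall && $arg->name instanceof Node\Identifier
            && in_array($arg->name->toString(), ['all', 'input'], true)) {
            $this->findings[] = sprintf('line %d: laravel.mass-assignment', $node->getStartLine());
        }
        // ->whereRaw/orderByRaw/selectRaw(...) whose SQL fragment is not a string literal.
        if (in_array($method, ['whereRaw', 'orderByRaw', 'selectRaw'], true)
            && !$arg instanceof Node\Scalar\String_) {
            $this->findings[] = sprintf('line %d: laravel.sql-injection', $node->getStartLine());
        }
        return null;
    }
}

function scanLaravelSource(string $code): array
{
    $ast = (new ParserFactory())->createForNewestSupportedVersion()->parse($code);
    $traverser = new NodeTraverser();
    $traverser->addVisitor($visitor = new LaravelPatternVisitor());
    $traverser->traverse($ast);
    return $visitor->findings;
}

// Constructed sample: one mass-assignment, one concatenated whereRaw, one literal whereRaw.
$sample = <<<'PHP'
<?php
User::create($request->all());
$q->whereRaw("name = '" . $request->input('n') . "'");
$q->whereRaw('deleted_at IS NULL');
PHP;
print_r(scanLaravelSource($sample));
```

The literal-vs-non-literal check is a coarse stand-in for the real taint tracking; the package's own rules only fire when the argument is actually tainted, not merely non-literal.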

Development

License

MIT.


All versions of laravel-security-scanner with dependencies

Requires:
  • php ^8.1
  • laramint/php-security-scanner ^0.1
  • nikic/php-parser ^5.0