Download the PHP package oro/phpstan-rules without Composer
On this page you can find all versions of the php package oro/phpstan-rules. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download oro/phpstan-rules
More information about oro/phpstan-rules
Files in oro/phpstan-rules
Package phpstan-rules
Short Description A set of additional PHPStan rules used in Oro products.
License MIT
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package phpstan-rules
Oro's rules for PHPStan
This package contains a set of additional rules for PHPStan - PHP Static Analysis Tool.
We use these rules at Oro, Inc. and ask anyone contributing code to Oro Products to follow them as well.
Rules
Unsafe DQL usage analysis
Why DQL and SQL queries should be checked
Using DQL does not protect against injection vulnerabilities. The following APIs are designed to be SAFE from SQL injections:
- For Doctrine\DBAL\Connection#insert($table, $values, $types), Doctrine\DBAL\Connection#update($table, $values, $where, $types) and Doctrine\DBAL\Connection#delete($table, $where, $types) only the array values of $values and $where. The table name and keys of $values and $where are NOT escaped.
- Doctrine\DBAL\Query\QueryBuilder#setFirstResult($offset)
- Doctrine\DBAL\Query\QueryBuilder#setMaxResults($limit)
- Doctrine\DBAL\Platforms\AbstractPlatform#modifyLimitQuery($sql, $limit, $offset) for the $limit and $offset parameters.
Consider ALL other APIs to be not safe for user-input:
- Query methods on the Connection
- The QueryBuilder API
- The Platforms and SchemaManager APIs to generate and execute DML/DDL SQL statements
-
Expressions constructed with the help of various Expression Builders
See full article at Doctrine Security
Static code analysis - Execution
As checking the whole codebase requires a lot of time, sql-injection search tool was added to simplify the process. The tool is based on PHPStan - PHP Static Analysis Tool and is implemented as additional Rule.
To check codebase for unsafe DQL and SQL usages perform the following actions:
- change directory to
<application_path>/tool/where<application_path>is path to application in the file system - install dependencies
composer install - run check with
./bin/phpstan analyze -c phpstan.neon <path_to_code> --autoload-file=<path_to_autoload.php>
To speedup analysis it's recommended to run it in parallel on per package basis. This may be achieved with the help of the parallel command:
Note that commerce-crm-ee application should have autoload.php generated.
The results of the analysis should be available within a minute. Each result should be checked carefully. Unsafe variables should be sanitized or escaped as a precaution.
HOW TO fix found warnings
Unsafe variables are any methods that may depend on external data. Even cached data may be unsafe if an attacker manages to access the cache storage. Any variable that comes from the outside, or contains a value returned by an unsafe function, is also unsafe and should be passed into queries with caution.
You can make a variable safe in a number of ways:
ORM
ORM based queries may contain vulnerable inputs. To keep them clean, follow the next rules:
- Parameter identifier MUST be a named placeholder. Passing data directly as the right operand is prohibited.
The only possible exception is numbers,
\DateTimeand booleans. - All identifiers MUST BE [a-zA-Z0-9_] compatible.
If there is a need to pass a variable directly into the query, use QueryBuilderUtil safe methods
- getField - use it when field is constructed with sprintf or concatenation. For example,
select($alias . '.' . $field),select('alias.', $field),select(sprintf('%s.%s', $alias, $field), etc. - sprintf - should be used instead of sprintf when it cannot be replaced with getField. For example,
select('IDENTITY(%s.%s) as %s', $alias, $fieldName, $fieldAlias) - checkIdentifier - should be used to check identifiers (alphanumeric strings). A variable passed to checkIdentifier is considered safe and is allowed for further use.
- checkField - similar to checkIdentifier with exception that it's designed to check strings in format "\w+.\w+" (alias.fieldName). A variable passed to checkField is considered safe and is allowed for further use.
- checkParameter -similar to checkIdentifier with exception that it's designed to check strings in format ":\w+" (:parameterName). A variable passed to checkParameter is considered safe and is allowed for further use.
-
getSortOrder - return ASC or DESC if one of these values is passed. Otherwise, an exception is thrown. Used to clear sort directions passed as parameters.
NOTE!!! ->select(sprintf(%s as something', $fullName)) may be not quick fixed as $fullName may contain CONCAT(firstName, lastName) or any other statement. Such calls should be checked and marked safe
DBAL
Use bind parameters or quote them with the connection quote method. Identifiers should be either checked for safety with QueryBuilderUtil or quoted with the quoteIdentifier method of connection.
Common warnings and possible ways to fix them
-
Unsafe field is used as a part of query
Fix - use
QueryBuilderUtil::checkFieldto check field for safeness -
Using composite identifier
Or
Possible ways to fix.
Fix 1 - use
QueryBuilderUtil::getFieldFix 2 - check each identifier separately with
QueryBuilderUtil::checkIdentifierFix 3 - use safe
QueryBuilderUtil::sprintf, also applicable when replacing sprintf -
Using composite parameter name
Fix - use
QueryBuilderUtil::checkParameter -
Using sort order passed from outside
Fix - use
QueryBuilderUtil::getSortOrder -
Literal is passed to query
Fix use
literalexpression
Static code analysis - Configuration
If a variable, a property or a method are considered safe after a detailed manual analysis, they may be added to trusted_data.neon.
Such items will be marked as safe during further checks and skipped.
Available trusted_data.neon configuration sections are:
variables- whitelist of safe variables. Formatclass.method.variable: trueproperties- whitelist of safe properties. Formatclass.method.property: truesafe_methods- whitelist of safe class methods. Formatclass.method: truesafe_static_methods- whitelist of safe class static methods. Formatclass.method: truecheck_methods_safety- consider method safe if passed variables are safe. Formatclass.method: truewhen all passed variables should be checked. Includes__constructmethod for new instance creation checks
orclass.method: [1]when only certain variables require checks (their positions are listed in array)check_static_methods_safety- consider static method safe if passed variables are safe. Formatclass.method: truewhen all passed variables should be checked orclass.method: [1]when only certain variables require checks (their positions are listed in array)clear_methods- variable is considered as safe if it is passed as argument into listed method. Formatclass.method: trueclear_static_methods- variable is considered as safe if it is passed as argument into listed static method. Formatclass.method: truecheck_methods- contains a list of methods that are checked for safeness. If passed arguments are unsafe, a security warning about such usage is reported by the analysis tool. Formatclass.method: truewhen all passed variables should be checked orclass.method: [1]when only certain variables require checks (their positions are listed in array). Useclass.__all__: trueto check all class methods. For example, there is SomeClass and we want to check all its methods, except formethod1. Formethod1, we want to enable only the first and third argument checks, and formethod2we want all arguments to be checked:
It is recommended to mark methods as safe. If a variable consists of several parts, it is better to add a minimal unsafe part to the whitelist, rather than the whole expression.
Example
Such code will lead to a security warning, as $fieldName variable was constructed using several parts, some of which are not safe.
The best solution to make this expression safe is to check $suffix with QueryBuilderUtil::checkIdentifier($suffix)
Another option is to add $suffix into the trusted_data.neon whitelist if its values are always passed as safe or checked in the caller.
The worst solution would be to mark $fieldName as safe because its parts may be changed and, after adding a new or an unsafe part, it will be skipped, although it may contain an unchecked vulnerability.
Contribute
Please referer to Oro Community Guide for information on how to contribute to this package and other Oro products.
All versions of phpstan-rules with dependencies
phpstan/phpstan-doctrine Version 1.5.*
nette/neon Version ^3.1