oleg-andreyev / psalm-plugin-symfony

This project forked from psalm/psalm-plugin-symfony


Psalm Plugin for Symfony

License: MIT License

PHP 47.04% Gherkin 52.96%


Symfony Psalm Plugin


Installation

composer require --dev psalm/plugin-symfony
vendor/bin/psalm-plugin enable psalm/plugin-symfony

Features

  • Detects the ContainerInterface::get() result type. Works better if you configure a compiled container XML file.
  • Supports Service Subscribers. Works only if you configure a compiled container XML file.
  • Detects the return types of console arguments (InputInterface::getArgument()) and options (InputInterface::getOption()). Enforces the use of the InputArgument and InputOption constants as a best practice.
  • Detects the Doctrine repository classes associated with entities when they are configured via annotations.
  • Fixes PossiblyInvalidArgument for Symfony\Component\HttpFoundation\Request::getContent(). The plugin determines the real return type by checking the given argument and marks it as either "string" or "resource".
  • Detects the return type of Symfony\Component\HttpFoundation\HeaderBag::get() by checking the default value (third argument for < Symfony 4.4).
  • Detects the return types of Symfony\Component\Messenger\Envelope::last and Symfony\Component\Messenger\Envelope::all, based on the provided argument.
  • Taint analysis for Symfony.
  • Detects violations of the service and parameter naming conventions.
  • Complains when the container itself is injected into a service and asks you to inject the concrete dependencies instead.
  • Fixes PropertyNotSetInConstructor false positive issues:
    • $container in AbstractController
    • $context in ConstraintValidator classes
    • properties in custom @Annotation classes
  • And much more!
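The following added example is not code from the psalm-plugin-symfony project; class and service names are hypothetical. It shows two of the findings listed above side by side with their fixes: a service that injects the whole container, and a controller in which query-string input reaches the HTML response body. The container finding appears on a normal run; the taint finding needs Psalm's taint mode (`vendor/bin/psalm --taint-analysis`).

```php
<?php
// Added example (not part of psalm-plugin-symfony). Class names are hypothetical.
declare(strict_types=1);

namespace App;

use Psr\Container\ContainerInterface;
use Psr\Log\LoggerInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

// --- Finding 1: the container injected into a service ----------------------

// Before: the plugin complains that the service container is injected.
// Without a compiled container XML Psalm also cannot tell what get() returns.
final class AuditLogBefore
{
    public function __construct(private ContainerInterface $container)
    {
    }

    public function record(string $message): void
    {
        $this->container->get('logger')->info($message);
    }
}

// After: depend on the interface you actually use. The type is now explicit,
// the dependency is visible in the constructor, and the finding goes away.
final class AuditLogAfter
{
    public function __construct(private LoggerInterface $logger)
    {
    }

    public function record(string $message): void
    {
        $this->logger->info($message);
    }
}

// --- Finding 2: tainted HTML from Request to Response ----------------------

final class GreetingController
{
    // Before: the plugin's stubs mark request parameters as a taint source and
    // the response content as an `html` sink, so the unescaped `name` value
    // flowing into the body is reported (reflected XSS).
    public function vulnerable(Request $request): Response
    {
        $name = (string) $request->query->get('name', 'world');

        return new Response('<h1>Hello ' . $name . '</h1>');
    }

    // After: htmlspecialchars() is a known `html` escape for Psalm's taint
    // analysis, so the same flow is no longer reported. ENT_QUOTES also covers
    // attribute contexts should the value ever be used there.
    public function hardened(Request $request): Response
    {
        $name = (string) $request->query->get('name', 'world');
        $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

        return new Response('<h1>Hello ' . $safe . '</h1>');
    }
}
```

Escaping at the sink rather than at the source is deliberate: the same `$name` may legitimately be logged or stored unescaped, and taint analysis only needs the escape on the path that ends in HTML.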

Configuration

If you followed the installation instructions, the psalm-plugin command has already added this plugin configuration to the psalm.xml configuration file.

<?xml version="1.0"?>
<psalm errorLevel="1">
    <!--  project configuration -->

    <plugins>
        <pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin" />
    </plugins>
</psalm>

To detect the return types of services fetched by ID (in Symfony YAML configuration these generally start with @, for example the logger service), a containerXml must be provided. Example:

<pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin">
    <containerXml>var/cache/dev/App_KernelDevDebugContainer.xml</containerXml>
</pluginClass>

This file path may change based on your Symfony version, file structure and environment settings. Default files according to Symfony versions are:

  • Symfony 3: var/cache/dev/srcDevDebugProjectContainer.xml
  • Symfony 4: var/cache/dev/srcApp_KernelDevDebugContainer.xml
  • Symfony 5: var/cache/dev/App_KernelDevDebugContainer.xml

Multiple container files can be configured. In this case, the first valid file is taken into account. If none of the given files is valid, a configuration exception is thrown. Example:

<pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin">
    <containerXml>var/cache/dev/App_KernelDevDebugContainer.xml</containerXml>
    <containerXml>var/cache/dev/App_KernelTestDebugContainer.xml</containerXml>
</pluginClass>

Twig tainting (experimental)

When it comes to taint analysis for Twig templates, there are currently two approaches:

  • The first one is based on a specific file analyzer (Psalm\SymfonyPsalmPlugin\Twig\TemplateFileAnalyzer) which leverages the Twig parser and visits the AST nodes.
  • The second one is based on the already compiled Twig templates, it only bridges calls from Twig\Environment::render to the actual doRender method of the compiled template.

Twig Analyzer

This approach is more robust since it relies on the official Twig parser and node visitor mechanisms. For the moment, it is only able to detect simple tainted paths.

To leverage the real Twig file analyzer, you have to configure a checker for the .twig extension as follows:

<fileExtensions>
   <extension name=".php" />
   <extension name=".twig" checker="./vendor/psalm/plugin-symfony/src/Twig/TemplateFileAnalyzer.php"/>
</fileExtensions>

See the currently supported cases.

Cache Analyzer

This approach is "dirtier", since it tries to connect the taints from the application code to the compiled PHP code representing a given template. It is theoretically able to detect more taints than the previous approach out of the box, but it still lacks support for template inheritance and similar features.

To allow the analysis through the cached template files, you have to add the twigCachePath entry to the plugin configuration:

<pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin">
    <twigCachePath>/cache/twig</twigCachePath>
</pluginClass>

See the currently supported cases.
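Pulling the configuration fragments above together, here is a complete psalm.xml as an added example. It is not a file shipped by the plugin; the project directory layout and the choice of listing both a dev and a test container file are assumptions. It enables the plugin, the compiled container lookup, the Twig file analyzer and the cache-based bridge at once:

```xml
<?xml version="1.0"?>
<!-- Added example psalm.xml (not shipped by the plugin); src/ and templates/ are assumed paths -->
<psalm errorLevel="1">
    <projectFiles>
        <directory name="src" />
        <!-- templates/ must be scanned for the .twig checker to see any templates -->
        <directory name="templates" />
        <ignoreFiles>
            <directory name="vendor" />
        </ignoreFiles>
    </projectFiles>

    <fileExtensions>
        <extension name=".php" />
        <!-- Twig Analyzer: route .twig files through the plugin's file analyzer -->
        <extension name=".twig" checker="./vendor/psalm/plugin-symfony/src/Twig/TemplateFileAnalyzer.php" />
    </fileExtensions>

    <plugins>
        <pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin">
            <!-- the first file that exists and is valid wins -->
            <containerXml>var/cache/dev/App_KernelDevDebugContainer.xml</containerXml>
            <containerXml>var/cache/dev/App_KernelTestDebugContainer.xml</containerXml>
            <!-- Cache Analyzer: bridge Twig\Environment::render to compiled templates -->
            <twigCachePath>/cache/twig</twigCachePath>
        </pluginClass>
    </plugins>
</psalm>
```

The compiled container XML only exists after the kernel has been booted in that environment, so in CI run `bin/console cache:warmup --env=dev` (or the equivalent for the environment you list) before `vendor/bin/psalm --taint-analysis`; if none of the listed containerXml files is valid, the plugin throws a configuration exception as described above.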

Credits
