New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for literal-string
type, to address Injection Vulnerabilities
#5507
Comments
literal-string
, to address Injection Vulnerabilitiesliteral-string
type, to address Injection Vulnerabilities
Hi, please send a PR that interprets To fully support this and introduce some checks would be much more work, I have no plans to do that currently. |
Thanks for the pointers Ondřej. I’ll make a PR (it might take me a few weeks, as I’m not familiar with the internals of PHPStan, and I’ve got some other work to be doing as well). |
No problem, it's literally two lines of code :) |
Sorry, I didn't read your message correctly... I've created a PR to add 'literal-string' as a basic StringType(). To fully support... Would you say it's more of an I suspect extending would be easier, so it can contain a flag to say if it was defined in the developers source code... I wonder if |
This is implemented :) |
FWIW, this is approximately the same as #4151 (for the sake of posterity). |
Thanks @dktapps, I'm hoping to bring this concept (identifying programmer defined strings to stop Injection Vulnerabilities) to a few different projects, and generally raise awareness - if you want to discuss it further, or help out, feel free to email me off-list. |
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Feature request
Psalm 4.8 has introduced a new
literal-string
type, which is used to "distinguish strings from a trusted developer, from strings that may be attacker controlled".This helps identify the main source of Injection Vulnerabilities, where developers incorrectly include user-input in sensitive strings (SQL, HTML, CLI, etc).
It is based on the is_literal() RFC that didn't make it in for PHP 8.1, but will be re-considered for 8.2.
As an aside, this is not the same as Taint Checking, which incorrectly assumes the output of an escaping function is “safe” for a particular context (creating a false sense of security); for example:
Did PHPStan help you today? Did it make you happy in any way?
PHPStan helps me focus on problem solving, knowing that it will pick up most typos/mistakes (the reason for this feature request is to catch the last set of mistakes that I still worry about, especially when working with a larger team of developers).
The text was updated successfully, but these errors were encountered: