PHPStan rules to detect disallowed method & function calls, constant, namespace, attribute & superglobal usages
PHPStan 1.11 added error identifiers and while they were supported by this extension for quite some time (since #97), they were not added by default, only when you specified them yourself.
This release adds error identifiers everywhere, and they'll be used if you don't specify custom identifiers in your custom config.
The full list of identifiers is in the `ErrorIdentifiers` class here https://github.com/spaze/phpstan-disallowed-calls/blob/main/src/RuleErrors/ErrorIdentifiers.php and they have a `disallowed.something` format.
`else`, `elseif`, `goto` (#257)
Checking params inside `( ... )` doesn't work at the moment, so you can disallow all `declare()` constructs but can't re-allow e.g. `declare(strict_types=1)`.
If you try to disallow `else if` with the space, an exception will be thrown, because `else if` is parsed as `else` followed by `if`, so disallowing `else if` with the space wouldn't have the desired effect and the result would be unexpected. Disallow `elseif`, or don't write `else if` in your code 😇
Add `phpinfo()` to dangerous calls config (#255)
The reason: `phpinfo()` echoes cookie values like the session id, which may then be stolen with XSS for example, bypassing the `HttpOnly` cookie flag. Use https://github.com/spaze/phpinfo instead of just calling `phpinfo()`.
`array_values()` (#253, this is a new bleeding edge rule added in PHPStan 1.10.59)
`ENT_QUOTES` as int `3` in `disallowed-loose-calls.neon` config (#250)
`disallowedEnums`, they use `DisallowedConstant` internally (#243, docs)
`disallowedConstants`' `constant` field is always present (#245)
The 3.1.0 release was the same minus #248.
New major version because of some major new features in this release, and some potential backwards compatibility breaks depending on how you use the extension, all described below.
`typeString` config option (#234)
You can now specify dis/allowed parameter values as a PHPDoc string like `typeString: 'foo'|'bar'` or `typeString: 'array{}'` etc. instead of just `value: scalar`.
When there was no `message` key in the disallowed configuration, "because reasons" was added automatically. I thought it was funny back when this was an internal extension only, but maybe it's not anymore. So there's no "because reasons" anymore, and the error message will always end with a full stop `.`, unless it already ends with one, or unless it ends with `?` or `!`.
`allowExceptParamsInAllowed` description in docs was flipped around (#235)
`libs` dir into `src` (#227)
`ClassWithAttributesAllow` (#230)
Did you know you can use @dependabot to update your actions, not just your code? I've updated my article which mentions Dependabot https://www.michalspacek.com/dont-let-security-bugs-catch-you-off-guard#github-dependabot
So you can disallow `Interface::method()` and `Implementation::method()` will also be detected. It already worked for constructors, so it makes sense to support it generally.
Attribute names can now be written like `#[\Foo()]`, not just like `Foo` (#207). This makes copy/pasting attribute names more straightforward; something similar already works for method calls etc.
The README file was getting way too big already; making it shorter also gives a better overview of what the extension does.
`require`d because I don't trust anyone (=me) not to forget to add that file. Autoloading them seemed fine but the order could be more or less random, which could break some tests, and it did.
`list<type>` instead of `type[]` where possible (#214)
Fixes
The `definedIn` filter added in 2.15.0 now also works correctly and as expected for `new Class()` statements (#203, thanks @BackEndTea)
Internal changes
Handy when you disallow items with wildcards but there's this one thing you'd like to leave out.

```neon
parameters:
    disallowedFunctionCalls:
        -
            function: 'pcntl_*()'
            exclude:
                - 'pcntl_foo*()'
```

`exclude` can be a string or an array/list of strings. Currently works for attributes, function & method calls, namespaces.
`definedIn?: string|list<string>` config option (#198, #200)
To further specify/limit files where the function or method should be defined to be disallowed.

```neon
parameters:
    disallowedFunctionCalls:
        -
            function: '*'
            definedIn:
                - 'vendor/foo/bar'
    disallowedMethodCalls:
        -
            method: '*'
            definedIn:
                - 'vendor/foo/bar'
```

`definedIn` can also be a string or a list/array of strings. Currently works for function and method calls only. You may also need to set `filesRootDir`, see the README.
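To show how the options from these release notes (`message`, `typeString`, `exclude`, `definedIn`, custom error identifiers and the `phpinfo()` entry) fit together in one config, here is an added `phpstan.neon` fragment; it is not taken from the extension's README or its bundled configs, and the package paths, messages and identifier names in it are made up for the example.

```neon
# Added example config for spaze/phpstan-disallowed-calls; paths and names are constructed.
parameters:
    disallowedFunctionCalls:
        -
            # Same entry as the bundled dangerous-calls config, with a project-specific message.
            # Message ends with a full stop automatically, so none is needed here.
            function: 'phpinfo()'
            message: 'leaks cookie values such as the session id, use spaze/phpinfo instead'
            # Custom identifier; without it the extension's own disallowed.* identifier is used.
            errorIdentifier: 'myapp.phpinfo'
        -
            # Disallow hash() unless the first (algo) param is one of the listed literal types,
            # expressed with typeString rather than a single scalar value.
            function: 'hash()'
            message: 'only sha256 or sha512 may be used here'
            allowParamsAnywhere:
                -
                    position: 1
                    name: algo
                    typeString: "'sha256'|'sha512'"
        -
            # Wildcard with one function left out via exclude; the rest is allowed
            # only under the (constructed) worker directory.
            function: 'pcntl_*()'
            message: 'process control belongs in the worker'
            exclude: 'pcntl_signal()'
            allowIn:
                - src/Worker/*.php
    disallowedMethodCalls:
        -
            # Any method defined in this (constructed) vendor package is disallowed;
            # definedIn matches the defining file, so set filesRootDir if paths don't resolve.
            method: '*'
            message: 'this package is being phased out'
            definedIn:
                - 'vendor/acme/legacy'
```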
`str_starts_with()` (#196)