Phpstan Disallowed Calls Versions

PHPStan rules to detect disallowed method & function calls, constant, namespace, attribute & superglobal usages

v3.4.0

1 month ago
  • Add default error identifiers, used if not specified/overridden in your custom config (#258)

PHPStan 1.11 added error identifiers and while they were supported by this extension for quite some time (since #97), they were not added by default, only when you've specified them.

This release adds error identifiers everywhere, and they'll be used if you don't specify custom identifiers in your custom config. The full list of identifiers is in the ErrorIdentifiers class here https://github.com/spaze/phpstan-disallowed-calls/blob/main/src/RuleErrors/ErrorIdentifiers.php and they have a disallowed.something format.

v3.3.0

1 month ago
  • Can disallow control structures like else, elseif, goto (#257)

Checking params inside ( ... ) doesn't work at the moment, so you can disallow all declare() constructs but can't re-allow e.g. declare(strict_types=1).

If you try to disallow else if with the space, an exception will be thrown, because else if is parsed as else followed by if, so disallowing else if with the space wouldn't have the desired effect and the result would be unexpected. Disallow elseif, or don't write else if in your code 😇

v3.2.0

1 month ago

Add phpinfo() to dangerous calls config (#255)

See

for reasons why (phpinfo() echoes cookie values like the session id, which may then be stolen with XSS for example, bypassing the HttpOnly cookie flag), and use https://github.com/spaze/phpinfo instead of just calling phpinfo().
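The following config is an added example, not a file shipped by the extension; it ties the v3.2.0 phpinfo() entry together with the v3.4.0 error identifiers. It assumes the errorIdentifier key for a custom identifier (without it, the default from src/RuleErrors/ErrorIdentifiers.php applies, which for a function call is assumed to be disallowed.function; check that class for the exact names), and the file paths are constructed placeholders.

```neon
# Added example config (not the extension's own disallowed-dangerous-calls.neon).
# Assumptions: the errorIdentifier key exists for custom identifiers, and
# the paths below are constructed for illustration.
parameters:
    disallowedFunctionCalls:
        -
            function: 'phpinfo()'
            message: 'leaks cookie values such as the session id into the page, use spaze/phpinfo'
            # Custom identifier; leave it out to get the default one from
            # ErrorIdentifiers.php (assumed: disallowed.function).
            errorIdentifier: 'myapp.phpinfo'
            # The one place where a diagnostics page is allowed to call it.
            allowIn:
                - 'src/Admin/DiagnosticsPage.php'

    ignoreErrors:
        # Ignore by identifier, not by message regex, so a wording change in
        # the extension (like the dropped "because reasons" suffix in 3.0.0)
        # does not silently stop matching and un-ignore the error.
        -
            identifier: 'myapp.phpinfo'
            path: 'tests/Fixtures/legacy.php'
```

Ignoring by identifier and path keeps the exception scoped to one legacy fixture; everything else that calls phpinfo() outside allowIn is still reported, and the message tells the reporter what to use instead.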

Internal changes

  • It's already a list, no need to call array_values() (#253, this is a new bleeding edge rule added in PHPStan 1.10.59)
  • Update dev dependencies (#254)

v3.1.2

4 months ago
  • Hardcode ENT_QUOTES as int 3 in disallowed-loose-calls.neon config (#250)
  • Run tests every day to assure compatibility (#251)

v3.1.1

4 months ago

What's Changed

  • Support dynamic class constant fetch available in PHP 8.3 (#242, #248)
  • Added disallowedEnums, they use DisallowedConstant internally (#243, docs)

Internal changes:

  • The PHP 8.0 polyfill is not needed anymore (#237)
  • More tests for attributes (#240) and on more PHP versions (#244)
  • More strict/correct config schema, disallowedConstants' constant field is always present (#245)
  • Reuse the existing reflection variable (#246)

Note

The 3.1.0 release was the same minus #248.

v3.0.0

5 months ago

New major version because of some major new features in this release, and some potential backwards compatibility breaks if you use the extension in one way or another, all described below.

New features

  • Can specify params with a PHPDoc type in the typeString config option (#234). You can now specify dis/allowed parameter values as a PHPDoc type string like typeString: 'foo'|'bar' or typeString: 'array{}' etc. instead of just value: scalar
  • Support more attribute targets: properties, class constants, params (#225). Disallowed attributes will now also be reported when used on/with those.
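An added example of the typeString option described above (not the extension's own config): it assumes the allowParamsAnywhere option with position/typeString entries, and the function name and option names are constructed for illustration.

```neon
# Added example config, not shipped by the extension.
# Assumption: allowParamsAnywhere entries take position and typeString.
parameters:
    disallowedFunctionCalls:
        -
            function: 'ini_set()'
            message: 'runtime ini changes belong in php.ini or deployment config'
            # Allowed everywhere only when the first argument is one of these
            # literal option names. A string variable or any other literal
            # (e.g. open_basedir) does not match the union type and is still
            # reported, which is what value: scalar could not express.
            allowParamsAnywhere:
                -
                    position: 1
                    typeString: "'memory_limit'|'max_execution_time'"
```

The PHPDoc type is evaluated against the argument's type as PHPStan sees it, so a literal-string union like this only lets through calls whose argument is known at analysis time to be one of those options.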

Changed

  • No "because reasons", because reasons (#221) (Possible backwards compatibility break, if you ignore error messages in your config) Previously, if there was no message key in the disallowed configuration, "because reasons" was added automatically. I thought it was funny back when this was an internal extension only, but maybe it's not anymore. So there's no "because reasons" anymore, and the error message will always end with a full stop (.), unless it already ends with one, or unless it ends with ? or !.
  • Define extension parameters as a structure (#222, #231 and a follow-up in #229 thanks to @francescolaffi) (Possible BC break, if you have a typo in your config, you may suddenly be alerted about it) Bye typos, at least some of them.
  • Can add more rules for the same call to have different messages for various params (#232) (Possible BC break if you for some reason relied on the order of the rules for the same function or method)
  • The allowExceptParamsInAllowed description in docs was flipped around (#235)

Internal test changes

  • Use the DI container in tests (#223, #228)
  • Merge test libs dir into src (#227)
  • Rename attribute tests and drop ClassWithAttributesAllow (#230)

v2.16.1

7 months ago

What's Changed

  • Support PHP 8.3 (#217)
  • Bump actions/checkout from 3 to 4 (#218)

Did you know you can use @dependabot to update your actions, not just your code? I've updated my article which mentions Dependabot https://www.michalspacek.com/dont-let-security-bugs-catch-you-off-guard#github-dependabot

v2.16.0

10 months ago

Method calls from interface implementations are now detected (#212, @enumag wrote the test, thanks)

So you can disallow Interface::method() and Implementation::method() will also be detected. It already worked for constructors, so it makes sense to support it generally.

Attributes in config can be specified like #[\Foo()], not just like Foo (#207)

Makes copy/pasting attribute names more straightforward. Something similar already works for method calls etc.

Split the README into multiple smaller files (#209 + #210)

The README file was getting way too big already; making it shorter also gives a better overview of what the extension does.

Internal changes

  • Specify all required test files explicitly in the given order and test that all libs are loaded (#213). And write a test to check that all test files are actually required, because I don't trust anyone (=me) not to forget to add that file. Autoloading them seemed fine, but the order could be more or less random, which could break some tests, and it did.
  • Use more precise list<type> instead of type[] where possible (#214)

v2.15.1

11 months ago

Fixes: The definedIn filter added in 2.15.0 now also works correctly and as expected for new Class() statements (#203, thanks @BackEndTea)

Internal changes

  • The newest coding standard is required, no changes were needed (#202)
  • Load all library files automatically in tests, otherwise class reflection doesn't class-reflect (#204)

v2.15.0

1 year ago

Can exclude some attributes, calls, namespaces (#197, #199)

Handy when you disallow items with wildcards but there's this one thing you'd like to leave out.

parameters:
    disallowedFunctionCalls:
        -
            function: 'pcntl_*()'
            exclude:
                - 'pcntl_foo*()'

exclude can be a string or an array/list of strings. Currently works for attributes, function & method calls, namespaces.

Add definedIn?:string|list<string> config option (#198, #200)

To further specify/limit the files in which the function or method must be defined for it to be disallowed.

parameters:
    disallowedFunctionCalls:
        -
            function: '*'
            definedIn:
                - 'vendor/foo/bar'
    disallowedMethodCalls:
        -
            method: '*'
            definedIn:
                - 'vendor/foo/bar'

definedIn can also be a string or a list/array of strings. Currently works for function and method calls only. You may also need to set filesRootDir, see the README.

Internal changes

  • Internal naming cleanup (#195)
  • Require symfony/polyfill-php80 for dev/tests because some tests use str_starts_with() (#196)