Releases: spaze/phpstan-disallowed-calls
Support PHP 8.4
Disallow create_function and support PHPStan 1.12.6, getting ready for 2.0
- Add `create_function` as a disallowed function call (#261, thanks @BackEndTea)
- Process `ClassConstFetch` where `$class` is `Name` only for enums to correctly support PHPStan 1.12.6 (#266)
Internal changes:
- Add phpstan/phpstan-deprecation-rules in expectation of PHPStan 2.0 (#263)
- Fix test class name (#260, spotted by @szepeviktor, thanks)
Default error identifiers
- Add default error identifiers, used if not specified/overridden in your custom config (#258)
PHPStan 1.11 added error identifiers, and while this extension has supported them for quite some time (since #97), they were not added by default, only when you specified them.
This release adds error identifiers everywhere, and they'll be used if you don't specify custom identifiers in your custom config.
The full list of identifiers is in the `ErrorIdentifiers` class here https://github.com/spaze/phpstan-disallowed-calls/blob/main/src/RuleErrors/ErrorIdentifiers.php and they have a `disallowed.something` format.
Disallow control structures like else, elseif, goto and others
- Can disallow control structures like `else`, `elseif`, `goto` (#257)
Checking params inside `declare(...)` doesn't work at the moment, so you can disallow all `declare()` constructs but can't re-allow e.g. `declare(strict_types=1)`.
If you try to disallow `else if` with the space, an exception will be thrown, because `else if` is parsed as `else` followed by `if`, so disallowing `else if` with the space wouldn't have the desired effect and the result would be unexpected. Disallow `elseif`, or don't write `else if` in your code 😇
Add phpinfo() to dangerous calls config
Add `phpinfo()` to dangerous calls config (#255)
See
- https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it
- or https://www.michalspacek.cz/kradeni-session-id-pomoci-phpinfo-a-jak-tomu-zabranit (in Czech)
for reasons why (`phpinfo()` echoes cookie values like the session id, which may then be stolen with XSS for example, bypassing the `HttpOnly` cookie flag), and use https://github.com/spaze/phpinfo instead of just calling `phpinfo()`.
Internal changes
- Support PHPStan 1.10.58 in `disallowed-loose-calls.neon` config
Dynamic class constant fetch, disallowedEnums
What's Changed
- Support dynamic class constant fetch available in PHP 8.3 (#242, #248)
- Added `disallowedEnums`, they use `DisallowedConstant` internally (#243, docs)
Internal changes:
- The PHP 8.0 polyfill is not needed anymore (#237)
- More tests for attributes (#240) and on more PHP versions (#244)
- More strict/correct config schema, `disallowedConstants`' `constant` field is always present (#245)
- Reuse the existing reflection variable (#246)
Note
The 3.1.0 release was the same minus #248.
Param values with PHPdoc `typeString`, attributes on properties and more reported, no "because reasons" in errors, more rules for the same call, few possible bw compat breaks
New major version because of some major new features in this release, and some potential backwards compatibility breaks depending on how you use the extension, all described below.
New features
- Can specify params with a PHPDoc type in the `typeString` config option (#234)
You can now specify dis/allowed parameter values as a PHPDoc type string like `typeString: 'foo'|'bar'` or `typeString: 'array{}'` etc. instead of just `value: scalar`
- Support more attribute targets: properties, class constants, params (#225)
Disallowed attributes will now be also reported when used on/with those.
Changed
- No "because reasons", because reasons (#221) (Possible backwards compatibility break, if you ignore error messages in your config)
Previously, if there was no `message` key in the disallowed configuration, "because reasons" was added automatically. I thought it was funny back when this was an internal extension only, but maybe it's not anymore. So there's no "because reasons" anymore, and the error message will always end with a full stop, unless it already ends with one, or unless it ends with `?` or `!`.
- Define extension parameters as a structure (#222, #231 and a follow-up in #229 thanks to @francescolaffi) (Possible BC break, if you have a typo in your config, you may suddenly be alerted about it)
Bye typos, at least some of them.
- Can add more rules for the same call to have different messages for various params (#232) (Possible BC break if you for some reason relied on the order of the rules for the same function or method)
- The `allowExceptParamsInAllowed` description in docs was flipped around (#235)
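An added example (not from the extension's docs or this release) that uses both the `typeString` param matching (#234) and two rules for the same call with different messages (#232). The keys `disallowedFunctionCalls`, `function`, `message`, `allowExceptParams`, `position`, `name` and `typeString` are assumed from the README; the messages and the choice of `hash()` are mine.

```neon
parameters:
    disallowedFunctionCalls:
        # Two rules for the same function: each one matches a different set of
        # literal algorithm names and reports its own message.
        -
            function: 'hash()'
            message: 'MD5 and SHA-1 are not collision resistant, use sha256 or stronger'
            # assumed semantics: the call is allowed unless the param matches
            allowExceptParams:
                -
                    position: 1
                    name: 'algo'
                    # PHPDoc union of string literals, only possible with typeString
                    typeString: "'md5'|'sha1'"
        -
            function: 'hash()'
            message: 'CRC and Adler are checksums, not cryptographic hashes'
            allowExceptParams:
                -
                    position: 1
                    name: 'algo'
                    typeString: "'crc32'|'crc32b'|'crc32c'|'adler32'"
```

With this config `hash('md5', $data)` and `hash('crc32b', $data)` are reported with different messages, while `hash('sha256', $data)` passes. A call whose first argument PHPStan only knows as `string` does not match either union, so it passes too; if you want such dynamic algorithm names reported as well, add a third rule for the same function with `typeString: 'string'` and a message asking for a literal.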
Internal test changes
Support PHP 8.3
What's Changed
Did you know you can use @dependabot to update your actions, not just your code? I've updated my article which mentions Dependabot https://www.michalspacek.com/dont-let-security-bugs-catch-you-off-guard#github-dependabot
Detect disallowed interface methods, docs update
Method calls from interface implementations are now detected (#212, @enumag wrote the test, thanks)
So you can disallow `Interface::method()` and `Implementation::method()` will also be detected. It already worked for constructors, so it makes sense to support it generally.
Attributes in config can be specified like `#[\Foo()]`, not just like `Foo` (#207)
Makes copy/pasting attribute names more straightforward. Something similar already works for method calls etc.
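An added example of both changes in this release (written for this page, not taken from the extension's docs): a method disallowed on an interface, which is now also reported when called on a class implementing it, and an attribute written in the `#[...]` form. The keys `disallowedMethodCalls`, `method`, `disallowedAttributes`, `attribute`, `message` and `allowIn` are assumed from the README; `App\Crypto\CipherInterface`, `App\Security\SkipCsrfCheck` and the `src/Migration/*` path are placeholders.

```neon
parameters:
    disallowedMethodCalls:
        -
            # Disallowed on the interface; since #212 a call such as
            # $cipher->encryptLegacy() is reported even when $cipher is typed as
            # a concrete implementation rather than as the interface.
            method: 'App\Crypto\CipherInterface::encryptLegacy()'
            message: 'legacy cipher mode, use CipherInterface::encrypt()'
            allowIn:
                - src/Migration/*
    disallowedAttributes:
        -
            # Since #207 the attribute can be pasted exactly as it appears in code.
            attribute: '#[\App\Security\SkipCsrfCheck()]'
            message: 'CSRF protection must not be disabled per route'
```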
Split the README into multiple smaller files (#209 + #210)
The README file was getting way too big already, making it shorter also gives better overview of what the extension does.
Internal changes
- Specify all required test files explicitly in given order and test all libs loaded (#213)
And write a test to test that all test files are actually `require`d because I don't trust anyone (=me) to not forget to add that file. Autoloading them seemed fine but the order could be more or less random which could break some tests, and it did.
- Use more precise `list<type>` instead of `type[]` where possible (#214)