Allow named params & non-CSPRNG insecure calls & PHP 8.2

[spaze]

Overview

Bit more things this time I even had to use headings. In no particular order:

• PHP 8.2 is now supported (by running tests on 8.2) (Start running tests on PHP 8.2 #143)
• Can allow a previously disallowed call when done with a named parameter in allowParams* config options, see below, previously only positional params were accepted (Support named parameters in allowParams* config keys #141, thanks @ilazaridis for the inital implementation)
• Can allow a previously disallowed call when done only with a flag set in a bitmask param, see below (Support flag/bitmask params #150, Update loose config to use allowParamFlagsAnywhere #151)
• disallowed-insecure-calls.neon bundled config file now disallows insecure randomness functions rand(), mt_rand(), lcg_value(), uniqid() (Disallow insecure randomness functions #145, thanks @compwright)
• It may be a good idea to disallow functions and classes disabled in PHP config (disable_functions, disable_classes) and now there's a config generator script in bin/generate-from-disabled.php which will read the PHP config and dump the generated NEON config to STDOUT which you can fine-tune and commit to your repository (A script to generate config from 'disable_functions' & 'disable_classes' #149, loosely based on an idea by @staabm, thanks)

Named params

Named params are now fully supported, even mixed usage of both positional and named

For example, to allow a function foo(string $message, bool $alert): void when called with $alert = true:

allowParamsAnywhere:
    -
        position: 2
        name: 'alert'
        value: true

All keys are optional although I'd definitely recommend adding both position and name. The value key doesn't need to be specified with allowParams*AnyValue.

The old-style shortcusts still work:

allowParamsInAllowed:
    1: 'foo'
    2: true

But they're not recommended because sometimes, somewhere, you may suddenly use a named parameter and you'd start to see disallowed calls for no apparent reason. Some of the bundled config files still use these shortcuts, so they'll be supported for, I think, ever.

Allow a call with a flag in a bitmask param

This very same excerpt was also added to the README.

Some functions can be called with flags or bitmasks, for example

json_encode($foo, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT);

Let's say you want to disallow json_encode() except when called with JSON_HEX_APOS (integer 4) flag. In the call above, the value of the second parameter (JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT) is 13 (1 | 4 | 8).
For the extension to be able to "find" the 4 in 13, you need to use the ParamFlags family of config options:

• allowParamFlagsInAllowed
• allowParamFlagsAnywhere
• allowExceptParamFlagsInAllowed or disallowParamFlagsInAllowed
• allowExceptParamFlags or disallowParamFlags

They work like their non-flags Param counterparts except they're looking if specific bits in the mask parameter are set.

The json_encode() example mentioned above would look like the following snippet:

parameters:
    disallowedFunctionCalls:
            function: 'json_encode'
            allowParamFlagsAnywhere:
                -
                    position: 2
                    value: ::JSON_HEX_APOS

---

This discussion was created from the release Allow named params & non-CSPRNG insecure calls & PHP 8.2.

[spaze]

2.11.1 was just released to fix a bug which prevented the named param config to work properly (#156).