Releases: spaze/phpstan-disallowed-calls
Disallow superglobals usage and allow it back also in a trait, you can

Disallow superglobals usage, you can

Add `disallowedSuperglobals` rule to disallow usage of:
- `$_GET`
- `$_POST`
- `$GLOBALS`
- and other superglobals

Done by detecting disallowed variables that are not defined in the current scope (#105, thanks @ekisu!)
Happy New Disallowed Calls! (& some new config items and aliases)

- Optional root dir config/prefix (`allowInRootDir`) for all `allowIn` paths, needed when running PHPStan from a subdir for example (#102)
- Added `disallow*` aliases to `allowExcept*` config directives, might be more readable (#104)
- Can specify `errorIdentifier` in the config, will be more useful in the future, see phpstan/phpstan-src#844 (#97, thanks @ruudk)
Bugfix:
- Check `allowIn` trait files, if the call is in a trait (#103)
Internal changes mostly:
- Works with composer 2.2.0 which requires plugin activation (#96, thanks @ruudk)
- Running tests on PHP 8.1 too (#98)
- When running tests manually & separately (not as part of `composer test`), the `-dev` suffix has been dropped. I'm probably the only one but you too can run only e.g. `composer phpunit` when building (and breaking) things (#101)
Case-(in)sensitivity

Function names, method names, namespaces are matched irrespective of their case (disallowing `print_r` will also find `print_R` calls), while anything else like constants, file names, paths are not. This is similar to how PHP itself works. (#94)

You can also check your code for case-mismatches in general with PHPStan's strict rules, see example.
Require PHPStan 1.0

That's it, that's the release (#82)
Remove allowCount

allowCount to allow max N method/function calls

This feature got reverted in 1.11.0.

This release adds support for `allowCount` config key for `disallowedMethodCalls` to allow methods/functions to be called max N times. This might be useful when you have some classes you don't want to be reused for some reason (like some generated classes for example). (#87, thanks @ruudk!)

Internally, the code now uses `int` & `bool` instead of `integer` & `boolean` and uses PHP Parser 4.12 (#84) but not newer (newer will be supported once PHPStan 1.0 is out, real soon now)
allowExceptParamsInAllowed config option

When you want to allow the call in allowed paths/calls only when it's not using those params (#80)
allowInMethods/allowInFunctions

- Using `allowInMethods` (or `allowInFunctions` alias), one can allow a method/function when called from another method/function (#77)
- New bundled config file (`disallowed-insecure-calls.neon`) with pre-disallowed (potentially) insecure calls (#78)
- Another bundled config file (`disallowed-loose-calls.neon`), some calls are better when done with some params set (e.g. `in_array(..., ..., true)`), and this config is for those calls (#79)
- The extension is now tested by itself, a practice known as 🐶🥣ing
- All bundled config files are now tested as well
New allowed param-related options

- New config options `allowParamsAnywhereAnyValue` & `allowParamsInAllowedAnyValue` to allow previously forbidden call when a param with any value is present (#75)
- Support `allowExceptParams` & `allowExceptCaseInsensitiveParams` config options, when you need to disallow a function or a method only when a param has a specified value (#74)
- Backtick operator (`` `...` ``) is also automatically forbidden when `shell_exec()` is forbidden (f66118b)
- Internal changes (factory methods 0e73b99, params are represented by objects 5092bc4)
- AllowAnywhere params should not be enough to also satisfy AllowInAllowed condition, params in `allowParamsInAllowedAnyValue` are checked in allowed paths even if `allowParamsAnywhere` exists too (823da13)
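As an added example that is not part of these release notes or the project's bundled config files, the following `phpstan.neon` fragment ties together several of the options described above: the `disallowedSuperglobals` rule, `allowIn` and `allowInMethods`, `errorIdentifier`, `allowInRootDir`, and a `shell_exec()` rule that also covers the backtick operator. The `superglobal:` item key, the `%rootDir%` value, the positional-key form of `allowParamsAnywhere`, and all file, class and method names are assumptions for illustration.

```neon
# Constructed example config (not shipped with the extension); paths and names are placeholders.
includes:
    - vendor/spaze/phpstan-disallowed-calls/extension.neon

parameters:
    # Prefix for all allowIn paths, needed when PHPStan runs from a subdirectory (#102).
    # The %rootDir% expression below is an assumption; adjust to your layout.
    allowInRootDir: %rootDir%/../../..

    # Superglobals are flagged wherever a variable of that name is used without being
    # defined in the current scope (#105); a single request factory is allowed to read them.
    disallowedSuperglobals:
        -
            superglobal: '$_GET'
            message: 'read query data through the Request object'
            errorIdentifier: 'app.superglobal.get'
            allowIn:
                - src/Http/RequestFactory.php
        -
            superglobal: '$GLOBALS'
            message: 'use dependency injection instead of globals'
            errorIdentifier: 'app.superglobal.globals'

    disallowedFunctionCalls:
        -
            # Disallowing shell_exec() also forbids the backtick operator automatically (f66118b).
            function: 'shell_exec()'
            message: 'spawning a shell from application code is disallowed'
            errorIdentifier: 'app.shell'
            # Only this one method (placeholder name) may call it (#77).
            allowInMethods:
                - App\Tools\ProcessRunner::execute()
        -
            # The call stays allowed anywhere as long as the third param is true,
            # i.e. only loose in_array() comparisons are reported.
            function: 'in_array()'
            message: 'pass true as the third parameter to compare strictly'
            allowParamsAnywhere:
                3: true
```

The `in_array()` entry duplicates what the bundled `disallowed-loose-calls.neon` already provides, so in practice you would include that file instead of writing the rule by hand.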