
Releases: spaze/phpstan-disallowed-calls

Disallow superglobals usage and allow it back also in a trait, you can

29 Mar 04:16
8a377dc

2.3.0 has added a way to detect and disallow superglobal usage and now it can be allowed back in traits too (#107, thanks @ruudk for spotting the flaw)

Disallow superglobals usage, you can

27 Mar 03:48

Add disallowedSuperglobals rule to disallow usage of:

Done by detecting disallowed variables that are not defined in the current scope (#105, thanks @ekisu!)

Happy New Disallowed Calls! (& some new config items and aliases)

05 Jan 05:16
2eafca7
  • Optional root dir config/prefix (allowInRootDir) for all allowIn paths, needed when running PHPStan from a subdir for example (#102)
  • Added disallow* aliases to allowExcept* config directives, might be more readable (#104)
  • Can specify errorIdentifier in the config, will be more useful in the future, see phpstan/phpstan-src#844 (#97, thanks @ruudk)

Bugfix:

  • Check allowedIn trait files, if the call is in a trait (#103)

Internal changes mostly:

  • Works with composer 2.2.0 which requires plugin activation (#96, thanks @ruudk)
  • Running tests on PHP 8.1 too (#98)
  • When running tests manually & separately (not as part of composer test), the -dev suffix has been dropped. I'm probably the only one but you too can run only e.g. composer phpunit when building (and breaking) things (#101)

Case-(in)sensitivity

24 Nov 02:58
5ad6d00

Function names, method names, namespaces are matched irrespective of their case (disallowing print_r will also find print_R calls), while anything else like constants, file names, paths are not. This is similar to how PHP itself works. (#94)

You can also check your code for case-mismatches in general with PHPStan's strict rules, see example.

Require PHPStan 1.0

01 Nov 07:29
ff9fa0a

That's it, that's the release (#82)

Remove allowCount

27 Oct 18:18
9aedcd9

This reverts the allowCount feature (#87) introduced in 1.10; it doesn't work as expected and it seems it can't be made to work as planned (#91, thanks @ruudk).

No other change.

allowCount to allow max N method/function calls

22 Oct 20:58

This release adds support for allowCount config key for disallowedMethodCalls to allow methods/functions to be called max N times. This might be useful when you have some classes you don't want to be reused for some reason (like some generated classes for example). (#87, thanks @ruudk!) This feature got reverted in 1.11.0.

Internally, the code now uses int & bool instead of integer & boolean and uses PHP Parser 4.12 (#84) but not newer (newer will be supported once PHPStan 1.0 is out, real soon now)

allowExceptParamsInAllowed config option

18 Aug 22:49
2f5402f

When you want to allow the call in allowed paths/calls only when it's not using those params (#80)

allowInMethods/allowInFunctions

10 Aug 01:49
  • Using allowInMethods (or allowInFunctions alias), one can allow a method/function when called from another method/function (#77)
  • New bundled config file (disallowed-insecure-calls.neon) with pre-disallowed (potentially) insecure calls (#78)
  • Another bundled config file (disallowed-loose-calls.neon), some calls are better when done with some params set (e.g. in_array(..., ..., true)), and this config is for those calls (#79)
  • The extension is now tested by itself, a practice known as 🐶🥣ing
  • All bundled config files are now tested as well

New allowed param-related options

02 Aug 14:40
  • New config options allowParamsAnywhereAnyValue & allowParamsInAllowedAnyValue to allow a previously forbidden call when a param with any value is present (#75)
  • Support allowExceptParams & allowExceptCaseInsensitiveParams config options, when you need to disallow a function or a method only when a param has a specified value (#74)
  • Backtick operator (`...`) is also automatically forbidden when shell_exec() is forbidden (f66118b)
  • Internal changes (factory methods 0e73b99, params are represented by objects 5092bc4)
  • AllowAnywhere params should not be enough to also satisfy AllowInAllowed condition, params in allowParamsInAllowedAnyValue are checked in allowed paths even if allowParamsAnywhere exists too (823da13)
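
How the param-related options in this release fit together in a PHPStan config, as an added example that is not one of the extension's bundled files. The entry layout (the function and message keys, 1-based param positions) is assumed from the extension's documented config format, and the path is a placeholder.

```neon
# Added example, not one of the extension's bundled config files.
# Assumed: entry layout (function/message keys, 1-based param positions).
parameters:
    disallowedFunctionCalls:
        # Disallowed everywhere except the listed path; per the notes above,
        # the backtick operator is then forbidden as well.
        -
            function: 'shell_exec()'
            message: 'use the process wrapper instead'
            allowIn:
                - src/Process/Runner.php  # placeholder path
        # Disallowed only when the first param is 'md5', in any letter case.
        -
            function: 'hash()'
            message: 'MD5 is not acceptable here'
            allowExceptCaseInsensitiveParams:
                1: 'md5'
        # Disallowed unless the third param ($strict) is true.
        -
            function: 'in_array()'
            message: 'set $strict to true to avoid type juggling'
            allowParamsAnywhere:
                3: true
```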