Releases: spaze/phpstan-disallowed-calls
Constructors, evals, bump
- Two new internal services `NewCalls` and `EvalCalls` were added. If you're not using `includes: - vendor/spaze/phpstan-disallowed-calls/extension.neon` you'd need to manually add them to your `phpstan.neon`'s `services`, check `extension.neon` to see what needs to be added
This alone brings some breaking changes (see #25 for discussion) so I thought I'd bump the version number. Due to some rather poor choices in the past, the version is now 0.12 and I can't stay on that because of the changes. Going to 0.13 would be confusing because PHPStan 0.12 is still supported. So let's go to 1.0. I like what this does already so why not :-)
- Constructor calls (object creations) are now detected, just disallow `Foo\Bar::__construct()` even if there's no constructor defined in that particular class. Both `new Foo` and `$a = 'Foo'; new $a;` are detected. (#37, thanks @enumag for the test)
- Disallowed calls can start with a backslash (`method \Foo::bar()` instead of just `method Foo::bar()`) (#38)
- `eval()` is detected, did you know it's not a function but a language construct? (#36)
- Extra functions added to the bundled config files (#35):
  - `disallowed-execution-calls.neon` includes `popen()`
  - `disallowed-dangerous-calls.neon` now also includes these:
    - `apache_setenv()`
    - `dl()`
    - `posix_getpwuid()`
    - `posix_kill()`
    - `posix_mkfifo()`
    - `posix_mknod()`
    - `highlight_file()`
    - `show_source()`
    - `pfsockopen()`
    - `proc_nice()`
    - `putenv()`
    - `socket_create_listen()`
    - `socket_listen()`
Wildcards
- Optional parentheses so you can use `function: foo()` or `function: foo` (#34)
- Support wildcard in function or method names (only as the rightmost character in the name) to disable multiple calls at once (`function: pcntl_*`)
- New example file that can also be included and disallows `exec()`, `shell_exec()` and friends: `disallowed-execution-calls.neon`
Detect more calls
PHPStan level max
This PHPStan extension is also PHPStan-tested and this release brings mostly internal refactoring only to beat PHPStan's max level.
Also checking static calls like `$this->foo::bar()` which has been previously crashing PHPStan, now doesn't crash it (#24)
PHPStan extension installer support
- Support for PHPStan's extension installer, more straightforward config (#9)
- Sample dangerous config (#10)
Migration to extension installer:
If you're not using the extension installer, you're fine with the configuration you already use and can continue using it as long as you wish.
If you're using the extension installer, the `extension.neon` where the classes are set up will be included automatically by PHPStan and you'll probably get "Multiple services found" when you run PHPStan. In that case you'd need to change the configuration slightly:
- Remove `Spaze\PHPStan\Rules\Disallowed\DisallowedHelper` from your `phpstan.neon`
- Copy `forbiddenCalls` keys and values from `Spaze\PHPStan\Rules\Disallowed\{Method,Static,Function}Calls` definitions to `parameters` > `disallowedMethodCalls` (and `disallowedStaticCalls`, `disallowedFunctionCalls`, respectively), can even put them in a new file (e.g. `disallowed-calls.neon`) which you can then include manually
- Delete `Spaze\PHPStan\Rules\Disallowed\{Method,Static,Function}Calls` definitions from your `phpstan.neon` including the keys and values under `arguments` > `forbiddenCalls`
If you'd like to switch to using `extension.neon` even without using the extension installer, follow the steps above and manually include `vendor/spaze/phpstan-disallowed-calls/extension.neon` in your `phpstan.neon`.
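The migration steps above applied to a small configuration, as an added example that is not taken from the project's own documentation. The `message` key, the `phpstan.rules.rule` tag layout of the old service definitions, and the sample function, class and messages are assumptions for illustration.

```neon
# phpstan.neon after migrating to extension.neon
# (constructed example; the disallowed calls and messages are sample values)

# BEFORE: rules wired up by hand. Remove all of this, because extension.neon
# registers the same services and PHPStan will probably report
# "Multiple services found".
#
# services:
#     - Spaze\PHPStan\Rules\Disallowed\DisallowedHelper
#     -
#         class: Spaze\PHPStan\Rules\Disallowed\FunctionCalls
#         tags:
#             - phpstan.rules.rule
#         arguments:
#             forbiddenCalls:
#                 -
#                     function: 'var_dump()'
#                     message: 'use the logger instead'
#     -
#         class: Spaze\PHPStan\Rules\Disallowed\MethodCalls
#         tags:
#             - phpstan.rules.rule
#         arguments:
#             forbiddenCalls:
#                 -
#                     method: 'App\Legacy\Mailer::send()'
#                     message: 'use the queue instead'

# AFTER: only the forbiddenCalls entries survive, moved under parameters.
# Without the extension installer, also add:
#
# includes:
#     - vendor/spaze/phpstan-disallowed-calls/extension.neon
parameters:
    disallowedFunctionCalls:
        -
            function: 'var_dump()'
            message: 'use the logger instead'
    disallowedMethodCalls:
        -
            method: 'App\Legacy\Mailer::send()'
            message: 'use the queue instead'
```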
AllowParams support
Now you can allow calls with specified parameters while calls with different parameters would still be disallowed (#1)
Don't forget that since 0.12.2, you need to add `DisallowedHelper` to your `services` section in `phpstan.neon`:

```neon
services:
    - Spaze\PHPStan\Rules\Disallowed\DisallowedHelper
```
AllowIn support
You can also allow some previously disallowed calls using the `allowIn` configuration key (#3)
You need to add `DisallowedHelper` to your `services` section in `phpstan.neon`:

```neon
services:
    - Spaze\PHPStan\Rules\Disallowed\DisallowedHelper
```