Open
Description
I currently did stumble today over some issue in my code base which I think would be interesting for every project. I have a controller which used the UriSigner to check for a correclty signed Uri.
public function acceptAction(Request $request): Response
{
$this->uriSigner->checkRequest($request);
Actually the UriSigner itself does not throw any exception. So calling it without do anything basically is a Security issue in some projects.
Valid cases would be:
// write the result atleast in a variable
$isValid = $this->uriSigner->checkRequest($request);
// usage in a if statement
if (!$this->uriSigner->checkRequest($request)) {
throw new AccessDeniedHttpException('The given uri is not valid.');
}
// usage in complex if statements
if (!$this->uriSigner->checkRequest($request) && !$request->attributes->getBoolean('simulate')) {
throw new AccessDeniedHttpException('The given uri is not valid.');
}
// usage in method calls
$this->validate($this->uriSigner->checkRequest($request));
Invalid would be calling it like a void method:
$this->uriSigner->checkRequest($request);
I'm not sure maybe if there already exist some kind of annotations we could add to the Symfony UriSigner that the result need to be handled and the method not be used like a void method.
Activity
ondrejmirtes commentedon Mar 14, 2024
Try putting
@phpstan-pure
above it. You can do it in a stub file.alexander-schranz commentedon Mar 15, 2024
Thx will give it a try :) symfony/symfony#54297
alexander-schranz commentedon May 26, 2025
The
pure
was not merged by the Symfony team. I created following PHPstan rule for the project corrently what you think?