Skip to content

Rule Idea: UriSigner check result is used and not used as a void method #387

Open
@alexander-schranz

Description

@alexander-schranz
Contributor

I currently did stumble today over some issue in my code base which I think would be interesting for every project. I have a controller which used the UriSigner to check for a correclty signed Uri.

    public function acceptAction(Request $request): Response
    {
        $this->uriSigner->checkRequest($request);

Actually the UriSigner itself does not throw any exception. So calling it without do anything basically is a Security issue in some projects.

Valid cases would be:

// write the result atleast in a variable
$isValid = $this->uriSigner->checkRequest($request);

// usage in a if statement
if (!$this->uriSigner->checkRequest($request)) {
    throw new AccessDeniedHttpException('The given uri is not valid.');
}

// usage in complex if statements
if (!$this->uriSigner->checkRequest($request) && !$request->attributes->getBoolean('simulate')) {
    throw new AccessDeniedHttpException('The given uri is not valid.');
}

// usage in method calls
$this->validate($this->uriSigner->checkRequest($request));

Invalid would be calling it like a void method:

$this->uriSigner->checkRequest($request);

I'm not sure maybe if there already exist some kind of annotations we could add to the Symfony UriSigner that the result need to be handled and the method not be used like a void method.

Activity

ondrejmirtes

ondrejmirtes commented on Mar 14, 2024

@ondrejmirtes
Member

Try putting @phpstan-pure above it. You can do it in a stub file.

alexander-schranz

alexander-schranz commented on Mar 15, 2024

@alexander-schranz
ContributorAuthor

Thx will give it a try :) symfony/symfony#54297

alexander-schranz

alexander-schranz commented on May 26, 2025

@alexander-schranz
ContributorAuthor

The pure was not merged by the Symfony team. I created following PHPstan rule for the project corrently what you think?

<?php

declare(strict_types=1);

namespace App\Tests\phpstan\rules;

use PhpParser\Node;
use PhpParser\Node\Expr\MethodCall;
use PhpParser\Node\Identifier;
use PhpParser\Node\Stmt\Expression;
use PHPStan\Analyser\Scope;
use PHPStan\Rules\Rule;
use PHPStan\Type\TypeWithClassName;
use Symfony\Component\HttpFoundation\UriSigner;

/**
 * @implements Rule<MethodCall>
 */
class CheckRequestUsedRule implements Rule
{
    public function getNodeType(): string
    {
        return MethodCall::class;
    }

    public function processNode(Node $node, Scope $scope): array
    {
        if (!$node instanceof MethodCall) {
            return [];
        }

        if (!$node->name instanceof Identifier || 'checkRequest' !== $node->name->toString()) {
            return [];
        }

        $calledOnType = $scope->getType($node->var);

        if (!$calledOnType instanceof TypeWithClassName) {
            return [];
        }

        if (UriSigner::class !== $calledOnType->getClassName()) {
            return [];
        }

        if ($node->getAttribute('parent') instanceof Expression) {
            return [
                'The result of ' . UriSigner::class . '::checkRequest() must not be ignored.',
            ];
        }

        return [];
    }
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @ondrejmirtes@alexander-schranz

        Issue actions

          Rule Idea: UriSigner check result is used and not used as a void method · Issue #387 · phpstan/phpstan-symfony