Rule Idea: UriSigner check result is used and not used as a void method

[alexander-schranz]

I currently did stumble today over some issue in my code base which I think would be interesting for every project. I have a controller which used the UriSigner to check for a correclty signed Uri.

    public function acceptAction(Request $request): Response
    {
        $this->uriSigner->checkRequest($request);

Actually the UriSigner itself does not throw any exception. So calling it without do anything basically is a Security issue in some projects.

Valid cases would be:

// write the result atleast in a variable
$isValid = $this->uriSigner->checkRequest($request);

// usage in a if statement
if (!$this->uriSigner->checkRequest($request)) {
    throw new AccessDeniedHttpException('The given uri is not valid.');
}

// usage in complex if statements
if (!$this->uriSigner->checkRequest($request) && !$request->attributes->getBoolean('simulate')) {
    throw new AccessDeniedHttpException('The given uri is not valid.');
}

// usage in method calls
$this->validate($this->uriSigner->checkRequest($request));

Invalid would be calling it like a void method:

$this->uriSigner->checkRequest($request);

I'm not sure maybe if there already exist some kind of annotations we could add to the Symfony UriSigner that the result need to be handled and the method not be used like a void method.

[ondrejmirtes]

Try putting @phpstan-pure above it. You can do it in a stub file.

[alexander-schranz]

Thx will give it a try :) symfony/symfony#54297

[alexander-schranz]

The pure was not merged by the Symfony team. I created following PHPstan rule for the project corrently what you think?

<?php

declare(strict_types=1);

namespace App\Tests\phpstan\rules;

use PhpParser\Node;
use PhpParser\Node\Expr\MethodCall;
use PhpParser\Node\Identifier;
use PhpParser\Node\Stmt\Expression;
use PHPStan\Analyser\Scope;
use PHPStan\Rules\Rule;
use PHPStan\Type\TypeWithClassName;
use Symfony\Component\HttpFoundation\UriSigner;

/**
 * @implements Rule<MethodCall>
 */
class CheckRequestUsedRule implements Rule
{
    public function getNodeType(): string
    {
        return MethodCall::class;
    }

    public function processNode(Node $node, Scope $scope): array
    {
        if (!$node instanceof MethodCall) {
            return [];
        }

        if (!$node->name instanceof Identifier || 'checkRequest' !== $node->name->toString()) {
            return [];
        }

        $calledOnType = $scope->getType($node->var);

        if (!$calledOnType instanceof TypeWithClassName) {
            return [];
        }

        if (UriSigner::class !== $calledOnType->getClassName()) {
            return [];
        }

        if ($node->getAttribute('parent') instanceof Expression) {
            return [
                'The result of ' . UriSigner::class . '::checkRequest() must not be ignored.',
            ];
        }

        return [];
    }
}

[alexander-schranz]

Maybe we could make a more general Rule, maybe inside phpstan core which is configurable as there are more methods like Security->isGranted. Could think other frameworks maybe also have methods where results should not be ignored.