Commit Graph

12 Commits

Author SHA1 Message Date
Lukas Reschke 3aaa2307e9
Improve phan config
* exclude routes

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-04-26 11:51:05 +02:00
Morris Jobke 1f06bc246c
Declare func() as safe method in phan
We added a special `func()` method to the query builder, which is a plain text function by definition. It uses the string and does no escaping on purpose. It has the potential for an injection but requiring to add the "supress warning" to all surrounding code makes it harder to spot actual problems, that this plugin want to find. So it's better to only need to check the func() and not all the surrounding code as well.

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-04-17 10:58:00 +02:00
Morris Jobke c930f70b52
Harden phan checks to catch more errors
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-27 07:53:56 +01:00
Roeland Jago Douma 2f36744aff
Update phan config
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-10-24 20:40:14 +02:00
Roeland Jago Douma ab20a64ed4
DAV Autoloader
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-10-24 20:40:11 +02:00
Roeland Jago Douma 112b0d57a8
Comments Autoloader
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-10-24 20:40:11 +02:00
Roeland Jago Douma ce7c9dfe8a
Admin Audit autoloader
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-10-24 20:40:09 +02:00
Roeland Jago Douma ff9f325677
Ignore composer stuff in phan
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-10-17 22:22:36 +02:00
Roeland Jago Douma 17bd2fb268
Phan is moved to a new repo
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-10-16 16:23:55 +02:00
Lukas Reschke 3d2600b039
Add Phan plugin to check for SQL injections
This adds a phan plugin which checks for SQL injections on code using our QueryBuilder, while it isn't perfect it should already catch most potential issues.

As always, static analysis will sometimes have false positives and this is also here the case. So in some cases the analyzer just doesn't know if something is potential user input or not, thus I had to add some `@suppress SqlInjectionChecker` in front of those potential injections.

The Phan plugin hasn't the most awesome code but it works and I also added a file with test cases.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-20 22:48:13 +02:00
Lukas Reschke 591aaa4154
Add workaround for https://github.com/etsy/phan/issues/1033
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-19 11:08:43 +02:00
Lukas Reschke d8ec399454
Run phan over code base
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-19 10:28:11 +02:00