Release of Psalm 3.12, a static analyzer for the PHP language. Alpha release of PHP 8.0

Vimeo has published a new release of the static analyzer Psalm 3.12, which detects both obvious and subtle errors in PHP code and can automatically correct some kinds of errors. The system is suitable for finding problems both in legacy code and in code that uses modern features introduced in recent PHP branches. The project code is written in PHP and is distributed under the MIT license.

Psalm detects most problems related to incorrect use of types, as well as various typical mistakes. For example, it warns about mixing variables of different types in one expression, incorrect boolean checks (such as "if ($a && $a) {}", "if ($a && !$a) {}" and "if ($a) {} elseif ($a) {}"), and incomplete initialization of object properties. The analyzer runs in multithreaded mode. Incremental checks are possible, in which only files changed since the last check are analyzed.

Additionally, tools for safer programming are provided that allow Docblock annotations ("/** @var Type */") to supply information about the types of variables, return values, function parameters and object properties. It also supports defining type usage patterns and the use of assert statements. For example:

/** @var string|null */
$a = foo();

/** @var string $a */
echo strpos($a, 'hello');

/** @psalm-assert-if-true B $a */
function isValidB(A $a) : bool {
    return $a instanceof B && $a->isValid();
}

To automate fixing the problems it finds, the Psalter utility is provided, which supports plugins and allows fixing common problems in code, adding type annotations, and performing manipulations such as moving classes from one namespace to another, moving methods between classes, and renaming classes and methods.

The new release of Psalm implements the "--taint-analysis" option, which traces the relationship between input parameters received from the user (for example, $_GET['name']) and their use in places that require escaping (for example, echo "$name"), including through chains of intermediate assignments and function calls. The associative arrays $_GET, $_POST and $_COOKIE are treated as sources of potentially dangerous data, but you can also define your own sources. Actions tracked for required escaping include output operations that produce HTML content, HTTP headers or SQL queries.

Checks are applied when using functions such as echo, exec, include and header. When analyzing whether escaping is needed, the kind of data is taken into account, such as plain text, strings containing SQL, HTML or shell code, and strings carrying authentication parameters. The proposed mode makes it possible to identify vulnerabilities in the code that lead to cross-site scripting (XSS) or SQL injection.
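Added illustration of the source-to-sink tracking described above; this is not code from the article or the Psalm project. $_GET and a helper annotated as a custom taint source (annotation name as in Psalm's taint documentation, assumed to apply to this release) flow through an intermediate function into echo and a PDO query, once unescaped and once with escaping or parameter binding that the analyzer recognises as safe.

```php
<?php
/**
 * Constructed example, not Psalm project code: a request helper marked as a
 * custom taint source (annotation as in Psalm's docs, assumed valid here).
 * @psalm-taint-source input
 */
function requestParam(string $key): string
{
    return (string) ($_POST[$key] ?? '');
}

function greetingFor(string $name): string
{
    $label = 'Hello, ' . $name; // taint passes through this assignment
    return $label;
}

function renderUnsafe(): void
{
    $name = $_GET['name'] ?? 'guest';
    // With --taint-analysis Psalm reports this echo: the path
    // $_GET -> $name -> greetingFor() -> echo has no HTML escaping (XSS).
    echo '<p>' . greetingFor($name) . '</p>';
}

function renderSafe(): void
{
    $name = $_GET['name'] ?? 'guest';
    // htmlspecialchars() is a known HTML escape, so the path is clean.
    echo '<p>' . htmlspecialchars(greetingFor($name), ENT_QUOTES, 'UTF-8') . '</p>';
}

/** @return array<string, mixed>|false */
function findUserUnsafe(PDO $db)
{
    $id = requestParam('id');
    // Custom source flows into the query text: reported as a SQL sink hit.
    $stmt = $db->query("SELECT * FROM users WHERE id = $id");
    return $stmt === false ? false : $stmt->fetch(PDO::FETCH_ASSOC);
}

/** @return array<string, mixed>|false */
function findUserSafe(PDO $db)
{
    $id = requestParam('id');
    // Bound parameter: user data never becomes part of the SQL statement.
    $stmt = $db->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->execute(['id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}
```

Running "psalm --taint-analysis" over such a file reports the two unsafe paths and stays silent on the two safe ones.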

Additionally, alpha testing of the new PHP 8.0 branch has started. The release is scheduled for November 26. The new branch is expected to include the following innovations:

  • Inclusion of a JIT compiler, the use of which should improve performance.
  • Support for union types, which define a set of two or more types (for example, "public function foo(Foo|Bar $input): int|float;").
  • Support for attributes (annotations), which allow metadata (such as type information) to be attached to classes without using Docblock syntax.
  • Shorthand syntax for class definitions, which allows combining the constructor definition with the property declarations.
  • New return type: static.
  • New type mixed, which can be used to indicate that a function accepts parameters of different types.
  • A throw expression for exception handling.
  • WeakMap, for holding objects that the garbage collector may still reclaim (for example, to store optional caches).
  • Ability to use the "::class" expression on objects (equivalent to calling get_class()).
  • Ability to catch exceptions in a catch block without binding them to a variable.
  • Ability to leave a trailing comma after the last element of a function's parameter list.
  • New Stringable interface to identify any string type or data that can be converted to a string (i.e. that provides a __toString() method).
  • New function str_contains(), a simplified analogue of strpos for detecting whether a substring occurs, as well as the functions str_starts_with() and str_ends_with() for checking matches at the beginning and end of a string.
  • Added the fdiv() function, which performs division without raising an error on division by zero.
  • Changed string concatenation precedence. For example, the expression 'echo "sum: " . $a + $b' was previously interpreted as 'echo ("sum: " . $a) + $b' and in PHP 8 will be treated as 'echo "sum: " . ($a + $b)'.
  • Stricter checks for arithmetic and bitwise operations: expressions such as "[] % [42]" and "$object + 4" will result in an error.
  • Implemented a stable sorting algorithm that preserves the relative order of equal values across runs.

Source: opennet.ru
