Hi

This would still accept any (unsafe) Stringable as can be seen in:

   - https://phpstan.org/r/1b827130-5dd0-41c4-92e1-d08279d89601
   - https://psalm.dev/r/1b19498b4e

Is it still worth doing it?

Cheers,

Adrien

On Wednesday, 31 May 2023 at 17:12:49 UTC+7 Craig Francis wrote:

> Hi,
>
> Regarding PSR-3 (Logger Interface), at the moment the $message is simply 
> defined as a string (or stringable).
>
> That's fine, but it relies on the developer understanding that they cannot 
> include untrusted user values in the message, and for them to never make a 
> mistake - which could lead to a log-injection vulnerability.
>
> Since September 2021, both PHPStan and Psalm support the `literal-string` 
> type:
>
> https://github.com/vimeo/psalm/releases/tag/4.8.0
> https://github.com/phpstan/phpstan/releases/tag/0.12.97
>
> This allows static analysis tools to check $message is a trusted developer 
> defined string; it can still use variables, and it supports concatenation 
> as well (so long as all of the strings are also of the literal-string 
> type), so I'm hopeful that it's relaxed enough of a check to not cause 
> problems, while still identifying mistakes that could lead to a security 
> issue.
>
> I'm wondering if this would be appropriate to use in a future version of 
> the Logger Interface?
>
> Something like:
>
> https://github.com/craigfrancis/php-fig-log/commit/80ac8b82cb049fb11cefa8a5ad199751d34149d0
>
> Thanks,
> Craig

-- 
You received this message because you are subscribed to the Google Groups "PHP 
Framework Interoperability Group" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/php-fig/4fe6dcf9-1fc1-44c3-87f4-88da3dd01de4n%40googlegroups.com.
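As an added example that is not part of this thread or of Craig's linked commit: a minimal PSR-3-style logger whose `$message` is documented as `literal-string|\Stringable`, exercised with the three call patterns the thread discusses (concatenated user input, a Stringable wrapping user input, and a literal message with context placeholders). `ListLogger`, its newline-escaping interpolation and the sample username are constructed for illustration.

```php
<?php
// Added example, not code from PHP-FIG. Shows what the proposed literal-string
// annotation catches, what it misses (Adrien's Stringable case), and the
// placeholder+context pattern that keeps $message a literal.

final class ListLogger
{
    /** @var list<string> */
    public array $lines = [];

    /**
     * @param literal-string|\Stringable $message  PHPStan/Psalm flag non-literal strings here
     * @param array<string, mixed>       $context  untrusted values belong here, not in $message
     */
    public function log(string $level, string|\Stringable $message, array $context = []): void
    {
        $this->lines[] = sprintf('[%s] %s', $level, $this->interpolate((string) $message, $context));
    }

    /** PSR-3 style {placeholder} substitution; CR/LF in values are escaped so one call stays one line. */
    private function interpolate(string $message, array $context): string
    {
        $replace = [];
        foreach ($context as $key => $value) {
            if (is_scalar($value) || $value instanceof \Stringable) {
                $replace['{' . $key . '}'] = str_replace(["\r", "\n"], ['\r', '\n'], (string) $value);
            }
        }
        return strtr($message, $replace);
    }
}

$logger = new ListLogger();
$username = "alice\n[info] user admin logged in"; // constructed: attacker-chosen value with a newline

// 1) Concatenation: the argument is not a literal-string, so static analysis reports it.
$logger->log('info', 'user ' . $username . ' logged in');

// 2) Stringable wrapper: satisfies literal-string|Stringable, yet the content is still untrusted.
$logger->log('info', new class($username) implements \Stringable {
    public function __construct(private string $s) {}
    public function __toString(): string { return 'user ' . $this->s . ' logged in'; }
});

// 3) Literal message plus context: passes the check and the injected newline is escaped.
$logger->log('info', 'user {user} logged in', ['user' => $username]);

print_r($logger->lines); // entries 1 and 2 span two lines each; entry 3 stays on one line
```

Running PHPStan or Psalm over this file with the annotation in place reports call 1 only; call 2 shows why the annotation narrows, but does not remove, the need to route user data through `$context`.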