Hi Adrien,
Taking the following example, showing the typical mistake developers make:
$search = ($_GET['q'] ?? '');
$logger->info("User $userId search $search");
When their static analysis tool complains (because $message is not a
literal-string), I suppose they could decide to use a Stringable object,
but I'd hope it would prompt them to use placeholders, e.g.
https://phpstan.org/r/6b3b8f2b-ed5a-4694-a20f-2bf6838c8d44
I take the view that at least they were told.
Craig
On Thu, 1 Jun 2023 at 15:44, Adrien Crivelli <[email protected]>
wrote:
> Hi
>
> This would still accept any (unsafe) Stringable as can be seen in:
>
> - https://phpstan.org/r/1b827130-5dd0-41c4-92e1-d08279d89601
> - https://psalm.dev/r/1b19498b4e
>
> Is it still worth doing it ?
>
> Cheers,
>
> Adrien
> On Wednesday, 31 May 2023 at 17:12:49 UTC+7 Craig Francis wrote:
>
>> Hi,
>>
>> Regarding PSR-3 (Logger Interface), at the moment the $message is simply
>> defined as a string (or stringable).
>>
>> That's fine, but it relies on the developer understanding that they
>> cannot include untrusted user values in the message, and for them to never
>> make a mistake - which could lead to a log-injection vulnerability.
>>
>> Since September 2021, both PHPStan and Psalm support the `literal-string`
>> type:
>>
>> https://github.com/vimeo/psalm/releases/tag/4.8.0
>> https://github.com/phpstan/phpstan/releases/tag/0.12.97
>>
>> This allows static analysis tools to check $message is a trusted
>> developer defined string; it can still use variables, and it supports
>> concatenation as well (so long as all of the strings are also of the
>> literal-string type), so I'm hopeful that it's relaxed enough of a check to
>> not cause problems, while still identifying mistakes that could lead to a
>> security issue.
>>
>> I'm wondering if this would be appropriate to use in a future version of
>> the Logger Interface?
>>
>> Something like:
>>
>>
>> https://github.com/craigfrancis/php-fig-log/commit/80ac8b82cb049fb11cefa8a5ad199751d34149d0
>>
>> Thanks,
>> Craig
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "PHP Framework Interoperability Group" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/php-fig/4fe6dcf9-1fc1-44c3-87f4-88da3dd01de4n%40googlegroups.com
> <https://groups.google.com/d/msgid/php-fig/4fe6dcf9-1fc1-44c3-87f4-88da3dd01de4n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
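Added worked example (not part of the thread, and not code from PSR-3, PHP-FIG, PHPStan or Psalm): a hypothetical PSR-3-style logger that shows the log-injection mistake Craig describes beside the placeholder form he hopes the `literal-string` warning prompts. `DemoLogger` and `ArrayLogger` are stand-ins invented for this example; the `@param literal-string` docblock is the annotation PHPStan and Psalm check, and PHP itself enforces nothing at runtime. Encoding context values with `json_encode` is one formatter choice, since PSR-3 leaves escaping of placeholder values to the implementation. The default search term is a constructed attack payload used when the script runs from the CLI, where `$_GET` is empty.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a PSR-3 logger (not the real Psr\Log interface):
// the `literal-string` docblock type is what PHPStan and Psalm check;
// PHP itself still accepts any string at runtime.
interface DemoLogger
{
    /**
     * @param literal-string       $message  developer-written text with {placeholders}
     * @param array<string, mixed> $context  untrusted values go here, never into $message
     */
    public function info(string $message, array $context = []): void;
}

// In-memory logger whose formatter encodes each context value before
// substitution, so a value cannot carry a raw newline and forge a record.
final class ArrayLogger implements DemoLogger
{
    /** @var list<string> */
    public array $records = [];

    public function info(string $message, array $context = []): void
    {
        $replacements = [];
        foreach ($context as $key => $value) {
            // json_encode quotes the value and escapes \r, \n, " and other control characters
            $replacements['{' . $key . '}'] = json_encode((string) $value, JSON_UNESCAPED_SLASHES);
        }
        $this->records[] = '[INFO] ' . strtr($message, $replacements);
    }

    // What a line-oriented sink (file, syslog) receives; one physical line per record is the invariant.
    public function dump(): string
    {
        return implode("\n", $this->records);
    }
}

// Constructed input: the search term carries a CRLF followed by a forged line
// that looks like a successful login for another user. Reading it via $_GET
// keeps the static type non-literal, as it would be in real request handling.
$userId = 42;
$untrusted = (string) ($_GET['q'] ?? "shoes\r\n[INFO] User 1 login ok");

// 1. The mistake from the thread: the untrusted value is interpolated into $message.
//    With the annotation above, PHPStan/Psalm report this call because the
//    interpolated string is not a literal-string.
$naive = new ArrayLogger();
$naive->info("User $userId search $untrusted");

// 2. The fix the warning should prompt: a literal-string message with
//    placeholders, and the untrusted value passed through $context.
$safe = new ArrayLogger();
$safe->info('User {user} search {q}', ['user' => $userId, 'q' => $untrusted]);

// Compare records written against physical lines a line-oriented reader would see.
foreach (['naive' => $naive, 'safe' => $safe] as $name => $logger) {
    $physical = count(preg_split('/\r\n|\n|\r/', $logger->dump()));
    printf("%-5s: %d record(s), %d physical line(s)\n%s\n\n",
        $name, count($logger->records), $physical, $logger->dump());
}
```

Run from the CLI, the naive logger writes one record that a line-based reader splits into two lines, the second indistinguishable from a genuine login entry; the placeholder version writes one record on one line because the CRLF is stored as the escaped text `\r\n`. The static-analysis finding only fires on the naive call, which is the point of the thread: the developer is told before the forged record reaches a log.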